Tactical Exploitation

Attack Research | August 2-5

Penetration testing often focuses on individual vulnerabilities and services, but the quickest ways to exploit are often hands on and brute force. This four-day course introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using a combination of new tools and lesser-known techniques, attendees will learn how to compromise systems without depending on standard exploits. The class alternates between lectures and hands-on testing, providing attendees with an opportunity to try the techniques discussed.

In the first half of the course, attendees will come to a new understanding of how to build their own custom malware, using some common and uncommon tool sets. Students will learn how to harness these new-found malware authoring concepts for successful exploitation. The class will then move into unique, less-known tactics for taking down Windows domains, regardless of how old or new they are. This section of the class is based heavily upon post-exploitation techniques perfected by Attack Research. Students will walk away being able to compromise any Windows host.

In the second half of the course, focus will shift from compromising Windows-based networks to a true production-level Unix environment. Attendees will receive in-depth exploitation techniques for becoming root in any Unix environment and abusing these newly found resources for unique lateral movement techniques. Students will learn complete domination of a true production Windows/Unix environment. On the last day, there will be a CTF-style challenge.

The following items are the topic areas covered in the class:
• Malware authoring techniques (Malware for Pen Testers)
• How recon isn’t about processes and software
• Recon techniques for lateral movement
• Using Windows against itself
• Privilege escalation without exploits
• Evasion techniques
• Stealth tactics
• Penetration testing OPSEC
• Persistence mechanisms
• Exploiting Kerberos for profit
• Tunneling for lateral movement in *nix environments
• How windows are made and broken with X

Students will test all the skills they have gained in the course against a virtual network specially designed for the class and representing a large-scale enterprise. The labs will be interwoven into the lecture so that students receive a significant amount of time practically exercising these new skills as they learn. By the end of the class, students will have spent 50% of the time in a lab environment.

Who Should Take This Course

This course is well suited to penetration testers of any skill level and all security professionals who have a basic grasp of networking and software exploits. This course differs from a typical ethical hacking program in that the focus is on techniques that are not affected by patch levels. A portion of the class will be dedicated to building new tools on the fly to solve the challenges posed by a difficult penetration test.

Student Requirements

Student machines must be able to run at least 1 virtual machine utilizing VMware Workstation 8.0 and above (which can be obtained through a demo license). Student laptops must be running OSX, Linux, or Windows, and must have the ability to disable all antivirus, sniff traffic, adjust firewalls, etc. Students must have:
• A concept of scripting languages such as Python/Perl/Ruby
• A concept level of systems administration on a Windows or Linux machine

What Students Should Bring

A laptop capable of fulfilling all requirements in the Student Requirements section.

What Students Will Be Provided With

Students leave the class with full documentation and the entire custom and non-custom toolsets. Students will also take away the custom tools that they design and build in the class. Students walk away from AR training sessions not only with the "usual" training materials, but with a wealth of knowledge for both attacking and defending networks.
Russ Gideon (rgideon@attackresearch.com)
Russ has many years of experience in information security. He has filled roles as diverse as being a core component of an Incident Response operation to managing effective Red Teams from across the United States government. Russ excels at both malware reverse engineering, giving him a deep understanding of how attackers do what they do, and high-end Red Teaming, penetrating sophisticated and well-protected high-value systems. Russ currently serves as the Director of Malware Research and Training at Attack Research, LLC.

Val Smith (valsmith@attackresearch.com)
Val Smith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on a variety of problems in the security community. He specializes in penetration testing, with over 40,000 machines assessed, reverse engineering, and malware research. He works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently, Val Smith co-founded Attack Research, which is devoted to deep understanding of the mechanics of computer attack. Previously, Val Smith founded Offensive Computing, a public, open-source malware research project.

Colin Ames (amesc@attackresearch.com)
Colin Ames is a security researcher with Attack Research LLC, where he consults for both the private and public sectors. He is currently focused on penetration testing, exploit development, reverse engineering, and malware analysis.

Dave Sayre (dkerb@attackresearch.com)
Dave has worked in the computer security arena for the past ten years. He has specialized in reverse engineering, malware research, and penetration testing. During the past ten years, he has worked with various entities, including Offensive Computing, a malware research company. He is currently conducting research at Attack Research, which is set up to help understand the internals of attacks. Dave Kerb has focused on *nix systems and enjoys figuring out how to abuse various trust relations between them.