RECONNAISSANCE, the very first phase of any Risk Assessment Exercise, is often underestimated by many security professionals. Every pentester's arsenal should, however, include Open Source Intelligence (OSINT) and active reconnaissance, both to make the assessment effective and to measure the security posture against real-world adversaries. This training not only covers using OSINT to extract data but also focuses on the significance of that data and how it can be directly enriched and used offensively to attack and compromise modern digital infrastructures.
The training will cover topics such as Mapping the Attack Surface, Enriching Collected Data, Tech Stack Enumeration, Cloud Recon, Employee Profiling, Identifying Hidden Injection Points, Credential Spraying, Compromising the Federation Server, Exploiting Domain Trust, Social Engineering, and much more. Participants will perform real-life attack scenarios in our lab, which hosts a Forest Environment spanning segregated Domains, to compromise various services. Using Social Engineering and the human aspect of OSINT, students will also be guided to compromise the segregated domain environment that is otherwise unreachable from the previously compromised domain. The training will not only cover these topics but will also go in-depth on how OSINT techniques can be chained together, and how even a small piece of information can lead to catastrophic damage to an organization.
The ultimate objective of this training program is to bring together the mindset and the artillery of a modern adversary in order to make the organization resilient. Students will be provided with a framework to manage and prioritize all the data collected during the course. A private ONE MONTH LAB ACCESS will also be provided to each participant, where they can practice the skills learned during the course.
The training program will cover the following topics:
Day 1
- Target Scoping and Mapping the Attack Surface
  - ASN ID, IP Lookups, Allocated IP Range Extraction, Domain IP History
  - Subdomain Enumeration
    - Certificate Transparency, Brute Forcing, LDNS Walking, Internet Scan Repositories
  - Organization's Social Media Profiling
  - Employee(s) Profiling
  - Identifying the Organization's Associations
    - Acquisitions, Mergers, Vendors, Customers, etc.
  - Hunting Code Repositories, Dark Web, Paste Sites and Leaked Data
  - Cloud Recon
    - Server Instances, Cloud Storage Objects, Federation Server Discovery
- Art of Making Notes
- Enriching OSINT Data
  - Generating Username/Password Patterns
  - Bucket/Spaces Pattern Generation
  - Tech Stack Profiling
  - Capturing Screenshots of Exposed Services
  - Port Scanning (Active/Passive)
  - Identifying SSO/Login/Admin/VPN Portal(s)
  - Exploring Breached Password Databases
  - Metadata Extraction
  - Automating CSE for Dork Matching
- Identifying and Prioritizing Targets
- Attacking and Exploitation
  - Targeted Credential Spraying on Infrastructure Assets and Third-Party Authentication
  - Compromising Business Communication Infrastructure (BCI)
  - Exploring the Compromised Assets [Bonus Lab Exercise]
Day 2
- Attacking and Exploitation Continued
  - Attacking Network Services using Collated Data
  - Stealing Information from Buckets/Blobs
  - Compromising Cloud Server Instances
  - Discovering and Exploiting Hidden Injection Points
  - Compromising Federation Servers/Domain Controller Servers
  - Mapping the Forest Environment
  - Exploiting Domain Trust to Identify New Input Vectors (Users) for Further OSINT
- Exploring the Human Attack Surface
  - Attack Planning: Compromising the Unreachable Domain
  - Practical Social Engineering
    - User Profiling
    - Watering Hole Attack
    - Spear Phishing and Targeted Client-Side Exploitation
    - Dropping Payloads using BCI
- Post-Exploitation & Persistence
  - Privilege Escalation in a Windows Environment
  - Dumping Privileged User Credentials
  - Compromising AD and Network Persistence