Course Overview
Movement, Pivoting, and Persistence for Pentesters and Ethical Hackers is the next step in YOUR penetration testing and ethical hacking journey.
Most engagements are conducted remotely, meaning that the tester must have the ability to move about freely from outside of the network into it. We do this using various techniques. Some of the simplest can be utilizing a compromised password to access a desktop environment via remote desktop and attempting to access other machines with those credentials. More complicated techniques include utilizing compromised endpoints to act as a proxy for us, forwarding traffic from internal targets back to our own.
MP&P will cover topics such as:
- Username and Password List Generation
- Password Spraying
- Email Phishing
- Command and Control (C2)
- Credential Harvesting and Passing
- Routing, Port Forwarding, SOCKS Proxies, and Bind Usage
- Offensive PowerShell
- How the Misconfigurations We See in Real Pentests Happen
- Common Remediation Strategies You Can Use to Report to Clients
Prerequisites
- This course is not meant to be a course for beginners. It is assumed that each student has a basic to intermediate understanding of penetration testing and ethical hacking, including the use of Nmap, Metasploit, OWASP ZAP or Burp Suite, and other well-used tools. Some basic level knowledge will be used, such as enumeration, and expanded upon for various lessons.
- The course will require the generation of a local lab environment. In order to gain the full benefit from the course, the student’s PC will need at least 16GB of RAM. It is possible to configure the lab with less, however some assets will have to be suspended to run critical services. Students can also opt to generate lab environments using Azure, AWS, or Google Cloud; however, implementation will be outside the scope of the course.
- Students should have the knowledge to install VirtualBox, create and provision virtual machines. VirtualBox will be necessary in order to provision the virtual networks needed for the course. Automated generation scripts are provided in order to create necessary user accounts and permissions for your Active Directory domain environment. Some additional configurations will be required, which will be covered at the appropriate point in the course.
Why should you purchase this course?
- The information in this course comes from first hand experiences in real world penetration tests.
- This course will provide you with advanced hacking techniques and expertise that can help you pass professional pentesting certifications such as eCPPT, OSCP, ePTX, PNPT, and more.
- The skills you will learn in Movement, Pivoting, and Persistence for Pentesters and Ethical Hackers are the same that employers are demanding from applicants looking to enter the field.
What will I receive from this course?
- Access to the student-only channel on Discord to receive support from the instructor and other students
- Custom Kali Linux distribution for students
- Course completion certificate
Jordan
"I just wanna say, I’ve been having so much fun going through this course. As a beginner. I was concerned I it would be too much for me.. but no, it has given me valuable experience in setting up an AD environment. Using real world tactics to exploit networks, etc. Great course!"
Joe Aguilar Jr.
"Used some of our long weekend to advance my skillset with Joe Helle course with Movement, persistence, and lateral movement!! Excellent course that teaches Covenant’s C2 framework, persistence techniques, and utilizing powershell during internal assessments! Definitely a course to take!"
Soubhy Kouzi
"Thank you Joe Helle for providing such an amazing course ! The course was worth it. Absolutely amazing how much I’ve learned about Windows Active Directory Movement , Pivoting and Persistence.
Good Job Sir and keep up the good work."
Course Curriculum - 5 Hours
- 2-1 Network Configuration (3:25)
- 2-2 MayorSec Domain Setup Part 1 - Installing Windows Server 2019 (4:44)
- 2-3 MayorSec Domain Setup Part 2 - DC01 Invoke-ForestDeploy (4:01)
- 2-4 MayorSec Domain Setup Part 3 - DC01 InvokeADGenerator (4:57)
- 2-5 MayorSec Domain Setup Part 4 - Workstation-01 and Workstation-02 Creation (5:36)
- 2-6 MayorSec Domain Setup Part 5 - Workstation-01 and 02 Domain Connect (12:04)
- 2-7 MayorSec Domain Setup Part 6 - UbuntuMail (4:45)
- 2-8 MayorSec Domain Setup Part 7 - MayorSec Kali Installation (Optional)
- Section 4 Lab Machine Requirements
- 4-1 Website Enumeration and Wordlist Generation (10:14)
- 4-1a Host File Update Lecture for RoundCube Email (2:48)
- 4-2 OutWord Email Phishing With Covenant (10:59)
- 4-3 hta Email Phishing With Covenant (3:51)
- 4-4 hta Email Phishing With Metasploit (4:19)
- 4-5 Remediating Password Spraying and Email Phishing (2:01)
- Section 5 Lab Machine Requirements
- 5-1 Local Enumeration with Covenant (10:44)
- 5-2 Local Enumeration with Metasploit (6:19)
- 5-3 AutoLogon Misconfiguration and Exploitation (6:55)
- 5-4 AlwaysInstallElevated Misconfiguration and Exploitation with Covenant (6:30)
- 5-5 AlwaysInstallElevated Misconfiguration with Metasploit (3:18)
- 5-6 Fodhelper UAC Bypass with Covenant (5:51)
- 5-7 UAC Bypass with Metasploit (4:55)
- 5-8 New User Persistence (2:50)
- 5-9 Startup Persistence (4:02)
- 5-10 Autorun Persistence (5:55)
- 5-11 Session Passing to Metasploit, SOCKS, and the Autoroute Module (10:51)
- 5-12 Persistence via RDP (4:52)
- 5-13 Workstation Dominance Part 1 - Dumping Hashes with Covenant and Mimikatz (4:12)
- 5-14 Workstation Dominance Part 2 - Dumping Hashes with Metasploit (5:10)
- 5-15 Workstation Dominance Part 3 - Rulelist Hash Cracking with Hashcat (4:36)
- 5-16 Workstation Dominance Part 4 - Cracking the Credential Vault with Covenant (10:59)
- 5-17 Workstation Dominance Part 5 - Cracking the Credential Vault via Metasploit (7:20)
- 5-18 Workstation Dominance Part 6 - Dumping Firefox Credentials with Metasploit (7:29)
- Lab Machine Requirements
- 6-1 Offensive Powershell Part 1 - Downloading Files with Powershell (5:12)
- 6-2 Offensive Powershell Part 2 - Enumerating Users (5:13)
- 6-3 Offensive Powershell Part 3 - Enumerating Groups (3:07)
- 6-4 Offensive Powershell Part 4 - Enumerating Domain Computers and Shares (3:45)
- 6-5 Offensive Powershell Part 5 - Invoke-FileFinder (1:16)
- 6-6 Offensive Powershell Part 6 - Enumerating Local Admin Users (1:53)
- 6-7 Offensive Powershell Part 7 - Enumerating Group Policy Objects (2:10)
- 6-8 Offensive Powershell Part 8 - Enumerating Access Control Lists (5:28)
- 6-9 Offensive Powershell Part 9 - Enumerating the Domain (2:20)
- 6-10 Offensive Powershell Part 10 - Powershell Remoting (4:51)
- Section 7 Lab Machine Requirements
- 7-1 Preparing Necessary Domain Misconfigurations (5:54)
- 7-2 Brief Overview of the Domain Through Bloodhound (12:32)
- 7-3 Abusing ACLs (12:17)
- 7-4 Pivoting Through Remote Desktop via Compromised Host (6:51)
- 7-5 Configuring Reverse Port Forwarding (6:00)
- 7-6 Gaining a Shell on an Internal Workstation (6:12)
- 7-7 Remoting Through Proxychains (4:22)
- 7-8 Unconstrained Delegation (14:21)
- 7-9 Golden Ticket Persistence (5:15)
- 7-10 Reverse Port Forwarding for Shell on DC01 (7:00)
This course is included in our
All-Access Membership
starting at $29.99/month
Get full access to the Practical Ethical Hacking course and our full course catalog when you enroll in our All-Access Pass Membership.
About the Instructor
Joe Helle is an Army Veteran of the Iraq and Afghanistan Wars, former Mayor, and senior penetration tester at TCM Security. Known online as “TheMayor,” Joe has provided educational content and mentoring to thousands of people through Twitch and Youtube.
Joe is eCPPT, eWPT, OSCP, SSCP, CEH, Security+, Network+, and A+ and holds a Bachelor’s of Science in Cybersecurity and Information Assurance.
Follow Joe on Social Media:
LinkedIn: https:// www.linkedin.com/in/joe-helle
Twitter: https://twitter.com/joehelle
Youtube: https://www.youtube.com/c/JoeHellethemayor
Twitch: https://twitch.tv/themayor11
Courses Included in the All-Access Membership
Frequently Asked Questions
Can I get a refund if I'm unhappy with my purchase?
Yes. All purchases come with a 3-day money-back guarantee.
Will I receive a certificate of completion when I finish a course?
Yes. All courses come with a certificate of completion.
Do the courses count as Continuing Education Units (CEUs)?
Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.
What is the All-Access Pass?
As of July 1st, 2023 TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.
What if you already own courses on TCM Academy?
If you already own a course on our platform, you will continue to own that course forever. Previously owned courses will not be affected by this change.