Monthly Archives: March 2023
192. Post-report Activities (OBJ 4.2) In this section of the course, we’re going to discuss the different actions that you need to perform after your report has been completed and delivered to your client. As we move through this section, we’re going to continue looking at the fourth phase of our engagement, reporting and communication. […]
187. Secure Coding (OBJ 4.2) Secure Coding. In this lesson, we are going to talk about some secure coding best practices. And in this lesson, we’re going to talk about input validation, output encoding, and parametrized queries. First, let’s talk about input validation. Now I know I’ve mentioned how important it is when I talked […]
185. Administrative Controls (OBJ 4.2) In this lesson, we’re going to talk about some administrative controls. This includes role-based access control, minimum password requirements, policies and procedures, and secure software development life cycles. First, we have role-based access control. Role-based access control is a security approach that focuses on restricting the availability of a resource […]
183. Physical Controls (OBJ 4.2) In this lesson, we’re going to talk about some physical security controls that you can use as remediation against vulnerabilities found during your penetration tests. Often, you’re going to find that physical access is a lot easier to achieve than getting remote access, because a lot of organizations will fall […]
180. Findings and Remediations (OBJ 4.2) In this section of the course, we’re going to discuss how to make recommendations for appropriate remediations based on the findings that you found during your penetration test. As we move into this section, we’re going to be continuing to look at the fourth phase of our engagement, reporting […]
176. Report Data Gathering (OBJ 4.1) In this lesson, we’re going to discuss how you gather data for the report at the end of your engagement. Now, data can come from numerous different sources including your open source intelligence, reconnaissance, enumeration, vulnerability scanners, and your attack and exploit tools. As you conduct your engagements, you […]
174. Reasons for Communication (OBJ 4.3) In this lesson, we’re going to discuss the different reasons for communication during a penetration test or engagement. These reasons include situational awareness, de-confliction, de-escalation, identifying false positives, criminal activity, and goal reprioritization. The first reason that a penetration tester needs to communicate with the target organization is to […]
171. Communication and Reports (OBJ 4.3) In this section of the course, we’re going to discuss the importance of communication during the penetration testing process, and the different components that you should include in your final written report that you’re going to deliver to your client. As we move through this section, we’re going to […]
169. Persistence and Covering Your Tracks (OBJ 3.7) In this demonstration, I’m going to show you how you can set up scheduled tasks for persistence, as well as to cover your tracks in a basic Windows environment. Now, for this particular demonstration, I am using a very old version of Windows, which is actually Windows […]
166. Covert Channels (OBJ 3.7) Covert Channels. Now, in the last lesson on data exfiltration, I talked about overt channels. Things like FTP, or peer-to-peer, or instant messaging, that are obvious ways to send data. But data exfiltration can also happen over covert channels. We talked about this by hiding data inside of DNS and […]