Professional Enterprise Penetration Testing

In-person

1. Recon for massive scopes

2. Passive recon using modern whois, DNS and ASNs

3. In-deposable cloud recon

4. Scouring for credentials, secrets and keys

5. Username enumeration

6. Service enumeration

7. AiTM and device code phishing

8. Attacking common services

9. Scanning vs. Mass scanning

10. Strategies for scanning large networks

11. Service enumeration

12. Vulnerability scanning

13. Exploit selection for initial access

14. Info gathering for initial access (users, emails, tech in use, etc.)

15. Email based social engineering

16. Phishing and payload delivery

17. Payloads and stages

18. Different types of payloads

19. Commonly used payloads

20. Choosing a C2

21. C2 for initial access

22. C2 for post exploitation

23. Persistence

24. Linux privilege escalation

25. Windows privilege escalation

26. EDR evasion

27. Lateral movement

28. Exfiltration

29. Clear text passwords

30. Online password attacks

31. Dumping hashes

32. Capturing hashes

33. Extracting hashes

34. Using uncracked hashes

35. Cracking hashes

36. Enumerating AD

37. Escalating privileges in AD

38. Kerberos attacks

39. AD persistence

40. Types of reporting

41. Reporting best practices

42. Reporting pitfalls