CAST 611 - Advanced Penetration Testing

Advanced Penetration Testing Course




CAST 611 will teach you how to do a professional security test and produce the most important thing from a test: the findings and the report!

The ranges progress in difficulty and reflect an enterprise-level architecture. There will be defenses to defeat and challenges to overcome. This is not your typical FLAT network! As the range levels increase you will encounter the top defenses of today and learn the latest evasion techniques.

The format you will use has been used to train thousands of penetration testers globally; it is proven and effective!

The course is ALL Hands-On - 100%.
The format is to practice the professional security testing methodology for the first half of the class.

The sample methodology:
  • Information gathering and OSINT
  • Scanning Building a Target Database
  • Enumeration
  • Vulnerability Analysis
  • Exploitation
  • Post exploitation
  • Advanced techniques
  • Data Analysis
  • Report
Once you have practiced this then you will go against a "live" range.
The process is as follows:

Access the range:

  • You will be provided a scope of work
  • Have 2-3 hours on the range and then be provided a debrief
The ranges are progressive and increase in difficulty at each level. There are 3-4 levels to complete then you are ready for the challenge range practical!


  • Three phases
    • Scope of work for each phase
    • 6 hours to complete the practical
    • Save all of the data and build a target database of your findings at completion of the range section
    • Two hours for a written exam based on the ranges; pass the exam
    • Receive the CAST Advanced Penetration Tester Certification


  • So you think you can pen test? PROVE IT!
Kevin Cardwell - Penetration Tester Expert

Kevin Cardwell served as the leader of a 5-person Red Team that achieved a 100% success rate at compromising systems and networks for six straight years. He has conducted over 500 security assessments across the globe. His expertise is in finding weaknesses and determining ways clients can mitigate or limit the impact of these weaknesses.

He currently works as a freelance consultant and provides consulting services for companies throughout the world, and as an advisor to numerous government entities within the US, Middle East, Africa, Asia and the UK. He is an Instructor, Technical Editor and Author for Computer Forensics and Hacking courses. He is the author of the Center for Advanced Security and Training (CAST) Advanced Network Defense course. He is technical editor of the Learning Tree courses Penetration Testing Techniques and Computer Forensics. He has presented at the Blackhat USA, Hacker Halted, ISSA and TakeDownCon conferences. He has chaired the Cybercrime and Cyberdefense Summit in Oman. He is the author of BackTrack: Testing Wireless Network Security. He holds a BS in Computer Science from National University in California and an MS in Software Engineering from Southern Methodist University (SMU) in Texas. He developed the Strategy and Training Development Plan for the first Government CERT in the country of Oman, which was recently rated as the top CERT for the Middle East. He serves as a professional training consultant to the Oman Information Technology Authority, and developed the team to man the first Commercial Security Operations Center in the country of Oman. He has worked extensively with banks and financial institutions throughout the Middle East, Europe and the UK in the planning of a robust and secure architecture and implementing requirements to meet compliance. He currently provides consultancy to commercial companies, governments, major banks and financial institutions in the Gulf region, including the Muscat Securities Market (MSM) and the Central Bank of Oman. Additionally, he provides training and consultancy to the Oman CERT and the SOC team in the monitoring and incident identification of intrusions and incidents within the Gulf region.

Students completing this course will gain in-depth knowledge in the following areas:
  • Advanced Scanning methods
  • Attacking from the Web
  • Client Side Pen-testing
  • Attacking from the LAN
  • Breaking out of Restricted Environments
  • Bypassing Network-Based IDS/IPS
  • Privilege Escalation
  • Post-Exploitation

1. Information gathering and OSINT

  • Nslookup
  • Dig
  • dnsenum
  • dnsrecon
  • dnsmap
  • reverseraider
  • Enumeration of DNS with fierce
  • Internet registrars and whois
  • Enumeration with theHarvester
  • ServerSniff
  • Google Hacking Database
  • metagoofil
  • Cloud Scanning with Shodan

2. Scanning

  • Scanning with the Nmap tool
    • Scan for live systems
    • Scan for open ports
    • Identify services
    • Enumerate
    • Output the scanner results in an XML format for display
  • Scanning with autoscan
  • Scanning with Netifera
  • Scanning with sslscan
  • Scanning and Scripting with Hping3
  • Building a Target Database

RANGE: Live Target Range Challenge Level One

3. Enumeration

  • Enumerating Targets
  • Enumerating SNMP
  • Using the nmap scripting engine
  • Enumerating SMB
  • OS Fingerprinting

4. Vulnerability Analysis

  • Vulnerability Sites
  • Vulnerability Analysis with OpenVAS
  • Vulnerability Analysis with Nessus
  • Firewalls and Vulnerability Scanners
  • Vulnerability Analysis of Web Applications
    • XSS
    • CSRF
    • SQL Injection
    • Others
  • Vulnerability Scanning with W3AF
  • Vulnerability Scanning with Webshag
  • Vulnerability Scanning with Skipfish
  • Vulnerability Scanning with Vega
  • Vulnerability Scanning with Proxystrike
  • Vulnerability Scanning with Owasp-zap

RANGE: Live Target Range Challenge Level Two

5. Exploitation

  • Exploit Sites
  • Manual Exploitation
    • Scanning the target
    • Identifying vulnerabilities
    • Finding exploit for the vulnerability
    • Prepare the exploit
    • Exploit the machine
  • Exploitation with Metasploit
    • Scan from within Metasploit
    • Locate an exploit, and attempt to exploit a machine
  • Exploiting with Armitage
    • Scan from within Armitage
    • Managing targets in Armitage
    • Exploiting targets with Armitage
  • Exploitation with SET
    • Setup SET
    • Access compromised web site using Java attack vector
    • Gain user-level access to the latest Windows machines
    • Perform privilege escalation
    • Gain system-level access to the latest Windows machines
    • Extract data with scraper
    • Extract data with winenum
    • Analyze the pilfered data
    • Kill the antivirus protection

6. Post Exploitation

  • Conduct local assessment
    • Conduct the scanning methodology against the machine
    • Identify vulnerabilities
    • Search for an exploit
    • Compile the exploit
    • Attempt to exploit the machine
    • Migrate the exploit to another process
    • Harvest information from an exploited machine
    • Capture and crack passwords
    • Copy files to and from an exploited machine

RANGE: Live Target Range Challenge Four

7. Data Analysis and Reporting

  • Compiling Data in MagicTree
    • Take tool output and store it in a usable form
  • Compiling Data in Dradis
    • Storing OpenVAS results
  • Developing a Professional Report
    • Identify the components of a report
      • Cover Page
      • Table of Contents
      • Executive Summary
      • Host Table
      • Summary of findings
      • Detailed Findings
      • Conclusion
      • Appendices
  • Reviewing findings and creating report information
    • Conducting systematic analysis
      • Validation and verification
      • Severity
      • Description
      • Analysis/Exposure
      • Screenshot
      • Recommendation
  • Reviewing sample reports
  • Creating a custom report

8. Advanced Techniques

  • Scanning against defenses
    • Routers
    • Firewalls
    • IPS
  • Exploitation through defenses
    • Source port configuration
  • Detecting Load Balancing
    • DNS
    • HTTP
  • Detecting Web Application Firewalls
    • wafW00f
  • Evading Detection
    • Identifying the threshold of a device
    • Slow and controlled scanning
    • Obfuscated exploitation payloads
  • Exploit writing
    • Writing custom exploits
    • Exploit writing references

Practical Phase One

  • External penetration testing

Practical Phase two

  • External and Internal testing

Practical Phase Three

  • Internal testing

Written Exam

  • Based on practical results
  • 60 questions
  • 120 minutes
  • Open book, note and access to range is allowed during the test
  • 70% minimum required to pass

How will this course benefit you?

  • Understanding what it REALLY takes to break into a highly secured organization from the outside
  • Reviewing proven methods on how to move around the network without being detected by IDS/IPS
  • Appreciating best practices that are applied for mitigating or circumventing common security implementations such as locked-down desktops, GPOs, IDSs/IPSs/WAFs, among others
  • Having an in depth know-how on Pen-testing “High Security environments” such as government agencies, financial institutions, and other key installations

  • Information security professionals
  • Penetration Testers
  • IT managers
  • IT auditors
  • Government & Intelligence Agencies interested in real world attack and defense in today’s complex and highly secure IT environments

CAST On-site provides personalised Advanced Security Courses to meet the needs of the individual or company and are planned to ensure maximum flexibility in terms of logistics, dates and cost issues. Our certified expert trainers are experienced educators and highly knowledgeable in their respective fields. CAST On-site prides itself on strict quality control principles at all times to ensure that clients receive the highest standard of training and service.
CAST On-Site training is designed to add great value to your work force by increasing staff efficiency and skills ensuring improved productivity and output that far exceeds the value of the initial training costs.

Key features of CAST On-site:

  • Each of the courses selected from the CAST Advanced Training Suite will be specifically designed to meet the needs of each individual, based on their current skills and pace of learning, to meet your organisation’s unique objectives and goals
  • CAST On-site expert trainers will be flown down to your premises of choice at a date most suitable to you
  • CAST On-site allows students to receive training in more manageable sessions arranged over a spread of a few days, allowing for greater absorption of knowledge with an opportunity to practice and verify the new skills after each session prior to commencing the next one
  • With CAST On-site Advanced Security courses, students will be able to take advantage of directly conversing with the chosen expert in matters unique to the student and your organisation
  • You can rest assured that all challenges and objectives pertaining to your organisation’s goals can be discussed in an environment that ensures complete confidentiality
  • Each individual client receives the required high level of training that is benchmarked to international best practice and standards
  • Each student receives CAST Advanced Security Training Courseware that allows them to follow and revise the material that has been taught to them
  • Upon completion of the course, each student will receive a CAST On-Site Advanced Security Training certificate of attendance