Junior Penetration Tester (IHK) - Online (English)

The participant masters the standard procedures of a penetration test. They learn about legal foundations, standards, and a selection of different career paths, and can name and categorise them as needed. They are capable of independently conducting superficial reconnaissance and identifying obvious vulnerabilities. Additionally, the participant is taught the basics of exploiting vulnerabilities to gain a foothold. The participant is familiar with the differences between exploit frameworks and manual approaches, their advantages and disadvantages, as well as troubleshooting non-functional exploits. They learn various types of privilege escalation and lateral movement and can apply them under guidance. The participant can appropriately prepare and document discovered vulnerabilities in a target audience-oriented manner.

Course content

1. Foundations and Frameworks 

• Security goals, pillars of IT security
• Types of hackers
• Laws and regulations, critical infrastructure (KRITIS)
• Standards and methods
• Career paths & IT security professions
• Relevant certifications, further education opportunities, training labs
• Project management (Waterfall vs. Agile)
• Red Teaming vs. Pentesting vs. Vulnerability Analysis
• CTF vs. Pentesting
• Phases of an attack/Kill Chain, Lockheed Martin, PTES, MITRE, etc.

2. Structure and Process of a Penetration Test 

• Phases/Process of a penetration test
• Objective and results of a penetration test
• Documentation of vulnerabilities
• Planning/Initiation of a penetration test
• Risks and common mistakes (from practice to practice)
• Scoping
• Result presentations for IT & Management

3. Conducting a Penetration Test 

• KickOff
• Information Gathering/ Active /Passive Reconnaissance
• Fundamentals of countermeasures (FW, IDS, IPS, WAF, EPP, Logging, SIEM) & Security Operations (SOC, CERT, Blue Team, etc.)
• Vulnerability Analysis and Vulnerability Classification (CVE, CVSS, Exploitability, and Criticality)
• Dealing with 0-Days Disclosure Types (Responsible, Full)
• Exploitation/Low Hanging Fruits (Common Attack Paths like SQL/Command Injection, Basic Buffer-Overflow, Misconfigurations, etc.)
• Post Exploitation Basic Privilege Escalation Looting, Persistence, and Lateral Movement/ Low Hanging Fruits
• Differences On-Premise vs. Cloud
• Mobile & Web Application Pentesting Basics

Participants have access to a specially developed virtual E-LAB during the event and the exam, through which the course contents are taught and tested. The practical implementation of various attack techniques takes centre stage.

Video Introduction to the Course: https://youtu.be/VoEt4msIjC0

The course is carried out in cooperation with the IT-Security Company ProSec GmbH. The company offers premium IT security services, penetration testing, as well as security consulting and actively conducts zero-day research.