25,000+ Courses Nationwide
0345 4506120

CREST Registered Penetration Tester (10 days)

The CREST penetration testing course takes students of varying IT experience levels and re-skills them so that they can enter the industry not as a trainee but as qualified Penetration Tester making them productive from day one. This is an Accredited CREST Training course. This is THE Penetration Tester Training that you need to have!

This in-depth, hands-on, 2-week course will take you into a rewarding and lucrative career in the Cyber Security world.

Select specific date to see price, venue and full details.

Learning Objectives

To help you forge a successful career within this sector we will thoroughly prepare you to gain two (2) of the most relevant, in-demand, industry-recognized qualifications; which are:

+ CREST Practitioner Security Analyst (CPSA) + CREST Registered Penetration Tester (CRT)

Course Style:

The CREST penetration testing course training combines Instructor-led, Virtual Instructor-led, and self-paced e-Learning modules. This “blended learning” approach integrates classroom, hands-on lab exercises, and project teamwork to provide both the theoretical and practical training needed to make individuals Cyber Security professionals.

The course will allow our students to leave as sought-after professionals, well-equipped with the in-demand job skills and certifications needed to be employed as technically well-rounded professionals in any Cyber Security team.



  • using VMware, Virtual box, Hyper-V – at least one of mentioned platforms
  • being able to create and use VMs, configure networking (bridge, NAT) in abovementioned platforms
  • understand that VMs can be converted from one platform to another


  • being able to configure IP settings on various windows and Linux OSs
  • being able to configure routing and manipulate routing tables on windows and Linux OSs
  • understanding basic troubleshooting tools and being able to fix troubleshoot networking issues related to IP, DNS, DG

Operating System

  • being able to perform software installation, uninstallation, OS updates at least on windows and preferably Linux OSs
  • know how to create users and add users to groups at least on widows and preferably Linux OSs
  • being able to troubleshoot computer boot issues


  • know how to enter the BIOS and modify various settings
  • understand boot sequence and preferably BIOS POST procedure

General knowledge

  • general computer user knowledge related to:
  • Internet browsing,
  • file copy and paste
  • file permissions
  • command line tools usage and understanding on command vs. switches
  • compression tool usage
  • good understanding on different file types on windows and what to do with them

Soft skills

  • being able to work in a stressful situations
  • being able to learn without supervision
  • being able to think out of the box

Who should attend

This training is intended for individuals who wish to have a rewarding and lucrative career in the Cyber Security world.

Course Content

Course Structure

Step 1 – You meet the pre-requisite requirements (see below)

Step 2 – Receive 2 weeks of instructor lead training.

Step 3 – Enrolled Delegates are issued with a Pearson VUE exam voucher for CPSA exam to be taken anytime.

Step 4 – Delegates are given access to our iLab services for 30 days.                

The instructor is contactable by email to support practical classes & exercises.

Step 5 – The iLab will give delegates continued access to the learning environment to practice all the skills you have been taught on the course.

Step 6 – Take the CRT exam at a Crest testing center near you.

The Penetration tester course will allow our students to leave as sought-after professionals, well-equipped with the in-demand job skills and certifications needed to be employed as technically well-rounded professionals in any Cyber Security team.

Security Concepts

  • Introduction to security
  • CIA/DAD triangles
  • Defense in depth
  • Main reasons why hacker succeed

Risk management

  • Threat modelling
  • Risk assessment process
  • Risk treatment
  • Risk management and Penetration testing
  • LAB: Threat modelling

Law & Compliance

  • UK legislation:
  • Computer Misuse act 1990
  • Human Rights Act 1998
  • Data Protection Act 1998
  • Police and Justice Act 2006
  • Penetration testing and legislation
  • Regulatory issues

Attack phases

  • Hacking attack phases
  • Techniques for scanning the network
  • Techniques for resource enumeration
  • Google hacking
  • DEMO: Google hacking (using advanced operators, elmah.axd, online devices, targeting specific domain, file type, …)
  • OS and service fingerprinting
  • DEMO: OS and service fingerprinting and EoP (Homework)
  • LAB: Reconnaissance
  • LAB: scanning ports and services with nmap
  • DEMO: Enumerating: DNS, SNMP, AD, SMTP

Penetration testing

  • Penetration testing explained
  • Penetration testing phases
  • Difference between vulnerability scanning and penetration testing
  • How to write a Penetration testing report
  • DEMO: Example penetration testing report
  • DEMO: Vulnerability scanning using various tools (nmap, ZAP, Accunetix WVS, Nessus)
  • LAB: Vulnerability scanning (network and Web)

TCP/IP protocols

  • OSI and TCP/IP models
  • Network layer protocols: IP protocol v4
  • Network layer protocols: IP protocol v6
  • Network layer protocols: ICMP
  • Network layer protocols: IPsec
  • Transport layer protocols: TCP
  • Transport layer protocol: UDP
  • Application layer protocols: DNS, DHCP, SSH, SNMP, TFTP, NTP
  • Other protocols: , Cisco Reverse Telnet, CDP, HSRP, VRRP, VTP, STP, TACACS+
  • Layer 2 protocols: ARP
  • VoIP
  • Cabling and network types: CAT 5 / Fibre , 10/100/1000baseT, Token ring
  • Cisco configuration files and security
  • LAB: Analysing traffic with Wireshark and Microsoft Message analyser
  • LAB: Analysing traffic with Network miner
  • DEMO: Cisco configuration files, Mikrotik configuration files

Network devices

  • Switches (Hubs)
  • Routers
  • Firewalls
  • Honeypots
  • DEMO: Tunnelling traffic through firewalls
  • LAB: Iptables basic settings

Wi-Fi protocols and security

  • WEP and vulnerabilities
  • WPA and vulnerabilities
  • WPA2 and vulnerabilities
  • DEMO: Cracking WEP
  • DEMO/LAB: Cracking WPA2
  • DEMO: Rogue Wi-Fi access point

MitM attacks

  • ARP spoofing
  • DNS spoofing
  • MAC duplicating
  • DHCP attacks
  • Other MitM attacks
  • DEMO: ARP spoofing, basic MitM attacks
  • LAB: MitM attacks (ARP spoofing with arpspoof in Linux and Cain&Abel in windows)


  • Cryptography basics
  • About encryption (history, symmetric and asymmetric encryption basics)
  • Encryption protocols (DES, 3DES, AES, RC4)
  • Encoding and protocols
  • Hashing and protocols (MD5, SHA-1, SHA-2, SHA-3)
  • PKI 101
  • PKI algorithms and integrity codes (RSA, HMAC)
  • HTTPS and protocols: SSL (NOT TO BE USED ANYMORE), TLS
  • LAB: Testing HTTPS supported protocols
  • LAB: MitM attacks (MitMf – Man in the middle framework tool ): ARP, DNS, java script and HTML injection, smb credentials steeling, SSLStrip, SSLStrip+ and other attacks possible)

Tools showcase (basic concepts and usage) – DEMO

  • nc, ncat, cryptcat
  • nmap, port service, vulnerability scanning
  • metasploit framework

Tools showcase – LAB

  • nc, ncat, cryptcat
  • nmap, port service, vulnerability scanning
  • metasploit framework

Pivoting with various tools

  • DEMO: Pivoting with metasploit framework
  • LAB: Pivoting with metasploit framework
  • DEMO:ssh local and remote port forwarding
  • DEMO: Pivoting through windows client
  • LAB: Pivoting through windows client

Windows OS

  • Windows basic troubleshooting, commands and services hacker would use ((ipconfig, nslookup, net, netstat, nbatstat, sc, netsh, ftp, tftp, telnet, arp, wscript, cscript, add services through command shell, batch scripts, process list, kill process, ipconfig, tracert, …)
  • File permission basics
  • Registry and permissions
  • AD 101 (DC, GC, FSMO, master browser)
  • Domain reconnaissance
  • User and group enumeration (NetBIOS, SNMP, AD)
  • Windows passwords: LM (SHUDN’T BE USED ANYMORE), NTLM, NTLMv2
  • LAB: user and group enumeration on windows AD using various techniques
  • LAB: resetting local and AD password
  • LAB: Cracking windows passwords (Brute force, dictionary, precomputed hashes) using cain, john and or hashcat
  • DEMO: Pass the hash
  • LAB: “stealing” NTLMv2 hash from client surfing the web in MitM attack
  • Windows patching techniques
  • RDP
  • EoP (Elevation of privilege) on windows
  • Post exploitation techniques, and “shell” escapes
  • MS Exchange attack vectors
  • Common windows application vulnerabilities

Linux OS

  • Bash basics
  • Linux basic troubleshooting commands and services hacker would use (ifconfig, ip, arp, netstat, traceroute, smbclient, rpcclient, service, systemctl, journalctl, /etc/network/interfaces, add service to autostart, mount, mkfs, fdisk, start and configure: apache, ftp, tftp, ssh…)
  • Linux file permissions basics
  • User enumeration on Unix like systems
  • Gaining remote access to linux systems through remotely exploitable, publicly available vulnerabilities
  • Sendmail/SMTP publicly known exploits
  • NFS
  • R* services
  • X11
  • RPC services
  • SSH

Web applications security incidents

  • Introduction to web application security
  • Various attacks on web applications
  • Web application attack statistics (Verizon DBIR, AKAMAI state of the Internet report, White Hat security

Web technologies and concepts

  • History
  • Multi-tier architecture
  • Web technologies concepts
  • HTTP protocol
  • Encoding
  • HTTP protocol methods
  • HTTP protocol status codes
  • Cookies
  • Cookie protection
  • HTML
  • XML
  • SOAP
  • Parameter tampering concepts
  • OWASP: Top 10
  • OWASP: Testing guide
  • Various web debugger proxy tools
  • LAB: Burp proxy (FREE edition) parameter tampering
  • LAB: Burp proxy (FREE edition) Crawling
  • LAB: Burp proxy (FREE edition) Using Repeater and Intruder
  • LAB: ZAP proxy automated scanning

Web application frameworks

  • NET / Silverlight (NOT TO BE USED ANYMORE)
  • LAB: Decompiling Silverlight application
  • PHP
  • Java
  • LAB: Decompiling Java application
  • Flash
  • LAB: Decompiling Flash application

Web servers concepts and differences

  • MS IIS
  • Apache
  • Tomcat
  • Web server vulnerabilities
  • LAB: Hacking Tomcat server

Bypassing client side controls

  • Parameter tampering
  • Client side attacks
  • DEMO: Client side attack example (DLL hijacking)
  • Hidden form fields
  • Session cookies and cookie protection
  • DEMO: Cookie analysis
  • URL parameters
  • Referrer header
  • LAB: Cookie analysis and parameter tampering
  • How to defend against this type of attacks

Authentication attacks

  • Authentication/Authorization concepts
  • Authentication methods: Basic
  • Authentication methods: Digest
  • Authentication methods: Integrated Windows
  • Authentication methods: Form based
  • Authentication methods: Client certificate
  • LAB: Analysing various authentication types
  • LAB: Password cracking with burp
  • LAB: Password cracking with hydra
  • How to defend against this type of attacks

Design/Implementation flaws

  • Bad passwords
  • Authentication susceptible to Brute-force
  • Verbose failure messages
  • Unprotected transmission of credentials
  • Change and forgotten password functionality
  • Remember me functionality
  • User impersonation functionality
  • How to defend against this type of attacks

OWASP TOP 10: Injection (A1)

  • SQL injection explained
  • DEMO: SQLi (simple, complex, automated)
  • LAB: SQLi simple
  • LAB: from SQLi to reverse shell
  • LAB: SQLi automation using SQLMap tool
  • LDAP injection explained
  • OS command injection explained
  • LAB: from OS command injection to shell
  • How to defend against this type of attacks


  • Cross Site Scripting types explained
  • DEMO: stored and reflected XSS
  • LAB: simple reflected XSS
  • LAB: cookie stealing using XSS
  • LAB: from XSS to shell using BeeF (Browser Exploitation toolkit)
  • How to defend against this type of attacks

OWASP TOP 10: Broken authentication and session management (A2)

  • Session management and vulnerabilities
  • Cookie weaknesses
  • Cookie stealing techniques
  • DEMO: Trace.axd, Elmah.axh

Other common web application vulnerabilities

  • DoR (Direct Object references)
  • LAB: DoR
  • How to defend against this type of attacks
  • File inclusion: local (LFI)
  • File inclusion: remote (RFI)
  • Directory traversal
  • Null byte attacks
  • DEMO/LAB: LFI, RFI with directory traversal
  • File upload issues
  • DEMO: from image to root in few minutes
  • LAB: from image to root

Microsoft SQL server

  • Common attack vectors
  • Privilege escalation through database connection
  • DEMO: MS SQL server EoP through database connection

Oracle RDBMS

  • Common attack vectors
  • Oracle default accounts
  • Version identification
  • DEMO: ORACLE RDBMS version identification and default user accounts


  • Common attack vectors
  • Privilege escalation through database connection
  • DEMO: MySQL UDF exploit

Web application database connectivity

  • MS SQL server authentication methods and connection
  • Oracle server authentication methods and connection
  • MySQL server authentication methods and connection
  • MS Access authentication methods and connection

BoF (Buffer overflow)

  • Computer architecture and Assembly language intro
  • BoF attacks and examples (stack, SEH)
  • DEMO: Simple stack BoF from fuzzing to exploit
  • DEMO: Simple stack SEH BoF exploit
  • HOMEWORK: Simple stack BoF from fuzzing to exploit
  • BoF protection techniques

Related Courses

Privacy Notice

In order to provide you with the service requested we will need to retain and use your contact information in accordance with our Privacy Notice. If you choose to provide us with this information you explicitly consent to us using the information as necessary to provide the requested service to you. If you do not agree please do not proceed to request the service from us.

Marketing Permissions

Would you like to receive our newsletter and other information on products and services which we think will be of interest to you by email. We will always treat your information with care and in accordance with our Privacy Notice. You are free to withdraw this permission at any time.


We work with the best