HBO

Introduction au pentest: methodology, web security, and Linux/Windows pentest practice.

Instructor: Daniel De Almeida Braga; Gwendal Patat

Term: M1 CyberSchool / SLM

Location: Universite de Rennes

Time: 22.5 hours (10.5h lectures + 12h TD/labs)

Course Description

This course introduces the fundamental principles, methodology, and good practices of penetration testing. It focuses on how to structure an assessment, choose appropriate tools, document findings, and communicate risk clearly.

The technical content emphasizes web pentesting with OWASP-style vulnerabilities, then extends the methodology to Linux and Windows targets.

At the end of this module, students should be able to:

  • Explain the main phases of a pentest engagement.
  • Identify and test common web vulnerabilities.
  • Use standard pentest tooling in a controlled environment.
  • Produce actionable technical findings.

Prerequisites

  • Basic Unix and Windows usage.
  • Basic networking knowledge.
  • Introductory computer-security concepts.

Teaching Language

French, with some material in English.

Schedule

Topic Materials
Course setup and pentest scope

Course expectations, legal/ethical framing, environment setup, and first tooling checks.

Pentest methodology

Engagement phases, scoping, information gathering, exploitation reasoning, reporting, and communication.

Web security foundations

HTTP, browser/server trust boundaries, common web vulnerabilities, and first hands-on exercises.

OWASP practice

SQL injection, XSS, clickjacking, CSRF, and the practice of turning vulnerability classes into test plans.

Passwords and authentication

Password attacks, credential handling, authentication weaknesses, and practical defensive implications.

Web pentest

Guided web pentest exercise from reconnaissance to exploitation notes and reportable findings.

Linux pentest

Practical Linux target assessment, local enumeration, privilege analysis, and exploitation workflow.

Windows pentest

Practical Windows target assessment, local enumeration, credential exposure, and privilege escalation reasoning.