Introduction in red teaming and penetration testing
November 11th, 2025 | Bucharest
This one-day, hands-on workshop teaches the basics of penetration testing and red teaming through a series of hands-on activities.
The training includes how to scan and exploit networks, test web applications using the OWASP Top 10, attack Active Directory, and set up and run phishing campaigns to get initial intrusion. Each topic has a guided lab where people can use what they learn right away on weakened systems and vulnerable applications.
At the end of the session, participants will know how to find, use, and responsibly report security issues. They will also learn skills that can be used to assess real-world environments.
Why is this workshop relevant?
This workshop is a hands-on crash course in red teaming and penetration testing.
Participants will learn to think like attackers and spot real security weaknesses by testing web apps with the OWASP approach, exploiting Active Directory misconfigurations, hacking vulnerable systems, and running a safe phishing campaign.
By the end of the day, they’ll know how to find, exploit, and report vulnerabilities responsibly, skills they can use to engage in a client’s network, assess a web application and mitigate properly found weaknesses.
Workshop agenda
- Introduction – What is penetration testing? What is red teaming? Engagement stages and rules of engagement
- Work Environment – Setting up Kali VM (VMware) and essential tools (nmap, Metasploit, Burp Suite)
- Recon & Enumeration – Internal vs. external scans, nmap (ports, services, OS fingerprinting), service enumeration, automation
- Exploitation & Post-Exploitation – Basic attacks (brute force, default creds), finding exploits, privilege escalation (Windows & Linux)
- Lab – Vulnerable Machine: scanning, exploitation, privilege escalation with Metasploit
- Burp Suite Basics – UI walkthrough, methodology, endpoint fuzzing
- OWASP Top 10 & RCE – Focus on SQLi, IDOR, Broken Authentication, XXE, insecure deserialization, file upload
- Lab – Exploit weak login, perform manual blind SQLi, XXE → RCE, extract source code, exploit insecure PHP deserialization
- Introduction to AD – AD structure and enumeration tools (PowerView, BloodHound)
- Core Attacks & Persistence – Pass-the-Hash, shadow credentials, delegation abuse, golden/silver tickets, skeleton key
- Lab – LDAP unauthenticated enumeration, brute force DC login, enumerate domain users/groups, create golden ticket
- Phishing Fundamentals – Why social engineering works, website analysis & cloning
- Infrastructure Setup & Campaign – Mail server setup, SSL, GoPhish campaign, SPF/DMARC/DKIM checks
About the trainer

CONFIDENTIAL
Confidential started his career as a software developer, working with PHP (and various frameworks), Node.js, .NET, and C. Afterwards, he spent a year in digital forensics before moving into application security, where he gained over three years of hands-on experience. Today, confidential is a Red Team Lead, leveraging a strong background in offensive security and holding certifications including OSCP, OSEP, OSED, OSWE, OSCE3, CRTO, and CRTL.
Who is it for?
- Skill Level: Beginner
- Target Role: Junior Penetration Tester/Junior Red Teamer
Key learning objectives (I):
✔ Understand the difference between penetration testing and red teaming
✔ Explain engagement stages and rules of engagement
✔ Set up and configure a Kali Linux VM
✔ Use core tools like nmap, Metasploit, and Burp Suite
✔ Perform network scans and service enumeration
✔ Identify and exploit vulnerable services
✔ Escalate privileges on Windows and Linux
✔ Apply OWASP Top 10 methodology
✔ Exploit SQL injection
Key learning objectives (II):
✔ IDOR
✔ Authentication flaws
✔ XXE
✔ Insecure deserialization, and file upload vulnerabilities, manually exploit blind SQL injection
✔ Enumerate Active Directory users and groups with PowerView and BloodHound
✔ Perform Pass-the-Hash
✔ Shadow credential abuse
✔ Delegation attacks
✔ Create and use golden tickets
✔ Explain the role of social engineering
✔ Set up phishing infrastructure with mail server and SSL
✔ Run a GoPhish campaign
✔ Verify SPF, DMARC, and DKIM
Other information & prerequisites
- Basic Networking Knowledge: understanding of IP addressing, subnets, routing, and the OSI model
- Familiarity with Common Protocols: HTTP/HTTPS, DNS, FTP, SSH, SMB
- Basic Web Technologies: ability to read and understand HTML, CSS, JavaScript
- Fundamental Database Knowledge: basic SQL syntax, CRUD operations, and understanding of relational databases (MySQL, PostgreSQL, or similar)
- Basic CLi Knowledge
Technical requirements for attendees:
OS: Windows/Unix Systems
RAM: 12-16 GB
Software Required:
- VMWare
- Download Kali VMWare VM
- Burp Suite
Estimated Workshop Duration: 8 hours
Language of Instruction: Romanian and/or English.
Participation fee: EUR 250
FAQs
If we do not meet the minimum number of participants, you can either transfer to another workshop and pay or receive a refund for any difference in price, or opt for a full refund. You will be notified in advance and given options to choose what works best for you.
The workshop price covers food. However, accommodation is not included, but we can recommend nearby options for your convenience.
Yes, full refunds are available up to 15 days before the workshop start date. However, if you cancel after that, we can offer only 50% of the price.
You will receive an email with all the necessary details, including the workshop location, prerequisites, and schedule, at least one week before the event. If you have any immediate questions, feel free to reach out to us directly.