Advanced Ethical Hacking and Attack Tools

Course Duration: 4 days

Course Overview: Attackers have at their disposal a large collection of tools that aid them in
exploiting systems. If you plan to defend against attacks, knowledge of these tools and the
techniques behind their use is imperative. This class covers vulnerabilities in systems, how
attackers locate these security holes, and how they can then exploit them to achieve their goals.
Additionally, the class covers defenses against the attackers' tools and techniques.

Labs in this course are of two types: (1) attacking a vulnerable system, and (2) preventing your
classmates from successfully attacking your system.

Course objectives:
Learn techniques attackers use to compromise systems
Learn how to defend against these attacks
Learn many of the tools available to attackers

Intended Audience:
If you are attending this class, then we assume that:
You have a basic knowledge of Windows, including the ability to install software
You are familiar with the Linux command line, including using a text editor, file manipulation
commands, and basic system administration tasks
You can read documentation for both of these systems
You know the ISO seven-layer model for networking, including what services each layer
provides
You understand the basics of TCP, UDP, and ICMP and know the differences between the
protocols

Logistics:
The student computers need to run both Linux and Windows under Xen. The class uses the
following software:

Firefox
Gnu C/C++ compiler
Hping2
Internet access
LaBrea tarpit software
Nemesis
Netcat
SARA
SNMP tools
Scapy
WebGoat v4.0 or later
Yersinia
bro
dig
dsniff
ettercap
gdb
host
metasploit
nessus
nmap
nm
objdump
rpcinfo
saint
snort
tcpdump
telnet
traceroute
whois
wireshark
development tools such as make
password cracking software
sufficient network address space for a honeynet (private IP addresses acceptable)


Because the students will be using a collection of attack tools, we strongly recommend that the
class network be isolated from the corporate network. However, Internet access (HTTP,
HTTPS, DNS, possibly POP or IMAP) is necessary. This access can be through a firewall, but
the firewall cannot prevent access to hacker sites.

The students will be gathering publicly available information about the customer's company.
Permission to gather this information from remote sites should be explicitly given. Attackers are
gathering this information already. However, the gathering of this information may reveal
security issues in the corporate presence on the Internet. Students will be explicitly directed not
to attack production machines.

The class network needs to be a /16. Private Internet space is acceptable.
Students will also need an external email address. Web-based email is preferred, but IMAP
and/or POP access will also work. Note that the mail user agent (web or other) must allow the
user to view the full set of headers. For an extra fee, this access can be provided.

In addition to the machines the students will use, the instructor needs a machine with at least a
dual-core 64-bit CPU with 4GB of RAM and a DVD reader. More memory would be an asset, as
would additional CPUs. This machine will run many of the victim systems as virtual machines,
as well as simulate a victim network full of machines. Software for this machine will be provided
on a DVD, and the instructor will install and test the setup on the day before the class starts.

Additionally, for an extra fee we can supply a bridging firewall placed between the class network
and the outside world that will enforce the rules and guidelines, as well as log any attempted
violations of the policy. To utilize this service requires:

the class has its own Ethernet switch, and
the instructor can access the room containing the switch and can place the firewall between
the class switch and the outside world.
The location for the firewall must provide sufficient cooling (ambient temperature not to exceed
75F), power (500 watts), and a stable physical location for the firewall machine.

Using this firewall is recommended because it will also be properly configured to act as a local
DHCP and DNS server as well as a web proxy, and to provide network address translation (NAT)
services. The instructor will set up the firewall the day before the class starts. The class needs a
web server for the class web site. The instructor's laptop may be this web server; otherwise the
machine provided in the classroom for the instructor is a good choice. This machine obviously
will need web server software installed.


COURSE OUTLINE

1. Introduction (Lecture: 25; Lab: 0)
(a) Class Introductions
(b) Class Logistics
i. Class schedule
ii. Breaks
iii. Question policy
iv. Break room and restroom locations
v. Assumptions about your background
(c) Typographic conventions
(d) What the class covers

2. Ethical hacking introduction (Lecture: 30; Lab: 0)
(a) Vocabulary
i. Worm
ii. Virus
iii. Firewall
(b) Attack goals
i. Access data
ii. Modify (including delete) data
iii. DoS
iv. Impersonate someone
v. Repudiation of actions
vi. Set up botnet
vii. Install rootkit
(c) Types of vulnerabilities that exist
i. Input validation
ii. Improper resource management
iii. Improper (or nonexistent) authentication
iv. Trust where it is not warranted
v. Broken (or missing) session management
vi. Improper configuration (of a potentially secure app/OS)
vii. Fail open and other failure issues
viii. Failure to patch
ix. Feature interaction
x. Lack of crypto use
xi. Assuming that adding crypto makes a product secure
xii. Vulnerable to a replay attack
xiii. Code reuse
xiv. Nobody would ever do THAT!
xv. It does not apply to me
(d) Attack procedure
i. Intelligence gathering
ii. Map target
iii. Identify entry point
iv. Execute attack
v. Achieving goal may require several sub-attacks
(e) Defending
i. Knowledge is key
(f) Risk analysis
i. It comes down to resources

(g) Legal issues
i. Apply this info wrong and go to jail
ii. Fail to properly apply this info and go to jail
iii. Millennium Copyright Act
iv. Do not attack machines outside of the classroom

3. Intelligence about the target (Lecture: 45; Lab: 45)
(a) Types of useful information
i. Network and host architecture
ii. Information for social engineering
iii. Likely skill level of programmers, sysadmins, web site admins, etc.
(b) Internal and external web sites
i. Corporate directories
ii. Multiple servers
(c) Google and other search engines
(d) Financial search engines
(e) Netcraft
(f) Geolocation
(g) DNS
i. Forward and reverse lookups
ii. Enumerate net blocks
iii. ARIN and related number authorities
iv. AS numbers
v. Tools
(h) Email
i. Email headers showing the route a message takes
(i) Defenses
(j) Lab

4. Network mapping (Lecture: 30; Lab: 45)
(a) Overall network architecture
(b) Firewalls
i. Filtering at various ISO layers
ii. Packet dropping versus blocking with ICMP reply
iii. Examples of firewall architectures
(c) Scanning for hosts
i. IP
ii. TCP
iii. UDP
iv. Options for these scans
(d) Tools and techniques
i. Tools for picturing the network
ii. nmap
iii. traceroute
iv. Other tools
(e) Defenses
(f) Lab


5. Host mapping (Lecture: 35; Lab: 30)
(a) Introduction
(b) Port scanning
i. Information available
ii. Uses for this information
iii. TCP
iv. UDP
v. ICMP
vi. Remote procedure call protocols
vii. Tools
viii. Stealth scanning
(c) Banner grabbing
i. Information available
ii. Tools
(d) OS identification
i. Active
ii. Passive
(e) Netcraft
(f) Defenses
(g) Lab

6. SNMP mapping (Lecture: 30; Lab: 30)
(a) Introduction
i. Quick overview of SNMP
ii. MIBs
iii. Versions of SNMP
iv. Information you can obtain
v. SNMP security (or lack thereof)
(b) Server information
i. Configuration
ii. Resources
iii. Network traffic
(c) Client information
i. Configuration
ii. Resources
iii. Network traffic
(d) Network hardware information
i. Configuration
ii. Resources
iii. Network traffic
(e) Tools
(f) Defenses
(g) Lab


7. Vulnerability analysis (Lecture: 45; Lab: 60)
(a) Vulnerability databases
i. How to interpret query results
ii. Attacker tools sites
A. Common limitations on attacker tools
(b) Vulnerability assessment tools
i. Limitations of these tools
(c) Defenses
(d) Lab

8. Network monitoring (Lecture: 20; Lab: 30)
(a) Why
i. Find passwords
ii. Find sensitive data
iii. Passive OS fingerprinting
iv. Passive network mapping
(b) Monitoring tools
(c) Attacking switches
i. Switches do not prevent eavesdropping
A. Tools
(d) Defenses
(e) Lab

9. Attacking the network infrastructure (Lecture: 25; Lab: 45)
(a) ARP spoofing
(b) DNS poisoning
(c) MAC flooding
(d) Network hardware runs an OS and has vulnerabilities and patches
(e) Network printers
(f) Defenses
(g) Lab

10. Network traffic injection (Lecture: 15; Lab: 25)
(a) Why inject traffic
i. Increase net load
ii. Hide the real attack
iii. Attack network stack vulnerabilities
(b) Tools
(c) Defenses
(d) Lab


11. Authentication and authorization (Lecture: 35; Lab: 30)
(a) Who authenticates?
i. clients
ii. servers
iii. users
(b) Methods of authentication
i. something you have, know, are
ii. Unix/Linux passwd files
iii. Windows authentication systems
iv. Kerberos
v. Smart cards
vi. Salting
(c) Attack types
i. dictionary
ii. brute force
(d) password guessers
(e) Defenses
(f) Lab

12. Session hijacking (Lecture: 25; Lab: 35)
(a) Introduction
i. The TCP three-way handshake
(b) Examples
(c) Tools
(d) Defenses
(e) Lab

13. Honey pots, dark nets, and tar pits (Lecture: 30; Lab: 30)
(a) Introduction
i. Definitions
ii. Examples
(b) Automatic response
(c) Detecting
(d) Tools
i. Tools for creating
ii. Tools for detecting
(e) Lab

14. Host-based intrusion detection (Lecture: 30; Lab: 35)
(a) Introduction
(b) Examples
i. Tripwire
ii. Antivirus systems
(c) Evading host-based IDSs
i. Mimicry attacks
(d) Shutting down host-based IDSs
i. Squealing
(e) Tools
(f) Defenses
(g) Lab

15. Network IDSs (Lecture: 30; Lab: 45)
(a) Introduction
(b) Examples
(c) IDS placement and network architecture
(d) Evading network-based IDSs
(e) Shutting down IDSs
(f) Lab

16. Rootkits (Lecture: 30; Lab: 60)
(a) What is a rootkit?
(b) Installing
(c) Detecting
(d) Summary
(e) Lab

17. Attacking web applications (Lecture: 45; Lab: 60)
(a) How HTTP works
i. HTTP basics
ii. Common Gateway Interface (CGI) Parameters
iii. GET and POST
iv. Cookies
(b) The attacker controls the client
i. Hidden forms
ii. Cookies
(c) Alternate encodings to evade input validation
(d) Attack tools
(e) Defending against these attacks
(f) Summary
(g) Lab

18. Cross-site scripting (XSS) (Lecture: 40; Lab: 30)
(a) Overview
(b) A simple example
(c) Example XSS attacks
i. DoS the user's browser
ii. DoS a web server
iii. Session hijacking
iv. Posting a bogus news story at a news site
v. Port scanning
vi. Worms and viruses
(d) Locations to place script references
(e) Ways attackers try to obscure XSS
(f) XSS is not just for HTML
(g) XSS solutions
(h) Cross-site request forgery
i. CSRF solutions
(i) Lab


19. State and web applications (Lecture: 45; Lab: 45)
(a) Introduction
(b) Where state is stored
i. Hidden fields in forms
ii. HTTP Referer field
iii. CGI parameters
iv. Cookies
(c) Guessable session identifiers
(d) Session hijacking
(e) Summary
(f) Lab

20. SQL injection (Lecture: 30; Lab: 45)
(a) Introduction to SQL injection
i. SQL and the web
(b) Finding vulnerabilities
(c) Exploiting vulnerabilities
(d) Defenses
(e) Summary
(f) Lab

21. Buffer overflow introduction (Lecture: 10; Lab: 0)
(a) Introduction
(b) Memory layout
(c) A simple example
(d) Summary

22. Stack overflows (Lecture: 25; Lab: 60)
(a) Introduction
(b) Example
(c) Other exploits for stack overflows
i. Example
(d) More stack overflow information
(e) A real stack overflow exploit program
(f) Summary
(g) Lab


23. Pointer issues (Lecture: 35; Lab: 45)
(a) Introduction
i. Example
(b) Pointers to functions
(c) C++ virtual method table
i. Example
(d) Global offset table (GOT)
(e) The .dtors section
i. Example
(f) Exit handlers
i. Example
(g) setjmp/longjmp
(h) Exception handling
(i) Summary
(j) Lab

Appendices
A. Wireless networks (Lecture: 45; Lab: 60)
(a) Introduction
i. 802.11abg
ii. Basic radio concepts
(b) Antennas
i. Commercial
ii. Homebuilt
(c) SSID and beacons
(d) Encryption schemes
i. WEP, WPA1, WPA2
ii. What they are
iii. Weaknesses
(e) Wardriving
(f) Tools
(g) Defenses
(h) Lab

B. Heap overflows (Lecture: 10; Lab: 40)
(a) Introduction
(b) Heap data structure attacks
(c) Common programming errors
(d) Example
(e) Summary
(f) Lab