Course Overview: Attackers have at their disposal a large collection of tools that aid them in exploiting systems. If you plan to defend against attacks, knowledge of these tools and the techniques behind their use is imperative. This class covers vulnerabilities in systems, how attackers locate these security holes, and how they can then exploit them to achieve their goals. Additionally, the class covers defenses against the attackers' tools and techniques.
Labs in this course are of two types: (1) attacking a vulnerable system, and (2) preventing your classmates from successfully attacking your system.
Course objectives:
   Learn techniques attackers use to compromise systems
   Learn how to defend against these attacks
   Learn many of the tools available to attackers
Intended Audience: If you are attending this class, then we assume that:
   You have a basic knowledge of Windows, including the ability to install software
   You are familiar with the Linux command line, including using a text editor, file manipulation commands, and basic system administration tasks
   You can read documentation for both of these systems
   You know the ISO seven-layer model for networking, including what services each layer provides
   You understand the basics of TCP, UDP, and ICMP and know the differences between the protocols
Logistics: The student computers need to run both Linux and Windows under Xen. The class uses the following software:
   Firefox
   GNU C/C++ compiler
   Hping2
   Internet access
   LaBrea tarpit software
   Nemesis
   Netcat
   SARA
   SNMP tools
   Scapy
   WebGoat v4.0 or later
   Yersinia
   bro
   dig
   dsniff
   ettercap
   gdb
   host
   metasploit
   nessus
   nmap
   nm
   objdump
   rpcinfo
   saint
   snort
   tcpdump
   telnet
   traceroute
   whois
   wireshark
   development tools such as make
   password cracking software
   sufficient network address space for a honeynet (private IP addresses acceptable)
Because the students will be using a collection of attack tools, we strongly recommend that the class network be isolated from the corporate network. However, Internet access (HTTP, HTTPS, DNS, possibly POP or IMAP) is necessary. This access can be through a firewall, but the firewall must not block access to hacker sites.
The students will be gathering publicly available information about the customer's company. Permission to gather this information from remote sites should be explicitly given. Attackers are gathering this information already. However, gathering this information may reveal security issues in the corporate presence on the Internet. Students will be explicitly directed not to attack production machines.
The class network needs to be a /16. Private Internet space is acceptable. Students will also need an external email address. Web-based email is preferred, but IMAP and/or POP access will also work. Note that the mail user agent (web or other) must allow the user to view the full set of headers. For an extra fee, this access can be provided.
In addition to the machines the students will use, the instructor needs a machine with at least a dual-core 64-bit CPU with 4GB of RAM and a DVD reader. More memory would be an asset, as would additional CPUs. This machine will run many of the victim systems as virtual machines, as well as simulate a victim network full of machines. Software for this machine will be provided on a DVD, and the instructor will install and test the setup on the day before the class starts.
Additionally, for an extra fee we can supply a bridging firewall placed between the class network and the outside world that will enforce the rules and guidelines, as well as log any attempted violations of the policy. Using this service requires that:
   the class has its own Ethernet switch, and the instructor can access the room containing the switch and can place the firewall between the class switch and the outside world;
   the location for the firewall provides sufficient cooling (ambient temperature not to exceed 75F), power (500 watts), and a stable physical location for the firewall machine.
Using this firewall is recommended because it will also be properly configured to act as a local DHCP and DNS server as well as a web proxy, and to provide network address translation (NAT) services. The instructor will set up the firewall the day before the class starts. The class needs a web server for the class web site. The instructor's laptop may be this web server; otherwise the machine provided in the classroom for the instructor is a good choice. This machine obviously will need web server software installed.
COURSE OUTLINE
1. Introduction (Lecture: 25; Lab: 0)
   (a) Class Introductions
   (b) Class Logistics
       i. Class schedule
       ii. Breaks
       iii. Question policy
       iv. Break room and restroom locations
       v. Assumptions about your background
   (c) Typographic conventions
   (d) What the class covers
2. Ethical hacking introduction (Lecture: 30; Lab: 0)
   (a) Vocabulary
       i. Worm
       ii. Virus
       iii. Firewall
   (b) Attack goals
       i. Access data
       ii. Modify (including delete) data
       iii. DoS
       iv. Impersonate someone
       v. Repudiation of actions
       vi. Set up botnet
       vii. Install rootkit
   (c) Types of vulnerabilities that exist
       i. Input validation
       ii. Improper resource management
       iii. Improper (or nonexistent) authentication
       iv. Trust where it is not warranted
       v. Broken (or missing) session management
       vi. Improper configuration (of a potentially secure app/OS)
       vii. Fail open and other failure issues
       viii. Failure to patch
       ix. Feature interaction
       x. Lack of crypto use
       xi. Assuming that adding crypto makes a product secure
       xii. Vulnerable to a replay attack
       xiii. Code reuse
       xiv. Nobody would ever do THAT!
       xv. It does not apply to me
   (d) Attack procedure
       i. Intelligence gathering
       ii. Map target
       iii. Identify entry point
       iv. Execute attack
       v. Achieving goal may require several sub-attacks
   (e) Defending
       i. Knowledge is key
   (f) Risk analysis
       i. It comes down to resources
   (g) Legal issues
       i. Apply this info wrong and go to jail
       ii. Fail to properly apply this info and go to jail
       iii. Millennium copyright act
       iv. Do not attack machines outside of the classroom
3. Intelligence about the target (Lecture: 45; Lab: 45)
   (a) Types of useful information
       i. Network and host architecture
       ii. Information for social engineering
       iii. Likely skill level of programmers, sysadmins, web site admins, etc.
   (b) Internal and external web sites
       i. Corporate directories
       ii. Multiple servers
   (c) Google and other search engines
   (d) Financial search engines
   (e) Netcraft
   (f) Geolocation
   (g) DNS
       i. Forward and reverse lookups
       ii. Enumerate net blocks
       iii. ARIN and related number authorities
       iv. AS numbers
       v. Tools
   (h) Email
       i. Email headers showing the route a message takes
   (i) Defenses
   (j) Lab
4. Network mapping (Lecture: 30; Lab: 45)
   (a) Overall network architecture
   (b) Firewalls
       i. Filtering at various ISO layers
       ii. Packet dropping versus blocking with ICMP reply
       iii. Examples of firewall architectures
   (c) Scanning for hosts
       i. IP
       ii. TCP
       iii. UDP
       iv. Options for these scans
   (d) Tools and techniques
       i. Tools for picturing the network
       ii. nmap
       iii. traceroute
       iv. Other tools
   (e) Defenses
   (f) Lab
5. Host mapping (Lecture: 35; Lab: 30)
   (a) Introduction
   (b) Port scanning
       i. Information available
       ii. Uses for this information
       iii. TCP
       iv. UDP
       v. ICMP
       vi. Remote procedure call protocols
       vii. Tools
       viii. Stealth scanning
   (c) Banner grabbing
       i. Information available
       ii. Tools
   (d) OS identification
       i. Active
       ii. Passive
   (e) Netcraft
   (f) Defenses
   (g) Lab
6. SNMP mapping (Lecture: 30; Lab: 30)
   (a) Introduction
       i. Quick overview of SNMP
       ii. MIBs
       iii. Versions of SNMP
       iv. Information you can obtain
       v. SNMP security (or lack thereof)
   (b) Server information
       i. Configuration
       ii. Resources
       iii. Network traffic
   (c) Client information
       i. Configuration
       ii. Resources
       iii. Network traffic
   (d) Network hardware information
       i. Configuration
       ii. Resources
       iii. Network traffic
   (e) Tools
   (f) Defenses
   (g) Lab
7. Vulnerability analysis (Lecture: 45; Lab: 60)
   (a) Vulnerability databases
       i. How to interpret query results
       ii. Attacker tools sites
           A. Common limitations on attacker tools
   (b) Vulnerability assessment tools
       i. Limitations of these tools
   (c) Defenses
   (d) Lab
8. Network monitoring (Lecture: 20; Lab: 30)
   (a) Why
       i. Find passwords
       ii. Find sensitive data
       iii. Passive OS fingerprinting
       iv. Passive network mapping
   (b) Monitoring tools
   (c) Attacking switches
       i. Switches do not prevent eavesdropping
           A. Tools
   (d) Defenses
   (e) Lab
9. Attacking the network infrastructure (Lecture: 25; Lab: 45)
   (a) ARP spoofing
   (b) DNS poisoning
   (c) MAC flooding
   (d) Network hardware runs an OS and has vulnerabilities and patches
   (e) Network printers
   (f) Defenses
   (g) Lab
10. Network traffic injection (Lecture: 15; Lab: 25)
   (a) Why inject traffic
       i. Increase net load
       ii. Hide the real attack
       iii. Attack network stack vulnerabilities
   (b) Tools
   (c) Defenses
   (d) Lab
11. Authentication and authorization (Lecture: 35; Lab: 30)
   (a) Who authenticates?
       i. Clients
       ii. Servers
       iii. Users
   (b) Methods of authentication
       i. Something you have, know, are
       ii. Unix/Linux passwd files
       iii. Windows authentication systems
       iv. Kerberos
       v. Smart cards
       vi. Salting
   (c) Attack types
       i. Dictionary
       ii. Brute force
   (d) Password guessers
   (e) Defenses
   (f) Lab
13. Honey pots, dark nets, and tar pits (Lecture: 30; Lab: 30)
   (a) Introduction
       i. Definitions
       ii. Examples
   (b) Automatic response
   (c) Detecting
   (d) Tools
       i. Tools for creating
       ii. Tools for detecting
   (e) Lab
14. Host-based intrusion detection (Lecture: 30; Lab: 35)
   (a) Introduction
   (b) Examples
       i. Tripwire
       ii. Antivirus systems
   (c) Evading host-based IDSs
       i. Mimicry attacks
   (d) Shutting down host-based IDSs
       i. Squealing
   (e) Tools
   (f) Defenses
   (g) Lab
15. Network IDSs (Lecture: 30; Lab: 45)
   (a) Introduction
   (b) Examples
   (c) IDS placement and network architecture
   (d) Evading network-based IDSs
   (e) Shutting down IDSs
   (f) Lab
16. Rootkits (Lecture: 30; Lab: 60)
   (a) What is a rootkit?
   (b) Installing
   (c) Detecting
   (d) Summary
   (e) Lab
17. Attacking web applications (Lecture: 45; Lab: 60)
   (a) How HTTP works
       i. HTTP basics
       ii. Common Gateway Interface (CGI) parameters
       iii. GET and POST
       iv. Cookies
   (b) The attacker controls the client
       i. Hidden forms
       ii. Cookies
   (c) Alternate encodings to evade input validation
   (d) Attack tools
   (e) Defending against these attacks
   (f) Summary
   (g) Lab
18. Cross-site scripting (XSS) (Lecture: 40; Lab: 30)
   (a) Overview
   (b) A simple example
   (c) Example XSS attacks
       i. DoS the user's browser
       ii. DoS a web server
       iii. Session hijacking
       iv. Posting a bogus news story at a news site
       v. Port scanning
       vi. Worms and viruses
   (d) Locations to place script references
   (e) Ways attackers try to obscure XSS
   (f) XSS is not just for HTML
   (g) XSS solutions
   (h) Cross-site request forgery
       i. CSRF solutions
   (i) Lab
19. State and web applications (Lecture: 45; Lab: 45)
   (a) Introduction
   (b) Where state is stored
       i. Hidden fields in forms
       ii. HTTP Referer field
       iii. CGI parameters
       iv. Cookies
   (c) Guessable session identifiers
   (d) Session hijacking
   (e) Summary
   (f) Lab
20. SQL injection (Lecture: 30; Lab: 45)
   (a) Introduction to SQL injection
       i. SQL and the web
   (b) Finding vulnerabilities
   (c) Exploiting vulnerabilities
   (d) Defenses
   (e) Summary
   (f) Lab
21. Buffer overflow introduction (Lecture: 10; Lab: 0)
   (a) Introduction
   (b) Memory layout
   (c) A simple example
   (d) Summary
22. Stack overflows (Lecture: 25; Lab: 60)
   (a) Introduction
   (b) Example
   (c) Other exploits for stack overflows
       i. Example
   (d) More stack overflow information
   (e) A real stack overflow exploit program
   (f) Summary
   (g) Lab
23. Pointer issues (Lecture: 35; Lab: 45)
   (a) Introduction
       i. Example
   (b) Pointers to functions
   (c) C++ virtual method table
       i. Example
   (d) Global offset table (GOT)
   (e) The .dtors section
       i. Example
   (f) Exit handlers
       i. Example
   (g) setjmp/longjmp
   (h) Exception handling
   (i) Summary
   (j) Lab
Appendices
A. Wireless networks (Lecture: 45; Lab: 60)
   (a) Introduction
       i. 802.11abg
       ii. Basic radio concepts
   (b) Antennas
       i. Commercial
       ii. Homebuilt
   (c) SSID and beacons
   (d) Encryption schemes
       i. WEP, WPA1, WPA2
       ii. What they are
       iii. Weaknesses
   (e) Wardriving
   (f) Tools
   (g) Defenses
   (h) Lab
B. Heap overflows (Lecture: 10; Lab: 40)
   (a) Introduction
   (b) Heap data structure attacks
   (c) Common programming errors
   (d) Example
   (e) Summary
   (f) Lab