ITX8063 2011

Source: Lambda

Information Systems Hacking Attacks and Defence 2011/2012

Course Description

  • Schedule
    • The course will be conducted on the second half of Autumn semester of 2011/2012
    • First lecture/lab on 25th of October
  • EAP: 3.00
  • Course Objectives and Organization
    • The main objective is to give a good technical overview of the different attack methods and vulnerabilities that attackers exploit to compromise IT systems. Malware in general is out of scope, as that topic is covered in detail in a separate course.
    • We will not take a strongly academic approach. Rather, we will focus on current problems and practical issues of IT security.
    • There will be a lot of hands-on work on lab systems
    • The labs are mainly built around Capture The Flag Exercises
      1. We set up purposely vulnerable systems
      2. The student's job is to identify vulnerabilities, gain access somehow and find the flag on the systems
      3. The first one to do so gets the most points
  • Instructors
    • Course coordinator: Kaur Kasak, kaur.kasak(at)gmail.com, +372 52 17 946
    • There will be several instructors for this course: Mehis Hakkaja, Roman Palik, Tarko Tikan, Jaanus Kääp, Mait Peekma
    • Our aim is to get presentations from persons who have strong real-world experience
  • Prerequisites
    • Experience in administering Linux and Windows based systems. For lab work, BackTrack5-based virtual machines are used
    • Understanding of main networking protocols (IP, TCP, UDP, ICMP, ARP, DNS, HTTP)
    • Some experience with web technologies and relational databases (HTML, PHP, MySQL, JavaScript)
    • Programming skills in any standard high-level language
  • General List of Topics
    1. Introduction. Attack Phases. Reconnaissance
    2. Scanning and Enumeration
    3. Password and Brute-Force Attacks
    4. Attacks and Defence of Network Infrastructure
      • WAN perspective
      • LAN perspective
    5. Exploitation
    6. Web Application Security I
      • Web Application Mapping and Reconnaissance
      • Authentication and Authorization (Lab:Jaanus)
      • Session Management
    7. Web Application Security II
      • Injection (code, OS command, SQL, log injection)
      • Direct Object Reference
      • XSS
      • CSRF
    8. Web Application Security III
      • Special Functionalities (password recovery, default pwd generation).
      • Business Logic Flaws (Lab:Jaanus)
      • Resource Intensive Queries
      • Error Handling and Logging (Lab:Jaanus)
      • Rich Internet Applications (Flash, Silverlight,...)

Communication

  • Course coordinator contacts: Kaur Kasak, kaur.kasak (at) gmail.com, +372 52 17 946, skype: kaur.kasak
  • E-mail list
    • Important announcements will be sent to the ivcm11 e-mail list
    • Predrag Tasevski is responsible for managing the list

Labs

Schedule

  • Starting from the second half of the semester
  • Tuesdays, 17:45-21:00, IT-213E, IT-213I

25.10 I

  • Course overview and Administrative remarks
  • Introduction. Demos (Mehis Hakkaja)

01.11 II

  • Homework by 08.11.2011
    1. Get access to the Lab over VPN by following the instructions
    2. Create yourself a user account on course management application: https://192.168.136.5/users/register
      • Note that your username will be displayed on the scoreboard - you can use a pseudonym if you like.
      • However, First Name and Last Name have to be real!
      • First missions will be activated on 08.11.2011
    3. When you have VPN running, download and review the slides from http://192.168.136.5/files/ for the following topics: "Attack Phases", "Reconnaissance", "Scanning and Enumeration", "Password and Brute-Force Attacks".

08.11 III

  • DNS Security. Mail Security (Roman Palik)

15.11 IV

  • DNS Security continued (Roman Palik)
  • Practical Tasks
  • The deadline for the practical tasks under the missions DNS Security, Scanning I and Scanning II is 22.11.2011.

22.11 V

  • Admin issues - fix times for examination
  • Mail Security (Roman Palik)
  • Memory corruption vulnerabilities (Roman Palik)
  • The deadline for the practical missions under "Password and Brute-Force Attacks" and "Man in the Middle Attacks" is 29.11.2011

29.11 VI

  • Web Application Security I (Jaanus Kääp, Mait Peekma)

06.12 VII

  • Web Application Security II (Jaanus Kääp, Mait Peekma)

13.12 VIII

  • Web Application Security III (Jaanus Kääp, Mait Peekma)

Grade assignment

  • Practical tasks and lab report (scoreboard results and notes about solving the tasks): 50p
    • Max 35p for Accomplished Tasks: 35*(nr_of_accomplished_tasks/27)
    • Max 15p for Lab Report
  • Written exam (closed-book) 50p
  • Bonus
    • Capture the Flag Exercises: the first 5 according to the scoreboard will get 85 points for the practical tasks (instead of the maximum of 50). Those students also do not have to provide a lab report.
    • Practical Homework (web exploit analysis): 15p

Exam and Results

Deadline

  • The deadline for accomplishing the practical tasks and homework and for submitting the lab report is 09 Jan 2012
    • Even if you take the exam on 19 Dec you can still finish the labs that are still open after the exam. Only automatically scored exercises will remain open. The deadline for the DNS tasks was a couple of weeks ago and no new submissions will be accepted.
    • As always: do not leave solving the tasks to the last moment. There are no guarantees of availability of the infrastructure and instructors after the lecture session.

Time

  • 19 Dec 2011, 10:00 - 12:00, IT-140
  • 6 Jan 2012, 10:00 - 12:00, IT-140
  • 20 Jan 2012, 10:00 - 12:00, IT-140

Topics

The exam will be in written form (pen and paper) and closed-book (you are not allowed to use materials, the internet, your computer, etc.). There will be approximately 10 questions covering topics from both the labs and the lectures:

  1. Anatomy of an attack. Typical attack phases
  2. Reconnaissance
    • Sources for targeted network reconnaissance
  3. Network scanning and enumeration
    • Phases of network scanning: host discovery, port scanning, service and application version detection, OS fingerprinting, vulnerability scanning
    • Methods used for conducting different phases (how different protocols like ARP, ICMP, TCP and UDP are used for scanning)
    • Network scanning in IPv6 networks
    • Defences against scanning: detection, obscurity, deception (honeypots, tarpits, spidertraps)
    • DNS and SNMP enumeration
  4. Password Attacks
    • Guessing vs cracking
    • How passwords are stored on Linux and Windows
    • What is the purpose of salt in passwords
    • Windows LM hash weaknesses.
    • Rainbow tables.
    • Pass-the-hash (why and how does it work).
  5. Using BGP to attack the Internet
    • What is BGP. Attacks against the BGP routing infrastructure (flooding routers, attacking TCP sessions, hijacking IP prefixes, sending broken BGP messages). IPv6 impact on Internet security
  6. Attacks and Defence of Network Infrastructure
    • Attacks: ARP protocol and ARP spoofing, MAC flooding, attacks against DHCP, fragmentation attacks, VLAN hopping
    • Defence: Switch port security, Dynamic ARP inspection and DHCP snooping, private VLANs, 802.1x
  7. DNS Security
    • DNS tunneling. DNS rebinding. DNS cache poisoning (example: Kaminsky attack), DNS cache snooping, (Ab)using DNS in DoS amplification attacks
    • DNSSEC: purpose and concept of operation
  8. Email Security
    • SPF and DKIM
  9. Exploitation
    • Stack-based buffer overflow
    • DEP and ASLR
  10. Web Application Security
    • Web application mapping
    • Session management
    • Path traversal
    • OS command injection
    • Local and remote file inclusion (including null-byte poisoning, log poisoning)
    • SQL injection
    • Cross-Site Scripting (XSS): reflected and stored XSS, payloads, defence
    • Cross-Site Request Forgery: how does it work, defence

Results