ITX8063 2012
Allikas: Lambda
Information Systems Hacking Attacks and Defence 2012/2013
Sisukord
Course Description
- Schedule
- The course will be conducted on the second half of Autumn semester of 2012/2013
- First will be held on 30th of October in room III-310
- EAP: 3.00
- Course Objectives and Organization
- Main objective is to give a good technical overview of different attack methods and vulnerabilities the attackers are exploiting to compromise IT systems. Malware in general is out of the scope as this topic will be covered in detail in specific course.
- We will not use strong academic approach. Rather, we will focus on the current problems and practical issues of IT security.
- There will a lot of hands-on work on lab systems
- The labs are mainly built around Capture The Flag Exercises
- We set up purposely vulnerable systems
- Student's job is to identify vulnerabilities, gain access somehow and find the flag from the systems
- First ones get the most points
- Instructors
- Course coordinator: Kaur Kasak, kaur.kasak(at)gmail.com, +372 52 17 946
- There will be several instructors for this course:
- Team from Clarified Security: Mehis Hakkaja, Mait Peekma, Jaanus Kääp, Elar Lang
- Others: Roman Palik, Tarko Tikan
- Our aim is get presentations from persons who have strong real-world experience
- Prerequisites
- Experience in administrating Linux and Windows based systems. For lab-work, BackTrack5 based virtual machines
- Understanding of main networking protocols (IP, TCP, UDP, ICMP, ARP, DNS, HTTP)
- Some experience with web technologies and relational databases (HTML, PHP, MySQL, Javascript)
- Programming skills in any standard high-level language
Communication
- Course coordinator contacts: Kaur Kasak, kaur.kasak (at) gmail.com, +372 52 17 946, skype: kaur.kasak
- E-mail list (Google Group)
- itx8063-2012[=at=]googlegroups.com
- Everyone has to join to get announcements
- Group Manager is Sten: estonien[=at=]gmail.com
Schedule
- Starting from the second half of the semester
- Tuesdays, 17:45-21:00, III-310, IT-213A, IT-213B
- NB! Check the exact location for every single lecture/lab!
30.10 I
- Location: III-310 (for the whole evening)
- Topics:
- Administrative Information
- Introduction and Demos (Mehis)
- Pen-Testing Wireless Networks (intro). Description of Homework (Mait)
06.11 II
- Location: III-310 (for the whole evening)
- Administrative Info
- Homework
- VPN to Lab
- TODO for next time
- TODO by 13.11.2012:
- Get VPN access working ITX8063_2012_Labs
- Access materials in lab http://192.168.136.5/files
- Review the following slides
- 02-1.Attack.Phases.pdf
- 02-2.Reconnaissance.pdf
- 02-3.Scanning.and.Enumeration.pdf
- 02-4.Password.and.Brute-Force.Attacks.pdf
- Topics:
- Network infrastructure attacks and defence (MAC flooding, ARP spoofing, ICMP redirection, IP spoofing and fragmentation, VLAN hopping, leaking data over CDP, port security, DHCP snooping and dynamic ARP inspection, private VLANs, 802.1x) (Roman)
- Mail security: SMTP overview, grey-listing, SPF, DKIM (Roman)
- DNS security: DNS overview, cache poisoning, DNSSec (Roman)
13.11 III
- Location:
- III-310 17:45 - 19:15
- IT-213A, IT-213B 19:30 - 21:00
- Topics:
- Mail Security continued (Roman)
- DNS Security (Roman)
- Exercises on MiTM attacks and DNS
- ITX8063_2012_Labs
20.11 IV
- Location:
- III-310 17:45 - 21:00
- Topics:
- Problems with the first labs:
- Description of first scanning exercise was wrong - TCP port 25 was missing from the list you should send probes
- DNS Task 1 had initially wrong "correct answer"
- MiTM machines were not available due to wrong virtual network interface mappings
- Access from IT-213A and IT-213B does not work. But seems to be working from IT-213E, IT-213I(?)
- Less than 50% of the tasks has been activated so far - please start working!
- Other Lab issues
- Use hints
- Lab Report
- Deadline for getting access to lab, creating account on scoreboard and solving tasks under Scanning I is 27 Nov 2012 23:59
- DNSSec continued (Roman Palik)
- Exploitation intro (Roman Palik)
- We will go to the computer class only in case there will be enough time
- New missions will be activated after the lecture approx 22:00
- Problems with the first labs:
27.11 V
- Location: 17:45-21:00 III-310
- Administrative information
- Dates for Exams in Jan 2013?
- 21 Dec 2013
- 7 Jan 2013
- 24 Jan 2013
- Deadline for getting access to lab, creating account on scoreboard and solving tasks under Scanning I is 27 Nov 2012 23:59
- Deadline for Homework is 30 Nov 2012 23:59
- Deadline for solving tasks under Man In The Middle Attacks is 04 Dec 2012 23:59
- Downtime in lab: Thu, 29 Nov 2012, 13:00-15:00
- Dates for Exams in Jan 2013?
- Topics:
- Attacks and Defence of WAN networks. BGP. IPv6 (Tarko)
- Security of mobile devices management (Mina)
04.12 VI
- Location:
- 17:45 - 19:15: III-310
- 19:30 - 21:00: IT-213A, IT-213B
- Admin info
- Deadline for solving tasks under DNS Security is 11 Dec 2012 23:59
- Topics: Web Application Security I (Jaanus, Elar, Mait)
- Introduction to web application technologies
- Web Application Pen-Testing Tools
- Web Application Mapping and Reconnaissance
- Path Traversal
- Cross-Site Scripting
11.12 VII
- Location:
- 17:45 - 19:15: III-310
- 19:30 - 21:00: IT-213A, IT-213B
- Labs:
- Downtime yesterday evening - accidental revert to old snapshot instead of creating new, results were recovered, report problems to instructor.
- More labs to be activated on the following topics: XSS, SQL injection, OS command and PHP code injection
- Hack the TEST Scoreboard
- Last practical tasks will be activated on 18 Dec 2012
- Deadline for solving tasks under Scanning II and Password Security is 18 Dec 2012 23:59
- NB! If the targets are still up, you can still solve the tasks and submit the answers despite the deadlines. However, we do not provide any guarantees that the targets for which deadlines have been announced will stay up. In case we need lab resources for running other VMs, those targets will be closed!
- Top5 will be identified based on the status of the Scoreboard on 19 Dec 2012 23:59
- Access to the lab will be closed on 13 Jan 2013 23:59
- Deadline for providing Lab Report is 14 Jan 2013 23:59
- Please register to the exams through OIS (http://ois.ttu.ee) and do not send emails regarding this topic
- Topics: Web Application Security II (Jaanus, Elar)
- SQL injection
- Session Management
- CSRF
18.12 VIII
- Location:
- 17:45 - 19:15: III-310
- 19:30 - 21:00: IT-213A, IT-213B
- Topics: Web Application Security III (Jaanus, Mait)
- Logic flaws
- Rich internet applications (Flash, Silverlight)
- OS Command injection
- Code injection
- File inclusion
Homework and Labs
Grade assignment
- 100% = 100 points
- Practical tasks and lab report (scoreboard results and notes about solving the tasks): 40p
- Max 20p for Accomplished Tasks
- Max 20p for Lab Report
- Written exam (closed-book) 60p
- Bonus
- Capture the Flag Exercises Top 5: 90p
- Practical Homework: 10p
Exam and Results
Time
- 21 Dec 2012 10:00 - 12:00 (Fri), Location: III-310
- 7 Jan 2013 10:00 - 12:00 (Mon), Location: III-309
- 24 Jan 2013 10:00 - 12:00 (Thu), Location: III-310
Topics
The exam will be in written form (pen and paper), closed-book (you are not allowed to use materials, internet, your computer, etc). There will be approximately 10 questions covering topics from both the labs and lectures. You are expected to provide short (few paragraph) answers.
List of topics
- Reconnaissance
- Sources for targeted network reconnaissance
- Network scanning and enumeration
- Phases of network scanning: host discovery, port scanning, service and application version detection, OS fingerprinting, vulnerability scanning
- Methods used for conducting different phases (how different protocols like ARP, ICMP, TCP and UDP are used for scanning)
- Network scanning in IPv6 networks
- Defences against scanning: detection, obscurity, deception (honeypots, tarpits, spidertraps)
- DNS and SNMP enumeration
- Password Attacks
- Guessing vs cracking
- How passwords are stored on Linux and Windows
- What is the purpose of salt in passwords
- Windows LM hash weaknesses.
- Rainbow tables.
- Pass-the-hash (why and how does it work).
- Attacks and Defence of Network Infrastructure
- Attacks: ARP protocol and ARP spoofing, MAC flooding, attacks against DHCP, VLAN hopping
- Defence: Switch port security, Dynamic ARP inspection and DHCP snooping, private VLANs, 802.1x
- Using BGP to attack Internet
- What is BGP. Attacks against BGP routing infra (flooding routers, attacking TCP sessions, hijacking IP prefixes, sending broken BGP messages). IPv6 impact on Internet security
- DNS Security
- DNS tunneling. DNS rebinding. DNS cache poisoning (example: Kaminsky attack), DNS cache snooping, (Ab)using DNS in DoS amplification attacks
- DNSSEC: purpose and concept of operation
- Email Security
- SPF and DKIM
- Web Application Security
- Basic toolkit for web application pen-tester
- Path Traversal
- Session Management in Web Applications
- How does cookie based authentication work?
- HTTP Basic and Digest Authentication
- Client-side Attacks:
- Web Content Injection/Cross Site Scripting (how and why does it work, payloads, defence)
- Cross-Site Request Forgery
- Server-side injection Attacks
- SQL injection
- OS command injection
- (PHP) code injection. Local and Remote File Inclusion
- Business Logic Flaws