IT 6825 – 002 / IT 4825 – 001       2005 Fall

ETHICAL HACKING: NETWORK SECURITY AND PENETRATION TESTING

CRN    Course ID       CR    Days        Time               Meeting Dates        Bldg/Room
8928   IT 4825 / 001   3.0   M - W - -   6:00pm – 7:15pm    8/22 – 12/14/2005    J – 260
8931   IT 6825 / 002   3.0   M - W - -   6:00pm – 7:15pm    8/22 – 12/14/2005    J – 260

Instructor:    Andy Ju An Wang
Office:        J – 393B
Phone / Fax:   678-915-3718 / 678-915-5511
E-mail:        Jwang@spsu.edu
Web URL:       http://lovelace.spsu.edu/jwang

Office Hours:
Monday and Wednesday: 2:00pm – 5:00pm
Tuesday and Thursday: 10:30am – 11:30am

I will be in my office at many other times; to minimize possible inconvenience, please phone or e-mail to set up an appointment outside of the times listed above.

Textbook and References:

Textbook:

·         Shon Harris et al, Gray Hat Hacking: The Ethical Hacker’s Handbook, McGraw-Hill/Osborne, Emeryville, CA 94608, 1st edition 2005. ISBN: 0-07-225709-1.

References:

·         Ed Skoudis, Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, Prentice Hall, Upper Saddle River, NJ 07458, 2002. ISBN: 0-13-033273-9.

·         James S. Tiller, The Ethical Hack: A Framework For Business Value Penetration Testing, CRC Press, Boca Raton, FL 33431, 1st edition 2005. ISBN: 0-8493-1609-X.

·         David Litchfield et al, The Database Hacker’s Handbook, Wiley Publishing, Indianapolis, IN 46256, 1st edition. ISBN: 0-7645-7801-4.

·         Jack Koziol et al, The Shellcoder’s Handbook, Wiley Publishing, Indianapolis, IN 46256, 1st edition. ISBN: 0-7645-4468-3.

Grading Scheme:

90.0 -- 100%          A             =    450 -- 500 Points
80.0 -- 89.9%         B             =    400 -- 449 Points
70.0 -- 79.9%         C             =    350 -- 399 Points
60.0 -- 69.9%         D             =    300 -- 349 Points
00.0 -- 59.9%         F             =    000 -- 299 Points

Grade   Criteria
C       Attend class regularly, complete class work on time, and be prepared and active in class discussion.
B       In addition to the above, demonstrate a substantial amount of critical effort: creative and productive writing, and responding to criticism by improving your work.
A       In addition to the above, demonstrate excellence in all work: be recognizably a leader in the class, asking good questions, significantly teaching your peers, and intriguing and exciting the class with your insights. Your speaking and writing demonstrate research ability far above the norm, creative approaches, careful reflection, and reliable implementation.
D       Late work, frequent absences, superficial writing, reading, and speaking, little reflection about your audience, and little effort to contribute in class.
F       Late or incomplete work, no attempt to connect class information with anything else, frequent absences, and superficial and ragged work.

Tentative Point Distribution:

Tests              2 * 50 points each                          100 Points     20%
Project            1 * 50 points each                           50 Points     10%
Assignments        Points vary for different assignments       270 Points     54%
Participation      Attendance + Involvement                     80 Points     16%
---------------------------------------------------------------------------------------------------
                                                      TOTAL:   500 Points    100%

Important Note: I reserve the right to change this grading system as the course progresses and various circumstances develop.

Tests:

Two tests will be given. Each test covers the material from that unit only. Test questions may be multiple-choice, fill-in-the-blank, programming, and/or essay questions. Questions will cover topics discussed in class that may or may not be covered in the textbook. Students are encouraged to attend class regularly so as to maximize their exam scores.

Projects:

There is one course project in this course, worth 50 points. The project is intended to test the range of knowledge and skills developed by students in their prior courses as well as in this course. Each student will work as a member of a 2- to 4-person team to complete one hands-on project in the area of network security and penetration testing. More details about the nature of the project, suggested topics, grading policy, deliverables, and the instructor's expectations will be provided in a separate handout in class. Each student is expected to contribute equally to the success of the project and to participate in the presentation of the final results. Grading will be subjective, based on the quality and completeness of the project.

Assignments:

Assignments are individual work testing the understanding of the course materials. Students should complete their assignments independently and turn in their solutions on time, according to the assignment requirements.

Graduate Students:

Each graduate student must complete extra coursework to fulfill the IT 6825 course requirements: each graduate student will develop one hands-on lab for one penetration testing tool.

Thesis / Research Topics:

Network Security and Penetration Testing represents a challenging research arena for multiple disciplines, including Information Technology, Computer Science, Computer Engineering, Software Engineering, and Statistics. Many topics covered in this course are likely to be developed into your Master's thesis or Senior Project. More details will be provided by the instructor upon request. Please contact the instructor if you are interested in doing research in this field.

Late Work:

All assignments and deliverables, including all project progress reports, source code, presentations, group reports, individual reports, homework assignments, and peer evaluations, are due at the beginning of class on the due date, or as specified on the assignments. Any late item will be discounted by 10 points per hour of delay. Students are responsible for making sure their homework and project results reach the instructor on time. (Don't trust the department drop-box.)

Makeup Tests:

You must contact the instructor prior to the test to explain your reasons for being absent from the test. The instructor will decide whether a makeup test is allowed. If your request for a makeup test is accepted, the makeup test must in any case be taken before the next scheduled class, unless you can provide official documents from the Student Health Service or from the Office of the Senior Vice President for Academic Affairs for attending authorized and official University activities.

No makeup project work (reports or presentations) is allowed.

Class Participation:

Class participation includes class attendance, contributions during class discussion, and sense of teamwork. Class participation will contribute up to 80 points to your overall grade. The instructor expects you to attend class regularly and to arrive on time. Attendance checking (roll call) will be conducted at the beginning of each class. Students who miss the roll call but actually attend the class are responsible for informing the instructor of their attendance. Your attendance grade for each class meeting is determined by the following grading sheet for this fall semester:

Class attendance time T (minutes)   Late or left early by (minutes)   Your attendance grade
T ≥ 65                              < 10                              3
50 ≤ T < 64                         < 20                              2
35 ≤ T < 49                         < 30                              1
T < 34                              ≥ 41                              0
Approved absence                                                      1.5

Maximum attendance grade: 3 * 20 = 60 points.

You are responsible for all course work. Being absent does not excuse work from the stated due dates. In addition to attendance, there will be a contribution grade to encourage class discussion and sense of teamwork. You can earn up to 20 points in the whole semester by

  • actively asking/answering questions – maximum grade: 10 points
  • being a good team player – maximum grade: 5 points
  • providing accurate peer evaluations – maximum grade: 5 points

Academic Dishonesty:

SPSU values academic integrity. Therefore all students must understand the meaning and consequences of cheating, plagiarism, and other academic offenses. Work submitted for this course must represent your own efforts. Copying assignments or tests, or allowing others to copy your work, will not be tolerated. Note that introducing syntactic changes into a copied program is still considered plagiarism. The grade for all involved parties for any course work (homework, assignment, project, programming, or test) will be zero if plagiarism is found.

Academic dishonesty is an extremely serious offense. All cases of academic dishonesty will be dealt with in accordance with the policies of the University as published in the Undergraduate Catalog and Graduate Student Handbook. Penalties may include expulsion from the University.

Disability:

Students with disabilities who believe that they may need accommodations in this class are encouraged to contact the counselor working with disabilities at 678-915-7226 as soon as possible to better ensure that such accommodations are implemented in a timely fashion.

Return and Destruction of Coursework:

Homework and other completed class assignments submitted via e-mail will not be returned. However, floppy disks, CD-ROMs, or other memory media will be brought to class once to be returned after they are graded. If you are absent on a day that coursework is returned, you will need to arrange to pick up the coursework in the instructor's office. All coursework may be destroyed after the end of the first week of the following semester.

Course Homepage:

The URL for the course homepage is:

http://webct.usg.edu/, CS 6293 (Wang)

You will need a WebCT account to access the course web site.

Course Description

Prerequisites:

For IT4825/001 the prerequisite is: IT3124 or upper-division status or CS3424
For IT 6825/002 the prerequisite is: IT5113 or equivalent or CS5183

Catalog Description:

For IT 4825/001 – 6825/003 Ethical Hacking: Network Security and Penetration

This course covers the major issues surrounding the use of penetration testing to secure networks. Topics include the ethics of ethical hacking, legal considerations, vulnerability discovery and risk analysis, internal and external attacks, penetration testing methods and tools, the latest security countermeasures, and the various types of penetration testing and programming skills required to complete successful penetration tests.

Course Objectives:

On completion of this course, students should be able to:

·       Describe some of the legal and Human Resource issues to consider when performing security assessments.
·       Assess your systems, employing the strategies hackers use to defeat security controls in operating systems and networked environments, including:
o        Passive information gathering.
o        Active information gathering.
o        Analysis and interpretation of information.
o        Vulnerability mapping.
o        Exploitation (attack).
·       Identify ways to improve security controls to prevent hackers from gaining access to operating systems and networked environments.

As a part of your general education, this course will also help you to:

·       Communicate (in writing and verbally) about a complex, technical topic simply and coherently.
·       Work and interact collaboratively in groups to examine, understand, and explain key aspects of information security.

Course Outline:

1. Ethics of Ethical Hacking
   1.1 Vulnerability Assessment
   1.2 Penetration Testing
   1.3 The Controversy of Hacking Books and Tools
   1.4 Emulating the Attack
   1.5 Where Do Attackers Have Most of Their Fun?
      1.5.1 Security does not like complexity

2. Ethical Hacking and the Legal System
   2.1 Addressing Individual Laws
      2.1.1 18 USC Section 1029
      2.1.2 18 USC Section 1030
      2.1.3 A state law alternative
      2.1.4 18 USC Sections 2510 and 2701
      2.1.5 Digital Millennium Copyright Act
      2.1.6 Cyber Security Enhancement Act of 2002

3. Proper and Ethical Disclosure
   3.1 Different Teams and Points of View
   3.2 CERT's Current Process
   3.3 Full Disclosure Policy (RainForest Puppy Policy)
   3.4 Organization for Internet Safety (OIS)
      3.4.1 Discovery
      3.4.2 Notification
      3.4.3 Validation
      3.4.4 Resolution
      3.4.5 Release
   3.5 Case Studies
      3.5.1 Pros and cons of proper disclosure processes
      3.5.2 Vendors paying more attention
   3.6 iDefense and References

4. Penetration Testing and Tools
   4.1 Types of Tests
   4.2 Ramping Up
      4.2.1 Building a team
      4.2.2 Building a lab
      4.2.3 Contracts, safety, and staying out of jail
   4.3 Assessment Process
      4.3.1 Assessment planning
      4.3.2 On-site meeting with the customer to kick off assessment
      4.3.3 Penetration testing process
      4.3.4 Red teaming process
      4.3.5 System test process
      4.3.6 Footprinting with lsof

5. Advanced Tools for Today's Hacker
   5.1 Scanning in the "Good Old Days"
      5.1.1 Paketto Keiretsu (scanrand and paratrace)
   5.2 Past and Present Forms of Fingerprinting
      5.2.1 xprobe2
      5.2.2 p0f
      5.2.3 amap
      5.2.4 Winfingerprint
   5.3 Sniffing Tools
      5.3.1 libpcap and WinPcap
      5.3.2 Passive sniffing vs. active sniffing
      5.3.3 Defenses against active sniffing
      5.3.4 Sniffing for usernames and passwords
   5.4 Sniffing and Hacking LAN Manager Logon Credentials
      5.4.1 Using the challenge and hashes
      5.4.2 Using ettercap
      5.4.3 Sniffing and cracking Kerberos

6. Automated Penetration Testing
   6.1 Python Survival Skills
   6.2 Automated Penetration Testing Tools
      6.2.1 Core IMPACT
      6.2.2 Immunity CANVAS
      6.2.3 Metasploit

7. Programming Survival Skills
   7.1 Programming
      7.1.1 The problem-solving process
      7.1.2 Pseudo-code
      7.1.3 Programmers vs. hackers
   7.2 C Programming Language
      7.2.1 Basic C language constructs
      7.2.2 Sample program
      7.2.3 Compiling with gcc
   7.3 Computer Memory
      7.3.1 Random Access Memory (RAM)
      7.3.2 Big endian and little endian
      7.3.3 Segmentation of memory
      7.3.4 Programs in memory
      7.3.5 Buffers
      7.3.6 Strings in memory
      7.3.7 Pointers
      7.3.8 Putting the pieces of memory together
   7.4 Intel Processors
      7.4.1 Registers
      7.4.2 Arithmetic Logic Unit (ALU)
      7.4.3 Program counter
      7.4.4 Control unit
      7.4.5 System bus
   7.5 Assembly Language Basics
      7.5.1 Machine vs. assembly vs. C
      7.5.2 AT&T vs. NASM
      7.5.3 Addressing modes
      7.5.4 Assembly file structure
      7.5.5 Assembling
   7.6 Debugging with gdb
      7.6.1 gdb basics
      7.6.2 Disassembly with gdb

8. Basic Linux Exploits
   8.1 Stack Operations
      8.1.1 Stack data structure
      8.1.2 Operational implementation
      8.1.3 Function calling procedure
   8.2 Buffer Overflows
      8.2.1 Example buffer overflow
      8.2.2 Overflow of meet.c
      8.2.3 Ramifications of buffer overflows
   8.3 Local Buffer Overflow Exploits
      8.3.1 Components of the exploit
      8.3.2 Exploiting stack overflows by command line
      8.3.3 Exploiting stack overflows with generic exploit code
      8.3.4 Exploitation of meet.c
      8.3.5 Exploiting small buffers
   8.4 Remote Buffer Overflow Exploits
      8.4.1 Client/server model
      8.4.2 Determining the remote esp value
      8.4.3 Manual brute force with Perl

9. Advanced Linux Exploits
   9.1 Format String Exploits
      9.1.1 The problem
      9.1.2 Reading from arbitrary memory
      9.1.3 Writing to arbitrary memory
      9.1.4 Taking .dtors to root
   9.2 Heap Overflow Exploits
      9.2.1 Heap overflows
      9.2.2 Memory allocators (malloc)
      9.2.3 dlmalloc
      9.2.4 Exploiting heap overflows
      9.2.5 Alternative exploits
   9.3 Memory Protection Schemes
      9.3.1 Libsafe
      9.3.2 GRSecurity kernel patches and scripts
      9.3.3 Stackshield
      9.3.4 Bottom line

10. Writing Linux Shellcode
   10.1 Basic Linux Shellcode
      10.1.1 System calls
      10.1.2 Exit system call
      10.1.3 setreuid system call
      10.1.4 Shell-spawning shellcode with execve
   10.2 Port-Binding Shellcode
      10.2.1 Linux socket programming
      10.2.2 Assembly program to establish a socket
      10.2.3 Test the shellcode
   10.3 Reverse Connecting Shellcode
      10.3.1 Reverse connecting C program
      10.3.2 Reverse connecting assembly program

11. Writing a Basic Windows Exploit
   11.1 Compiling and Debugging Windows Programs
      11.1.1 Compiling on Windows
      11.1.2 Debugging on Windows
      11.1.3 Building a basic Windows exploit

12. Passive Analysis
   12.1 Ethical Reverse Engineering
   12.2 Why Reverse Engineering?
      12.2.1 Reverse engineering considerations
   12.3 Source Code Analysis
      12.3.1 Source code auditing tools
      12.3.2 The utility of source code auditing tools
      12.3.3 Manual source code auditing
   12.4 Binary Analysis
   12.5 Automated Binary Analysis Tools
      12.5.1 Manual auditing of binary code

13. Advanced Reverse Engineering
   13.1 Why Try to Break Software?
   13.2 The Software Development Process
   13.3 Instrumentation Tools
      13.3.1 Debuggers
      13.3.2 Code coverage tools
      13.3.3 Profiling tools
      13.3.4 Flow analysis tools
      13.3.5 Memory monitoring tools
   13.4 Fuzzing
   13.5 Instrumented Fuzzing Tools and Techniques
      13.5.1 A simple URL fuzzer
      13.5.2 Fuzzing unknown protocols
      13.5.3 SPIKE
      13.5.4 SPIKE proxy
      13.5.5 Sharefuzz

14. From Vulnerability to Exploit
   14.1 Exploitability
      14.1.1 Debugging for exploitation
   14.2 Understanding the Problem
      14.2.1 Preconditions and postconditions
      14.2.2 Repeatability
   14.3 Documenting the Problem
      14.3.1 Background information
      14.3.2 Circumstances

15. Closing the Holes: Mitigation
   15.1 Mitigation Alternatives
      15.1.1 Port knocking
      15.1.2 Migration
   15.2 Patching
      15.2.1 Source code patching considerations
      15.2.2 Binary patching considerations

Tentative Course Calendar (Fall 2005)

This calendar is subject to change when necessary. Changes will be announced in class.

Date | Lecture # | Topics | Assignments/Project
8/22, Mon. | Lecture #1 (J260) | Syllabus and introductions | Introduction, Questionnaire #1; Assignment #1
8/24, Wed. | Lecture #2 (J260) | Ethical hacking and the legal system: addressing individual laws that impact ethical hacking | Establish WebCT access
8/29, Mon. | Lecture #3 (J260) | Proper and ethical disclosure: different terms and points of view, working with CERT, the various disclosure policies, conflicts and case studies |
8/31, Wed. | Lecture #4 (J260) | Attack types and vulnerabilities: buffer overflows, Denial of Service (DoS) and Distributed DoS (DDoS), etc. |
9/5, Mon. | | Labor Day |
9/7, Wed. | Lecture #5 (J260) | Web reconnaissance | Assignment #1 due today; Hands-on Practice and Assignment
9/12, Mon. | Lecture #6 (J260) | Footprinting tools and practice (1) | Project Meetings
9/14, Wed. | Lecture #7 (J260) | Footprinting tools and practice (2) | Hands-on Practice and Assignment
9/19, Mon. | Lecture #8 (J260) | Footprinting tools and practice (3) | Hands-on Practice and Assignment
9/21, Wed. | Lecture #9 (J260) | Scanning and enumeration (1) | Hands-on Practice and Assignment
9/26, Mon. | Lecture #10 (J260) | Scanning and enumeration (2) | Hands-on Practice and Assignment
9/28, Wed. | Lecture #11 (J260) | Scanning and enumeration (3) | Project Meetings
9/29, Thu. | Lecture #12 (J260) | OS vulnerabilities and resolutions (1) | Hands-on Practice and Assignment
10/3, Mon. | Lecture #13 (J260) | OS vulnerabilities and resolutions (2) | Hands-on Practice and Assignment
10/5, Wed. | Lecture #14 (J260) | OS vulnerabilities and resolutions (3) | Hands-on Practice and Assignment
10/10, Mon. | Lecture #15 (J260) | Advanced penetration testing and tools (1) | Mid-Term Get Together; Hands-on Practice and Assignment
10/12, Wed. | Lecture #16 (J260) | Advanced penetration testing and tools (2) | Last day to withdraw; Hands-on Practice and Assignment
10/17, Mon. | Lecture #17 (J260) | Advanced penetration testing and tools (3) | Project Meeting
10/19, Wed. | Lecture #18 (J260) | Test #1 (SIGITE 2005) | Test #1
10/24, Mon. | Lecture #19 (J260) | Advanced penetration testing and tools (4) | Hands-on Practice and Assignment
10/26, Wed. | Lecture #20 (J260) | Security exploits (1) | Hands-on Practice and Assignment
10/31, Mon. | Lecture #21 (J260) | Security exploits (2) | Hands-on Practice and Assignment
11/2, Wed. | Lecture #22 (J260) | Security exploits (3) | Hands-on Practice and Assignment
11/7, Mon. | Lecture #23 (J260) | Security exploits (4) | Project Meeting
11/9, Wed. | Lecture #24 (J260) | Vulnerability analysis (1) | Hands-on Practice and Assignment
11/14, Mon. | Lecture #25 (J260) | Vulnerability analysis (2) | Hands-on Practice and Assignment
11/16, Wed. | Lecture #26 (J260) | Vulnerability analysis (3) | Hands-on Practice and Assignment
11/21, Mon. | Lecture #27 (J260) | Vulnerability analysis (4) | Hands-on Practice and Assignment
11/23, Wed. | | Thanksgiving Break |
11/28, Mon. | Lecture #28 (J260) | Vulnerability analysis (5) | Project Meeting
11/30, Wed. | Lecture #29 (J260) | Project Presentation (1) | Project Report Due; Graduate Report Due
12/5, Mon. | Lecture #30 (J260) | Project Presentation (2) | Project Report Due; Graduate Report Due
12/7, Wed. | Lecture #31 (J260) | Project Presentation (3) | Project Report Due; Graduate Report Due
12/8, Thu. | | Last Day of Class |
12/12, Mon. | Lecture #32 (J260) | Test #2 / Final Examination | Final Examination
12/17, Sat. | | Commencement |

IT 4825/001 – IT 6825/002 Ethical Hacking: Network Security and Penetration Testing (Fall 2005)

Instructor: Dr. Andy Ju An Wang

Questionnaire #1: Student Background

Monday August 22, 2005

In order to improve teaching effectiveness, you will be asked to fill out a few questionnaires during this semester. This questionnaire is the first of them. The information you provide in these questionnaires is used solely for the purpose of improving teaching effectiveness. For instance, this first questionnaire is designed to allow possible improvements to the course schedule and content according to student background. Please complete the following questionnaire during the class and hand it to the instructor before you leave the classroom today.

-------------------------------------------------------------------------------------------------------

1.       Statistical information:

Name:

Major:

Telephone:

E-mail:

2.       Have you taken Advanced Programming and Data Structures or equivalent?

A. Yes           B. No

3.       Have you taken Mathematical Structures for Computer Science or equivalent?

A. Yes           B. No

4.       Do you have JAVA programming experience?

A. Yes           B. No

If yes, describe briefly your experience of programming in JAVA, e.g., what kind of Java projects have you developed?

5.       Do you have C/C++ programming experience?

A. Yes           B. No

If yes, describe briefly your experience of programming in C/C++, e.g., what kind of products have you developed?

6.       Check the following for your OS experience:

Microsoft Windows NT/2000/XP/9X:
        Familiar
        Some experience but not familiar
        Never used it

UNIX/LINUX:
        Familiar
        Some experience but not familiar
        Never used it

Macintosh OS:
        Familiar
        Some experience but not familiar
        Never used it

7.       Check the following for your network experience (check all items applicable):
        I was / I am a network system administrator.
        I have set up a local area network in my work, home, or study.
        I’m familiar with network protocols like TCP/IP/UDP/ICMP, etc.
        I know the difference between a hub and a switch.
        I don’t have network knowledge.


8.       What is your course objective/expectation?

  1. It is a required elective for my major(s) and I must get at least a “C” for my grade.
  2. It is a required elective for my major(s) and I must get at least a “B” for my grade.
  3. It is a required selective course for my major(s) and I must get a grade of _________.
  4. It is an elective but I’d like to have a grade of _____________.
  5. To earn another 3 credit hours solely.
  6. I enrolled in this course mainly due to my interest in the topics covered by this course.
  7. Others (please explain briefly.)

9.       How much time could you (or are you going to) spend on this course after each lecture?