Next Course: 21-25 May 2012 (registration to free slots opens on 23 April)
Number of Attendees: 14 (1 granted slot per sponsoring nation; others can be assigned to the course if slots remain available).
Introduction
IT Systems Attacks and Defence is a practical 4.5-day introductory course covering the methods and tools used by attackers to gain access to IT systems and the potential countermeasures for coping with those attacks. The course covers different topics following the typical attack phases: reconnaissance, scanning, gaining access and privilege escalation, and maintaining access.
The course is built upon several hands-on exercises. The tasks focus heavily on the offensive side of IT security. The participants can try out several of the most common types of attacks on lab systems. During the missions the participants can take part in a so-called Capture the Flag competition: the winner is the first person to capture the specified token from a vulnerable system.
For completing the missions the students will be provided with virtual machines based on BackTrack Linux. The majority of the tools used in the class are open-source or at least non-commercial. The vulnerable web applications will be built using PHP and MySQL. Our purpose is not to focus on the details of specific technologies, but to explain the most common attack classes using popular and simple-to-understand solutions.
Target audience
The course has been designed for novice network and system administrators and security specialists. In general the expected audience consists of persons who have a good background in information technology, gained from university studies, practical experience, or both. On the other hand, we expect that these individuals do not yet have knowledge and good practical know-how about the security problems of computer networks and applications. Professional security practitioners or penetration testers with years of experience are not the target audience of this course.
Course outline
1. Anatomy of an attack: description of common attack phases.
2. Reconnaissance: sources and tools for gathering information about target networks.
3. Network and vulnerability scanning: host discovery, TCP and UDP port scanning, enumeration (e.g. using DNS and SNMP), operating system detection, vulnerability scanning, scanning in IPv6 networks, honeypots and tarpits.
4. Password and brute force attacks: password guessing and cracking, how passwords are stored in Linux and Windows, Rainbow Tables, Pass-the-Hash.
5. Network infrastructure attacks and defence: MAC flooding, ARP spoofing, VLAN hopping, leaking data over CDP, port security, DHCP snooping and dynamic ARP inspection, private VLANs, 802.1x, examples of secure configuration snippets for Cisco switches.
6. Mail security: SMTP overview, grey-listing, SPF, DKIM.
7. DNS security: DNS overview, DNS tunnelling, DNS rebinding, DNS snooping, DNS cache poisoning and the Kaminsky attack, DNSSEC (concept, setup, security implications of using DNSSEC, advantages and other aspects one needs to be aware of).
8. Exploitation: description of the Windows and Linux environments as they relate to process exploitation, GDB debugger description and hands-on exercise, stack-based buffer overflows, return2libc, using the Metasploit Framework for payload generation and obfuscation, protective mechanisms built into the operating system (canaries, DEP, ASLR).
9. Web Application Security:
- Session management.
- Path traversal.
- Code injection: SQL injection, OS command injection, file inclusion, NULL-byte poisoning, log poisoning.
- Cross-site scripting.
- Cross-site request forgery.
Theoretical lectures are supported by a set of practical exercises. These require the students to perform tasks such as:
- Scanning small networks to find live hosts or machines with specific vulnerabilities.
- Using DNS enumeration to find interesting hosts, exploiting an unprotected SNMP service for enumeration of information.
- Tunnelling arbitrary IP traffic over the DNS protocol in a restrictive environment.
- Guessing and cracking passwords.
- Using ARP spoofing methods for man-in-the-middle attacks (e.g. dissecting and sniffing SSL-encrypted traffic).
- Using Metasploit Framework and existing exploit code against different targets.
- Exploiting vulnerabilities in custom-built web applications.
- Simple reverse engineering, exploiting a stack-based buffer overflow.
- Ret2libc exploitation attack.
Prerequisites
Ideally, the students should have experience in administering Windows- and Linux-based systems, understand the main networking protocols (e.g. ARP, IP, ICMP, TCP, UDP, DNS, HTTP), have some experience with web technologies (like HTML, PHP, JavaScript) and knowledge about relational database management systems (MySQL). Programming skills in any standard language would be helpful.
The student's workstation will be based on BackTrack Linux; therefore at least user-level knowledge of working with Linux systems is expected.
Additional information about the course: Leo Oja (leo.oja-at-ccdcoe.org)