Spring 2013
Class time and location:
Tuesday and Thursday, 11:00 AM - 12:15 PM, Room 103, Love Building
Instructors:
Instructor: W. Owen Redwood
Email: redwood@cs.fsu.edu (most effective way to contact me).
Homepage: http://ww2.cs.fsu.edu/~redwood/
Office: 010 Love Building (LOV)
Instructor: Professor Xiuwen Liu (pronounced as Shuwen Leal).
Email: liux@cs.fsu.edu (most effective way to contact me).
Homepage: http://www.cs.fsu.edu/~liux.
Office: 166 Love Building (LOV)
Phone: (850) 644-0050.
Class Home Page:
http://www.cs.fsu.edu/~redwood/OffensiveSecurity/
This website contains the up-to-date information related to this class, such as news,
announcements, assignments, lecture notes, and useful links to resources that are helpful
to this class. Besides the web pages, Blackboard will be used to communicate changes
and updates and to post grades for this class. In particular, I will send emails using the email
addresses in the Blackboard system, so please make sure that your email address on
record is current.
Rationale:
The primary incentive for an attacker to exploit a vulnerability, or series of vulnerabilities, is to
achieve a return on an investment (his/her time, usually). This return need not be strictly
monetary; an attacker may be interested in obtaining access to data, identities, or some other
commodity that is valuable to them. The field of penetration testing involves authorized auditing
and exploitation of systems to assess actual system security in order to protect against
attackers. This requires thorough knowledge of vulnerabilities and how to exploit them. Thus,
this course provides an introductory but comprehensive coverage of the fundamental
methodologies, skills, legal issues, and tools used in white-hat penetration testing and secure
system administration.
Required Textbooks:
Skoudis, Ed and Liston, Tom. Counter Hack Reloaded
Erickson, Jon. "Hacking: The Art of Exploitation, 2nd Edition"
Suggested Textbooks:
The following textbooks are suggested for any student who seeks advanced resources to
supplement the knowledge presented in this course:
Russinovich, Mark E. Windows Internals, 6th edition (Part 1 and 2)
Sikorski, Michael. Practical Malware Analysis
Koziol, Jack. The Shellcoder's Handbook: Discovering and Exploiting Security Holes
Carrier, Brian. File System Forensic Analysis
Prerequisites:
This is a highly technical class. We expect students to have a strong technical background
before taking this course. Students who have not taken a security class before, or who are
otherwise unfamiliar with computer security, will likely not be able to complete this class.
Specifically, students should satisfy at least two of the following:
1) Assembly code (Intel x86 preferred)
2) Knowledge of computer security basics
For undergraduates (at least CIS 4360 or CNT 4406)
For graduates (at least CIS 5370, CNT 5412, CNT 5415, or CIS 5371)
3) Proficiency in a scripting language (Python preferably)
4) Familiarity with operating system kernel/internals (Windows or Linux)
5) Familiarity with command line operation of Windows AND Linux
Course Objectives:
Upon successful completion of this course of study, the student will:
Know how to identify software flaws discovered through binary and source code auditing
Know how to reverse engineer x86 binaries
Know how to exploit software flaws (such as injection flaws, buffer overflows)
Know how to perform network and host enumeration, as well as OS and service
fingerprinting
Know how to perform network vulnerability analysis, penetration and post-exploitation
Know how to effectively report and communicate all of the above flaws
Grading:
All homework, projects, and assignments are individual work only. No collaboration is allowed.
Discussion of material is encouraged, but discussion of answers is prohibited.
Homeworks: 40%
Midterm: 15%
Term Project: 20%
Term Project Presentation: 10%
Final Exam: 15%
This class will involve regular homeworks that will assess the students' knowledge of materials
on a weekly basis. Homeworks will often expose students to tools related to subjects, and
require the student to use the tools to solve problems. Sometimes they can be small projects. If
students do not have access to personal computers that can run the tools, then access to the
SAIT security lab will be provided.
Extra Credit:
1) Involvement in CTFs
2) Any legal application of course material outside of class.
Calendar:
Red text indicates required reading for the lecture. Orange text indicates supplemental material that has
been hand-picked for additional understanding, but will not be tested upon. HAOE refers to the textbook
Hacking: The Art of Exploitation, and CHR refers to Counter Hack Reloaded. Below is the proposed
course calendar, but note that it is subject to change:
Week 1 (Jan 8, 10)
Overview Week 1:
Intro, Hacking vs. Penetration Testing Lecture (ETHICS), Motivation,
Threat Models, and Basics (PTES: http://www.penteststandard.org/).
Reading: Chapter 1 in CHR and SAND2007-5791
Essential Linux & UNIX overview:
Basics to an OS, kernel vs user space, system calls, unix permissions, ruid vs euid
etc., ext file system (for the limited focus of forensics), persistence mechanisms used
by malware, /var/log, and the ELF file format
Reading: Chapter 3 in CHR
Homework 1: Linux questions
Week 2 (Jan 15, 17)
Overview Week 2:
Essential Windows overview
Overview of the registry and registry hives, persistence mechanisms used by malware,
Portable Executable (PE) file format overview, Windows system calls commonly used
by malware (Windows API)
Reading: Chapter 4 in CHR
Code Auditing
Design flaws, software analysis, vulnerability identification, signed bugs (int over/under
flows), incorrect use of length params (strncpy, strncat, snprintf), format strings
Read 0x200 up to 0x250 (HAOE)
Homework 2: Windows questions
Week 3 (Jan 22, 24): RE week
Guest Lecturer: Mitch Adair on Reverse Engineering
Read 0x250 up to 0x270 (HAOE)
Related Video: Primer on Assembly http://www.securitytube.net/video/208
Homework 3: RE questions
Read 0x270 up to 0x300 (HAOE)
Read "Constant Insecurity: Things you didn't know about Portable Executable File
Format", 2011 Blackhat presentation by Mario Vuksan & Tomislav Pericin (Reversing
Labs): http://www.reversinglabs.com/sites/default/files/pictures/PECOFF_BlackHatUSA11Slides.pdf
Week 4 (Jan 29, 31): Exploit Development Week 1
Fuzzing (short overview) and Exploitation Development 101
Fuzzing overview, environment variables, stack attacks, buffer overflow, NOP sleds
Read 0x300 up to 0x340 (HAOE)
Homework 4: Fuzzing & exploitation development related
Exploitation Development 102
Writing shellcode (Linux and Windows),
DEP, N^X, ASLR, SEH, SafeSEH/SEHOP, stack (/GS) cookies
Ways attackers can bypass executable security mechanisms
Read 0x500 up to 0x540 (HAOE) (Writing shellcode)
Read 0x6A0 up to 0x700 (HAOE)
Week 5 (Feb 5, 7) End of exploit development week & start of networking
Exploitation Development 103
Advanced techniques, polymorphic shellcode, Windows exploitation techniques
(http://www.sysdream.com/sites/default/files/sehop_en.pdf)
Read 0x680 up to 0x6A0
Homework 5: Network Exploitation
Networking 101 (Xiuwen Liu)
Wireshark, Nmap, nc, hubs vs switches vs routers, manufacturer default logins/
backdoors, ARP & DNS (DNSSEC), proxies, weak IP vs strong IP model (RFC 1122)
Students have a choice for reading: for those who are unfamiliar with networking,
you should read Chapter 2 in CHR (60 pages) and Chapter 8 (pages 439-470),
BUT if you are strong with networking, instead just read 0x400 up to 0x450 (HAOE)
Related video: Hacking Routers
http://www.youtube.com/watch?v=Zazk0plSoQg&feature=relmfu
Week 6 (Feb 12, 14):
Networking 102 (Xiuwen Liu)
Port binding shellcode, connect-back shellcode, firewalls (filters, DMZ, egress filtering,
etc.), and traceroute [DEMO], SNMP, SNMP enumeration and walking, and air-gapped
networks
Chapter 8 in CHR (pages 470-510)
Read 0x460 up to 0x500 (HAOE) (20 pages)
Read 0x540 through 0x550 (HAOE) (11 pages)
Related video: Mastering the NMAP scripting engine
http://www.youtube.com/watch?v=gVJHCGfmdI&feature=related
Web Hacking 101:
HTTP, HTTP Proxy (Burp Suite / WebScarab) [DEMO], injection flaws, SQL injection
(in-band, out-of-band, and inferential; also known as error-based, union-based,
or blind) [DEMO], Cross-Site Scripting (XSS), cookie manipulation [Gruyere demo]
[OWASP BVMs]
Read Chapter 7 in CHR, pages 406-435
Reading: Open Web Application Security Project (OWASP) Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Related video (Advanced SQLi):
http://www.youtube.com/watch?v=rdyQoUNeXSg&feature=relmfu
* TERM PROJECTS INTRODUCED
Term project proposals due March 7 (3 weeks to plan)
Term project due week 14 (gives you lots of time)
Week 7 (Feb 19, 21): Web Application Hacking Week
Web Hacking 102:
Vulnerability scanning (w3af, OpenVAS [DEMO]), XSRF, Same Origin Policy,
authentication & authorization, web services (LDAP, etc.), encoding vs crypto
Homework 6: SQLi/XSS exploitation
Web Hacking 103:
SSL, the flaws of the certificate authority infrastructure, CA breaches and history, trust
agility [Convergence], and SSLStrip [http://www.thoughtcrime.org/software/sslstrip/].
Related Video: https://www.youtube.com/watch?v=Z7Wl2FW2TcA ([Blackhat] SSL and
the Future of Authenticity).
Related Video: https://www.youtube.com/watch?v=lt7uW6vDk00 Whitfield Diffie and Moxie
Marlinspike talk about certificate authorities, DNSSEC, SSL, DANE, trust agility, etc.
Week 8 (Feb 26, 28):
Web Hacking 104 / Exploitation 104
IDS/IPS, web application firewalls, connect-back shellcode, encoded/polymorphic
shellcode
Read 0x550 in HAOE
Related Video (IDS/IPS Detection, Evasion, VOIP hacking):
http://www.youtube.com/watch?v=tJsNu0VRKYY&feature=related
Wrap up of core topics / Midterm Review
Return Oriented Programming (ROP) chains
Week 9 (March 5, 7)
MIDTERM (MARCH 5)
Social Engineering (or how to have more fun during spring break)
Week 10 (March 12, 14)
SPRING BREAK (No class this week)
Week 11 (March 19, 21) Start of special topics
Metasploit, Armitage & Cortana
An entire class on Metasploit and Armitage, with Cortana bots.
Related Resource: Metasploit Megaprimer
http://www.securitytube.net/groups?operation=view&groupId=10
Homework 7: Metasploit + post-exploitation related
Post Exploitation 101:
http://www.darkoperator.com/
OPSEC, intelligence, planning, pivoting, passing the hash, Meterpreter scripting,
interesting Windows registry areas
(https://www.youtube.com/watch?feature=player_detailpage&v=gNUhK6G8EQ4#t=1832s),
Read 0x640 up to 0x670 in HAOE (log files through advanced camouflage),
Related Video (post exploitation): Tactical Post Exploitation by Carlos Perez
https://www.youtube.com/watch?v=gNUhK6G8EQ4
Week 12 (March 26, 28)
Post Exploitation 102:
Maintaining access, dos and don'ts, cleanup
Reading: Chapter 10 in CHR
Related video: Covert Post Exploitation
https://www.youtube.com/watch?v=PTYYlHYBF0Q&feature=related
Homework 8: Post Exploitation & Malware
Advanced Malware Techniques (Xiuwen)
Packers, red pills, blue pills, rootkits, anti-reverse engineering/debugging, and binary
patching
Related Video: Hacking Malware: Offense is the New Defense
https://www.youtube.com/watch?v=PEWaD7keeOw
Week 13 (April 2, 4) Cyber Warfare week
Denial of Service (Xiuwen Liu)
The Ds of Denial of Service: Deny, Degrade, Disrupt, Destroy, Degrade, Deceive, and
DENY!
Reading: Chapter 9 in CHR
Homework 9: Short paper relating to Cyber Warfare
The [very] Modern History of Cyber Warfare
Anatomy of APT warfare, the takedown of Georgia before the Georgian-Russian conflict,
nation-state botnets, cyber militia, and most importantly the ATTRIBUTION PROBLEM,
and policy problems.
Related reading:
http://arstechnica.com/techpolicy/2012/11/howgeorgiadoxedarussianhackerandwhyitmatters/
http://arstechnica.com/techpolicy/2012/11/uscyberweaponsexemptfromhumanjudgmentrequirement/
Related Video: Christopher Cleary, Operational Use of Offensive Cyber
https://www.youtube.com/watch?v=lEDCiUyJa2U
Week 14 (April 9, 11)
Physical Security Assessment
Lockpicking (hands-on), physical access attacks, physical emanation security and
shielding, and biometrics.
Reading: JP133 Chapter II (it's 7 pages)
Student Presentations
Term Projects due
Week 15 (April 16, 18)
Student Presentations
Week 16 (April 23, 25)
Student Presentations
Week 17 (April 29 - May 3)
Final Exam Week
May 8: Grades Due & Available Online
External Resources:
Most common unix commands and examples:
http://www.thegeekstuff.com/2010/11/50-linux-commands/
SQLi cheat sheet:
http://pentestmonkey.net/cheatsheet/sqlinjection/mssqlsqlinjectioncheatsheet
General pentesting cheat sheets:
http://pentestmonkey.net/cheatsheet
General Port Tables:
http://www.chebucto.ns.ca/~rakerman/port-table.html
Application Security and Vulnerability Analysis courses at NYU polytech
http://pentest.cryptocity.net/
Standalone Training Classes
http://www.opensecuritytraining.info/Training.html
Exploitation guides, tutorials, and resources
https://www.corelan.be/
Metasploit Training Videos:
http://www.securitytube.net/groups?operation=view&groupId=10
Meterpreter Basics:
http://www.offensive-security.com/metasploit-unleashed/Metasploit_Meterpreter_Basics
Backtrack (linux pen-testing distro):
http://www.backtrack-linux.org/
Social Engineering (metasploit kit tutorials):
http://www.social-engineer.org/
Academic Honor Code
The Florida State University Academic Honor Policy outlines the University's expectations for
the integrity of students' academic work, the procedures for resolving alleged violations of
those expectations, and the rights and responsibilities of students and faculty members
throughout the process. Students are responsible for reading the Academic Honor Policy and
for living up to their pledge to ". . . be honest and truthful and . . . [to] strive for personal and
institutional integrity at." (Florida State University Academic Honor Policy, found at
http://dof.fsu.edu/honorpolicy.htm)
Assignments/projects/exams are to be done individually, unless specified otherwise. It is a
violation of the Academic Honor Code to take credit for the work done by other people. It is
also a violation to assist another person in violating the Code (see the FSU Student Handbook
for penalties for violations of the Honor Code). The judgment for a violation of the Academic
Honor Code will be made by the instructor and a third-party member (another faculty member in
the Computer Science Department not involved in this course). Once the judgment is made,
the case is closed and no arguments from the involved parties will be heard. Examples of
cheating behaviors include: