
Offensive Security (CIS4930/CIS5930)

Spring 2013

Class time and location:
Tuesday and Thursday, 11:00 AM to 12:15 PM, Room 103, Love Building

Instructors:
Instructor: W. Owen Redwood
Email: redwood@cs.fsu.edu (most effective way to contact me).
Homepage: http://ww2.cs.fsu.edu/~redwood/
Office: 010 Love Building (LOV)

Instructor: Professor Xiuwen Liu (pronounced as Shuwen Leal).
Email: liux@cs.fsu.edu (most effective way to contact me).
Homepage: http://www.cs.fsu.edu/~liux.
Office: 166 Love Building (LOV)   Phone: (850) 644-0050.

Class Home Page:
http://www.cs.fsu.edu/~redwood/OffensiveSecurity/
This website contains the up-to-date information related to this class, such as news,
announcements, assignments, lecture notes, and useful links to resources that are helpful
to this class. Besides the web pages, Blackboard will be used to communicate changes
and updates and to post grades for this class; in particular, I will send emails using the
email addresses in the Blackboard system, so please make sure that your email address on
record is current.

Rationale:
The primary incentive for an attacker to exploit a vulnerability, or series of vulnerabilities, is to
achieve a return on an investment (his/her time, usually). This return need not be strictly
monetary; an attacker may be interested in obtaining access to data, identities, or some other
commodity that is valuable to them. The field of penetration testing involves authorized auditing
and exploitation of systems to assess actual system security in order to protect against
attackers. This requires thorough knowledge of vulnerabilities and how to exploit them. Thus,
this course provides an introductory but comprehensive coverage of the fundamental
methodologies, skills, legal issues, and tools used in white hat penetration testing and secure
system administration.

Required Textbooks:
Skoudis, Ed and Liston, Tom. Counter Hack Reloaded
Erickson, Jon. Hacking: The Art of Exploitation, 2nd Edition

Suggested Textbooks:
The following textbooks are suggested for any student who seeks advanced resources to
supplement the knowledge presented in this course:

Russinovich, Mark E. Windows Internals, 6th edition (Parts 1 and 2)
Sikorski, Michael. Practical Malware Analysis
Koziol, Jack. The Shellcoder's Handbook: Discovering and Exploiting Security Holes
Carrier, Brian. File System Forensic Analysis

Prerequisites:

This is a highly technical class. We expect students to have a strong technical background
before taking this course. Students who have not taken a security class before, or who are
otherwise unfamiliar with computer security, will likely not be able to complete this class.
Specifically, students should satisfy at least two of the following:

1) Assembly code (Intel x86 preferred)
2) Knowledge of computer security basics
   For undergraduates (at least CIS4360 or CNT4406)
   For graduates (at least CIS5370, CNT5412, CNT5415, or CIS5371)
3) Proficiency in a scripting language (Python preferably)
4) Familiarity with operating system kernel/internals (Windows or Linux)
5) Familiarity with command line operation of Windows AND Linux

Course Objectives:
Upon successful completion of this course of study, the student will:
Know how to identify software flaws discovered through binary and source code auditing
Know how to reverse engineer x86 binaries
Know how to exploit software flaws (such as injection flaws and buffer overflows)
Know how to perform network and host enumeration, as well as OS and service
fingerprinting
Know how to perform network vulnerability analysis, penetration, and post-exploitation
Know how to effectively report and communicate all of the above flaws

Grading:
All homework, projects, and assignments are individual work only. No collaboration is allowed.
Discussion of material is encouraged, but discussion of answers is prohibited.
Homeworks: 40%
Midterm: 15%
Term Project: 20%
Term Project Presentation: 10%
Final Exam: 15%

This class will involve regular homeworks that will assess the student's knowledge of the
material on a weekly basis. Homeworks will often expose students to tools related to the
subjects, and require the student to use the tools to solve problems. Sometimes they can be
small projects. If students do not have access to personal computers that can run the tools,
then access to the SAIT security lab will be provided.

Extra Credit:
1) Involvement in CTFs
2) Any legal application of course material outside of class.

Calendar:
Red text indicates required reading for the lecture. Orange text indicates supplemental material that has
been hand-picked for additional understanding, but will not be tested upon. HAOE refers to the textbook
Hacking: The Art of Exploitation, and CHR refers to Counter Hack Reloaded. Below is the proposed
course calendar, but note that it is subject to change:

Week 1 (Jan 8, 10) Overview Week 1:
Intro, Hacking vs. Penetration Testing lecture (ETHICS), motivation,
threat models, and basics (PTES: http://www.pentest-standard.org/).
Reading: Chapter 1 in CHR and SAND2007-5791

Essential Linux & UNIX overview:
Basics of an OS, kernel vs. user space, system calls, UNIX permissions, ruid vs. euid,
etc., the ext filesystem (for the limited focus of forensics), persistence mechanisms used
by malware, /var/log, and the ELF file format
Reading: Chapter 3 in CHR
Homework 1: Linux questions

Week 2 (Jan 15, 17) Overview Week 2:
Essential Windows overview
Overview of the registry and registry hives, persistence mechanisms used by malware,
Portable Executable (PE) file format overview, Windows system calls commonly used
by malware (Windows API)
Reading: Chapter 4 in CHR

Code Auditing
Design flaws, software analysis, vulnerability identification, signedness bugs (integer
over/underflows), incorrect use of length parameters (strncpy, strncat, snprintf), format strings
Read 0x200 up to 0x250 (HAOE)
Homework 2: Windows questions
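The bug classes named under Code Auditing (signedness, integer overflow, misuse of strncpy and of snprintf's return value), each shown as the vulnerable pattern next to its corrected form. This is an added example and not code from the syllabus or from either textbook; NAME_MAX, the function names and the sample inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 8   /* assumed fixed-size destination buffer */

/* Length of s, never reading past cap bytes (safe on an unterminated buffer). */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* BUG: strncpy leaves dst unterminated when src has >= NAME_MAX bytes, so a
   later strlen/printf("%s") runs off the end. Returns the non-NUL byte count;
   NAME_MAX means "no terminator inside dst". */
size_t copy_name_unsafe(const char *src)
{
    char dst[NAME_MAX];
    strncpy(dst, src, NAME_MAX);
    return bounded_len(dst, NAME_MAX);
}

/* FIX: copy at most NAME_MAX - 1 bytes and terminate explicitly. */
size_t copy_name_safe(const char *src)
{
    char dst[NAME_MAX];
    strncpy(dst, src, NAME_MAX - 1);
    dst[NAME_MAX - 1] = '\0';
    return bounded_len(dst, NAME_MAX);
}

/* BUG (signedness): the bound is checked as a signed int, so a negative
   length passes and then becomes a huge size_t in the memcpy that follows.
   Returns 1 if the copy would proceed, 0 if the length is rejected. */
int length_check_signed(int len)
{
    if (len > NAME_MAX)
        return 0;
    return 1;                      /* len == -1 reaches here */
}

/* FIX: compare in the unsigned domain the copy will actually use. */
int length_check_unsigned(size_t len)
{
    if (len > NAME_MAX)
        return 0;                  /* (size_t)-1 is rejected */
    return 1;
}

/* BUG (integer overflow): count * elem_size wraps modulo 2^32, so malloc()
   is asked for far too little. Returns the wrapped size it would request. */
uint32_t alloc_size_unsafe(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* FIX: refuse the product before it can wrap. Returns 1 and stores the size,
   or 0 if count * elem_size does not fit in 32 bits. */
int alloc_size_safe(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* BUG (snprintf return value): snprintf returns the length the string WOULD
   have had, not what was written. Accumulating it as a write offset walks
   past the buffer, and cap - off then underflows on the next call.
   Returns the offset such code would use for its next write (cap >= 1). */
size_t append_offset_unsafe(size_t cap, const char *a)
{
    char buf[64];
    size_t off = 0;
    if (cap > sizeof buf) cap = sizeof buf;
    off += (size_t)snprintf(buf, cap, "%s", a);   /* may exceed cap */
    return off;
}

/* FIX: a return value >= remaining space means truncation; stop there. */
size_t append_offset_safe(size_t cap, const char *a)
{
    char buf[64];
    int n;
    if (cap > sizeof buf) cap = sizeof buf;
    n = snprintf(buf, cap, "%s", a);
    if (n < 0 || (size_t)n >= cap)
        return cap - 1;            /* terminator sits at cap - 1 */
    return (size_t)n;
}
```

Each unsafe/safe pair takes the same input, so the difference in what it returns is the audit finding: an 8-byte source with no terminator, a length of -1 that passes the bound, a product that wraps to 0, and an offset of 10 in an 8-byte buffer.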

Week 3 (Jan 22, 24): RE week
Guest Lecturer: Mitch Adair on Reverse Engineering
Read 0x250 up to 0x270 (HAOE)
Related Video: Primer on Assembly http://www.securitytube.net/video/208

Homework 3: RE questions
Read 0x270 up to 0x300 (HAOE)
Read "Constant Insecurity: Things you didn't know about Portable Executable File
Format", 2011 Blackhat presentation by Mario Vuksan & Tomislav Pericin (Reversing
Labs): http://www.reversinglabs.com/sites/default/files/pictures/PECOFF_BlackHatUSA11Slides.pdf

Week 4 (Jan 29, 31): Exploit Development Week 1
Fuzzing (short overview) and Exploitation Development 101
Fuzzing overview, environment variables, stack attacks, buffer overflows, NOP sleds
Read 0x300 up to 0x340 (HAOE)

Homework 4: Fuzzing & exploit development related

Exploitation Development 102
Writing shellcode (Linux and Windows),
DEP, NX, ASLR, SEH, SafeSEH, SEHOP, stack (/GS) cookies
Ways attackers can bypass executable security mechanisms
Read 0x500 up to 0x540 (HAOE) (Writing shellcode)
Read 0x6A0 up to 0x700 (HAOE)
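The stack-smashing payload from Exploitation Development 101 (NOP sled, shellcode, overwritten return address) and the reason a /GS-style stack cookie from 102 catches a linear overflow, as one added simulation that is not code from the syllabus or from HAOE. It models a 32-bit little-endian frame as a byte array instead of smashing a real stack, so it runs on any host; the frame layout, cookie value, addresses and the 8-byte int3 stand-in "shellcode" are all constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Assumed frame (32-bit, little-endian, no ASLR), lowest address first:
   [buf][cookie][saved ebp][return address]. The cookie slot models a
   /GS-style stack cookie. All offsets and values are constructed. */
#define BUF_SIZE     32
#define COOKIE_OFF   BUF_SIZE
#define EBP_OFF      (COOKIE_OFF + 4)
#define RET_OFF      (EBP_OFF + 4)
#define FRAME_SIZE   (RET_OFF + 4)
#define COOKIE_VALUE 0x2c5a9f31u   /* constructed "random" cookie */
#define ORIG_RET     0x08048490u   /* constructed legitimate return address */

static void put32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(v >> (8 * i));      /* little-endian */
}

static uint32_t get32(const unsigned char *p)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* What the prologue leaves behind: cookie planted, return address saved. */
void frame_init(unsigned char *frame)
{
    memset(frame, 0, FRAME_SIZE);
    put32(frame + COOKIE_OFF, COOKIE_VALUE);
    put32(frame + RET_OFF, ORIG_RET);
}

/* The vulnerable copy: input length is never compared with BUF_SIZE, like
   strcpy(buf, input). Returns how many bytes spilled past buf. */
size_t vulnerable_copy(unsigned char *frame, const unsigned char *input, size_t len)
{
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;                 /* keep the simulation itself in bounds */
    memcpy(frame, input, len);
    return len > BUF_SIZE ? len - BUF_SIZE : 0;
}

/* Classic payload: NOP sled, shellcode, then the guessed sled address in the
   return-address slot. Everything between buf and that slot (cookie, saved
   ebp) is clobbered on the way. Returns payload length, 0 if it cannot fit. */
size_t build_payload(unsigned char *out, size_t cap,
                     const unsigned char *shellcode, size_t sc_len, uint32_t sled_guess)
{
    if (cap < FRAME_SIZE || sc_len > RET_OFF)
        return 0;
    size_t sled_len = RET_OFF - sc_len;
    memset(out, 0x90, sled_len);          /* 0x90 is the x86 NOP */
    memcpy(out + sled_len, shellcode, sc_len);
    put32(out + RET_OFF, sled_guess);
    return FRAME_SIZE;
}

/* The check a /GS epilogue performs before using the saved return address. */
int cookie_intact(const unsigned char *frame)
{
    return get32(frame + COOKIE_OFF) == COOKIE_VALUE;
}

uint32_t return_address(const unsigned char *frame)
{
    return get32(frame + RET_OFF);
}

/* Would the guessed address land on a NOP, given where buf actually is?
   Landing anywhere in the sled slides execution into the shellcode. */
int guess_hits_sled(uint32_t buf_addr, uint32_t guess, size_t sc_len)
{
    uint32_t sled_len = (uint32_t)(RET_OFF - sc_len);
    return guess >= buf_addr && guess < buf_addr + sled_len;
}

/* Constructed 8-byte stand-in for shellcode (int3 breakpoints, never executed). */
static const unsigned char sample_shellcode[8] = {
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc
};

/* End to end: returns the return address the smashed frame now holds and
   reports through *cookie_ok whether the /GS check would still pass. */
uint32_t smash_demo(uint32_t sled_guess, int *cookie_ok)
{
    unsigned char frame[FRAME_SIZE], payload[FRAME_SIZE];
    frame_init(frame);
    size_t len = build_payload(payload, sizeof payload,
                               sample_shellcode, sizeof sample_shellcode, sled_guess);
    vulnerable_copy(frame, payload, len);
    *cookie_ok = cookie_intact(frame);
    return return_address(frame);
}
```

Two things the simulation makes visible: the sled makes the address guess tolerant (any guess inside the NOP region works, hence the wider the sled the less precise the guess has to be), and any payload long enough to reach the return-address slot necessarily passes through the cookie slot, which is exactly why the epilogue check in a /GS build aborts before the corrupted return address is ever used.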

Week 5 (Feb 5, 7): End of exploit development week & start of networking
Exploitation Development 103
Advanced techniques, polymorphic shellcode, Windows exploitation techniques
(http://www.sysdream.com/sites/default/files/sehop_en.pdf)
Read 0x680 up to 0x6A0

Homework 5: Network exploitation

Networking 101 (Xiuwen Liu)
Wireshark, Nmap, nc, hubs vs. switches vs. routers, manufacturer default logins/
backdoors, ARP & DNS (DNSSEC), proxies, weak IP vs. strong IP model (RFC 1122)
Students have a choice for reading: for those who are unfamiliar with networking,
you should read Chapter 2 in CHR (60 pages) and Chapter 8 (pages 439-470);
BUT if you are strong with networking, instead just read 0x400 up to 0x450 (HAOE)
Related video: Hacking Routers
http://www.youtube.com/watch?v=Zazk0plSoQg&feature=relmfu

Week 6 (Feb 12, 14):
Networking 102 (Xiuwen Liu)
Port-binding shellcode, connect-back shellcode, firewalls (filters, DMZ, egress filtering,
etc.), traceroute [DEMO], SNMP, SNMP enumeration and walking, and air-gapped
networks
Chapter 8 in CHR (pages 470-510)
Read 0x460 up to 0x500 (HAOE) (20 pages)
Read 0x540 through 0x550 (HAOE) (11 pages)
Related video: Mastering the NMAP scripting engine
http://www.youtube.com/watch?v=gVJHCGfmdI&feature=related

Web Hacking 101:
HTTP, HTTP proxies (Burp Suite / WebScarab) [DEMO], injection flaws, SQL injection
(in-band, i.e. error-based and union-based; inferential, i.e. blind; and out-of-band)
[DEMO], Cross-Site Scripting (XSS), cookie manipulation [Gruyere demo]
[OWASP BVMs]
Read Chapter 7 in CHR, pages 406-435
Reading: Open Web Application Security Project (OWASP) Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Related video (Advanced SQLi):
http://www.youtube.com/watch?v=rdyQoUNeXSg&feature=relmfu
* TERM PROJECTS INTRODUCED
Term project proposals due March 7 (3 weeks to plan)
Term project due week 14 (gives you lots of time)

Week 7 (Feb 19, 21): Web Application Hacking Week
Web Hacking 102:
Vulnerability scanning (w3af, OpenVAS [DEMO]), XSRF, same-origin policy,
authentication & authorization, web services (LDAP, etc.), encoding vs. crypto

Homework 6: SQLi/XSS exploitation

Web Hacking 103:
SSL, the flaws of the certificate authority infrastructure, CA breaches and history, trust
agility [Convergence], and SSLStrip [http://www.thoughtcrime.org/software/sslstrip/].
Related Video: https://www.youtube.com/watch?v=Z7Wl2FW2TcA ([Blackhat] SSL and
the Future of Authenticity).
Related Video: https://www.youtube.com/watch?v=lt7uW6vDk00 Whitfield Diffie and Moxie
Marlinspike talk about certificate authorities, DNSSEC, SSL, DANE, trust agility, etc.

Week 8 (Feb 26, 28):

Web Hacking 104 / Exploitation 104
IDS/IPS, web application firewalls. Connect-back shellcode. Encoded/polymorphic
shellcode
Read 0x550 in HAOE
Related Video (IDS/IPS detection, evasion, VOIP hacking):
http://www.youtube.com/watch?v=tJsNu0VRKYY&feature=related

Wrap-up of core topics / Midterm review
Return Oriented Programming (ROP) chains

Week 9 (March 5, 7)
MIDTERM (MARCH 5)

Social Engineering (or how to have more fun during spring break)

Week 10 (March 12, 14)
SPRING BREAK (No class this week)

Week 11 (March 19, 21): Start of special topics
Metasploit, Armitage & Cortana
An entire class on Metasploit and Armitage, with Cortana bots.
Related Resource: Metasploit Megaprimer
http://www.securitytube.net/groups?operation=view&groupId=10

Homework 7: Metasploit + post-exploitation related

Post-Exploitation 101:
http://www.darkoperator.com/
OPSEC, intelligence, planning, pivoting, passing the hash, Meterpreter scripting,
interesting Windows registry areas
(https://www.youtube.com/watch?feature=player_detailpage&v=gNUhK6G8EQ4#t=1832s),
Read 0x640 up to 0x670 in HAOE (log files through advanced camouflage),
Related Video (post-exploitation): Tactical Post-Exploitation by Carlos Perez
https://www.youtube.com/watch?v=gNUhK6G8EQ4

Week 12 (March 26, 28)
Post-Exploitation 102:
Maintaining access, dos and don'ts, cleanup
Reading: Chapter 10 in CHR
Related video: Covert Post-Exploitation
https://www.youtube.com/watch?v=PTYYlHYBF0Q&feature=related

Homework 8: Post-exploitation & malware

Advanced Malware Techniques (Xiuwen Liu)
Packers, red pills, blue pills, rootkits, anti-reverse-engineering/anti-debugging, and binary
patching
Related Video: Hacking Malware: Offense is the New Defense
https://www.youtube.com/watch?v=PEWaD7keeOw

Week 13 (April 2, 4): Cyber Warfare week
Denial of Service (Xiuwen Liu)
The Ds of denial of service: deny, degrade, disrupt, destroy, deceive, and DENY!
Reading: Chapter 9 in CHR

Homework 9: Short paper relating to cyber warfare

The [very] Modern History of Cyber Warfare
Anatomy of APT warfare, the takedown of Georgia before the Georgian-Russian conflict,
nation-state botnets, cyber militia, and most importantly the ATTRIBUTION PROBLEM,
and policy problems.
Related reading:
http://arstechnica.com/techpolicy/2012/11/howgeorgiadoxedarussianhackerandwhyitmatters/
http://arstechnica.com/techpolicy/2012/11/uscyberweaponsexemptfromhumanjudgmentrequirement/
Related Video: Christopher Cleary, Operational Use of Offensive Cyber
https://www.youtube.com/watch?v=lEDCiUyJa2U

Week 14 (April 9, 11)
Physical Security Assessment
Lock picking (hands-on), physical access attacks, physical emanation security and
shielding, and biometrics.
Reading: JP133 Chapter II (it's 7 pages)

Student Presentations
Term Projects due

Week 15 (April 16, 18)
Student Presentations

Week 16 (April 23, 25)
Student Presentations

Week 17 (April 29 to May 3)
Final Exam Week

May 8: Grades due & available online

External Resources:
Most common UNIX commands and examples:
http://www.thegeekstuff.com/2010/11/50-linux-commands/
SQLi cheat sheet:
http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
General pentesting cheat sheets:
http://pentestmonkey.net/cheat-sheet
General port tables:
http://www.chebucto.ns.ca/~rakerman/port-table.html
Application Security and Vulnerability Analysis courses at NYU Poly:
http://pentest.cryptocity.net/
Standalone training classes:
http://www.opensecuritytraining.info/Training.html
Exploitation guides, tutorials, and resources:
https://www.corelan.be/
Metasploit training videos:
http://www.securitytube.net/groups?operation=view&groupId=10
Meterpreter basics:
http://www.offensive-security.com/metasploit-unleashed/Metasploit_Meterpreter_Basics
BackTrack (Linux pen-testing distro):
http://www.backtrack-linux.org/
Social engineering (Social-Engineer Toolkit tutorials):
http://www.social-engineer.org/


Academic Honor Code
The Florida State University Academic Honor Policy outlines the University's expectations for
the integrity of students' academic work, the procedures for resolving alleged violations of
those expectations, and the rights and responsibilities of students and faculty members
throughout the process. Students are responsible for reading the Academic Honor Policy and
for living up to their pledge to "... be honest and truthful and ... [to] strive for personal and
institutional integrity at." (Florida State University Academic Honor Policy, found at
http://dof.fsu.edu/honorpolicy.htm)

Assignments/projects/exams are to be done individually, unless specified otherwise. It is a
violation of the Academic Honor Code to take credit for the work done by other people. It is
also a violation to assist another person in violating the Code (see the FSU Student Handbook
for penalties for violations of the Honor Code). The judgment for a violation of the Academic
Honor Code will be made by the instructor and a third-party member (another faculty member in
the Computer Science Department not involved in this course). Once the judgment is made,
the case is closed and no arguments from the involved parties will be heard. Examples of
cheating behaviors include:

Discussing the solution for a homework question.
Copying programs for programming assignments.
Using and submitting existing programs/reports from the world wide web as written
assignments.
Submitting programs/reports/assignments done by a third party, including hired and
contracted parties.
Plagiarizing sentences/paragraphs from others without giving the appropriate references.
Plagiarism is a serious intellectual crime and the consequences can be very substantial.

Penalty for violating the Academic Honor Code: A 0 grade for the particular
assignment/quiz/exam and a reduction of one letter grade in the final grade for all parties
involved for each occurrence. A report will be sent to the department chairman for further
administrative actions.
Accommodation for Disabilities
Students with disabilities needing academic accommodations should: 1) register with and
provide documentation to the Student Disability Resource Center (SDRC), and 2) bring a letter
to the instructor indicating the need for accommodation and what type. This should be done
within the first week of class. This syllabus and other class materials are available in alternative
format upon request.
For more information about services available to FSU students with disabilities, contact the
Assistant Dean of Students:

Student Disability Resource Center
97 Woodward Avenue, South
108 Student Services Building
Florida State University
Tallahassee, FL 32306-4167
(850) 644-9566 (voice)
(850) 644-8504 (TDD)
sdrc@admin.fsu.edu
http://www.disabilitycenter.fsu.edu/
