MSc: Offensive Technologies

From IU
Revision as of 15:07, 30 July 2021 by 10.90.136.11

Offensive Technologies

  • Course name: Offensive Technology
  • Course number: ?

Course characteristics

Key concepts of the class

  • Physical Security
  • Network security
  • Web Security
  • Software Security
  • GSM

What is the purpose of this course?

Offensive Technology introduces students to methods and tools for assessing the security of different services and the protocols they rely on. The course aims to expose students to real-world problems from a security point of view and lets them find vulnerabilities in both software and hardware. The course covers exciting and interesting topics, and the students develop projects of their own choice to demonstrate their skills. In this course the students focus in particular on physical security, network security, web injection flaws, advanced memory exploitation and mitigation techniques, and fuzzing.

Course Objectives Based on Bloom’s Taxonomy

- What should a student remember at the end of the course?

By the end of the course, the students should be able to recognize and define

  • RFID
  • A rogue Wifi access point
  • ARP & DNS spoofing
  • Sniffing & MAC flooding
  • Covert channel
  • Honeypots
  • SSL meet in the middle
  • Common weaknesses/vulnerabilities in web applications
  • ASLR, NX, and how these techniques help protect against a malicious attacker
  • Fuzzing techniques
  • 2G, UMTS, LTE, LTE-A, ARFCNs, and hopping channels

- What should a student be able to understand at the end of the course?

By the end of the course, the students should be able to describe and explain (with examples)

  • Vulnerabilities on Mifare Classic
  • Ways to get in a passive eavesdropper position
  • Ways to get in an active intruder position
  • Ways to bypass memory mitigation techniques
  • The vulnerability of the A5/1 stream cipher

- What should a student be able to apply at the end of the course?

  • Clone HID and Mifare ID tags
  • Set up port mirroring and an IDS
  • Set up an inline-mode IPS
  • Perform a network discovery
  • Get into a man-in-the-middle position by various means of spoofing
  • Get into a man-in-the-middle position by various means of rogue services
  • Carry out an SSL/TLS meet-in-the-middle attack
  • Detect and exploit common weaknesses/vulnerabilities in web applications
  • Detect vulnerabilities in software
  • Write an exploit that bypasses ASLR and NX protection
  • Perform fuzzing for a specific use case
  • Eavesdrop on 2G SMS and voice calls

Course evaluation

Course grade breakdown

Component               Default points   Proposed points
Labs/seminar classes    ?                80
Exams                   ?                20

If necessary, please indicate freely your course’s features in terms of students’ performance assessment: Particular care is taken with the laboratory assessments, and the lab tasks correspond directly to the material taught in the lectures.

Grades range

Course grading range

Grade             Default range   Proposed range
A. Excellent      90-100          90-100
B. Good           75-89           70-89
C. Satisfactory   60-74           60-69
D. Poor           0-59            0-59

If necessary, please indicate freely your course’s grading features: The laboratory assignments are mandatory, with a required minimum result of 6/10 (including re-takes) to complete the course. As a consequence, the grades are generally quite high, and therefore the grading ranges are scaled up.

Resources and reference material

  • Mike O’Leary, Cyber Operations, Second Edition, Apress, 2019
  • Michal Zalewski, The Tangled Web, No Starch Press, 2011
  • Jon Erickson, Hacking: The Art of Exploitation, 2nd Edition, No Starch Press, 2008
  • The Fuzzing Book https://www.fuzzingbook.org
  • Jörg Eberspächer, Hans-Joerg Vögel, Christian Bettstetter, Christian Hartmann, GSM - Architecture, Protocols and Services, Third Edition, Wiley, 2009

Course Sections

Section   Section Title                  Teaching Hours
1         Physical & Network Security    8
2         Web Security                   4
3         Software Security              8
4         GSM                            4
5         Labs                           56

Section 1

Section title: Physical & Network Security

Topics covered in this section:

  • Physical access
  • RFID
  • Sniffing & network discovery
  • MAC flooding
  • ARP spoofing
  • DNS spoofing
  • Rogue DHCP
  • Rogue Wifi Access Point
  • Port mirroring & Intrusion Detection Systems
  • Intrusion Prevention Systems
  • Covert channels
  • Honeypots
  • SSL meet in the middle

What forms of evaluation were used to test students’ performance in this section?

Form                                                        Yes/No
Development of individual parts of software product code    0
Homework and group projects                                 1
Midterm evaluation                                          0
Testing (written or computer based)                         1
Reports                                                     1
Essays                                                      0
Oral polls                                                  0
Discussions                                                 1

Typical questions for ongoing performance evaluation within this section

  • What is RFID?
  • What is a rogue Wifi access point?
  • What is ARP & DNS spoofing?
  • What is sniffing & MAC flooding?
  • What is a covert channel?
  • What is a honeypot?

Typical questions for seminar classes (labs) within this section

  • Clone HID and Mifare ID Tags
  • Setup port-mirroring and IDS
  • Setup an inline mode IPS
  • Perform a network discovery
  • Be in the middle by various means of spoofing
  • Be in the middle by various means of rogue services
  • Proceed with SSL/TLS meet in the middle attack

Test questions for final assessment in this section

  • Briefly describe one Mifare Classic weakness and a corresponding attack
  • By what means can you get into a passive eavesdropper position?
  • By what means can you get into an active intruder position?
  • Describe different methods of performing ARP spoofing in terms of both network surface and precision

Section 2

Section title: Web Security

Topics covered in this section:

  • Injection flaws
  • Cookie flaws
  • Server misconfiguration

What forms of evaluation were used to test students’ performance in this section?

Form                                                        Yes/No
Development of individual parts of software product code    0
Homework and group projects                                 1
Midterm evaluation                                          0
Testing (written or computer based)                         1
Reports                                                     1
Essays                                                      0
Oral polls                                                  0
Discussions                                                 1

Typical questions for ongoing performance evaluation within this section

  • What is the difference between boolean-based and time-based SQL injection?
  • Can regex matching protect against a directory traversal attack?
  • Does the Same Origin Policy apply to the localStorage inside the browser?

Typical questions for seminar classes (labs) within this section

  • Vulnerability analysis and exploitation for a given web application
  • Write and deploy WAF rules to mitigate a specific web attack

Test questions for final assessment in this section

As above

Section 3

Section title: Software Security

Topics covered in this section:

  • Buffer overflow
  • Format string
  • ASLR
  • NX
  • Fuzzing

What forms of evaluation were used to test students’ performance in this section?

Form                                                        Yes/No
Development of individual parts of software product code    0
Homework and group projects                                 1
Midterm evaluation                                          0
Testing (written or computer based)                         1
Reports                                                     1
Essays                                                      0
Oral polls                                                  0
Discussions                                                 1

Typical questions for ongoing performance evaluation within this section

  • What are the pros and cons of using ASLR? Does it affect performance?
  • What is the required information to be able to identify a remote libc version?
  • What are the pros and cons of writing your own fuzzer?

Typical questions for seminar classes (labs) within this section

  • Write an exploit for a given binary, also try to bypass the mitigation techniques
  • Implement a fuzzer for a specific use-case

Test questions for final assessment in this section

As above

Section 4

Section title: GSM

Topics covered in this section:

  • Um interface
  • IMSI/TMSI
  • A5/1 stream cipher
  • SIM & USIM cards, A3/A8 and COMP128

What forms of evaluation were used to test students’ performance in this section?

Form                                                        Yes/No
Development of individual parts of software product code    0
Homework and group projects                                 1
Midterm evaluation                                          0
Testing (written or computer based)                         1
Reports                                                     1
Essays                                                      0
Oral polls                                                  0
Discussions                                                 1

Typical questions for ongoing performance evaluation within this section

  • What are 2G, UMTS, LTE, LTE-A, ARFCNs, and hopping channels?
  • What is a fake or rogue Base Transceiver Station?
  • What frequency ranges are we listening to?
  • What frequency bandwidth is required?
  • What SDR devices are compatible with those requirements?
  • What is an IMSI versus a TMSI and an MSISDN?

Typical questions for seminar classes (labs) within this section

  • How do you differentiate 2G, UMTS and LTE channels?
  • What telecom operators do you identify on 2G GSM900 and DCS1800?
  • What telecom operators do you identify on LTE and on what bands?
  • Locate cell towers and attempt to locate subscribers (yourself)
  • Trace your own IMSI and eavesdrop on a circumvented 2G SMS and voice call
  • Deal with hopping either by capturing a larger bandwidth, or using two RTL dongles with the same phase

Test questions for final assessment in this section

  • Briefly describe a known attack against the A5/1 stream cipher
  • How does COMP128 work? Is it vulnerable?
  • Name various ways to deal with 2G channel hopping
  • How often do IMSIs show up and in what situations does that usually happen?