Difference between revisions of "MSc: Offensive Technologies"
Jump to navigation
Jump to search
(Created page with "= Offensive Technologies = * Course name: Offensive Technology * Course number: ? == Course characteristics == === Key concepts of the class === * Physical Security * Netw...") |
R.sirgalina (talk | contribs) |
||
| (12 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
| + | |||
= Offensive Technologies = |
= Offensive Technologies = |
||
| + | * '''Course name''': Offensive Technologies |
||
| + | * '''Code discipline''': ? |
||
| + | * '''Subject area''': |
||
| + | == Short Description == |
||
| − | * Course name: Offensive Technology |
||
| + | This course covers the following concepts: Software Security; Malware Analysis; Mobile Security; Network and Web Security. |
||
| − | * Course number: ? |
||
| − | == |
+ | == Prerequisites == |
| − | === |
+ | === Prerequisite subjects === |
| + | * The course has been designed to be self-included as much as possible. The successful completion will depend on prerequisite courses such as: |
||
| + | * CSE522 - Advanced Security |
||
| + | * Essential skills |
||
| + | * Classical Internet Applications |
||
| + | === Prerequisite topics === |
||
| − | * Physical Security |
||
| − | * Network security |
||
| − | * Web Security |
||
| − | * Software Security |
||
| − | * GSM |
||
| − | === What is the purpose of this course? === |
||
| + | == Course Topics == |
||
| − | Offensive Technology introduces methods and tools to the students to assess the security of different services and protocols therein. The course aims to expose the students to real-world problems from a security point of view and let them find vulnerabilities in both software and hardware. The course hosts exciting and interesting topics. Furthermore, the students will develop projects of their choice to show their skills. In this course the students will particularly focus on physical security, network security, web injection flaws, advanced memory exploit/mitigation and fuzzing techniques. |
||
| + | {| class="wikitable" |
||
| − | |||
| + | |+ Course Sections and Topics |
||
| − | === Course Objectives Based on Bloom’s Taxonomy === |
||
| + | |- |
||
| + | ! Section !! Topics within the section |
||
| + | |- |
||
| + | | Software Security || |
||
| + | # Buffer overflow vulnerability |
||
| + | # Format string vulnerability |
||
| + | # ASLR defensive technique |
||
| + | # NX defensive technique |
||
| + | # Fuzzing security testing |
||
| + | |- |
||
| + | | Malware Analysis || |
||
| + | # Malware evasion techniques |
||
| + | # Malware injection techniques |
||
| + | # Malware artifacts |
||
| + | # Virtual Machine environment hardening |
||
| + | # Professional malware analysis frameworks and tools |
||
| + | |- |
||
| + | | Mobile Security || |
||
| + | # Mobile architecture |
||
| + | # Mobile security testing |
||
| + | # Detection of mobile malware |
||
| + | # Professional mobile security testing frameworks and tools |
||
| + | |- |
||
| + | | Network and Web Security || |
||
| + | # Injection Flows |
||
| + | # Cookies Flows |
||
| + | # Server Misconfiguration |
||
| + | # Network Misconfiguration |
||
| + | |} |
||
| + | == Intended Learning Outcomes (ILOs) == |
||
| − | + | === What is the main purpose of this course? === |
|
| + | Offensive Technology introduces methods, tools, and techniques to the students to assess the security of different services, protocols, and applications. The course aims to expose the students to real-world expertise from a security perspective and let them find vulnerabilities in both software and hardware, Also in this course, the students will learn how to analyze a malicious application and how they can understand the behavior of this application and deploy the appropriate defenses against this application. Furthermore, the students will develop projects of their choice to show their skills. In this course, the students will particularly focus on Software Testing, Fuzzing, Malware Analysis, Mobile Security, and Network and Web Security. |
||
| + | === ILOs defined at three levels === |
||
| − | By the end of the course, the students should be able to recognize and define |
||
| + | ==== Level 1: What concepts should a student know/remember/explain? ==== |
||
| − | * RFID |
||
| + | By the end of the course, the students should be able to ... |
||
| − | * A rogue Wifi access point |
||
| − | * ARP & DNS spoofing |
||
| − | * Sniffing & MAC flooding |
||
| − | * Covert channel |
||
| − | * Honey pots |
||
| − | * SSL meet in the middle |
||
* Common weaknesses/vulnerabilities in web application |
* Common weaknesses/vulnerabilities in web application |
||
| − | * ASLR, NX and how are these techniques can help to protect against a malicious attacker |
+ | * ASLR, NX, and how are these techniques can help to protect against a malicious attacker |
* Fuzzing techniques |
* Fuzzing techniques |
||
| + | * Malware C&C server |
||
| − | * 2G, UMTS, LTE, LTE-A, ARFCNs, and hopping channels |
||
| + | * Process injection techniques that are used in malware and how to defend against it |
||
| + | * Mobile security analysis |
||
| − | ==== |
+ | ==== Level 2: What basic practical skills should a student be able to perform? ==== |
| + | By the end of the course, the students should be able to ... |
||
| + | * Methods and techniques bypass memory mitigation techniques |
||
| + | * Methods and techniques for fuzz testing |
||
| + | * Methods and techniques malware analysis |
||
| + | * Methods and techniques for mobile security testing |
||
| + | * Methods and techniques web penetration testing |
||
| − | + | ==== Level 3: What complex comprehensive skills should a student be able to apply in real-life scenarios? ==== |
|
| + | By the end of the course, the students should be able to ... |
||
| − | |||
| − | * Vulnerabilities on Mifare Classic |
||
| − | * Ways to get in a passive eavesdropper position |
||
| − | * Ways to get in an active intruder position |
||
| − | * Ways to bypass memory mitigation techniques |
||
| − | * The vulnerability of the A5/1 stream cipher |
||
| − | |||
| − | ==== - What should a student be able to apply at the end of the course? ==== |
||
| − | |||
| − | * Clone HID and Mifare ID Tags |
||
| − | * Setup port-mirroring and IDS |
||
| − | * Setup an inline mode IPS |
||
* Perform a network discovery |
* Perform a network discovery |
||
| − | * Be in the middle by various means of spoofing |
||
| − | * Be in the middle by various means of rogue services |
||
| − | * Proceed with SSL/TLS meet in the middle attack |
||
* Detect/exploit common weaknesses/vulnerabilities in web applications. |
* Detect/exploit common weaknesses/vulnerabilities in web applications. |
||
* Detect vulnerabilities in software. |
* Detect vulnerabilities in software. |
||
* Writing an exploit to bypass ASLR and NX protection. |
* Writing an exploit to bypass ASLR and NX protection. |
||
* Perform fuzzing for a specific use case. |
* Perform fuzzing for a specific use case. |
||
| + | * Perform security assessment for mobile application |
||
| − | * Evesdrop on 2G SMS and voice calls |
||
| + | * Perform security analysis for a malicious application |
||
| + | == Grading == |
||
| − | === Course |
+ | === Course grading range === |
| + | {| class="wikitable" |
||
| − | |||
| − | + | |+ |
|
| − | |+ Course grade breakdown |
||
| − | ! |
||
| − | ! |
||
| − | !align="center"| '''Proposed points''' |
||
|- |
|- |
||
| + | ! Grade !! Range !! Description of performance |
||
| − | | Labs/seminar classes |
||
| − | | ? |
||
| − | |align="center"| 80 |
||
|- |
|- |
||
| + | | A. Excellent || 85-100 || - |
||
| − | | Exams |
||
| − | | ? |
||
| − | |align="center"| 20 |
||
| − | |} |
||
| − | |||
| − | If necessary, please indicate freely your course’s features in terms of students’ performance assessment: The laboratory assessments are particularly taken care of, and the tasks do correspond with the teachings from the lectures. |
||
| − | |||
| − | === Grades range === |
||
| − | |||
| − | {| |
||
| − | |+ Course grading range |
||
| − | ! Grade |
||
| − | ! Default range |
||
| − | !align="center"| Proposed range |
||
|- |
|- |
||
| + | | B. Good || 70-84 || - |
||
| − | | A. Excellent |
||
| − | | 90-100 |
||
| − | |align="center"| 90-100 |
||
|- |
|- |
||
| + | | C. Satisfactory || 60-69 || - |
||
| − | | B. Good |
||
| − | | 75-89 |
||
| − | |align="center"| 70-89 |
||
|- |
|- |
||
| + | | D. Poor || 0-59 || - |
||
| − | | C. Satisfactory |
||
| − | | 60-74 |
||
| − | |align="center"| 60-69 |
||
| − | |- |
||
| − | | D. Poor |
||
| − | | 0-59 |
||
| − | |align="center"| 0-59 |
||
|} |
|} |
||
| + | === Course activities and grading breakdown === |
||
| − | If necessary, please indicate freely your course’s grading features: The laboratory assignments are mandatory with a requried minimum result of 6/10 - including re-takes - to complete the course. As a conscequence, the grades are generally pretty high and therefore the grading ranges are scaled up. |
||
| + | {| class="wikitable" |
||
| − | |||
| + | |+ |
||
| − | === Resources and reference material === |
||
| − | |||
| − | * Mike O’Leary, ''Cyber Operations, Second Edition'', Apress, 2019 |
||
| − | * Michal Zalewsk, ''The Tangled Web'', No Starch Press, 2011 |
||
| − | * Jon Erickson, ''Hacking: The Art of Exploitation, 2nd Edition'', No Starch Press, 2008 |
||
| − | * The Fuzzing Book https://www.fuzzingbook.org |
||
| − | * Jörg Eberspächer, Hans-Joerg Vögel, Christian Bettstetter, Christian Hartmann, ''GSM - Architecture, Protocols and Services, Third Edition'', Wiley, 2009 |
||
| − | |||
| − | == Course Sections == |
||
| − | |||
| − | {| |
||
| − | |+ Course Sections |
||
| − | ! Section |
||
| − | ! Section Title |
||
| − | !align="center"| Teaching Hours |
||
| − | |- |
||
| − | | 1 |
||
| − | | Physical & Network Security |
||
| − | |align="center"| 8 |
||
| − | |- |
||
| − | | 2 |
||
| − | | Web Security |
||
| − | |align="center"| 4 |
||
|- |
|- |
||
| + | ! Activity Type !! Percentage of the overall course grade |
||
| − | | 3 |
||
| − | | Software Security |
||
| − | |align="center"| 8 |
||
|- |
|- |
||
| + | | Labs/seminar classes || 50 |
||
| − | | 4 |
||
| − | | GSM |
||
| − | |align="center"| 4 |
||
|- |
|- |
||
| + | | Project || 50 |
||
| − | | 5 |
||
| − | | Labs |
||
| − | |align="center"| 56 |
||
|} |
|} |
||
| + | === Recommendations for students on how to succeed in the course === |
||
| − | === Section 1 === |
||
| − | '''Section title: Physical & Network Security''' |
||
| + | == Resources, literature and reference materials == |
||
| − | '''Topics covered in this section:''' |
||
| − | + | === Open access resources === |
|
| + | * Mike O’Leary, Cyber Operations, Second Edition, Apress, 2019 |
||
| − | * RFID |
||
| + | * Ric Messier, Penetration Testing Basics: A Quick-Start Guide to Breaking into Systems, Apress, 2016 |
||
| − | * Sniffing & network discovery |
||
| + | * Michal Zalewsk, The Tangled Web, No Starch Press, 2011 |
||
| − | * MAC flooding |
||
| + | * Jon Erickson, Hacking: The Art of Exploitation, 2nd Edition, No StarchPress, 2008 |
||
| − | * ARP spoofing |
||
| + | * The Fuzzing Bookhttps://www.fuzzingbook.org |
||
| − | * DNS spoofing |
||
| + | * Wil Allsopp, Advanced Penetration Testing: Hacking the World’s most secure Networks, Wiley, 2017 |
||
| − | * Rogue DHCP |
||
| + | * Dafydd Stuttard, The Web Application Hacker’s Handbook: Finding and exploiting Security Flaws, 2nd edition, Wiley, 2011 |
||
| − | * Rogue Wifi Access Point |
||
| + | * Rafay Baloch, Ethical Hacking and Penetration Testing Guide, AuerbachPublications, 2014 |
||
| − | * Port mirroring & Intrusion Detection Systems |
||
| − | * Intrusion Prevention Systems |
||
| − | * Covert channels |
||
| − | * Honey pots |
||
| − | * SSL meet in the middle |
||
| + | === Closed access resources === |
||
| − | '''What forms of evaluation were used to test students’ performance in this section?''' |
||
| + | |||
| − | {| |
||
| + | === Software and tools used within the course === |
||
| − | ! Form |
||
| + | |||
| − | ! Yes/No |
||
| + | = Teaching Methodology: Methods, techniques, & activities = |
||
| − | !align="center"| |
||
| + | |||
| + | == Activities and Teaching Methods == |
||
| + | {| class="wikitable" |
||
| + | |+ Activities within each section |
||
|- |
|- |
||
| + | ! Learning Activities !! Section 1 !! Section 2 !! Section 3 !! Section 4 |
||
| − | | Development of individual parts of software product code |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| − | | Homework and group projects |
+ | | Homework and group projects || 1 || 1 || 1 || 1 |
| − | | 1 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Testing (written or computer based) || 1 || 1 || 1 || 1 |
||
| − | | Midterm evaluation |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Reports || 1 || 1 || 1 || 1 |
||
| − | | Testing (written or computer based) |
||
| − | | 1 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Discussions || 1 || 1 || 1 || 1 |
||
| − | | Reports |
||
| − | | |
+ | |} |
| + | == Formative Assessment and Course Activities == |
||
| − | |align="center"| |
||
| + | |||
| + | === Ongoing performance assessment === |
||
| + | |||
| + | ==== Section 1 ==== |
||
| + | {| class="wikitable" |
||
| + | |+ |
||
|- |
|- |
||
| + | ! Activity Type !! Content !! Is Graded? |
||
| − | | Essays |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || What are the pros and cons of using ASLR? does it affect the performance? || 1 |
||
| − | | Oral polls |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || What is the required information to be able to identify a remote libc version? || 1 |
||
| − | | Discussions |
||
| − | | 1 |
||
| − | |align="center"| |
||
| − | |} |
||
| − | |||
| − | '''Typical questions for ongoing performance evaluation within this section''' |
||
| − | |||
| − | * What is RFID? |
||
| − | * What is a rogue Wifi access point? |
||
| − | * What is ARP & DNS spoofing? |
||
| − | * What is sniffing & MAC flooding? |
||
| − | * What is a covert channel? |
||
| − | * What is a honey pot? |
||
| − | |||
| − | '''Typical questions for seminar classes (labs) within this section''' |
||
| − | |||
| − | * Clone HID and Mifare ID Tags |
||
| − | * Setup port-mirroring and IDS |
||
| − | * Setup an inline mode IPS |
||
| − | * Perform a network discovery |
||
| − | * Be in the middle by various means of spoofing |
||
| − | * Be in the middle by various means of rogue services |
||
| − | * Proceed with SSL/TLS meet in the middle attack |
||
| − | |||
| − | '''Test questions for final assessment in this section''' |
||
| − | |||
| − | * Briefly describe one Mifare classic weakness and an afferent attack |
||
| − | * By what means can you get in a passive eavesdropper position? |
||
| − | * By what means can you get in an active intruder position? |
||
| − | * Describe different methods to perform ARP spoofing in term of both, network surface and precision |
||
| − | |||
| − | === Section 2 === |
||
| − | |||
| − | '''Section title: Web Security''' |
||
| − | |||
| − | '''Topics covered in this section:''' |
||
| − | |||
| − | * Injection Flows |
||
| − | * Cookies Flows |
||
| − | * Server Misconfiguration |
||
| − | |||
| − | '''What forms of evaluation were used to test students’ performance in this section?''' |
||
| − | |||
| − | {| |
||
| − | ! Form |
||
| − | ! Yes/No |
||
| − | !align="center"| |
||
|- |
|- |
||
| + | | Question || What are the pros and cons of writing your own fuzzer? || 1 |
||
| − | | Development of individual parts of software product code |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || Write an exploit for a given binary, also try to bypass the mitigation techniques || 0 |
||
| − | | Homework and group projects |
||
| − | | 1 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || Implement a fuzzer for a specific use-case || 0 |
||
| − | | Midterm evaluation |
||
| − | | |
+ | |} |
| + | ==== Section 2 ==== |
||
| − | |align="center"| |
||
| + | {| class="wikitable" |
||
| + | |+ |
||
|- |
|- |
||
| + | ! Activity Type !! Content !! Is Graded? |
||
| − | | Testing (written or computer based) |
||
| − | | 1 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || For a given malicious application try to find useful artifacts, for example, find encryption key, C&C server, find commands that server can send || 1 |
||
| − | | Reports |
||
| − | | 1 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || while setup an isolated analytic Virtual Machine, What are the required steps for hardening? || 1 |
||
| − | | Essays |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || what are the most commonly used evasion and injection in malware and how can you detect it? || 1 |
||
| − | | Oral polls |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || For a given malicious application try to find the evasion and injection techniques that are used by that application || 0 |
||
| − | | Discussions |
||
| − | | 1 |
||
| − | |align="center"| |
||
| − | |} |
||
| − | |||
| − | '''Typical questions for ongoing performance evaluation within this section''' |
||
| − | |||
| − | * What is the difference between boolean-based and time-based SQL injection? |
||
| − | * Can regex matching protect against Directory Traversal attack? |
||
| − | * Does the Same Origin Policy apply to the localStorage inside the browser? |
||
| − | |||
| − | '''Typical questions for seminar classes (labs) within this section''' |
||
| − | |||
| − | * Vulnerability analysis and exploitation for a given web application |
||
| − | * Write and deploy WAF rules to mitigate a specific web attack |
||
| − | |||
| − | '''Test questions for final assessment in this section''' |
||
| − | |||
| − | As above |
||
| − | |||
| − | === Section 3 === |
||
| − | |||
| − | '''Section title: Software Security''' |
||
| − | |||
| − | '''Topics covered in this section:''' |
||
| − | |||
| − | * Buffer overflow |
||
| − | * Format string |
||
| − | * ASLR |
||
| − | * NX |
||
| − | * Fuzzing |
||
| − | |||
| − | '''What forms of evaluation were used to test students’ performance in this section?''' |
||
| − | |||
| − | {| |
||
| − | ! Form |
||
| − | ! Yes/No |
||
| − | !align="center"| |
||
|- |
|- |
||
| + | | Question || For a given malicious application try to write detection rules to be able to defend against it || 0 |
||
| − | | Development of individual parts of software product code |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || Setup an isolated analytic Virtual Machine and test it against Virtual Machine detection tools || 0 |
||
| − | | Homework and group projects |
||
| − | | |
+ | |} |
| + | ==== Section 3 ==== |
||
| − | |align="center"| |
||
| + | {| class="wikitable" |
||
| + | |+ |
||
|- |
|- |
||
| + | ! Activity Type !! Content !! Is Graded? |
||
| − | | Midterm evaluation |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || What privilege does root or jailbreak gives you? is it mandatory for security testing? || 1 |
||
| − | | Testing (written or computer based) |
||
| − | | 1 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || What is the difference from the security perspective between some version of an old mobile operation system || 1 |
||
| − | | Reports |
||
| − | | 1 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || what is the pros and cons of mobile security testing? || 1 |
||
| − | | Essays |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || For a given malicious application try to find the evasion and injection techniques that are used by that application || 0 |
||
| − | | Oral polls |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || Setup an automated mobile security testing solution and test a given application || 0 |
||
| − | | Discussions |
||
| − | | 1 |
||
| − | |align="center"| |
||
| − | |} |
||
| − | |||
| − | '''Typical questions for ongoing performance evaluation within this section''' |
||
| − | |||
| − | * What are the pros and cons of using ASLR? does it affect the performance? |
||
| − | * What is the required information to be able to identify a remote libc version? |
||
| − | * What are the pros and cons of writing your own fuzzer? |
||
| − | |||
| − | '''Typical questions for seminar classes (labs) within this section''' |
||
| − | |||
| − | * Write an exploit for a given binary, also try to bypass the mitigation techniques |
||
| − | * Implement a fuzzer for a specific use-case |
||
| − | |||
| − | '''Test questions for final assessment in this section''' |
||
| − | |||
| − | As above |
||
| − | |||
| − | === Section 4 === |
||
| − | |||
| − | '''Section title: GSM''' |
||
| − | |||
| − | '''Topics covered in this section:''' |
||
| − | |||
| − | * Um interface |
||
| − | * IMSI/TMSI |
||
| − | * A5/1 stream cipher |
||
| − | * SIM & USIM cards, A3/A8 and COMP128 |
||
| − | |||
| − | '''What forms of evaluation were used to test students’ performance in this section?''' |
||
| − | |||
| − | {| |
||
| − | ! Form |
||
| − | ! Yes/No |
||
| − | !align="center"| |
||
|- |
|- |
||
| + | | Question || try to bypass some of the security mechanisms that are enabled either on the application or on the operating system level || 0 |
||
| − | | Development of individual parts of software product code |
||
| − | | |
+ | |} |
| + | ==== Section 4 ==== |
||
| − | |align="center"| |
||
| + | {| class="wikitable" |
||
| + | |+ |
||
|- |
|- |
||
| + | ! Activity Type !! Content !! Is Graded? |
||
| − | | Homework and group projects |
||
| − | | 1 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || What is the difference between boolean-based and time-based SQL injection? || 1 |
||
| − | | Midterm evaluation |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || Can regex matching protect against Directory Traversal attack? || 1 |
||
| − | | Testing (written or computer based) |
||
| − | | 1 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || Does the Same Origin Policy apply to the localStorage inside the browser? || 1 |
||
| − | | Reports |
||
| − | | 1 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || Vulnerability analysis and exploitation for a given web application || 0 |
||
| − | | Essays |
||
| − | | 0 |
||
| − | |align="center"| |
||
|- |
|- |
||
| + | | Question || Write and deploy WAF rules to mitigate a specific web attack || 0 |
||
| − | | Oral polls |
||
| − | | |
+ | |} |
| + | === Final assessment === |
||
| − | |align="center"| |
||
| + | '''Section 1''' |
||
| − | |- |
||
| + | # As above |
||
| − | | Discussions |
||
| + | '''Section 2''' |
||
| − | | 1 |
||
| + | # As above |
||
| − | |align="center"| |
||
| + | '''Section 3''' |
||
| − | |} |
||
| + | # As above |
||
| − | |||
| + | '''Section 4''' |
||
| − | '''Typical questions for ongoing performance evaluation within this section''' |
||
| + | # As above |
||
| − | |||
| − | * What are 2G, UMTS, LTE, LTE-A, ARFCNs, and hopping channels? |
||
| − | * What is a fake or rogue Base Transceiver Station? |
||
| − | * What frequency ranges are we listening to? |
||
| − | * What frequency bandwidth is required |
||
| − | * What SDR devices are compatible with those requirements? |
||
| − | * What is an IMSI versus a TMSI and an MSISDN? |
||
| + | === The retake exam === |
||
| − | '''Typical questions for seminar classes (labs) within this section''' |
||
| + | '''Section 1''' |
||
| + | '''Section 2''' |
||
| − | * How to differentiate 2G vs UMTS vs LTE channels? |
||
| − | * What telecom operators do you identify on 2G GSM900 and DCS1800? |
||
| − | * What telecom operators do you identify on LTE and on what bands? |
||
| − | * Locate cell towers and attempt to locate subscribers (yourself) |
||
| − | * Trace your own IMSI and eavesdrop on a circumvented 2G SMS and voice call |
||
| − | * Deal with hopping either by capturing a larger bandwidth, or using two RTL dongles with the same phase |
||
| + | '''Section 3''' |
||
| − | '''Test questions for final assessment in this section''' |
||
| + | '''Section 4''' |
||
| − | * Briefly describe a known attack against the A5/1 stream cipher |
||
| − | * How does COMP128 work? Is it vulnerable? |
||
| − | * Name various ways to deal with 2G channel hopping |
||
| − | * How often do IMSIs show up and in what situations does that usually happen? |
||
Latest revision as of 11:57, 29 August 2022
Offensive Technologies
- Course name: Offensive Technologies
- Code discipline: ?
- Subject area:
Short Description
This course covers the following concepts: Software Security; Malware Analysis; Mobile Security; Network and Web Security.
Prerequisites
Prerequisite subjects
- The course has been designed to be self-included as much as possible. The successful completion will depend on prerequisite courses such as:
- CSE522 - Advanced Security
- Essential skills
- Classical Internet Applications
Prerequisite topics
Course Topics
| Section | Topics within the section |
|---|---|
| Software Security |
|
| Malware Analysis |
|
| Mobile Security |
|
| Network and Web Security |
|
Intended Learning Outcomes (ILOs)
What is the main purpose of this course?
Offensive Technology introduces methods, tools, and techniques to the students to assess the security of different services, protocols, and applications. The course aims to expose the students to real-world expertise from a security perspective and let them find vulnerabilities in both software and hardware, Also in this course, the students will learn how to analyze a malicious application and how they can understand the behavior of this application and deploy the appropriate defenses against this application. Furthermore, the students will develop projects of their choice to show their skills. In this course, the students will particularly focus on Software Testing, Fuzzing, Malware Analysis, Mobile Security, and Network and Web Security.
ILOs defined at three levels
Level 1: What concepts should a student know/remember/explain?
By the end of the course, the students should be able to ...
- Common weaknesses/vulnerabilities in web application
- ASLR, NX, and how are these techniques can help to protect against a malicious attacker
- Fuzzing techniques
- Malware C&C server
- Process injection techniques that are used in malware and how to defend against it
- Mobile security analysis
Level 2: What basic practical skills should a student be able to perform?
By the end of the course, the students should be able to ...
- Methods and techniques bypass memory mitigation techniques
- Methods and techniques for fuzz testing
- Methods and techniques malware analysis
- Methods and techniques for mobile security testing
- Methods and techniques web penetration testing
Level 3: What complex comprehensive skills should a student be able to apply in real-life scenarios?
By the end of the course, the students should be able to ...
- Perform a network discovery
- Detect/exploit common weaknesses/vulnerabilities in web applications.
- Detect vulnerabilities in software.
- Writing an exploit to bypass ASLR and NX protection.
- Perform fuzzing for a specific use case.
- Perform security assessment for mobile application
- Perform security analysis for a malicious application
Grading
Course grading range
| Grade | Range | Description of performance |
|---|---|---|
| A. Excellent | 85-100 | - |
| B. Good | 70-84 | - |
| C. Satisfactory | 60-69 | - |
| D. Poor | 0-59 | - |
Course activities and grading breakdown
| Activity Type | Percentage of the overall course grade |
|---|---|
| Labs/seminar classes | 50 |
| Project | 50 |
Recommendations for students on how to succeed in the course
Resources, literature and reference materials
Open access resources
- Mike O’Leary, Cyber Operations, Second Edition, Apress, 2019
- Ric Messier, Penetration Testing Basics: A Quick-Start Guide to Breaking into Systems, Apress, 2016
- Michal Zalewsk, The Tangled Web, No Starch Press, 2011
- Jon Erickson, Hacking: The Art of Exploitation, 2nd Edition, No StarchPress, 2008
- The Fuzzing Bookhttps://www.fuzzingbook.org
- Wil Allsopp, Advanced Penetration Testing: Hacking the World’s most secure Networks, Wiley, 2017
- Dafydd Stuttard, The Web Application Hacker’s Handbook: Finding and exploiting Security Flaws, 2nd edition, Wiley, 2011
- Rafay Baloch, Ethical Hacking and Penetration Testing Guide, AuerbachPublications, 2014
Closed access resources
Software and tools used within the course
Teaching Methodology: Methods, techniques, & activities
Activities and Teaching Methods
| Learning Activities | Section 1 | Section 2 | Section 3 | Section 4 |
|---|---|---|---|---|
| Homework and group projects | 1 | 1 | 1 | 1 |
| Testing (written or computer based) | 1 | 1 | 1 | 1 |
| Reports | 1 | 1 | 1 | 1 |
| Discussions | 1 | 1 | 1 | 1 |
Formative Assessment and Course Activities
Ongoing performance assessment
Section 1
| Activity Type | Content | Is Graded? |
|---|---|---|
| Question | What are the pros and cons of using ASLR? does it affect the performance? | 1 |
| Question | What is the required information to be able to identify a remote libc version? | 1 |
| Question | What are the pros and cons of writing your own fuzzer? | 1 |
| Question | Write an exploit for a given binary, also try to bypass the mitigation techniques | 0 |
| Question | Implement a fuzzer for a specific use-case | 0 |
Section 2
| Activity Type | Content | Is Graded? |
|---|---|---|
| Question | For a given malicious application try to find useful artifacts, for example, find encryption key, C&C server, find commands that server can send | 1 |
| Question | while setup an isolated analytic Virtual Machine, What are the required steps for hardening? | 1 |
| Question | what are the most commonly used evasion and injection in malware and how can you detect it? | 1 |
| Question | For a given malicious application try to find the evasion and injection techniques that are used by that application | 0 |
| Question | For a given malicious application try to write detection rules to be able to defend against it | 0 |
| Question | Setup an isolated analytic Virtual Machine and test it against Virtual Machine detection tools | 0 |
Section 3
| Activity Type | Content | Is Graded? |
|---|---|---|
| Question | What privilege does root or jailbreak gives you? is it mandatory for security testing? | 1 |
| Question | What is the difference from the security perspective between some version of an old mobile operation system | 1 |
| Question | what is the pros and cons of mobile security testing? | 1 |
| Question | For a given malicious application try to find the evasion and injection techniques that are used by that application | 0 |
| Question | Setup an automated mobile security testing solution and test a given application | 0 |
| Question | try to bypass some of the security mechanisms that are enabled either on the application or on the operating system level | 0 |
Section 4
| Activity Type | Content | Is Graded? |
|---|---|---|
| Question | What is the difference between boolean-based and time-based SQL injection? | 1 |
| Question | Can regex matching protect against Directory Traversal attack? | 1 |
| Question | Does the Same Origin Policy apply to the localStorage inside the browser? | 1 |
| Question | Vulnerability analysis and exploitation for a given web application | 0 |
| Question | Write and deploy WAF rules to mitigate a specific web attack | 0 |
Final assessment
Section 1
- As above
Section 2
- As above
Section 3
- As above
Section 4
- As above
The retake exam
Section 1
Section 2
Section 3
Section 4