CNIT 124
Advanced Ethical Hacking

Fall 2017 Sam Bowne

Textbook: Required book ($25 - $33)


Violent Python Book: Optional book ($35)

CRN 77818 Thu 6:10-9:00 MUB 388

Catalog Description

Advanced techniques of defeating computer security, and countermeasures to protect Windows and Unix/Linux systems. Hands-on labs include Google hacking, automated footprinting, sophisticated ping and port scans, privilege escalation, attacks against telephone and Voice over Internet Protocol (VoIP) systems, routers, firewalls, wireless devices, Web servers, and Denial of Service attacks.

Prerequisites: CNIT 123.

Upon successful completion of this course, the student will be able to:
  1. Use Google and automated footprinting tools to locate vulnerable Web servers, passwords, open VNC servers, database passwords, and Nessus reports
  2. Perform sophisticated ping and port scans with several tools, and protect servers from the scans
  3. Enumerate resources on systems using banner-grabbing and specific attacks against common Windows and Unix/Linux services including FTP, Telnet, HTTP, DNS, and many others, and protect those services
  4. Use authenticated and unauthenticated attacks to compromise Windows and Unix/Linux systems and install backdoors and remote-control agents on them, and protect the systems from such attacks
  5. Enter networks through analog phone systems, defeating many authentication techniques, and defend networks from such attacks
  6. Penetrate PBX, voicemail, Virtual Private Network (VPN), and Voice over Internet Protocol (VoIP) systems, and defend them
  7. Perform new wireless attacks, including denial-of-service and cracking networks using Wi-Fi Protected Access (WPA) and WPA-2
  8. Identify firewalls and scan through them
  9. Perform classical and modern Denial of Service (DoS) attacks, and defend networks from them
  10. Locate Web server vulnerabilities, exploit them, and cure them
  11. Describe many ways Internet users are attacked through their browsers and other Internet clients, and the protective measures that can help them

Student Learning Outcomes (measured to guide course improvements)

  1. Enumerate resources on systems using banner-grabbing and specific attacks against common Windows and Unix/Linux services including FTP, Telnet, HTTP, DNS, and many others, and protect those services
  2. Perform classical and modern Denial of Service (DoS) attacks, and defend networks from them
  3. Locate Web server vulnerabilities, exploit them, and cure them

Textbook

Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press, 1st edition (June 8, 2014). Buy from Amazon

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. Study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is available for one week and closes 30 minutes before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

To take quizzes, first claim your RAM ID and then log in to Canvas here:

https://ccsf.instructure.com

Live Streaming

Live stream at: ccsf.edu/webcasts

Classes will also be recorded and published on YouTube for later viewing.



Schedule (may be revised)

| Date | Quiz / Due | Topic |
|---|---|---|
| Thu 8-24 | | Ch 1: Setting Up Your Virtual Lab |
| Thu 8-31 | | Ch 2: Using Kali Linux |
| Thu 9-7 | | Ch 3: Programming |
| Fri 9-8 | | Last Day to Add Classes |
| Thu 9-14 | Quizzes Ch 2 & 4 due before class; Proj 1-3 due | Ch 4: Using the Metasploit Framework |
| Thu 9-21 | Quizzes Ch 3 & 5 due before class; Proj 4 & 5 due | Ch 5: Information Gathering |
| Thu 9-28 | No Quiz | Guest Speaker (may be rescheduled) |
| Thu 10-5 | Quiz Ch 6 due before class; Proj 7 due | Ch 6: Finding Vulnerabilities |
| Thu 10-12 | Quiz Ch 7 due before class; Proj 8 due | Ch 7: Capturing Traffic |
| Thu 10-19 | Quiz Ch 8 due before class; Proj 9 due | Ch 8: Exploitation |
| Thu 10-26 | Quiz Ch 9 due before class; Proj 10 & 11 due | Ch 9: Password Attacks |
| Thu 11-2 | Quiz Ch 10-12 due before class; Proj 12 due | Ch 10: Client-Side Exploitation; Ch 11: Social Engineering; Ch 12: Bypassing Antivirus Applications |
| Thu 11-9 | No Quiz | Guest Speaker (may be rescheduled) |
| Thu 11-9 | | Last Day to Withdraw |
| Thu 11-16 | Quiz Ch 13 (Part 1) due before class; Proj 13 due | Ch 13: Post Exploitation (Part 1) |
| Thu 11-23 | | Holiday - No Class |
| Thu 11-30 | Quiz Ch 13 (Part 2) due before class; Proj 14 & 15 due | Ch 13: Post Exploitation (Part 2) |
| Thu 12-7 | No Quiz; Proj 16 due | TBA |
| Thu 12-14 | No Quiz; All extra credit projects due | Last Class: TBA |
| Thu 12-21 | | Final Exam |


Lectures

Policy · Schedule
Student Agreement
Code of Ethics
Ch 1: Setting Up Your Virtual Lab
Ch 2: Using Kali Linux
Ch 3: Programming
Ch 4: Using the Metasploit Framework
Ch 5: Information Gathering (pptx)
Ch 6: Finding Vulnerabilities (just projects, no Powerpoint):
Proj 8: Nessus (15 pts.)
Proj 9: Nmap Scripts, Metasploit Scanner Modules, and Nikto (15 pts.)
Ch 7: Capturing Traffic (pptx)
Ch 8: Exploitation and Docker (not in textbook) (pptx)
Ch 9: Password Attacks (pptx)

Ch 10: Client-Side Exploitation
Ch 11: Social Engineering
Ch 12: Bypassing Antivirus Applications

Ch 13: Post Exploitation Part 1 (pptx)
Ch 13: Post Exploitation Part 2 (pptx)

Projects

Download VMware Player
Download metasploitable -- Size: 865,084,584 bytes; SHA-256: 2ae8788e95273eee87bd379a250d86ec52f286fa7fe84773a3a8f6524085a1ff
Download Win2008-124 -- Size: 2,180,234,212 bytes; SHA-256: dc496623ef74fe1dac1dfb3053acea312350f02d83189bd15d2b48d6eb49be22
Download Kali Linux 32 bit VM PAE

Proj 1: Basic Port Scanning with Python (15 pts.)
Proj 2: HTTP Requests with Python (15 pts.)
Proj 3: Setting Up VMs (15 pts.)
Proj 4: Metasploit v. Windows (15 pts.)
Proj 5: Enumerating Metasploitable (15 pts.)
Proj 6: Metasploit v. Linux (15 pts.)
Proj 7: Password Hashes with Python (15 pts.)
Proj 8: Nessus (15 pts.) (Updated 8-15-17)
Proj 9: Nmap Scripts, Metasploit Scanner Modules, and Nikto (15 pts.)
Proj 10: Hacking a PPTP VPN with Asleap (25 pts.)
Proj 11: Intro to Docker (15 pts.)
Proj 12: Exploiting PHP Vulnerabilities (15 pts.)
Proj 13: XOR Encryption in Python (10 pts.)
Proj 14: Attacking Internet Explorer and Migrating (10 pts.)
Proj 15: Stealing Passwords from RAM with Metasploit (10 pts.)
Proj 16: BeEF (15 pts.)

Extra Credit Projects

Proj 1x: Port Scanning Challenges (15 pts. extra credit)
Proj 2x: HTTP Login Challenges (35 pts. extra credit)
Proj 3x: CodeCademy Python Lessons (45 pts.)
Proj 4x: Wechall.net (points vary)
Proj 5x: Port Scanning with IPv6 and Python (45 pts. extra credit) (last rev. 9-12-15)
Proj 6x: CodeCademy Command Line Course (15 pts.)
Proj 7x: Password Hashing Challenges (40 pts. extra credit)

Proj 13x: XOR Encryption Challenges (40 pts. extra credit)

Proj 20x: Independent Project (pts. vary) -- Do something cool and show it to the class!

Proj 21x: PicoCTF (Up to 40 pts.)


Links

CEH Certification Resources

CEH Tips
CEH: Certified Ethical Hacker - Taking the Exam
CEH: Practice Exams
CEH: TechExams -- Certified Ethical Hacker (CEH) exam
EC-Council - Certified Ethical Hacker (312-50) Practice Exam - This is the one I used

Links for Chapter Lectures

Ch 4a: Metasploit Module Search Page
Ch 4b: How to get started with writing an exploit for Metasploit
Ch 4c: Msfconsole one-liner example
Ch 4d: Scanner HTTP Auxiliary Modules - Metasploit Unleashed
Ch 4e: Metasploit: The New Metasploit Browser Autopwn:...
Ch 4f: Simple Take Over of Windows Server 2008 via ms09-050

Ch 5a: DNS Request Types
Ch 5b: 10 Linux DIG Command Examples for DNS Lookup
Ch 5c: Open Resolver Project
Ch 5d: Public DNS Server List
Ch 5e: DNS AXFR scan data
Ch 5f: DNS Hacking (Beginner to Advanced) - InfoSec Resources
Ch 5g: Wildcard DNS record - Wikipedia
Ch 5h: Network tools for every sys admin
Ch 5i: The Strange History of Port 0

Ch 7a: HowToDecrypt802.11 - The Wireshark Wiki
Ch 7b: security - WEP/WPA/WPA2 and wifi sniffing - Server Fault

Ch 8a: An Improved Reflective DLL Injection Technique
Ch 8b: DLL injection - Wikipedia
Ch 8c: Windows DLL Injection Basics--Clear Explanation with Good Figures
Ch 8d: stephenfewer/ReflectiveDLLInjection -- Code from 2013
Ch 8e: Using Cadaver as a WebDAV Client
Ch 8f: WebDAV - Wikipedia
Ch 8g: helper: webdav xampp (<= 1.7.3) default credentials
Ch 8h: How To Install and Secure phpMyAdmin on Ubuntu 14.04
Ch 8i: Docker Internals - Google Slides
Ch 8j: Docker: Understand the architecture
Ch 8k: Docker vs Virtualization
Ch 8l: UnionFS - Wikipedia
Ch 8m: Docker Hub
Ch 8o: Docker Container Breakout Proof-of-Concept Exploit | Docker Blog
Ch 8p: The Docker exploit and the security of containers | Xen Project Blog
Ch 8q: Docker breakout: brute-forcing a 32-bit number!
Ch 8r: Docker security
Ch 8s: Docker Addresses More Security Issues and Outlines "Pluggable" Approach
Ch 8t: Dump Windows password hashes efficiently
Ch 8u: Recovering Windows 7 Registry Hives/Files
Ch 8v: How To Install Bkhive on Kali 2

Ch 9a: Yahoo Mail eliminates passwords as part of a major redesign (Oct., 2015)
Ch 9b: Teen says he hacked CIA director's AOL account (Oct., 2015)
Ch 9c: Packetstorm Wordlists for password cracking
Ch 9d: Openwall wordlists collection for password recovery, password cracking, and password strength checking
Ch 9e: Why passwords have never been weaker and crackers have never been stronger (2012)
Ch 9f: "thereisnofatebutwhatwemake": Turbo-charged cracking comes to long passwords (2013)
Ch 9g: Cracking 16 Character Strong passwords in less than an hour (2013)
Ch 9h: How the Bible and YouTube are fueling the next frontier of password cracking (2013)

Ch 10a: Adobe Reader Metasploit Modules
Ch 10b: CCSF Application Form (pdf)
Ch 10b: CCSF Application (pdf, can be poisoned with Metasploit)

Ch 11a: Update Social Engineering Toolkit on Kali Linux - YouTube

Ch 12a: Notepad Plus Plus Download
Ch 12b: VirusTotal - Free Online Virus, Malware and URL Scanner
Ch 12c: How to Evade AV Detection with Veil-Evasion

Ch 13a: Post-Mortem of a Metasploit Framework Bug
Ch 13b: Post Exploitation Using NetNTLM Downgrade Attacks
Ch 13c: Mount shadow volumes on disk images - ForensicsWiki
Ch 13d: Shell is coming ...: Metasploit: Getting outbound filtering rules by tracerouting
Ch 13e: 5 Step To Capture Windows User Login Using Metasploit Keylogger
Ch 13f: Windows Capture Winlogon Lockout Credential Keylogger | Rapid7
Ch 13g: Metasploit: Capturing Windows Logons with Smartlocker
Ch 13h: Windows 8.1 stops pass-the-hash attacks
Ch 13i: Pass-the-Hash is Dead: Long Live Pass-the-Hash
Ch 13j: Using claims-based access control for compliance and information governance (2011)
Ch 13k: Windows Internals - showing token structure
Ch 13l: Access token stealing
Ch 13m: Access Tokens (Windows)
Ch 13n: What's in a Token (Part 2): Impersonation - TechNet Blogs
Ch 13o: Fun with Incognito - Metasploit Unleashed

Miscellaneous Links

Learn Python the Hard Way
Fuzzing for SQL injection with Burp Suite Intruder - USE FOR PROJECTS
Pythonista on the App Store on iTunes -- INTERESTING FOR PROJECTS
Pythonista: Using pipista to install modules
How to Build a DNS Packet Sniffer with Scapy and Python
Bypassing Antivirus with Shellter 4.0 on Kali Linux -- GOOD 124 PROJECT
Online JavaScript beautifier -- deobfuscates code! -- IMPORTANT FOR MALWARE ANALYSIS
Android Security: Adding Tampering Detection to Your App

Old Links

New Unsorted Links

Ch 13p: Excellent explanation of NTLMv2
Ch 13q: NTLMv2 cracking speed estimates
Ch 13r: Fast Introduction to SOCKS Proxy - EtherealMind
Ch 15a: HowToDecrypt802.11 - The Wireshark Wiki
Ch 15b: WPA 4-way handshake - Wireshark Q&A
PwnWiki.io -- USEFUL RED TEAM TIPS
Hacking Secret Ciphers With Python (Free E-Book)
Introduction to Cryptography Video Lessons by Christof Paar - YouTube
Cryptography Textbook Slides
RSA is 100x slower than AES (figures 9-13)
How to Create a Bootable Ubuntu USB Drive, for Mac, in OS X
EDB (Evan's Debugger) Alternatives and Similar Software - AlternativeTo.net
How to install 32 bit software on a 64 bit Kali Linux system
How to Reverse Engineering with Radare2 -- INTERESTING FOR PROJECTS
OSCP study material : Georgia Weidman's book recommended
A book for those interested in PWK/OSCP -- Georgia Weidman's book recommended
Scapy Documents
Metasploitable 2 Exploitability Guide | Rapid7
Metasploitable 2 enumeration - Hacking Tutorials
Metasploitable 2 vulnerability assessment - Hacking Tutorials
Running Metasploitable2 on VirtualBox

Last Updated: 8-17-17 5 pm