ECE4112 - Internetwork Security
Instructor
Dr. George F. Riley
Office: Klaus 3360
Office hours: Tue/Thu 3:00 - 5:00
Email: riley@ece.gatech.edu
Course Summary
The class is an intensive laboratory-based study of Internet Security,
with hands-on and in-depth working with the various tools and techniques
used by hackers to compromise computer systems or otherwise interfere
with normal operations. The purpose of the class is NOT to teach
you how to be a hacker, but rather to teach you the approaches used
by hackers so you can better defend against them.
Students work in groups of two to complete assigned labs. It is OK to
talk to others and help each other in the lab. Students will be graded
based upon their completion of assigned labs and the specific written
improvements and implementing those improvements they make to those
assigned labs/lectures. Completion of lab assignments will result in a
B for the lab assignments. Creating detailed additions, doing these
additions, documenting them, and presenting them in class
presentations opens up the possibility of a higher grade on the lab
assignments. You must prove that you actually did your suggested lab
additions/enhancements through screen shots and other output to be
turned in. In addition students are required to generate one entirely
new lab and accompanying class presentation material for possible use
in future course offerings of Internetwork Security. Specific format
and content are required and are specified in a separate document on
the class web site.
Class Laboratory
The laboratory is Klaus 2446, which requires buzz-card access. All
registered students should gain admittance by swiping your buzz card.
A schedule of Teaching Assistant hours is posted on the door. Many of the
labs require "TA Checkoff", so it is best to work on the labs with the
TA's are present. You are free however to work on the lab at any time.
Prerequisites
ECE3076 or CS3251 or ECE4110 and only CMPE ECE EE CS; some previous C Programming (or Java) experience, assembly language helpful but not mandatory. If
you are uncomfortable with C, you should get a lab partner who is familiar
with the language.
Textbook
Hacking Exposed, Fifth Edition, McGraw Hill, ISBN 0-07-226081-5
Grading
Labs : 60%
Eleven assigned labs (completion of each lab is worth
8 points; suggested additions/enhancements may
possibly be worth 2 additional points. The last 2 points are not
automatically awarded, the maximum points each lab
assignment is 10 points). In order to earn these extra
points you must also present to the class your enhancement
via power point slides and a brief oral explanation and
presentation of results (through screen shots and other output)
Final Project : 30%
New self-contained laboratory, student lab handout,
TA setup instructions, answer key, grading criterion,
and lecture presentation materials for a new lab
(See last semester web site for examples)
Participation : 10%
Class attendance and participation, attended special
Thursday on class Thursday Apr 23, and attended all Final presentations
during the final exam period.
Summary:
In order to get an A in the class, you must:
Substantially complete all 11 lab assignments
Create and present at least 5 extensions to lab assignments
Attend at least 9 of the 11 class periods
Create and present a final project, and earn a grade of A on the
final project.
Attend both of the last two class periods (Apr 21 and Apr 23),
where students
present their final project.
Attend class during the final exam period for final project
presentations
Handouts
All class handouts will be posted on the web page (here) in the
Syllabus section below.
Lab Rule
You will never take any programs from the lab on any writable
media/memory devices, nor will you ever connect any of the lab
machines to any production wired or wireless network machines or
laptop devices. This is to prevent the spread of any of our malicious
programs and techniques.
You are encouraged to bring code into the lab to experiment with.
Suggested References
http://www.en.hakin9.org/ This magazine Hacking may be purchased at some Barnes and Noble
Counter Hack Reloaded, Second Edition, Ed Skoudis, Prentice Hall, ISBN 0-13-148104-5
Hands-On Ethical Hacking and Network Defense, Michael Simpson, Thompson, 2006, ISBN 0-619-21708-1
The Unofficial Guide to Ethical Hacking, Second edition, Ankit Fadia, Thomson Course Technology, 2006. ISBN 1-59863-062-8 ($44.99)
Rootkits, Subverting the Windows Kermel, Greg Hoglund and James Butler, Addison Wesely, 2006 ISBN 0-321-20098-5 ($44.99)
Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley, 2005, ISBN 0-321-20098-5 ($54.99)
Anti-Hacker Toolkit, Third Edition, Mike Shema, Chris Davis, Aaron Phillip, and David Cohen, McGraw Hill Osborne, 2006, ISBN 0-07-226287-7 ($54.99)
WI-Foo: The Secrets of Wireless Hacking, Andrew A. Vladimirov, Konstantin V. Gavrilenko, Andrei A. Mikhailovsky, Addison Wesley, 2004 ISBN 0321202171, ($34.99)
Network Security A Hacker's Perspective, Second Edition Ankit FAdia, Thompson 2006, ISBN 1-59863-163-2 ($49.99)
Gray Hat Hacking : The Ethical Hacker's Handbook, Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, Michael Lester, McGraw-Hill Osborne, 2005, ISBN: 0072257091 ($49.99)
Malware, Fighting Malicious Code, Ed Skoudis, Printice Hall, 2004, 0-13-101405-6 ($44.99)
Computer Forensics Jump Start, Michael Solomon, Diane Barrett, Neil Broom, Sybex, 2005, 0-7821-4375-x, ($22.99)
Hacking Web Applications Exposed, Joel Scambray, and Mike Shema, McGraw Hill, ISBN 0-07-222438-X
Hack Attacks Revealed, A complete Reference with Custom Security Hacking Toolkit, John Chrillo, Wiley, ISBN 0-471-4`624-x
Honeypots, Tracking Hackers, Lance Spitzner, Addison Wesley, ISBN 0-321-10895-7
Syllabus
| Day |
Month |
Date |
Handout |
Description |
Due Date |
Reading |
| Tue | Jan | 6 |
EthicalHacking.ppt |
Ethical Hacking |
|
|
| Tue | Jan | 13 |
Lab1Overview.ppt |
Lab 1 Overview |
|
Hacking Exposed, chapters 1, 2, 3
|
| Tue | Jan | 13 |
Lab 1 assigned | Reconnaissance, Network Maping, Vulnerability Assessment |
Tue Jan 20 | Hacking Exposed, chapters 1, 2, 3 |
| |
|
LabAdditionsCover.pdf |
Laboratory Additions Cover Sheet |
|
|
| Tue | Jan | 20 |
|
|
|
|
| Tue | Jan | 20 |
Lab 2 assigned | Password Cracking, Network Sniffing, Man-in-the-Middle Attacks, and Virtual Private Networks |
Tue Jan 27 | Hacking Exposed, chapters 4, 5 |
| Tue | Jan | 27 |
|
|
|
|
| Tue | Jan | 27 |
Lab 3 assigned | Address Spoofing, Denial of Service, Email Spoofing, and VoIP |
Tue Feb 3 | |
| Tue | Feb | 3 |
|
|
|
|
| Tue | Feb | 3 |
Lab 4 assigned | Firewalls |
Tue Feb 10 | |
| Tue | Feb | 10 |
|
|
|
|
| Tue | Feb | 10 |
Lab 5 assigned | Rootkits, Backdoors, and Trojans (pdf format) |
Tue Feb 17 | |
| Tue | Feb | 17 |
|
|
|
|
| Tue | Feb | 17 |
Lab 6 assigned | Buffer Overflows |
Tue Feb 24 | |
| Tue | Feb | 24 |
|
|
|
|
| Tue | Feb | 24 |
Lab 7 assigned | Honeynets |
Tue Mar 3 | |
| Tue | Mar | 3 |
|
|
|
|
| Tue | Mar | 3 |
Lab 8 assigned | Worms and Viruses |
Tue Mar 10 | |
| Tue | Mar | 10 |
|
|
|
|
| Tue | Mar | 10 |
Lab 9 assigned | Web Page Security |
Tue Mar 24 | |
| Tue | Mar | 17 |
|
Spring Break! |
|
|
| Tue | Mar | 24 |
|
|
|
|
| Tue | Mar | 24 |
Lab 10 assigned | Botnets |
Tue Mar 31 | |
| Tue | Mar | 31 |
|
|
|
|
| Tue | Mar | 31 |
Lab 11 assigned | Tiger Team Evaluation |
Tue Apr 7 | |
| Tue | Apr | 7 |
|
|
|
|
| Tue | Apr | 14 |
|
|
|
|
| Tue | Apr | 21 |
|
Final project presentations |
|
|
| Thu | Apr | 23 |
|
Final project presentations |
|
|
| Mon | Apr | 27 |
Final exam period 11:30AM |
Final project presentations |
|
|
Lab Descriptions
Lab 1: OS Installation and Introduction to security tools
Installing RedHat Linux Enterprise Work Station 4.0
Installing VMware on your RedHat Enterprise 4.0 Host
Installing RedHat 7.2 and Windows XP virtual machines
Configuring the Windows XP virtual machine
Hardening a Redhat 4.0 Virtual Machine Installation
Windows XP Firewall Logging
Installation and usage of network security tools
NMAP
Nessus
Windows XP tools SuperScan 4
Appendix A: NAS problems
Appendix B: Writing NASL scripts
Appendix C: Search Engine Reconnaissance
Appendix D: Other Network Scanning Tools
Appendix E: Sharing files between Virtual Machines
Appendix F: Sam Spade Tool (Windows Appendix G: Bastille Linux and Cheops
Appendix H: General Linux Tips
Lab2: Password Cracking, Network Sniffing, Man-in-the-Middle attacks, and Virtual Private Networks (VPN)
Installing and Using L0phtCrack on the Windows System
Installing and Running John the Ripper on the Linux system
Use ethereal to watch a telnet session.
Use Ethereal to capture packets from SSH.
Use Ethereal to see how nmap maps out a network.
Use Ethereal to capture http passwords
Software Keyboard Logger
Hardware Key Loggers
Installing the Keylogger
Using the Keylogger
Local Windows Account Hijacking
USB Password Grabbing
Overview
Vulnerabilities Exploited
Making your USB grab passwords.
Starting the Virtual Machines (1 step)
Getting to Know ARP and ARP Tables (4 steps, 2 questions, 1 screenshot)
Using ARP (2 steps, 1 question)
Getting to Know Ettercap (2 steps, 1 question, 1 screenshot)
Using Ettercap Passively to Sniff a Connection (2 steps, 2questions, and 2 screenshots)
Using Ettercap Actively to Disrupt a Connection (2 steps)
Using Hunt to Hijack a connection
Intro to VPNs:
A simple secure shell VPN in Linux
Cisco VPN Concentrator
Appendix A: Installations
Appendix B: Hardening Passwords
Appendix C: VMware cloning
Appendix D: IPSec on Windows
Appendix E: IPSec on Linux
Appendix F: Fingerprinting VPN Server
Appendix G: Checking for SSH Version 1 using ScanSSH
Appendix H: Resetting root Password
Appendix I: Random Passphrases and Passwords
Appendix J: Windows Hijacker
Appendix K: Detecting Sniffers with AntiSniff
Appendix L: ARPWatch (Also used in Lab 3)
Appendix M: Rainbow Crack
Appendix N: Exploiting Autorun with a USB Drive
Appendix O: Using DSniff to Man-in-the-Middle (MITM) SSH v1 Connections
Appendix P: Password hardening based on keystroke dynamics
Appendix P: TrueCrypt
Appendix Q: Network Login Crackers
Lab 3: Address Spoofing, Denial of Service, Email Spoofing, and VoIP
MAC address spoofing
Windows XP MAC Cloning
Linux MAC Cloning
IP spoofing from Windows
IP spoofing from a Linux machine
UDP Spoofing
TCP Spoofing
DNS Spoofing and Denial of Service
Forging a DNS message
Monitoring for Spoofing Attacks
TCP Spoofing and Denial of Service
NMAP Spoofing and DOS Attacks
Preventing Spoof Scans and DOS Attacks
Denial of Service Attacks
TCP SYN attack
Teardrop attack
UDP flood attack
SYN Flood Defense with SYN Cookies
Email Spoofing
Sendmail Spoofing
Spoofing Emails through Remailers
VoIP Snooping
VoIP Security
VoIP Session Initiation Routine
Minisip
Configuring Minisip
Vomit
Appendix A: Further Hardening of Windows TCP/IP Stack
Appendix B: Additional Exercise on Protecting Windows Against Denial of Service
Appendix C: Additional Information on Email Spoofing
Appendix D: SIPSAK Session Initiation Protocol (SIP)Tool*
Appendix E: Investigating PayPal/Ebay/Bank Account Phishing
Appendix F: Sender Policy Framework
Appendix G: Cookie Spoofing
Lab 4: Firewalls
Linux Firewalls
Setting up routing and iptables
IPtables Introduction
Iptables modules:
Creating your own rules
Network Address Translation (NAT)
NAT in the kernel
Iptables and NAT
Port Forwarding
Masquerading
iptables.firewall Script Explanation
Forwarding
Defending against ICMP Ping Floods
SSH Bouncing through a Firewall Using Netcat
Reverse WWW Shell
Windows Firewalls
RealSecure Desktop Protector
Windows Built-in Firewall
Cisco PIX 515E
Network Address Translation
Configure Global Addresses, NAT, and Routing for Inside and Outside Interfaces
Configuring access to the DMZ zone from Outside
Access Control List
Appendix A iptables.firewall
Appendix B Troubleshooting installation.
Getting rid of ipchains:
Appendix C Reference Websites:
Appendix D Commands for maintaining and testing the PIX Firewall.
Appendix E Basic configuration commands of the PIX interface
Appendix F
Appendix G Linux Firewall exploit
Appendix H ZoneAlarm
Appendix I ProcessGuard
Appendix J Firewall Builder
Appendix K Firehole
Appendix L: Deep Packet Inspection
Appendix M: IPTABLES LOG ANALYSIS
Lab 5: Rootkits, Backdoors and Trojans
Lrk4
Knark
Rootkit Hunter: Not all rootkit detectors are equal
Hacker Defender
TRIPWIRE
Lrk4 Vs Tripwire
Knark Vs Tripwire
Detecting Rootkits on Windows
IceSword for Windows
sucKIT- A different approach to hijacking system calls
Backdoors and Trojans part of the lab:
Installing and Using Netcat
Using Netcat
Netcat File Transfer
Netcat Backdoors
Netcat Relays
Creating a relay
Other uses of Netcat
Icmp-backdoor
Installing and Using Virtual Network Connection (VNC)
Installing and Running VNC on the Linux Machine
Modifying IP tables:
Windows VNC Server
BO2K BackDoor
Using a Simple Backdoor Program in C
Backdoor Detection
Walkthrough Firewalls with Ack Tunneling
Port Knocking
Tricking Users into Opening Backdoors
Sony DRM XCP Rootkit
Playing with the Rootkit
Appendix A: Protecting Against RootKits
Appendix B: Win XP Safeguarding
Appendix C: Trojan Removal
Appendix D: Sub7
Appendix E: Busybox
Appendix F: Dynamic Library Manipulation
Appendix G: Dynamic Library Manipulation
Web Knocking
Appendix H: Using Explorer’s ActiveX to Propagate Trojans/Backdoors
Appendix I: Simple Connect Back Backdoor
Appendix J: The Thompson Hack
Appendix K: HP JetDirect Exploitation
Lab 6: Buffer Overflows
Experimentation with “Smashing the Stack for fun and profit” by Aleph One
The Stack Region
Buffer Overflows
Return Pointer Redirection
Creating a Shell
Writing an Exploit
A Real World Exploit
imapd
Common Vulnerabilities
Buffer Overrun:
Use buffer overflow to exploit user input vulnerabilities
Use buffer overflow to exploit network vulnerabilities
A Contemporary Vulnerability
Windows DCOM RPC service
Libsafe – A Stack Buffer Overflow Preventive Measure
Obtaining Administrator Privileges on Windows using a Buffer Overflow Attack
Watching a Buffer overflow in action
Automated Toolkits to Write Buffer Overflow Exploits
Metasploit Framework
Appendix A .oO Phrack 49 Oo.
APPENDIX B: Buffer Overflow
APPENDIX C: PaX – Hardening Stacks through Kernel
APPENDIX D: ITS4 – Static Source Code Analyzer
APPENDIX E: Security Forest
APPENDIX F: Windows SMB Buffer Overflow / Denial of Service Attack and Defense APPENDIX G: Winamp 5.12 (or earlier) buffer overflow exploit
Appendix H: Buffer Overflow Exploit Prevention
APPENDIX I: Splint – Secure Programming LINT
APPENDIX J: Using RFID Tags to Cause Buffer Overflows and SQL Injection Attacks
APPENDIX K: Securing programs in a chroot jail
APPENDIX K: Linux Live CD – Backtrack 2.0
Lab 7: Honeypots and Network Monitoring and Forensics
BackOfficerFriendlySpecter
Honeyd
Mantrap
Honeynets
The Homemade Honeypot using Netcat as a Port Sniffer
Set up and use Ethereal to capture packets
Set up and use Snort to capture packets
Scan of the Month Challenge
Using SNORT to act as an IDS (Intrusion Detection System)
Advanced uses of Ethereal
Introduction to AIDE (Advanced Intrusion Detection Environment)
Snare for Windows
Forensics Investigation the Penguin Sleuth Kit
Appendix A: Review of how to set up and run imapd exploit
Appendix B: NVP excerpt
Appendix C: Set up and use SnortALog to analyze Snort logs.
Appendix D: Digital evidence: Today's fingerprints
Appendix E: Basic Analysis of Windows Shellcode Through the Usage of the Malcode Analyst Pack
Appendix F: Web Browser Forensics
Lab 8: Viruses, Worms, and Wireless
Viruses and Worms
Worms
A real world worm, AnnaKournikova
Viruses
Worm Generator
Wireless
Encrypted Traffic
Use Nmap to determine router type.
Use ethereal to capture plain text passwords
MAC Control List Subversion
Using Aircrack to Break WEP
Decrypt Encrypted Traffic
Appendix A: vuln_service.c (ignore name remote.c in comments)
Appendix B: worm “source code”
Appendix C: AnnaKornikova code
Appendix D: Vsrc2.c
Appendix E: test_virus.c
Appendix F: LaBrea-A worm “tar-pit” and Symantec Worm Simulator
Appendix G: Polymorphic Viruses
Appendix H: Blaster Worm
Appendix I: Aireplay
Appendix J: War Nibbling
Lab 9: Web Security
Setting up Apache
Setting up PHP
Setting up MySQL
Cross-Site Scripting
SQL Injection on Linux Apache Web Server
Blind SQL Injection
Practical Web Exercise on Windows Server
SQL Injection
Information Leakage
Insufficient Process Validation and Authorization
Credential/Session Prediction
Server-Side Include (SSI) Injection
Weak Password Recovery Validation
Session Fixation
Insufficient Session Expiration
LDAP Injection
Appendix A JAVASCRIPT REFERENCE
Appendix B PHP REFERENCE
Appendix C SQL TUTORIAL
Appendix D source code
Appendix E SSL Phishing
Appendix F Internet Explorer JavaScript Window() Remote Code Execution
Lab 10: Botnets
Setting up the IRCd server
Setting up the Virtual Machines
SDBot
Installation and Configuration
Meet Your Bot
UDP Flood
Ping Flood
Fraudulent Pay-per-click Count
Bot Removal
q8Bot
HoneyNet Botnet Capture Analysis
Appendix A: What Is A Bot and What Is A Bot Not.
Appendix B: Know your Enemy:Tracking Botnets
Appendix C: Setting up Shared Folders in VMWare
Appendix D: onJoin plugin for XChat
Appendix E: IRCBotDetector
Appendix F: Host-Based, Run-time Win32 Bot Detection
Appendix F: XDCC Bots
Appendix G: DNSBL counter-intelligence – Revealing Botnets Passively
Lab 11: Tiger Team Network Evaluation
Contact Information:
riley@ece.gatech.edu
School of Electrical and Computer Computing
Georgia Institute of Technology
Atlanta, GA 30332-0250
Last Modified: Jan 15, 2008