Teaching a Practical Ethical Hacking Course: Challenges and Solutions
Haytham El Miligi, Assistant Professor, Computing Science Dept.,
Thompson Rivers University
Ethical Hacking
Assessing the security of computer systems or networks using penetration testing techniques.
Authorization is granted by signing a written agreement that details the objectives, procedures, and expected impacts on target systems for each test.
What do Pen-Testers do?
A pen tester's evaluation of a system's security seeks answers to three basic questions:
1. What can an intruder see on the target systems?
2. What can an intruder do with that information?
3. Can anyone at the target notice the intruder's attempts or successes?
Pen-Testing Process Reconnaissance and Target Scanning
Image copyright © http://www.arkive.org/ (educational license under http://www.arkive.org/about/terms-of-use). Target article: http://www.forbes.com/; The Guardian article: www.theguardian.com
Researchers were able to accurately infer a Facebook user's race, IQ, sexuality, substance use, personality or political views using only a record of the subjects and items they had "liked" on Facebook, even if users had chosen not to reveal that information.
Pen-Testing Process
• Reconnaissance and Target Scanning
• Attack: Gaining Access
• Maintaining Access and Covering Tracks
Vulnerability Scanning vs Pen-Testing
Vulnerability Scan
• Looks for known vulnerabilities in your systems and reports potential exposures.
• Vulnerability scans are list-oriented.
• Focus: Breadth over depth.
• Vulnerability scans depend primarily on tools.
Pen-Testing
• Is designed to actually exploit weaknesses in the architecture of your systems.
• Penetration tests are goal-oriented.
• Focus: Depth over breadth.
• Penetration tests depend primarily on skills.
Ethical Hacking Topics
• Ethical Hacking Basics
• Footprinting
• Network and Port Scanning
• Enumeration and Vulnerability Analysis
• Hacking Through the Network
• Attacking a System (DoS attacks)
• Web-Based Hacking: Servers and Applications
• Trojans, Viruses and Other Attacks
• Penetration Testing
Labs?
Lab Objectives
Simulate Real-Life Environments
Set up Flexible Network Configurations
Protect TRU Network
Provide Rich Hands-on Experience
HeartBleed Hack - 2014
Source: http://www.cbc.ca/news/canada/cra-heartbleed-hack-stephen-solis-reyes-facing-more-charges-1.2859416
RCMP laid 16 new charges against Stephen Solis-Reyes involving alleged hacks against the CRA, as well as the computers of the University of Western Ontario, the London District Catholic School Board, and an offshore email service, JerseyMail, among others.
Looking for an Island!
Lab Setup
• Endian Firewall VM: NIC1 192.168.60.15, NIC2 192.168.50.90
• Sun
• Moon 192.168.60.10
• Mercury 192.168.60.20
• Jupiter 192.168.60.40
• Uranus 192.168.60.50
• Venus 192.168.60.80
Lab Setup
• Endian Firewall VM: NIC1 192.168.60.15, NIC2 192.168.50.90
• Sun
• Moon 192.168.60.10
• Mercury 192.168.60.20
• Jupiter 192.168.60.40
• Uranus 192.168.60.50
• Venus 192.168.50.80
Passcodes: Security Tokens
Know
Have
ARE
Image copyright © http://sciencestockphotos.com/ (Creative Commons Attribution 4.0 License)
Passcodes: Biometrics
Know
Have
ARE
Image copyright © http://sciencestockphotos.com/, https://www.pexels.com (Creative Commons Attribution 4.0 License)
Passcodes: Behavioral Biometrics
Keystroke dynamics refer to the unique patterns of rhythm and timing-based features that are created when a user types on a keyboard.
Keystroke dynamics
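The following is an added example, not part of the original slides: it turns raw key-down/key-up timestamps into the two classic keystroke-dynamics features (dwell time and flight time) and compares a fresh sample against an enrolled template with a simple distance threshold. All timestamps, the 40 ms threshold and the typed passphrase are constructed for illustration.

```python
"""Keystroke-dynamics features and a minimal template check (added example)."""
from statistics import mean

# Constructed samples: (key, press_ms, release_ms) for typing "secret".
# A real system would capture these from the authentication form's key events.
ENROLL_SAMPLE = [
    ("s", 0, 90), ("e", 150, 230), ("c", 310, 400),
    ("r", 470, 560), ("e", 640, 720), ("t", 800, 890),
]
# Same typist, slight jitter (constructed).
GENUINE_SAMPLE = [
    ("s", 0, 95), ("e", 160, 235), ("c", 320, 405),
    ("r", 480, 575), ("e", 650, 725), ("t", 810, 900),
]
# Someone who knows the passphrase but types it hunt-and-peck (constructed).
IMPOSTOR_SAMPLE = [
    ("s", 0, 200), ("e", 500, 700), ("c", 1000, 1200),
    ("r", 1500, 1700), ("e", 2000, 2200), ("t", 2500, 2700),
]


def extract_features(events):
    """Return (dwell, flight) timing lists in milliseconds.

    dwell[i]  = release - press of key i (how long the key is held)
    flight[i] = press of key i+1 - release of key i (gap between keys;
                negative when the typist overlaps keystrokes)
    """
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight


def template_distance(sample, template):
    """Mean absolute deviation of a sample's timing profile from the
    enrolled template over both feature types. Lower means more similar."""
    d1, f1 = extract_features(sample)
    d2, f2 = extract_features(template)
    if len(d1) != len(d2):
        raise ValueError("sample and template must cover the same key sequence")
    return mean(abs(a - b) for a, b in zip(d1 + f1, d2 + f2))


def verify(sample, template, threshold_ms=40.0):
    """Accept the sample only if its rhythm is within threshold of the template.
    The threshold is an assumed value; a deployment would tune it per user."""
    return template_distance(sample, template) <= threshold_ms
```

Behavioral biometrics of this kind are a second signal layered on top of the passcode, which is why the impostor sample is rejected even though the key sequence is correct.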