Teaching a Practical Ethical Hacking Course: Challenges and Solutions Haytham El Miligi Assistant Professor, Computing Science Dept., Thompson Rivers University



Ethical Hacking

When art meets science

Assessing the security of computer systems or networks using penetration testing techniques.

Ethical Hacking

Penetration testing of computer systems or networks must be authorized by owners.

Ethical Hacking

Authorization is granted by signing a written agreement that details the objectives, procedures, and expected impacts on target systems for each test.

Ethical Hacking

Ethical Hacking

Pen Testing Authorized Agreement

What do Pen-Testers do?

A pen tester's evaluation of a system's security seeks answers to three basic questions:

1. What can an intruder see on the target systems?

2. What can an intruder do with that information?

3. Can anyone at the target notice the intruder's attempts or successes?

Pen-Testing Process: Reconnaissance and Target Scanning

Image copyright © http://www.arkive.org/ Educational license under http://www.arkive.org/about/terms-of-use. Target article: http://www.forbes.com/ The Guardian article: www.theguardian.com

Researchers were able to accurately infer a Facebook user's race, IQ, sexuality, substance use, personality or political views using only a record of the subjects and items they had "liked" on Facebook – even if users had chosen not to reveal that information.

Pen-Testing Process: Reconnaissance and Target Scanning

Attack

Gaining Access

Maintaining Access and Covering Tracks

Image copyright © http://www.arkive.org/ Educational license under http://www.arkive.org/about/terms-of-use

Vulnerability Scanning vs Pen-Testing

Vulnerability Scan

•  Looks for known vulnerabilities in your systems and reports potential exposures.

•  Vulnerability scans are list-oriented.

•  Focus: Breadth over depth.

•  Vulnerability scans depend primarily on tools.

Pen-Testing

•  Is designed to actually exploit weaknesses in the architecture of your systems.

•  Penetration tests are goal-oriented.

•  Focus: Depth over breadth.

•  Penetration tests depend primarily on skills.

Teaching COMP 4980: Ethical Hacking

Challenges and Solutions

COMP 4980: Ethical Hacking

Ethical Hacking Topics

•  Ethical Hacking Basics

•  Footprinting

•  Network and Port Scanning

•  Enumeration and Vulnerability Analysis

•  Hacking Through the Network

•  Attacking a System (DoS attacks)

•  Web-Based Hacking: Servers and Applications

•  Trojans, Viruses and Other Attacks

•  Penetration Testing

Labs?

Source: https://search.creativecommons.org/ -> https://www.google.ca/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwjN99iTgIfMAhUJKWMKHb3CAV4QjhwIBQ&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D-QsN-57bx8E&bvm=bv.119028448,d.cGc&psig=AFQjCNH13Ll_7pjOkmlkVeOZ1AsGzj3wQ&ust=1460478376277921 Labeled for reuse with modification - Creative Commons Attribution 4.0 License. Original Windows logo belongs to Microsoft Windows and Linux logo by Larry Ewing.

Lab Objectives

Simulate Real-Life Environments

Setup Flexible Network Configurations

Protect TRU Network

Provide Rich Hands-on Experience

Students need to try!

Why?

HeartBleed Hack - 2014

Heartbleed Bug

HeartBleed Hack - 2014

Source: http://www.cbc.ca/news/canada/cra-heartbleed-hack-stephen-solis-reyes-facing-more-charges-1.2859416

RCMP laid 16 new charges against Stephen Solis-Reyes involving alleged hacks against the CRA, as well as the computers of the University of Western Ontario, the London District Catholic School Board, and an offshore email service, JerseyMail, among others.

Looking for an Island!

Source: https://search.creativecommons.org/ -> https://www.google.ca/search?site=imghp&tbm=isch&q=island&tbs=sur:fmc&gws_rd=cr&ei=1dQLV4PRBcSgjwORtLuIBg#gws_rd=cr&imgrc=HgLn7nW-BlOLAM%3A Labeled for reuse with modification - Creative Commons Attribution 4.0 License.

Lab Setup

Mercury: 192.168.60.20
NIC2: 192.168.50.90
Endian Firewall VM
Jupiter: 192.168.60.40
Sun
Uranus: 192.168.60.50
Moon: 192.168.60.10
NIC1: 192.168.60.15
Venus: 192.168.60.80

Lab Setup

Mercury: 192.168.60.20
NIC2: 192.168.50.90
Endian Firewall VM
Jupiter: 192.168.60.40
Sun
Uranus: 192.168.60.50
Moon: 192.168.60.10
NIC1: 192.168.60.15
Venus: 192.168.50.80

The Future of Pen-Testing

The end of password era

Passwords → Passcodes

Passcodes

Know

Have

ARE

Passcodes - Passwords

Know

Have

ARE

Passcodes: Security Tokens

Know

Have

ARE

Image copyright © http://sciencestockphotos.com/ Creative Commons Attribution 4.0 License

Passcodes: Biometrics

Know

Have

ARE

Image copyright © http://sciencestockphotos.com/, https://www.pexels.com Creative Commons Attribution 4.0 License

Passcodes: Biometrics

Biometrics

Behavioral Physical

Passcodes: Biometrics

Biometrics

Behavioral Physical

Passcodes: Keystroke dynamics

Image copyright © https://www.pexels.com Creative Commons Attribution 4.0 License

Passcodes: Behavioral Biometrics

Keystroke dynamics refer to the unique patterns of rhythm and timing-based features that are created when a user types on a keyboard.

Keystroke dynamics
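The slides define keystroke dynamics but do not show what "rhythm and timing-based features" look like in practice. The following is an added example, not code from the slide deck or from the COMP 4980 course: it turns raw key-down/key-up timestamps into the two classic features (dwell time per key, flight time between keys), enrolls a per-user template from several typing samples, and verifies a new attempt with a scaled-Manhattan distance. All key-event timestamps, the passphrase, the 5 ms standard-deviation floor and the acceptance threshold are constructed values chosen for this demo, not measured data.

```python
"""Keystroke-dynamics verifier: dwell/flight features plus a per-user template.

Added example, not code from the slide deck or the course. All key-event
timestamps below are constructed sample data, not real captures. The
feature set (dwell time per key, flight time between consecutive keys)
and the scaled-Manhattan distance are common textbook choices; the
threshold and the 5 ms std floor are assumptions picked for this demo.
"""
from statistics import mean, pstdev

# A typing sample is a list of (key, key_down_ms, key_up_ms) tuples,
# in the order the keys were pressed.


def extract_features(sample):
    """Return [dwell_1..dwell_n, flight_1..flight_{n-1}] in milliseconds.

    dwell  = how long a key is held (key-up minus key-down)
    flight = gap between releasing one key and pressing the next;
             negative when the typist overlaps keystrokes, which is
             itself a useful rhythm feature
    """
    dwells = [up - down for _key, down, up in sample]
    flights = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwells + flights


def enroll(samples, std_floor=5.0):
    """Build a template (per-feature mean, per-feature std) from enrollment samples.

    The floor on the std stops a feature that happened to be identical in
    every enrollment sample from rejecting the genuine user over 1 ms of jitter.
    """
    vectors = [extract_features(s) for s in samples]
    n = len(vectors[0])
    means = [mean(v[i] for v in vectors) for i in range(n)]
    stds = [max(pstdev([v[i] for v in vectors]), std_floor) for i in range(n)]
    return means, stds


def scaled_manhattan(features, means, stds):
    """Mean over features of |x - mean| / std; 0.0 means identical to the template."""
    return sum(abs(f - m) / s for f, m, s in zip(features, means, stds)) / len(features)


def verify(sample, template, threshold=1.5):
    """Return (accepted, score). Lower score = closer to the enrolled rhythm."""
    means, stds = template
    score = scaled_manhattan(extract_features(sample), means, stds)
    return score <= threshold, score


def make_sample(keys, dwells, flights):
    """Constructed-data helper: turn dwell/flight lists into key-event timestamps."""
    sample, t = [], 0.0
    for i, key in enumerate(keys):
        down, up = t, t + dwells[i]
        sample.append((key, down, up))
        if i < len(flights):
            t = up + flights[i]
    return sample


KEYS = list("tru2016")  # constructed passphrase: 7 keys -> 7 dwells + 6 flights

# Four enrollment samples of one (constructed) user: steady ~90 ms holds, ~120 ms gaps.
ENROLL_SAMPLES = [
    make_sample(KEYS, [90, 95, 88, 92, 85, 90, 93], [120, 130, 115, 125, 118, 122]),
    make_sample(KEYS, [94, 90, 92, 88, 90, 94, 89], [125, 122, 120, 130, 115, 119]),
    make_sample(KEYS, [88, 93, 90, 95, 87, 91, 90], [118, 128, 122, 120, 125, 124]),
    make_sample(KEYS, [92, 91, 86, 90, 92, 88, 95], [122, 125, 118, 128, 120, 121]),
]
TEMPLATE = enroll(ENROLL_SAMPLES)

# Same passphrase typed by the same user (small jitter) and by someone who knows
# the passphrase but types it with a much slower, different rhythm (constructed).
GENUINE_ATTEMPT = make_sample(KEYS, [91, 92, 89, 93, 88, 90, 92], [121, 126, 119, 124, 119, 123])
IMPOSTOR_ATTEMPT = make_sample(KEYS, [140, 150, 135, 160, 145, 155, 142], [260, 300, 280, 310, 270, 290])

if __name__ == "__main__":
    for label, attempt in (("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        ok, score = verify(attempt, TEMPLATE)
        print(f"{label}: score={score:.2f} accepted={ok}")
```

The point the example makes for the "Know / Have / Are" slides is that the second attempt fails even though the typist knows the passphrase: the rhythm is the "are" factor layered on top of the "know" factor. The threshold is the usual trade-off knob: lowering it rejects more genuine users who are tired or on a different keyboard, raising it lets more impostors through, so a real deployment tunes it against measured false-accept and false-reject rates rather than the fixed 1.5 assumed here.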

Passcodes: Behavioral Biometrics

Passcodes: Behavioral Biometrics

Passcodes: Behavioral Biometrics

Thank You!