Online Course in Ethical Hacking 7,5 hp

The purpose of this course is to develop students' understanding of and ability to use ethical hacking techniques to perform cyber-security audits of computer networks. The main activity of the course comprises the penetration of a rigged virtual corporate network environment.

Starts August 28, 2018.

Han utbildar företagare till hackare (DI)
Vithattar blir svarta på KTH​​​​​​​ (Voister)​​​​​​​
Kurser i etisk hackning ska öka it-säkerhet (Radio P1 Ekot)
Den goda hackern (Radio P1 Uppkopplad)
KTH öppnar sin utbildning i etisk hackning – företagen också välkomna (Computer Sweden)
Ny KTH-kurs ska lära företag att tänka som hackare (Ny Teknik)
Nu kan du plugga till hackare på KTH (Computer Sweden)
KTH utbildar i etisk hackning (Radio P3)
Swedish University Offers ‘Ethical Hacking' Courses for 'Greater IT Security' (Sputnik news)​​​​​​​
Шведский ВУЗ будет готовить хакеров (Kompravda)​​​​​​​

Contract teaching (Uppdragsutbildning)

August 28 - Nov 30, 2018
Expected workload: 15h/week.
Cost: 15 000 SEK.
7,5 credits are awarded in the LADOK system.
Student-controlled schedule. No physical meetings.

Note that contract teaching is only available through your employer, and your employer will be charged for the course.

Learning Objectives

Upon completion of this course the participants should be able to:

  • perform reconnaissance, identifying and selecting targets for attack, e.g. by means of network scanning,
  • identify vulnerabilities in network equipment and applications,
  • deploy and execute exploits on vulnerable systems,
  • install and use remote access trojans for remote system control,
  • identify password files and extract passwords,
  • exfiltrate data,
  • crack wifi networks,
  • implement solutions to strengthen the information security of computer networks.


As a prerequisite, participants are expected to have basic programming skills. Knowledge about operating systems (Windows, UNIX-based) and communication networks is a plus. 


A mock corporate network has been rigged in a virtual environment. On various places in this network, flags (jpeg images) are placed. The overall objective is to capture as many flags, as quickly as possible. There are around a dozen flags to be captured. To complete the attack, students are free to use their imagination and tools available on the Internet. In the provided reading material, participants are introduced to specific network and vulnerability scanning tools, platforms for development of exploits, for remote control of computers, for password cracking, and so on. Nonetheless, participants are eventually free to choose methods and tools of their own.

Starting Point

At the start of the course, students obtain VPN credentials to connect to a local area network.

Objective: Capture the Flags

The objective of the mission is to compromise the system as fully as possible. In order to prove that they were able to hack hosts, participants need to collect and submit flags. 


Kali Linux is suggested as a penetration testing platform. However, it remains the participants’ choice to decide which tools suit them best. 


As time progresses, students will receive hints that facilitate the exploitation of the network. For students who fail to solve a task independently within a reasonable time frame, teachers may hold webinars or offer screen casts.


The virtual network you will interact with is hosted by Google Cloud. The most important difference between this environment and a physical network, for the point of view of this course, is that OSI layer 2 is missing. Thus, ARP spoofing and other techniques based on Layer 2 won't work. As in the case of a real corporate network, things might change in the network independent of the hacker. Notably, systems may be restored to their unhacked state at any time. Therefore, it is important to be able to repeat your hacks; thus, record your methods after successful exploitation.

The Zen of Hacking

Some advice on how to approach the challenges you will face in this course: Hacking is not user-friendly. On the contrary, you will be walking not only unpaved roads, but roads with intentional roadblocks. Exploits typically do not work on the first attempt, and even when they work, they are often unstable. You may experience significant frustration when your hack fails to execute as intended, and more frustration when the cause turns out to be trivial, such as a typo. The process of trial, error, analysis and correction is, however, very often excellent grounds for learning. So take the opportunity to learn. When things don't work, learn about the underlying technology as well as the tools and methods that may help you better understand the problem. 

Short Essay on the Ethics of Hacking

The purpose of this assignment is to practice critical thinking regarding consequences and ethical aspects of hacking and cyber security. Essay topics examples includes the ethical ramifications of Stuxnet, the ethics of the exploit marketplace, the crypto wars, etc. 

Course Material

The course material consists of an optional course book, Rafay Baloch’s, Ethical Hacking and Penetration Testing Guide, as well as various reports, web sites, and videos. The course material is there to introduce the topic of Ethical Hacking and to help solving the course assignment. However, in this course we encourage you to take control over your own learning by searching for information also outside of the provided information. Read up on things you find appropriate for solving the assignment or otherwise find interesting. Think of the course material as a “knowledge landscape” in which you can wander around. Also, importantly, do not limit your wanderings to this landscape, the answers to some challenges posed in the course are found elsewhere on the Internet.


All material is in English, but teachers are also fluent in Swedish.

Reviews of earlier students

The PDF document below contains the results of the compulsory survey distributed to KTH students in 2017.

Course survey 2017 (pdf 230 kB)


Apply to the course here​​​​​​​

This course is available to employees of organizations, but, for regulatory reasons, contract teaching (uppdragsutbildning) is not available to private persons.


Professors Pontus Johnson and Mathias Ekstedt.


If you have any questions, please contact Pontus Johnson.

Top page top