Computer networks have become an integral part of business and life. At the same time, these systems have become extremely complex, often hosting thousands of software applications, databases, operating systems, servers, processes, data, and more. Numerous vulnerabilities exist in these complex systems, waiting to be exploited by potential threat actors: determined attackers typically make their way gradually by exploiting several successive vulnerabilities, each time using the obtained information, privilege, or access to progress deeper into the network. Examples of worrisome past incidents include power grids being shut down, smart cars being taken over, and financial institutions being hit by server side and denial of service attacks. Thus, the ability to assess and improve the cyber-security of computer networks is becoming a priority in most organizations today.
Ethical hacking is an increasingly popular approach to cyber-security assessment. Ethical Hackers are referred to as white-hat hackers and as such, their process is similar to black hats: they analyse systems to find breaches, flaws or backdoors, and if their search is successful, they sometimes try to make their way into the systems’ back end (e.g., DBMSs) and exfiltrate sensitive data. But they differ in their intention and what they do with their findings. Black-hat hackers’ end-game is illegitimate: they steal data in order to make money (e.g., by selling the data, or by threatening owners to disclose the stolen data and asking for a ransom), but also for political reasons (hacktivists, state-sponsored hacker groups creating Advanced Persistent Threats). On the contrary, the ethical hackers’ motivation is to make systems and networks safer. They don’t attack networks without permission, they disclose vulnerabilities responsibly, and they don't compromise the confidentiality, integrity or availability of the attacked systems.
The purpose of this course is to develop students' understanding of and practical experience in ethical hacking techniques. For this purpose, students are invited to explore and attack a virtual computer network set up as a training environment. Additionally, students write and discuss short essays on the ethics of hacking.
Read more about the course's learning objectives in the course plan.
As a prerequisite, participants should have basic programming skills. Knowledge about operating systems (UNIX-based, Microsoft Windows) and communication networks is a definite plus.
The course material consists of a curated set of reports, web sites, and videos, as well as of the optional course book Rafay Baloch, Ethical hacking and penetration testing guide, CRC Press, 2014.
The course material is there to introduce the topic of Ethical Hacking and to help solving the course assignment. However, in this course we encourage you to take control over your own learning by searching for information also outside of the provided information. Read up on things you find appropriate for solving the assignment or otherwise find interesting. Think of the course material as a “knowledge landscape” in which you can wander around. Also, importantly, do not limit your wanderings to this landscape, the answers to some challenges posed in the course are found elsewhere on the Internet.
The course's main activities are listed below.
There are five lectures, of which four are guest lectures with cyber-security professionals from the industry, professionals who will share their most exciting hacking experiences and anecdotes with the course participants. You can find the planned seminars in the course calendar and under assignments.
The course includes a set of videos that introduce the course as a whole as well as the various subtopics of the course. Additionally, demo videos are offered for the exploits that constitute part of the course. These serve two purposes: (i) To provide some background to the employed exploits, and (ii) to assist students who were unable to perform the exploits solely based on verbal hints. Therefore, the exploit demos are typically released after all other hints relating to a certain exploit have been made available. Finally, a number of interviews with security experts are available in the video section.
A mock corporate network has been rigged in a virtual environment. On various places in this network, flags (information to extract) are placed. The overall objective is to capture all the flags. To assist students, hints are offered for each flag.
To complete the project assignment, students are free to use their imagination and any tools available on the Internet. In the provided material, participants are introduced to specific network and vulnerability scanning tools, exploit platforms, remote control utilities, password cracking tools, and so on. Nonetheless, participants are eventually free to choose methods and tools of their own.
At the start of the course, hackers (students) obtain VPN credentials to connect to the virtual company's office LAN, protected by a firewall. The objective of the mission is to compromise the system as fully as possible. In order to prove that they were able to hack hosts, participants need to collect flags, which take the form of hexadecimal strings. Collecting the flags proves that the participants have managed to hack a host.
To pass the course, all flags need to be collected. The virtual worlds are closed on the final day fo the course. If, at that point, flags remain to be captured, it might be possible to prolong the life of your world for a few additional days, but tardiness will affect your grades adversely.
While the choice of attack platform and tools remains the participants decision, Kali Linux is suggested as a penetration testing platform.
If you have a disability, you may receive support from Funka.
We recommend you inform the teacher regarding any need you may have. Funka does not automatically inform the teachers.