Ethical Hacking

William Bailey

MIS 5211.701 ■ Fall 2021 ■ William Bailey
Wrapping Up – Course Review

December 2, 2021 by William Bailey 6 Comments

As the course semester is wrapping up, answer one or both of the following questions:

  1. What is the most significant concept you learned during the semester?
  2. How has your view of “hacking” changed during the semester?

Course Handouts

Filed Under: Week 14: Review of all topics

November 15th & 16th – SANS PenTest HackFest

November 12, 2021 by William Bailey

If you choose to attend SANS PenTest HackFest, let us know what you thought of the event. What were the key lessons you learned?

There’s an additional event in November that offers two days of content on Penetration Testing and Hacking.

Note that these additional event(s) are optional, not required for this course, but as you’ll find in InfoSec, you’ll continue to network with others in industry throughout your career.

SANS is hosting their “PenTest HackFest Summit”, either on-site in Bethesda, MD, or online. SANS offers additional training courses during the week, but the summit is FREE to attend.

Also note that if you hold other certifications, you can earn up to 12 CPEs, or 6 per day, for LIVE attendance. (You will have access to watch the sessions later, but won’t earn CPEs for on-demand viewing.)

Filed Under: Week 12: Wireless

November 12th & 13th – BSides Delaware

November 12, 2021 by William Bailey

If you choose to attend BSides, let us know what you thought of the event. What were the key lessons you learned?

BSides Delaware is happening this weekend. Security BSides refers to itself as “the first grass roots, DIY, open security conference in the world!”

Typically this event was held in Wilmington, DE, but due to Covid-19, the event is being hosted virtually, via Discord. Registration is either free, or you can choose to donate.

While this isn’t required for this course, if you’re looking into continuing with ethical hacking and penetration testing, this annual event is a great place to learn more and, via Discord this year, network with others in the field!

  • Main Site
  • Registration (required to obtain access to Discord, or if claiming CPE credit)
  • Schedule
  • Streams (watch online)
  • Wiki

Filed Under: Week 11: Cloud Computing & Virtualization

Week 10 – Web Application Hacking

November 3, 2021 by William Bailey 15 Comments

This week we turn our attention to tools that can be used to manipulate web-based applications.  There are subscription-based services to test your skills, but during this week we look at two in particular – Web Security Dojo and Security Shepherd.

How has your experience been with these tools this week?  Did you have any “a-ha!” moments?  What lessons have you learned?

Also refer to this week’s Handouts for details on SQL.

Filed Under: Week 10: Web Application Hacking

Week 9 – OWASP

October 25, 2021 by William Bailey 9 Comments

The Open Web Application Security Project (OWASP) periodically updates the Top 10 Web Application Security Risks. The Top 10 serves as a set of best practices for those who develop web-based applications and, as always, also provides insight into the possible entry points into vulnerable web-based applications.

One of the key protection methods is to implement a Web Application Firewall (WAF). For this week’s discussion, does implementing a WAF address the OWASP Top 10, or would implementing the OWASP Top 10 negate the need to add a WAF to a web-based application’s infrastructure? What are your thoughts, and why?

Presentation Handouts

Filed Under: Week 09: Web Application Security

Week 8 – Encoding vs Encryption

October 18, 2021 by William Bailey 8 Comments

This week’s topics include encoding and encryption.

Encoding / Decoding uses an algorithm, but no special “key”, per se. Once someone knows the algorithm (mathematical formula), they can decode the message.

Encryption / Decryption uses an algorithm, but adds a special “key”. A simple password, such as the one used on your wireless access point with WPA2, can make the encryption unbreakable because the outside party doesn’t know the password that is used as part of the WPA2 encryption. No password = no decryption (unless you social engineer to get the password).

This past week there was a case where a journalist was reviewing data from a publicly available website in Missouri and noticed that there was a lot of extra data. They used the “View Source” capability on the website, noticed a lot of data, ran that data through a decoder program, and then realized that the teachers’ SSNs were being sent to the website.

Link to Article

There are a few questions:

Is this “hacking”?

Who should be liable – the journalist, or the state?

Week 8 Handouts

Filed Under: Week 08: Malware

Week 6: Metasploit

October 4, 2021 by William Bailey 9 Comments

This week we discussed Metasploit Framework, and some of the vulnerabilities we demonstrated were from 2008. For this week’s discussion, relate to the class a “hack” that involved a vulnerability that had been “in the wild” for at least six months after the patch had been available.

Week Six Presentation (Handout)

Filed Under: Week 06: Metasploit

Week 05 – Open Source vs Commercial

October 4, 2021 by William Bailey 8 Comments

During this week, we talked about some additional scanning products used in Ethical Hacking. While many are open source, we also mentioned that there are some products that are commercial and require a paid license.

During your trial of Kali, so far, have you found any interesting tools that you want to spend more time with?

While not disclosing your employer’s name, are you aware of tools that your employer currently uses?

Week Five Slide Handouts

Filed Under: Week 05: System and User Enumeration

Week 03: Virtualization

October 4, 2021 by William Bailey 3 Comments

This Discussion Question thread has been created to discuss how we’re succeeding with virtualization.

  • What platform did you choose?  (Windows, Linux, Mac)
  • Which virtualization platform(s) did you use? (VMware, VirtualBox, Hyper-V, or your own server farm?)
  • What guest operating system(s) did you install so far?
  • What advantages or disadvantages do you see about these choices?
  • What was the most important “Aha” moment?
  • Did you encounter any challenges or other difficulties? (It’s ok to run into an issue, as long as one learns from it!)

Week Three Handout

Filed Under: Week 03: Reconnaissance

Week 04 – Scanning

October 4, 2021 by William Bailey 8 Comments

This week we talked about initial scans using NMAP and NESSUS.  We also talked about using TCPDUMP as a packet sniffer.  As you work through your virtual environment this week, choose one (or more) of the following questions:

  1. What issue(s) are you encountering with NMAP, NESSUS, or other scanning tools?
  2. Did you discover any “interesting” traffic with TCPDUMP?
  3. How does practicing with a vulnerable device, such as “Metasploitable”, help you learn more about vulnerability scanning and penetration testing?

Class Four:

Presentation Slides (Handouts)

Filed Under: Week 04: Vulnerability Scanning
