As the course semester is wrapping up, answer one or both of the following questions:
- What is the most significant concept you learned during the semester?
- How has your view of “hacking” changed during the semester?
Course Handouts
William Bailey
As the course semester is wrapping up, answer one or both of the following questions:
Course Handouts
If you choose to attend SANS PenTest HackFest, let us know what you thought of the event. What were the key lessons you learned?
There’s an additional event in November that offers two days of content on Penetration Testing and Hacking.
Note that these additional event(s) are optional, not required for this course, but as you’ll find in InfoSec, you’ll continue to network with others in industry throughout your career.
SANS is hosting their “PenTest HackFest Summit (Links to an external site.)“, either on-site in Bethesda, MD, or online. SANS offers additional training courses during the week, but the summit is FREE to attend.
Also note that if you hold other certifications, you can earn up to 12 CPEs, or 6 per day, for LIVE attendance. (You will have access to watch the sessions later, but won’t earn CPEs for on-demand viewing)
If you choose to attend BSides, let us know what you thought of the event. What were the key lessons you learned?
BSides Delaware is happening this weekend. Security BSides refers to themselves as “the first grass roots, DIY, open security conference in the world!”
Typically this event was held in Wilmington, De, but due to Covid-19, the event is being hosted virtually, via Discord. Registration is either Free, or you can choose to donate.
While this isn’t required for this course, if you’re looking into continuing with ethical hacking, penetration testing, this annual event is a great place to learn more, and via Discord this year, network with others in the field!
Main Site (Links to an external site.)
Registration (Links to an external site.) (Required to obtain access to Discord, or if claiming CPE credit)
Schedule (Links to an external site.)
Streams (Links to an external site.) (Watch Online)
This week we turn our attention to tools that can be used to manipulate web-based applications. There are subscription-based services to test your skills, but during this week we look at two in particular – Web Security Dojo and Security Shepherd.
How has your experience been with these tools this week? Did you have any “a-ha!” moments? What lessons have you learned?
Also refer to this week’s Handouts for details on SQL.
The Open Web Application Security Project (OWASP) periodically updates the TOP 10 Web Application Security Risks. The Top10 serves as a set of best practices for those who develop web-based applications, but as always, provides insight into the possible entry points into vulnerable web-based applications.
One of the key protection methods is to implement a Web Application Firewall (WAF). For this week’s discussion, does implementing a WAF address the OWASP Top 10, or would implementing the OWASP Top 10 negate the need to add a WAF to a web-based application’s infrastructure? What your thoughts, and why?
This week’s topics include encoding and encryption.
Encoding / Decoding uses an algorithm, but no special “key”, per se. Once someone knows the algorithm (mathematic formula), one can decode the message.
Encryption / Decryption uses an algorithm, but adds a special “key”. A simple password, such as used on your Wireless Access Point when using WPA2, can make the encryption unbreakable because the outside party doesn’t have knowledge of the password that is used as part of the WPA2 encryption. No password = No decryption. (unless you social engineer to get the password)
So, this past week there was a case where a journalist was reviewing data from a publicly-available web site in Missouri, but they noticed that there was a lot of extra data. They used the “View Source” capability of the website, and then noticing a lot of data, ran that data through a decoder program, and then realized that the teachers’ SSNs were being sent to the website.
There are a few questions:
Is this “hacking”?
Who should be liable – the journalist, or the state?
Week 8 Handouts
This week we discussed Metasploit Framework, and some of the vulnerabilities we demonstrated were from 2008. For this week’s discussion, relate to the class a “hack” that involved a vulnerability that had been “in the wild” for at least six months after the patch had been available.
Week Six Presentation (Handout)
During this week, we talked about some additional scanning products used in Ethical Hacking. While many are open source, we also mentioned that there are some products that are commercial, and require a paid license.
During your trial of Kali, so far, have you found any interesting tools that you want to spend more time with?
While not disclosing your employer’s name, are you aware of tools that your employer currently uses?
This Discussion Question thread has been created to discuss how we’re succeeding with virtualization.
Week Three Handout
This week we talked about initial scans using NMAP and NESSUS. We also talked about using TCPDUMP as a packet sniffer. As you work through your virtual environment this week, choose one (or more) of the following questions:
Class Four:
Presentation Slides (Handouts)