Instructor Information

Michael Smeltzer

Work Phone: 240-228-4004

Course Information

Course Description

This course exposes students to the world of computer hacking. The primary goal is to give students an understanding of how vulnerable systems can be attacked as a means to motivate how they might be better defended. The class takes a systems engineering view of hacking and emphasizes practical exposure via hands-on assignments. Students are expected to use a computer that will remain off all networks while they complete assignments.

Prerequisites

695.601 Foundations of Information Assurance and one of 635.611 Principles of Network Engineering or 605.671 Principles of Data Communications Networks.

Course Goal

The overall goal of this introductory-level hacking class is to understand penetration testing and determine how to better defend systems by learning to identify and exploit system weaknesses.

Course Objectives

  • Learn about how system vulnerabilities manifest themselves and why hackers continue to enjoy success breaking into systems, despite increasing attention paid to cyber defense.
  • Gain experience with a systematic hacking methodology.
  • Learn about and experiment with hacking tools that can be applied at different stages of the hacking process.
  • Hands-on experience with
    • Social Engineering
    • Reconnaissance
    • Scanning tools
    • Simple IP firewalls, routers and LAN segments
    • Metasploit, and exploitation framework
    • Web exploitation
    • WiFi exploitation
    • Mobile device exploitation
    • Constructing a root kit
    • Executing shell code via stack overflows
    • Return Oriented Programming

When This Course is Typically Offered

This course is scheduled to be offered face to face in the fall.

Syllabus

  • A brief history of hacking
  • Nature of modern IT and its vulnerabilities
  • Hacking methodologies
  • Reconnaissance
  • Social Engineering
  • Scanning
  • Network Exploitation
  • Web Exploitation
  • Maintaining access and roadblocks
  • WiFi Exploitation
  • Secuirty of OSs and rootkits
  • Attacking mobile devices
  • Smashing the stack and ROP
  • Developing a pentesting report

Student Assessment Criteria

Homework/Lab assignments 60%
Hacking Lab Penetration Testing Report 30%
Participation 10%

CAUTION #1: 

This course includes exercises and assignments that require the use of hacking tools and an understanding of cryptography and  weaknesses in protcols.  You will be required to complete all assignments and labs. No exceptions will be made.  If your employer imposes any constraints on your participation, your ability to complete homework assignments or contribute in a productive manner to this class,  you should not enroll in this course.

CAUTION #2:
The social engineering module requires you to allow another student to gather open source information on you in order to craft a spear phishing email.  If you or your employer objects to open source data collection, you should not enroll in this course.

There is an emphasis on hands-on homework.  Some of the labs are hard and complex, so they may involve more work than other introductory classes you have taken.  Please plan accordingly.

Grading:
A:  92-100
A-: 90-91
B+: 88-89
B:  82-87
B-: 80-81
C:  70-79
D:  60-69
F:  0 - 59

Please review the Whiting School miscondudct policy
http://engineering.jhu.edu/include/content/pdf-word/misconduct-policy.pdf

Computer and Technical Requirements

While no programs will be written in this course, programming skills are required to successfully complete the assignments. Fundamentals of x86 assembly, and the use of a debugger and assembler on a Linux VM will be briefly covered in class but the ability to use both will be required for some of the assignments.  You will required to read, understand, and compile instructor suppliled C code.

You must set up a virtual hacking environment, so you will need enough disk space and the ability to install the virtural machine manager of your choice and several VMs. You will need to allocate about 95GB, but the disks are dynamic, so you will use less than that,  but the actual requirement will depend on  your environment. You will want extra disk space for VM snapshots and backups.  The instructor uses VirtualBox,  but many students have used VMWare Player as well and are happier with that.  At a minimum the VMs you will need to install in the VMM include Kali Linux, Metasploitable2, Ubuntu, Windows 10, and CentOS to serve as a firewall and router. If you choose to do the rootkit homework, you will need to install another Linux VM.  You need this VM so you can rebuild the kernel and not worry about damaging your EH environment.  If you have a license for Windows XP, you may want to install that as well, because unpatched SP2  makes an excellent target for experimenting with some of the tools.

Assignments involve the use of hacking tools and the associated work must be conducted on a system that remains off of all networks until the assignment is complete.  The use of virtual machine technology aids in this process by allowing attacks to be launched agains other VMs on the same host.

Participation Expectations

Since there is no final, attendance and participation are required and tracked.  This will contribute 10 percent of your grade

The homework assignments assume the student has good computer and programming skills in accordance with the admission requirements for the CS, CyS, and ISE programs.

There will be no projejct for this course, but the penetration testing report is roughly the same amount of work as a project.

Well written lab reports must incorporate annotated screen shots showing the use of tools in completing labs.  All assignments will be submitted via Blackboard. 

There will be weekly homework and reading assignments. All assignments should be done independently, so you may not share any your content, data, or intermediate results with others.

A penetration testing report will be written for a small network with a vulnerable web server and database.  The report will include a compilation of much of the material collected in completing homework assignements.  That means this report could be thought of as a term project.  However, it will also include material such as risk and threat assessments that go beyond the hands on technical assessments.  You will create an  executive summary for corporate decision makers and a technical report for network engineers and system security engineers.

There will not be a final exam.


Textbooks

Textbook information for this course is available online through the MBS Direct Virtual Bookstore.

Course Notes

There are no notes for this course.

Final Words from the Instructor

The textbook is "The Basics of Hacking and Penetration Testing", Second Edition by Patrick Engebretson. Make sure you buy the second edition which has been updated to cover Kali Linux.The lecture material goes far beyond the content of this book, especially in the second half of the course, so suplemental reading material will be used.

The WiFi homework is not one of the required assignments, but if you opt to do it, you may need to purchase an 8 GB USB drive (~$5) and/or a USB WiFi adaptor (~$20).

If you shoose to do the mobile device homework you may find the following text valuable.  It is not a required text,  but written by the author of the Smartphone Pentest Framework. "Penetration Testing - A Hands-On Introduction to Hacking" by Georgia Weidman.

Term Specific Course Website

http://blackboard.jhu.edu

(Last Modified: 07/10/2018 12:30:31 PM)