| CODE | LAS3013 | ||||||
| TITLE | Network Penetration Testing | ||||||
| UM LEVEL | H - Higher Level | ||||||
| MQF LEVEL | 6 | ||||||
| ECTS CREDITS | 4 | ||||||
| DEPARTMENT | Centre for the Liberal Arts and Sciences | ||||||
| DESCRIPTION | This Unit provides the foundations to understand how IT systems can be attacked and breached by circumventing security controls or exploiting vulnerabilities in the system. The goal of this Unit is to enable students to conduct a professional penetration test in a legal and ethical manner, as well as to gain knowledge on how to design secure systems and defend against intrusions. A hands-on approach will be followed throughout the Unit. Students will first be familiarised with Kali Linux and other essential tools. Subsequently, planning, scoping and reconnaissance is considered, covering various types of penetration tests, methodologies, setting the rules of engagement and reconnaissance methods (search engines, Whois registrars, DNS lookups, Google). This is followed by an overview of network scanning, packet sniffing, operating system and service fingerprinting, and vulnerability scanning using various tools. Next, exploitation methods are studied, covering exploit and payload types, Metasploit, customizing public exploits, exploit transfer methods, gaining shell access and escalating privileges. Password attacks involving cracking password hashes are described, and web application attacks (vulnerability scans, SQL injection, cross-site scripting, cross-site request forgeries and command injection) are investigated in some detail. Finally, the circumvention of anti-virus software by encoding payloads and packers/crypters is highlighted. Students are expected to use their own laptops having a pre-installed instance of Kali Linux running as Virtual Machine. Apart from Kali, the laptop hardware is required to be able to run one other provided Virtual machine instance requiring low resources. Learning Outcomes: 1. Knowledge & Understanding: By the end of the Unit the student will be able to: - Understanding the common approaches and methodologies used for carrying out a penetration together with considerations of the ethical and legal aspects; - Muster knowledge on how common network and application protocols operate; - Understand vulnerabilities in existing protocols, systems and applications; - Understand common forms of attack; - Acquire knowledge on the different tools available to use during a penetration test; - Gather practical experience of how vulnerabilities can be exploited in order to gain access or circumvent a system. 2. Skills: By the end of the Unit the student will be able to: - Establish the right mindset to prepare for and conduct a penetration test; - Enumerate a target environment and map the attack surface; - Correlate information and identify potential entry points; - Use several tools to enumerate, identify and exploit vulnerabilities on target systems; - Conduct a penetration test on a target system; - Produce a professional penetration test report for a client. Main Text/s and any supplementary readings: - Windows and Linux command line crash course http://cli.learncodethehardway.org/book/ - Basics of programming in Python http://learnpythonthehardway.org/book/ - Professional Penetration Testing, 2nd Edition, Syngress 2013 T. Wilhelm. - Hacking Exposed 7: Network Security Secrets and Solutions, McGraw Hill, 2012 S. McClure et al. - Violent Python: A Cookbook for Hackers, forensic analysts, Penetration Testers and Security Engineers, Syngress 2012 T.J. O’Connor. - The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws. John Wiley & Sons, 2011. 2nd edition. D. Stuttard, M. Pinto. |
||||||
| ADDITIONAL NOTES | Pre-Requisite Knowledge, Skills and Competences: - Strong understanding of TCP/IP and client-server applications; - Basic scripting knowledge in Bash, Python or Perl; - Familiarity with Linux and Windows shell commands. |
||||||
| STUDY-UNIT TYPE | Lecture and Practical | ||||||
| METHOD OF ASSESSMENT |
|
||||||
| LECTURER/S | Christian Bajada |
||||||
|
The University makes every effort to ensure that the published Courses Plans, Programmes of Study and Study-Unit information are complete and up-to-date at the time of publication. The University reserves the right to make changes in case errors are detected after publication.
The availability of optional units may be subject to timetabling constraints. Units not attracting a sufficient number of registrations may be withdrawn without notice. It should be noted that all the information in the description above applies to study-units available during the academic year 2023/4. It may be subject to change in subsequent years. |
|||||||