Hacker's Hut (TU/e and telelecturing at the UT and RU)
Who gives this course:
- Sandro Etalle (responsible)
- Wouter Bokslag & Jos Wetzels (lab wizards)
- Joep Peeters & Ties de Kock (student assistants in Twente)
Semester 1. Course code: 2IF17
on Thursday, hours 5 and 6 (13.45 -- 15.30)
Place: Lectures are given at the TU/e and may be
followed via telelecturing from the UT (Twente) and from the RU
- At the TU/e: Auditorium 15 (Auditorium 14 for the lectures starting from November 13)
- At the UT and at the RU: check your local telelecturing (at the UT it should be Spiegel 7 for the first block and Carré 3F for the second block, but check before you go).
Bureaucracy: IST students have to be enrolled at the TU/e, and enroll using OASE (oase.tue.nl). The Twente EIT ICT Master students do not have to be enrolled in Eindhoven, and can enroll in Osiris (https://osiris.utwente.nl/) using the course code 201100140.
- Slides (which are being updated during the course) and other course material can be accessed
directly at our svn repository here.
- Additional material on writing a Metasploit can be accessed
directly at our svn repository here.
- The buffer overflow challenges
- The forum, which can be
used to exchange ideas and hints (but please do not post the
solutions to the challenges). To access the forum you need to use
your TU/e username and password. Regrettably, students who
are not enrolled at the TU/e have no access to it.
Program (this is subject to change)
- 4 September. (Sandro) The trouble with web applications.
- 11 September. Madison Gurkha invited
lecture. Walter Belgers, on Social Engineering.
- 18 September. (Sandro) Sandro Etalle: SQL injections, code
injections, path traversal.
- 25 September. (lab): introduction to the Hacker's Hut lab. Exercises on SQL injections etc.
- 2 October. Sandro: Cross-Site Scripting (XSS).
- 9 October (lab) Lab: wrapping up the web-based challenges.
- 16 October. Sandro: Stack and Buffer Overflow explained
- 23 October. No lecture
- 13 November: (Bart de Wijs -- ABB) Security of Industrial Control Systems.
- 20 November, (lab): Sandro + Jos + Wouter: Stack & Buffer
overflows, Metasploit, Metasploit challenges. Exercises on Metasploit (buffer overflow and format string vulnerability).
- 27 November: Sandro: Defense. Erwin Kooi (Alliander): Incident Response.
- 4 December: Some handy tools: WebScarab, Live HTTP Headers, Tamperdata, WebGoat.
Hacking in real. Examples of real, interesting hacks.
- 11 December: Student presentation: students explain the external CTF exercises they have done.
- 18 December: Hints Lecture. In this lecture we go
through the challenges presented so far and we give hints on
how they can be solved. Useful for those who have not solved
all the challenges, but perhaps also for those who have
already solved them all. If time allows: lecture explaining a few recent hacks.
- 8 January (closure) KPMG invited lecture. Hacking large
Windows networks. During this guest lecture ethical hackers from KPMG
will demonstrate how to hack complex computer networks of
large corporations. The topics from the previous lectures
(buffer overflows, password cracking etc.) will be used as
basic building blocks for describing successful high-profile
hacks on Fortune 500 companies. Keywords: Security Accounts
Manager, NTLM authentication, Active Directory, SMB protocol,
Pass-the-Hash, SEH overwrites, Heap spraying
- 15 January - no lecture (may be used to recuperate).
Grading will be done via the assignments that will be given during the course;
it counts both how many exercises you solve and when (the earlier,
the better). The deadline for submitting the solutions to the
challenges is January 19, 2014. The format string and the command injection challenges are not considered in the grading (they are there only for "fun").
How the course is graded requires a bit of explanation.
Hacker's Hut Grading Explained
The grading of the HH course is done with specific exercises. We have two groups of them:
a) the challenges
b) the optional additional tasks
The Challenges
The challenges count for 90% of the final grade. Challenges are thoroughly explained during the lectures. Students are expected to complete at least some of them at seclab?.win.tue.nl:8080.
We do NOT expect students to be able to solve all the challenges. Many of the challenges are very difficult; in particular, the Format String Challenges are completely facultative and not counted in the final grade.
When grading the challenges, we take into consideration when a challenge is solved: solving a challenge in the days after it has been made available counts for the full score. Solving a challenge just before the final deadline counts much less. The earlier you solve the challenge, the higher the score. If you solve a challenge within 1 or 2 weeks from the moment it was opened, then you get the full points. Afterwards, you get a lower score. I do not have a precise algorithm for that, but it decreases linearly. Finishing them before the end of the year will likely give you at least 60 percent of the grade (per challenge). Finishing them in January will cost you more or less 50 percent of the score.
The Additional Tasks
Additional tasks are facultative, and their availability is limited, so they are reserved for the best students (you will not be able to get a 10 for the course unless you carry out an additional task as well).
Look at the slides for the available additional tasks (we have two of them).
Availability for the additional tasks is limited (we cannot have all students giving a presentation), and if there are more requests than places available, I'll have to make a choice based on an intermediate evaluation done on October 16 (this intermediate evaluation is going to be based on the score you have realized on the web application challenges you have solved by October 16).