Syllabus

advertisement
Ethical Hacking for Administrators
Syllabus
IT 430 Section 002
Instructor:
Stan J. Senesy (senesy@njit.edu)
Office:
NJIT Newark, GITC rm. 3803. (973)596-5288.
Office hours:
10 – 11:30am, 1 – 3pm
Website:
http://it.njit.edu/senesy
Text:
Whitaker & Newman, Penetration Testing and Network Defense, Cisco Press,
Indianapolis, IN. 2006
ISBN: 1-58705-208-3
Schedule:
Monday 10 – 11:25am TIER 113
Friday 10 – 11:25am GITC 1204
Course Description
This course will explore the various means that an intruder has available to gain access to computer
resources. We will investigate weaknesses by discussing the theoretical background behind, and whenever
possible, actually performing the attack. We will then discuss methods to prevent/reduce the vulnerability.
What is ethical hacking? The threat to systems is one that is continuously changing and evolving. It is not
sufficient that a System Administrator harden a system based upon the threats that are currently known.
Typically, one must think out of the box with the mentality that in order to catch a thief, you need to think
like a thief. The goal of the ethical hacker is to help the organization take preemptive measures against
malicious attacks by attacking the system himself; all the while staying within legal limits.
Vulnerability testing and security audits will not ensure the security proofing of an organization because
they test only exploits which are currently known. To ensure that systems are adequately protected,
administrators must probe networks and assess the security posture for vulnerabilities and exposure.
The quote the certification guide, an Ethical Hacker is an individual who is usually employed with the
organization and who can be trusted to undertake an attempt to penetrate networks and/or computer
systems using the same methods as a Hacker. Hacking is a felony in the United States and most other
countries. When it is done by request and under a contract between an Ethical Hacker and an organization,
it is legal. The most important point is that an Ethical Hacker has authorization to probe or attack the target.
Prerequisites
IT 420 or equivalent
Grading:
Presentations
Quizzes
Midterm
Project
Final Exam
5%
15%
25%
20%
35%
Grades will be computed on a straight scale out of 100 possible points: 90-100=A, 87-89=B+, 80-86=B,
etc.
Presentations
Once each week (approx. every 2 class periods) each student will give a short presentation on an article
they found on the Web or in print that relates to the subject matter covered in the course.
Lectures
Lectures will be held from 10:00 – 11:25 am in TIER 113 on Mondays and GITC, room 1204 on Fridays. I
tend to use PowerPoint slides for the main points in my presentations, augmented with board-work when
necessary. You can find a copy of the slides that I’ll use on the course WebCT board at:
http://webct.njit.edu
You’ll need your UCID and password to login. There is a tutorial on the login screen that you should use if
this is your first experience with WebCT.
Regular attendance in this course is mandatory. Role will be taken at the start of each class session.
Students with more than 3 unexcused absences will fail the course irregardless of your other grades. 2 late
arrivals count as an unexcused absence.
Project/Presentation
This course contains a semester long project that is designed to increase your understanding of a particular
area of Ethical Hacking/Penetration Testing. The project will be completed in groups of 4 and consist of a
25-30 page research paper and a 15-20 minute presentation. All group members must participate in the
paper and presentation. You will be assigned a topic to research during our 3rd class session. If you have
any particular interests that you would like to explore, please let me know prior to then and I will
review/approve them. The paper should be written to MLA standards and include a table of contents,
introduction, main body, summary and bibliography. Sources should be quoted in the paper to document
your research. You paper will be graded on technical content, professionalism, and accuracy. Please
provide your completed work in an electronic copy in MS Word format sent to my e-mail address. Your
presentation should be made using MS PowerPoint.
Assessment
The midterm and final will constitute a significant portion of your overall grade. Exam times will be
announced as they become available. Both exams will be in a closed book/notes format and will contain
information from the text, as well as lectures. The final will be cumulative.
As a general rule, I do not give makeup exams without a legitimate reason (e.g., jury duty, serious medical
problem). If you have an emergency, I will make allowances as long as you provide proper documentation.
If for some reason you have a conflict that will cause you to miss an exam, please inform me immediately
so that we can arrange an alternate date for you to complete the test. You can send email or leave a phone
message on my answering machine at any hour of any day.
I do not give out extra-credit assignments.
If you must miss a class, lab, or exam because of a religious observance, it is your responsibility to report to
me within the first two weeks of classes which days you will be missing.
Collaboration
You are encouraged to work together with your classmates in order to help your high-level understanding
of the material presented in the course. Any solutions to assignments/exams/projects presented for credit
must be work created on your own. Plagiarism, cheating, or any other anti-intellectual behavior will be
dealt with as per the NJIT Honor Code. You can find a copy of the Honor Code at
http://www.njit.edu/academics/honorcode.php.
Please read the Code prior to our first class. In the instance that a student’s work appears to be a derivative
of another’s, both will receive zero credit for the work and will be referred to the Dean of Students. There
will be NO exceptions.
NJIT Campus Schedule
Information regarding important dates during the semester may be found at:
http://www.njit.edu/v2/Directory/Admin/Registrar/Calendar/2007sp.htm
Schedule
Wk
1
2
3
4
5
6
7
8
Date
1/19
1/22
1/26
1/29
2/2
2/5
2/9
2/12
2/16
2/19
2/23
2/26
3/2
3/5
3/9
Topics Covered
Introduction to Penetration Testing
Cont.
Legal and Ethical Considerations
Creating and Implementing a Test Plan
Cont.
Social Engineering
Cont.
Host Reconnaissance
Reading
Chapter 1
Chapters 2 & 3
Chapter 4
Chapter 5
Session Hijacking
Chapter 6
Web Server Attacks
Cont.
Database Attacks
Cont.
Password Cracking
Chapter 7
10
11
3/19
3/23
3/26
3/30
4/2
Network Devices & Attacks
Cont.
Wireless Network Attacks
Chapter 10
Trojans and Backdoor Applications
Chapter 12
OS Specific Attacks
Chapter 13
Buffer Overflows
Chapter 14
Denial of Service Attacks
Chapter 15
Chapter 8
Chapter 9
13
14
15
4/9
4/13
4/16
4/20
4/23
4/27
4/30
5/3 – 5/9
Midterm
Chapters 1 – 8
Semester Break
No Classes
Chapter 11
4/6
12
Quiz 1
Chapters 1-4
Reconnaissance Tools (Lab)
Juggernaut/Hunt (Lab)
3/12, 3/16
9
Notes
Kismet/Netstumbler (lab)
Quiz 2
Chapters 8-11
Good Friday
No Classes
WEPCrack (lab)
Netcat/Nessus (lab)
Project due/Presentations
Khat2 (lab)
Presentations
Putting it all together (lab)
Final Exam Week
This course contains a very large amount of material compressed into a single semester and will require a
significant contribution of your time. Don’t let yourself get behind! Reading is to be completed prior to
class. You are responsible for the material on the date indicated.
Download