Examination arrangement

Course content

The course covers the theory and practical techniques of ethical hacking and penetration testing, which are essential elements in modern cybersecurity. Ethical hacking consists of testing the security of IT systems by trying to find and exploit security vulnerabilities. The course presents the steps of penetration testing including information gathering, network reconnaissance, how to get in touch with services, but also covers specific topics such as web hacking, binary exploitation, social engineering and wireless hacking.

Learning outcome

A. Knowledge:

Students will learn:

• the theoretical basis for security testing
• the legal aspects of performing ethical hacking and to judge what is within and outside permitted activities

B. Skills:

Students will learn:

• how to perform practical penetration testing using up-to-date tools and techniques
• how to evaluate the security status of systems and suggest solutions for removing security vulnerabilities
• how to use publicly available resources for verifying the status of vulnerabilities and for applying patches

C. General competence:

• Students will have a better understanding how to protect systems against modern cyber attacks.

Learning methods and activities

Lectures and workshops with laboratory exercises, capture the flag style competitions with up-to-date security challenges.

Further on evaluation

Portfolio assessment is the basis for the grade in the course. The portfolio includes practical ethical hacking tasks including one final practical assignment given at the end of the semester. The work on all those tasks composes 100% of the final grade. The results for the practical tasks are given in points and in %-scores. The entire portfolio is assigned a letter grade. If a student has the final grade F/failed, the student must repeat the entire course.

Recommended previous knowledge

Basic knowledge of computer networks, basic knowledge of programming languages.

Course materials

The main course material will be given in the form of slides, tutorials, and video presentations. The material will cover the following topics of ethical hacking:

• general information gathering
• technical information gathering
• network reconnaissance
• get in touch and attacking services such as for instance FTP, DNS, SMTP
• web hacking basics (finding and accessing hidden content, client side manipulation, brute-forcing, parameter tampering)
• web hacking client side attacks (Cross Site Scripting, Cross Site Request Forgery)
• web hacking server side injections (SQL injection, XPath injection, Template injections)
• web hacking specific vulnerabilities (eg file inclusions, session manipulation, IDOR)
• basic binary exploitation, understanding the virtual address space, debugging binaries, exploiting stack overflow
• advanced binary exploitations, return oriented programming, heap exploitations
• internal network hacking (get access to the internal network, Netbios, SMB attack)
• social engineering attacks (phishing, spear phishing practice)
• wireless hacking