Penetration Testing mailing list archives

Re: Graduate CS Pen Testing Class


From: Scott <opiesan () gmail com>
Date: Thu, 21 Apr 2011 13:43:20 -0400

Hello Wesley.

That sounds like a great class. Since this is a grad-level CS class,
can we assume the students will be familiar with programming,
operating systems, analytical troubleshooting, and possibly system
administration? If so, I think you've got a great opportunity here.
Many of the best pen testers I've met started out in some other field
of IT (programming, sys admin, database admin, web programming, etc.)
and gained a high degree of fluency in that area before transitioning
to the audit/pen test role. They were able to leverage that knowledge
and experience when it came time to think like an attacker and find
the weak points of a network, host system, or application.

Learning the tools is a good idea since it can help automate checking
long lists of potential vulnerabilities but I think you learn more by
building a tool yourself, even if it only does one thing (this
includes writing a module for Metasploit). If you can automate a
process and turn it into a tool others can use, it shows you have a
much deeper understanding of the problem or vulnerability the tool is
exploiting. That level of understanding is something too many of us
lack (for a variety of reasons) these days. The process of creating
your own tool also teaches you how to research and learn all the
details of that specific problem (very similar to creating sys admin
scripts or programs for non-security issues). If you can do that once,
you can apply it repeatedly down the road to build better tools and/or
better understand other tools you may end up using.

You can also review the new PTES project (Penetration Testing
Execution Standard) here:

http://www.pentest-standard.org/
http://www.secmaniac.com/march-2011/the-penetration-testing-execution-standard-ptes-alpha-released/

This is a great resource for learning the stages of a penetration
test, how professional pen testers think through an attack, and the
process they follow. It's high level now but already a great resource.

My last suggestion is to learn how to *think* like a hacker. This isn't
limited to the evil stereotype we normally think of either. The
hacking mindset is creative, adaptive, open, and persistent (IMO).
Take something that was intended to do A, then figure out how to make
it do Z instead. When you fail the first few times, keep at it and try
again. Doesn't matter if it's software or hardware. The exercise of
thinking differently and getting around limitations in the original
design implementation teaches us how to look for things that either
weren't considered or weren't intended originally. If you have time
to do something similar with your class then perhaps you can give a
project that requires them to tear something down (again, HW or SW),
change it, make it do something else, then document it (what they did,
why they did it, how they did it, and possibly how to prevent someone
else from doing it).

I once took a class called "Troubleshooting and Repairing Lasers" but
in reality we never touched a laser that session. We were given
Heathkit AM radio boards instead and our grade was based on how many
radios we fixed. The instructors induced problems (simple to nasty)
and it was on us to find the problem and fix it. This is just an
example of how to use something simple like a radio to shift someone's
mindset towards creative problem solving. The skills we learned that
session were equally applicable when we finally did work on lasers.

Hopefully this is helpful for you and I wish you the best of luck with
your class.

Scott / @phat32

On Tue, Apr 12, 2011 at 1:36 AM, Wesley <wesley-shadoan () utulsa edu> wrote:
Hi All,

I've been asked to teach a graduate level computer science course on
network auditing and penetration. I'm hoping to make the class as
hands on as possible, covering material from enumeration to system
hacking. What practical scenarios should be included in the course
content? I'd like to cover a range of popular tools but at the same
time make it more than a script kiddie class. Each scenario should
teach concepts as well as getting students familiar with different
security tools. If you were to one day have these students either
conducting audits for you or working for you what skill set would you
like them to have?

Thanks

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


