Course Administration

Syllabus can be found at here
A high level view of presentation marking can be found here
Presentation schedule can be found here

System Administration

Kali Linux
root toor
Ubuntu 8.04 with some vulnerable applications installed.
arnold password

News of the Week, summary

A summary of what is happening in information security this week.

Dictionaries

A collection of security and general terms.

Tool of the week

Investigate, demonstrate and report on one of the top information security tools. Each tutorial is installed in one of our VMs.

John the Ripper: presentation, demo script
THC Hydra: presentation
Ghidra: lab.txt, vbuckskeygen.class
Wireshark: presentation
Metasploit: presentation
Snort: presentation
TOR: presentation
OpenSSL: presentation, notes
Ghidra: presentation

In Depth

In-depth report of a current Information Security Issue or Concept. This includes something concrete (ie working examples). May have an associated tutorial.

Topic	Tutorial
Intro to Cryptography	Krypton Wargames (crypto)
CVE-2014-6271 Shellshock
RSA
XML Vulnerabilities
ddos
Homomorphic Encryption	Assignment
Spectre and Meltdown	Tutorial
Social Engineering	Tutorial
Ransomware
Stegosploit	tutorial
Authentication, and a great introduction (see Grant Type: Authorization Code)	tutorial
runc presentation,notes
dnssec presentation, notes

OWASP TOP 10

Documenting the OWASP top 10 security issues with full working exploitable examples and their effective mitigation. Issues can also come from Googles Browser Security Handbook, and from OWASP Top 10 Mobile Risks
* indicates content covered in class.

A3-Cross-Site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. XSS tutorial
A8-Cross-Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
OWASP: XSS

Tutorials

Bandit Wargames, Scoreboard Record your passwords and then submit them to utm submit.

Midterm

marking scheme

Challenges/Exercises

Playing around with capture the flag challenges and with security virtual machines.

http://canyouhack.it/
Legally Hack | Hacker Challenges | 11 Places You Can Hack
wargames
hax.tor Online collection of interesting
exploit-exercises.com Nice site with interesting exercises, start here, they have downloadable vms as well.
wechall.net Challenges, also a list of related websites on the side
hackthis.co.uk
hack this site
WebGoat,
Kali vs Vulnerable Stuff http://sathisharthars.wordpress.com/2014/08/04/create-your-own-web-penetration-testing-lab-in-kali-linux/
BadStore (tutorial)
ictf exercises
Web Application Exploits and Defenses

Interesting

How Dropbox securely stores your passwords

Info Sec Resources

CVE Database
pentest-tandard.org: Penetration testing standards documents.