IT Systems Attack and Defence Course


IT Systems Attack and Defence Course


11-15 Sep 2017

Registration deadline:

17 Jul 2017



Tallinn, Estonia

Participation fee:

300 € (no fee for the Sponsoring Nations, Contributing Partners and NATO bodies)

IT Systems Attack and Defence is a practical 5‐day introductory course considering the methods and tools used by attackers to gain access to IT systems, and the potential countermeasures to cope with those attacks. 

The course is built on hands‐on exercises. The tasks are mainly focused on the offensive side of IT security. The participants can try out several of the most common types of attacks on lab systems. During the missions the participants can take part in a so‐called Capture the Flag competition; the winner is the first person who is able to capture the specific token from the vulnerable system. 
Students will be provided with virtual machines based on Kali Linux. The majority of the tools used in the class are open‐source or at least non‐commercial. The vulnerable web applications are built using mostly PHP and MySQL. Our purpose is not to focus on details of specific technologies, but to explain the most common attack classes using popular and simple to understand solutions. 

Learning Objectives

The course gives an idea of how penetration‐testers and hackers think, practical work to develop imagination, and what it could mean to defend against them. It is intended to give initial theoretical basics, needs, and an idea where to read further. After that the course members will immediately face hands‐on problems to solve using the introduced tools. 

In this course the attendees can try how pen‐testers and hackers might work in a lab‐situation: 

  • Get introduced to the phases of a penetration testing
    • Reconnaissance
    • Scanning and Enumeration
    • Gaining Access
    • Privilege Escalation
    • Lateral Movement
  • Provide an overview of possible and common pen‐testers and attackers tools
  • Understand potential ways of reconnaissance
  • Understand, see and do different ways of network scanning
  • See and do different ways of network infrastructure attacks
  • See and do different types of DNS attacks
  • See Memory Corruption vulnerabilities
  • Explore Web Application Security
    • Main building blocks of web applications
    • Session management and authentication attacks
    • Injection attacks (SQL injection, OS command injection, File inclusion, Insecure file upload functionality)
    • Cross‐site scripting
    • Cross‐site request forgery
  • See and do stealing credentials from Windows systems and using them to conduct Pass‐the‐Hash and Pass‐the‐Ticket attacks
  • Conduct man‐in‐the‐middle attacks
  • Use  Metasploit  Framework  and  existing  exploit  code  against  different  targets, including client‐side attacks
  • Exploit vulnerabilities in custom‐built web applications. 

Target Audience

The course has been designed for network and system administrators and security specialists. In general, the expected audience should consist of people who have a good background in information technology, whether gained from studies at university or by practical experience, or both. We do not expect these individuals to have knowledge or good practical know‐how about  security  problems  of  computer  networks  and  applications.  Professional  security practitioners or penetration testers with years of experience are not the target audience for this course. 


  • Introduction of the lab environment. The basics of Kali Linux and Metasploit
  • Reconnaissance: sources and tools for gathering information about target networks
  • Network  scanning:  host  discovery,  TCP  and  UDP  port  scanning,  operating  system detection, vulnerability scanning, scanning in IPv6 networks, honeypots and tarpits
  • Enumeration:  using  DNS,  SNMP  and  other  protocols  to  identify  potential vulnerabilities
  • Credential attacks: password guessing and cracking, how passwords are stored in Linux and Windows, hashing functions and identified vulnerabilities in them, Rainbow Tables, Pass‐the Hash, Pass‐the‐Ticket, Kerberos ‘Silver and Golden Ticket Attack’
  • Network  infrastructure  attacks  and  defence:  MAC  flooding,  ARP  spoofing,  ICMP redirection, IP spoofing and fragmentation, VLAN hopping, leaking data over CDP, BGP hijacking; port security, DHCP snooping and dynamic ARP inspection, private VLANs, 802.1x. 
  • DNS  security:  DNS  overview,  DNS  tunnelling,  DNS  rebinding,  DNS  snooping,  cache poisoning attacks, DNSSec
  • Memory corruption vulnerabilities: memory models, virtual memory, the heap and the stack, assembly essentials, GDB basics, program execution flow, smashing the stack, shell  code  basics,  basics  of  Windows  and  Linux  exploitation,  memory  protection mechanisms
  • Web Application Security
    • Main building blocks of web applications
    • Session management and authentication attacks
    • Injection attacks
      • SQL injection
      • OS command injection
      • File inclusion
      • Insecure file upload functionality
    • Cross‐site scripting
    • Cross‐site request forgery. 

 Theoretical lectures are supported by sets of practical exercises. These allow the students to conduct different tasks such as: 

  • Using  social  engineering  tools  such  as  The  Harvester  or  recon‐ng  for  information gathering
  • Scanning small networks to finding alive hosts or machines with specific vulnerabilities
  • Using DNS enumeration to find interesting hosts, exploiting unprotected SNMP service for enumeration of information
  • Tunnelling arbitrary IP traffic over DNS protocol in restrictive environment
  • Guessing and cracking passwords
  • Stealing  credentials  from  Windows  systems  and  using  them  to  conduct  Pass‐the‐Hash/Pass‐the‐Ticket attacks
  • Conducting  man‐in‐the‐middle  attacks  (e.g.  dissecting  and  sniffing  SSL  encrypted traffic) by using ARP spoofing in IPv4 networks and falsified Neighbour Advertisements in IPv6 networks
  • Using Metasploit Framework and existing exploit code against different targets. This includes client‐side attacks
  • Exploiting vulnerabilities in custom‐built web applications


  • At best, the students should have experience in administrating Windows and Linux based systems, understand the main networking protocols (e.g. ARP, IP, ICMP, TCP, UDP, DNS, HTTP, SNMP, SMTP), have some experience with web technologies (like HTML,  PHP,  JavaScript)  and  knowledge  about  relational  database  management systems (MySQL)
  • Programming skills in any standard language would be helpful
  • English language skill comparable to STANAG 6001, is required
  • Student’s  workstation  will  be  based  on  Kali  Linux;  therefore  at  least  user‐level knowledge of working with Linux systems is expected
Registration info

Please register for the course by visiting the NATO CCD COE website and completing the provided registration form before the deadline. Should you have any questions, please contact: events -at- 
* Before registering, please check the up‐to‐date course information on the NATO CCD COE website