IT Systems Attack and Defence

This introductory course on IT Systems Attack and Defence is a practical 5-day course on the methods and tools used by attackers to gain access to IT systems and on the countermeasures available to cope with those attacks. The course is built on hands-on exercises. The tasks are mainly focused on the offensive side of IT security: the participants can try out several of the most common types of attacks on lab systems. During the missions the participants can take part in a so-called Capture the Flag competition, in which the winner is the first person able to capture a specific token from the vulnerable system.

Students will be provided with virtual machines based on Kali Linux. The majority of the tools used in the class are open-source or at least non-commercial. The vulnerable web applications are built mostly with PHP and MySQL. Our purpose is not to focus on the details of specific technologies, but to explain the most common attack classes using popular and simple-to-understand solutions.

Learning Objectives

The course gives an idea of how penetration testers and hackers think, offers practical work to develop imagination, and shows what it could mean to defend against them. It is intended to provide the initial theoretical basics, the reasons they matter, and pointers on where to read further. After that the course members immediately face hands-on problems to solve using the introduced tools.

In this course the attendees can try out how pen-testers and hackers might work in a lab situation:

  • Get introduced to the phases of a penetration test:
    • Scanning and Enumeration
    • Gaining Access
    • Privilege Escalation
    • Lateral Movement
  • Get an overview of common penetration-testing and attacker tools
  • Understand potential ways of reconnaissance
  • Understand, see and do different ways of network scanning
  • See and do different ways of network infrastructure attacks
  • See and do different types of DNS attacks
  • Explore Web Application Security:
    • Main building blocks of web applications
    • Session management and authentication attacks
    • Injection attacks (SQL injection, OS command injection, File inclusion, Insecure file upload functionality)
    • Cross-site scripting
    • Cross-site request forgery
  • Get an overview of various protection mechanisms and common misconfigurations in a Windows domain environment
  • See and do stealing credentials from Windows systems and using them to conduct Pass-the-Hash and Pass-the-Ticket attacks
  • Conduct man-in-the-middle attacks
  • Use Metasploit Framework and existing exploit code against different targets, including client-side attacks
  • Exploit vulnerabilities in custom-built web applications

Target Audience

The course has been designed for network and system administrators and security specialists. In general, the expected audience consists of people who have a good background in information technology, whether gained from university studies, practical experience, or both. We do not expect these individuals to have prior knowledge or practical know-how about the security problems of computer networks and applications. Professional security practitioners or penetration testers with years of experience are not the target audience for this course.

Outline

  • Introduction of the lab environment. The basics of Kali Linux and Metasploit
  • Reconnaissance: sources and tools for gathering information about target networks
  • Network scanning: host discovery, TCP and UDP port scanning, operating system detection, vulnerability scanning, scanning in IPv6 networks, honeypots and tarpits
  • Enumeration: using DNS, SNMP and other protocols to identify potential vulnerabilities
  • Credential attacks: password guessing and cracking, how passwords are stored in IT systems, hashing functions and identified vulnerabilities in them, Rainbow Tables, best practices for password security
  • Network infrastructure attacks and defence: MAC flooding, ARP spoofing, ICMP redirection, IP spoofing and fragmentation, VLAN hopping, leaking data over CDP, BGP hijacking; port security, DHCP snooping and dynamic ARP inspection, private VLANs, 802.1x
  • DNS security: DNS overview, DNS tunnelling, DNS rebinding, DNS snooping, cache poisoning attacks, DNSSEC
  • Windows Security: Pass-the-Hash, Pass-the-Ticket, Kerberos Silver and Golden Ticket attacks, authentication methods, security mechanisms, privilege escalation, process injection
  • Web Application Security:
    • Main building blocks of web applications
    • Session management and authentication attacks
    • Injection attacks:
      • SQL injection
      • OS command injection
      • File inclusion
      • Insecure file upload functionality
    • Cross-site scripting
    • Cross-site request forgery

Theoretical lectures are supported by sets of practical exercises. These allow the students to conduct different tasks such as:

  • Using various open-source or freely available tools for information gathering from public sources
  • Scanning small networks to find live hosts or machines with specific vulnerabilities
  • Using DNS enumeration to find interesting hosts, and exploiting an unprotected SNMP service to enumerate information
  • Tunnelling arbitrary IP traffic over the DNS protocol in a restrictive environment
  • Guessing and cracking passwords
  • Stealing credentials from Windows systems and using them to conduct Pass-the-Hash/Pass-the-Ticket attacks
  • Conducting man-in-the-middle attacks (e.g. dissecting and sniffing SSL-encrypted traffic) using ARP spoofing in IPv4 networks and falsified Neighbour Advertisements in IPv6 networks
  • Using Metasploit Framework and existing exploit code against different targets. This includes client-side attacks
  • Exploiting vulnerabilities in custom-built web applications

Prerequisites

  • Ideally, the students will have at least junior-administrator-level experience with Windows- and Linux-based systems. They should understand the main networking protocols (e.g. ARP, IP, ICMP, TCP, UDP, DNS, HTTP, SNMP, SMTP), have some experience with web technologies (such as HTML, PHP, JavaScript) and have knowledge of relational database management systems (MySQL)
  • Programming skills are helpful
  • English language skills comparable to STANAG 6001 level 3.2.3.2 are required
  • The students' workstations will be based on Kali Linux; therefore at least user-level knowledge of working with Linux systems on the command line is expected (opening SSH connections, working with the filesystem, configuring network settings, etc.)

Registration

Registration opens on 10 June 2019. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. An email confirming the participation will be sent only after the registration has closed.

If you have any questions or issues with registration, please contact [email protected]