Hasso-Plattner-Institut25 Jahre HPI
Hasso-Plattner-Institut25 Jahre HPI
 

CTF: Cops & Robbers (Sommersemester 2020)

Lecturer: Dr. Feng Cheng (Internet-Technologien und -Systeme) , Daniel Köhler (Internet-Technologien und -Systeme) , Leonard Marschke (Internet-Technologien und -Systeme)

General Information

  • Weekly Hours: 4
  • Credits: 6
  • Graded: yes
  • Enrolment Deadline: 06.07.2020 - 12. 07.2020
  • Teaching Form: Seminar / Project
  • Enrolment Type: Compulsory Elective Module
  • Course Language: English
  • Maximum number of participants: 12

Programs, Module Groups & Modules

IT-Systems Engineering BA
  • ISAE: Internet, Security & Algorithm Engineering
    • HPI-ISAE-G Grundlagen
  • ISAE: Internet, Security & Algorithm Engineering
    • HPI-ISAE-V Vertiefung
  • OSIS: Operating Systems & Information Systems Technology
    • HPI-OSIS-G Grundlagen
  • OSIS: Operating Systems & Information Systems Technology
    • HPI-OSIS-V Vertiefung
  • SAMT: Software Architecture & Modeling Technology
    • HPI-SAMT-G Grundlagen
  • SAMT: Software Architecture & Modeling Technology
    • HPI-SAMT-V Vertiefung

Description

Introduction

This experimental project seminar is about learning and training with the advanced techniques of practical system and network security. We will have two teams (each with about 5-6 members) challenging each other and the tutoring team within three challenges - with changing roles either as attackers or defenders of a target IT system. For each challenge, the teams will have to prepare their arms: setting up a secure system (under given constraints) for the defenders, choosing and testing recon and penetration tools for the attackers. After preparation, the teams will hold a supervised Capture-the-Flag live challenge.

During the whole seminar, we will have a meta-challenge as each team has to provide the tutors a wiki, which contains all information about the team's progress.

Besides the challenges, each participant is supposed to select a security relevant topic, do research on it (reading and testing), and give a short presentation (15-20 mins) during the seminar.

Topics for the challenges:
    1. System- and Network Security
    2. Web- and Service/Application Security
    3. Managing large environments (combination of first two topics in a larger environment)

Important Notice: We are not guiding you for hacking and participation in this seminar is not an excuse for any kinds of malicious actions towards unauthorized resources over Internet!

Requirements

We are looking for good team players with strong interests in cyber security. If you got interested while seeing this page, please directly drop a line to Feng (feng.cheng"at"hpi.de) and come to the first session. Dont wait too long! First come, first served!

It is recommended that the participants have successfully finished the lectures/seminars

  • Internet- und WWW-Technologien
  • Internet Security - Weaknesses and Targets

Additional fields of knowledge, which might help you (but are not required)

  • Networking technologies (TCP/IP, Switches, VLANs, ...)
  • Server administration (Linux, SSH, Hardware management, ...)
  • Operating Systems (Management, Internals, ...)
  • Monitoring/Logging-Techniques
  • Experience with VMMs

Please keep in mind, this seminar is highly dependant on team effort.

Literature

Learning

Students will be divided in two groups. For the first two challenges, each group is either the red (attackers) or blue (defenders) team. The blue team is preparing a network scenario for the red team.

After scenario preperation the red team is allowed to attack the scenario for several hours in a live hacking session. During this session the blue teams task is to surveil the red team. Both teams then will present their findings few days later.

During the preparation phase of the scenarios, each member of the red team will prepare one short individual introduction about attacking and defending techniques, which might get used in the scenario. The blue team has to set up the scenario itself during this time.

After the first two challenges, we will prepare a third challenge with an even more advanced scenario, covering additional topics. For documentation purposes, each team has to write a report about this challenge.

Possible interesting topics:

  1. Password Security and new Authentication Methods
  2. Security of Mobile OSes and Apps
  3. Security of Social Web  
  4. Web Security: SSL/TLS, Web Application Firewall (WAF), ...
  5. Email Security: Signature, Encryption, Spamming, Phishing, ...
  6. IoT Security: Home Automation, Vehicle, ...
  7. Virtualization and Cloud Security 
  8. Switch, Router, Gateway, and Firewalls
  9. Intrusion Detection (IDS/IPS)
  10. SSH Tunneling and Virtual Private Network (VPN)
  11. IPSec, IPv6 and the relevant Security Issues
  12. Network Scanning and Monitoring
  13. Complex Attacks and APT
  14. SIEM and Security Analytics
  15. Attack Category and Vulnerability Modeling
  16. ...

Examination

(subject to change)

Overview of all grade relevant parts:

  1. Wiki (log of your activities): 15%
    1. Accuracy of your activity log
    2. Uptime
  2. Challenge One: 20%
    1. Achievements (red team)
    2. Presentation
    3. Preparation (blue team)
  3. Challenge Two: 20%
    1. Achievements (red team)
    2. Presentation
    3. Preparation (blue team)
  4. Individual Introduction/Presentation: 15%
  5. Challenge Three: 30%
    1. Achievements
    2. Report (Documentation in your wiki in PDF format)

We will award bonus points for additional activities leading to information disclosure of the other team. Please note: You are not allowed to attack any other resources beside the resources (servers, VMs..) you are getting from the tutors during the seminar. Additionally, you are required to check with the tutors before any action.

Dates

(to be updated following further adaptions from Uni-Potsdam and HPI on the general semester organization)

  • 2020-08-14, 1:30 p.m. Introductory Session, H-2.57
    • Assignment of individual topic; Team building
    • Wiki server assignment
  • 2020-09-18, 11:00 a.m. Team B: Kick-Off Challenge One
    • Red Team
    • Tutorials
  • 2020-09-21, 11:00 a.m. Team A: Kick-Off Challenge One
    • Blue Team
    • Hand-Out requirements sheet
  • 2020-09-28, 11:59 a.m. Team A: Hand-In Challenge One
  • 2020-10-01, 11 a.m. Team B: Idividual Presentations
    • 20 Minutes per Presentation
  • 2020-10-02, 8:00 a.m.: Session Challenge One
    • Duration: 4 hours
  • 2020-10-07, 9:15 a.m.: Presentations Challenge One
    • Each presentation about 40 minutes
  • 2020-10-07, 11:00 a.m. Team A: Kick-Off Challenge Two
  • 2020-10-08, 11:00 a.m. Team B: Kick-Off Challenge Two
  • 2020-10-15, 11:59 a.m. Team B: Hand-In Challenge Two
  • 2020-10-19, 11 a.m. Team A: Idividual Presentations
    • 20 Minutes per Presentation
  • 2020-10-20, 9:30 a.m.: Session Challenge Two
    • Duration: 4 hours
  • 2020-10-26, 11:00 a.m.: Presentations Challenge Two
  • 2020-10-26, 3 p.m.: Court Challenge Three
  • 2020-10-28, 9:00 a.m.: Session Challenge Three Part 1
    • Duration: Whole day
  • 2020-10-29, 8:00 a.m.: Session Challenge Three Part 2
    • Duration: Until 3:30 p.m.
    • Afterwards, we will have a BBQ

To pass the course you have to attend on all presentation sessions as well as all challenge sessions.

If you have any questions regarding the dates of the seinar, do not hesitate to ask us directly.

Zurück