Module Description
The university's "official" documentation and description for the module is below.
Module Overview
In this module students will study the theoretical and practical aspects of penetration testing and security audit. Common tools and techniques will be explored, with a focus on building a good understanding of the underlying theoretical concepts of systems exploitation. Currently standard tools, techniques and frameworks will be explored while building a good understanding of underlying concepts through ground-up development and exploration.
Learning Outcomes
The intended learning outcomes are that on this module the student should be able to:
- Use appropriate tools to discover the structure of a network, the services running on it, and identify and classify potential security flaws
- Demonstrate understanding of the core theoretical concepts that lead to insecurity in computer systems, and how these can be used to exploit and mitigate threats identified in a computer system or network
- Discuss common penetration testing methodologies, vulnerability risk rating systems and how they relate to the security audit process
So what does this mean?
In this module we will look at the more offensive side of Ethical Hacking, and look at how we can perform a security assessment of a system.
This means we get to do the "fun stuff": assessing systems for vulnerabilities, then exploiting them. As the web is a common attack vector, we will have some crossover between this module and 5067CEM, where we use web flaws identified in 5067 to act as a foothold for further exploitation.
There's going to be quite a lot of theory, looking at why these things happen, the common coding mistakes, and the protocol problems that cause them. Don't worry that it's all going to be theory; there are lots of practical parts too.
When it comes to practical work, we will use some well-known tools (for example Nmap) to help discover potential issues, then build our own exploits for the problems we find.
What, no Metasploit?
It might surprise you that we are not going to use that many of the well-known "hacking tools".
Things like Metasploit are great (and super relevant for work),
but getting the best out of tools means you need to have some understanding
of what they are doing.
Rather than teach you how to use "off the shelf" exploits, the module aims
to give you an understanding of why the issue happens. This includes a surprising
amount of theory and manual work.
I feel that this is a much better approach than just teaching you the steps for a specific vuln. Being able to hack CVE-2018-1133 is pretty cool, but if all you have learnt is how to follow the steps for that specific issue, by the time 2019¹ comes around, your skills are already out of date.
Understanding the hacking process, and being the people who find these issues and write the Metasploit modules, is going to be much better for you in the long run.
Summary
In this section we have covered the Module definition and the main learning outcomes. This should give you some idea of what to expect during the course of the module.
If you have any questions, we will have time for a Q&A in the lab sessions.
¹ Yes, 2019 is intentional. Even if I teach you how to hack a specific vulnerability from 2021, by the time you finish Uni, you are out of date.