I'm Sam Bowne. I'm in the Computer Networking and Information Technology Department at City College San Francisco. I guess I want to tell you a story first. A year and a half ago I'd never been to DEF CON, and I heard a news story about a guy presenting a Cisco vulnerability, which I think Dark Tangent just told the whole story about. Now, they made me wait in the speaker room, where they had relatively luxurious chairs, but I didn't get to hear that story. So all I know is whatever distorted media I read about it. But the main thing I got out of that is that really important stuff happens here at DEF CON. Really good information that people need to know. And I didn't know any of it, and so I bought a ticket. I said, well, I'd better go check this thing out.

And so before this, before DEF CON, a month before it, in Texas, there was a teachers' conference I went to. And a guy stood up and he gave an hour-long talk about security and the need to have strong ethics, and the need to be able to answer immediately, with no hesitation, if the cross-examiner asks you, "Is there any illegal software on your computer? Have you ever taken any illegal drugs?" You have to immediately say no, and you have to mean it. That's what he said. And then he said, those people at DEF CON are complete idiots. You can't ever send your students there. They won't learn anything. Those people will tell you things about computers. They're not even true. The exploits don't even work. And I sat there: oh, really? Gee, well, I guess it's kind of too late to sell my ticket back, and I guess I could always, like, quietly sneak away and never admit I went if it's really that bad. But how bad could it be? And I came here and I was amazed at how wrong it was. I mean, serious PhD candidates, teachers from everywhere, professional network security people. And the main thing I noticed is, at my college, people are in my way.
Every time I'm walking somewhere, I'm trying to get there and I have to go around people like obstacles all the time. This is the only place I've been in years where people were going around me because I was in their way.

Anyway, I heard about all these exciting things and I said, well, if this stuff works, it is really a shame that there's no class at our college at all that prepares someone to come here and compete in something like capture the flag. Or even to understand what's happening here, largely. So I went back and told my department head all this, just because she asked, "What did you do this summer?" And I said, "Well, I learned all this great stuff at DEF CON." She said, "Well, why don't you teach a course?" And I said, "They'd never let me teach a course in hacking, would they?" I mean, I didn't even think to ask. And she said, "Oh yeah, go ahead, there's a book." And there is a book. This was news to me. I thought this stuff was all, like, illegal and scary and dangerous in the eyes of academia. But there's a book. Now, I don't know if the guy who wrote this book, Michael Simpson, is he here? Perhaps not? Well, I hope I wouldn't offend him too much by saying that this book is the perfect book for what I needed to do, convincing a hesitant, scared college to accept my course, because it's very straightforward. It explains everything in a very good way, and it's kind of dull. And the projects are kind of wimpy. You don't actually do what I would regard as a lot of real hacking. You talk about hacking, and then there's hands-on projects, but too often the hands-on projects are sort of, you go to a website and look at something. So what I was able to do, see, is use this book as cover. When the administration asked me, "What are you teaching?" I said, "I'm teaching what's in that book."
And I found websites from six other colleges that are teaching classes from that book, and I say, I'm just teaching a network security class like all the rest. It happens to have hacking in the title, but, you know, it's not that bad. And then I wrote my own projects to add to it. So my department head, who talked me into doing this, and I appreciated it, also took the bold step of building it into our program.

We're a community college, a two-year college, and although it is possible for four-year students to go to our college and then transfer to a four-year college and get an undergraduate degree, that is a very small portion of our population. The majority of the people in our classes are full-time networking professionals going to night classes to brush up on skills. Which is how I got there anyway. I was a database analyst. We upgraded from a DOS-based application to Access, and I took night classes, and while I was taking night classes to brush up on Access I was thinking, you know, I'm really tired of being a DBA and I'd rather be teaching this class. And so I left and went and did that. But that's mostly what our students are. So anyway, our programs are kind of short, but they put hacking in our security program.

And so I'm convinced it's a good idea, and here's why. We have a Security+ class and we have other security classes where people talk about security and best practices, and the students listen to lectures, presumably study the book, and then regurgitate it back on tests, and the result is they don't learn it very well. They don't really know it. When I took even the smarter students and I would talk to them in a lab about exploits and a man-in-the-middle attack, they didn't really understand what was going on with the ARP cache poisoning. Which surprised me, because they weren't at the bottom of the pack, but reading a book about it doesn't really get it in their heads. You have to have labs. Students have to really do it.
They have to really do combat, attack and defense. And it really excites them to do hacking. They've all heard about it. They see it in movies and on TV, and they want to do it, and they didn't think they could learn it at college. And like I say, professional network administrators out there, even ones I've talked to, are amazed and they want to take the class. People with a lot of experience. People with a lot more experience running networks than I ever had still want to learn all these hacking tools, because they don't know any of it and they recognize immediately that this is really important.

So the next thing is, how dangerous is it anyway? This is the first thing that happens to me every time I talk about this in a chat room with my friends, anywhere. "Well, you're just making people into criminals." I say, well, no, I really don't think the criminals go to college and take classes to learn this stuff. I think they do use it and they learn it, but I think they learn it in other places. The people that go to classes are people that want to be security professionals on the other side, but they still need to know it. There may be some students who take what they learn in my class and apply it for evil, but I have no evidence of that. I've never seen anything like that happen yet, and I'll talk a little bit more about it later. But what certainly is true is a lot of network professionals that really want to understand security are learning it a lot better. That's the point of it. And if one of them goes bad for every 100 that goes good, then I think I'm improving the world. If it really was true that I was raising up a crop of terrible people that would go destroy the world, then I would quit teaching the class and I'd have to agree. But that's not what I think is happening here.

All right. Anyway, this is not a very advanced class. You certainly can do very advanced, wonderful things. And I was just watching H.D. Moore's class. They talk about Metasploit. That was wonderful.
But that's not where I'm at. This is a simpler class for people that have only taken a couple of networking classes. So I made it so you should have Network+ and Security+ first. Perhaps not the certificate, but at least preparation classes for it. And there's no programming. That's just the structure of our college. So we're not going to be able to create exploits or do reverse engineering or machine language. We're just going to use tools and do attacks with that. And the pattern is, you do a bunch of projects. Each project goes the same way. You create a vulnerable system of some kind. Then you attack it and take it over. Then you harden it and observe that it's no longer vulnerable. And that's the point. That's why you learn both sides.

So we need a lab. I saw another good talk today from a guy that wants to set up his labs with live CDs. And I guess I could have gone that way, but I didn't. I wanted virtual machines instead, which are another alternative. I'm used to them, but you certainly could do it with live CDs. Anyway, we just have fairly ordinary machines here. The only thing notable about our machines is that we have pretty big hard drives and moderately fast processors, not that great these days. And the hard drives have to be big because each student needs a lot of space. I just found out, when I just taught this whole class in Texas in a week at that same conference (they brought me back to teach the hacking class this year), that each student needs about 15 gigabytes for this stuff to work. Each virtual machine is pretty big.

Anyway, I had a lot of security concerns about this class. In order to avoid getting in trouble, when I went before the faculty review board that reviews new classes, I was armed with materials to justify my class in hacking, lists of other colleges that were teaching the same book. I was ready to endure a barrage of abuse and retribution for daring to suggest this. And they just said, oh, that'll be funny.
You're going to make them like Superman. And then they rubber-stamped it. So my review board had no clue about the potential hazard that I was putting us in. So I wanted to make sure that it stayed that way, and to make sure that nothing bad happens, and they can continue to not be aware of things that some people might reasonably worry about. So my goal in setting up the lab was to protect the world from the lab, not the usual goal where you protect your lab from the world.

So I found a router, one of my students found it actually, this ZyXEL router. It's actually a pretty lame device. It crashes a lot, but it has a strange feature, I don't know why they put it there, where you can filter the upstream bandwidth. And that's what I did. So you can't do anything to the world at any speed. The upstream is limited to 128. The downstream is a T3 line. We've got plenty of bandwidth, but not up. So it protects the world from us.

There are signs up all over the lab. I tell our students, and this, amazingly enough to me, really penetrated them. They're scared to send e-mail from the lab. They don't know how to turn in their homework. I warn them: look, even if people are doing just what I told them to do, they are doing man-in-the-middle attacks, hardware keyloggers, software keyloggers, sniffing on a wire with Ettercap. They're stealing everybody's password in this room. They use Ophcrack to steal your login password. Just don't even use any password in this room that you love, or any e-mail account that you use for anything else. Make another e-mail account with a different password and never type your normal password anywhere in this lab. Because I know they're stealing everything they're supposed to. That's their homework. So anyway, this really got through to them.

I got a bunch of student assistants. The hacking lab is open almost all the time, and there's some other classes in there, but it's pretty much just a hacking lab.
And a bunch of students volunteered to come in and be the monitor over the lab for a couple hours at a time. They all have keys. They all have keys to the closet where all the hardware is stored. And it worked really well. They showed up on time. There were no troublesome incidents. They didn't even steal my stuff. They didn't even steal the really cool stuff. I had a bunch of Wi-Fi routers, little Wi-Fi dongles. I had some hardware keyloggers, which a couple of them wanted to take home. I said no, and they didn't take them home anyway. But nobody even stole the stuff, which amazed me. I sort of thought some of it might get stolen, and I figured if they don't steal it all so fast that we can't use it, I can replace the stolen stuff enough to keep going. But they didn't steal anything. They loved it. It was their hangout.

So anyway, for projects, we used all the exciting stuff that I saw at DEF CON. You folks have already seen this stuff, I imagine. We used Metasploit. It makes it far too easy to take over vulnerable machines. We took over a Windows machine from XP and a Windows machine from Linux. I did these two projects, I must confess, because they're the only ones I could figure out how to do. One thing that Metasploit does not appear to have is a nice, friendly instruction manual that tells you how to do things. But thanks to Irongeek, and Irongeek, if Irongeek is here, I'm happy to buy you a drink. You've totally saved my life. I thought Irongeek's videos show you how to do things. And there are other videos out there too, but without those I would have been up much later and perhaps failed to get these projects ready in time. So that's why the particular exploits I've chosen were chosen: because I could figure out how to do them. Metasploit can do 180 things, but I only know how to do two of them. Anyway, then Nmap came with a lot of warnings.
Nmap can bring down a server, and I said, well, gee, I should put a warning in this project. Be careful, because you can bring down a server. And I said, wait a minute, that's no fun. Let's build a web server and bring it down and see if that's true. And by George, it is true. You set up a Windows 2000 web server, you do an aggressive port scan, it goes down to speed zero. It's lots of fun. So anyway, we did that.

I wanted to put a rootkit on Ubuntu. I knew Linux machines are vulnerable to rootkits as well as Windows machines. I wanted to do it the hard way. Let's see if I can put a rootkit on a Linux machine. I searched over the web and I found a variety of rootkits available, but most of them were specifically for really old systems. And I found some rootkit with the undignified name of Fuckit. It was the name of the rootkit, and this thing was designed to attack old Red Hat Linux servers, but I tried it on Ubuntu and it worked. I was sort of floored. I said, wait a minute now. If I pulled up a Windows exploit from five years ago and put it on a modern Windows machine, there'd be a patch. So I went to the Ubuntu forums and I said, should there be a patch? And they said, no, there shouldn't, because you should not add patches just to plug specific exploits. You should only add patches to maintain functionality, and if you want security, that should be a separate thing you add in. And I ultimately bought it. I think they're right. That would be down the wrong road for them to go.

But anyway, that rootkit works. I must warn you, it doesn't work very well. Not all the features work, and it destroys the Ubuntu. You install that rootkit, Ubuntu will not restart. You have to clean it off before you restart or it's dead. But we're using virtual machines, so I just warned them: copy your virtual machine. And in fact, the first section of my class, I said it'll destroy your virtual machine, and if any of you can get it off of there, please tell me how.
But next week I figured out how to get it off. And if anybody here wrote the diff function in Linux, I'd buy you a drink too, because the diff function is fantastic. Anyway, I got it off. I don't understand how it works myself. I expected it to compare the list of 30,000 files and their hashes, which I was trying to do to find out what the rootkit did, and stop at the first one that didn't agree and then give me 29,000 false positives. But it didn't. It found the 30 files that were changed right away. So I got the rootkit off of there.

Anyway, then I wanted to hack websites. Now, of course, I wanted to set up a website and have them hack it, but I sort of quickly figured out how much trouble we'd all get in if I did that. And I found this Hack This Site place, which is pretty exciting. I don't know if any of these folks are here. The founder's in prison now, because the techniques work too well and he really did use them to steal thousands of credit card numbers, and they caught him before he used them. So I said, this is great. I told my class, in the first place, don't use your real name or anything, but sign up here, do these projects, because this is the kind of education you'd normally have to learn from your cellmate. So it's a really good opportunity. So they did it.

Another great thing about this place is these projects come with solutions. There's a forum, and if you read the forum, they will tell you exactly how to do it, step by step if necessary. It's a puzzle, but there's ten of them, and I got to maybe six or seven before I started looking at the forum, and by the time I got to eight I got mad, because in eight they're doing, I think, a SQL injection, and they didn't have the guts to really let you do real SQL injection on the real site, so they have a simulation, and it's not right. So you don't get any reward from being close. You have to get exactly the one string they recommend, and I got frustrated.
Anyway, some of my students made it to the end of that, and it's good for them to try.

All right, then we wanted to find vulnerabilities in systems. We did Nmap, of course, to find out what ports are out there, and analyzed those with Wireshark to see what you got, and ran through the firewall tests. That hit the news quite a bit and caught my attention. There was a website, firewallleaktester.com I think, that has about 25 tools to punch through firewalls. It was the first site to prove in a quantifiable way what I had often heard rumored, which is the Windows XP SP2 firewall is junk. It's easy to get through, you know, because it doesn't filter outgoing traffic. So it's fine, except that all I have to do is trick you into clicking on a link and then it's wide open. Anyway, that was fun. I have a project where they test various firewalls and other things: NetBIOS, Nessus and the other tools, which are more or less familiar, I think, to a lot of people here, but they are not very familiar to people that go to college and take what we claim is a thorough education in network security, unfortunately.

Anyway, then there's Ettercap, to sniff passwords, and keyloggers, software keyloggers and hardware keyloggers, and Ophcrack, which really floored me, and it has floored almost all the professional network security students I've had come to classes. I give them that and say, I'll just get your XP password right off of that box. Just boot from the CD and then just wait, and your passwords just scroll up the screen, and their jaws drop and they run home to harden their box, and it's very impressive. They finally fixed that in Vista. Vista no longer has LM hashes by default, but XP with Service Pack 2 does, for some reason that is too stupid for me to make any excuse for it, like compatibility with DOS machines on your LAN. Anyway, Ophcrack is fantastic, and the other ones, Cain and Abel and John the Ripper, are all ways to steal passwords and crack into passwords and get where you don't belong.
And then, of course, you can just bypass the passwords. You can bypass Linux passwords with a live CD, and bypass them with recovery mode if you don't have an admin password, which is sort of a cheat, but that works on a default install of Ubuntu. When you install Ubuntu, I discovered, you get something with the security kind of like XP Home in many ways. But anyway, and then the Ultimate Boot CD, something I didn't know about at all. One of my students brought it in.

I've got a few semi-disturbing hacker-type students. In fact, a good part of my job turned out to be defending my hackers from the rest of the teachers, because along the way other teachers got upset. They said, what's going on in that lab anyway? Why is this lab open all the time when the other labs aren't open, and what are they doing in there? And there's one guy in particular that couldn't even bother to pass the course. And you see, hackers, in my experience, a lot of my hackers are brilliant people with no particular interest in jumping through any stupid hoops. They're not motivated by a degree or, like, a letter grade or anything. They'll just do what they want to do. So this guy was great, and everyone else kept trying to throw him out of the college.
He would come in my lab, just show up and see what's fun today. He's taking apart the machines, changing them, wiring up the network, installing bizarre stuff on them, and he would flunk my class, right? He didn't show up, he didn't take the test, if he did he didn't know the right answer, and he dropped all those. So the other teachers said, he's an idiot, why do you even have him around? I said, no, he's the only one keeping the lab working. All these machines were broken last semester. I couldn't keep them fixed as fast as they were broken. He's fixing them. There's nothing he wants to do more than just be a network admin, patch all the machines. And so I just made him my assistant. There's, like, a work experience class you can take, so that was his class, fixing the machines. He dropped all the others he couldn't pass anyway, and he was happy and I was happy, but I had to keep fending off attacks on me. "This guy is no good, get rid of him." I said, no, I need him, he's great. "But why? He doesn't know anything." No, he knows great stuff, he knows stuff I don't know.

One of the things he knew about was the Ultimate Boot CD, which is an environment sort of like Ophcrack or a bunch of live CDs, that boots from a CD and then lets you mess with the accounts on a Windows machine. And the interesting thing about that is it works on Vista. It's designed for XP, but you can create an administrator account on Vista. Now, my impression from playing with it in a virtual machine, and I must admit probably a Vista beta, was that it wasn't very good for the Vista. It seemed to me like the Vista never worked very well after that. But you can take a Vista that you're locked out of and create a new administrator account and get in with this thing.

Anyway, so at the end of it all, here's what happened. 80 students took it. Both sections were completely full. I had to turn some people away. 40 of them passed, which is typical at my college. That might sound disturbing. It certainly would to me in my typical four-year
university education, where you're entering a pipe that has a freshman at one end and graduation at the other end and you're all supposed to go through the pipe. But it's not at all unusual where I'm at, and a lot of them are just overburdened. But you have to understand, our students are not trying to earn a degree. They're trying to get skills for work, and most of them are network administrators, and many of them would miss class after class because "there's a problem in the network and I have to stay and fix it." And I remember I did the same thing. When I was working all day, I would miss my Access class because I'm the IT guy, I've got to fix the network. It doesn't matter, I can just flunk that class, and it's not important compared to my job. Anyway, well, of course, some of them were just people that didn't try hard enough.

And by the way, let me just go back and mention something here. I mentioned we had a lot of projects that involved hacking passwords. I got kind of disturbed. One thing you would think is it would be the A students that would be lab assistants, but that's not true at all. Half of the students are the C students that really need to work in the lab, and they'll volunteer to be a lab assistant to be there and work regular hours, which is fine. But then one of them sent me an email saying, gee, I'm going to be late on my homework because I forgot my password. I said, wait a minute now. In other classes that might be a reason, but you can't tell me that you're locked out of one of your boxes, not in this class. Anyway, that guy got sick, and he's hopefully going to take it again next semester. But for a minute I said, wait a minute, how can that be?

Anyway, so half of them passed, but the main thing is there were no security incidents. We didn't get in any trouble with anybody. The students didn't apparently hack any real web servers, didn't steal anything. They seemed enthusiastic. They all seemed to quickly get on to the idea of what it is to be an ethical
hacker instead of a criminal hacker. And the only guy that really gave me any pause was really, really sharp. He knew everything, you know, a lot more than I did about creating exploits, and he showed up the first day and he said, you know, I nearly got busted about three years ago. I brought down this web server for five hours, and they almost tracked me down, and I almost went to prison, so I gave it up and didn't do any more hacking. And then I saw your class. Oh boy, now I'm gonna do it again. I said, I'm not really sure that's what my goal in offering this class was. But he was in fact going straight, and he went off to UC Berkeley, and he's off to great success. He did show me his Zone-H, I think, where he has his list of his exploits. Perhaps he was also on the T-shirt with Zone-H on it around here; I didn't know about it. They have a competition where they hack into government web servers and deface them, and he was part of a team that won some competition to deface the most web servers. Anyway, he's not doing that anymore, at least not as far as I know.

Anyway, everybody was very happy, and they all want a more advanced class, which is a good thing. So as far as I can tell, this is a great thing to do. It excites the students, it brings them in, they learn better because they get to really practice combat, attack and defense, and I think that really pounds it into them. I do not understand a science class where you read a book and watch a lecture and then you repeat it back on a test. I mean, what is the point? Mr.
Wizard was the best science teacher, in my opinion. You have to do something with your own hands, then you learn something.

Anyway, but I have to warn you, I imagine there are a lot of college teachers out there, there certainly seemed to be last year, that at four-year colleges, with students who have never had a job, just free from parental oversight and suddenly without limitations in a dormitory, you might have more discipline problems. Those people might really hack into places they shouldn't go, I would imagine. But at City College I had no real troubles. But our students are older. They're 30 and 40, they're working professionals, they have kids, they have jobs. They don't want to hack into anything. They just want to learn security to be better at their work.

Anyway, I just want to mention icons and institute supported me, and my department supported me fantastically. I just went and taught this whole hacking class in Texas to a bunch of teachers at a teachers' conference, the same one I went to a year before that said nobody should ever go to DEF CON. They got a different story this year, and everybody thought it was great. All the teachers had the same reaction: wow, this is fantastic, I love these projects, I've got to put them in my class. Then a week later, one of the teachers from that college emailed me saying, well, the administration just told me that I can't put any hacking tools on any of the computers in any of the labs. And I was sitting there responding, well, why did you even bring me down there to teach the class then? I decided not to send that one. But I said, well, this is like sex ed. I thought we went through this in the 60s and the 70s, that colleges are not here in the business of concealing information and hiding it. We're here to tell people the truth and give them all the knowledge so they can make sensible decisions, I thought. But, you know, apparently not everybody has caught on.

Anyway, I just want to mention, there's my contact information, and if anybody wants to use any of this stuff,
it's not very original. It's all largely based on the stuff that the people around here have created, so I stuck it on my website. Let's see, Escape. There we are, it gets me out of there. You're gonna come up or what? This computer, right, it was very cheap when I bought it and it runs very slow. Here's my website, samsclass.info. There's the class. If anybody wants anything, it's all there. Uh-huh. There, you see? See how cool that is? Isn't that really going to help you out? Yeah, maybe the... you know, they did take my website down, but that was another class. Anyway. Oh, anyway, I guess, too bad. I kind of wanted to show you that. That's getting kind of rude. Wonder if I just got kicked off the internet. No. By the way, when I was teaching... yeah, I think I did just get kicked off the net. Could be a layer one problem. Let's try that.

You know what, the last day at the Texas conference, the whole campus lost internet connection, and the other teachers really did come to me and say, you did it, didn't you? And they were serious. I said, well, thank you for the compliment. In fact, I don't think I know how to do it, but it's nice that you think I would. I thought about it as well. You know, now that you mention it, I can think of a few ways to do it.

But anyway, there we are. That's what I wanted to show you. There's the class, and what you've got here, page down, all right, is I've got all the, let's see, schedule, that's not too... there's all the lectures, which are from the textbook, the PowerPoints are there. But there's the projects, if anything that's probably the best part. So if anybody wants to teach any of this stuff someplace, feel free to take these, modify them, mangle them around, put your name on it, because this is all just my detailing of the steps required to do stuff that I found on the forums and in hacking videos and such.

I think I'm done now. There's really a fellow warning me I'm running out of time at some point. In fact, looks like I'm already over. Is the next guy here, or should I take questions? I thought I was done at 6:20, but looks to me like
I'm past 6:20. Right, I'll clear. I guess there's a Q&A room if anyone wants to ask questions.