IT Systems Attack and Defence Course (October 2025)

IT Systems Attack and Defence is a practical 5-day course, intended for system administrators, developers and other technical personnel. The course introduces tools and methods used by attackers to gain access to IT systems and discusses potential countermeasures and ways of detection. A large part of the course is based on hands-on exercises. Practical tasks focus mainly on the offensive side of IT security, the participants can try out for themselves how various real-world attacks can be conducted. In addition, participants can take part in a Capture the Flag competition, where points are awarded for successfully completing the hands-on tasks, with bonus points awarded for the fastest students.

Students will be provided with virtual machines based on Kali Linux. The majority of the tools used in the class are free or open-source. The vulnerable web applications are built using mostly PHP and MySQL. The course does not focus on specific technologies, but rather uses them as an example for certain classes of attacks.

 

Learning Objectives

The course introduces students to the way penetration testers and hackers think. Practical work is used to further develop this kind of thinking and also to figure out ways how to defend against these kinds of attacks. The course does not go in-depth into specific vulnerabilities, rather it serves as a broad introduction into IT systems attacks and points the students towards material where to learn further.

The following topics will be covered during the course:

• Phases of a cyber-attack:
  • Reconnaissance
  • Scanning and Enumeration.
  • Gaining Access.
  • Privilege Escalation.
  • Lateral Movement.
• Provide an overview of common tools used by penetration testers and attackers.
• Show various ways of doing reconnaissance.
• Understand, see and do different ways of network scanning.
• See and do different ways of network infrastructure attacks.
• See and do different types of DNS attacks.
• Explore Web Application Security:
  • Main building blocks of web applications.
  • Session management and authentication attacks.
  • Injection attacks (SQL injection, OS command injection, File inclusion, Insecure file upload functionality).
  • Cross-site scripting.
  • Cross-site request forgery.
• Get an overview of various protection mechanisms and common misconfigurations in a Windows domain environment.
• See and do stealing credentials from Windows systems and using them to conduct Pass-the-Hash and Pass-the-Ticket attacks.
• Conduct man-in-the-middle attacks.
• Use Metasploit Framework and existing exploit code against different targets, including client-side attacks.
• Exploit vulnerabilities in custom-built web applications.

 

Target Audience

The course has been designed for network and system administrators and security specialists. In general, the expected audience should consist of people who have a good background in information technology, whether gained from studies at university or by practical experience, or both. We do not expect these individuals to have knowledge or good practical know-how about security problems of computer networks and applications. Professional security practitioners or penetration testers with years of experience are not the target audience for this course.

 

Outline

• Introduction of the lab environment. The basics of Kali Linux and Metasploit.
• Reconnaissance: sources and tools for gathering information about target networks.
• Network scanning: host discovery, TCP and UDP port scanning, operating system detection, vulnerability scanning, scanning in IPv6 networks, honeypots and tarpits.
• Enumeration: using DNS, SNMP and other protocols to identify potential vulnerabilities.
• Credential attacks: password guessing and cracking, how passwords are stored in IT systems, hashing functions and identified vulnerabilities in them, Rainbow Tables, best practices for password security.
• Network infrastructure attacks and defence: MAC flooding, ARP spoofing, ICMP redirection, IP spoofing and fragmentation, VLAN hopping, leaking data over CDP, BGP hijacking; port security, DHCP snooping and dynamic ARP inspection, private VLANs, 802.1x.
• DNS security: DNS overview, DNS tunnelling, DNS rebinding, DNS snooping, cache poisoning attacks, DNSSec.
• Windows Security: Pass-the Hash, Pass-the-Ticket, Kerberos ‘Silver and Golden Ticket Attack’, Authentication methods, Security mechanisms, Privilege escalation, Process injection.
• Web Application Security:
• Main building blocks of web applications.
• Session management and authentication attacks.
• Injection attacks:
  • SQL injection.
  • OS command injection.
  • File inclusion.
  • Insecure file upload functionality.
• Cross-site scripting.
• Cross-site request forgery.

 

Theoretical lectures are supported by sets of practical exercises. These allow the students to conduct different tasks such as:

• Using various open-source or freely available tools for information gathering from public sources.
• Scanning small networks to finding alive hosts or machines with specific vulnerabilities.
• Using DNS enumeration to find interesting hosts, exploiting unprotected SNMP service for enumeration of information.
• Tunnelling arbitrary IP traffic over DNS protocol in restrictive environment.
• Guessing and cracking passwords.
• Stealing credentials from Windows systems and using them to conduct Pass-the-Hash/Pass-the-Ticket attacks.
• Conducting man-in-the-middle attacks (e.g. dissecting and sniffing SSL encrypted traffic) by using ARP spoofing in IPv4 networks and falsified Neighbour Advertisements in IPv6 networks.
• Using Metasploit Framework and existing exploit code against different targets. This includes client-side attacks.
• Exploiting vulnerabilities in custom-built web applications.

Prerequisites

• Ideally, the students would have at least junior administrator level experience with Windows and Linux based systems. They should understand the main networking protocols (e.g. ARP, IP, ICMP, TCP, UDP, DNS, HTTP, SNMP, SMTP), have some experience with web technologies (like HTML, PHP, JavaScript) and knowledge about relational database management systems (MySQL).
• Programming skills are helpful.
• English language skill comparable to STANAG 6001, 3.2.3.2. is required.
• Student’s workstation will be based on Kali Linux; therefore at least user-level knowledge of working with Linux systems on the command line is expected (opening ssh connections, working with the filesystem, configuring network settings, etc).
• The course has a mandatory e-learning module (ADL 394 “IT Systems Attack and Defence”, see the details in the “e-Learning courses” chapter) that can be accessed through the NATO e-Learning Joint Advanced Distributed Learning portal and will be available to all users of the portal. Once registered, users may access the course by navigating to the ‘Centres of Excellence’ -> ‘COE Cyber Defence’ -> ADL 394 ‘“IT Systems Attack and Defence’ course listing.

ISACA CPEs

With the completion of this course the students can earn 35 ISACA CPE hours.

Registration

Please register for the course by visiting the NATO CCDCOE website and completing the provided registration form before the deadline. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact.

Module certificate of the ADL 394 must be send to [email protected] when registering for the residential part of the course. You can download it once you have successfully finished the final test of the e-Learning module.

An email confirming the participation will be sent only after the registration has closed.

Seat allocation will only be approved when the payment of the course fee is confirmed.

Should you have any questions, please contact: [email protected]