This page is updated (check the update date at the end) every week after each session.

Course Description

The subject of this course is to use the Honeynet/pot technologies as a tool to discover and learn existing and new threats to networked/distributed information system. The course includes a project to build a custom honeypot to turn the theory into a practical collection engine. The course requires a high involvement from the participants.

Given by : Alexandre Dulaunoy


During the period of the course, there will be a specific project to realize. The project is fully integrated into the course sessions that means some topics covered will help to enhance or complete your work.

Project definition and group composition (2 or 3 max) should be sent before end of January 2010. Project will be registered at and released under a free software license. Project needs to be tagged in gitorious as dess-20092010. The project must be completed for 29th of April 2010.

Scope of the project can be one of the following topic (some topics could overlap) :

Project Evaluation

Evaluation of the project is based on the following parameters : 25% originality/innovation 25% implementation 25% documentation 25% security and risk analysis.

Documentation should be part of the project development process also including design decision or risks analysis.


Sat. 16 Jan 2010 (09h00->13h00)/SSIC Computer RoomIntroduction to Honeynet/pot Technologies
and network datacapture. Reminder regarding the legal status of Honeynet/pot and your ethical role.
Intro and History - Honeynets
Legal framework of Honeynet/pots
Sat. 23 Jan 2010 (09h00->13h00)/SSIC Computer RoomIntroduction to network & data capture in honeypot. Introduction to the analysis of unknown software.
Network Data Capture : Berkeley Packet Filter Practical analysis of a rootkit Other techniques of dynamic analysis : An Instrumented Analysis of Unknown Software and Malware Driven by Free Libre Open Source Software
Sat. 30 Jan 2010 (CANCELLED)
Sat. 6 Feb 2010 (09h00->13h00)/SSIC Computer RoomData capture in honeypot - practical examples. Attackers' Principles. Forensic Analysis. Project proposal review.honeypot datacapture Attackers' Principles
Sat. 13 Feb 2010 (09h00->13h00)/SSIC Computer RoomForensic analysis of honeypot or compromised systems. Forensic analysisSupporting papers : Order of Volatility - Memory as Example,Password in memory,Flash and Forensic Analysis
Sat. 20 Feb 2010 (09h00->13h00)/SSIC Computer RoomWork assignment - finding and reporting security vulnerabilities in two free software : MojoMojo and DokuWikiTest will be performed by different groups (from black box testing to white box testing). Impact will be defined by the whole class including the report to be performed at the end of the session.
Sat. 6 March 2010 (09h00->13h00) via IRC (TCP 9090) IRC (TCP 80) Closing open points about projects and exam scope (theory : pcap filters and honeypot).Conclusion :What have we learned from attackers?

Sessions - Additional Support


You may find that the subject is too experimental and not yet mature for real-life application. If you have any issue with the course (including the way I teach it), don't hesitate to talk about as soon as possible.