Basic knowledge of TCP/IP. No time will be spent explaining IP addressing, ports, etc. This is an advanced packet analysis class.
Basic Unix command line knowledge. We do not use GUIs or Windows in this class, other than Wireshark.
To follow along and inspect network traces, Wireshark or another protocol analysis tool must be installed on the student's laptop.
To run the VM, the student must install VMware Player or VMware Server (both free) or the commercial VMware Workstation.
For maximum flexibility in class, wired and wireless connectivity is encouraged. Access to a CD or DVD reader is helpful to read the class CD.
Black Hat DC Training 2008
Westin Washington DC City Center • February 18-19
TCP/IP Weapons School:
Black Hat Edition
Richard Bejtlich, TaoSecurity
Do you want to do something with Ethereal/Wireshark besides inspecting normal traffic? Do you want to learn how networks can be abused and subverted, while analyzing the attacks, methods, and traffic that make it happen? Are you ready for technical, packet-centric training that really matters? If your answer to any of these questions is yes, join Richard Bejtlich for TCP/IP Weapons School, Black Hat Edition. We will walk up the layers of the OSI model, examining packet traces that detail the various ways attackers abuse core TCP/IP functionality. For example, have you seen an attack against a Windows service fragmented at the IP, TCP, SMB, and DCE-RPC levels? After this class you will not only know how this occurs and what it looks like, but you will have replicated and extended it.
Packet Delivery on the LAN
Dynamic Trunking Protocol
MAC Flooding (Macof)
ARP Denial of Service (Arp-sk)
Port Stealing (Ettercap)
Layer 2 Man-In-The-Middle (Ettercap)
Dynamic Trunking Protocol Attack (Yersinia)
Raw IP and Fragmentation (Nemesis)
IP Scrubbing (Pf)
IP Options (Fragtest)
IP Time-To-Live (Traceroute)
Internet Control Message Protocol (Sing)
IP IDs: Isnprober
IP IDs: Idle Scan
IP TTLs: LFT
IP TTLs: Etrace
IP TTLs: Firewalk
ICMP Covert Channel: Ptunnel
TCP ISN: Isnprober
TCP Fragmentation: Fragroute
TCP Manipulation: Fragroute
TCP Manipulation: Snort Flexresp2
TCP Windows: LaBrea
DCE/RPC-SMB: Impacket Exploit
Network Security Operations
Network Security Monitoring
Sample tools include Sguil (www.sguil.net), Argus (www.qosient.com/argus), and related applications.
This is a two-day course that augments hands-on inspection of packet traces with select labs. Students will receive a VMware virtual machine with select tools and traffic. This is an advanced packet analysis class for students who wish to detect and respond to security events.
Who Should Attend
This class is ideal for a security analyst or network engineer who knows networking to some degree but wants to understand what is really happening on the wire and what these attacks look like there.
Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.
Richard Bejtlich is Director of Incident Response for General Electric. Prior to joining GE, Richard operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation's Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone's incident response team, and monitored client networks for Ball Corporation. Richard began his digital security career as a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote "The Tao of Network Security Monitoring" and "Extrusion Detection," and co-authored "Real Digital Forensics." He also writes for his blog (taosecurity.blogspot.com).