
Black Hat DC Training 2008

Westin Washington DC City Center • February 18-19

TCP/IP Weapons School:
Black Hat Edition

Richard Bejtlich, TaoSecurity

Do you want to do something with Ethereal/Wireshark besides inspecting normal traffic? Do you want to learn how networks can be abused and subverted, while analyzing the attacks, methods, and traffic that make it happen? Are you ready for technical, packet-centric training that really matters? If your answer to any of these questions is yes, join Richard Bejtlich for TCP/IP Weapons School, Black Hat Edition. We will walk up the layers of the OSI model, examining packet traces that detail the various ways attackers abuse core TCP/IP functionality. For example, have you seen an attack against a Windows service fragmented at the IP, TCP, SMB, and DCE-RPC levels? After this class you will not only know how this occurs and what it looks like, but you will have replicated and extended it.

Layer 2

  • Packet Delivery on the LAN
  • ARP Overview
  • Arping
  • Arpdig
  • Arpwatch
  • Dynamic Trunking Protocol
  • MAC Flooding (Macof)
  • ARP Denial of Service (Arp-sk)
  • Port Stealing (Ettercap)
  • Layer 2 Man-In-The-Middle (Ettercap)
  • Dynamic Trunking Protocol Attack (Yersinia)

Layer 3
  • Internet Protocol
  • Raw IP and Fragmentation (Nemesis)
  • IP Scrubbing (Pf)
  • IP Options (Fragtest)
  • IP Time-To-Live (Traceroute)
  • Internet Control Message Protocol (Sing)
  • IP IDs: Isnprober
  • IP IDs: Idle Scan
  • IP TTLs: LFT
  • IP TTLs: Etrace
  • IP TTLs: Firewalk
  • ICMP Covert Channel: Ptunnel

Layer 4
  • TCP ISN: Isnprober
  • TCP Fragmentation: Fragroute
  • TCP Manipulation: Fragroute
  • TCP Manipulation: Snort Flexresp2
  • TCP Windows: LaBrea

Layer 5
  • SunRPC-NFS
  • DCE/RPC-SMB: Impacket Exploit
  • XML-RPC: Monkeyshell

Network Security Operations
  • Network Security Monitoring
  • Incident Response
  • Network Forensics
  • Sample tools include Sguil, Argus, and related applications

Course Structure
This is a two-day course that augments hands-on inspection of packet traces with select labs. Students will receive a VMware virtual machine with select tools and traffic. This is an advanced packet analysis class for students who wish to detect and respond to security events.

Who Should Attend
This class is perfect for a security analyst or networking professional who already knows networking to some degree but wants to really understand what is happening and how these attacks look on the wire.

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.


Richard Bejtlich is Director of Incident Response for General Electric. Prior to joining GE, Richard operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation's Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone's incident response team, and monitored client networks for Ball Corporation. Richard began his digital security career as a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote "The Tao of Network Security Monitoring" and "Extrusion Detection," and co-authored "Real Digital Forensics." He also writes for his blog.

Registration

  Ends January 1       $2000 USD
  Ends February 8      $2200 USD
  Begins February 8    $2400 USD