Black Hat Digital Self Defense USA 2006


Black Hat USA 2007 Briefings and Training
Caesars Palace, Las Vegas July 28-29 (Weekend) & July 30-31 (Weekday)

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

Black Hat Registration

TCP/IP Weapons School: Black Hat Edition

Richard Bejtlich, TaoSecurity

What to bring:
Basic knowledge of TCP/IP. No time will be spent explaining IP addressing, ports, etc.

Students must have a laptop with Wireshark/Ethereal installed, and an OpenSSH client.

To run the VM, the student will need the free VMware Player or Server, or the commercial Workstation.

The student laptop should have a wireless connection (802.11b or 802.11g) and preferably an Ethernet port to connect to a wired network.

Do you want to do something with Ethereal/Wireshark besides inspecting normal traffic? Do you want to learn how networks can be abused and subverted, while analyzing the attacks, methods, and traffic that make it happen? Are you ready for technical, packet-centric training that really matters? If your answer to any of these questions is yes, join Richard Bejtlich for TCP/IP Weapons School, Black Hat Edition. We will walk up the layers of the OSI model, examining packet traces that detail the various ways attackers abuse core TCP/IP functionality. For example, have you seen an attack against a Windows service fragmented at the IP, TCP, SMB, and DCE-RPC levels? After this class you will not only know how this occurs and what it looks like, but you will have replicated and extended it.

Layer 2

  • Packet Delivery on the LAN
  • ARP Overview
  • Arping
  • Arpdig
  • Arpwatch
  • Dynamic Trunking Protocol
  • MAC Flooding (Macof)
  • ARP Denial of Service (Arp-sk)
  • Port Stealing (Ettercap)
  • Layer 2 Man-In-The-Middle (Ettercap)
  • Dynamic Trunking Protocol Attack (Yersinia)

Layer 3

  • Internet Protocol
  • Raw IP and Fragmentation (Nemesis)
  • IP Scrubbing (Pf) IP Options (Fragtest)
  • IP Time-To-Live (Traceroute)
  • Internet Control Message Protocol (Sing)
  • IP IDs: Isnprober
  • IP IDs: Idle Scan
  • IP TTLs: LFT
  • IP TTLs: Etrace
  • IP TTLs: Firewalk
  • ICMP Covert Channel: Ptunnel

Layer 4

  • TCP ISN: Isnprober
  • TCP Fragmentation: Fragroute
  • TCP Manipulation: Fragroute
  • TCP Manipulation: Snort Flexresp2
  • TCP Windows: LaBrea

Layer 5

  • SunRPC-NFS
  • DCE/RPC-SMB: Impacket Exploit
  • XML-RPC: Monkeyshell

Layer 6

  • Decoding SSL: Ssldump
  • Decoding SSL: Wireshark
  • Decoding HTTP and Gzip
  • HTTP Chunked Encoding: Metasploit
  • ASN.1 Encoding: Metasploit
  • WMF: Metasploit

Layer 7

  • Application Fingerprinting: NTP
  • Application Fingerprinting: DNS
  • Application Fingerprinting: HTTP
  • Application Fingerprinting: PADS
  • Application Fingerprinting: Fl0p
  • Covert Channel: HTTP
  • Covert Channel: DNS
  • Fuzzing: SNMP

Course Structure
This is a two-day course that combines lecture, hands-on labs, demonstrations, group exercises, etc. A VM will be provided to students who wish to try the tools for each layer. Target VMs will also be provided for labs that require multi-VM interaction. Demonstrations of certain activities that are too complicated or not possible to replicate with VMs (such as certain layer 2 attacks) will be shown.

Who Should Attend?
This class is perfect for a security analyst or networking person who knows networking to some degree but wants to really know what is happening and how these attacks look on the wire.


Richard Bejtlich is founder of TaoSecurity ( He was previously a principal consultant at Foundstone. Richard created network security monitoring operations for ManTech and Ball Corporations. From 1998 to 2001 then-Captain Bejtlich defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT). Formally trained as an intelligence officer, Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote "The Tao of Network Security Monitoring" and "Extrusion Detection," and co-authored "Real Digital Forensics." He also writes for his Web log ( and teaches at USENIX.

Black Hat Registration

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.


Ends May 31, 2007

Ends July 19, 2007

Begins July 20, 2007




Black Hat Logo
(c) 1996-2007 Black Hat