Tuesday, July 11, 2006

TCP/IP Weapons School Will Rock

Are you attending TCP/IP Weapons School at USENIX Security 2006 in Vancouver on 31 July and 1 August 2006? If yes, these are the topics I will cover:

  • Hardware and Network Design
    • Bridges
    • Hubs
    • Switches
    • Routers
    • Duplex and Domains
    • Layer-X Switches
    • Middleboxes
    • Local Area Networks
    • xANs, VPNs, and WLANs
    • VLANs

  • Layer 1
    • What is Layer 1?
    • Ethernet
    • Raw Ethernet (Nemesis)
    • UTP
    • Ethernet over UTP
    • Fiber Optics
    • Ethernet over Fiber Optics
    • Ethernet Emulation over FireWire
    • IP over FireWire
    • IP over Wireless

  • Layer 1 Attack
    • Rogue Access Point

  • Layer 2
    • What is Layer 2?
    • Ethernet Revisited
    • Revisiting What is Layer 2?
    • Test Network Layout
    • Packet Delivery on the LAN
    • Ethernet Interfaces
    • ARP Basics
    • ARP Request/Reply
    • ARP Cache
    • Arping
    • Arpdig
    • Arpwatch
    • Dynamic Trunking Protocol

  • Layer 2 Attacks
    • Test LAN Reference
    • Changing MAC Addresses
    • MAC Flooding (Macof)
    • ARP Denial of Service (Arp-sk)
    • Port Stealing (Ettercap)
    • Layer 2 Man-In-The-Middle (Ettercap)
    • Dynamic Trunking Protocol Attack (Yersinia)

  • Layer 3
    • What is Layer 3?
    • Internet Protocol
    • Raw IP (Nemesis)
    • IP Options (Fragtest)
    • IP Time-To-Live (Traceroute)
    • Internet Control Message Protocol (Sing)
    • ICMP Error Messages (Gnetcat)

  • Layer 3 Attacks
    • IP Spoofing
    • Gont ICMP Attacks
    • ICMP Shell

I am really excited by this class. If you read the class description posted at USENIX, you'll notice it goes through levels 1-7. After creating 312 slides for a two-day class, I realized I needed to stop with level 3. I originally envisioned this class being a four-day affair, and once I develop material for levels 4-7 I can see it being a new four-day class.

One of the reasons I think this class will be special is that I generated Libpcap traces of all of the interesting traffic discussed in the class. Students can load them into Wireshark and follow along as we learn what they mean.

Developing the class was absolutely grueling (well, not like digging a ditch), but still fun. I had never used Yersinia to fake a trunk line and get access to VLAN traffic on a Cisco switch, but it's in the class now.

The USENIX class description recommends students bring some version of VMware to class so they can run a VM I will provide. I will indeed provide a FreeBSD VM including all of the tools I used on FreeBSD. I'll probably also include a Debian VM for those tools that didn't run on FreeBSD. However, you will not be able to duplicate all of the attacks I ran while developing this class. VMware is nice, but it cannot simulate conditions in a real hardware lab, especially when mucking around with layer 2.

If you have any questions, please post them here.

I am probably going to offer this same two-day class at USENIX LISA on 3-4 December 2006 in Washington, DC. I am contemplating offering additional material independent of USENIX, perhaps before the conference (which runs 3-8 December) or after the conference. That means Saturday 2 December or Saturday 9 December. These would be paid events separate from USENIX. If you would have any interest in attending training while you are in town, email me (richard at taosecurity dot com) with your ideas.

8 comments:

Joe said...

Will you be offering this class at any other conferences besides USENIX?

Richard Bejtlich said...

Joe,

I will start offering TCP/IP Weapons School as an independent course to private organizations. I will probably also organize a public class, maybe before the end of 2006 but probably in early 2007. I don't intend to teach TWS anywhere else, unless invited to do so.

Anonymous said...

Man, you tease so much! :) Unfortunately, due to my financial situation this summer, I can't make plans to attend anything. But once I can...this would be awesome to check out!

-LonerVamp

Joe said...

Since I'm paying for their classes this year, I'll recommend this course to the BlackHat folks.

Richard Bejtlich said...

Thanks Joe. I'm not sure I'm 31337 enough for Black Hat though.

John Ward said...

So is that rock, as in "Rock you Like a Hurricane", that song they always play at air shows and was tired and lame in the 80's? Or is that Rock as in "The Rock", and you're gonna lay the People's Eyebrow down on some jabronis and show some really kick-ass tools and techniques ;)

If it's the latter, how about you teaching that somewhere down south, particularly down in the SA/Austin area and invite your old buddy John to the class? I'd invite you, I just couldn't pay you :)

wpn said...

Yes, yes! Another vote for SA/Austin. I'd pay for the class; I just can't do out-of-state travel. Anything to avoid Yet Another Snort Class.

Anonymous said...

Where's the love for the West coast?