Training before The Black Hat Briefings '01
Amsterdam, November 19th - 20th
Providing practical security of current issues
Class overview and schedule
Class size will be up to a maximum of 30 people.

Today, more than ever, protecting the IT resources of a company against security threats is of vital importance.  In order to do this, your company's professionals need to be capable of guarding your company's resources.  Black Hat Training is designed to raise these professionals' competence level in Internet security to a whole new level.

The Trainers
The trainers for these sessions are experts in the subject matter they are teaching and are fully active in the computer security arena.  Some of the speakers you won't find anywhere else.  They are taking some time out of their heavily occupied life in order to lead training for Black Hat.  Here, they want to share new and interesting security information on cutting-edge topics.  Get to know the tools and techniques applied by hackers.  Fight them with their own means.  Those hand-picked security experts will train you in understanding the real threats and securing your network. 

Lunch and two coffee breaks will be provided.

Offerings (Track 'A' and 'B')
Two days before the Black Hat Briefings 2001 Amsterdam, Black Hat, Inc. is proud to present in-depth training in three parallel tracks.
Monday, November 19th
Ofir Arkin Advanced Scanning with ICMP 
JD Glaser NT Network Intrusion Workshop
Halvar Flake Auditing Binaries for Security Vulnerabilities
Foundstone Ultimate Hacking: Black Hat Edition - Day 1-2
Tuesday, November 20th
JD Glaser NT Network Intrusion Workshop
Foundstone Ultimate Hacking: Black Hat Edition - Day 2-2
Rooster Complete Windows 2000 Security
Tim Mullen Secure Development of Data-Driven Web Applications

Ofir Arkin Advanced Scanning with ICMP

The Internet Control Message Protocol (ICMP) may seem harmless at first glance. In terms of security, ICMP is one of the most controversial protocols in the TCP/IP protocol suite.
This workshop will be an in-depth theoretical and hands-on experience with the ICMP protocol and its usage in scanning.

We will start by explaining the protocol's basics and characteristics. We will explain the circumstances in which each ICMP message is generated and, for ICMP error messages, what triggered them. We will explain where and why to expect to see ICMP messages, and in which segments of your network. We will go over the security hazards (such as DoS, covert channels and more) associated with each ICMP message. This part of the training explains many phenomena in TCP/IP networking.

We will explain some basic Host Detection methods. We will not only concentrate on ICMP query messages, we will also examine some unique situations where a simple ICMP error message will carry more than enough information for the malicious computer attacker.

We will cover host-based security methods and explain why these measures are not enough.
Next we will survey methods which aim to trigger ICMP error messages back from the probed IP addresses. Some of these Advanced Host Detection methods will allow us to detect the presence of a filtering device, and even to learn and understand the ACL scheme a filtering device is enforcing on a protected network. We will also learn why, in some cases, firewalls fail to understand that values inside the IP header were mangled. We will have a live demonstration with one of the leading firewall products in the market today. Methods which take advantage of router functionality, and aid a prober in unique circumstances, will also be examined.

Active operating system fingerprinting methods using the ICMP protocol, discovered by the ICMP project, will be examined and explained. We will examine the methods that allow us to clearly identify a flavor of an operating system. We will demonstrate methods that will allow us to fingerprint and differentiate between Linux, Sun Solaris, Microsoft (all flavors), HPUX, AIX, FreeBSD, Ultrix, and other OS-based machines. For example, we will demonstrate how we can differentiate between all the different flavors of Microsoft-based operating systems. We will be using a set of tools to generate the queries and examine the different behavioral patterns we produce from the servers in the class.
We will focus on our ability to combine everything together, and how this makes the process of operating system identification and fingerprinting more efficient and simple (even better than common methods being used in the computer security field today).

We will learn ways to identify the different methods of active OS fingerprinting using the ICMP protocol with the help of Snort, a free IDS utility.

The subject of Passive Fingerprinting using the ICMP protocol will be explained and demonstrated. We will examine the Microsoft way of implementing the ICMP protocol and how this helps us to fingerprint all of the Microsoft based operating systems passively. We will also explain how to build a proper firewall rule base that might handle most of the methods introduced.

What to bring to training: Students are encouraged to bring their own laptop, packed with their favorite OS, sniffing tools, and the telnet client of their choice. 

Ofir Arkin is the Founder of the Sys-Security Group, a free computer security research body. Ofir is most widely known for his research about the ICMP protocol usage in scanning. He has extensive knowledge and experience with many aspects of the Information Security field including: Cryptography, Firewalls, Intrusion Detection, OS Security, TCP/IP, Network Security, Internet Security, Networking Devices Security, Security Assessment, Penetration Testing, E-Commerce, and Information Warfare. Ofir has worked as a consultant for several European finance institutes where he played the role of Senior Security Analyst and Chief Security Architect in major projects. Ofir has published several papers; the newest deal with "Passive Fingerprinting techniques" and with the "ICMP protocol usage In Scanning".

JD Glaser NT Network Intrusion Workshop

This NT Network Intrusion workshop will put the student in control of network intrusion traffic analysis. It will focus on NT specific protocols and attack patterns. The course will consist of two parts. 

The morning workshop will deliver an overview of: 
1) Network monitors and capture filter techniques 
2) Specific tips on using sniffers - Tcpdump / Netmon / SnifferPro / NGrep / Analyzer / Ethereal
3) NT-specific traffic analysis: SMB traffic
4) Demo traffic and attack pattern analysis 
5) Detailed review of current IIS web attacks on the wire

The afternoon session will be an intensive hands-on traffic analysis workshop in which the students will directly apply what they have learned from the morning session. Activities will include establishing baseline patterns and intrusion packet identification using the students' own tools. (Software tools will be provided for students without their own.)

Several current attack patterns will be mixed into a live network and the student must correctly identify the attack activity. The emphasis will be to learn how to react to the shortcomings of IDS systems, or to new attacks that IDS aren't aware of. Students should bring their own laptop / network card running NT or Unix/Linux to obtain the best hands on experience.

What to bring for this training: A laptop with a 10/100 MB ethernet network card running Windows NT or Windows 2000. Everyone will have something to work with.

What will be provided: A CD with several opensource win32/linux sniffers to use in class - TCPDump, NGrep, Analyzer and Ethereal

New: Updated slides will cover settings for just about every sniffer - NetMon, SnifferPro, TCPDump, NGrep, Analyzer and Ethereal

Halvar Flake Auditing Binaries for Security Vulnerabilities

This workshop will give the audience a good overview of the process of manually auditing binaries for security vulnerabilities.  The theoretical part will take up most of the morning and cover the following topics:

     1)  Common C/C++ Programming mistakes and how they look when compiled
     2)  Using IDA Pro
     3)  Spotting suspicious constructs in the binary
     4)  Threat evaluation on suspicious programming constructs

The afternoon will be the hands-on part. The students will be provided with several known-to-be vulnerable binaries (both real-life products and constructed examples) and are encouraged to work either in teams or on their own trying to spot the vulnerabilities. This part of the day is intended both to help the students get familiar with the usage of IDA Pro and to let them ask the questions that arise during the process of actually analyzing executables. Furthermore, it will give the students a good impression of the amount of frustration involved in auditing closed-source programs.

What to bring to training: Students are encouraged to bring their own laptop running 9x/ME/NT/2k and their own copies of IDA Pro. For the workshop itself the evaluation version of IDA Pro will be used. Furthermore, a decent knowledge of C programming and a passing knowledge of x86 assembly is needed in order to get anything out of this workshop.

Foundstone Ultimate Hacking - Black Hat Edition

Foundstone presents a special 2 day edition of Ultimate Hacking for the Black Hat Briefings and Training for the Amsterdam Black Hat.

Security vulnerabilities are an unfortunate, but unavoidable, part of today's computing systems. If exploited by internal or external users, these weaknesses can be catastrophic to your organization. Ultimate Hacking participants learn step-by-step procedures for executing Internet, intranet, and host-level security reviews through classroom presentations and hands-on lab exercises. This course is the definitive training for learning how to perform "tiger team" and attack and penetration assessments.

Foundstone instructors cover all the bases, presenting manual and scripted security-review techniques that go far beyond what automated analysis tools can do. Equally important, the classroom lab provides a way for participants to take that abstract information and apply it in a hands-on environment. You return to your organization with valuable knowledge and experience.

What Is Taught? Because security is an ever-changing battlefield, we continually update Ultimate Hacking to reflect the latest network vulnerabilities and defenses, from Windows NT and Unix hosts to routers and firewalls. Instructors illustrate each technology's default security posture, common installation weaknesses, methods hackers use to circumvent "secure" settings, and countermeasures for each vulnerability. 

Classroom instruction is just the beginning though. The most effective way to gain security skills is to practice them, and Ultimate Hacking participants have a full computer lab at their disposal to do just that. 

Foundstone instructors walk you through footprinting an organization's Internet presence (with proper permission!), then show you how to identify, exploit, and secure well-known and little-known vulnerabilities in Windows NT, Windows 2000, and Unix systems.

Participants also explore common weaknesses in router and firewall installations, learning ways to circumvent both traditional and "hardened" security filters or firewalls. The course's final exercise assimilates the multi-day instruction. In it, participants assess and attempt to exploit a simulated "secure" network with multiple OSes and security mechanisms. 

Why Do We Teach This?  In order to secure and monitor your network, you need to know its weak points. Traditional security assessments, performed by accounting firms or "boutiques," can yield valuable data. Too often though, assessments lack a structure for transferring information to those in your organization who can make the most of it. The hands-on Ultimate Hacking course provides participants with both the knowledge and experience to perform ongoing security assessments themselves. 

Who Should Attend? System and network administrators, security personnel, auditors, and consultants concerned with network and system security. Basic Unix and Windows NT competency is required for the course to be fully beneficial. 

Course Length: 2 days, 30 students
Cost: US $2,500

Includes an individual dual-boot Windows NT/Linux laptop for use during the course, use of the lab network and computers, class handouts, and a CD-ROM with course tools and scripts. Breakfast and an afternoon snack are provided.

Rooster Complete Windows 2000 Security

A comprehensive one-day course, Complete Windows 2000 Security takes you through the end-to-end process of securing your Windows 2000 network. Many people spend a tremendous amount of time locking down their systems, but this is really only part of the security process.  A complete process is made up of three steps: creating a security policy, implementing the security policy, and then auditing that policy.

This course will focus on Windows 2000 as a host, working on the Local Security policy, registry settings and other hardening techniques to get everything you can out of your Windows 2000 server.  The second half focuses on the domain level with Active Directory.  Concepts such as authentication, group policy, IPSec, and others will be covered here.

Creating a Security Policy:  The class structure will partly be defined by the class.  We will decide together what kind of a policy we want to define as an organization.  An example policy will be provided but we will only be using that as a skeleton for when we define our own.

Implementing the Security Policy:  Here we will actually dig our hands into what Windows 2000 has to offer.  Using the latest techniques and the cutting edge Microsoft technology we will push that policy first on the machine, then the domain.

Auditing the Security Policy: Once you have implemented your security policy how can you make sure it is correct?  And, how can you make sure it does what you want it to?  That is where the audit process comes in.  Here we will show you techniques that are used to verify the integrity of the system, including doing external attack type audits to verify the integrity of your policy.

Students should come prepared with a laptop running Windows 2000 Server.  Installing the latest version of Perl from, while not required, will definitely help you get more out of the class. Getting a good basic understanding of Active Directory will help as well.  We will be covering the basics but only briefly.  Using the help files that come with is a good place to start.  The site, specifically here has lots of information as well.

Tim Mullen Secure Development of Data-Driven Web Applications

Deploying a poorly designed web application can be like propping open the Front Door into your network infrastructure.  The vulnerabilities introduced by these design flaws can be exploited with different techniques of SQL injection, URL manipulation, error/debug code analysis, and other insidious methods.

Since detection of these attack modes can be difficult (or sometimes impossible when made over secure channels), it is not only important to learn how these attacks are structured; one must also learn how to build an application whose very structure mitigates the impact these techniques can have.

In contrast to many Black Hat sessions flavored toward the "exploit" side of things, this session will concentrate on the techniques and methods used to protect your network from these types of vulnerabilities, and "best practices" to follow when developing your data-driven applications.

With content specific to Microsoft IIS5 and SQL2000 utilizing ASP and ADODB, this course will provide an overview of a typical application's lifespan from the design and planning stage, through to its production and deployment.

The course will be broken into two main areas of study:  Development and Implementation.

During the development phase, we will cover the following:
1) Web Form Design
2) User Input Validation and Sterilization
3) SQL query string construction
4) Data object instantiation
5) Parameter typing and passing
6) SQL database design
7) Stored procedure design and execution

Implementation will cover the following specific technologies:
1) Microsoft IIS5 server configuration and hardening
2) Microsoft SQL2000 server configuration and hardening
3) SQL mixed mode authentication and pitfalls
4) SQL Integrated mode, user/group structure, and procedure permissions
5) Real-world deployments, vulnerabilities, and considerations

What to bring to training:  Students should bring their own network-ready laptops preferably running NT or Win2k with CDRom drive and an open mind.  A CD will be provided with reference material, sample code, and utilities.

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure enterprise-based accounting solutions.  Mullen is also a columnist for Security Focus' Microsoft Focus section, and a regular contributor of InFocus technical articles.  A.k.a. Thor, he is the founder of the "Hammer of God" security coop group.

How many people can attend?
Due to the experimental nature of these training sessions and the desire to create a hands-on environment with optimal interaction/communication between trainer and student, only the first 30 people will be accepted for each track.
What do I need to know?
Since this training is targeted toward a more advanced audience, students are expected to be familiar with all security basics and technologies, concepts of firewalls, and routing.  Basic system administration skills for Unix or Windows NT are expected.  If, on the other hand, you know your way around a Unix box, have dealt with Windows NT at a functioning administrative level, and have written and debugged your own or others' scripts, this training may be for you!
What do I need to bring?
Because of the technical nature of this training, students are required to supply their own hardware.  Laptops are the first choice, but if you want to bring a desktop that is also acceptable.  Laptop requirements will be dictated by which tracks you will be attending.  Please see the requirements of each training session when setting up your laptop.  The machines should be set up for a 10Mbit ethernet 10BaseT network. See the class section to get an understanding of what types of tools you should have already installed.

The Black Hat Training will take place at the Hotel Krasnapolsky in Amsterdam. Please visit this hotel information page for room rates and hotel specifics.

Costs are $750 US for each day of training, meals, and materials.
Costs are $2,500 US for the two day Foundstone Ultimate Hacking course.

Monday November 19th
Ofir Arkin, JD Glaser, Halvar Flake
08:00 - 09:00 Registration
08:00 - 09:00 Breakfast
09:00 - 13:00 Training
    Advanced Scanning with ICMP
    NT Network Intrusion Workshop
    Auditing Binaries for Security Vulnerabilities
    Ultimate Hacking: Black Hat Edition Day 1 of 2
13:00 - 14:00 Lunch
14:10 - 18:00 Training
18:00 - 20:00 Catered Reception, informal get together

Tuesday November 20th
Tim Mullen, JD Glaser
08:00 - 09:00 Registration
08:00 - 09:00 Breakfast
09:00 - 13:00 Training
    Secure Development of Data-Driven Web Applications
    NT Network Intrusion Workshop
    Complete Windows 2000 Security
    Ultimate Hacking: Black Hat Edition Day 2 of 2
13:00 - 14:00 Lunch
14:10 - 18:00 Training
18:00 - 20:00 Informal get together