Note: if the class is overfilled, you will be contacted should this occur.

All course materials, lunch and two coffee breaks will be provided.
You must provide your own laptop.

ICMP (or in its full name the Internet Control Message Protocol) looks harmless at first glance. In terms of Security ICMP is one of the most controversial protocols within the TCP/IP protocol suite.

This workshop will be an in depth theoretical and hands-on experience with the TCP and UDP stepbrother – the ICMP protocol, and its usage in Scanning.

Scanning will be only a portion of this workshop.

Part One: ICMP protocol’s basics.
We will cover how messages differ from one another, where we expect to see them on a network, and most important- when; the explanation of the circumstances in which each ICMP message is generated (with ICMP error messages we will be explaining what the different triggers are for this message generation and what network problems contributes to each one of them); and the security problems associated with each and every ICMP message.

We will be covering security related topics such as:

• Denial of Service
• Spoofing
• Covert Channels
• Traffic Abnormalities (we will learn how to differentiate between legitimate and non-legitimate traffic)
• Profiling Traffic
• and more.

Much of the TCP/IP protocol suite’s networking phenomenon will also be explored. It will include Host, Server and Router behaviors that people may experience in a day to day operation of their networks- both from the networking stand point (Routers & Switches) and from a security stand point (IDS, Firewalls, etc).

Part Two: The usage of ICMP for Active Scanning.
This section will begin with some basic Host Detection methods and will illustrate unique situations where ICMP error messages will help a malicious party. This will include a demonstration of Host-based security methods with several operating systems, and will illustrate why some of the OSs do not provide the user with enough tools to achieve a complete Host-based security solution.

There will be more in-depth explanations and demonstrations of Advanced Host Detection methods that aim to use traffic that will trigger ICMP error messages back from a probed machine/IP range. Some of the methods allow the detection of filtering mechanisms as well as access control lists (ACL) schemes. Also included is a demonstration on how some Firewalls fail to block packets with mangled values inside the IP Header and how these packets help us in detecting certain hosts behind a protecting firewall.

We will cover methods that take advantage of Router (and level 3 aware switches) functionality and aid a malicious party to map a network.

Active operating system fingerprinting methods using the ICMP protocol will be examined and explained. The methods, discovered by the ICMP Project, will allow a malicious party as well as an auditor or an administrator to accurately identify the flavor of an operating system using a very low number of packets sent (usually one). Some of the usages for active operating system fingerprinting may include auditing your networks for illegal installations of unauthorized operating systems.

For example, we will explore methods that will allow us to identify and differentiate between all of the different Microsoft based operating system flavors.

We will focus on our ability to combine several active operating system fingerprinting methods together so a better, faster, and more accurate process of active system fingerprinting will be in our auditing tools set.

Part Three: Ways to identify the different methods of active operating systems fingerprinting using the ICMP protocol with the help of Snort, a free IDS utility. An explanation of Snort will be given, as well as how to write a rule base for this awesome IDS open source utility.

Part Four: Passive operating system fingerprinting using the ICMP protocol.
We will go through the basics of passive fingerprinting and what power it gives to those who use it. We will explore the types of information one might glean from a network (application wise, operating system identification wise, etc). We will be looking at a demonstration of the Microsoft way of implementing ICMP within their different operating systems and how this helps us to passively differentiate between them all.

Part Five: Ways to build a proper firewall rule base and mechanisms to prevent most of the methods introduced in the workshop.

Part Six: Examining the subject of traffic profiling and ways we can use it to enhance our overall network security (not only regarding ICMP).

The students will be given the newest version of the ICMP Usage in Scanning research paper, version 4.0, which will be released at the Black Hat Briefings, as well as a CD ROM containing all tools and papers discussed during the training.

Ofir Arkin, Founder, Sys-Security Group

With extensive knowledge in the information security field, Ofir Arkin has worked as a consultant for several European finance institutes where he played the rule of Senior Security Analyst, and Chief Security Architect in major projects. His experience includes working for a leading European Swiss bank architecting the security of the bank's E-banking project.

Ofir also acted as chief security architect for a 4th generation telecom company, were he designed the overall security scheme for the company.

Ofir has published several papers as well as articles and advisories. Most known are the "ICMP Usage in Scanning", and "Trace-Back" research papers. Some of his research was mentioned in professional computer security magazines. He is an active member with the Honeynet project and participated in writing the Honeynet's team book, "Know Your Enemy" published by Addison-Wesley.

The Sys-Security Group, is a web site dedicated to computer security research run by Ofir Arkin