Hands-on Demonstrations by

Johannes Ullrich and Kevin Johnson 

Understanding your network is a first and critical step in detecting and preventing intrusions. In particular, the relatively new field of network forensics attempts to reconstruct events based on network packet captures, which may reveal data no longer recoverable from the compromised disk. This presentation will discuss basic network traffic "file carving" techniques. We will go over some covert channel techniques that do not leave any artifacts on the victims file system, and how to detect them and reconstruct payloads. In the second half, we will enter the new world of IPv6 and show how various tunneling mechanisms that are used by hosts to connect to IPv6 networks can be used. The presentation will include a large number of demonstrations and traffic samples as well as some tools and scripts will be made available to participants.

You will need to install the required software on your laptop for the hands-on exercises that will be done in class. A Linux VMware image is supplied for class exercises. Familiarity and comfort with entering commands via the command line will facilitate your experience with the hands-on exercises.

Before coming to the course, you will need to perform the following actions:

• Review the following laptop requirements to make sure your laptop is suitable for the course.
• Download and install the free VMware player for Windows or Linux (RPM or tarball) from the VMware site or VMware Fusion for Mac or have your own copy of the VMware workstation preinstalled (version 5.5x minimum or 6.x for Vista)
  Note: The VMware image supplied for the course is used to do all of the class exercises. The VMware image CD will be supplied during the course.

Organizations are under constant attack via the web applications they depend on to do business. In recent events, underground organizations such as LULSec and Anonymous are targeting and exploiting systems via SQL injection vulnerabilities. These vulnerabilities allow the attacker to gain access to an organization's data. In this presentation Kevin Johnson will explore some recent attacks, describe how various web application attacks work, and show live demonstrations of such attacks.

Attendees will gain a better understanding of how SQL attacks work and why web security problems are as severe as they are. The demonstrations will reflect the simplicity of the attack and how it can be used for much more than simple data exfiltration.
Don't forget your laptop to fully participate in these great learning events.

Before coming to the course, you will need to perform the following actions:

• Review the following laptop requirements to make sure your laptop is suitable for the course.
• Download and install the free VMware player for Windows or Linux (RPM or tarball) from the VMware site or VMware Fusion for Mac or have your own copy of the VMware workstation preinstalled (version 5.5x minimum or 6.x for Vista)
  Note: The VMware image supplied for the course is used to do all of the class exercises. The VMware image CD will be supplied during the course.
   

Mandatory laptop hardware requirements:

• x-86 compatible 1.5 GHz CPU Minimum or higher is preferred for better performance
• DVD Drive (not CDROM Drive)
• 1 GB RAM minimum or higher (2 GB preferred)
• Ethernet adapter (optional)
• 512 MB RAM to VMware, 1 GB recommended
• 12 Gigabyte available hard drive space
• Windows XP/Vista/7, Mac OS X, and Linux any types
• Any Service Pack level is acceptable for your Windows XP/Vista/Win 7
• Windows and Linux software will require an unzip utility for VMware image
   

Required Software:

• VMware player or workstation for Windows or Linux or VMware Fusion for Mac OS

• 1GHz Processor
• 2GB RAM (More memory is highly recomended)
• 10GB free hard disk space
• DVD ROM drive

• VMWare Player 3.x or VMWare Workstation 6.x or newer or VMWare Fusion (Server and ESX are not supported)
• Firefox Browser

You must have the ability to disable the host firewall (Windows firewall or other third party firewall) and antivirus running on your desktop.
This usually means you need to have administrative privilege on the machine.

DO NOT plan on just killing your antivirus service or processes, because most antivirus tools still function even when their associated services and processes have been terminated.