Check out the new USENIX Web site.
2007 USENIX Annual Technical Conference

Training Overview | USENIX Training Program | USENIX Training Instructors

USENIX is pleased to partner with SANS at USENIX '07 to offer a 6-day training course focused on security:

The complete course description is available below.

SANS Security 504 will take place in Meeting Room 203 at the Santa Clara Convention Center.

Please note: The SANS class runs for 6 days. Attending the SANS course precludes attending USENIX training courses or technical sessions.

Satisfaction guaranteed: If you feel the SANS tutorial does not meet your needs, let us know by the first break and we will change you into any other available USENIX tutorial immediately.

SANS Security 504: Hacker Techniques, Exploits, and Incident Handling

Instructor: John Strand, Northrop Grumman

Overview | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Laptop Requirements

Overview: If your organization has an Internet connection and one or two disgruntled employees (and whose doesn't?), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth.

By helping you understand attackers' tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information in this course helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors and the "oldie-but-goodie" attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack-attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents, a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them, and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

This challenging course is particularly well-suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your company's system, and also that you advise your network and computer operations teams of your testing.

Who should attend:

  • Members and leaders of incident handling teams
  • System administrators and security personnel
  • Ethical hackers/penetration testers who want to understand the concepts underlying their testing regimens
A sampling of topics:
  • The step-by-step approach used by many computer attackers
  • The latest computer attack vectors and how you can stop them
  • Proactive and reactive defenses for each stage of a computer attack
  • Hands-on workshop addressing scanning for, exploiting, and defending systems
  • Strategies and tools for detecting each type of attack
  • Attacks and defenses for Windows, UNIX, switches, routers, and other systems
  • Application-level vulnerabilities, attacks, and defenses
  • Developing an incident handling process and preparing a team for battle
  • Legal issues in incident handling
  • Recovering from computer attacks and restoring systems for business

John Strand (SANS 504) John Strand started working in information security at Accenture Consulting at the Department of the Interior, where he worked incident response, vulnerability assessment, and intrusion detection. He is currently employed with Northrop Grumman in Denver doing Information Assurance. John currently holds the CISSP and GIAC GCIH and GCFW Certifications.

Sunday, June 17, 2007

504.1 Incident Handling Step-by-Step and Computer Crime Investigation

Securing an infrastructure is a complex task of balancing business needs against security risks. With the discovery of new vulnerabilities almost on a daily basis, there is always the potential for an intrusion. In addition to online intrusions, physical incidents like fires, floods, and crime all require a solid methodology for incident handling to be in place, in order to get systems and services back online as quickly and securely as possible.

The first part of the course looks at the invaluable Incident Handling Step-by-Step model. Incident Handling Step-by-Step was created through a consensus process involving experienced incident handlers from corporations, government agencies, and educational institutes, and has been proven effective in hundreds of organizations. This section is designed to provide students with a complete introduction to the incident handling process, using the six steps (preparation, identification, containment, eradication, recovery, and lessons learned) one needs to follow to prepare for and deal with a computer incident.

The second part of this course examines from-the-trenches case studies to understand what does and does not work in identifying computer attackers. This section provides valuable information on the steps a systems administrator can take to improve the chances of catching and prosecuting attackers.

Topics include:

  • Preparation
    • Building a jump kit
    • Identifying the core team
    • Instrumentation of the site and system
  • Identification
    • Signs of an incident
    • First steps
    • Chain of custody
  • Containment
    • Documentation strategies: Video and audio
    • Containment and quarantine
    • Pull the network cable, switch, and site
    • Identifying and isolating the trust model
  • Eradication
    • Evaluating whether a backup is compromised
    • Total rebuild of the operating system
    • Moving to a new architecture
  • Recovery
    • Who makes the determination to return to production?
    • Monitoring to system
    • Expect an increase in attacks
  • Special actions for responding to different types of incidents
    • Espionage
    • Inappropriate use
    • Sexual harassment
  • Incident record keeping
    • Pre-built forms
    • Legal acceptability
  • Incident follow-up
    • Lessons learned meeting
    • Changes in process for the future

Monday, June 18, 2007

504.2 Computer and Network Hacker Exploits: Part 1

Seemingly innocuous data leaking from your network could provide the clue needed by an attacker to blow your systems wide open. This day-long course covers the details associated with reconnaissance and scanning, the first two phases of many computer attacks.

Your networks reveal an enormous amount of information to potential attackers. In addition to looking for information leakage, attackers conduct detailed scans of systems, scouring for openings to get through your defenses. They scope out targets of opportunity to break into your network, such as weak DMZ systems and firewalls, unsecured modems, or the increasingly popular wireless LAN attacks. Attackers are increasingly employing inverse scanning, blind scans, and bounce scans to obscure their source and intentions. They are also targeting firewalls, attempting to understand and manipulate rule sets to penetrate our networks. Another very hot area in computer attacks involves intrusion detection system evasion, techniques that allow an attacker to avoid detection by these computer burglar alarms.

If you don't have the skills needed to understand these critical phases of an attack in detail, you won't be able to protect your network. Students who take this class and master the material will understand these attacks and the associated defenses.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organizations systems, and also that you advise your network and computer operations teams of your testing schedule.

Topics include:

  • Reconnaissance
    • What does your network reveal?
    • Are you leaking too much information?
    • Using whois lookups, ARIN, RIPE, and APNIC
    • Domain name system harvesting
    • Data gathering from job postings, Web sites, and government databases
  • Scanning
    • The art of war driving to locate insecure wireless LANs
    • War dialing for renegade modems
    • Port scanning: Traditional, stealth, and blind scanning
    • Active and passive operating system fingerprinting
    • Firewalking to determine firewall filtering rules
    • Vulnerability scanning using Nessus and other tools
    • CGI Scanning with Whisker
  • Intrusion detection system evasion
    • Foiling IDS at the network level: Fragmentation and other tricks
    • Foiling IDS at the application level: Exploiting the rich syntax of computer languages
    • Using Fragroute, Fragrouter, and Whisker IDS evasion tactics
  • Hands-on exercises with the following tools:
    • NetStumbler for wireless LAN discovery
    • Nmap port scanner and operating system fingerprinting tool
    • Nessus vulnerability scanner
    • Enum for extracting Windows data through null sessions

Tuesday, June 20, 2007

504.3 Computer and Network Hacker Exploits: Part 2

Computer attackers are ripping our networks and systems apart in novel ways, while constantly improving their techniques. This day-long course covers the third step of many hacker attacks: gaining access.

Attackers employ a variety of strategies to take over systems, from the network level up to the application level. This section covers the attacks in depth, from the details of buffer overflow and format string attack techniques to the latest in session hijacking of supposedly secure protocols. Additionally, you'll get hands-on experience in running sniffers and the incredibly flexible Netcat tool.

Administrators need to get into the "meat" of how the attacks and their associated defenses work to really defend against these attacks. For each attack, the course explains the vulnerability, how various tools exploit it, the signature of the attack, and how to harden the system or application against the attack. Students who sign an ethics and release form are issued a CD-ROM containing the attack tools examined in class.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organizations system, and also that you advise your network and computer operations teams of your testing schedule.

Topics include:

  • Network-level attacks
    • Session hijacking: From telnet to SSL and SSH
    • Person-in-the-middle attacks
    • Passive sniffing
  • Gathering and parsing packets
    • Active sniffing: ARP cache poisoning and DNS injection
    • DNS cache poisoning: Redirecting traffic on the Internet
    • Using and abusing Netcat, including backdoors and nasty relays
    • IP address spoofing variations
  • Operating system and application-level attacks
    • Buffer overflows in depth
    • The MetaSploit exploitation framework and Perl exploit library
    • Format string attacks
  • Netcat: The attacker's best friend
    • Using Netcat to transfer files, create backdoors, and shovel shell
    • Netcat relays to obscure the source of an attack
    • Replay attacks using Netcat
  • Hands-on exercises with the following tools:
    • Sniffers, including Tcpdump
    • Sniffer detection tools, Including ifconfig, ifstatus, and promiscdetect
    • Netcat for transferring files, creating backdoors, and setting up relays
    • Format string vulnerabilities in Windows

Wednesday, June 20, 2007

504.4 Computer and Network Hacker Exploits: Part 3

This course starts out by covering one of the attackers favorite techniques for compromising systems: worms. We'll analyze worm developments over the past two years, and project these trends into the future to get a feel for the coming Super Worms we'll face. Then, the course turns to another vital area often exploited by attackers: Web applications. Because most organizations' homegrown Web applications don't get the security scrutiny of commercial software, attackers exploit these targets using SQL injection, cross-site scripting, session cloning, and a variety of other mechanisms discussed in detail.

The course also presents a taxonomy of nasty denial of service attacks, illustrating how attackers can stop services or exhaust resources, as well as what you need to do to prevent their nefarious deeds.

Also, once intruders have gained access into a system, they want to keep that access, preventing pesky system administrators and security personnel from detecting their presence.

To fool you, attackers install backdoor tools and manipulate existing software on a system to maintain access to the machine on their own terms.

To defend against these attacks, you need to understand how attackers alter systems to discover the sometimes-subtle hints associated with system compromise. This course arms you with the understanding and tools you need to defend against attackers maintaining access and covering their tracks.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organizations system, and also that you advise your network and computer operations teams of your testing schedule.

Topics include:

  • Password cracking
    • Password cracking with John the Ripper
    • Analysis of worm trends from 1999 to 2005
    • Password cracking with L0phtCrack and John the Ripper
  • Web application attacks
    • Account harvesting
    • SQL injection: Manipulating back-end databases
    • Session cloning: Grabbing other users' Web sessions
    • Cross-site scripting
  • Denial of service attacks
    • Distributed denial of service: Pulsing zombies and reflected attacks
    • Local denial of service
    • SYN floods and Smurf attacks: DoS building blocks
  • Hands-on exercises with the following tools:
    • John the Ripper password cracker
    • Web application attack tools, including Achilles

Thursday, June 21, 2007

504.5 Computer and Network Hacker Exploits: Part 4

This day-long course covers the fourth and fifth steps of many hacker attacks: maintaining access and covering their tracks. Computer attackers install backdoors, apply Rootkits, and sometimes even manipulate the underlying kernel itself to hide their nefarious deeds. Each of these categories of tools requires specialized defenses to protect the underlying system. In this course, we'll analyze the most commonly used malicious code specimens, as well as explore future trends in malware, including BIOS-level and combo malware possibilities.

Attackers also cover their tracks by hiding files, sniffers, network usage, and active processes. Additionally, super stealthy sniffing backdoors are increasingly being used to thwart investigations. Finally, attackers often alter system logs, all in an attempt to make the compromised system appear normal. This course gives you the tools and techniques you need to detect and respond to these activities on your computers and network.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organizations system, and also that you advise your network and computer operations teams of your testing schedule.

Topics include:

  • Maintaining access
    • Backdoors: Using QAZ, Tini, and other popular beasts
    • Trojan horse backdoors: A nasty combo
    • Application-level Trojan horse backdoor suites (VNC, SubSeven, etc.)
    • Rootkits: Substituting binary executables with nasty variations
    • Kernel-level rootkits: Attacking the heart of the operating system (Adore, the Super User Control Kit, and KIS)
  • Covering the tracks
    • File and directory camouflage and hiding
    • Log file editing on Windows and UNIX
    • Accounting entry editing: UTMP, WTMP, shell histories, etc.
    • Covert channels over HTTP, ICMP, TCP, and other protocols
    • Sniffing backdoors and how they can really mess up your investigations unless you are aware of them
    • Steganography: Hiding data in images, music, binaries, or any other file Type
  • Putting it all together
    • Specific scenarios showing how attackers use a variety of tools Together
    • Analyzing scenarios based on real-world attacks
    • Learning from the mistakes of other organizations
    • Where to go for the latest attack info and trends
  • Hands-on exercises with the following tools:
    • Virtual network computing (VNC) and shovelling GUI
    • RootKits and detection
    • Detecting backdoors with Netstat, Lsof, and Fport
    • Hidden file detection with LADS
    • Covert channels using Covert_TCP

Friday, June 22, 2007

504.6 Hacker Tools Workshop

Over the years, the security industry has become smarter and more effective in stopping hackers; unfortunately, hacker tools are becoming smarter and more complex. One of the most effective methods in stopping the enemy is actually testing the environment with the same tools and tactics an attacker might use against you.

This workshop lets you put what you have learned over the past week into practice. You will be connected to one of the most hostile networks on planet Earth. This network simulates the Internet and allows students to try actual attacks against live machines and learn how to protect against these attacks. This workshop will supplement the classroom training that the student has already received and give them flight time with the attack tools to better understand how they work. Instructors will give guidance on exactly what is happening as exploits and defensive measures are running. As students work on various exploits and master them, the environment will become increasingly difficult so that students will have to master additional skills in order to successfully complete the exercises.

Additionally, students can participate in the workshop's Capture the Flag event. By penetrating systems, discovering subtle flaws, and using puzzle-solving techniques, you can test the skills you've built over the week in this engaging contest. The Capture the Flag victors will win a prize.

Paranoia is good!
Your laptop will be attacked. Do not have any sensitive data stored on the system. SANS and USENIX are not responsible for your system if (actually, when) someone in the class attacks it in the workshop. Bring the right equipment and prepare it in advance to maximize what you'll learn and the fun you'll have doing it.

Topics include:

  • Hands-on analysis
    • Nmap port scanner
    • Nessus vulnerability scanner
    • Network mapping
    • Sniffer attack tools
    • Netcat: File transfer, backdoors, and relays
  • General exploits
    • IP spoofing
    • Session hijacking
    • Buffer overflows
    • John the Ripper password cracker
  • Other attack tools and techniques
    • Web application manipulation
    • Backdoors with Netcat, BO2K, and VNC
    • File and directory hiding on Windows and Linux
    • Covert Channels in HTTP, ICMP, and TCP
    • And much more . . .

Laptop Requirements

Laptop Required for SANS Security 504

To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network that we will create. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class.

You are required to bring a Windows 2000 or XP machine, either a real system or a virtual machine. For Windows 2000, you can use any service pack, but SP 4 is recommended. Windows XP with any service pack is also acceptable. The attack tools we will use do not work on Windows 95, 98, ME, and NT, so don't bother bringing them on your workshop laptop. You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated.

You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 1.0 or later or the commercial VMware Workstation 4.0 or later installed on your system prior to coming to class. You can download VMware Player for free at Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from VMware will send you a time-limited serial number for VMware Workstation if you register for the trial at their Web site. No serial number is required for VMware Player. We will give you a CD full of attack tools to experiment with during the class and take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.

You do not have to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC. If you want to use your own Linux installation instead of our virtual machine on VMware, you will be required to install all of the tools yourself from the course CD during the course itself, including Nmap, Nessus, covert_tcp, Metasploit, John the Ripper, and Netcat.

Mandatory Laptop Hardware Requirements

  • PIII 1Ghz CPU minimum or higher
  • CD-ROM Drive
  • 512MB RAM minimum or higher
  • Ethernet adapter
  • 5 Gigabytes of available hard drive space
  • Any service pack level is acceptable for your Windows 2000/XP

Paranoia Is Good
During the workshop, you will be connecting to one of the most hostile networks on planet Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS and USENIX are not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn, as well as have a lot of fun.

Return to top

?Need help? Use our Contacts page.

Last changed: 14 June 2007 ch