-
Notifications
You must be signed in to change notification settings - Fork 35
/
first-presentation.tex
167 lines (124 loc) · 6.13 KB
/
first-presentation.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
\documentclass[Screen16to9,17pt]{foils}
%\documentclass[16pt,landscape,a4paper,footrule]{foils}
\usepackage{zencurity-slides}
% SPDX-FileCopyrightText: 2006-2024, Henrik Kramselund <hlk@kramse.org>
% SPDX-License-Identifier: BSD 3-Clause "New" or "Revised" License
% This is an example presentation
\begin{document}
%\rm
\selectlanguage{english}
\mytitlepage
{Creating slides using \LaTeX\\Using the old skool foils.cls}
\LogoOn
\slide{Goals for today}
\vskip 2 cm
%{\hlkbig En 3 dages workshop, hvor du lærer at angribe dit netværk!}
\begin{quote}
Abstract
Doing slides can be very frustrating. WYSIWYG programs are often clunky and you dont need the "funny animations" anyway :-D
Using \LaTeX\ allows you to quickly write down text and make them into slides. The power of \LaTeX\ also allows you to link exercise booklets and reference with names, numbers across documents easily.
The talk will present my template for doing this, and link to my repository on Codeberg with examples \url{https://codeberg.org/kramse/security-courses}
\end{quote}
\begin{list1}
\item Introduce the old skool foils.cls which is very \emph{clean}
\item Introduce some of the basic tools i use in my presentations
\item You should be able to clone and modify repo afterwards
\item \LaTeX\ can do so much by itself
\end{list1}
\slide{Small example file}
\VerbatimInput{texfiles/small.tex}
\slide{Starting out}
\begin{list1}
\item Hey, wait! This is just small text files!
\item Yes, creating {\color{red}100s} of slides becomes easier
\item Power comes when integrating multiple files, cross references from slides to exercise booklets
\item Also using \verb+VerbatimInput+ the example file was included from disk, putting code in preformatted or minted with syntaxhighlighting covers a lot of use-cases - for me
\item And git all the versions! \smiley
\end{list1}
\slide{Example preformatted text}
\begin{alltt}
\footnotesize # {\bfseries tcpdump -i en0 host 10.20.20.129 or host 10.0.0.11}
tcpdump: listening on en0
23:23:30.426342 10.0.0.200.33849 > router.33435: udp 12 {\bf [ttl 1]}
23:23:30.426742 safri > 10.0.0.200: {\bf icmp: time exceeded in-transit}
23:23:30.436069 10.0.0.200.33849 > router.33436: udp 12 {\bf [ttl 1]}
23:23:30.436357 safri > 10.0.0.200: {\bf icmp: time exceeded in-transit}
23:23:30.437117 10.0.0.200.33849 > router.33437: udp 12 {\bf [ttl 1]}
23:23:30.437383 safri > 10.0.0.200: {\bf icmp: time exceeded in-transit}
23:23:30.437574 10.0.0.200.33849 > router.33438: udp 12
23:23:30.438946 router > 10.0.0.200: icmp: router {\bf udp port 33438 unreachable}
23:23:30.451319 10.0.0.200.33849 > router.33439: udp 12
23:23:30.452569 router > 10.0.0.200: icmp: router {\bf udp port 33439 unreachable}
23:23:30.452813 10.0.0.200.33849 > router.33440: udp 12
23:23:30.454023 router > 10.0.0.200: icmp: router {\bf udp port 33440 unreachable}
23:23:31.379102 10.0.0.200.49214 > safri.domain: 6646+ PTR?
200.0.0.10.in-addr.arpa. (41)
23:23:31.380410 safri.domain > 10.0.0.200.49214: 6646 NXDomain* 0/1/0 (93)
14 packets received by filter
0 packets dropped by kernel
\end{alltt}
\slide{Example pictures in slide - TCP three-way handshake}
\hlkimage{5cm}{images/tcp-three-way.pdf}
\begin{list2}
\item {\bfseries TCP SYN half-open} scans
\item Tidligere loggede systemer kun når der var etableret en fuld TCP
forbindelse\\
-- dette kan/kunne udnyttes til \emph{stealth}-scans
\item Hvis en maskine modtager mange SYN pakker kan dette fylde
tabellen over connections op -- og derved afholde nye forbindelser
fra at blive oprette -- {\bfseries SYN-flooding}
\end{list2}
\slide{Example: Picture and code}
\hlkimage{18cm}{buffer-overflow-1.pdf}
\begin{minted}[fontsize=\small]{C}
main(int argc, char **argv)
{ char buf[200];
strcpy(buf, argv[1]);
printf("%s\textbackslash{}n",buf);
}
\end{minted}
\slide{VXLAN injection}
\hlkimage{19cm}{vxlan-basic-injection.png}
I tested using my pentest server in one AS, sending across an internet exchange into a production network, towards Arista testing devices - no problems, it's just routed layer 3 IP+UDP packets
\slide{Example attacks, What is possible VXLAN Header}
\begin{alltt}\footnotesize
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|R|R|R|R|I|R|R|R| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VXLAN Network Identifier (VNI) | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Inner Ethernet Header:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Inner Destination MAC Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Inner Destination MAC Address | Inner Source MAC Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Inner Source MAC Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|OptnlEthtype = C-Tag 802.1Q | Inner.VLAN Tag Information |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\end{alltt}
\begin{list2}
\item Above protocol header is copied from RFC text document, and in \verb+alltt+ environment
\end{list2}
\slide{Example: Snippets of code with minted Scapy}
First create VXLAN header and inside packet
\begin{minted}[fontsize=\small]{python}
vxlanport=4789 # RFC 7384 port 4789, Linux kernel default 8472
vni=37 # Usually VNI == destination VLAN
vxlan=Ether(dst=routermac)/IP(src=vtepsrc,dst=vtepdst)/
UDP(sport=vxlanport,dport=vxlanport)/VXLAN(vni=vni,flags="Instance")
broadcastmac="ff:ff:ff:ff:ff:ff"
randommac="00:51:52:01:02:03"
attacker="185.27.115.666"
destination="10.0.0.10"
# port is the one we want to contact inside the firewall
insideport=53
testport=54040
packet=vxlan/Ether(dst=broadcastmac,src=randommac)/IP(src=attacker,
dst=destination)/UDP(sport=testport,dport=insideport)/
DNS(rd=1,id=0xdead,qd=DNSQR(qname="www.wikipedia.org"))
\end{minted}
{\footnotesize Fun fact, Unbound on OpenBSD reply to DNS requests received in Ethernet packets with broadcast destination and IP destination being the IP of the server}
\myquestionspage
\end{document}