BSides Denver 2018 – Hacking the Mile High City

I traveled out to BSides Denver 2018 this past weekend, and had a great time!

BSides Denver 2018 – Introduction

This was my first time in Colorado, and I really enjoyed it.

BSides Denver was a fun conference sponsored by SecureSet Academy.

Of course, I had to rep SwAG during my time out there!

Venue, Area, Food and Drinks

While it was great that SecureSet sponsored the conference, the venue(s) were a bit crowded.

Two of the speaking tracks were in their downtown offices in some conference rooms. This led to a lot of talks having to turn people away due to seating reasons. Additionally, it was hard to hang out in the con area without being too loud for the conference rooms.

The third track + hang out area and meals was held at the Blake St. Tavern down the road. This was a bit less crowded, and I ended up hanging out here more often than not.

Denver was great, and I ended up having some awesome food and drinks during my time there.

Other than that, I visited the USAFA (United States Air Force Academy) since I know someone going there!

We walked around campus, and I got to take pictures of some of the awesome looking buildings.

There was also an F15 there, but they told me that it doesn’t actually run anymore.

Finally, the mountains around campus (and the city in general) were gorgeous, and I wish I got some more pictures.

The beer in Denver was great, and I tried to make it to as many brew-pubs and/or places with local beer as possible.

Talks

I went to 4 talks this conference, and they were all pretty great.

• Ducky-in-the-middle: Injecting keystokes into plaintext protocols – this was a fun talk about intercepting plaintext protocols for mouse/keyboard input and hijacking them. N00py mentioned a few neat tools, and I’d love to take a look as some of them.
• GreatSCT: Gotta Catch ‘Em AWL – this was a tool by ConsciousHacker that I’ve meant to look into for a while now. That said, after this talk, it has moved rapidly up my list. This is a framework that manually builds Metasploit payloads that can bypass anti-virus as well as application whitelisting solutions. You can find the source here, and I hope to blog about it fairly soon.
• WiFiPi: Rasperries and Radios and Antennas, oh my! – This was my talk, and it went pretty well here! An infomercial styled talk about my WiFiPi and how to use it for wireless assessments. While I was unable to make the drink that I made at CarolinaCon, I still shared the recipe with my fans. I hope that the videos/slides will be up soon, but please let me know if there is anything specific that you want/need in the meantime.
• Why Hackers Still Get In – this was a more basic talk given by B1tWr4ngl3r of Rapid7, but it was still a good one. The biggest takeaway for defenders (and attackers) were that passwords are bad. That said, I think I have a mouse that is vulnerable to JackIt, so I’m looking forward to playing with it.

Unfortunately, BSides Denver did not record any of these talks. That said, you can find a few of them from previous conferences below.

• Ducky-in-the-middle (BSides Rochester 2018) – https://www.youtube.com/watch?v=nGWKnR22H6w
• GreatSCT – no videos yet, but hopefully RMISC or Circle City Con (Twitter will post one!
• WiFiPi – still no video, blame Curbob

BSides Denver 2018 – Speaking

I spoke at BSides Denver this year, which was my main reason to go out there! This was my 5th total presentation, and second for this talk.

I definitely feel like I’ve got the speaking bug, and I’m constantly improving. That said, filler words and going too quickly are still where I have some issues.

There were no technical difficulties this time, but the talk wasn’t recorded. That said, the CarolinaCon recording should be up soon, and if not, blame Curbob.

I did not make the themed drink at this venue, but I still shared the recipe for any brave souls.

This talk went very similarly to my CarolinaCon version, only with a few more slides. I tried to cover the questions that I was asked at CarolinaCon during the presentation, and that went well.

That said, there was even more questions than last time, which was awesome. My talk went a bit quickly (30 minutes), so I had almost 15 minutes left for questions, discussions, and demonstrations.

I’ll be giving this talk one more time this year, , but be on the lookout for slides and a video when that is complete.

Finally, if you have any feedback (positive, negative, or neutral) about the content or presentation, then please let me know!

Villages/Events

There was a lock picking village at the Blake Street Tavern, so I popped over there for a bit to watch some people.

Other than that, I briefly participated in the CTF.

While this was a great idea, there wasn’t enough time or automation in place for it to work really well. That said, it was pretty neat, and I got 4/5 of the required e-mail addresses.

If you have any tips for obtaining e-mail addresses from a LinkedIn profile, then I’d love to hear them!

BSides Denver 2018 – Conclusion

This was a great con, and I’m glad that they invited me to come out and speak.

I was able to do a little (ok more than a little) eating, a little drinking, some networking, and some exploring.

That said, I wasn’t able to escape my travel bad luck.

While that screenshot wasn’t the real issue, I still had to deal with a 2 hour delay for my flight back home.