DEF CON 25 and BSidesLV 2017 – Hacker Summer Camp

Another year in Vegas, and DEF CON 25 is in the books.

Just like last year, I could fill multiple posts with everything that went on this year. That said, I’ll try to keep the content as limited as possible.

Back in Vegas

While Vegas is still the same, it was still nice being back.

Another hot year, but I didn’t expect anything less from Vegas in the summer.

My wallet ended up down $410 this year, but I’ll just blame SecuritySean for not doing as well as he did last year.

I ended up switching hotels twice this year, which was probably a mistake. I was at Caesar’s for DEF CON itself, but Bally’s for everything else. Staying at the same hotel as DEF CON is super convenient, but switching twice can definitely be a hassle.

The Cons/People

Another year where I got to either meet or catch-up with some great people.

EverSec brought along more of their remote team members this year, including Tom from last year!

I grabbed lunch with Lee this year along with a bunch of other PowerShell people (DBo, Carlos, etc.).

It was also really nice being able to meet some more of my co-workers in person. We had an impromptu team meeting at an Irish pub this year, and that was a ton of fun.

This year I actually made it to a few more talks (sorry Grifter) at both cons, but I’ll go more in-depth on those below.

Windows Post-Exploitation and Malware Forward Engineering workshop

If you think that the name of this workshop is a mouthful, that was just the beginning.

zerosum and Aleph Naught taught this workshop on Saturday afternoon. Like most workshops, 4 hours was definitely not enough for everything they could have demonstrated.

The first half of this course was basically a deluge of Windows Internals. While pretty overwhelming, there were definitely some useful nuggets I got even in sections I didn’t understand. I don’t know how EVERY part of this was relevant to the title/core content, but that could also be from inexperience. That said, maybe picking up a Win Internals book is in my near future…

Once we got past the first half, we delved into the actual malware development. This course wasn’t about building ransomware or anything particularly malicious, but that isn’t to say that someone couldn’t.

They designed the workshop to bring up a topic, and show a small demo built around that topic. That said, I’ll definitely have to do some work on my own combining a few of these demos into an actual Red Team C2 project.

The most interesting demo modules were toxicserpent and puppetstrings. Toxicserpent was the closest to a fully fledged piece of malware, with the ability to log all network traffic, poison, and port-knock C2. Puppetstrings is an awesome method for hitching a free ride to Ring 0 with signed drivers.

You can find the code and slides from the workshop in zerosum’s GitHub repository.

Talks

I made it to a few talks at both conferences this year, so here’s a quick list of each of them.

BSides LV 2017

  • Password Cracking 201: Beyond the Basics – this talk made me want to get into password cracking. From the description, “My goal with this talk is to help occasional, casual, and non-specialist practitioners bootstrap themselves to the next level of password auditing.” As of now, my workflow has generally been: get hashes, run john hashes.txt, wait, if nothing, then send to someone with a rig. This talk brought up various tools and techniques, and I will likely buy a budget rig because of it soon!
  • How To Obtain 100 Facebook Accounts Per Day Through Internet Searches – A surprisingly simple vulnerability that easily led to the compromise of Facebook accounts. It was incredible to me that Facebook security overlooked this, but there might even be a similar vulnerability that still exists.

DEF CON 25

  • Jailbreaking Apple Watch – this was the first talk I went to at DEF CON this year, but it was way over my head. If you have any interest in Apple Watch exploitation, then this is the talk for you.
  • Real-time RFID Cloning in the Field – this talk brought up a few interesting ideas, but seemed way too similar to Mike’s Wiegotcha for me to try to build that one instead.
  • Exploiting Old Mag-stripe information with New technology – some cool ideas for mag stripe hacking, but I didn’t quite grasp the benefit over just cloning the mag card.
  • A Pineapple, a Turtle, a Bunny, and a Squirrel walk into a bar – Hak5 talking about their upcoming products and changes. Be on the lookout for the new 3G LAN Turtle and the Packet Squirrel (programmable MitM device)!

CTFs

Of course, CTFs are where I spent most of my con time this week, and it was another banner year.

I only ended up in 13th place in the Amazon MicroCTF this year, which was a little disappointing. That said, I was solo until the 11th hour, and was very close to solving a challenge that would have gotten me 7th.

(Photo: the MicroCTF)

There was no DEF CON 25 OpenCTF this year, which was a mixed blessing. I would have loved to compete and do even better this year, but not having it gave me time for other competitions and relaxing.

While EverSec competed in the IoT CTF this year, I was a minor member of the team at best. Tom and Dave led the team this year, and they did a great job of representing. We ended up in 6th place, I believe, so kudos to those guys.

DEF CON 25 – Wireless CTF

The final, and most important, CTF that I competed in this year was the Wireless CTF.

(Photos: the CTF setup and gear)

This was my first time really trying to compete in this CTF at any con, and I had a blast. The fox hunts in particular were pretty fun, and a new experience for me.

(Photo: the fox hunt)

I had the honor of competing with Eric and a number of co-workers/friends on team “What does the fox say?”

(Photo: the WCTF team)

We ended up killing it, and wound up in first by over double the score.

(Photos: the scoreboard)

Though this was my first time competing, I was still able to contribute with flags on some of the lower-hanging WEP/WPA access points. Additionally, I helped a little, but learned a lot more, on a few of the SDR challenges.

This is something that I’d like to continue doing at various cons, but I have a little work to do. First, I need to upgrade the gear that I have. The 5GHz spectrum was out of my reach, and the organizers mentioned that they also plan on adding 60GHz in the future. Additionally, my SDR skills are still mediocre at best. Other than that, I need a more portable solution for fox hunting (walking around with my laptop was a hassle).

Other than that, I learned that a tasty Belgian beer from unclebeer is worth 150 points.

(Photo: unclebeer)

DEF CON 25 Wireless CTF Prizes

As a team, we got a ton of swag from the organizers for winning.

  • WiFi Pineapple Tetra
  • 5 ESP8266 boards
  • Lock Picks
  • Telefreaks pager watch
  • Ettus b200 with metal case
  • LAN Turtle 3G
  • Bash Bunny
  • Hak5 long-range amp
  • Hak5 WiFi Card
  • HackRF
  • No Starch T-shirt
  • HFC Shirt
  • Wireless Village 2017 coin for each member

(Photos: the USRP, the Hak5 gear, and the pager watch)

Once we divvied it all up, I managed to take home a LAN Turtle 3G (I gave Eric my old LAN Turtle), the challenge coin, the No Starch shirt, and an ESP8266. Even better, our work pitched in $500 for each employee on the winning team!

DEF CON 25 – Black Badge

Even more importantly, we also found out that we won a DEF CON 25 Black Badge! We drew names for this, and steveo ended up winning. Try as he might, he wasn’t able to get Eric to accept it instead.

The badge this year was a solid gold ($1300 worth according to DT) medallion with the DEF CON logo on it.

(Photos: the Black Badge)

This was a wild feeling, and I loved being back up on that stage for a second year in a row. If I’m being completely honest though, it was a lot less nerve-wracking with the Buffalo Trace (thanks Steve!) in me and my experience doing it last year.

We got to go on stage during the closing ceremonies with the team that ran the competition. They announced the 3rd, 2nd, and 1st place finishers, as well as our award. I apologize for the finger in some of the photos…blame unclebeer.

(Photos: the closing ceremonies)

Eric got to give a brief speech about the contest and inspiring even more people to join the next year.

Unfortunately for our team, it was also announced that Eric would be banned from competing in the future, as he’s won three years in a row. That said, it was also followed up with the great announcement that Eric would be sitting on the other side of the table next year! While I was hoping to get another year of learning from Eric, I’m looking forward to the challenges that he’ll bring next year.

At this point, I’ve won 2 black badges in 2 DEF CONs, and now I want to win them in even more competitions! This was another exciting moment, and I’ll never forget it for the rest of my career.

Plus, we got to take some fun pictures afterwards.

(The off-stage photographer took these, and I’ve been unable to find them so far).

Other than that, if you ask really nicely, I might be able to upload a video of Eric practicing for the shock collar shootout.

DEF CON 25 – Conclusion

Another year in Vegas, and another 100 tabs in my TODO folder to show for it.

As hot and expensive as Vegas is, I know that I’m not one of those people who says, “I’m not going next year.”

Plus, Caesar’s was far more enjoyable than Paris/Bally’s last year, so that helped out a lot.

Other than that, I may try to submit a talk to DEF CON Beijing when DT finally officially announces it! I’ve never been to China, and I’d love to help him build the community over there.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for SecureWorks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (OSCE?!) or side project to work on, he enjoys playing video games, traveling, and watching sports.
