Another year in Vegas, and DEF CON 25 is in the books.
Just like last year, I could fill multiple posts with everything that went on this year. That said, I’ll try to keep the content as limited as possible.
Back in Vegas
While Vegas is still the same, it was still nice being back.
Another hot year, but I didn’t expect anything less from Vegas in the summer.
My wallet ended up down $410 this year, but I’ll just blame SecuritySean for not doing as well as he did last year.
I ended up switching hotels twice this year, which was probably a mistake. I was at Caesar’s for DEF CON itself, but Bally’s for everything else. Staying at the same hotel as DEF CON is super convenient, but switching twice can definitely be a hassle.
Another year where I got to either meet or catch-up with some great people.
EverSec found their more remote team members this year, including Tom from last year!
I grabbed lunch with Lee this year along with a bunch of other PowerShell people (DBo, Carlos, etc.).
It was also really nice being able to meet some more of my co-workers in person. We had an impromptu team meeting at an Irish pub this year, and that was a ton of fun.
This year I actually made it to a few more talks (sorry Grifter) at both cons, but I’ll go more in-depth on those below.
Windows Post-Exploitation and Malware Forward Engineering workshop
If you think that the name of this workshop is a mouthful, that was just the beginning.
The first half of this course was basically a deluge of Windows Internals. While pretty overwhelming, there were definitely some useful nuggets I got even in sections I didn’t understand. I don’t know how EVERY part of this was relevant to the title/core content, but that could also be from inexperience. That said, maybe picking up a Win Internals book is in my near future…
Once we got past the first half, we delved into the actual malware development. This course wasn’t about building ransomware or anything particularly malicious, but that isn’t to say that someone couldn’t.
They designed the workshop to bring up a topic, and show a small demo built around that topic. That said, I’ll definitely have to do some work on my own combining a few of these demos into an actual Red Team C2 project.
The most interesting demo modules were toxicserpent and puppetstrings. Toxicserpent was the closest to fully fledged malware, with the ability to log all network traffic, poison, and port-knock C2. Puppetstrings is an awesome method for hitching a free ride to Ring 0 with signed drivers.
You can find code and slides from the workshop in zerosum’s GitHub repository.
I made it to a few talks at both conferences this year, so here’s a quick list of each of them.
BSides LV 2017
- Password Cracking 201: Beyond the Basics – this talk made me want to get into password cracking. From the description, “My goal with this talk is to help occasional, casual, and non-specialist practitioners bootstrap themselves to the next level of password auditing.” As of now, my workflow has generally been: get hashes, run john hashes.txt, wait, if nothing, then send to someone with a rig. This talk brought up various tools and techniques, and I will likely buy a budget rig because of it soon!
- How To Obtain 100 Facebook Accounts Per Day Through Internet Searches – A surprisingly simple vulnerability that easily led to the compromise of Facebook accounts. It was incredible to me that Facebook security overlooked this, but there might even be a similar vulnerability that still exists.
DEF CON 25
- Jailbreaking Apple Watch – this was the first talk I went to at DEF CON this year, but it was way over my head. If you have any interest in Apple Watch exploitation, then this is the talk for you.
- Real-time RFID Cloning in the Field – this talk brought up a few interesting ideas, but seemed way too similar to Mike’s Wiegotcha for me to try to build that one instead.
- Exploiting Old Mag-stripe information with New technology – some cool ideas for mag stripe hacking, but I didn’t quite grasp the benefit over just cloning the mag card.
- A Pineapple, a Turtle, a Bunny, and a Squirrel walk into a bar – Hak5 talking about their upcoming products and changes. Be on the lookout for the new 3G LAN Turtle and the Packet Squirrel (programmable MitM device)!
Of course, CTFs are where I spent most of my con time this week, and it was another banner year.
I only ended up 13th in the Amazon MicroCTF this year, which was a little disappointing. That said, I was solo until the 11th hour, and was very close to solving a challenge that would have gotten me 7th.
There was no DEF CON 25 OpenCTF this year, which was a mixed blessing. I would have loved to compete and do even better this year, but not having it gave me time for other competitions and relaxing.
While EverSec competed in the IoT CTF this year, I was a minor member of the team at best. Tom and Dave led the team this year, and they did a great job of representing. We ended up in 6th place I believe, so kudos to those guys.
DEF CON 25 – Wireless CTF
The final, and most important, CTF that I competed in this year was the Wireless CTF.
This was my first time really trying to compete in this CTF at any con, and I had a blast. The fox hunts in particular were pretty fun, and a new experience for me.
I had the honor of competing with Eric and a number of co-workers/friends on team “What does the fox say?”
We ended up killing it, and wound up in first by over double the score.
Though this was my first time competing, I was still able to contribute with flags on some of the lower-hanging WEP/WPA access points. Additionally, I helped a little, but learned a lot more, on a few of the SDR challenges.
This is something that I’d like to continue doing at various cons, but I have a little work to do. First, I need to upgrade the gear that I have. The 5GHz spectrum was out of my reach, and the organizers mentioned that they also plan on adding 60GHz in the future. Additionally, my SDR skills are still mediocre at best. Other than that, I need a more portable solution for fox-hunting (walking around with my laptop was a hassle).
Other than that, I learned that a tasty Belgian beer from unclebeer is worth 150 points.
DEF CON 25 Wireless CTF Prizes
As a team, we got a ton of swag from the organizers for winning.
- WiFi Pineapple Tetra
- 5 ESP8266 boards
- Lock Picks
- Telefreaks pager watch
- Ettus B200 with metal case
- LAN Turtle 3G
- Bash Bunny
- Hak5 long-range amp
- Hak5 WiFi Card
- No Starch T-shirt
- HFC Shirt
- Wireless Village 2017 coin for each member
Once we divvied it all up, I managed to take home a LAN Turtle 3G (gave Eric my old LAN Turtle), the challenge coin, the No Starch shirt, and an ESP8266. Even better, our work pitched in $500 for each employee on the winning team!
DEF CON 25 – Black Badge
More importantly, we also found out that we won a DEF CON 25 Black Badge as well! We drew names for this, and steveo ended up winning. Try as he might, he wasn’t able to get Eric to accept it instead.
The badge this year was a solid gold ($1300 worth according to DT) medallion with the DEF CON logo on it.
This was a wild feeling, and I loved being back up on that stage for a second year in a row. If I’m being completely honest though, it was a lot less nerve-wracking with the Buffalo Trace (thanks Steve!) in me and my experience doing it last year.
We got to go on stage during the closing ceremonies with the team that ran the competition. They announced the 3rd, 2nd, and 1st place finishers, as well as our award. I apologize for the finger in some of the photos…blame unclebeer.
Eric got to give a brief speech about the contest and inspiring even more people to join the next year.
Unfortunately for our team, it was also announced that Eric would be banned from competing in the future, as he’s won three years in a row. That said, it was also followed up with the great announcement that Eric would be sitting on the other side of the table next year! While I was hoping to get another year of learning from Eric, I’m looking forward to the challenges that he’ll bring next year.
At this point, I’ve won 2 black badges in 2 DEF CONs, and now I want to win them in even more competitions! This was another exciting moment, and I’ll never forget it for the rest of my career.
Plus, we got to take some fun pictures afterwards.
(The off-stage photographer took these, and I’ve been unable to find them so far).
Other than that, if you ask really nicely, I might be able to upload a video of Eric practicing for the shock collar shootout.
DEF CON 25 – Conclusion
Another year in Vegas, and another 100 tabs in my TODO folder to show for it.
As hot and expensive as Vegas is, I know that I’m not one of those people who says, “I’m not going next year.”
Plus, Caesar’s was far more enjoyable than Paris/Bally’s last year, so that helped out a lot.
Other than that, I may try to submit a talk to DEF CON Beijing when DT finally officially announces it! I’ve never been to China, and I’d love to help him build the community over there.