DefCon 24 and BSidesLV 2016

I had the pleasure of attending DefCon 24 and BSidesLV for the first time ever, and it was definitely an amazing experience.

While I could easily fill post upon post about various talks, topics, contests, and people, I will try to keep it down to one (reasonably sized) post.

Vegas in General

This was my first trip to Vegas ever, and it was definitely an eye opener. I have never been to anywhere in the world quite like it.

Between the people, the buildings, and all there is to do, it is definitely a unique place.

Vegas was a bit too hot for my liking, and being "just a dry heat" didn't make it better.

I was finally able to gamble in a casino as well, and ended up $315 or so on the week. These winnings were from craps alone, and mostly thanks to secure_sean.

(the view from my hotel)
DefCon 24 - Hotel view

The Cons/People

Going to DefCon (and BSides) for the first time was an amazing experience.

Seeing (and meeting) the people and places that I've only read about was pretty awesome, albeit overwhelming at times.

The sheer number of interesting conversations and talks alone was enough for me to think of hundreds of new side projects/ideas, which is awesome.

I also met some awesome people (including a 17-year-old reverse engineering wizard) through CTFs or just general conversations. Additionally, we grabbed a few drinks and sushi with MalwareTech, which was pretty awesome (super friendly guy).

Even if you don't go to any talks (to quote Grifter, "No talks, not even one!"), the people and the environment alone are reason enough to head to DefCon at least once.

Raspberry Pi and Kali Deluxe Spy workshop

I signed up for the Raspberry Pi and Kali workshop ($290 for all the toys), which was pretty enjoyable.

As Dallas mentioned at the beginning, Thursdays at DefCon do not go anywhere near to plan.

That said, while it took a while to set up, and while there were definitely some hiccups, I had a good bit to take away from the course.

I got to refresh myself on circuits (which I haven't done in a while) and get some ideas for some projects. In the kit were resistors, LEDs, sensors, a breadboard, and more, which should be more than enough for now.

Plus, finally having a Raspberry Pi and Arduino means I can start trying some of the IoT/small hacking projects that I've seen and thought about doing.

The second half of the class was even more interesting and relevant to me.

Sean (0hm) walked us through the ARM distro he put together for Kali that included all the relevant tools we might need for wireless or small penetration testing engagements.

Additionally, he brought up the SCR (and the boosted Alfa) we had in our kits, and what sort of things we might be able to sniff and decrypt (including GSM).

I came away from this talk with a lot of toys, and even more ideas (though I can always use more) for what to use them for.

DefCon 24 - Raspberry Pi loot

Talks

Instead of going over every talk that I attended or wanted to attend, I'll just go a bit more in-depth on two more important talks. Below them I'll list

Six Degrees of Domain Admin - Using Graph Theory to Accelerate Red Team Operations (Bloodhound)

  • Network defenders use charts and lists whereas attackers use graphs; as long as this continues, attackers will have the advantage
  • Bloodhound obtains information about the current Active Directory environment (either stealthily or with AD queries)
  • With this information about AD, Bloodhound then builds a graph of how everything in the network is interconnected
    • Active user sessions on specific systems
    • Group membership based on a user
    • Sub-groups of specific groups
    • Permissions held by a specific group
    • What local administrator accounts have derived privileges on other systems
  • The biggest Red Team takeaway from this is finding the shortest path to Domain Admin using this tool. For example: Server 1 has Steve logged in who is a member of Helpdesk. Helpdesk has admin on Server 2. Server 2 has Joe logged in who is a member of HR. HR has admin on Server 3. Jeff is logged in on Server 3 and is a Domain Admin.
  • Defensively, this tool can show what groups have too many permissions, what servers have too many sessions, what bottlenecks you could remove to make compromises more difficult, etc.
  • This tool also creates amazing visuals that would be liked by Upper Management in reports and slide decks.
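The shortest-path idea above, worked through as an added example (my own code, not Bloodhound's): a small graph built from the talk's Server 1/Steve/Helpdesk chain, with one extra constructed group ("IT") that gives Steve a second route, so the defensive question of which sessions or admin rights are real bottlenecks actually has an answer. Node and edge names are constructed for illustration.

```python
from collections import deque

# Constructed sample graph mirroring the talk's example plus one extra group.
# Edge types follow the Bloodhound model: HasSession (computer -> user),
# MemberOf (user -> group), AdminTo (group -> computer).
EDGES = [
    ("Server1", "HasSession", "Steve"),
    ("Steve", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "Server2"),
    ("Server2", "HasSession", "Joe"),
    ("Joe", "MemberOf", "HR"),
    ("HR", "AdminTo", "Server3"),
    ("Server3", "HasSession", "Jeff"),
    ("Jeff", "MemberOf", "Domain Admins"),
    ("Steve", "MemberOf", "IT"),       # constructed: a second route to Server3
    ("IT", "AdminTo", "Server3"),
]

def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def shortest_path(graph, start, goal):
    """Breadth-first search; returns the node sequence from start to goal, or None."""
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for _rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None

def choke_points(edges, start, goal):
    """Edges whose removal on its own cuts every path from start to goal.

    These are the sessions/memberships/admin rights a defender should look at
    first: fixing any one of them breaks the whole attack path."""
    result = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if shortest_path(build_graph(remaining), start, goal) is None:
            result.append(edge)
    return result
```

With the extra IT group in place, the shortest route from Server1 to Domain Admins skips the Helpdesk/HR hops entirely, and only Steve's session on Server1, Jeff's session on Server3, and Jeff's Domain Admins membership are single points that cut every path.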

Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools

  • This talk really hit home about some of the stuff I've been thinking about/saying regarding valuable targets and information, as well as going even further.
  • Eye-opening talk about how the security of penetration testers and their machines/environment is woefully insufficient.
  • There is the incentive for threat actors to attack Penetration Testers due to the tools and techniques they use, as well as their level of access.
  • Off the shelf equipment (Pwn Plug) and tools (for example: Metasploit) were found to be vulnerable, especially in default configurations, and attacked by the author.
  • Due to the lower bar for entry (widely available talks, tutorials, and basic tools) for some penetration testing, testers don't take into account that real networks are more dangerous than the examples.
  • Also goes into various security points such as:
    • Host security (testing machine)
    • Host security (client/target machine)
    • COMSEC (secure communication, so encrypting e-mails to the dev team with actual vulnerabilities etc.)
    • Client Data in Transit (making sure exfiltrated information isn't cleartext etc.)
    • Client Data at Rest (what's being saved on attacking machines or the servers)
    • Potential Threats
    • Insecure Practices
  • Various other insecure TTPs were mentioned.
  • A live demo of hijacking a Meterpreter HTTP(s) session was performed.

Other Talks

  • Data Science or Data Pseudo-Science? Applying Data Science Concepts to Infosec without a PhD - Data science is quite useful in InfoSec, and quite possibly for more people than realize it.
  • Beyond the Tip of the IceBerg -- Fuzzing Binary Protocol for Deeper Code Coverage. - Awesome talk about gray or black box fuzzing binaries.
  • DARPA Cyber Grand Challenge Award Ceremony / CGC in general - Not 100% relevant to my job at this time, but I felt like I was watching the future occur the entire time.
  • Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter - Interesting spear phishing approach, could be relevant for a red team engagement.
  • Sticky Keys To The Kingdom: Pre-auth RCE Is More Common Than You Think - Surprising how many vulns stay around and how many are remotely exploitable.
  • How to get good seats in the security theater? Hacking boarding passes for fun and profit. - Neat in general, but touched on the need to test things we take for granted (RFID badges, etc.).
  • Game over, man! – Reversing Video Games to Create an Unbeatable AI Player - While this isn't relevant to anything that I'm doing at the moment, it was also probably my favorite talk. It covered reversing Melee, fixing a bug, and creating an unbeatable AI for it.
  • Cyber Grand Shellphish - Follow-up to CGC including the idea of open sourcing EVERYTHING for the community.

(accurate programming flow chart)
DefCon 24 - Programming flow chart

(Melee talk)
DefCon 24 - Melee talk

(The CGC machines and broadcast)
DefCon 24 - CGC machines

CTFs

CTFs are where I spent most of my time this week, and ended up with plenty to show for it.

I ended up 3rd in EndGame's programming and security quiz, but the 1st place guy blew everyone out of the water (415 points to my 140).

At BSides, we ended up tied for 9th with two other teams in their MicroCTF, which was a great start to the week CTF wise.

DefCon 24 - MicroCTF

Once we got to DefCon, we entered the OpenCTF. OpenCTF was definitely harder than a lot of the CTFs that I've done in the past, but still enjoyable. In the end, we ended up tied for 7th (with 2 other teams)! This was an awesome feeling considering the number of teams with quality people that were competing. A big part of our success was the 17-year-old wizard who joined our team after we started, as well as my last-second solve of a crypto challenge (they literally held off shutting it down for a few seconds while I used their connection to submit the flag).

(pic of the final scoreboard, misspelled team name (everscc -> eversec) and all)
DefCon 24 - OpenCTF Scoreboard

(CTFtime post of the final scores)
DefCon 24 - OpenCTF on CTFtime

The final, and most important, CTF that we participated in this year was the IoT Village SOHOpelessly Broken CTF.

We ended up winning this CTF by 3000 points at the end, which was a great feeling.

DefCon 24 - SOHOpelessly Broken

To build on the excitement (and stress) of winning the CTF, we also found out that we were receiving DefCon Black Badges as well! This would be a wild feeling for anyone, let alone someone attending their first DefCon.

We got to go on stage during the closing ceremonies with the team that ran the competition. They announced the 3rd, 2nd, and 1st place finishers, as well as our award.

DefCon 24 - Black Badge award

My teammate even got to give a brief speech about the contest and inspiring even more people to join the next year (as long as we win again of course).

DefCon 24 - Black Badge speech

This was an amazingly exciting and frightening moment that I'll probably never forget for the rest of my InfoSec career.

Conclusion

All in all, I'm even more excited about my career and side projects. I definitely want to go to DefCon every year that I can from now on.

Plus, you know when Rapid7 takes a screenshot of your snap from their party that you've made it big.

DefCon 24 - Rapid7 snap

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
