DEFCON Convention – Black Badges, CTFs, and VEGAS!

While I know this may not be the preferred spelling, I want to repurpose ALL of my old DEFCON convention posts, so here we go!

Table of Contents

  1. DEF CON Security and VPNs
  2. DEFCON Convention – Introduction
  3. DEFCON Convention – DefCon 24 and BSidesLV 2016
  4. DEFCON Convention – DEF CON Black Badge (2016)
  5. DEFCON Convention – DEF CON 25 and BSidesLV 2017 (Hacker Summer Camp)
  6. DEFCON Convention – Black Hat 2018 and DEFCON 26 (Talks > CTFS???)
  7. DEFCON Convention – Conclusion

DEF CON Security and VPNs

If you are bringing your personal device(s) to DEF CON, then I HIGHLY recommend you protect yourself as best as possible.

While the DEFCON convention network has been secured over the years, it never hurts to have a VPN.

Don’t forget, there are also hackers on the Starbucks/hotel/etc. WiFi along with you.

Personally, I use NordVPN, and even have a NordVPN and OpenPYN setup for always-on Linux VPN.

Plus, I’m a NordVPN affiliate, so if you register using the button below, then it helps me out a bunch!

Get Your NordVPN Offer Now!

DEFCON Convention – Introduction

I’ve been to the DEFCON Las Vegas hacking convention for three years now, and I wanted to share my experiences.

During those years, I’ve managed to win a DEFCON black badge TWICE, and ended up +$645 in the casinos.

While Vegas definitely isn’t for everyone, if you have the opportunity, I highly recommend giving DEF CON, Black Hat, and BSidesLV a chance.

It’s also SUPER awesome to see people in person that you only get to talk to online.


DEFCON Convention – DefCon 24 and BSidesLV 2016

While I could easily fill post upon post about various talks, topics, contests, and people, I will try to keep it down to one (reasonably sized) post.

DEFCON Convention – Vegas in General

This was my first trip to Vegas ever, and it was definitely an eye opener. I have never been to anywhere in the world quite like it.

Between the people, the buildings, and all there is to do, it is definitely a unique place.

Vegas was a bit too hot for my liking, and being “just a dry heat” didn’t make it better.

I was finally able to gamble in a casino as well, and came out about $315 ahead for the week. These winnings were from craps alone, and mostly thanks to secure_sean.

(the view from my hotel)
DEFCON Convention - DefCon 24 - Hotel view

The Cons/People

Going to the DEFCON convention (and BSides) for the first time was an amazing experience.

Seeing (and meeting) the people and places that I’ve only read about was pretty awesome, albeit overwhelming at times.

The sheer number of interesting conversations and talks alone was enough for me to think of hundreds of new side projects/ideas, which is awesome.

I also met some awesome people (including a 17-year-old reverse engineering wizard) through CTFs or just general conversations. Additionally, we grabbed a few drinks and sushi with MalwareTech, which was pretty awesome (super friendly guy).

Even if you don’t go to any talks (to quote Grifter, “No talks, not even one!”), the people and the environment alone are reason enough to head to DEF CON at least once.

Raspberry Pi and Kali Deluxe Spy workshop

I signed up for the Raspberry Pi and Kali workshop ($290 for all the toys), which was pretty enjoyable.

As Dallas mentioned at the beginning, Thursdays at DefCon never go anywhere close to plan.

That said, while it took a while to set up, and while there were definitely some hiccups, I had a good bit to take away from the course.

I got to refresh myself on circuits (which I haven’t done in a while) and get some ideas for some projects. In the kit were resistors, LEDs, sensors, a breadboard, and more, which should be more than enough for now.

Plus, finally having a Raspberry Pi and Arduino means I can finally start trying some of the IoT/small hacking projects that I’ve seen and thought about doing.

The second half of the class was even more interesting and relevant to me.

Sean (0hm) walked us through the ARM distro he put together for Kali that included all the relevant tools we might need for wireless or small penetration testing engagements.

Additionally, he brought up the SDR (and the boosted Alfa) we had in our kits, and what sort of things we might be able to sniff and decrypt (including GSM).

I came away from this talk with a lot of toys, and even more ideas (though I can always use more) for what to use them for.

DefCon 24 - Raspberry Pi loot

DEFCON Convention – Talks

Instead of going over every talk that I attended or wanted to attend, I’ll just go a bit more in-depth on two of the more important talks. Below them I’ll list

Six Degrees of Domain Admin – Using Graph Theory to Accelerate Red Team Operations (Bloodhound)

  • Network defenders use charts and lists whereas attackers use graphs; as long as this continues, attackers will have the advantage
  • Bloodhound obtains information about the current Active Directory environment (either stealthily or with AD queries)
  • With this information about AD, Bloodhound then builds a graph of how everything in the network is interconnected
    • Active user sessions on specific systems
    • Group membership based on a user
    • Sub-groups of specific groups
    • Permissions held by a specific group
    • What local administrator accounts have derived privileges on other systems
  • The biggest Red Team takeaway from this is finding the shortest path to Domain Admin using this tool. For example: Server 1 has Steve logged in who is a member of Helpdesk. Helpdesk has admin on Server 2. Server 2 has Joe logged in who is a member of HR. HR has admin on Server 3. Jeff is logged in on Server 3 and is a Domain Admin.
  • Defensively, this tool can show which groups have too many permissions, which servers have too many sessions, which bottlenecks you could remove to make compromises more difficult, etc.
  • This tool also creates amazing visuals that upper management would like in reports and slide decks.
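As an added example (my own illustration, not the talk’s or BloodHound’s code), here is a small Python reconstruction of the idea: a constructed session/membership/admin graph modelled on the Steve/Helpdesk/Joe/HR/Jeff chain above, a breadth-first search for the shortest path to Domain Admins, and a check for which edges are bottlenecks (the defensive use mentioned in the talk). The edge labels, the noise edges, and a second, shorter route through a made-up “Server Admins” group are assumptions for illustration.

```python
from collections import deque

# Constructed sample edges in the shape (source, relationship, target).
# The first eight follow the talk's example chain; the "Server Admins"
# shortcut and the Marketing branch are made up to give the search
# something to choose between and something to ignore.
SAMPLE_EDGES = [
    ("Server1", "HasSession", "Steve"),
    ("Steve", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "Server2"),
    ("Server2", "HasSession", "Joe"),
    ("Joe", "MemberOf", "HR"),
    ("HR", "AdminTo", "Server3"),
    ("Server3", "HasSession", "Jeff"),
    ("Jeff", "MemberOf", "Domain Admins"),
    ("Steve", "MemberOf", "Server Admins"),      # assumed shortcut
    ("Server Admins", "AdminTo", "Server3"),     # assumed shortcut
    ("Server1", "HasSession", "Alice"),          # noise
    ("Alice", "MemberOf", "Marketing"),          # noise
    ("Marketing", "AdminTo", "Printer1"),        # noise, dead end
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; every hop counts 1, so the first time the
    goal is dequeued we have a shortest path. Returns the hops as a list
    of (node, relationship, node) tuples, or None if unreachable."""
    if start not in graph or goal not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph[node]:
            if nxt not in parent:          # first visit = shortest
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def choke_points(edges, start, goal):
    """Defensive view: edges whose removal leaves NO path from start to
    goal. Removing any one of these (e.g. clearing a session, pruning a
    group) breaks every route, not just the shortest one."""
    result = []
    for i, edge in enumerate(edges):
        reduced = edges[:i] + edges[i + 1:]
        if shortest_path(build_graph(reduced), start, goal) is None:
            result.append(edge)
    return result


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for src, rel, dst in shortest_path(g, "Server1", "Domain Admins"):
        print(f"{src} -[{rel}]-> {dst}")
    print("choke points:", choke_points(SAMPLE_EDGES, "Server1", "Domain Admins"))
```

Running it shows the five-hop route through the assumed “Server Admins” group rather than the eight-hop Helpdesk/HR chain, and reports that only the Server1 session, the Server3 session and Jeff’s Domain Admins membership are true bottlenecks.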

Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools

  • This talk really hit home about some of the stuff I’ve been thinking about/saying regarding valuable targets and information, as well as going even further.
  • Eye-opening talk about how the security of penetration testers and their machines/environments is woefully insufficient.
  • There is an incentive for threat actors to attack penetration testers due to the tools and techniques they use, as well as their level of access.
  • Off the shelf equipment (Pwn Plug) and tools (for example: Metasploit) were found to be vulnerable, especially in default configurations, and attacked by the author.
  • Due to the lower bar for entry (widely available talks, tutorials, and basic tools) for some penetration testing, testers don’t take into account that real networks are more dangerous than the examples.
  • The talk also goes into various security points such as:
    • Host security (testing machine)
    • Host security (client/target machine)
    • COMSEC (secure communication, so encrypting e-mails to the dev team with actual vulnerabilities etc.)
    • Client Data in Transit (making sure exfiltrated information isn’t cleartext etc.)
    • Client Data at Rest (what’s being saved on attacking machines or the servers)
    • Potential Threats
    • Insecure Practices
  • Various other insecure TTPs were mentioned.
  • A live demo of hijacking a Meterpreter HTTP(s) session was performed.

Other Talks

  • Data Science or Data Pseudo-Science? Applying Data Science Concepts to Infosec without a PhD – Data science is quite useful in InfoSec, and quite possibly for more people than realize it.
  • Beyond the Tip of the IceBerg — Fuzzing Binary Protocol for Deeper Code Coverage. – Awesome talk about gray or black box fuzzing binaries.
  • DARPA Cyber Grand Challenge Award Ceremony / CGC in general – Not 100% relevant to my job at this time, but I felt like I was watching the future occur the entire time.
  • Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter – Interesting spear phishing approach, could be relevant for a red team engagement.
  • Sticky Keys To The Kingdom: Pre-auth RCE Is More Common Than You Think – Surprising how many vulns stay around and how many are remotely exploitable.
  • How to get good seats in the security theater? Hacking boarding passes for fun and profit. – Neat in general, but touched on the need to test things we take for granted (RFID badges, etc.).
  • Game over, man! – Reversing Video Games to Create an Unbeatable AI Player – While this isn’t relevant to anything that I’m doing at the moment, it was also probably my favorite talk. It covered reversing MELEE, fixing a bug, and creating an unbeatable AI for it.
  • Cyber Grand Shellphish – Follow-up to CGC including the idea of open sourcing EVERYTHING for the community.

(accurate programming flow chart)
DefCon 24 - Programming flow chart

(Melee talk)
DEFCON Convention - DefCon 24 - Melee talk

(The CGC machines and broadcast)
DefCon 24 - CGC machines

CTFs

CTFs are where I spent most of my time this week, and ended up with plenty to show for it.

I ended up 3rd in EndGame’s programming and security quiz, but the 1st place guy blew everyone out of the water (415 points to my 140).

At BSides, we ended up tied for 9th with two other teams in their MicroCTF, which was a great start to the week CTF wise.

DefCon 24 - MicroCTF

Once we got to DefCon, we entered the OpenCTF. OpenCTF was definitely harder than a lot of the CTFs that I’ve done in the past, but still enjoyable. In the end, we ended up tied for 7th (with 2 other teams)! This was an awesome feeling considering the number of teams with quality people that were competing. A big part of our success was the 17-year-old wizard who joined our team after we started, as well as my last-second (they literally held off shutting it down for a few seconds while I used their connection to submit a flag) solving of a crypto challenge.

(pic of the final scoreboard, misspelled team name (everscc -> eversec) and all)
DEFCON Convention - DefCon 24 - OpenCTF Scoreboard

(CTFtime post of the final scores)
DefCon 24 - OpenCTF on CTFtime

The final, and most important, CTF that we participated in this year was the IoT Village SOHOpelessly Broken CTF.

We ended up winning this CTF by 3000 points at the end, which was a great feeling.

DefCon 24 - SOHOpelessly Broken

To build on the excitement (and stress) of winning the CTF, we also found out that we were receiving DefCon Black Badges as well! This would be a wild feeling for anyone, let alone someone attending their first DefCon.

We got to go on stage during the closing ceremonies with the team that ran the competition. They announced the 3rd, 2nd, and 1st place finishers, as well as our award.

DEFCON Convention - DefCon 24 - Black Badge award

My teammate even got to give a brief speech about the contest and inspiring even more people to join the next year (as long as we win again of course).

DefCon 24 - Black Badge speech

This was an amazingly exciting and frightening moment that I’ll probably never forget for the rest of my InfoSec career.

DEFCON Convention – 2016 Conclusion

All in all, I’m even more excited about my career and side projects. I definitely want to go to DefCon every year that I can from now on.

Plus, you know when Rapid7 takes a screenshot of your snap from their party that you’ve made it big.

DefCon 24 - Rapid7 snap


DEFCON Convention – DEF CON Black Badge (2016)

The DEF CON Black Badge that Clayton Dorsey and I won arrived last month, so I can finally blog about it!

DEF CON Black Badge – Introduction

If you did not know, we won a black badge from the SoHopelessly Broken CTF at DEF CON 24.

This contest was, and still is, sponsored by ISE.

It is a great competition, and we had a ton of fun competing in it.

By the end of the conference, we found out that we would be receiving a black badge for our victory!

DEFCON Convention – Closing Ceremonies

Finally, on Sunday, Clayton, Sean, and I went on stage during the closing ceremonies.

DEFCON Convention - DEF CON Black Badge - Closing Ceremonies

It was crazy being up there, especially with that many people watching.

DEF CON Black Badge - Crowd Shot

That said, we gave a short speech, talked about the competition, and received our award.

DEF CON Black Badge - Speech

The Badge (Including Puzzles!)

We only got to see one of the demo badges that day, as we had to wait for DEF CON to ship out the rest.

That said, a few months later, it arrived in the mail!

DEFCON Convention - DEF CON Black Badge - Front

On the back of the badge were DT and Lost’s names.

DEF CON Black Badge - Back 1

Additionally, on the other side, shout-outs to DEF CON 24, Tknofile, and JonnyMac.

DEF CON Black Badge - Back #2

Finally, at the very bottom, were some badge puzzles.

DEFCON Convention - DEF CON Black Badge - Puzzles

The first puzzle looked hex-encoded, but with a different alphabet, and I couldn’t get anything useful out of it.

EE5VDEFSBFDOB1DHBMRLCKFYZUXVC1R4

The second puzzle looked like simple binary. Unfortunately, even brute-forcing all binary strings of that length gave me nothing. I also thought that it might be out of order, based on the fact that Lost (1507) was slightly out of order as well.

10111001101110111101110100111507

If you have any hints, or solutions for these puzzles, then please let me know!

The Badge in Action

This is also a working badge, so here is a quick video of it in action!

This was actually designed by special effects artist Rick Galinson along with 1o57, so it was an awesome one.

DEF CON Black Badge – Conclusion

While I wish I could have shared this sooner, it was still an incredible honor.

I love the badge, and it is super convenient only having to share it between two people.

That said, in the meantime, I was on yet another black badge winning team! Team “What does the Fox Say?” won the Wireless CTF at DEF CON 25.

DEF CON Black Badge - DEF CON 25 Wireless

We (well, one of us per year) now get free entry for life, and get to keep that awesome badge.

Other than that, we’re also enshrined on the DEF CON black badge winners page!


DEFCON Convention – DEF CON 25 and BSidesLV 2017 (Hacker Summer Camp)

Just like last year, I could fill multiple posts with everything that went on this year. That said, I’ll try to keep the content as limited as possible.

DEFCON Convention – Back in Vegas

While Vegas is still the same, it was still nice being back.

Another hot year, but I didn’t expect anything less from Vegas in the summer.

My wallet ended up down $410 this year, but I’ll just blame secure_sean for not doing as well as he did last year.

I ended up switching hotels twice this year, which was probably a mistake. I was at Caesar’s for DEF CON itself, but Bally’s for everything else. Staying at the same hotel as the DEFCON convention is super convenient, but switching twice can definitely be a hassle.

The Cons/People

Another year where I got to either meet or catch-up with some great people.

EverSec found their more remote team members this year, including Tom from last year!

I grabbed lunch with Lee this year along with a bunch of other PowerShell people (DBo, Carlos, etc.).

It was also really nice being able to meet some more of my co-workers in person. We had an impromptu team meeting at an Irish pub this year, and that was a ton of fun.

This year I actually made it to a few more talks (sorry Grifter) at both cons, but I’ll go more in-depth on those below.

Windows Post-Exploitation and Malware Forward Engineering workshop

If you think that the name of this workshop is a mouthful, that was just the beginning.

zerosum and Aleph Naught taught this workshop on Saturday afternoon. Like most workshops, 4 hours was definitely not enough for everything they could have demonstrated.

The first half of this course was basically a deluge of Windows Internals. While pretty overwhelming, there were definitely some useful nuggets I got even in sections I didn’t understand. I don’t know how EVERY part of this was relevant to the title/core content, but that could also be from inexperience. That said, maybe picking up a Win Internals book is in my near future…

Once we got past the first half, we delved into the actual malware development. This course wasn’t about building ransomware or anything particularly malicious, but that isn’t to say that someone couldn’t.

They designed the workshop to bring up a topic, and show a small demo built around that topic. That said, I’ll definitely have to do some work on my own combining a few of these demos into an actual Red Team C2 project.

The most interesting demo modules were toxicserpent and puppetstrings. Toxicserpent was the closest to fully fledged malware, with the ability to log all network traffic, poison, and port-knock for C2. Puppetstrings is an awesome method for hitching a free ride to Ring 0 with signed drivers.

You can find code and slides from the workshop in zerosum’s Github repository.

Talks

I made it to a few talks at both conferences this year, so here’s a quick list of each of them.

BSides LV 2017

  • Password Cracking 201: Beyond the Basics – this talk made me want to get into password cracking. From the description, “My goal with this talk is to help occasional, casual, and non-specialist practitioners bootstrap themselves to the next level of password auditing.” As of now, my workflow has generally been: get hashes, run john hashes.txt, wait, if nothing, then send to someone with a rig. This talk brought up various tools and techniques, and I will likely buy a budget rig because of it soon!
  • How To Obtain 100 Facebook Accounts Per Day Through Internet Searches – A surprisingly simple vulnerability that easily led to the compromise of Facebook accounts. It was incredible to me that Facebook security overlooked this, but there might even be a similar vulnerability that still exists.

DEF CON 25

  • Jailbreaking Apple Watch – this was the first talk I went to at DEF CON this year, but it was way over my head. If you have any interest in Apple Watch exploitation, then this is the talk for you.
  • Real-time RFID Cloning in the Field – this talk brought up a few interesting ideas, but seemed way too similar to Mike’s Wiegotcha for me to try to build that one instead.
  • Exploiting Old Mag-stripe information with New technology – some cool ideas for mag stripe hacking, but I didn’t quite grasp the benefit over just cloning the mag card.
  • A Pineapple, a Turtle, a Bunny, and a Squirrel walk into a bar – Hak5 talking about their upcoming products and changes. Be on the lookout for the new 3G Lan Turtle and the Packet Squirrel (programmable MitM device)!

DEFCON Convention – CTFs

Of course, CTFs are where I spent most of my con time this week, and it was another banner year.

I only ended up 13th in the Amazon MicroCTF this year, which was a little disappointing. That said, I was solo until the 11th hour, and was very close to solving a challenge that would have gotten me 7th.

DEF CON 25 - MicroCTF

There was no DEF CON 25 OpenCTF this year, which was a mixed blessing. I would have loved to compete and do even better this year, but not having it gave me time for other competitions and relaxing.

While EverSec competed in the IoT CTF this year, I was a minor member of the team at best. This year Tom and Dave led the team, who did a great job of representing. We ended up in 6th place I believe, so kudos to those guys.

DEF CON 25 – Wireless CTF

The final, and most important, CTF that I competed in this year was the Wireless CTF.

(The CTF setup)
DEFCON Convention - DEF CON 25 - Wireless CTF Gear

DEF CON 25 - CTF Gear 2

This was my first time really trying to compete in this CTF at any con, and I had a blast. The fox hunts in particular were pretty fun, and a new experience for me.

DEF CON 25 - Fox Hunt

I had the honor of competing with Eric and a number of co-workers/friends on team “What does the fox say?”

DEFCON Convention - DEF CON 25 - WCTF Team

We ended up killing it, and wound up in first by over double the score.

DEF CON 25 - Scoreboard

DEF CON 25 - Scoreboard screenshot

Though this was my first time competing, I was still able to contribute with flags on some of the lower-hanging WEP/WPA access points. Additionally, I helped a little, but learned a lot more, on a few of the SDR challenges.

This is something that I’d like to continue doing at various cons, but I have a little work to do. First, I need to upgrade the gear that I have. The 5GHz spectrum was out of my reach, and the organizers mentioned that they also plan on adding 60GHz in the future. Additionally, my SDR skills are mediocre at best still. Other than that, I need a more portable solution for fox-hunting (walking around with my laptop was a hassle).

Other than that, I learned that a tasty Belgian beer from unclebeer is worth 150 points.

DEFCON Convention - DEF CON 25 - Unclebeer

DEF CON 25 Wireless CTF Prizes

As a team, we got a ton of swag from the organizers for winning.

  • WiFi Pineapple Tetra
  • 5 ESP8266 boards
  • Lock Picks
  • Telefreaks pager watch
  • Ettus b200 with metal case
  • Lan Turtle 3G
  • Bash Bunny
  • Hak5 long-range amp
  • Hak5 WiFi Card
  • HackRF
  • No Starch T-shirt
  • HFC Shirt
  • Wireless Village 2017 coin for each member

DEF CON 25 - USRP

DEF CON 25 - Hak5 Gear

DEFCON Convention - DEF CON 25 - Pager Watch

Once we divvied it all up, I managed to take home a LAN Turtle 3G (gave Eric my old Lan Turtle), the challenge coin, the No Starch shirt, and an ESP8266. Even better, our work pitched in $500 for each employee on the winning team!

DEFCON Black Badge – DEF CON 25

More importantly than that, we also found out that we won a DEFCON Black Badge this year as well! We drew names for this, and steveo ended up winning. Try as he might, he wasn’t able to get Eric to accept it instead.

The badge this year was a solid gold ($1300 worth according to DT) medallion with the DEFCON convention logo on it.

DEF CON 25 - Black Badge

DEF CON 25 - Black Badge 2

DEFCON Convention - DEF CON 25 - Black Badge 3

This was a wild feeling, and I loved being back up on that stage for a second year in a row. If I’m being completely honest though, it was a lot less nerve-wracking with the Buffalo Trace (thanks Steve!) in me and my experience doing it last year.

We got to go on stage during the closing ceremonies with the team that ran the competition. They announced the 3rd, 2nd, and 1st place finishers, as well as our award. I apologize for the finger in some of the photos…blame unclebeer.

DEF CON 25 - Closing Ceremonies

DEF CON 25 - Closing Ceremonies 2

DEFCON Convention - DEF CON 25 - Closing Ceremonies 3

DEF CON 25 - Closing Ceremonies 4

Eric got to give a brief speech about the contest and inspiring even more people to join the next year.

Unfortunately for our team, it was also announced that Eric would be banned from competing in the future, as he’s won three years in a row. That said, it was also followed up with the great announcement that Eric would be sitting on the other side of the table next year! While I was hoping to get another year of learning from Eric, I’m looking forward to the challenges that he’ll bring next year.

At this point, I’ve won 2 black badges in 2 DEFCON conventions, and now I want to win them in even more competitions! This was another exciting moment, and I’ll never forget it for the rest of my career.

Plus, we got to take some fun pictures afterwards.

(The off-stage photographer took these, and I’ve been unable to find them so far).

Other than that, if you ask really nicely, I might be able to upload a video of Eric practicing for the shock collar shootout.

DEFCON Convention – 2017 Conclusion

Another year in Vegas, and another 100 tabs in my TODO folder to show for it.

As hot and expensive as Vegas is, I know that I’m not one of those people who says, “I’m not going next year.”

Plus, Caesar’s was far more enjoyable than Paris/Bally’s last year, so that helped out a lot.

Other than that, I may try to submit a talk to DEF CON Beijing when DT finally officially announces it! I’ve never been to China, and I’d love to help him build the community over there.


DEFCON Convention – Black Hat 2018 and DEFCON 26 (Talks > CTFS???)

I took my third trip to Vegas for Black Hat / DEF CON 26.

DEFCON Convention – Black Hat / DEF CON – Back to Vegas!

Since I was taking training at Black Hat this year, I ended up spending eleven total days (3 August – 14 August) in Vegas. That definitely took a lot out of me, and I was a bit worn down by Friday at DEF CON. That said, the training was awesome, and I’m sure I’ll end up back in Vegas again.

I was a bit surprised that I didn’t get a TSA golden ticket in my bag this year. Not only did I have all of my gear with me, but I also packed some protein powder. I was hoping to keep up my diet as best I could, but that didn’t work out as well as I’d have hoped.

Black Hat / DEF CON - Protein powder

It was almost an even more awesome year, with Evo going on around the same time as Black Hat. Unfortunately, I was in class during the entirety of the tournament.

DEFCON Convention - Black Hat / DEF CON - EVO

As always, it was hotter than I expected, or hotter than I’d ever want.

The tables were VERY kind to me this year, and I ended up +$500 in Blackjack and +$240 in Craps. That brings my three-year total to up $645 ($315 – $410 + $740)!

I also stayed at Caesar’s the entire time this year, so I didn’t have to deal with last year’s fiasco of switching.

Black Hat / DEF CON - Caesar's

Cons, People, and Vegas

I got to catch up with a few people this year, but missed out on a few others. That was alright, but I’m hoping to catch up with them again next year!

There were even more co-workers there this year, and we even went out for a round of Top Golf.

Black Hat / DEF CON - Top Golf

Since so many of us left at the same time, we also got to grab a “limo” on the way back to the casino.

DEFCON Convention - Black Hat / DEF CON - Limo

Las Vegas Distillery

The RTP SecBeers group planned a day trip out to the LV Distillery, which was tons of fun.

This was actually the first distillery in Nevada, and they’ve operated for a while.

Black Hat / DEF CON - Distillery equipment

They make everything from vodka and gin, to various whiskeys, and even liqueurs. During our tasting, we got to try whatever we wanted, so I decided to taste the entire lineup!

Black Hat / DEF CON - Distillery offerings

In the end, I’m still a whiskey man though, so I had some extra tastes of those offerings.

DEFCON Convention - Black Hat / DEF CON - LV Whiskey

Afterwards, we went to the Hi-Scores Bar Arcade, which was also a lot of fun.

Food

Another year in Vegas, and another year of delicious (albeit expensive) food.

Just like last year, we had a wonderful group dinner at Momofuku. And, like last year, we got the fried lobster and shrimp bowl of joy.

Black Hat / DEF CON - Momofuku

We also stopped at the Bacchanal Buffet again for one meal, which is always far too filling.

Finally, I got to try a sushi burrito this year. It was definitely unique, especially considering I got a side of chips and queso.

Black Hat / DEF CON - Sushi burrito

SpecterOps Adversary Tactics: Red Team Operations

This course was incredible, and I could easily write an entire blog post about it. Actually, I still might, but we’ll see…

I’ve never done any stealthy red teaming before, so that was a new experience for me. I’ve also never used Cobalt Strike before, but I was pretty enthralled with it by the end of the course.

Being actively “hunted” during the lab/CTF was incredibly valuable, as was the real-time feedback from the Cerberus IDS.

The class covered everything from infiltration, to stealth, to AD abuse, infrastructure, defense mechanisms, and everything in between.

One of my biggest takeaways was thinking about my infrastructure, how to configure and protect it, and the willingness to burn it at a moment’s notice.

I also realized that I’ve never had visibility into my own attacks before, especially having never been a blue team member.

This has gotten me setting up more appropriate Windows lab environments, as well as multiple domains to practice those attacks.

I’ve also stood up my own instance of HELK, so that I can actively hunt myself when it is all said and done.

DEFCON Convention - Black Hat / DEF CON - HELK

Even if I don’t write an entire post about this course, I’ve got plenty in the pipe after taking it.

Also, none of this mentions how awesome the instructors were. They were willing to help, many were experts in their own right, and they made a grueling 4 day course a ton of fun.

I think my only qualm about the course was how engaging the CTF was. There were times that I was more focused on the CTF than actually learning what they were trying to cover. That said, I came home with all the materials and solutions, so I can go over them at my leisure. It was worth it though, as we ended up tied for second when it was all said and done!

If you want to take this class, then I can HIGHLY recommend it.

BlackHat and Swag

After my training course, I had a little time to stop by the Black Hat vendor area. Having only heard tales and seen pictures before, this was definitely a new experience.

While I wasn’t like my teammates attempting to get every piece of swag in the building, I did come home with a few bags, shirts, and trinkets.

My favorite piece of swag is probably this hat that I got. Infosec plus Marvel humor? I’m in.

Black Hat / DEF CON - Root hat

Other than that, it was interesting interacting with the vendors. Even after telling them what I did, many of them gave me the same generic CISO spiel for their product. The most interesting were the ones that actually talked to me like a person, and a penetration tester. I have to commend Bromium over the rest at this. I spent a while talking to one of their CTOs I believe, and it was engaging. We discussed how their product actually works, and what potential downsides it might have. He picked my brain about how I might try to avoid it (staying in memory), and he said that would probably work. I’d like to reach out to them for a demo and to perform some research after that conversation.

Pluralsight

I also stopped by the Pluralsight booth, and they had a “Security for Hackers and Developers” quiz with a leaderboard. I decided to give it a spin, and ended up beating second place by 21 points! This was a pretty intense quiz, but definitely heavy on the advanced exploit development side. If you’re interested, you can find it here.

Black Hat / DEF CON - Pluralsight score

They gave me a $100 Tapplock for my troubles, which was pretty awesome. Of course, it’s the one that already has a few vulnerabilities, so I’m not sure if I’ll find anything interesting.

DEFCON Convention - Black Hat / DEF CON - Tapplock

Unfortunately, my reign atop the leaderboard didn’t last very long. As I was finishing up the quiz, Sean showed up behind me. We talked for a while, and I finally convinced him to take it as well.

He ended up beating my score by 4 points, and we stayed on top until the end of the conference (as far as I know).

Black Hat / DEF CON - Leaderboard

It was all in good fun, and we got to explain to the vendors how we knew each other and what we did. Plus, we got a cute picture in front of our final scores!

Black Hat / DEF CON - Sean and Me

DEFCON Convention – Talks

I managed to catch a lot more talks this year than the last two combined. It was nice not having to wait for them on YouTube, and I do enjoy some DCTV + food/recharging in my room.

While I’m not going to go over every talk I saw like in earlier years, there are a few that I’d like to cover.

  • Weaponizing Unicode: Homographs Beyond IDNs – while I’ve talked a bit about homoglyphs in the past, this was awesome. Not only were there some really neat attacks, there were also a few fun PoCs that I want to try. Other than that, the idea of using OCR as a defense completely blew my mind. It’s so obvious, and a field that has already been studied quite a bit.
  • Practical & Improved Wifi MitM with Mana – I’ve never actually used Mana before, so this was nice. Mana seems like it can automate a lot of the wireless rogue device attacks that I’ve performed manually. Additionally, they’ve added a lot of functionality about enterprise networks, which might be nicer than the tools that I’m using. Finally, I really want to play in the simulated wireless lab that they mentioned.
  • Your Bank’s Digital Side Door – this was an eye-opening talk, especially having worked in the financial industry before. I never really knew how OFX worked, or the differences between the versions. There were plenty of examples of potential vulnerabilities, poor implementations, and banks unnecessarily leaking information left and right.
  • Inside the Fake Science Factory – this talk was CRAZY. I knew of the publish or perish nature of science and academia, but not how bad it could get. The level to which some organizations, companies, and people will stoop is incredible. While it is not in English, I at least recommend you watch their documentary. Spoiler alert: their 100% computer-generated paper won best talk at a conference.
  • Demystifying MS17-010: Reverse Engineering the ETERNAL Exploits – this was definitely a technically heavy talk, and it was cut down to fit in the time slot. That said, zerosum obviously knows his stuff, and we have him to thank for the porting of some of the ETERNAL* exploits. I took his Malware Forward Engineering workshop last year, so I knew what to expect. That said, I got lost myself about halfway through or so. If you’ve ever been curious about how you’ve been able to own so many boxes with one exploit, then this is the talk for you.
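As an added example (not code from the talk or from this post), here is a minimal Python check for the two homograph cases the Unicode talk covers: a hostname label that mixes scripts (Cyrillic а followed by Latin pple), and a whole-script lookalike that a mixed-script check alone lets through, which is why a skeleton comparison against the names you care about is also needed. The confusable map below is a hand-picked subset and an assumption; the authoritative table is Unicode's confusables.txt.

```python
"""Homograph checks for hostnames: mixed-script labels and whole-script confusables.

Added example, not from the talk or the post. The CONFUSABLES map is a small
hand-built subset (an assumption); use Unicode confusables.txt for real work.
"""
from __future__ import annotations

import unicodedata

# Lookalikes mapped to the Latin letter they imitate. Partial by design.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def script_of(ch: str) -> str:
    """Approximate the Unicode script of one character.

    The stdlib has no Script property, so the first word of the character
    name is used (LATIN, CYRILLIC, GREEK, CJK, ...). Digits, punctuation,
    symbols and separators are treated as COMMON so they never count as a
    second script in a label.
    """
    if unicodedata.category(ch)[0] in "NPSZ":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def scripts_of(label: str) -> set[str]:
    """Set of non-COMMON scripts used in a single hostname label."""
    return {s for s in map(script_of, label) if s != "COMMON"}


def mixed_script_labels(hostname: str) -> list[str]:
    """Return the labels of hostname that use more than one script.

    NFKC is applied first so compatibility forms (fullwidth letters, long s)
    fold to their canonical letters, as IDNA processing would do anyway.
    """
    hostname = unicodedata.normalize("NFKC", hostname)
    return [lab for lab in hostname.split(".") if len(scripts_of(lab)) > 1]


def skeleton(text: str) -> str:
    """Fold lookalike characters to their Latin target to compare visual shape."""
    folded = unicodedata.normalize("NFKC", text).lower()
    return "".join(CONFUSABLES.get(c, c) for c in folded)


def confusable_with(hostname: str, targets: list[str]) -> str | None:
    """Return the first target that hostname looks like but is not equal to.

    Catches whole-script lookalikes (all-Cyrillic 'ѕсоре' for 'scope') that
    mixed_script_labels() cannot flag because only one script is present.
    """
    host_sk = skeleton(hostname)
    host_norm = unicodedata.normalize("NFKC", hostname).lower()
    for target in targets:
        if skeleton(target) == host_sk and unicodedata.normalize("NFKC", target).lower() != host_norm:
            return target
    return None


def to_ace(hostname: str) -> str:
    """The punycode (xn--) form a resolver actually sees for the hostname."""
    return hostname.encode("idna").decode("ascii")


if __name__ == "__main__":
    # Constructed sample inputs: a clean name, a mixed-script lookalike and a
    # whole-script (all Cyrillic) lookalike.
    brands = ["apple.com", "scope.com"]
    samples = ["apple.com", "\u0430pple.com", "\u0455\u0441\u043e\u0440\u0435.com"]
    for host in samples:
        print(f"{host!r:>14} -> {to_ace(host):<22} mixed={mixed_script_labels(host)} "
              f"confusable_with={confusable_with(host, brands)}")
```

The second sample is caught by the mixed-script rule and the third only by the skeleton comparison, which is the point the talk makes about homographs that sit inside a single script.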

Finally, while this was at the DEF CON vendor area and not an actual talk, it is still worth including. While walking around, we spotted a beagle wandering around near the Hacker Warehouse table! This was awesome, as I have one of these at home myself.

DEFCON Convention - Black Hat / DEF CON - Beagle

DEF CON Workshop – Fuzzing with AFL (American Fuzzy Lop)

I took another free workshop this year at the DEFCON convention, and this year it was about fuzzing.

While it isn’t up yet, you should eventually be able to find the slides on the media server.

This was a 4-hour AFL workshop taught by Jakub Botwicz and Wojciech Rauner from Samsung Poland. Unfortunately, this wasn’t really enough time to do a proper deep dive into some of the topics, and the sections felt a little sporadic here and there.

That said, I did get a few ideas for Makefiles and targets to assess, so that was good. I would have liked a bit more manual processing, as the provided Makefiles abstracted almost everything out. Additionally, some exploitation (or at least triage) would have been awesome, but I know we were severely time limited.

I am looking forward to playing with AFL more, but the most interesting part was combining it with QEMU for black box fuzzing.

Black Hat / DEF CON – CTFs

Unlike the last two years, I did not spend a lot of time CTF-ing this year. After the grueling SpecterOps CTF, plus my time in Vegas already, I was a bit worn down by the time Thursday rolled around.

I started out in the Wireless CTF room. That said, most of the 802.11 challenges weren’t working, so that was a little disheartening. Additionally, even with the bigger room, it was crazy crowded this year.

I was also invited by Tom/Dave/Joe to the OpenCTF room, but was never able to make it.

Finally, Welcome Thrillhouse Group had a small team rolling in the IoT CTF, but I just helped them with ideas and suggestions from a distance. That said, Matt did post a few write-ups, so definitely check them out!

While I would have loved to go 3/3 for DEF CON black badges, I’m ok with the way this year went. There are definitely pros and cons to spending the entire conference participating in CTFs. That said, I’m glad that I took a break from it all this year.

DEFCON Convention – 2018 Conclusion

This was my third year in Vegas, so I’ve at least got a FEW fewer tabs to show for it.

I did have some great fun and food this year, even including my airport nachos before leaving.

Black Hat / DEF CON - Nachos

That said, this was the first year that I thought about saying, “I’m not going next year.” I’ll probably still go, but I’m not sure if I can handle another 11 day trip next year.

Black Hat / DEF CON - Goodbye Vegas

Caesar’s is still a better venue, but it cannot handle the sheer number of people who show up. Next year should add another 80,000 sq ft., but we’ll see.

The only cons left on my docket for 2018 are DerbyCon and BSidesRDU, so it’s time for the closing stretch!

DEFCON Convention – Conclusion

I’m sad that conflicts or global viruses prevented me from making it to any of the Vegas hacker conferences in 2019 or 2020.

That said, I might go in 2021 or 2022 depending on how things play out.

I’d still recommend giving DEF CON a shot, but don’t feel bad if you need to take a break or two in between.

Maybe next time, I’ll find a healthy balance between the CTFs and the other activities!
