Talk/Event Schedule


Thursday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

Thursday - 07:00 PDT


Return to Index  -  Locations Legend
RTV - (07:30-07:59 PDT) - Red Team Village Announcements and Remarks - Joseph Mlodzìanowskì (cedoXx),Omar Ωr

Thursday - 08:00 PDT


RTV - The Bug Hunter’s Methodology - Jason Haddix

Thursday - 09:00 PDT


BTVT1 - Blue Team Village - Opening Ceremony
DC - (09:30-09:59 PDT) - Discovering Hidden Properties to Attack Node.js ecosystem - Feng Xiao
RTV - Red Team Village CTF - Prequal -
RTV - (09:15-10:15 PDT) - Securing AND Pentesting the Great Spaghetti Monster (k8s) - Kat Fitzgerald
WLV - wicked wardriving with gps and glonass - wytshadow
WLV - Introduction to WiFi Security - Nishant Sharma
WLV - Wireless Blue Team - Eric Escobar
WLV - DragonOS - How I kept busy during COVID19 - cemaxecuter
WLV - The Basics Of Breaking BLE v3 - FreqyXin

Thursday - 10:00 PDT


BTVT1 - (10:15-10:59 PDT) - Graylog: An Introduction Into OpenSOC CTF Tools - Lennart Koopmann
DC - (10:30-10:59 PDT) - Room for Escape: Scribbling Outside the Lines of Template Security - Alvaro Munoz,Oleksandr Mirosh
RTV - cont...(09:15-10:15 PDT) - Securing AND Pentesting the Great Spaghetti Monster (k8s) - Kat Fitzgerald
RTV - (10:30-11:30 PDT) - Guerrilla Red Team: Decentralize the Adversary - Christopher Cottrell

Thursday - 11:00 PDT


BTVW1 - (11:15-11:59 PDT) - Kibana: An Introduction Into OpenSOC CTF Tools - TimDotZero
DC - (11:30-11:59 PDT) - DNSSECTION: A practical attack on DNSSEC Zone Walking - Hadrien Barral,Rémi Géraud-Stewart
RTV - cont...(10:30-11:30 PDT) - Guerrilla Red Team: Decentralize the Adversary - Christopher Cottrell
RTV - (11:45-12:45 PDT) - Evil Genius: Why you shouldn't trust that keyboard - Farith Perez,Mauro Cáseres

Thursday - 12:00 PDT


BTVW1 - (12:15-12:59 PDT) - OpenSOC CTF Tool Demo: Moloch
DC - (12:30-12:59 PDT) - Hacking the Hybrid Cloud - Sean Metcalf
RTV - cont...(11:45-12:45 PDT) - Evil Genius: Why you shouldn't trust that keyboard - Farith Perez,Mauro Cáseres

Thursday - 13:00 PDT


BTVW1 - (13:15-13:59 PDT) - Osquery: An Introduction Into OpenSOC CTF Tools - Whitney Champion
DC - (13:30-13:59 PDT) - Hacking traffic lights - Rik van Duijn,Wesley Neelen
HTS - Dockside with the US Coast Guard
RTV - Combining notebooks, datasets, and cloud for the ultimate automation factory - Ryan Elkins

Thursday - 14:00 PDT


BTVW1 - (14:15-14:59 PDT) - Velociraptor: An Introduction Into OpenSOC CTF Tools - Mike Cohen
DC - (14:30-14:59 PDT) - Hacking the Supply Chain – The Ripple20 Vulnerabilities Haunt Hundreds of Millions of Critical Devices - Ariel Schön,Moshe Kol,Shlomi Oberman
RTV - (14:15-15:15 PDT) - Deep Dive into Adversary Emulation - Ransomware Edition - Jorge Orchilles

Thursday - 15:00 PDT


BTVW1 - (15:15-15:59 PDT) - Zeek: An Introduction Into OpenSOC CTF Tools - Aaron Soto,Amber Graner
DC - (15:30-15:59 PDT) - Demystifying Modern Windows Rootkits - Bill Demirkapi
RTV - cont...(14:15-15:15 PDT) - Deep Dive into Adversary Emulation - Ransomware Edition - Jorge Orchilles
RTV - (15:30-16:30 PDT) - Introducing DropEngine: A Malleable Payload Creation Framework - Gabriel Ryan

Thursday - 16:00 PDT


BTVW1 - (16:15-16:59 PDT) - Suricata: An Introduction Into OpenSOC CTF Tools - Josh
DC - (16:30-16:59 PDT) - Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise - Erik Hunstad
RTV - cont...(15:30-16:30 PDT) - Introducing DropEngine: A Malleable Payload Creation Framework - Gabriel Ryan
RTV - (16:45-17:45 PDT) - Zero Trust - A Vision for Securing Cloud and Redefining Security - Vandana Verma Sehgal

Thursday - 17:00 PDT


BTVW1 - (17:15-17:59 PDT) - OpenSOC CTF Tool Demo: Thinkst Canary
RTV - cont...(16:45-17:45 PDT) - Zero Trust - A Vision for Securing Cloud and Redefining Security - Vandana Verma Sehgal

Thursday - 18:00 PDT


RTV - What college kids always get wrong, the art of attacking newbies to blueteam - Forrest Fuqua

Thursday - 19:00 PDT


RTV - (19:15-20:15 PDT) - Android Malware Adventures - Kürşat Oğuzhan Akıncı,Mert Can Coşkuner

Thursday - 20:00 PDT


RTV - cont...(19:15-20:15 PDT) - Android Malware Adventures - Kürşat Oğuzhan Akıncı,Mert Can Coşkuner
RTV - (20:30-21:30 PDT) - Making Breach and Attack Simulation Accessible and Actionable with Infection Monkey - from IT to the C-suite - Shay Nehmad

Thursday - 21:00 PDT


RTV - cont...(20:30-21:30 PDT) - Making Breach and Attack Simulation Accessible and Actionable with Infection Monkey - from IT to the C-suite - Shay Nehmad
RTV - (21:45-22:45 PDT) - Android Application Exploitation - Kyle Benac (aka @B3nac)

Thursday - 22:00 PDT


RTV - cont...(21:45-22:45 PDT) - Android Application Exploitation - Kyle Benac (aka @B3nac)

Thursday - 23:00 PDT


RTV - Offensive Embedded Exploitation : Getting hands dirty with IOT/Embedded Device Security Testing - Kaustubh Padwad

Talk/Event Descriptions


RTV - Thursday - 21:45-22:45 PDT


Title: Android Application Exploitation
When: Thursday, Aug 6, 21:45 - 22:45 PDT
Where: Red Team Vlg

SpeakerBio:Kyle Benac (aka @B3nac)
Kyle Benac (aka @B3nac) currently works as a full-time Security Researcher at Acronis SCS. Prior to this, he obtained his Bachelor of Science in Software Development and Security while on active duty in the Air Force. He really enjoys hacking Android applications and participating in bug bounty programs. Creator of the InjuredAndroid Capture the Flag (CTF) training application and developer of HackerOne's BountyPay Android application. Listed as a Top Contributor to the OWASP Mobile Security Testing Guide with over 58 contributions to the manual.
Twitter: @B3nac

Description:
Android applications are treasure chests of potential bugs waiting to be discovered. Having a structured, streamlined approach greatly improves your efficiency and assessment accuracy. This talk will go over methods used to identify the type of mobile framework to better assess possible attack vectors. Examples will be provided to demonstrate how to exploit those vectors.

Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage


Return to Index    -    Add to    -    ics Calendar file

RTV - Thursday - 19:15-20:15 PDT


Title: Android Malware Adventures
When: Thursday, Aug 6, 19:15 - 20:15 PDT
Where: Red Team Vlg
Speakers:Kürşat Oğuzhan Akıncı,Mert Can Coşkuner

SpeakerBio:Kürşat Oğuzhan Akıncı
Kürşat Oğuzhan Akıncı is a Security Engineer at Trendyol. He is also team leader of Blackbox Cyber Security, Turkey's first cyber security volunteer group, and coordinator and mentor of Turkcell CyberCamp and Turkish Airlines CyberTakeOff. In his free time Kürşat performs security research through bug bounty programs, in which he has found several vulnerabilities in critical institutions such as the NSA, as well as helping Mert Can break into C&Cs.

SpeakerBio:Mert Can Coşkuner
Mert Can Coşkuner is a Security Engineer at Trendyol. He maintains a Penetration Testing and Malware Analysis blog at medium.com/@mcoskuner. In his free time Mert Can performs mobile malware research and threat intelligence.

Description:
Android malware is evolving every day and is everywhere, even in the Google Play Store. Malware developers have found ways to bypass Google's Bouncer as well as antivirus solutions, and many alternative techniques to operate the way Windows malware does. Using a benign-looking application as a dropper is just one of them. This talk is about Android malware on the Google Play Store that targets Turkey. The talk will cover:
1. Techniques to Analyze Samples: Unencrypted samples are often used to retrieve personal information to sell and do not use obfuscation. Encrypted samples, however, are used for much more sophisticated tasks like stealing banking information. They decrypt themselves by getting the key from a Twitter account owned by the malware developer and operate by communicating with the C&C. Also, most banking samples use techniques like screen injection and dependency injection, which is mostly used by Android application developers.
2. Bypassing Anti-Techniques: To be able to dynamically analyze a sample, defeating anti-techniques is often needed. We will introduce some (known) Frida scripts to defeat the common anti-analysis checks malware uses.
3. Extracting IoCs: Extracting the Twitter account as well as the C&C from encrypted samples is often critical to performing threat intelligence on samples. Extracting IoCs while the assets are still active was crucial for our research, since we also aim to take over C&Cs. We will introduce a (known) automation technique to extract the Twitter account, decryption key and C&C address.
4. Extracting Stolen Information from C&Cs: In order to extract information from a C&C, one must act swiftly. The speed of the extraction process is critical, since the actors change C&Cs often. We will give a detailed walkthrough of how we approach C&Cs as a target and extract the information.
The samples and information in this talk are the product of our research over many BankBot samples as well as samples from other Turkish malware developers. Detailed talk outline:
• Google Play Store and Malware
• Common Android Malware Types
• Campaigns Aiming Turkish Users
• How To Approach An Android Malware — Techniques to Analyze
• How To Approach An Android Malware — Defeating Anti-Techniques
• How To Approach An Android Malware — Decrypting Bankbots
• How To Approach An Android Malware — IoC Extraction
• C&Cs — What Are They
• C&Cs — How To Infiltrate and Extract Information

Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



RTV - Thursday - 13:00-13:59 PDT


Title: Combining notebooks, datasets, and cloud for the ultimate automation factory
When: Thursday, Aug 6, 13:00 - 13:59 PDT
Where: Red Team Vlg

SpeakerBio:Ryan Elkins
Ryan Elkins leads the cloud security architecture program for Eli Lilly and Company. Elkins has over 12 years of security experience leading programs across the financial, insurance, and pharmaceutical industries. Throughout his career, he has developed cloud and application security programs, managed a global security services center, performed security consulting, and led a global information security program. Elkins holds the CISSP and CCSP certifications, a bachelor's degree in Computer Technology, and a master's degree in Information Security.

Description:
The technological landscape is rapidly transforming into a data-driven, automated, and measured ecosystem. Cloud is an enabler for businesses to become more agile, scalable, and global to maintain a competitive advantage. There are numerous opportunities for red teamers to adopt these same modern strategies to level up their skills, platforms, and yes, even reporting. Attendees will learn how to begin integrating cloud capabilities, scientific notebooks, and aggregated datasets into a highly efficient operating model. We will walk through cloud technologies including AWS SageMaker, Athena, Lambda, and API Gateway to build an end-to-end ecosystem of automation. This session will provide demos, accelerators, and code releases to make both routine processes and innovative techniques faster, repeatable, and scalable.

Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



CNE - Thursday - 09:00-17:59 PDT


Title: Darknet Contest
When: Thursday, Aug 6, 09:00 - 17:59 PDT
Where: See Description or Village

Description:
Here at Darknet, we are a Real Life (RL) Massively Multiplayer Online Role Playing Game (MMORPG), where we teach you real-life skills and you get in-game points for them. Some may call this gamified learning. We assume no prior knowledge of a subject, teach you the basics, then challenge you to use what you have learned. Our contest has a range of quests, starting with simple tasks and working your way up to very complex problems.

In the past we have taught you how to lock pick, crack WiFi, create a PGP key and communicate online safely, as well as soldering, programming, and code cracking, just to name a few. From there we would send you on quests to the different villages to learn something from them, and then come back and test your skills.

But alas, we have been forced underground… and while the physical aspect of the conference has moved online, so have we. This year we will be focusing on the skills you will learn, past skills you will refresh, and your interactions with the community. There will not be a points scoreboard this year. Many of you who previously bought the Darknet 8 Badge have not unlocked its full features. We have quests to teach you how to interact with, develop for, and reprogram it. It's time to Learn, Teach, and Play. Agents, are you ready?


Info: https://dcdark.net/

Discord: https://discordapp.com/channels/708208267699945503/735849065593438248/737077762845704224

Twitter DCDarkNet: https://twitter.com/DCDarknet

Twitter Holon: https://twitter.com/Holon_Network



RTV - Thursday - 14:15-15:15 PDT


Title: Deep Dive into Adversary Emulation - Ransomware Edition
When: Thursday, Aug 6, 14:15 - 15:15 PDT
Where: Red Team Vlg

SpeakerBio:Jorge Orchilles
Jorge Orchilles is the Chief Technology Officer of SCYTHE and co-creator of the C2 Matrix project. He led the offensive security team at Citi for over 10 years; a SANS Certified Instructor; author of Security 564: Red Team Exercises and Adversary Emulation; founding member of MITRE Engenuity Center of Threat-Informed Defense; CVSSv3.1 working group voting member; co-author of a Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry; ISSA Fellow; and NSI Technologist Fellow. Jorge holds post-graduate degrees from Stanford and Florida International University in Advanced Computer Security & Master of Science. 

Description:
A day hardly goes by without hearing about another ransomware attack. This talk will focus on how to emulate a ransomware attack without introducing risk. We will understand how ransomware works, learn how criminals are evolving to get paid, create an adversary emulation plan that is safe but valuable for enterprises, and discuss how to defend against ransomware attacks.

Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test that focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement.


Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



DC - Thursday - 15:30-15:59 PDT


Title: Demystifying Modern Windows Rootkits
When: Thursday, Aug 6, 15:30 - 15:59 PDT
Where: DEF CON Q&A Twitch

SpeakerBio:Bill Demirkapi , Independent Security Researcher
Bill is a student at the Rochester Institute of Technology with an intense passion for Windows Internals. Bill's interests include game hacking, reverse engineering malware, and exploit development. In his pursuit to make the world a better place, Bill constantly looks for the next big vulnerability following the motto "break anything and everything".
Twitter: @BillDemirkapi

Description:
This talk will demystify the process of writing a rootkit, moving past theory and instead walking the audience through the process of going from a driver that says "Hello World" to a driver that abuses never-before-seen hooking methods to control the user-mode network stack. Analysis includes common patterns seen in malware and the drawbacks that come with malware in kernel-mode rather than user-mode. We'll walk through writing a rootkit from scratch, discussing how to load a rootkit, how to communicate with a rootkit, and how to hide a rootkit. With every method, we'll look into the drawbacks ranging from usability to detection vectors. The best part? We'll do this all under the radar, evading PatchGuard and anti-virus.

This is a live Question & Answer stream. You'll want to have watched the corresponding pre-recorded talk prior to this Q&A session.

All DEF CON Q&A streams will happen on Twitch. Discussions and attendee-to-speaker participation will happen on Discord (#track-1-live).


Twitch: https://www.twitch.tv/defconorg

#track-1-live: https://discord.com/channels/708208267699945503/733079621402099732



DC - Thursday - 09:30-09:59 PDT


Title: Discovering Hidden Properties to Attack Node.js ecosystem
When: Thursday, Aug 6, 09:30 - 09:59 PDT
Where: DEF CON Q&A Twitch

SpeakerBio:Feng Xiao , security researcher at Georgia Tech
Feng Xiao is a security researcher at Georgia Tech. His research interests include software/system security. He has published three papers on top security venues such as DEFCON, IEEE S&P, and CCS.
https://fxiao.me/

Description:
Node.js is widely used for developing both server-side and desktop applications. It provides a cross-platform execution environment for JavaScript programs. Due to the increasing popularity, the security of Node.js is critical to web servers and desktop clients.

We present a novel attack method against the Node.js platform, called hidden property abusing (HPA). The new attack leverages the widely used data-exchange features of JavaScript to tamper with critical program states of Node.js programs, such as server-side applications. HPA enables remote attackers to launch serious attacks, such as stealing confidential data, bypassing security checks, and launching denial-of-service attacks. To help developers detect HPA issues in their Node.js applications, we developed a tool, named LYNX, that uses hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. We applied LYNX to a set of widely used Node.js programs and identified 13 previously unknown vulnerabilities. LYNX successfully generated 10 severe exploits. We have reported all of our findings to the Node.js community. At the time of writing, we have received confirmation of 12 vulnerabilities and got 12 CVEs assigned. Moreover, we collaborated with an authoritative public vulnerability database to help them adopt a new vulnerability notion and description for related security issues.

The talk consists of four parts. First, we will introduce recent offensive research on Node.js. Second, we will introduce HPA by demonstrating an exploit on a widely-used web framework. Third, we will explain how to leverage program analysis techniques to automatically detect and exploit HPA. In the end, we will have a comprehensive evaluation which discusses how we identified 13 HPA 0days with the help of our detection method.
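The abstract names the mechanism (data exchange carrying a property the program never documents into an internal object) but not a concrete instance. The following is an added example, not the speaker's code and not the LYNX tool or any of the 13 reported vulnerabilities: a constructed Node.js handler that merges a parsed JSON body into an internal query object, so a client can set an internal-only flag, placed beside an allow-listed version that cannot be reached that way. The store, field and user names are all constructed for the illustration.

```javascript
// Added example for this schedule entry; it is not the speaker's code and
// not the LYNX tool. It shows the general pattern the abstract describes:
// a property the application never documents ("hidden") reaches an
// internal object through ordinary JSON data exchange. Module, field and
// user names below are constructed for the illustration.

// Constructed internal user store. `findUsers` honours an undocumented
// `includeSecrets` flag that only trusted server code is meant to set.
const USERS = [
  { id: 1, name: "alice", role: "admin", apiToken: "tok-alice-SECRET" },
  { id: 2, name: "bob", role: "user", apiToken: "tok-bob-SECRET" },
];

function findUsers(query) {
  return USERS.filter((u) => query.role === undefined || u.role === query.role)
    .map((u) => {
      const out = { id: u.id, name: u.name, role: u.role };
      if (query.includeSecrets === true) out.apiToken = u.apiToken; // hidden property read
      return out;
    });
}

// Vulnerable handler: the parsed request body is merged wholesale into the
// internal query object, so every client-supplied property propagates.
function vulnerableHandler(rawBody) {
  const body = JSON.parse(rawBody);
  const query = { role: "user" };   // the only documented filter
  Object.assign(query, body);       // hidden properties ride along here
  return findUsers(query);
}

// Hardened handler: copy only documented fields, checked by type, into a
// fresh object. Unknown properties never reach the internal API.
const ALLOWED_FIELDS = { role: "string" };

function hardenedHandler(rawBody) {
  const body = JSON.parse(rawBody);
  const query = { role: "user" };
  for (const [key, type] of Object.entries(ALLOWED_FIELDS)) {
    if (Object.prototype.hasOwnProperty.call(body, key) && typeof body[key] === type) {
      query[key] = body[key];
    }
  }
  return findUsers(query);
}

// Constructed attacker request: the public filter plus the hidden flag.
const ATTACK_BODY = JSON.stringify({ role: "admin", includeSecrets: true });

function demo() {
  return {
    vulnerable: vulnerableHandler(ATTACK_BODY),
    hardened: hardenedHandler(ATTACK_BODY),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The same merge pattern (`Object.assign`, object spread, recursive "extend" helpers) is what lets a hidden property travel several modules deep before anything reads it, which is why the abstract's approach traces attacker-controlled input to internal property reads rather than looking at the handler alone. Note that allow-listing fixes the propagation, whereas a deny-list of known-bad names does not, since the dangerous name is whatever the internal code happens to read.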


This is a live Question & Answer stream. You'll want to have watched the corresponding pre-recorded talk prior to this Q&A session.

All DEF CON Q&A streams will happen on Twitch. Discussions and attendee-to-speaker participation will happen on Discord (#track-1-live).


Twitch: https://www.twitch.tv/defconorg

#track-1-live: https://discord.com/channels/708208267699945503/733079621402099732



DC - Thursday - 11:30-11:59 PDT


Title: DNSSECTION: A practical attack on DNSSEC Zone Walking
When: Thursday, Aug 6, 11:30 - 11:59 PDT
Where: DEF CON Q&A Twitch
Speakers:Hadrien Barral,Rémi Géraud-Stewart

SpeakerBio:Hadrien Barral , Hacker
Hadrien Barral is an R&D engineer, focusing on security and high-assurance software. He enjoys hacking on exotic hardware.

SpeakerBio:Rémi Géraud-Stewart , Hacker
Rémi Géraud-Stewart is a cryptologist and security expert with École Normale Supérieure in Paris, focusing on intrusion and cyberwarfare.

Description:
The Domain Name System (DNS) is a ubiquitous and essential component of the Internet. It performs translations between identifiers and resources (mostly domain names and computers, but not only), yet often remains invisible to the user. But DNS is not harmless: although not intended to be a general-purpose database, it has been extended to incorporate additional types of information, including information that should not be there.

In this talk we show how to exploit DNSSEC zone walking to perform advanced recon operations, on a real case, namely to obtain client private information from a large European cloud provider. This constitutes the first practical zone walking attack at such a scale.

Using this exploit we collected a substantial amount of private information, enough to share some interesting statistics. By the end of this talk, you will have everything you need to know to perform similar attacks -- and resist them.


This is a live Question & Answer stream. You'll want to have watched the corresponding pre-recorded talk prior to this Q&A session.

All DEF CON Q&A streams will happen on Twitch. Discussions and attendee-to-speaker participation will happen on Discord (#track-1-live).


Twitch: https://www.twitch.tv/defconorg

#track-1-live: https://discord.com/channels/708208267699945503/733079621402099732



DC - Thursday - 16:30-16:59 PDT


Title: Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise
When: Thursday, Aug 6, 16:30 - 16:59 PDT
Where: DEF CON Q&A Twitch

SpeakerBio:Erik Hunstad , CTO, SIXGEN
Erik Hunstad is a security expert and researcher who realized the power of programming and security when he coded an algorithm to reduce the search space of possible Master Lock combinations in RAPTOR. Erik is the CTO and Adversary Emulation Lead at SIXGEN where he specializes in deploying the latest offensive security techniques against customers. He previously worked for the Department of Defense.
Twitter: @SixGenInc

Description:
Domain fronting, the technique of circumventing internet censorship and monitoring by obfuscating the domain of an HTTPS connection, was killed by major cloud providers in April of 2018. However, with the arrival of TLS 1.3, new technologies enable a new kind of domain fronting. This time, network monitoring and internet censorship tools can be fooled on multiple levels. This talk will give an overview of what domain fronting is, how it used to work, how TLS 1.3 enables a new form of domain fronting, and what it looks like to network monitoring. You can circumvent censorship and monitoring today without modifying your tools using an open source TCP and UDP pluggable transport tool that will be released alongside this talk.

This is a live Question & Answer stream. You'll want to have watched the corresponding pre-recorded talk prior to this Q&A session.

All DEF CON Q&A streams will happen on Twitch. Discussions and attendee-to-speaker participation will happen on Discord (#track-1-live).


Twitch: https://www.twitch.tv/defconorg

#track-1-live: https://discord.com/channels/708208267699945503/733079621402099732



WLV - Thursday - 09:00-09:01 PDT


Title: DragonOS - How I kept busy during COVID19
When: Thursday, Aug 6, 09:00 - 09:01 PDT
Where: Wireless Vlg

SpeakerBio:cemaxecuter
I'd rather keep my job experience private. I am from a small town, but have been all over. I've met the developers of OpenWRT in Germany, developed my own line of dual mesh radios under the AWDMESH name back when OpenMesh used the OM1Ps, put together the ZoneMinder DVD using remastersys, and now, fast forward, I've put all my effort during COVID19 into making the Linux distributions called DragonOS 10, DragonOS LTS, and DragonOS Focal specifically for SDRs.

I've easily put hundreds and hundreds of hours into testing and making everything work along with making videos for YouTube in the hopes they'll help others develop a passion for Linux and SDRs.

A buddy of mine by the name of Rick from Wireless Village encouraged me to talk about DragonOS 10/LTS and now my latest work, DragonOS Focal.


Description:
Intro
Why I started DragonOS
What is DragonOS
What problems and challenges I had to overcome
What companies and developers helped and who donated equipment

This talk is available on YouTube.


Talk: https://www.youtube.com/watch?v=69k1Dmr2Ruk



RTV - Thursday - 11:45-12:45 PDT


Title: Evil Genius: Why you shouldn't trust that keyboard
When: Thursday, Aug 6, 11:45 - 12:45 PDT
Where: Red Team Vlg
Speakers:Farith Perez,Mauro Cáseres

SpeakerBio:Farith Perez
No BIO available

SpeakerBio:Mauro Cáseres
Mauro Cáseres (@mauroeldritch) is an Argentine hacker and speaker. He spoke at DEF CON 26 Las Vegas (Recon & Data Duplication Villages), DevFest Siberia, DragonJAR Colombia, Roadsec Brasil, and DC7831 Nizhny Novgorod. Currently working in SecOps for the Argentine Ministry of Production.
Twitter: @mauroeldritch

Description:No Description available

Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



BTVT1 - Thursday - 10:15-10:59 PDT


Title: Graylog: An Introduction Into OpenSOC CTF Tools
When: Thursday, Aug 6, 10:15 - 10:59 PDT
Where: Blue Team Vlg - Talks Track 1

SpeakerBio:Lennart Koopmann
No BIO available
Twitter: @_lennart

Description:
Learn. Play. Do.

Every year the Blue Team Village hosts OpenSOC. A unique defense CTF meant to teach and test practical incident response skills in an environment that's as close to "the real thing" as it gets.

This year BTV wanted to do more. We know that some Blue Teamers might be unfamiliar with some of the tools used by OpenSOC. And we didn't want that to keep anyone from playing this incredible defense simulation.

So this year we are dedicating all day Thursday to demo the various OpenSOC tools, before OpenSOC starts on Friday. These are tools like Graylog, Moloch, Zeek, Osquery, and others that Blue Teamers rely on every day to defend their networks against attackers.

That means that after you LEARN the tools, you can PLAY the OpenSOC CTF, and then take that knowledge back to your own Blue Team to DO the work of defending your network.


Blue Team Village activities in 'Talks Track 1' will be streamed to Twitch.

Twitch: https://twitch.tv/BlueTeamVillage



RTV - Thursday - 10:30-11:30 PDT


Title: Guerrilla Red Team: Decentralize the Adversary
When: Thursday, Aug 6, 10:30 - 11:30 PDT
Where: Red Team Vlg

SpeakerBio:Christopher Cottrell
Christopher Cottrell is a security engineer and leader who has focused most of his career on offensive operations. He has built red teams, contributed to published works, open-sourced tools, and publicly discussed adversarial techniques. When he is not doing operations, he is refining long-term strategy, uplifting the security community through red team mentoring programs, or learning about new adversarial techniques.

Description:
Guerrilla Red Team is a methodology by which a company can grow security IQ, technical expertise, and security brainpower, resulting in an internal mesh network of trusted, decentralized ethical hackers. The program requires minimal capital investment from the hosting red team. It achieves its primary goals through weekly group mentorship hosted in a four-hour block, once per week, during the workday. It forms a peer network in which guerrilla operators share ideas and techniques, and ultimately grow technically and professionally as a unit. Members of the program come from various technical disciplines, but not necessarily security-focused verticals. The cohort of five to six members follows a nine-week syllabus that takes them from someone with minimal red team experience to autonomous operations. Guerrilla Operators will have a regular cadence of operations, which will require deconfliction with the parent red team only to ensure there are no safety concerns with the proposed target. Expected outcomes for the nine-week cohort are as follows:
• Guerrilla operators are armed with the skills to continue their red team learning, as well as a support network for challenging tasks.
• The parent red team has an expanded network of internal, trusted, ethical hackers. This strengthens idea generation for campaigns and enables communication through a shared and common technical language.
• Over time, the Guerrilla Red Team provides a steady flow of trained, homegrown red team operators or security analysts.
• The company itself benefits by having security-focused mindsets placed throughout technical disciplines, resulting in staff who are poised to ward off attacks by thinking like an attacker, functioning similarly to security-focused Site Reliability Engineers (SREs).
• It provides the company with verification that its security program and infrastructure are as robust as claimed, through decentralized, independent low-tier actors attacking the network: an Offsec ChaosMonkey.
• It provides the guerrilla operators real-world, hands-on experience in a career field that is hard to break into outside of the Federal pipeline.

Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



DC - Thursday - 12:30-12:59 PDT


Title: Hacking the Hybrid Cloud
When: Thursday, Aug 6, 12:30 - 12:59 PDT
Where: DEF CON Q&A Twitch

SpeakerBio:Sean Metcalf , CTO, Trimarc
Sean Metcalf is founder and CTO at Trimarc (www.TrimarcSecurity.com), a professional services company which focuses on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory & Microsoft Cloud attack and defense at security conferences such as Black Hat, BSides, DEF CON, and DerbyCon. He currently provides security consulting services to customers and posts interesting Active Directory security information on his blog, ADSecurity.org.
Twitter: @Pyrotek3

Description:
Most companies have moved into the cloud, yet on-premises applications and systems remain. This configuration is reasonably referred to as "hybrid": in the cloud and not at the same time. Hybrid cloud requires integration and communication between the remaining on-prem infrastructure and the new(er) cloud services.

This talk describes several scenarios that appear to subvert typical security and protections which involve federation configuration, Identity Access Management (IAM), and interaction between SaaS and IaaS in the Microsoft Cloud.


This is a live Question & Answer stream. You'll want to have watched the corresponding pre-recorded talk prior to this Q&A session.

All DEF CON Q&A streams will happen on Twitch. Discussions and attendee-to-speaker participation will happen on Discord (#track-1-live).


Twitch: https://www.twitch.tv/defconorg

#track-1-live: https://discord.com/channels/708208267699945503/733079621402099732



DC - Thursday - 14:30-14:59 PDT


Title: Hacking the Supply Chain – The Ripple20 Vulnerabilities Haunt Hundreds of Millions of Critical Devices
When: Thursday, Aug 6, 14:30 - 14:59 PDT
Where: DEF CON Q&A Twitch
Speakers:Ariel Schön, Moshe Kol, Shlomi Oberman

SpeakerBio:Ariel Schön, Security Researcher
Ariel Schön is an experienced security researcher with unique experience in embedded and IoT security as well as vulnerability research.

Ariel is a veteran of the IDF Intelligence Corps, where he served in research and management positions. Currently, he is consuming caffeine and doing security research at JSOF.


SpeakerBio:Moshe Kol, Security Researcher
Moshe Kol is a wickedly talented security researcher, currently finishing his Computer Science studies at the Hebrew University of Jerusalem. He has many years of networking and security research experience working for the MOD, where he honed the skills he originally developed at home, led by sheer curiosity into the world of reverse engineering and security research.

SpeakerBio:Shlomi Oberman, CEO, JSOF
Shlomi Oberman is an experienced security researcher and leader with over a decade of experience in security research and product security. In the past few years his interest has been helping secure software, both while it is being written and after it has shipped. Shlomi is a veteran of the IDF Intelligence Corps and has many years of experience in the private sector working with companies who are leaders in their field. He has spoken internationally, and his research has been presented at industry conferences such as CodeBlue Tokyo and Hack-In-The-Box as well as other conferences. He is also an experienced teacher, training researchers and engineers in Embedded Exploitation and Secure Coding, as well as an organizer of local community cyber-security events. Shlomi has the unique advantage of a broad technical understanding of the security field as well as deep knowledge of the attacker's mindset, which is extremely useful when securing software.

Description:
This is the story of how we found and exploited a series of critical vulnerabilities (later named Ripple20) affecting tens or hundreds of millions of IoT devices across every IoT sector conceivable: industrial controllers, power grids, medical, home, networking, transportation, enterprise, retail, defense, and a myriad of other types of IoT devices, manufactured and deployed by the largest American and international vendors in these fields.

These vulnerabilities were found in a TCP/IP software library located at the very beginning of a complex supply chain, and they have lurked undetected for at least 10 years, likely much longer. Over the past two decades this library has spread around the world through direct use as well as indirectly, through "second hand" use, rebranding, collaborations, acquisitions and repackaging, having been embedded and configured in a range of different ways. Many of the vendors indirectly selling and using this library were not aware that they were using it. Now that they know, the patch propagation dynamics are very complex, and patching may not be possible in some cases.

This library is a little-known but widely used embedded library developed by Treck Inc., known for its high reliability, performance, and configurability. Its features make it suitable for real-time operating systems and low-power devices.

Despite being used by many large, security-aware vendors, these vulnerabilities lay dormant and undiscovered, while actors of all types could have discovered them by finding one of several bugs in any one of the components, which would immediately have exposed hundreds of others. This would provide a field day of affected devices for the picking.

In this presentation, we will discuss one of the vulnerabilities in technical depth, demonstrating an RCE exploit on a vulnerable device. We will explain how the vulnerabilities became so widespread, and what we still don't know. We will speculate as to why these vulnerabilities survived for so long and show why some vendors are worse affected than others.


This is a live Question & Answer stream. You'll want to have watched the corresponding pre-recorded talk prior to this Q&A session.

All DEF CON Q&A streams will happen on Twitch. Discussions and attendee-to-speaker participation will happen on Discord (#track-1-live).


Twitch: https://www.twitch.tv/defconorg

#track-1-live: https://discord.com/channels/708208267699945503/733079621402099732



DC - Thursday - 13:30-13:59 PDT


Title: Hacking traffic lights
When: Thursday, Aug 6, 13:30 - 13:59 PDT
Where: DEF CON Q&A Twitch
Speakers:Rik van Duijn, Wesley Neelen

SpeakerBio:Rik van Duijn, Hacker & co-founder at Zolder
Rik is a security researcher with 7+ years of experience as a penetration tester. Nowadays Rik focuses on malware research and defense. His hobbies include cooking, bouldering and long walks on the beach. Rik has presented at SHA2017, (whiskey|fristi)leaks, DEF CON Blue Team Village and Tweakers Security/DEV Meetups.
Twitter: @rikvduijn

SpeakerBio:Wesley Neelen, Hacker & co-founder at Zolder
Wesley has about 7 years' experience in the offensive security area, working as a penetration tester. Next to his work assessing the security of infrastructures, he spends time researching trends within IT security and developing defensive measures. Wesley likes to actively assess the security of home automation, internet of things and 'smart' innovations. One of the vulnerabilities discovered by Wesley is a remote command execution (RCE) vulnerability in the Fibaro Home Center appliance. The vulnerability allowed an attacker to remotely obtain root access on the Fibaro device whenever the web interface was reachable. He also discovered vulnerabilities within a smartwatch cloud that disclosed the location history of about 300,000 of its users.
Twitter: @wesleyneelen

Description:
New systems are connected to the internet every day to make our lives easier or more comfortable. We are starting to see connected-traffic and smart traffic light innovations that aim to improve traffic flow, safety and comfort. With smart systems entering and controlling our physical world, ethically hacking such systems to find possible ways of manipulation becomes even more important to society.

In the Netherlands there are some public innovations in which traffic light systems are connected to smartphone apps. We looked at these innovations to see whether these systems could be manipulated and how manipulation could benefit an attacker. Specifically, we found a way, in two different platforms, to fake a continuous flow of bicyclists that turns the cyclist traffic light green instantly or decreases the time to green.

More than 10 municipalities in the Netherlands connected a part of their cyclist traffic lights to the affected platforms. It was possible to perform these hacks from any remote location, which allows someone to remotely influence the traffic at scale. The hack results in the cyclists' lights turning green, while the other lights at the intersection turn red.

The regular safety systems that make sure lights are not turned green simultaneously stay intact. There are similar projects that turn the car traffic lights green for ambulances or trucks. If an attacker succeeds in exploiting these projects with a similar attack, he could remotely influence the car traffic lights directly.


This is a live Question & Answer stream. You'll want to have watched the corresponding pre-recorded talk prior to this Q&A session.

All DEF CON Q&A streams will happen on Twitch. Discussions and attendee-to-speaker participation will happen on Discord (#track-1-live).


Twitch: https://www.twitch.tv/defconorg

#track-1-live: https://discord.com/channels/708208267699945503/733079621402099732



RTV - Thursday - 15:30-16:30 PDT


Title: Introducing DropEngine: A Malleable Payload Creation Framework
When: Thursday, Aug 6, 15:30 - 16:30 PDT
Where: Red Team Vlg

SpeakerBio:Gabriel Ryan
Gabriel Ryan is an offensive security engineer at SpecterOps with nearly 8 years of programming experience in C and Python. Previously, he worked at Gotham Digital Science, where he was heavily involved in their research program GDS Labs. He is the creator and active developer of EAPHammer, a weaponized version of hostapd for performing rogue access point attacks against WPA/2-EAP networks. He is also credited with the first working bypass of 802.1x-2010, along with improvements to existing techniques for bypassing 802.1x-2004. Gabriel's most recent research involved novel proof-of-concept attacks against WPA3's "Enhanced Open." His current endeavors involve deep dives into Kerberos abuse on both Windows and Linux platforms.

Description:
In this talk, we'll introduce DropEngine, a modular framework for creating malleable initial access payloads (also known as "droppers" or "shellcode runners").

Initial access payloads serve a deceptively simple purpose: loading implants from disk into memory. However, a number of obstacles stand in the way of this seemingly mundane task. To start with, the payload must be safely delivered to its intended target (usually via spearphishing). During delivery, the payload is exposed to signature-based detections and analyzed from within an automated sandbox. The payload must then be saved to disk without triggering antivirus, and must load the implant into memory without alerting Endpoint Detection and Response (EDR). Due to the widespread use of application whitelisting, payload authors are restricted to languages that are compatible with "Living Off the Land Binaries and Scripts" (LOLBAS), most of which are executed through the Windows Common Language Runtime (CLR). This means that most payloads must also contend with Microsoft's Anti-Malware Scan Interface (AMSI). Finally, the payload must be able to withstand analysis by threat hunters and reverse engineers.

These obstacles are not insurmountable. However, defense evasion techniques tend to have a short shelf life, and become particularly stale after repeated use. Because of this, payloads are often prepared on a per-engagement basis, which is hardly an easy feat when done by hand.

DropEngine addresses this problem by providing a malleable framework for creating shellcode runners. Operators can choose from a selection of components and combine them to create highly sophisticated payloads within seconds. Available payload components include crypters, execution mechanisms, and environmental and remote keying functions. Also included are pre-execution modules such as sandbox checks and AMSI bypasses, as well as cleanup modules that execute after the implant is loaded into memory. DropEngine comes pre-packaged with example modules that are more than sufficient to bypass signature- and heuristic-based detections at the time of writing. However, DropEngine's true strength is that it improves operational efficiency by providing a high degree of standardization, while allowing operators to control just about every aspect of the payload's signature and behavior.


Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



WLV - Thursday - 09:00-09:01 PDT


Title: Introduction to WiFi Security
When: Thursday, Aug 6, 09:00 - 09:01 PDT
Where: Wireless Vlg

SpeakerBio:Nishant Sharma, R&D Manager, Pentester Academy
Nishant Sharma (Twitter: @wifisecguy) is an R&D Manager at Pentester Academy and Attack Defense. He is also the Architect at Hacker Arsenal, where he leads the development of multiple gadgets for WiFi pentesting such as WiMonitor, WiNX and WiMini. He also handles technical content creation and moderation for Pentester Academy TV. He has 7+ years of experience in the information security field, including 5+ years in WiFi security research and development. He has presented/published his work at Black Hat USA/Asia, DEF CON China, Wireless Village, IoT Village and Demo Labs (DEF CON USA). Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks, where he contributed to developing new features for enterprise-grade WiFi APs and maintaining a state-of-the-art WiFi Intrusion Prevention System (WIPS). He has a Master's degree in Information Security from IIIT Delhi. He has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, forensics and cryptography.
Twitter: @wifisecguy

Description:
Every year a lot of new people attend DEF CON to explore new topics, and some even move to new fields based on their newly discovered interests. The workshops organised by the DEF CON villages have always played an important role in this. This year DEF CON has gone virtual, and it is apt for the workshops to do so too.

Our workshop is aimed at beginners who want to explore/learn WiFi security and understand how WiFi network attacks work. To adapt to this new normal, we will change the approach a little: we will explain the basics and theory (in brief) using slides and then give the users access to our cloud labs. The labs consist of an emulated WiFi environment, and the users have everything they need to get cracking along with step-by-step instructions. We are planning to cover the following:

- WEP (What is WEP, how it works, why WEP is broken, how to hack WEP)
- WPA2-PSK (What is WPA2-PSK, how the 4-way handshake works, how to crack WPA2-PSK)
- WPA2-ENT (What is WPA2-ENT, how MSCHAPv2 auth works, how to crack WPA2-ENT MSCHAPv2)

This talk is available on YouTube.


Link from instructor: http://linux-basics-bootcamp-pa-beta.ue.r.appspot.com/courses/

Talk: https://www.youtube.com/watch?v=zV_yWVTbhlc



BTVW1 - Thursday - 11:15-11:59 PDT


Title: Kibana: An Introduction Into OpenSOC CTF Tools
When: Thursday, Aug 6, 11:15 - 11:59 PDT
Where: Blue Team Vlg - Workshop Track 1

SpeakerBio:TimDotZero
No BIO available
Twitter: @TimDotZero

Description:
Every year the Blue Team Village hosts OpenSOC, a unique defense CTF meant to teach and test practical incident response skills in an environment that's as close to "the real thing" as it gets.

This year BTV wanted to do more. We know that some Blue Teamers might be unfamiliar with some of the tools used by OpenSOC. And we didn't want that to keep anyone from playing this incredible defense simulation.

So this year we are dedicating all day Thursday to demo the various OpenSOC tools, before OpenSOC starts on Friday. These are tools like Graylog, Moloch, Zeek, Osquery, and others that Blue Teamers rely on every day to defend their networks against attackers.

That means that after you LEARN the tools, you can PLAY the OpenSOC CTF, and then take that knowledge back to your own Blue Team to DO the work of defending your network.


This is a workshop that requires pre-registration. Details for how to participate in this workshop can be obtained by contacting the Blue Team Village staff.


RTV - Thursday - 20:30-21:30 PDT


Title: Making Breach and Attack Simulation Accessible and Actionable with Infection Monkey - from IT to the C-suite
When: Thursday, Aug 6, 20:30 - 21:30 PDT
Where: Red Team Vlg

SpeakerBio:Shay Nehmad
Shay Nehmad is a lead developer at Guardicore, where he is working on the Infection Monkey, an open-source breach and attack simulation tool. Over the last few years in the IDF, Shay amassed extensive experience in both Information Security and Software Development.

Description:
Oftentimes one of the greatest challenges for security professionals today is finding a way to effectively communicate the state of a network's security posture, and what steps are necessary to achieve the organization's security goals. Red teamers are already familiar with executing a typical Breach and Attack Simulation, but how can they take greater advantage of their findings and, better yet, share those with the C-suite?

The Infection Monkey is a mature, widely used, open-source (GPLv3-licensed) tool developed specifically for enterprise red teams. Designed to test an organization's detection and response methods and teams, the Monkey simulates all steps of an attack by mimicking a variety of adversary moves such as scanning, exploitation, lateral movement, password stealing, network mapping, security control bypass and more. Overall, the Infection Monkey's simulation contains many of the stages one might find in a manual penetration test (or in a real attack). The Monkey is easily configurable; it starts from a single machine and propagates according to the test scenario while collecting data, employing attack tactics, performing security tests and looking for more machines to attack. The results are generated in real time, shown in a network map and also presented in 3 detailed reports. With the Monkey, red teams can autonomously test specific parts of the network with multiple attack scenarios on a regular basis, such as executing a lateral movement scenario from an internet-facing server to a sensitive system deployed in a different part of the network.

Further, the Monkey maps its findings to both the MITRE ATT&CK knowledge base and Forrester's Zero Trust framework to provide in-depth reports with actionable recommendations for achieving a stronger security posture. When mapping to the Zero Trust framework, the report identifies and prioritizes the steps and decisions required to achieve a true Zero Trust network, whether that's verifying that the current security stack meets Zero Trust requirements or outlining specific actions that blue teams can perform to implement better security measures. By mapping the reports to MITRE ATT&CK, the Monkey communicates the results of the attack in plain language, making the advanced tool accessible and effective for any red team. These reports enable security professionals to address and improve their security posture using the metrics, methods, and ideas they already care about: if your CISO wants to achieve Zero Trust, their team can clearly map out the steps required to get there with the Monkey's reports.

In this talk, penetration testers, network engineers, exploit developers, and other security professionals will experience a typical Breach & Attack Simulation through the lens of the Monkey to learn how open-source solutions can improve and add efficiencies to their teams. Shay will take attendees through a demo of Infection Monkey to demonstrate a typical "before and after" scenario. He will run the Monkey in a test environment, the "before," to identify security gaps and then mitigate the issues using advice offered by the Monkey's reporting. Finally, Shay will run the Monkey in the "after" environment to show how effective this Breach and Attack Simulation can be in strengthening security posture.

Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



RTV - Thursday - 23:00-23:59 PDT


Title: Offensive Embedded Exploitation : Getting hands dirty with IOT/Embedded Device Security Testing
When: Thursday, Aug 6, 23:00 - 23:59 PDT
Where: Red Team Vlg

SpeakerBio:Kaustubh Padwad
Kaustubh is a Product Security Assurance Manager at Reliance Jio Platforms Limited; his main work includes securing Jio's cutting-edge Enterprise, Consumer and SMB (small, medium, big) business products. His main areas of interest are device security, reverse engineering, and discovering RCE and privilege-escalation bugs in proprietary or closed-source devices. He was a null champion for 3 years and has delivered more than a dozen talks at null meets. He has also spoken at OWASP SeaSide 2020 and BSides Boston 2020. Some of his work has been published in SecurityWeek, ExploitDB and 0day.today, he has more than a dozen CVEs, and he was recently the winner of the SCADA CTF at nullcon 2019.

Description:
The world is moving towards a smart culture: everything nowadays is smart, and most of those smart devices are basically embedded devices with internet connectivity or some provision to connect to the internet. Since these devices are booming in the market, they are also tempting lots of people/groups to hack them. In this 1-hour talk we will discuss how to test embedded/IoT devices: it will give you a methodology for assessment, how to perform firmware analysis, how to identify vulnerable components, and a basic approach to reverse engineering the binaries to discover potential remote code execution and memory corruption vulnerabilities by looking for natively vulnerable functions in C or bad implementations of functions like system, popen, pclose, etc. After conducting static analysis and firmware analysis we will move towards a dynamic testing approach, which includes web application testing, underlying OS security testing, and identifying vulnerabilities and misconfigurations in the device. At last we will move towards fuzzing the device via web application parameters and installing an appropriate debugger on the device to identify memory corruption vulnerabilities.

DELIVERABLES
- A methodology for testing embedded devices
- A deep dive into device security testing, from beginner level to developing exploits
- And at last, a good intro into how to break the known security boundary of embedded/IoT devices by knowing their weaknesses, and thereby securing them


Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



BTVW1 - Thursday - 13:15-13:59 PDT


Title: Osquery: An Introduction Into OpenSOC CTF Tools
When: Thursday, Aug 6, 13:15 - 13:59 PDT
Where: Blue Team Vlg - Workshop Track 1

SpeakerBio:Whitney Champion
Whitney is the lead architect at Recon InfoSec. In the last 15 years, she has worked on security, operations, support, development, and consulting teams, in both the private and public sector, supporting anywhere from a handful of users to hundreds of thousands. No matter the role, security has always been an area of passion and focus.
Twitter: @shortxstack

Description:
Learn. Play. Do.

Every year the Blue Team Village hosts OpenSOC, a unique defense CTF meant to teach and test practical incident response skills in an environment that's as close to "the real thing" as it gets.

This year BTV wanted to do more. We know that some Blue Teamers might be unfamiliar with some of the tools used by OpenSOC. And we didn't want that to keep anyone from playing this incredible defense simulation.

So this year we are dedicating all day Thursday to demo the various OpenSOC tools, before OpenSOC starts on Friday. These are tools like Graylog, Moloch, Zeek, Osquery, and others that Blue Teamers rely on every day to defend their networks against attackers.

That means that after you LEARN the tools, you can PLAY the OpenSOC CTF, and then take that knowledge back to your own Blue Team to DO the work of defending your network.


This is a workshop that requires pre-registration. Details for how to participate in this workshop can be obtained by contacting the Blue Team Village staff.


RTV - Thursday - 07:30-07:59 PDT


Title: Red Team Village Announcements and Remarks
When: Thursday, Aug 6, 07:30 - 07:59 PDT
Where: Red Team Vlg
Speakers:Joseph Mlodzìanowskì (cedoXx), Omar Ωr

SpeakerBio:Joseph Mlodzìanowskì (cedoXx)
No BIO available
Twitter: @cedoxX

SpeakerBio:Omar Ωr
No BIO available

Description: No description available

Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



RTV - Thursday - 09:00-08:59 PDT


Title: Red Team Village CTF - Prequal
When: Thursday, Aug 6, 09:00 - 08:59 PDT
Where: Red Team Vlg

Description:
The first part of the CTF will be qualifiers in jeopardy format; then the top teams will move into the finals, where each will compete in the Pendulum Red Team environment, a full corporate network (each team will have their own env).

Skills required to win: pentesting/red team, scripting, reversing, exploitation, privilege escalation, pivoting, exploit development and anti-virus evasion.


Info: https://redteamvillage.io/ctf.html


Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



DC - Thursday - 10:30-10:59 PDT


Title: Room for Escape: Scribbling Outside the Lines of Template Security
When: Thursday, Aug 6, 10:30 - 10:59 PDT
Where: DEF CON Q&A Twitch
Speakers:Alvaro Munoz, Oleksandr Mirosh

SpeakerBio:Alvaro Munoz
Alvaro Muñoz (@pwntester) works as a Staff Security Researcher with GitHub Security Lab. His research focuses on different programming languages and web application frameworks, searching for vulnerabilities or unsafe uses of APIs. Before joining the research field, he worked as an Application Security Consultant, helping enterprises deploy their application security programs. Muñoz has presented at many security conferences, including Defcon, RSA, AppSecEU, Protect, DISCCON, etc., holds several InfoSec certifications, including OSCP, GWAPT and CISSP, and is a proud member of the int3pids CTF team.
Twitter: @pwntester

SpeakerBio:Oleksandr Mirosh, Software Security Researcher, Micro Focus Fortify
Oleksandr Mirosh has over 12 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He works for the Fortify Software Security Research team at Micro Focus, investigating and analyzing new threats, vulnerabilities, security weaknesses and new techniques for exploiting security issues, and developing vulnerability detection, protection and remediation rules.
Twitter: @olekmirosh

Description:
Now more than ever, digital communication and collaboration are essential to the modern human experience. Shared digital content is everywhere, and Content Management Systems (CMS) play a crucial role, allowing users to design, create, modify and visualize dynamic content. In our research we discovered multiple ways to achieve Remote Code Execution (RCE) on CMS platforms, through which an attacker can take full control of the resources your organization relies on.

Using a Microsoft SharePoint server as our main CMS attack surface, we combined flaws in its implementation and design with framework- and language-specific features to find six unique RCE vulnerabilities. In addition, we discovered ways to escape the template sandboxes of the most popular Java template engines and achieved RCE in many products, including Atlassian Confluence, Alfresco, Liferay, Crafter CMS, XWiki, Apache OFBiz, and more. We will analyze how these products and frameworks implement security controls and review the various techniques that we used to bypass them. We will describe all the vulnerabilities we uncovered in detail and show working demos of the most interesting attacks. Finally, we will present our general review methodologies for systems with dynamic content templates and provide practical recommendations to better protect them.


This is a live Question & Answer stream. You'll want to have watched the corresponding pre-recorded talk prior to this Q&A session.

All DEF CON Q&A streams will happen on Twitch. Discussions and attendee-to-speaker participation will happen on Discord (#track-1-live).


Twitch: https://www.twitch.tv/defconorg

#track-1-live: https://discord.com/channels/708208267699945503/733079621402099732



RTV - Thursday - 09:15-10:15 PDT


Title: Securing AND Pentesting the Great Spaghetti Monster (k8s)
When: Thursday, Aug 6, 09:15 - 10:15 PDT
Where: Red Team Vlg

SpeakerBio:Kat Fitzgerald
Based in Pittsburgh and a natural creature of winter, you can typically find me sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral Pop Tarts and have the only Pop Tart Sanctuary in the Pittsburgh area.

Description:
We've all heard of it - Kubernetes - but do you really know what it is and, more importantly, how to set it up securely? The Great Spaghetti Monster isn’t too difficult to secure if you just stop and use common sense (wait, WHAT?) security best practices. These techniques are for everyone - even those who have been playing with Kubernetes for some time.

Let’s talk about Docker, baby!

You have to start somewhere, and containers are the place. Next, let's intro Kubernetes and the magic world of orchestration, and what it really means to orchestrate containers. A quick recorded demo of my Raspberry Pi cluster will be shown here. As the brief Kubernetes demo concludes, it's time to bring in security by demonstrating the security plug-ins and tools used. Techniques are shown for best-in-show k8s security configuration. Remember this concept, "Common Sense"? Let's see if we can apply it with some best practices and build out the secure cluster. The focus here is on security threats to a Kubernetes cluster, its containers and the apps deployed on it. A review of typical attack vectors in containers and Kubernetes clusters is shown, with fun and exciting(?) pentesting tools specifically formulated for k8s. Now the fun begins: we have secured our cluster and our containers, but how can we be sure? Let's put our blue skills to the test with some red skills and pentest our cluster. It's time to present some live security testing tools that are best suited for testing k8s. This is where the rubber meets the road, or in this case, where, wait for it... common sense prevails!!


Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



BTVW1 - Thursday - 16:15-16:59 PDT


Title: Suricata: An Introduction Into OpenSOC CTF Tools
When: Thursday, Aug 6, 16:15 - 16:59 PDT
Where: Blue Team Vlg - Workshop Track 1

SpeakerBio:Josh
No BIO available

Description:
Every year the Blue Team Village hosts OpenSOC, a unique defense CTF meant to teach and test practical incident response skills in an environment that's as close to "the real thing" as it gets.

This year BTV wanted to do more. We know that some Blue Teamers might be unfamiliar with some of the tools used by OpenSOC. And we didn't want that to keep anyone from playing this incredible defense simulation.

So this year we are dedicating all day Thursday to demo the various OpenSOC tools, before OpenSOC starts on Friday. These are tools like Graylog, Moloch, Zeek, Osquery, and others that Blue Teamers rely on every day to defend their networks against attackers.

That means that after you LEARN the tools, you can PLAY the OpenSOC CTF, and then take that knowledge back to your own Blue Team to DO the work of defending your network.


This is a workshop that requires pre-registration. Details for how to participate in this workshop can be obtained by contacting the Blue Team Village staff.


WLV - Thursday - 09:00-09:01 PDT


Title: The Basics Of Breaking BLE v3
When: Thursday, Aug 6, 09:00 - 09:01 PDT
Where: Wireless Vlg

SpeakerBio:FreqyXin
Maxine is a US Army Veteran, and recent graduate from the University of Washington – Tacoma completing a degree in Information Assurance and Cybersecurity. She has experience as a Security Analyst hunting wireless threats and vulnerabilities, and currently works for IOActive as a Security Consultant applying her knowledge to help companies identify wireless risks within their environments and products. She has taught wireless security concepts as a guest lecturer at the University of Washington, a speaker at industry conferences, and as an outside consultant for the US Army. Maxine was also selected for the SANS Women’s Immersion Academy 2018 Cohort and holds the GSEC, GCIH, and GPEN GIAC certifications.

Description:
Evolving over the past twenty-two years, Bluetooth, especially Bluetooth Low Energy (BLE), has become the ubiquitous backbone modern devices use to perform low energy communications. From mobile, to IoT, to Auto, most smart devices now support Bluetooth connections, meaning that the attack vector is becoming an increasingly important aspect of security testing. This talk will break down the various phases of testing Bluetooth devices with an emphasis on sniffing BLE connections, spoofing devices, and exploiting GATT services. We will cover key components of the Bluetooth protocol stack, and the tools required to start testing BLE in your home, or as part of a Bluetooth pentest. This talk will also demonstrate that all you need to start testing BLE is an Android or iOS device, and a bit of curiosity.

This talk is available on YouTube.


Talk: https://www.youtube.com/watch?v=7giQCeNBJek



RTV - Thursday - 08:00-08:59 PDT


Title: The Bug Hunter’s Methodology
When: Thursday, Aug 6, 08:00 - 08:59 PDT
Where: Red Team Vlg

SpeakerBio:Jason Haddix
Jason Haddix is the Head of Security for a leading videogame production company. Previously he was VP of Trust and Security at Bugcrowd and currently holds the 29th all-time ranked researcher position. Before joining Bugcrowd, Jason was the Director of Penetration Testing for HP Fortify and also held the #1 rank on the Bugcrowd leaderboard for two years. He is a hacker and bug hunter through and through and specializes in recon and web application analysis. He has also held positions doing mobile penetration testing, network/infrastructure security assessments, and static analysis. Jason lives in Colorado with his wife and three children.

Description:
The Bug Hunter’s Methodology is an ongoing yearly installment on the newest tools and techniques for bug hunters and red teamers. This version explores both common and lesser-known techniques to find assets for a target. The topics discussed will look at finding a target's main seed domains, subdomains, and IP space, and discuss cutting-edge tools and automation for each topic. By the end of this session a bug hunter or red teamer will be able to discover and multiply their attack surface. We also discuss several vulnerabilities and misconfigurations related to the recon phase of assessment.

Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



BTVW1 - Thursday - 14:15-14:59 PDT


Title: Velociraptor: An Introduction Into OpenSOC CTF Tools
When: Thursday, Aug 6, 14:15 - 14:59 PDT
Where: Blue Team Vlg - Workshop Track 1

SpeakerBio:Mike Cohen
Mike is a digital forensic researcher and senior software engineer. He's supported leading open-source DFIR projects including as a core developer of Volatility and lead developer of both Rekall and Grr Rapid Response while working for the Google IR team. Mike founded Velocidex in 2018 - the company behind Velociraptor. Mike is our "Digital Paleontologist" and brings his years of expertise to the role of principal developer of Velociraptor.
Twitter: @velocidex

Description:
Learn. Play. Do.

We then demonstrate some of the major features that you can use to rapidly investigate, triage and contain adversaries on your network.

Try Velociraptor by downloading it from Github at https://github.com/Velocidex/velociraptor

Every year the Blue Team Village hosts OpenSOC, a unique defense CTF meant to teach and test practical incident response skills in an environment that's as close to "the real thing" as it gets.

This year BTV wanted to do more. We know that some Blue Teamers might be unfamiliar with some of the tools used by OpenSOC. And we didn't want that to keep anyone from playing this incredible defense simulation.

So this year we are dedicating all day Thursday to demo the various OpenSOC tools, before OpenSOC starts on Friday. These are tools like Graylog, Moloch, Zeek, Osquery, and others that Blue Teamers rely on every day to defend their networks against attackers.

That means that after you LEARN the tools, you can PLAY the OpenSOC CTF, and then take that knowledge back to your own Blue Team to DO the work of defending your network.


This is a workshop that requires pre-registration. Details for how to participate in this workshop can be obtained by contacting the Blue Team Village staff.


RTV - Thursday - 18:00-18:59 PDT


Title: What college kids always get wrong, the art of attacking newbies to blueteam
When: Thursday, Aug 6, 18:00 - 18:59 PDT
Where: Red Team Vlg

SpeakerBio:Forrest Fuqua
Forrest Fuqua (JRWR) - JRWR, creator of Hatchan, with 3 years on the NECCDC (Collegiate Cyber Defense Competition) Red Team, and a defense industrial base cybersecurity pentester/auditor, has been seeing all the mistakes everyone is making and works hard to try and get people to understand why it's important to get your shit together.

Description:
I’ve done a few years on the NECCDC (Collegiate Cyber Defense Competition) Red Team, and teams make the same mistakes over and over again: trying to harden a system that is so far compromised that it would be better if they could just reinstall everything.

In this talk I will detail things that have worked and not worked over the last three years that everyone seems to miss, and ground the fact that the simpler the attack, the better overall results you will have in endpoints responding home. Also covered: managing rapid response to teams who are actively dealing with your malware, and other tidbits.


Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage



WLV - Thursday - 09:00-09:01 PDT


Title: wicked wardriving with gps and glonass
When: Thursday, Aug 6, 09:00 - 09:01 PDT
Where: Wireless Vlg

SpeakerBio:wytshadow
Wytshadow is a wireless security researcher who learned RF fundamentals while working for Air Force Space Command. After transitioning to the civilian world, Wytshadow became a security consultant with a specialization in wireless security where he continues to perform independent research on wireless attacks and defensive strategies on existing and emerging wireless technologies. Wytshadow has presented on independent work in the past including the wireless pentesting framework SniffAir and he also presented on attacks against WPA3 OWE.

Description:
I'll begin the talk giving my experience working in Air Force Space Command and how they fly GPS satellites. GPS is only one constellation of “GPS” satellites in space. Several other countries have their own version of GPS: Russia has GLONASS, China has Beidou, Europe has Galileo, and Japan and India also have their own satellite constellations. All these satellites speak a common language known as GNSS. With the correct dongle, NOT THE BU-353, you can receive location data from more than the US-controlled GPS satellites in space; this gives you more reliable location data for war driving.

I’ll then go into a description of war driving with Kismet and all the things Kismet can collect on. I’ll then show off a dongle box I slapped together that is similar to El Kentaro’s Kismet box. It is a Pelican case with a 7-port USB hub hot-glued inside, with holes drilled in it so antennas can be mounted externally.

After talking about wardriving, I’ll talk about uploading results to WiGLE, or uploading a Kismet pcapppi file to Google Earth to keep wardrive data private. This is how you can review actively collected war drive data, but what if you want to review the work that others have done? Enter wigleQuery (https://github.com/wytshadow/wigleQuery). Querying WiGLE through their web interface provides a weak user experience: the access points are hard to see, even when you zoom in, and getting additional details on each access point is not very intuitive. wigleQuery provides an easier way to query WiGLE for WiFi access points based on BSSID(s), ESSID(s), or Lat/Long, plots the results on Google Maps using easy-to-see colors, and also outputs the results in CSV format for further processing. This output data can also be used when asking WiGLE admins to have your access points removed from the WiGLE database.

I’ll conclude talking about future improvements to be made to wigleQuery.

This talk is available on YouTube.


Talk: https://www.youtube.com/watch?v=2h8H3XEgWvw



WLV - Thursday - 09:00-09:01 PDT


Title: Wireless Blue Team
When: Thursday, Aug 6, 09:00 - 09:01 PDT
Where: Wireless Vlg

SpeakerBio:Eric Escobar
Eric is a seasoned pentester and a Principal Security Consultant at Secureworks. On a daily basis he attempts to compromise large enterprise networks to test their physical, human, network and wireless security. He has successfully compromised companies from all sectors of business including: Healthcare, Pharmaceutical, Entertainment, Amusement Parks, Banking, Finance, Technology, Insurance, Retail, Food Distribution, Government, Education, Transportation, Energy and Industrial Manufacturing.

His team consecutively won first place at DEF CON 23, 24, and 25's Wireless CTF, snagging a black badge along the way. Forcibly retired from competing in the Wireless CTF, he now helps create challenges!


Description:
Wireless security is often overlooked, or deemed "good enough". However, for many companies, access to the corporate Wi-Fi means direct access to the internal network. This talk will demonstrate a variety of opening attacks performed by threat actors whose goal it is to infiltrate your organization. These tactics are detectable to the vigilant sysadmin, but all too often go unnoticed in a sea of log files. Check out this talk for access to the "Free Public WiFi".

This talk is available on YouTube.


Talk: https://www.youtube.com/watch?v=tvYpd6sbH2g



BTVW1 - Thursday - 15:15-15:59 PDT


Title: Zeek: An Introduction Into OpenSOC CTF Tools
When: Thursday, Aug 6, 15:15 - 15:59 PDT
Where: Blue Team Vlg - Workshop Track 1
Speakers:Aaron Soto,Amber Graner

SpeakerBio:Aaron Soto
Aaron Soto is at Corelight, training users on the Zeek (formerly Bro) network monitoring platform. He was recently on Rapid7's Metasploit team. In his off-time, he enjoys endurance automotive racing, ham radio, and helping at the DEF CON OpenSOC Blue Team Village CTF.
Twitter: @_surefire_

SpeakerBio:Amber Graner
No BIO available

Description:
Learn. Play. Do.

Every year the Blue Team Village hosts OpenSOC, a unique defense CTF meant to teach and test practical incident response skills in an environment that's as close to "the real thing" as it gets.

This year BTV wanted to do more. We know that some Blue Teamers might be unfamiliar with some of the tools used by OpenSOC. And we didn't want that to keep anyone from playing this incredible defense simulation.

So this year we are dedicating all day Thursday to demo the various OpenSOC tools, before OpenSOC starts on Friday. These are tools like Graylog, Moloch, Zeek, Osquery, and others that Blue Teamers rely on every day to defend their networks against attackers.

That means that after you LEARN the tools, you can PLAY the OpenSOC CTF, and then take that knowledge back to your own Blue Team to DO the work of defending your network.


This is a workshop that requires pre-registration. Details for how to participate in this workshop can be obtained by contacting the Blue Team Village staff.


RTV - Thursday - 16:45-17:45 PDT


Title: Zero Trust - A Vision for Securing Cloud and Redefining Security
When: Thursday, Aug 6, 16:45 - 17:45 PDT
Where: Red Team Vlg

SpeakerBio:Vandana Verma Sehgal
No BIO available
Twitter: @InfosecVandana

Description:No Description available

Red Team Village events will be streamed to YouTube and Twitch.

Twitch: https://www.twitch.tv/redteamvillage

