Registration opens at 8am and closes at 7pm. Hack3rcon party tickets can be found at the event. Look here : http://schedule.hack3rcon.org/event/2df68f59e4bf6a845bea30fd0679b466
So, you want to compute post-apocalypse?
Let's assume that the world as we know it has come to and end. How? EMP?
Financial Ruin? Mayans? Depending on how, it actually may make a
difference to us hackers. Once we are at the end of the world, how will
we get access to the 'tubez? Likely we won't, but we can apply the
hacker mentality to bringing it back. However, you'll need to practice,
be prepared and learn now in order to be the new Al Gore. Want to learn
about the technology and hacker perspective to communicate with the
world, when your "world" will end at the end of the block? If yes, this
talk is for you.
It's no secret, black hats have been using open sources of information to conduct precise targeting for social engineering and network attacks for years. Penetration testers, often confronted with time constraints, overlook this all important step in the attack process, and fail to show the true, complete threat that their customers face. Even when an honest attempt at reconnaissance is made, the ever-changing nature of search engines and web technologies make automating the reconnaissance process painful to accomplish and maintain. In many cases, it just isn't done right, which leads to improper reconnaissance and bad intelligence. I have been working to create several quality tools that leverage the power of search engines, social networks, and cloud CRMs to automate the reconnaissance process and increase the integrity of the intelligence gathered before the attack occurs. I'll be releasing these tools during the talk, and will begin to explore a new reconnaissance concept; conducting physical reconnaissance of a target without ever setting foot on the ground. As a part of this new discussion, I'll also be releasing an updated version of Pushpin, a social networking proximity geolocation tool.
Join JP (Ronin) in the hardware hacking village, and build your own Glitch!
Check this out for details on the Glitch, by Glitch Ops:
http://www.kickstarter.com/projects/1186217328/the-glitch
This packet capture crash course will provide students with the foundations for performing packet capture, traffic analysis, and the implementation of a NMS (Network Monitoring [System|Sensor]). Students of all levels of skill can gain from this workshop. These potential gains include operating system concepts, practical command-line usage and tools, increased knowledge of Linux networking, and TCP/IP stacks. Libpcap packet capture files (pcaps) will be distributed and analyzed by students. We will peruse malicious traffic (exploits, botnets, virii), bad users, loud users etc. Full-content data, session data, and statistical data will be touch upon. Students who wish to follow along should bring a laptop with a Linux distribution. I recommend having the following tools installed: tcpdump, iftop, tcpstat, netsniff-ng (compile it), ntop, tcpdstat, hping, nmap, speedometer, tcpflow, tcpick, snort, httpry, passivedns, ngrep, nfex, foremost, arpwatch, argus, vnstat, sar, mpstat, htop We'll do as many things as we have time for. Or, just bring a VM of Security Onion.
Possible drink and food reception. Details are being worked out.
This packet capture crash course will provide students with the foundations for performing packet capture, traffic analysis, and the implementation of a NMS (Network Monitoring [System|Sensor]). Students of all levels of skill can gain from this workshop. These potential gains include operating system concepts, practical command-line usage and tools, increased knowledge of Linux networking, and TCP/IP stacks. Libpcap packet capture files (pcaps) will be distributed and analyzed by students. We will peruse malicious traffic (exploits, botnets, virii), bad users, loud users etc. Full-content data, session data, and statistical data will be touch upon. Students who wish to follow along should bring a laptop with a Linux distribution. I recommend having the following tools installed: tcpdump, iftop, tcpstat, netsniff-ng (compile it), ntop, tcpdstat, hping, nmap, speedometer, tcpflow, tcpick, snort, httpry, passivedns, ngrep, nfex, foremost, arpwatch, argus, vnstat, sar, mpstat, htop We'll do as many things as we have time for. Or, just bring a VM of Security Onion.
We've all heard of phishing and spear-phishing. We've even heard of twishing and spear-twishing to a limited extent. After all, Twitter is an excellent target for social engineering due to conditioned users, anonymous connections via pseudonyms, and a lack of content filtering. For example, shortened URLs are typically flagged by detection software in e-mail, but it's almost a necessity in Twitter with the 140 character length restriction. So we have a ripe target base of users clicking on shortened URLs, but let's be honest: developing targeted tweets can be annoying. Plus, to really target users and take advantage of trust relationships, you need to map out who's following who, and that is pretty arduous given existing tools. So, we built Hypertwish, a Twitter visualization and spear-twishing framework that uses small generative grammars and a hyberbolic tree. Yaay math! This tool is also a trial of some of our existing research into computer linguistics and automated content generation, so that when Doomsday arrives, at least Skynet will be able to use social media. You'll never trust people on Twitter again.
---------------------------------- Detailed Outline ----------------------------------
I: Targeting
a) Dynamically mapping twitter accounts with the Hyperbolic Browser (part of JavaScript InfoVis Toolkit)
b) Mapping following-follower paths between Twitter accounts and building a useful target list.
c) Creating bogus accounts for testing
i) Twitter locks account automatically because of certain email domains
ii) Microsoft Live works great though for hotmail accounts
iii) Common mistakes in bogus accounts
II: Generating Content
a) @ vs. #
i) @ for targeting specific accounts, ie. spear-twishing
ii) # for potentially getting users who are searching on popular tags, ie. normal twishing
b) Autobuild content:
i) Tool utilizes a small generative grammar to develop tweet contents using a variety of options:
1) Reference previous post and reply, or generate new
2) Parse out # references from previous tweets
3) Pick from various predefined schemes
c) Sending Tweet
i) Different platforms apparently support different default display/notification options
ii) Tie in twidge for sending via multiple accounts
d) Tracking
i) Public posts instantly get checked by various bots and spiders
ii) Bots don't do a deep dive, we can limit tracking to secondary resources like frame contents
III: Demo: Hypertwish
One thing is for certain, surviving the inevitable Zombie Apocalypse will not be easy. Many of you will die, potentially creating a larger army of the undead to attack the rest of us. Not sure what to do when the zombie apocalypse hits? How do you and your loved ones survive an army of the undead with your brains (and sanity) intact? This presentation will cover some VERY real scenarios that may bring about the zombie apocalypse and provide you will invaluable information to make sure you are one of those left to retake the earth.
Abstract: By aggregating and creating new dictionaries and manipulating them to guess plaintext and hashed passwords in high profile password exposures, we'll demonstrate which dictionary attacks are the most effective. Further research will allow for the building of passphrase dictionaries from commonly accessible sources and their effectiveness will be analyzed. Outline: 1. Overview of recent high profile passwords exposures and analysis of exposed passwords 2. Analysis of available dictionary files 3. Setup of Amazon EC2 for password cracking 4. Analysis of effectiveness of various dictionary files and cracking rulesets 5. Analysis of effectiveness of Amazon EC2 for password cracking 6. Building passphrase dictionaries 7. Analysis of effectiveness of passphrase dictionaries and cracking rulesets 8. Demonstration and release of passphrase dictionaries and tool for building passphrase dictionaries 9. Q&A (though this will be an interactive presentation and there will be audience engagement throughout)
Description:
Hack3rcon CTF will be brought to you this year by the XRG, a
relentless group of bloodthirsty savages from outer space. From deep
within their hive they have hatched multiple challenges to include
web, traffic analysis, reversing, and more. Rigorous fun on all
levels from the newbist larva to the leetist overmind.
CTF Rules:
1. All flag submissions have to be received by 10 am Sunday in order
to be accepted.
2. Do not attack other participants. Only attack computers which are
hosted at IP addresses we have specifically given you on the CTF
network. If you are in doubt, ask a CTF staff member.
3. Do not launch “denial of service” attacks against the CTF network
or systems. Please promptly report any system outages you notice.
4. Do not delete contest flags from systems
5. Event organizers will not be held responsible for any damages that
occur to your systems as a result of connecting to the CTF network;
remember that this is a hostile network. Connect to it at your own
risk.
6. Double check the access point or switch you have connected to prior
to engaging in any attacks - ensure you are on the CTF network.
7. Teams are welcome.
Set within a dystopian world that is a collision between technology and humanity, "Reboot" touches upon many of the current social and political concerns that arise from becoming more and more intertwined with the virtual.
In contemporary Los Angeles, a young female hacker (Stat) awakens from unconsciousness to find an iPhone glued to her hand and a mysterious countdown ticking away on the display. Suffering from head trauma, and with little recollection of who she is or what is happening, Stat races against time to figure out what the code means, and what unknown event the pending zero-hour will bring.
Set within a dystopian world that is a collision between technology and humanity, "Reboot" touches upon many of the current social and political concerns that arise from becoming more and more intertwined with the virtual.
In contemporary Los Angeles, a young female hacker (Stat) awakens from unconsciousness to find an iPhone glued to her hand and a mysterious countdown ticking away on the display. Suffering from head trauma, and with little recollection of who she is or what is happening, Stat races against time to figure out what the code means, and what unknown event the pending zero-hour will bring.
Overview: this brief presentation will explore a different view into the window of resilience, touching both a personal and professional perspective. Using the June 29th Derecho storm that impacted 11 states and Washington, DC, the presenter gives an unusual insight into preparedness, planning and response initiatives that can provide insight into enhancing one’s personal skill set. The attentive ear is afforded the opportunity to expand their personal collaborative web; gaining new knowledge, and if applied properly, can create new wisdom.
While I'm not an expert, I figured it would be an interesting idea to research and report on considering the theme of the conference. I plan to cover the basics of electronics, what an EMP is (and why some equipment gets fried), ideas for scrounging parts and other information to keep tech functional. I also plan to lightly cover useful tech to learn for a situation where society breaks down.
Join JP (Ronin) in the hardware hacking village, and build your own Glitch!
Check this out for details on the Glitch, by Glitch Ops:
http://www.kickstarter.com/projects/1186217328/the-glitch
In this course we will be teaching basic exploit development on a linux os. If you haven't used gdb or done much reverse engineering, this class will be a good introduction. We will be looking at some old school attacks, showing you why they are a problem, and writing some basic exploits from scratch. This is not an advanced class so rop pirates and heap ninjas shouldn't attend unless you want a review of the basics. This course will consist of both lecture and hands on exercises, so please bring your laptop with your favorite VM player.
DigiSo Hackathon Noon, October 20 – Noon, October 21
Up to four local non-profits will stock up on coffee, Red Bull and munchies in preparation for the 304 Geeks-powered DigiSo all-nighter Hackathon. DigiSo Anchors, 304 Geeks and teams from WV State University’s communications, business and art departments will come together during this first ever branding blitz.
Teams consisting of at least one copy writer, graphic artist, business plan specialist, and Wordpress geek will work intensely with organizational leadership for 24 hours non-stop. The goal? A logo, a one page advertisement, and a Website powered by Wordpress for each non-profit.
In this course we will be teaching basic exploit development on a linux os. If you haven't used gdb or done much reverse engineering, this class will be a good introduction. We will be looking at some old school attacks, showing you why they are a problem, and writing some basic exploits from scratch. This is not an advanced class so rop pirates and heap ninjas shouldn't attend unless you want a review of the basics. This course will consist of both lecture and hands on exercises, so please bring your laptop with your favorite VM player.
Exclusively at Hack3rCon's hardware hacking village, come and build the
prototype of The Glitch hardware hacking platform. The Glitch is a
small reprogrammable Arduino compatible micro-processor development
platform. Be part of a limited beta testing group to use the Glitch
before its official release.
For $100 you'll get all the parts for building the prototype of The
Glitch at the hardware village. The build workshop will walk you
through step-by-step building the hardware. Attendees do not need any
previous soldering skills to assemble the hardware and will walk away
with a working (Proto)Glitch. (NOTE: For those not comfortable with
assembling the hardware themselves, they can be assembled for you.)
BONUS: Since it is self serving to have individuals beta testing the
hardware and software, participants will also get a factory built Glitch
plus adapters in the mail once they are available.
Find out more about the project at theglitch.sourceforge.net
Over the past 10 years, organizations have spent time, resources and considerable financial investments to protect their external perimeter from potential information security threats. Most advanced threat agents know if and when they bypass the hardened perimeter, successfully compromising assets within the internal environment is trivial, with very few controls in place to stop a focused and motivated intruder.
This talk will discuss why spear phishing penetration testing is a necessary exercise for all organizations. We will walkthrough and demonstrate live our methodology that has proven extremely effective on numerous engagements. We will also focus on why advanced techniques should be used to assess internal user environments as a whole and that approaching a social engineering exercise as a user awareness exercise is not beneficial for an enterprise.
DNS Reconnaissance
Carlos will be covering the basics of DNS Reconnaissance using the normal types of methods used by penetration testers and several new ones not so frequently use using real world results to show how it is still a very viable way for enumeration and information gathering using his DNSRecon set of tools. The presentation will also cover how to parse and use the data generated and why it is important the management of the information collected.
I'mmmmmmm back. So I've moved from crazy technical hacker to a CSO, and now back to a crazy technical hacker. The times couldn't be better and the fun just beginning. This talk is going to dive down in a number of penetration tests that I've been on and new and innovative ways into compromising organizations in unique ways. Learn the tricks of the trade, and some really wicked ways to pop some boxes.
Possible drink and food reception. Details are being worked out.
It seems everywhere you look there are analysts and product/service providers promising you the magic bullet when it comes to securing your environment and lowering you risk. While some products might be better than others, nothing will help you with the basics which seem to be where most of us are still failing. The presentation will focus on the concept of keep it simple stupid. It will dive into learning your environment and more importantly correlating that to maintaining the profitability of your organization. It will show you how to bypass all the blinking lights and build cost effective security program that will inherently lower your risk.
While we all love being able to just roll in, pop some boxes and walk
away with the hashes then call it a day; This type of mindset doesn't
bring return customers. In this presentation we'll be discussing some
of the common issues with managing technical assessments to ensure
that the customers we hack today will call us back again in the future
to hack them again.
As a follow up to building The Glitch, come and learn how to use it.
This workshop will teach attendees how to use some of The Glitchs'
capabilities; including keystroke injection, embedding in hardware,
Bluetooth command and control, and more. Attendees will be able to
create their own attacks and payloads during the workshop.
304Geeks and Rapid 7 Presents:
Hack3rCon Neighborhood Watch Block Party!!
Description:
Hack3rcon CTF will be brought to you this year by the XRG, a
relentless group of bloodthirsty savages from outer space. From deep
within their hive they have hatched multiple challenges to include
web, traffic analysis, reversing, and more. Rigorous fun on all
levels from the newbist larva to the leetist overmind.
CTF Rules:
1. All flag submissions have to be received by 10 am Sunday in order
to be accepted.
2. Do not attack other participants. Only attack computers which are
hosted at IP addresses we have specifically given you on the CTF
network. If you are in doubt, ask a CTF staff member.
3. Do not launch “denial of service” attacks against the CTF network
or systems. Please promptly report any system outages you notice.
4. Do not delete contest flags from systems
5. Event organizers will not be held responsible for any damages that
occur to your systems as a result of connecting to the CTF network;
remember that this is a hostile network. Connect to it at your own
risk.
6. Double check the access point or switch you have connected to prior
to engaging in any attacks - ensure you are on the CTF network.
7. Teams are welcome.
"Exploiting faulty firmware patch services to compromise MFP Devices" An in depth examination of the patch/upgrade process on Xerox Multifunction devices, for the purpose of exploitation. By taking advantage of faulty patch/upgrade design we will show how an attacker can gain root level access privileges on MFP devices. We will start our discussion by examining historical research, and methods used in the past to compromise MFP devices in relationship to our attack method. Following from there we will discuss the steps I took during my research. This will include the evaluation of patch and firmware packages built using Xerox Downloadable modules (DLM) format. Examining Xerox patch process, including how they are obtained and deployed. We will Also discuss the structure and extraction of data from DLMs. Leveraging this information we will demonstrate how an attacker could easily create their own rogue DLMs and deploy them to take aver a Xerox MFP device with root level privileges without needing to authenticate. In conclusion we will discuss methods that could be used to reduce or mitigate the risk caused by these issues.
Join JP (Ronin) in the hardware hacking village, and build your own Glitch!
Check this out for details on the Glitch, by Glitch Ops:
http://www.kickstarter.com/projects/1186217328/the-glitch
What do you do if you are not a prepper but have been handed virtually unlimited funds to protect your family? Well you spend the money and have fun doing it! This presentation will cover the plans, process, and fun of prepping on a budget that would but some small countries GDP to shame.
Wielding Katana: A Pentesters Portable Pal
