Breaking My Blog with WPscan

One of the tools offered by default in Kali and many other hacking-related distros is WPscan, a black-box WordPress vulnerability scanner. I wanted to learn how to use this tool because it would help with recon on CTF challenges, practice boxes from VulnHub, and even trying to keep my own blog vulnerability-free.

Disclaimer

Before I tell you more about the tool and how it can be used, I have to throw out the usual disclaimer. Do not use this tool on any WordPress site you don’t own or have permission to scan. I ran WPscan on my own blog and brought the whole site to its knees. If you did that to a professional blog or your company’s blog then you could have major problems when you get caught.

Setup

If you don’t have a personal WordPress instance to test, then look at getting OWASP’s Broken Web App installed. It has a vulnerable instance of WordPress included that you can scan against and even try to harden. When things break, just reinstall the VM and start over from scratch.

I have a Kali VM installed on most of my computers. By opening a terminal and typing wpscan -h you can learn about all of the options and possibilities for how to scan a WordPress instance. If you want to avoid all the “bells and whistles” then just run wpscan --url <target> --enumerate p to scan and try to find vulnerable plugins.

The scan and the results

WPscan scans the site looking for version numbers and other exposed information that can be compared to a database of vulnerabilities. While running the scan against my site, there was one vulnerability found. There was also a small issue because the WordPress version was public. I was able to research the vulnerability using the links provided from the scan output. While the “fix” isn’t a perfect patch, it’s better than ignoring the vulnerability until the next update is ready. The version was easy enough to hide by deleting the stock readme.html file.

The issue still showed up on the next scan. The scanner is a quick tool that flags vulnerabilities based on version numbers and other information from the site; there are no proofs of concept and no attempts to validate whether a finding is a false positive.

Unexpected fun with WPScan

While running the scanner, the --enumerate p option will brute force the website with requests to gather information about plugins. This crippled my site when over 20 simultaneous database connections made it unresponsive. That wasn’t solely due to the scanner, but also to the fact that I created this blog in college, which means I took the cheap and easy route: DigitalOcean’s one-click solution on the smallest VM made that possible.

The reason I’m not afraid to tell all you hackers about this is because I was able to resolve the issue with some help from friends at #misec. They told me about adding a swapfile that could help boost some power to my little VM. Since then I’ve been able to run WPscan multiple times without a single fatal performance issue.

Converge 2017

May 11-12th was the Converge conference. If you’re in Michigan and are curious about information security, then I suggest you look at attending next year. For those that missed this year, Irongeek recorded all the talks and posted them online for you! Watch some of the talks and then put an alert on your phone to buy tickets for next year.

Converge is a great conference. I’ll admit I’m partial because it’s in my backyard. However, that isn’t the only reason I like it. The talks cover great content, the speakers are friendly, and it’s not so big that guests feel like they’re lost in a sea of other attendees.

Volunteering

On Thursday, I spent the morning volunteering with Irongeek recording talks for track 2. Helping with A/V is great because I get to volunteer and watch talks with a front row seat. In the afternoon I networked with people in the halls, after all that’s the most important part of a conference, right?

Friday was a lot of fun. I started off by playing with a new toy: a Nexus phone loaded with Kali NetHunter. I’m still exploring the tools on it, but one of them is the Mana wireless toolkit, which allows me to broadcast a wireless network. This makes for excellent trolling, especially for those who get the inside joke. There was some evidence at GrrCON a few years ago.

I know at least one person noticed because they had a screenshot for me to share!

Learning how to pen test

The rest of the day, I was in training for web application pen testing. Kevin Johnson from SecureIdeas offered a one-day version of his week-long training course. We went over a lot of great topics, like his recommended methodology and the tools that pen testers can use.

While the training was amazing, it’s still something that Kevin offers to others, so I don’t want to spill too many secrets. If you’re interested, I do suggest that you take a look at his site, secureideas.com.

I’ve said it before on these blog posts and I’ll say it again. Conferences are a great center for networking, learning, and growing if you’re looking at getting into the information security industry. Hopefully my stories from this year’s Converge have convinced you to attend the next conference in your area!

Building a community

At the #misec meeting I attended in mid April there was a panel on building an infosec community… so I’m borrowing their title for a post and giving my two cents in order to spread the topic!

I won’t give a huge synopsis of who said what like I did in my last post about a #misec panel. Instead, please watch #misec’s video on YouTube if you’re interested in what was shared.

Community?

There were two general categories of discussion at the panel; meetups like #misec or BurbSec, and conferences like Converge or Thotcon. Your community is probably a collection of both. For instance, #misec was born from Bsides Detroit members who wanted more and created monthly meetings to have a smaller (more frequent) version of a Bsides conference. Two aspects are required to start or build a community; networking and attendance.

In order to have a community, people need to attend and contribute. In order for people to know where to show up, there needs to be some kind of networking and outreach. “Grabbing people” is a good way to start a meetup. Find people at a conference, ask around, and tweet to see what the interest is. Welcome everyone and follow up with people and the rest will fall into place. A conference works in the same way as there is a dependency on people. Volunteering, speaking, and attending is the core of networking.

Why me?

Meeting people and networking is a two way street. You get chances to volunteer at conferences, speak out about your interests and get feedback from others in the industry, and there are usually job offers and professional networking involved as well. Even if you’re an introvert and it’s stressful, making a name for yourself and showing people what you’re made of is huge in this industry and there’s a lot of great connections to be made through these communities.

Be involved. It keeps you busy. There are many ways to grow, whether through volunteering at a conference or stumbling through your first talk at a meeting. Being able to inspire others and help them grow is also an awesome part of being in an infosec community. A community is nothing without people, and you are one of those people.

Summary

To keep it short and sweet, try to use the following checklist:

  1. Go to conferences
    • Volunteer if it’s too expensive
    • Volunteer if it’s local and you want to contribute
    • Respond to the CFP or call for papers if you have something fun to share
  2. Join twitter and ask for help
  3. Find the closest city meeting and go
    • Start your own if the closest isn’t close enough
  4. Wash, rinse, and repeat

My experience setting up an Algo VPN

First off, I don’t know if you’ve been avoiding the political storm as much as I have but there’s one thing that’s been so retweeted, shared, and updated that I couldn’t avoid it. The discussion about the privacy of our internet content.

The Problem

ISPs are able to sell your data. While it is possible that similar data is already being collected and used by social media, applications, and other providers… It’s brought up an interesting conversation about how to secure ourselves while browsing the internet.

Using TLS to encrypt the communication between a client and server is a good way to secure the content between you and a website. However, what about your destination, IP address, and other information that’s required to connect to that server? Virtual private networks (VPNs) have been used by corporations and security-focused individuals for years. Lately VPNs are the center of attention because they offer a way to encrypt information about your host and prevent your real location from being collected. To learn more about what a VPN is, check out https://www.bestvpn.com/blog/38176/vpns-beginners-need-know/.

A Solution

I’ve been toying with the idea of using a VPN for a while now. Going to security conventions and using the hotel’s public wifi has never let me sleep well at night. A VPN would minimize that issue. I’ve considered a few paid services but ultimately decided to go for the “create your own for cheap” route.  The infosec community has been buzzing about Algo. Algo VPN “is a set of Ansible scripts that simplify the setup of a personal IPSEC VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices. See our release announcement for more information.”

This blog is hosted on a DigitalOcean droplet. I’m familiar with how droplets work and when I heard that Algo can create a droplet and use it as a VPN provider, I jumped at the opportunity.

How I setup my Algo VPN

Following the README.md of the Algo GitHub repo is very straightforward. The idea is to clone the repo to your local computer. After installing the dependencies and setting up the config file for the number of users to expect, Algo takes care of all the heavy lifting by using DigitalOcean’s APIs to create the droplet and set up the VPN.

I cloned the repo onto my Mac, installed the Python dependencies and only had one hiccup: on a Mac, you need to have Xcode installed and agree to the license. All of the files required to set up the VPN clients are saved to the config folder after running the script. To connect my Mac, all I had to do was double-click the <username>.mobileconfig file and everything was fully set up.

I’ll have to update this post as I set up my other devices. Windows computers and Android phones are on my to-do list.

To test if the VPN is working, visit whoer.net. Check to see if the host connecting to the site is the droplet IP or your computer’s IP. The caveat of using such a VPN is that it’s not fully anonymous. Website hosts can know your connection is coming from a DigitalOcean droplet because ownership of the IP range is publicly available. Similar to the risk of someone watching a Tor node, well-known VPN providers can also be monitored. It is only a matter of time before the usage of that droplet is mapped out.

That’s not all folks

VPNs are only one part of a secure digital life. Using HTTPS when connecting to websites, resetting passwords every few months, and enabling two-factor authentication are also important. As far as “providers selling our data”… The best way to prevent that is to choose providers with a stronger commitment to their users than those who care more about improving their profits.

How I got to Shmoocon2017

Shmoocon is a hacker conference in Washington DC. I’ve been interested in going since 2015 but this is the first year I’ve been able to make it out. The conference was really hard to get into. Not because it’s expensive or that it’s hard to get to DC, but because the process to get my ticket was a unique challenge in itself. It required me to rely on good friends, new skills, and a whole lot of luck.

Trying for a badge

I roomed with @infosystir for the weekend; we saw an awesome deal on flights and rushed to get tickets and the hotel settled. That was the easy part. Getting Shmoocon tickets was the worst experience I’ve dealt with compared to other conferences. There were three “rounds” of people rapidly refreshing the tickets webpage. Each time, I failed to get one. While @infosystir had the connections to score a media badge, I was bound to attend lobby con.

For those who don’t know, lobby con is where non-badge attendees settle in at the hotel bar and network with others who were able to attend. Badges usually float around from person to person. More than a few last-minute cancellations are made each year, so people have extras as well. It is better to attempt to social engineer a ticket than to cancel a flight and lose any deposits. Either way I wasn’t going to bail on a conference.

Starting out right

Thursday night before the conference started, @infosystir and I set out for the bars. Before long, we met up with @lintile and he told me about an extra ticket. There was just one problem, it was a prize to a small cryptochallenge he made. On twitter, there was a post with random characters and a #shmoocon tag. Someone had responded that they ended up with gibberish after a failed attempt. At first I was worried that I could not beat the challenge before Shmoocon started. Even if the person on Twitter was joking, I’ve never tried a cryptography challenge before.

Step 1 – Decoding

As we sat at the bar, I asked @lintile where to start. He asked @TheSweetKat what it meant to have a message that ended with “==” and her immediate response was “it’s base64 encoded”. I quickly pulled out my phone and decoded the string; the answer I got was “<to be added here>”. Great, another task; of course it would not be that easy.

I overheard @lintile mention md5 hashes so I looked that up next. It’s safe to assume that if the hash is 32 characters long, it is MD5 or something similar to MD5. Thirty-two characters at least narrows it down to a handful of options, rather than a ton of options. So that’s what I started on next. My phone wasn’t powerful enough to brute force a hash; it was a Samsung S4 with a dying battery. However, after the conference I found there is an Android app called Hash Suite, so it is possible for phones to crack some md5 hashes.

Step 2 – The hash

While I was desperately googling for online hash cracking websites, I reached out to an experienced friend who would know where to start. My googling skills failed me, but @ashioni did not. He was able to get on his laptop and start up hashcat to start guessing strings that would result in a matching hash.

Lintile's tweet with the encoded hash
The hash that started it all and the first hint.

We came to the correct answer by using OSINT research.

Open Source Intelligence (OSINT) leverages publicly available information, in this case @lintile’s Twitter page, to gather information and generate a profile of a target. Target profiles can then be leveraged in many ways. Providing better word lists or giving hints to crack a code are a few examples. In this case the target profile was used to come up with possible passwords the target may be using. We were able to narrow the string down to something with only 10 lowercase letters that contained “@shmoo”. “?l” is the hashcat mask placeholder for a lowercase letter, so to guess the string that made the hash we were trying “?l?l?l?l@shmoo”. @Ashioni’s laptop should have been able to crack this within an hour, but for some reason there were no matches by the time my phone died later that night.

Cracking the code

I woke up the next morning and struggled to think what else I could do. @Ashioni had started up his password cracking rig that can do roughly 10 billion MD5 brute force attempts per second. Yet still no luck. I wanted to help, but I didn’t have hashcat on my Mac or a connection to download the tool. While trying to think what else was possible, I was lucky to find out that it’s possible to hash strings using the terminal on a Mac.

terminal output from hashing strings
These are some of my guesses.. The last hash on the bottom is the hash from the challenge.

I started guessing random 4-letter words that @lintile might have used. Failure after failure, the hashes I made didn’t match. Free, move, goto, tick, cryp… none of them were working. It wasn’t until I checked @lintile’s Twitter again that I thought to use his handle truncated to 4 letters. The hash of “lint@shmoo” was as close as I got to matching the hash, but I had an “off by one” error: the last character of the hashes didn’t match. I tried capitalizing the L, I tried “tile” and other combinations of @lintile. Each of those produced entirely different hashes. Nothing was as close a match as “lint@shmoo”. When I talked to @ashioni about the cracking rig not being able to find a match and my guess being so close, we thought that using CTRL-C to copy may have been the culprit for the spelling error.

At the same time I figured this out, @lintile reached out to me and said I could have his second badge, the conference was about to start and I was the closest to cracking the hash. When I met up with him, I asked if “lint@shmoo” was correct and he said yes. I was ecstatic! Cracking the code and getting it right felt great. Wait… what about the last character of the hash? As it turns out, it was just a typo when copying the hash into the base64 encoder. That’s why @ashioni’s hashcat brute force attempts never matched.
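The three steps of the challenge (spot the base64 layer, recognise a 32-character hex string as an MD5-style digest, then run a hashcat-style mask over the candidates) and the “off by one” diagnosis above can be replayed in a few lines. The following is an added example for practising this kind of CTF puzzle; it is not code from the post, and the challenge string in it is constructed from a hypothetical answer, since the real tweet is not reproduced on the page. expand_mask is a minimal stand-in for hashcat’s mask mode (?l, ?u, ?d, ?s), not hashcat itself.

```python
import base64
import hashlib
import itertools
import re
import string

# Constructed challenge, not the tweet from the post: the real string is not
# reproduced on the page, so we build one the same way, base64 over the hex
# MD5 of a hypothetical answer that fits the story's "?l?l?l?l@shmoo" shape.
ANSWER = "lint@shmoo"
CHALLENGE = base64.b64encode(hashlib.md5(ANSWER.encode()).hexdigest().encode()).decode()

_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
_DIGEST_NAMES = {32: "MD5 (128-bit; NTLM has the same length)", 40: "SHA-1", 64: "SHA-256"}
_MASK_SETS = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
              "d": string.digits, "s": string.punctuation}


def looks_like_base64(token: str) -> bool:
    """Step 1 heuristic from the story: base64 alphabet, length a multiple of 4, '=' padding."""
    return len(token) % 4 == 0 and _B64_RE.fullmatch(token) is not None


def decode_challenge(token: str) -> str:
    """Strip the base64 layer; in the story the result was a 32-character hex string."""
    if not looks_like_base64(token):
        raise ValueError("token does not look like base64")
    return base64.b64decode(token, validate=True).decode("ascii")


def classify_digest(hexstr: str) -> str:
    """Guess the hash family from the length of a hex digest (32 hex chars => MD5-like)."""
    if not re.fullmatch(r"[0-9a-fA-F]+", hexstr):
        return "not a hex digest"
    return _DIGEST_NAMES.get(len(hexstr), f"unknown ({len(hexstr) * 4}-bit hex)")


def expand_mask(mask: str):
    """Expand a hashcat-style mask: ?l ?u ?d ?s placeholders, everything else literal."""
    slots, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in _MASK_SETS:
            slots.append(_MASK_SETS[mask[i + 1]])
            i += 2
        else:
            slots.append(mask[i])
            i += 1
    for combo in itertools.product(*slots):
        yield "".join(combo)


def crack_md5(target_hex: str, mask: str):
    """Try every candidate the mask generates; return the first whose MD5 matches, else None."""
    target_hex = target_hex.lower()
    for candidate in expand_mask(mask):
        if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


def hex_mismatch_positions(a: str, b: str):
    """Positions where two digests differ: a single trailing mismatch suggests a copy typo."""
    return [i for i, (x, y) in enumerate(zip(a.lower(), b.lower())) if x != y]


if __name__ == "__main__":
    digest = decode_challenge(CHALLENGE)
    print("decoded:", digest, "->", classify_digest(digest))
    print("cracked:", crack_md5(digest, "?l?l?l?l@shmoo"))
    # Reproduce the post's "off by one": corrupt the last hex digit as a copy typo would.
    typo = digest[:-1] + ("0" if digest[-1] != "0" else "1")
    print("typo'd hash cracks to:", crack_md5(typo, "?l?l?l?l@shmoo"))
    print("differs from the real digest at positions:", hex_mismatch_positions(digest, typo))
```

The last two lines are the lesson from the story: a mask that exhausts without a hit, while a hand-made guess differs from the target in exactly one hex digit, points at a corrupted target hash rather than a wrong candidate space.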

Success!

It was really cool to get a Shmoocon ticket by completing a crypto challenge. Attending shmoocon wouldn’t have been possible without @infosystir, @lintile, and @ashioni. I really enjoyed completing my first crypto challenge as well. I talked to @lintile throughout shmoocon and am looking into more common ciphers and ways to practice for challenges in the future. He creates challenges for fun and also runs the Circle city con CTF and I’m looking forward to that. rumkin.com is a website he shared with me to learn about some other common ciphers… I think that in order to practice them, I’m going to try and create a little webpage with a simple crypto challenge.

2016 in review

2016 has been a crazy year, and I’m not talking about celebrities, politics or world news. A lot of security related things have happened for me personally. I wanted to base this post chronologically on what I’ve done.

One of the first screenshots from 2016 is a constant reminder for me. What’s the first rule of infosec? Troll first, work later. I’ve come to realize that Twitter is the diving platform everyone needs. Twitter allows us to get lost in the world of memes, jokes, and sometimes useful rants from infosec’s favorite rockstars.

We had fun hacking Queen lyrics

Bsides Indy

Bsides Indy was a lot of fun. I got to meet some great people and attempted a CTF. Even if the CTF bombed hard, the team I was on had fun trying to attempt to play. The takeaway that I remembered most is networking. I met a lot of people I had only seen mentioned on Twitter feeds before. I took some of the stuff I learned at Bsides and messed around at Spartan Hacker’s SpartaHack hackathon.

For most of the conferences I’ve been to, I’ll say networking is the most important. The people I meet, the conversations we have, and the advice I get are invaluable to me. Networking is the main reason to continue attending conferences.

Circle City Con

This conference was my first attempt at volunteering for a security team. Circle City was good experience. I learned a lot while on the job and met some great people. However, at the same time, it was at this conference I learned that it’s not always best to volunteer for every shift you can make. After Circle City, I started shifting from an “ALL THE SHIFTS!” mindset to “I’ll fill a shift or two”. Circle City is a fun conference and a lot of stuff happens; I’ll be happy to get to go next year without being “on the job” for the entire conference.

My wall of badges after circle city con

Over the wire

Jayson from CBI introduced me to the Over the Wire challenges this year as well. It’s great training and proof that basic Linux commands are all you need to be a 1337 H4CK3R. I learned a lot and that information helps me to gain a competitive edge in CTFs and during ethical hacking exercises at work. So far I’ve tackled Bandit with Jayson and friends, and also Leviathan by myself. Check out those posts if you want to know more about Over the Wire.

Converge Detroit

Pokemon Go was proof I was there!

The conference that started MiSec. I was happy to volunteer at this conference in our own backyard. There were a lot of great talks, I got to network with a lot of my favorite people, and I helped out with Hak4Kidz all day Saturday.

I was lucky to get to play Jayson’s CTF-NG. Jayson has done an amazing job creating a new style of CTF. It’s far above any other CTF I’ve attempted. The point of the game is to get cards and use them to beat other players. Cards are distributed across customized VMs inside the game’s network. I was able to get into a few machines and find some annoyance cards. Not bad for my first attempt at the game. Since playing I’ve learned there’s a lot of networking and basic Linux commands that I need to master.

At least I can prove I was really annoying!

Since my first attempt at Jayson’s CTF, I’ve had a few more chances to redeem myself. I’ve had a couple helpful hints. There’s been improvement in my network analysis and tool usage. In the latest attempt, I was able to find a legendary card.

School’s out for summer!

In May I graduated from MSU with a major in Media and Information and a minor in Computer Science. I continue to learn what I can about information security, but I’m hesitant to sign up for another degree. At the same time I moved from an internship to a full-time position at Vertafore where I get to work with application security and vulnerability management.

Misec Panel – Path to the dark side

MiSec had a really cool panel in May where some experienced infosec professionals shared their journey of getting to where they are today. There were a lot of great tips and live tweeting, so check out the post I did to follow up on that.

TLS research & talks

One of the first projects I did while working full time at Vertafore was researching TLS. The goal was to find how it worked, why it was required and what standards are the most important to secure connections. I drafted some standards, locked down this website by using Let’s Encrypt, and gave a lightning talk at MiSec Jackson about some of my research.

Hacker Summer Camp

Hackers and DefCon go together like PB&J. Add BsidesLV, guns, and black hat parties and there’s a whole week of fun, training, and more in Vegas. I met so many people while volunteering, standing in lines for talks, or visiting work shops. Hacker summer camp was a great experience and I’m pumped for 2017. DefCon 25 is going to be huge, being the 25th anniversary of the original DefCon means they’re going all out. A new location, more villages and workshops, there’s going to be something for everyone. I hope to see you there!

Defcon Smiley

HPKP research

The next research project I worked on at work, which I also brought over into my personal websites, was enabling Public Key Pinning. It’s a header that compares the TLS certificate to a pin that a client’s browser saves after the first visit to a website. I wrote a post about it, and if you frequently visit this blog, you may have had an issue when my TLS certificate expired and I failed to correctly renew it. A few readers were blocked from seeing the blog because the HPKP pins didn’t match. I’m just happy I learned this lesson (and what’s required to fix it) on my personal websites and not on one of work’s applications!

I’ve done a little more for work that was based in application authentication. Specifically, I looked at 2FA, salted hashes, and other factors that go into securing a login process. There are blog posts on that research, but those posts haven’t moved from drafts to something publishable. There will be a few time-traveling posts appearing in 2016 next year.
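The renewal failure described above (a fresh key after the certificate expired, and browsers that had already stored pins for the old one) is easy to reproduce against a simulated pin store, and the comparison shows why a pre-pinned backup key is the fix. The following is an added example, not the author’s or any browser’s code: the SPKI blobs are constructed placeholder bytes rather than real DER, the host name is made up, and the pin-noting rule follows RFC 7469 (a header is only honoured when it covers the presented key and also carries a backup pin that does not match it).

```python
import base64
import hashlib
import re
from typing import Dict, Set, Tuple

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. A real pin
# hashes the SPKI bytes taken from the certificate; these placeholders let the
# example run without any TLS library.
SPKI_LIVE = b"constructed-spki-der:live-key"
SPKI_BACKUP = b"constructed-spki-der:offline-backup-key"
SPKI_FRESH = b"constructed-spki-der:brand-new-key-after-renewal"

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_AGE_RE = re.compile(r"max-age=(\d+)")


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64 of SHA-256 over the SPKI DER bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(spkis, max_age: int = 5184000) -> str:
    """Server side: the Public-Key-Pins header value for the given keys."""
    parts = [f'pin-sha256="{spki_pin(k)}"' for k in spkis]
    parts.append(f"max-age={max_age}")
    return "; ".join(parts)


def parse_hpkp_header(value: str) -> Tuple[Set[str], int]:
    """Client side: pull the pin set and max-age out of a header value."""
    pins = set(_PIN_RE.findall(value))
    m = _AGE_RE.search(value)
    return pins, int(m.group(1)) if m else 0


def visit(store: Dict[str, Set[str]], host: str, header: str,
          presented_spki: bytes) -> Tuple[bool, str]:
    """One HTTPS visit against a simulated browser pin store.

    Returns (connection_allowed, what_happened)."""
    presented = spki_pin(presented_spki)
    # 1. Enforcement: pins already stored for the host must cover the key presented now.
    if host in store and presented not in store[host]:
        return False, "blocked: presented key matches no stored pin"
    pins, max_age = parse_hpkp_header(header)
    if max_age == 0:
        store.pop(host, None)
        return True, "pins cleared (max-age=0)"
    # 2. Noting: only store pins when the header covers the presented key AND
    #    lists at least one backup pin that does not match it (RFC 7469).
    if presented in pins and len(pins - {presented}) >= 1:
        store[host] = pins
        return True, "pins noted"
    return True, "header ignored: no matching pin or no backup pin"


def renewal_scenarios():
    """Replay the post's outage next to the renewal that would have worked."""
    host = "blog.example"  # constructed host name
    first = build_hpkp_header([SPKI_LIVE, SPKI_BACKUP])
    outage_store, healthy_store = {}, {}
    visit(outage_store, host, first, SPKI_LIVE)   # first visit: live + backup pinned
    visit(healthy_store, host, first, SPKI_LIVE)
    # Renewal A (what happened): brand-new key, header lists only that key.
    broken = visit(outage_store, host, build_hpkp_header([SPKI_FRESH]), SPKI_FRESH)
    # Renewal B: roll to the pre-pinned backup key and publish a new backup.
    rotated = visit(healthy_store, host, build_hpkp_header([SPKI_BACKUP, SPKI_FRESH]), SPKI_BACKUP)
    return broken, rotated


if __name__ == "__main__":
    for label, result in zip(("fresh key, no backup", "rotate to backup"), renewal_scenarios()):
        print(f"{label}: {result}")
```

Returning visitors in the first scenario are locked out for the remainder of max-age no matter what the server sends next, which is exactly why the backup key has to exist (and be pinned) before the first certificate ever needs replacing.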

Misec Lansing

September 14th was the first meeting of a new chapter of MiSec. Tek Systems hosted the first meeting in Lansing for MiSec and we have since moved on campus so students have a better chance of attending. It’d be great to have students and infosec professionals working together to improve the community.

Kyle and I had the idea to start another location. Since Kyle organizes the Jackson meetings, I’m the coordinator for the Lansing chapter. I get to be the guy that finds speakers for each month and organizes other events in the area. If anyone wants to give a talk or is interested in another event for MiSec Lansing, please reach out to me about it.

Other MiSec projects I contributed to this year are the MiSec Slack channel and the WordPress redesign for the website. If you want to join us on Slack, there’s an invite app that just requires an email. The WordPress redesign is something @taco_pirate and I worked on.

GrrCon

GrrCon 2015 was one of the jumping points of my security career. I can’t believe it’s already been a year since then. Going back to GrrCon, (having my employer pay for it), was really different this year. I wasn’t working behind the scenes but the organizers and team leads remembered me from last year. I played hacker Jeopardy (and somehow survived the aftermath), I was able to attend talks and still got a chance to network.

My journey into infosec is still just beginning and I’m excited to see where it goes from here! I plan on attending more conferences, being active in the community and continuing to learn as much as I can. I hope you’ll join me!

Setting up Slack for MiSec

Some time last year, I wrote a post about setting up an IRC client on my VM. The idea was that since it’s always online, I’d always have the chat history for the #misec IRC channel. That way I’d never miss a mention or interesting conversation.

Since then, a lot has changed and I don’t connect to that machine as much as I used to.  I had to restart it a few times so the “always online” theory quickly fizzled out as well. I found that a majority of my MiSec conversations were on twitter or in person.

Why Slack?

At the RuCTF, we used misecredteam.slack.com to transfer notes and share files. For those that don’t know about Slack, it’s a modern chat client. While it may be just another messaging app to some people, I’ve used it through college, at work, and for groups like MiSec and lansing.codes. There’s been talk about trying to get an official MiSec Slack channel.

During the November Lansing social, we did just that and misecgroup.slack.com was created. Later that night I found a project on GitHub that had a “push button” solution for creating an auto-invite application on heroku.com. Shortly after setting that up, I was able to tweet out the URL and people started joining the new channel. If you’d like to set up a similar invitation application, then read the GitHub description and press either the Heroku or Azure deploy button based on which service you want to use to deploy the application.

How it works

The app works great. Heroku even took care of a lot of the hosting details, like handling TLS. Within a day, the channel had 30 members and I didn’t have to manually invite anyone. The only change I made to the app was cosmetic. I didn’t like the gradient background so I replaced it with a more “cyber” background. In order to change the application, I had to fork the GitHub repository and connect it to my Heroku app. I used git and the Heroku CLI to do the heavy lifting. To change the background I simply replaced the bg.jpg in the images directory and redeployed the app.

IRC or death

A lot of MiSec members prefer to stay on IRC. In an attempt to accommodate their preferences, I opened an IRC gateway to connect to the channel from their favorite IRC client. However, that still requires being on the #misec IRC channel and the IRC channel for MiSec Slack… The only thing more annoying than having to be in multiple chats is being in multiple chats for the same reason.

So I found an alternative with the help of some MiSec friends: another GitHub project called slack-irc. The bot runs on Node.js, so hopefully anyone attempting this themselves has some experience with npm. slack-irc made it possible to set up a Slack bot that integrates with another IRC channel. So now #misec is in misec.slack.com’s #general channel and vice versa.

Demo from GitHub, shows how it looks for each client.

Becoming a Slacker

If you’re interested in joining the MiSec slack channel, follow the steps below:

  1. Get an invite by going to misec.herokuapp.com and entering your email address you’d like to use for the account
  2. Finish creating an account for the channel
    (Please note the team URL is misec.slack.com)
  3. Sign in from a Slack application on whatever device you prefer if you don’t want to use the web client.
  4. Optional: Go to https://misec.slack.com/account/gateways for instructions on connecting over IRC

GrrCON 2016

October 6th & 7th was GrrCON. For those that don’t know, it is a security conference in Grand Rapids, Michigan. 2015 was the first year I started going to conferences and GrrCON was my first. That year I volunteered because it’s really hard for poor students to pay their way for the fun stuff. This year, I have a job that actually pays for me to go and learn about security.

Since I wasn’t volunteering this time, I got to explore a lot more of the con and see what goes on for everyone who isn’t behind the scenes. Last year, I was helping set up, getting there early, and got stuck at one spot for hours. This time I was able to visit with sponsors, go to all the talks I wanted to see, test out the lock pick village and more. One thing that never changes is that I always have fun at GrrCON.

After attending the keynote speech on Thursday, I met up with friends from MiSec. One of the best reasons for going to a conference is to network. Twitter is one of the best places to stay in touch with your favorite hackers. However conferences are where you get to see them in person.

There’s always too many people to mention at once… if you’re looking to expand your network though, Sam’s got our backs!

After networking and visiting at the MiSec sponsor booth I stopped by the lock pick village. I can officially say that I’ve picked deadbolt locks now, I’ve moved up from just being able to open padlocks. GrrCON had some amazing villages this year. The lock pick village switched up the challenges this year. Instead of the cage escape there was a race to free yourself from being handcuffed to 3 other contestants.

@infosec_rogue’s invention for the lockpick village challenge this year

The other villages included IoT hacking, car hacking, enterprise hacking, and an OSINT (open source intelligence) CTF. IoT and car hacking were set up as demos, which looked really cool. There was so much going on that the booths were always busy. The OSINT CTF was a challenge to find out the most information about two con attendees. Finding information like their DOB by using social media and more was the idea behind the CTF.

Hacker Family Feud was a lot of fun as well. Amanda (@Infosystir) invited me to play along with Aaron and Adrian. I had no idea what to expect for some of the answers… but I do know I won’t be forgotten any time soon. One of the questions was “Name a 2015 vulnerability that was big in the media” and I froze when it was my turn to answer. The only media I’ve watched lately is Netflix.  What was my answer you ask? “The Target hack”. While I didn’t get any points for that answer, I got some free drinks and candy for my attempt and left a lasting impression on the con’s organizers.

I wish I could show you a picture... but I didn't want to get kicked out of the conference!

There were some great costumes, mature jokes, inappropriate comments and more at Hacker Family Feud. Due to recording restrictions, I can’t tell you more… if you want to see what really happens at night during GrrCON, I only have one word of advice for you: get a ticket for next year!

A lot of my friends and mentors gave talks throughout the con. I attended as many as I could. The rest are recorded and posted on Irongeek’s website. You should definitely check it out and see what you missed.

Hak4Kidz made another appearance this year. From what I heard, there was an awesome turnout. Hak4Kidz held an all-day workshop on Friday to get kids involved with ethical hacking. They participated in tech destruction, cryptochallenges, an online CTF, and more. One of the goals of Hak4Kidz is to include hacking in STEM programs (vote STEHM). It’s great to see the interest in sharing the “hacker” mindset with kids, or really, seeing how kids are going to improve our hacker mindset tomorrow. If you have kids or are interested in helping out, check out their website.

There was a lot of great content this year. GrrCON has a collection of amazing speakers, staff, and volunteers that knock it out of the park every year. I have a lot of good material that I want to bring into work on Monday and share with my boss. Hopefully it will be a means of getting work to help me attend even more conferences next year.

One thing I want to try at the next conference is to sit down and attempt some of the challenges. It’s great to attend the talks and get so much information; however, they’re also recorded, so you can see them on your own time. Networking is important, but it isn’t exclusive of the challenges either. It can even help you win one, by asking for help or by joining up to create a team.

Lastly I want to say thanks to everyone who helped make GrrCON 2016 a reality. It’s awesome to have a con like this that’s so close to home. I can’t wait for next year; it looks like GrrCON 2017 will be on Oct 26th and 27th. Plan now so you don’t miss out! (There may be Halloween costumes, be prepared.)

GrrCON debauchery with @infosystir and @vajkat. After parties are also a lot of fun at GrrCON!

My first hacker summer camp

April 26th was when I booked my flights to and from Las Vegas for hacker summer camp. I had no idea what was in store for me. The plan was to attend some conferences with Amanda Berlin, who had offered to let me stay with her. Originally I did not plan to go at all, although after discussing it with her, I really only had one option left.

I was walking into one of the best hacker experiences I’ve had to date. The week-long journey into Las Vegas that is hacker summer camp is a back-to-back combination of BsidesLV, Blackhat, and Defcon. It was nothing like I imagined, but it definitely has me saving up for next year.

Preparation

Amanda had shared a few links with me to prepare for Defcon. There were packing lists and notes like this one from JK-47. I signed up to volunteer at Bsides and to go to the “unofficial” Defcon shoot. There were plans to buy a burner phone and get all paranoid about getting hacked, but that didn’t last long. I entered every event I knew about into my calendar and Amanda shared hers with me as well. There were accounts on Twitter that I started following as well, like Defcon Parties.

When I was packing for the plane, I had originally imagined needing a checked bag and that I’d have a ton of gear to bring. As it turns out, a lot of technology is at risk of being hacked (who knew?), meaning that the extra computers, Raspberry Pi, and other tools I thought would be fun to bring had to be left behind. I made do with just my carry-on and a backpack. The only tech I brought was a computer with Kali, my phone, and a new MiFi I bought. The MiFi was because I was still too paranoid to trust any of the wifi networks.

BsidesLV

Hacker summer camp started with BsidesLV at the Tuscany. For those who aren’t familiar with Bsides conferences, they are “smaller” conferences that accept talks that didn’t make it into the “main” conference. Imagine the B side of a cassette tape.

My volunteer shifts were Tuesday and Wednesday from 8am to 5pm. The shifts I had were laid back; I worked the information desk and was a floater for speaker ops. Most of the time my job was to inform any attendees that might have questions, and I think I did pretty well with that. The only negative to working all the shifts I did was that I left no time for actually attending talks. I’m still sifting through the videos that were uploaded to their YouTube channel.

My favorite shifts were working the information booth with Kate from MiSec. Those shifts flew by because we talked the entire time. Some other volunteers would stop by and talk to us as well.

The parties were good too. Tuesday night I went to Queercon, a gathering of the LGBT hacker community. They really know how to throw a party; everyone was talkative and it was pretty fun while I was there. Wednesday night was the BsidesLV pool party. We took over the entire pool area and had an awesome party. I played “volleyball” with a beach ball for a majority of the time; it was a lot of fun.

The best part of BsidesLV (for me) was getting to network with everyone. Volunteering allows me to get close to the organizers and other staff and I get to see a different side of the conference. There’s still the parties, events, and after-hours stuff that allows me to experience the rest of the conference with the regular attendees.

Defcon Shoot

Between BsidesLV and Defcon, there was the shoot. The Defcon shoot is an opportunity to unleash some lead downrange in a variety of amounts and speeds. Basically, pay to shoot guns. Lanes are bought and can be shared with the public or “reserved” for private parties.

The idea behind the Defcon shoot is to gather together some gun loving hackers and have a fun time. It’s a great opportunity to shoot for the first time or for foreigners to shoot if they’re not allowed to back home. The range is closely monitored by experienced volunteers (and this year, someone from range staff) so the entire event is extremely safe.

The lane I shot at was provided by some friends of Amanda’s from across the pond. They brought bleeding zombie targets, something they’ve made a name for themselves by doing. Throughout the night I shot a range of firearms from .22 caliber rifles to .40 caliber pistols. I could have social engineered my way to shoot even more exotic weaponry, but time flew by. One missed opportunity was a Defcon shoot veteran who brings machine guns every year.

The “badges” for the shoot were 40mm grenade launcher shells. Practice shells of course, with the primer removed as well. At the end of the badge making process, the shell was reduced to an amount of chalk in a plastic case, perfect for those going through the TSA to get back home. There were even stickers to personalize your badge.

Blackhat

Unfortunately I couldn’t attend Blackhat myself. Having signed up to volunteer for as many shifts as I did at BsidesLV, I was unable to volunteer at Blackhat as well, not to mention it was probably way too late to offer. I was able to experience it vicariously through Amanda, who was a speaker liaison and was able to get me into a few Blackhat afterparties. Thanks to her I was able to get some cool swag. I’m waiting for the recorded talks to go live on their website.

Defcon

Not to say we saved the best for last, but we did save the biggest conference for last. I had no idea what I was in store for. There are so many rumors flying around about what happens that it was hard to sort through them all to find what really happens. I’m just glad it wasn’t canceled this year.

The badge

This year’s Defcon badge was a Terminator-themed skull. The core of the chip was an Intel Quark. The eyes of the skull had blue LEDs and there were eight buttons as well. After registration I met up with some more friends from MiSec and we gathered in Kate’s hotel room to take a shot at the badge’s crypto challenge.

We found a lot of initial hints on the Defcon subreddit. Lost shared a picture about the lanyards, and the codes on the back of the badges had been collected in one Reddit post. We were able to decode one of the encoded messages on the back of our badges; it was “chameleon”. Lost used ROT2 because it is the inverse of ROT24 (2 + 24 = 26, a full trip around the alphabet).
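To make the ROT2/ROT24 trick concrete, here is an added Python illustration of the shift cipher behind that decode. It is my example, not the badge team’s or the contest winners’ code. The only value taken from the post is the plaintext “chameleon”; the ciphertext is constructed by encoding that word with ROT24 and is not copied from a real badge.

```python
"""ROT-n (Caesar shift) helper illustrating why ROT2 undoes ROT24.

Added example for the badge decode discussed above.  The sample ciphertext
is constructed here by encoding "chameleon" with ROT24; it is not the actual
text printed on the Defcon 24 badges.
"""

import string

ALPHABET = string.ascii_lowercase


def rot(text: str, n: int) -> str:
    """Shift every ASCII letter forward by n positions (mod 26).

    Case is preserved and non-letters pass through unchanged, so the
    function works on whole messages rather than single words.
    """
    n %= 26
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + n) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def inverse_shift(n: int) -> int:
    """Return the shift that undoes ROT-n, i.e. (26 - n) mod 26.

    For n = 24 this is 2, which is why decoding a ROT24 message is the
    same as applying ROT2 forward.
    """
    return (-n) % 26


def brute_force(ciphertext: str) -> dict:
    """Return all 26 candidate plaintexts keyed by the shift applied.

    A Caesar cipher has a key space of 26, so when the shift is unknown you
    simply look at every candidate and pick the one that reads as words.
    """
    return {k: rot(ciphertext, k) for k in range(26)}


# Constructed sample: "chameleon" encoded with ROT24 (not the real badge text).
SAMPLE_CIPHERTEXT = rot("chameleon", 24)  # -> "afykcjcml"

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT)
    print("inverse of ROT24 is ROT", inverse_shift(24))
    print("decoded:", rot(SAMPLE_CIPHERTEXT, inverse_shift(24)))
    for shift, candidate in brute_force(SAMPLE_CIPHERTEXT).items():
        print(f"ROT{shift:2d}: {candidate}")
```

`brute_force` shows why this kind of puzzle is a hint rather than real protection: with only 26 possible keys, every candidate can be listed and the readable one picked out by eye.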

Within a couple of hours we found that a modified Konami code would activate a sequence on the LED eyes. The code is Up Up Down Down Left Right Left Right on the left four buttons and then Left Right (A, B) on the right four buttons. There was encoded text being displayed while running the Konami code. We had to connect a computer to decrypt the messages. For a complete write-up on the badge challenge, there’s an awesome post from the team that won.

Vendors

There were a lot of vendors this year at Defcon. Hak5 and the Hacker Warehouse were two of my favorite vendors. There were a lot of great companies, Rapid7 and Pwnie Express to name a few, as well as some important organizations like TOOOL and EFF. That’s a lot of big-name companies and organizations that are key to hacker conventions like Defcon; I’ll let you take your pick and explore the links if interested.

I picked up a few new toys while at Defcon. The first thing I got was a WiFi Pineapple Tetra. I also picked up new clear padlocks, a deadbolt, and a different style of tension wrenches.

Car Hacking Village

On Friday, I had breakfast with Amanda and Chris. After that, the first place Chris and I stopped at was the car hacking village. Rapid7 sponsored the badges. Each badge had a CAN adapter, which I thought was pretty cool.

The car hacking village was really cool. There was a driving simulator with a Dodge Challenger. Throughout the length of the conference, there were talks in the village about different kinds of car hacks.

Friday night

After an afternoon of lock-picking and struggling to watch the recorded talks on the hotel TV network, an evening of parties awaited me. Amanda had an entire evening planned. For those who don’t have the same luck, this is where the Hacker Tracker app and the Defcon Parties Twitter account come in handy.

Before getting to any parties, Amanda and I stopped at Drone Wars. They were racing small drones around obstacles and then attempting to knock down a solo cup pyramid without crashing the plane.

There are countless groups that attend Defcon, and a lot host parties in the hotel suites. I joined Milton Security for a bourbon tasting party before going to meet with some friends I met at the BsidesLV pool party.

Hack Fortress

Saturday morning started with a combination of a CTF and Team Fortress 2 called Hack Fortress. Hack Fortress originated at Shmoocon in DC. Hackers earn points they can redeem at a store for items that affect the gamers. Special awards in game will also give more points towards the final team score.

MiSec was able to represent with an entire team made up of Michigan hackers. The time limit was only 30 minutes. Unfortunately MiSec didn’t win. If we were to play again, I would prepare by playing more Team Fortress 2 and understanding the game dynamics. Hacking was an important aspect, but a majority of the game points came from the gamers.

More talks on TV

The recorded talks on the hotel TVs were working a lot better on Saturday. The MiSec group met back up at one of the hotel rooms to watch what was being broadcast instead of dealing with linecon (waiting for hours to get into a talk).

The first talk we watched was on phishing campaigns. Tactics of a good campaign and what separates success from failure were the main topics. The speaker mentioned not reinventing the wheel for every campaign, and using a certain framework. (I’ll add more details when I get to rewatch that talk.) Another talk we watched was about attribution, as in which hacker did what. For instance, did Russia really hack the DNC? It was really interesting to see where researchers, media, and more get the information that allows them to attribute an attacker. I know I’ll be sticking to using Attribute Dice.

Saturday Night

The last night of partying at Defcon (for me) started with Hacker Karaoke. MiSec grouped together to sing Journey. It was a fun gathering. We then moved to the Social Engineering party, which consisted of more bourbon tasting. (I hope you see the theme here.)

Closing Ceremonies

Sunday morning was bittersweet. After five days of conference, I was ready for it to close… but at the same time, I didn’t want it to end. The closing ceremony started with my longest linecon of the conference. Winners of the larger challenges from the conference were recognized. The black badge was shown to the audience; the eyes pop out and it looks really cool. The animator that made the dinosaurs for Jurassic Park is hand-crafting each one. A supercomputer was the first to win DARPA’s Cyber Grand Challenge. Defcon 25 has a lot of potential.

What else happened at hacker summer camp?

There is so much that goes on at summer camp that it was impossible for me to attend it all. It’s been a week and I’ve only seen some of the Bsides talks that were recorded. What I talked about above was what I was able to participate in. There are official and unofficial events, conferences, and parties throughout the entire week that I didn’t even know about outside of Twitter. For instance, there’s Tiaracon and Queercon (at Defcon). There are the open and official CTFs at Defcon. There’s honestly so much that I’m not even sure what else I missed. All I know is that I’ll find something fun and new to do next year!

First SecOps Job at Circle City Con 2016

Hey guys, I know it’s been a while since I posted. Thank you for coming back to read more. I hope you find these interesting. This post is a follow up of my SecOps experience at Circle City Con. I learned a lot and am looking forward to doing it again.

The Conference

Circle City Con is an annual security conference in Indianapolis. This year’s theme was Game of Pwns. The theme added a fun aspect to the usual conference atmosphere. The organizers dressed up in Renaissance garb and became “heads of houses”, each of which offered challenges based on a specific field in security. A few of my favorites were social engineering, incident response, and penetration testing. Winning these challenges gave points for the CTF that lasted the entire conference.

Social engineering involved challenges like taking a group photo of a few houses together, making an organizer hold something purple, and more. The incident response challenge was a quiz to test your skill and knowledge of the trade. The penetration testing challenge was a test to gain access to a network by figuring out the wifi password: decrypting a poem and finding the right information online. I’m still hoping to find a more complete write-up of the challenges.

I like to volunteer at conferences. Volunteering allows me to connect with the organizers and get a view of what happens “behind the curtain” at conferences. It’s great for networking. I offered to help Security Operations (SecOps) for the conference and shortly after was signed up to work five shifts for the weekend.

Working SecOps

I learned a lot from working on the SecOps team. First and foremost, they get to use radios and, let’s be honest, that’s the coolest part of the job. I worked a few different spots on my shifts, watching different areas of the con. However, the end goal was always the same: check for badges and keep everyone safe.

The only downside I found to working security for Circle City Con was how long the shifts were. I’m always trying to help however I can, and that means that I try to take as many shifts as are open. At the same time, that means I miss things at the conference, like checking out the CTF, talking to vendors, and going to see speakers. Next time I sign up to help out, it’ll definitely not be for every shift, and I’ll be sure to save some time for actually going to the conference.