CypherCon 2024

BoomerSec: 25 Years of Abusing Microsoft Windows Passwords

Joe Mondloch


Joe will share his quarter-century journey through the wonderful world of Windows password flaws. This includes how the Foofus group developed techniques and tools to extract password hashes, brute-force passwords and otherwise misuse credential information. He’ll share that history, as well as his current research on abusing legacy authentication protocols.


Importance: This talk is part history lesson, part a dive into the methodology we used to solve security problems. It’s also a demonstration that older attack approaches are still relevant in today’s world.

Joe Mondloch

Cybersecurity practitioner, not shampoo conditioner

Joe (jmk) is an offensive-focused security practitioner. He contributed ideas, code and support in the early days of the penetration testing industry as a longtime member of the Foofus group. This included creating the Medusa password guesser, contributing to the FgDump/PwDump password extraction utility, as well as other critical tools of yesteryear.

Joe shifted his efforts in recent years from red to blue. He now spends his time creating complicated challenges for penetration testers as a security architect and engineer for the hosting division of a healthcare software company.