Russ From

Russ From

Micro And Nano-Segmentation: Lessons Learned From The Field, Thoughts On The Future

This presentation introduces Micro-Segmentation and includes industry adoption statistics, strategies, and implementation examples. This presentation came from my personal experience implementing Micro-Segmentation in a fully virtualized hosted infrastructure environment for many large hospital systems. This talk will cover why we need segmentation, what the benefits are, how it evolved, and what it enables before explaining a flaw of Micro- Segmentation and how it is addressed using the recently defined term Nano-Segmentation. I also briefly touch on the famous Zero Trust Model and how Micro-Segmentation makes security more effective by following the principles of the Zero Trust Framework. Last, I will briefly cover how any organization can implement Micro and Nano-Segmentation using Tanium in a physical and/or virtual environment that scales up to millions of endpoints.


Rick Ramgattie

Rick Ramgattie

Journey to Command Injection: Hacking the Lenovo ix4-300d

Fully comprising an embedded device isn’t always as easy as sending a GET request with admin=true. Sometimes, owning an embedded device takes multiple different vulnerabilities, creativity, and a little finesse. In this live demo, we show how we were able to chain multiple vulnerabilities in the Lenovo ix4-300d network attached storage (NAS) device into a remote exploit that can be executed with little user interaction. As a result, an adversary can provide the victim with a link to a malicious page that grants the attacker the ability to extract all information stored on the victim’s NAS, and the ability to execute arbitrary operating system (OS) commands on the compromised NAS. In the talk we cover how we first identified command injection, then used cross-site scripting (XSS) and cross-site request forgery (CSRF) to build an exploit that would hijack values stored in the victim’s browser storage, issue a malicious request on the user’s behalf, and issue an OS command to open a remotely accessible operating system shell.


Johnny Xmas

Johnny Xmas Sam Crowther

Sam Crowther

Sorry About your WAF: Modern Bypass Techniques for Autonomous Attacks

Scripting and automation are absolutely critical to many aspects of an attacker’s effectiveness, penetration tester or otherwise. Modern WAFs and “bot detections” often add a small layer of intelligence to their monitoring, attempting to determine whether or not an attack is being automated, and shut the bot/botnet down. This presentation will be a mini-tutorial on how the various forms of “bot detection” out there work, and how to modify/spoof the necessary client environments to bypass nearly all of them using anything from Python Requests to Selenium, Puppet and beyond.


Jim Nitterauer

Decrypting the Mess that is SSL /TLS Negotiation – Preparing for the 2020 Apocalypse

Recently, all major browser vendors agreed in principle to end support for TLS (Transport Layer Security) versions 1.0 and 1.1 in 2020. SSL (Secure Sockets Layer) version 3.0 support was removed from Chrome in early 2015 effectively ending the use of SSL completely. Akamai will discontinue support for TLS 1.0/1.1 on January 7th, 2019. These protocols have all been found to have various vulnerabilities that no longer make them safe for use in the negotiation of secure connections between end points.

With the deprecation of these cryptographic protocols, several new security exploits have come to light. These exploits including Heartbleed, POODLE, BEAST, CRIME and others attempt to disrupt the availability of services or stealing data. The most common service using TLS is obviously web traffic that is transmitted via https. Since SSL and TLS are secure connection negotiation protocols, the process for establishing a secure connection can be used for almost any type of traffic. Some of the more common ones aside from https are DNS, VPN, SMTP, POP3 and IMAP. All rely on the ability of client and server to understand a common protocol and the ability to negotiate a connection based upon a commonly understood version.

Many server-side instances still utilize older versions that support deprecated SSL/TLS versions leaving them vulnerable to availability and integrity attacks. Many client applications have the same issues with many of those built into IOT devices which are rarely upgraded.

We needed to find a means to understand what types of conversations were happening on our publicfacing proxy services. We noticed a rash of SSL downgrade attacks that resulted in intermittent outages.

We also wanted to be able to proactively engage our customers by letting them know that they had devices on their network reaching out to us using deprecated or soon to be deprecated SSL/TLS versions.

This talk will provide a quick overview of the major SSL/TLS versions along with their major vulnerabilities. I will then discuss how we were able to use some F5 iRule magic on our load balancers combined with Graylog (a log aggregation platform) to track as well as block undesirable client and server connections to our proxy end points. This strategy can easily be adapted to any protocol scenario that uses TLS connection negotiation.


Eric Escobar

Eric Escobar Matt Orme

Matt Orme

Remote Wireless Pentesting in a nutshell (or ammo can)

Wireless pentesting typically requires physical proximity to a target which requires time, limited resources, and constant traveling. Eric & Matt have pioneered an inexpensive device to covertly perform wireless pentests anywhere on earth. Their unique solution to the problem centers around the ability to perform a wireless pentest remotely. To achieve this lofty goal they did what any hackers would do; scrounge up pieces and parts until they had a workable prototype that could phone home via multiple LTE connections and give remote access to the wireless environment surrounding their device. Much improved since it’s tangle of wires and packing peanuts, a year later their device has compromised dozens of enterprise networks spanning 3 continents. In this talk we’ll discuss why we built it, how it works, and why we think it will revolutionize wireless pentesting.


Dustin Heywood (EvilMog)

Dustin Heywood (EvilMog)

Automating Hashtopolis

This talk will cover the basics of using the Hashtopolis user-api to automate functions in Hashtopolis. This talk will cover connecting to an HTP instance, creating hashlists, creating attacks, recovering plaintext, user creation and more.

James Arndt

James Arndt

Always Look a Gift (Trojan) Horse in the Mouth

It could be said that the city of Troy needed to update its antivirus or intrusion detection signatures. Maybe they needed to dust off their acceptable use policy on their SharePoint site? Or did their end users need more security training? Didn’t anyone warn the CEO of Troy that it is dangerous to push the “Enable Content” button on strange horses that show up outside the city wall? If only the city of Troy had a citizen that could have torn apart the Trojan Horse to see what was really going on inside.
The same goes for malicious emails. Someone will report a suspicious email because they think it might be malicious. But how bad is it really? Unless you are able to dig into the email and perform a thorough analysis on its attachments, you’ll never know how bad it is, how it behaves, and what it may be trying to contact.
In this talk, attendees will learn various tools and techniques that can be used to thoroughly analyze a malicous attachment and everything that comes after it. In order to get as many stones as possible, we will want to leave no stone unturned. This information can then be used to look for indicators of compromise throughout your environment.

Ed Skoudis

Ed Skoudis

KeyNote: I, For One, Welcome Our New AI Over Lords

Title: I, For One, Welcome Our New AI Over Lords
Subtitle: The Ultimate Insider in the Cloud
By: Ed Skoudis and Surprise Guest
Amazing new AI-based services from Amazon, Google, and Microsoft let organizations rely on automated technology to crawl through their cloud-based data stores to identify sensitive data, security weaknesses, and hacking attempts. These AI offerings are impressive and can automate security at a scale impossible to achieve by humans alone. But, to use these commercial services, organizations must allow their cloud providers access to all of that information, exposing it to the deep gaze of an AI. In this talk, Ed will analyze the security implications of such offerings, along with the ethical, business, and privacy issues they raise as cloud-based AI intertwines itself in our lives more deeply every day. Oh, and it can turn on and off your lights too!