blackhat_defcon_virtual_vegas_2021.zip

Phew! This year’s hacker summer camp is packed with presentations from several hackers across the globe at Orange Cyberdefense. I can’t possibly go into all of the many details, but hope to give a somewhat compressed view of the highlights!

This year we have a total of 10 presentations. Four of those are DEF CON 29 talks: two main stage talks, one Demo Labs talk and one Radio Frequency Village talk. On the training side of things, we’re delivering five courses at BlackHat USA 21 and one course at Ringzer0. I’ve been fortunate enough to see the behind-the-scenes preparation that goes into these and can’t wait for the world to see and experience them too!

talks

It’s easy to forget the amount of work that goes into delivering research in the form of a world class talk at a conference such as DEF CON 29, let alone doing the research to begin with. Internally we go through many, many phases to not only encourage research, but also to “polish” the talks themselves. A successfully delivered talk is a function of many hours of work and dedication, and I am humbled by the effort everyone has put in. Speaking at DEF CON is a big deal, so a well deserved congratulations to those that made it!

It’s a tired refrain by now, but COVID still complicates things. As a result, our talks will all be delivered virtually. The DEF CON 29 format this year (partially following suit from last year) is a pre-recorded video that will be played at the hybrid event and online, and will be made available as VOD afterwards.

A summary of the talks that we’ll deliver at DEF CON 29 is:

talk details

Like I’ve mentioned before, talks take a ton of work behind the scenes to both research and prepare. I’d love to take a moment to summarise what each person has been working on and what you can expect from their talks.

Claire Vacherot – Sneak into buildings with KNXnet/IP

Delivered as a Main Stage talk, Claire’s work on Building Management Systems is an enlightening one, focusing on the KNXnet/IP protocol from an offensive perspective. Her talk takes a journey into understanding how a TCP/IP stack effectively got bolted on to a frame/field-level protocol (via a gateway), and why that is interesting for security research. She will also be releasing an updated version of her tooling, called BOF, that you can use to perform both rudimentary interactions with KNXnet/IP-enabled BMS and more advanced fuzzing at the lower field level.

Justin Perdok – Hi! I’m DOMAIN\Steve, please let me access VLAN2

Also delivered as a Main Stage talk, Justin describes how he discovered and built a practical attack against firewalls that perform what is called client-probing. A new patch he wrote for Impacket will let you spoof logged-in user information for any product that relies on this information to make security decisions.

William Vermaak – Frack

A self-proclaimed breach data hoarder, William will use this Demo Labs session to show the tooling he has been working on, which allows one to maintain huge sets of breach data in the cloud, on the cheap. The data itself is useful on both the offence and defence sides, and using Frack, William will show how you too can maintain your own instance of it.

Dominic White & Michael Kruger – Assless Chaps: why MSCHAPv2 is so broken, it’s showing it’s whole ass

Presenting at the Radio Frequency Hacking Village, Michael and Dominic will be revisiting hash shucking in the context of MSCHAPv2 in two different ways, releasing new tooling for each. The first is a new kernel contribution to hashcat that will let you crack a NetNTLMv1/NetNTLMv2 to an NTLM hash using something like the Have I Been Pwned NTLM list as a wordlist, rather than brute-forcing the DES key space. The second is a space vs. time trade-off optimisation that relies on efficiently recovering the two bytes at the end of an NT hash to perform a fast DB lookup against a large hash list. Tooling for generating these hash lists, as well as for cracking against them, will be released.

training

SensePost has been delivering training at BlackHat for many years now. This year marks our 19th, and we have one heck of a line-up planned. Some of the course owners have spent a lot of time iterating on and updating their content, while others have built completely new courses from the ground up! We’re passionate about sharing what we learn, and I can genuinely say that, apart from interacting with clients, delivering training is one of the most fun ways to do just that. All of the trainers pentest by day, so you’ll quite literally be exposed to the brains of the operation.

Successfully delivering training is not just about the content, though. We’re proud of the fact that nearly every bit of our training has a practical, hands-on component. For most courses, that comes in the form of a dedicated lab per student where you can experiment, play and solve the challenges we have prepared for you. Many of these labs are realistic Active Directory environments, complete with Exchange servers and other interesting applications. Behind the scenes, this infrastructure takes a lot of work to get right. In addition to ensuring our training courses are relevant and exciting, we’ve also spent time enhancing the experience of interacting with our cloud-based infrastructure. By automating significant parts of our labs using Infrastructure as Code, adding Apache Guacamole as a means to access your lab instance via our class portal, and more, we’re continuing our journey to ensure that both the content and the infrastructure we provide are a truly excellent experience.

Whether you want to level up your web app hacking-fu by hand, working through 25 different practical exploitation exercises, or want to better understand how to approach modern WiFi exploitation, there’s something for everyone. A summary of our BlackHat trainings this year follows, and if you’re quick you may be able to grab a spot at the last minute:

We’re also presenting a brand new course at Ringzer0 this year titled Advanced Active Directory Exploitation, delivered by Sergio Lazaro and John Iatridis.

conclusion

I’m proud of everyone involved in this year’s hacker summer camp, even though it is virtual, and hope you’ll have a blast with some of the content we’ve got planned!