DEF CON
29

WORKSHOPS

DEF CON Discord Server
Discord
DEF CON Twitch Server
Twitch
DEF CON Entertainment Twitch Server
A&E
DEF CON Info Booth Server
Info
DEF CON YouTube Page
YouTube
DEF CON Forums Logo
Forums

DEF CON WORKSHOPS IS BACK LIVE AND IN-PERSON ONLY AT BALLY’S!

Workshops are a great way for instructors from the community to share information with others on a variety of subjects. Pre-registration for all DEF CON Workshops will open at 0900 PDT on Tuesday, July 6, and stay open until the last ticket is spoken for. We will be using EventBrite again to handle pre-registration and are anticipating the same level of response that we have seen in previous years, so be sure to check back here for the event links so you can be ready for Tuesday!

To keep everyone safe while participating in workshops, we are making the following changes:

  • Max capacities listed, below, take into account keeping rooms at 80% capacity of the room.
  • More space between attendees while still ensuring there are power strips available.
  • Staggered check-in times in the morning in evening and an hour in-between sessions to reduce the number of people in the hallways at any given time.

Please note that all workshops are going to be in-person only with no parts of it streamed. Out of consideration for others, we ask that you do not pre-register unless you are certain you are able to attend.

Analysis 101 and 102 for the Incident Responder

Friday from 1000 to 1400 in Las Vegas 3+4
Capacity: 50 | Beginner - Intermediate

Kristy Westphal Vice President, Security Operations

You have a theory about something you have found while roaming the network or conducting your own hackfest, but how do you go about proving it? This workshop will be a hands-on journey deep into the world of analysis. While analysis is a bit of an art form, there are methods that can be applied to make it less of a gut feeling and more of a scientific approach to support your hypothesis. From network forensics to log analysis to endpoint forensics and cloud log analysis, we will review numerous quick methods to gain context over the data you have gathered and apply critical thinking in an attempt to find the answers. Sometimes, the answers weren’t meant to be found, but we’ll also discuss how to make the best of any conclusion that you reach.

Registration Link: https://www.eventbrite.com/e/analysis-101-and-102-for-the-incident-responder-las-vegas-3-4-tickets-162216976343

Prerequisites:
None

Materials needed:
Laptop with Wireshark installed

Kristy Westphal
Kristy Westphal is a versatile information technology professional with specific experience in providing advisory and management services in the area of information security and risk is currently employed as the Vice President, Security Operations at a financial services company. Specializing in leadership and program development, specific expertise in security areas includes: process analysis, risk assessments, security awareness programs, operating system security, network security, incident handling, vulnerability analysis and policy development.

Back to top

Digital Forensics and Incident Response Against the Dark Arts: The Battle of Malicious Email and Downloaders

Saturday from 1000 to 1400 in Las Vegas 5+6
Capacity: 67 | Beginner - Intermediate

Michael Solomon Threat Hunter

Michael Register Threat Hunter

Ever wondered what it is like being a cybersecurity or incident response analyst? Here is your chance to experience an exciting 4-hour class taught by mR_F0r3n51c5 and S3curityN3rd. Phishing and malicious spam attacks continue to pose a significant risk in today’s cyber threat landscape. Using forensic and malware analysis fundamentals, this class will teach students how to analyze malicious downloaders, phishing emails, and malicious spam.

Upon successful class completion, students will be able to:

  • Build analysis skills that leverage complex scenarios and improve comprehension.
  • Demonstrate an understanding of forensic fundamentals used to analyze an email.
  • Use open-source information to collect and analyze threat actor data; identify indicators of compromise, and demonstrate how to pivot on that information.
  • Demonstrate how to analyze a malicious downloader; to include but not limited to debugging and deobfuscation.
  • Participate in a hand to keyboard combat capstone. Students will be given a malicious file sample and demonstrate how to analyze it.

Registration Link: https://www.eventbrite.com/e/digital-forensics-and-ir-against-the-dark-arts-las-vegas-5-6-tickets-162218185961

Prerequisites:
None

Materials needed:
Students will be required to download two virtual machines (OVA files). Students will be given a URL for download access. In regards to the downloaded virtual machines, these should be imported into your virtual machine software and ready before the start of class. If any additional technical support is needed, the instructors will make themselves available online.

Students must have a laptop that meets the following requirements:

  • A 64 bit CPU running at 2GHz or more. The students will be running two virtual machines on their host laptop.
  • Have the ability to update BIOS settings. Specifically, enable virtualization technology such as "Intel-VT."
  • The student must be able to access their system's BIOS if it is password protected. This is in case of changes being necessary.
  • 8 GB (Gigabytes) of RAM or higher
  • At least one open and working USB Type-A port
  • 50 Gigabytes of free hard drive space, allowing you the ability to host the VMs we distribute
  • Students must have Local Administrator Access on their system.
  • Wireless 802.11 Capability
  • A host operating system that is running Windows 10, Linux, or macOS 10.4 or later.
  • Virtualization software is required. The supplied VMs have been built for out of the box comparability with VMWare Workstation or Player. Students may use other software if they choose, but they may have to troubleshoot unpredictable issues.

At a minimum, the following VM features will be needed:

  • NATted networking from VM to Internet
  • Copy Paste of text and files between the Host machine and VM

Michael Solomon
Michael Solomon (mR_F0r3n51c5) is currently a Threat Hunter for a large managed security service provider. He has ten years of experience conducting Cyber Operations, Digital Forensics & Incident Response (DFIR), and Threat Hunting. He is very passionate about helping grow and inspire cybersecurity analysts for a better tomorrow.

Michael Register
Michael Register (S3curityN3rd) has 5 years of combined experience across IT, Networking, and Cybersecurity. He currently holds multiple certifications, including the GCIH. S3curityN3rd spent the last 3 years working in Incident Response before a recent transition into a Threat Hunting role. His areas of focus have been on forensics, malware analysis, and scripting.

Back to top

Windows Internals

Friday from 1500 to 1900 in Jubilee 1
Capacity: 115 | Intermediate

Sam Bowne Proprietor, Bowne Consulting

Elizabeth Biddlecome Consultant and Part-Time Instructor

Kaitlyn Handelman Hacker

Irvin Lemus Cybersecurity Professor

Explore the structure of Windows executable files and the operating system itself, to better understand programs, services, malware, and defenses. Projects include: cheating at games, building malicious DLL libraries, stealing passwords from the API, building a keylogger, and debugging a driver. Tools used include FLARE-VM, pestudio, API Monitor, Visual Studio, OllyDbg, IDA Pro, Ghidra, and WinDbg. No previous experience with programming is required.

To prepare for this workshop, please prepare a FLARE-VM in advance, as explained here: https://samsclass.info/126/proj/PMA40.htm

Registration Link: https://www.eventbrite.com/e/windows-internals-jubilee-1-tickets-162217227093

Prerequisites:
Previous experience troubleshooting Windows is helpful but not required

Materials needed:
A computer that can run virtual machines locally, or a few dollars to rent cloud servers

Sam Bowne
Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks and hands-on trainings at DEF CON, DEF CON China, HOPE, BSidesSF, BSidesLV, RSA, and many conferences and colleges.

Elizabeth Biddlecome
Elizabeth Biddlecome is a consultant and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.

Kaitlyn Handelman
I like to hack stuff, and I’m like really good at computers.

Irvin Lemus
Irvin Lemus has been in the industry for 10+ years as an MSP technician, consultant, instructor and coordinator. He is currently the cybersecurity professor at Cabrillo College in Santa Cruz, CA. He also is the Bay Area Cyber Competitions Regional Coordinator as well as the contest creator for SkillsUSA CA and FL. Irvin has spoken at various cybersecurity and educational conferences. Irvin holds a CISSP and a Bachelor's Degree in Information Security.

Back to top

Hacking the Metal: An Introduction to Assembly Language Programming

Saturday from 1000 to 1400 in Las Vegas 3+4
Capacity: 60 | Beginner - Intermediate

eigentourist Programmer

Deep below the surface of the web, the visible desktop, and your favorite mobile apps, lies a labyrinth where the rules of most programming languages cease to exist. This is the world of the reverse engineer, the malware analyst, and the veteran systems programmer. Here, we write code in assembly language, the lowest level at which a computing machine can be programmed. This workshop will introduce you to the world of assembly language programming, give you the opportunity to write some real-world code, and finally, to play the role of reverse engineer and try your hand at some guided malware analysis.

Registration Link: https://www.eventbrite.com/e/hacking-the-metal-an-introduction-to-assembly-language-programming-lv-34-tickets-162218563089

Prerequisites:
Some previous programming experience is helpful but not vital.

Materials needed:
Laptop

eigentourist
Eigentourist is a programmer who learned the craft in the early 1980s. He began formal education in computer science when the height of software engineering discipline meant avoiding the use of GOTO statements. Over the course of his career, he has created code of beautiful simplicity and elegance, and of horrific complexity and unpredictability. Sometimes it's hard to tell which was which. Today, he works on systems integration and engineering in the healthcare industry.

Back to top

House of Heap Exploitation

Friday from 1000 to 1400 in Las Vegas 5+6
Capacity: 60 | Intermediate

Maxwell Dulin Security Consultant

James Dolan Security Engineer

Nathan Kirkland Security Researcher & Engineer

Zachary Minneker Security Researcher & Engineer

Heap exploitation is an incredibly powerful tool for a hacker. As exploit mitigations have made exploitation more difficult, modern exploit development has moved to the heap. However, heap exploitation is a subject that has evaded many people for years for one reason: they focus on the techniques instead of the allocator. By learning with an allocator first style, the techniques are easily understood and practical to use.

This workshop is for learning heap exploit development in GLibC Malloc. GLibC Malloc is the default allocator on most Linux distros. With this hands-on introduction into GLibC Malloc heap exploitation you will learn how the allocator functions, heap specific vulnerability classes and to pwn with a variety of techniques. Whether you're an avid CTFer or just trying to get into heap exploitation on your pwnables site, this course is good for adding another tool to the tools arsenal. After taking this course you will understand the GLibC Malloc allocator, be able to discover heap specific vulnerability classes and pwn the heap with a variety of techniques, with the capability to easily learn more.

Registration Link: https://www.eventbrite.com/e/house-of-heap-exploitation-las-vegas-5-6-tickets-162214679473

Prerequisites:
Basic computer science background (x86_64 assembly, stack, programming skills in C & Python) Basic binary exploitation skills (buffer overflow exploitation, ROP, ASLR, etc.) Familiar with Linux developer tools such as the command line, Python scripting and GDB. Previous usage of pwntools is a plus

Materials needed:
Laptop with enough power for a moderately sized Linux VM Administrative access to the laptop 8GB RAM minimum 50GB harddrive space Virtualbox or another virtualization platform installed

Maxwell Dulin
Maxwell Dulin (Strikeout) is a security consultant at Security Innovation hacking all things under the sun, from robots to web applications. Additionally, he started the Spokane Mayors Cyber Cup and has written pwnables for SSD. Maxwell has published many articles for a plethora of heap exploitation techniques, assorted web application hacking exploits and IoT device vulnerability hunting. He has previously spoken at DEFCON 27 IoT Village. In his free time, he plays with RF toys, hikes to fire lookouts and catches everything at dodgeball.

James Dolan
James Dolan works for Security Innovation as a Security Engineer focusing on engagements ranging from IoT hacking to kiosk exploitation. His current research interests include emerging threats against Mobile and IoT devices. He has a degree in Computer and Information Science from University of Oregon. In his free time, James enjoys composing music, playing video games or hiking in the greater Seattle area.

Nathan Kirkland
Raised on a steady diet of video game modding, when Nathan found programming as a teenager, he fit right into it. Legend says he still keeps his coffee (and tear) stained 1980s edition of The C Programming Language by K&R stored in a box somewhere. A few borrowed Kevin Mitnick books later, he had a new interest, and began spending more and more time searching for buffer overflows and SQL injections. Many coffee fueled sleepless nights later, he had earned OSCP, and graduated highschool a few months later. After a few more years of working towards a math degree and trying fervently to teach himself cryptanalysis, he decided to head back to the types of fun hacking problems that were his real first love, and has worked at Security Innovation ever since.

Zachary Minneker
Zachary Minneker is a security researcher and security engineer at Security Innovation. His first computer was a PowerPC Macintosh, an ISA which he continues to defend to this day. At Security Innovation, he has performed security assessments on a variety of systems, including robots for kids, audio transcription codecs, and electronic medical systems. He has previous experience administrating electronic medical systems, and deep experience in fuzzing, reverse engineering, and protocol analysis. His research has focused on techniques for in-memory fuzzing, macOS sandbox security, and IPC methods.

Back to top

Modern Malware Analysis for Threat Hunters

Sunday from 1000 to 1400 in Las Vegas 1+2
Capacity: 50 | Beginner - Intermediate

Aaron Rosenmund Security Researcher

Ryan Chapman Principal IR Consultant

Malware authors go to great lengths to bypass enterprise security to deliver malware, avoid detection after the initial intrusion and maintain persistence to compromise an organization. To achieve this, malware authors employ a wide variety of obfuscation and anti-analysis techniques at each phase of an attack. In this workshop, you will get hands-on with real-world malware and learn how to identify key indicators of compromise (IOCs)/indicators of attack (IOAs), apply analysis to enhance security products to protect users and infrastructure and gain a deeper understanding of malware behavior through reverse engineering.

This workshop will utilize open-source and limited use tools such as Ghidra, IDA Pro Free/Demo, Oledump/OleVBA, PE Studio, and Suricata to perform deep technical analysis of malware, focusing on developing effective strategies to maximize your time spent. By the end of this workshop, you will be able to analyze malicious office documents, identify signs of packing, defeat obfuscation and other anti-analysis techniques and use traffic analysis to aid in detection and identifying of prevalent malware families. These skills ultimately allow you to generate valuable threat intelligence to aid in your efforts to defend your organization or respond to an incident.

This is a fast-paced course designed to take you deep into malware operations – from delivery methods to payloads! Numerous labs will reinforce key learning objectives throughout the workshop and each lab comes with a detailed lab guide. Comprehensive analysis activities and exercises are used to to test and reaffirm key learning objectives and ensure attendees have a start-to-finish understanding of the material.

Attendees will be provided with all the lab material used throughout the course in a digital format. This includes all lab material, lab guides and virtual machines used for training. This workshop will also utilize several live classroom sharing resources, such as chat and notes to ensure that attendees have access to all material discussed throughout the training. All the material provided will help to ensure that students have the ability to continue learning well after the course ends and maximize the knowledge gained from this course.

Registration Link: https://www.eventbrite.com/e/modern-malware-analysis-for-threat-hunters-las-vegas-1-2-tickets-162214781779

Prerequisites:
The primary requirement for this course is a desire to learn and the determination to tackle challenging problems. In addition, having some familiarization with the following topics will help students maximize their time in this course:

  • Basic familiarity with Linux and the terminal
  • An understanding of programming languages such as control structures (IF statements, loops and functions), data structures (objects, structures, arrays) and variable usage will be helpful

Materials needed:

  • Linux/Windows/Mac desktop environment
  • A laptop with the ability to run virtualization software such as VMWare or VirtualBox
  • Access to the system BIOS to enable virtualization, if disabled via the chipset
  • Ability to temporarily disable anti-virus or white-list folders/files associated with lab material
  • A laptop that the attendee is comfortable handling live malware on
  • Enough disk space to store at least a single 40 GB VM, although multiple VMs may be used

Aaron Rosenmund
Aaron M. Rosenmund is a cyber security operations subject matter expert, with a background in federal and business defensive and offensive cyber operations and system automation. Leveraging his administration and automation experience, Aaron actively contributes to multiple open and closed source security operation platform projects and continues to create tools and content to benefit the community. As an educator & cyber security researcher at Pluralsight, he is focused on advancing cyber security workforce and technologies for business and national enterprises alike. In support of the Air National Guard, he contributes those skills part time in various initiatives to defend the nation in cyberspace. Certifications: GIAC GCIA, GIAC GCED, CCNA Cyber Operations, Pentest+, CySa+ www.AaronRosenmund.com @arosenmund "ironcat"

Ryan Chapman
Ryan is an experienced incident response practitioner, malware analyst, and trainer. He is a Principal IR Consultant for BlackBerry, the lead organizer of CactusCon, a SANS trainer for FOR610: Reverse Engineering Malware, and a Pluralsight author. Ryan strives to imbue comedy into his trainings and loves being able to teach others while learning from them at the same time. He is a veteran speaker having presented talks and/or workshops at conferences including DefCon, SANS Summits, BSides events, CactusCon, and more. Prior to working in IR, Ryan worked as a technical trainer for over five years. "We must not teach people how to press buttons to get results. We must teach people what happens when these buttons are clicked, such that they fully understand the processes occurring in the background," says Ryan.

Back to top

Evading Detection a Beginner's Guide to Obfuscation

Saturday from 1500 to 1900 in Las Vegas 3+4
Capacity: 60 | Intermediate

Anthony "Cx01N" Rose Lead Security Researcher

Jake "Hubbl3" Krasnov Red Team Operations Lead

Vincent "Vinnybod" Rose Lead Tool Developer

Defenders are constantly adapting their security to counter new threats. Our mission is to identify how they plan on securing their systems and avoid being identified as a threat. This is a hands-on class to learn the methodology behind malware delivery and avoiding detection. This workshop explores the inner workings of Microsoft's Antimalware Scan Interface (AMSI), Windows Defender, and Event Tracing for Windows (ETW). We will learn how to employ obfuscated malware using Visual Basic (VB), PowerShell, and C# to avoid Microsoft's defenses. Students will learn to build AMSI bypass techniques, obfuscate payloads from dynamic and static signature detection methods, and learn about alternative network evasion methods.

In this workshop, we will:

i. Understand the use and employment of obfuscation in red teaming.
ii. Demonstrate the concept of least obfuscation.
iii. Introduce Microsoft's Antimalware Scan Interface (AMSI) and explain its importance.
iv. Demonstrate obfuscation methodology for .NET payloads.

Registration Link: https://www.eventbrite.com/e/evading-detection-a-beginners-guide-to-obfuscation-las-vegas-3-4-tickets-162219734593

Prerequisites:
Basic level of PowerShell or C# experience.

Materials needed:
Laptop VMWare or Virtual Box Windows Dev machine or other Windows VM Kali Linux VM

Anthony "Cx01N" Rose
Anthony "Cx01N" Rose, CISSP, is the Lead Security Researcher at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, and RSA conferences. Cx01N is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work, revealing wide-spread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.

Jake "Hubbl3" Krasnov
Jake "Hubbl3" Krasnov is the Red Team Operations Lead at BC Security. He has spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Hubbl3 has presented at DEF CON, where he taught courses on offensive PowerShell and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.

Vincent "Vinnybod" Rose
Vincent "Vinnybod" Rose is the Lead Tool Developer for Empire and Starkiller. He is a software engineer with expertise in cloud service and has over a decade of software development and networking experience. Recently, his focus has been on building ad-serving technologies, web and ad-tracking applications. Vinnybod has presented at Black Hat has taught courses at DEF CON on Red Teaming and Offensive PowerShell. He currently maintains a cybersecurity blog focused on offensive security at https://www.bc-security.org/blog/.

Back to top

Bug bounty Hunting Workshop

Saturday from 1000 to 1400 in Las Vegas 1+2
Capacity: 60 | Beginner

Philippe Delteil Computer Science Engineer

David Patten

Bug bounty hunting is (probably) the most hype topic in the hacking subworld, some people read amazing stories of how a 18 years old won 1 million dollars only doing legal hacking. Many hit a wall when they realize that after two months they only won points, thanks or cheap swag. Where's the money?, they ask. What should I learn and how? How many books should I read? How many minutes of Youtube tutorials? What if I lose some weight? [always recommended] How can I be the next bug bounty millionare? In this workshop I will show you a path to be a bug bounty hunter, from my experience starting by chance and from scratch. I will teach you how to use the tools I use everyday to find bugs, but most importantly how to see bug bounty hunting as a complex business process .

What to know before
Basic idea of bugs (and bounty hunting)
Basic Linux commands (sed, awk, grep)
Shell scripting basics
Have some practice doing recon

What you will learn
How bug bounty programs/platforms work
What tools hunters use and how do they work
How to hunt for bugs (hopefully for profit)
Automatization of your hunting process

How technical is the class
30% theory and concepts
70% Installing, configuring and using tools to find bugs. Send some reports if we are lucky.

What tools are we going to use
Scanners/automated tools: nuclei, axiom, bbrf, dalfox, Burp.
Recon tools (subfinder, amass, assetfinder, waybackurls, httpx and more)

What to read/watch in advance
Books
The Web Application Hacker's Handbook, 2nd Edition
Hands-On Bug Hunting for Penetration Testers (Joseph E. Marshall)
Web Hacking 101 (Peter Yaworski)

Videos
Live Recon and Distributed Recon Automation Using Axiom with @pry0cc (https://bit.ly/3gPsonz) The Bug Hunter's Methodology Full 2-hour Training by Jason Haddix (https://bit.ly/2PzHUsr)
Finding Your First Bug: Choosing Your Target by InsiderPhD (https://bit.ly/3uiF3n7)
HOW TO GET STARTED IN BUG BOUNTY (9x PRO TIPS) by STÖK (https://bit.ly/3u81U4m)

Registration Link: https://www.eventbrite.com/e/bug-bounty-hunting-workshop-tickets-162219297285

Prerequisites:
Basic knowledge about Bug bounty programs Basic Linux Commands

Materials needed:
Laptop with Kali Linux (native or virtual machine).

Philippe Delteil
Philippe Delteil is Computer Science Engineer from the University of Chile, he gave his first talk at Defcon 26 Skytalks, called "Macabre stories of a hacker in the public health sector", his country's government sent 3 officials to record the talk, they did. He's been reporting bugs for a year. He's an annoying github issue opener of some opensource tools like axiom, nuclei, dalfox and bbrf; also makes small contributions to 'Can I take Over XYZ?'

David Patten

Back to top

Learning to Hack Bluetooth Low Energy with BLE CTF

Friday from 1500 to 1900 in Las Vegas 3+4
Capacity: 80 | Beginner - Intermediate

Ryan Holeman Global Security Overlord

BLE CTF is a series of Bluetooth low energy challenges in a capture the flag format. It was created to teach the fundamentals of interacting with and hacking Bluetooth Low Energy services. Each exercise, or flag, aims to interactively teach a new concept to the user. For this workshop, we will step through a series of exercises to teach beginner students new concepts and allow more seasoned users to try new tools and techniques. After completing this workshop, you should have a good solid understanding of how to interact with and hack on BLE devices in the wild.

If you have done BLE CTF in the past, this class is still valuable. For advanced users we offer BLE CTF Infinity which is a sequel to BLE CTF. BLE CTF Infinity offers new exercises where each flag challenge is hosted in a completely separate GATT service. The new version allows for more advanced challenges which were not possible in the past.

To prepare for the workshop, please follow the setup documentation located at https://github.com/hackgnar/ble_ctf/blob/master/docs/workshop_setup.md

Registration Link: https://www.eventbrite.com/e/learning-to-hack-bluetooth-low-energy-with-ble-ctf-las-vegas-3-4-tickets-162217343441

Prerequisites:
To prepare for the workshop, please follow the setup documentation located at https://github.com/hackgnar/ble_ctf/blob/master/docs/workshop_setup.md

Materials needed:
Preferably a Linux box with a bluetooth controller or a bluetooth usb dongle. An OSX or Windows machine with a Linux VM and usb passthough works as well but should be setup and tested before the workshop.

Ryan Holeman
Ryan Holeman resides in Austin Texas where he works as the Global Security Overlord on Atlassian's Security team. He is also an advisor for the endpoint security software company Ziften Technologies. He received a Masters of Science in Software Engineering from Kent State University. His graduate research and masters thesis focused on C++ template metaprograming. He has spoken at many respected venues such as Black Hat, DEF CON, Lockdown, BSides, Ruxcon, Notacon, and Shmoocon. He has also published papers though venues such as ICSM and ICPC . You can keep up with his current activity, open source contributions and general news on his blog. His spare time is mostly spent digging into various network protocols, random hacking, creating art, and shredding local skateparks.

Back to top

The Joy of Reverse Engineering: Learning With Ghidra and WinDbg

Friday from 1000 to 1400 in Jubilee 2
Capacity: 150 | Beginner

Wesley McGrew Senior Cybersecurity Fellow

While it can be intimidating to "get into" software reverse engineering (RE), it can be very rewarding. Reverse engineering skills will serve you well in malicious software analysis, vulnerability discovery, exploit development, bypassing host-based protection, and in approaching many other interesting and useful problems in hacking. Being able to study how software works, without source code or documentation, will give you the confidence that there is nothing about a computer system you can't understand, if you simply apply enough time and effort. Beyond all of this: it's fun. Every malicious program becomes a new and interesting puzzle to "solve".

The purpose of this workshop is to introduce software reverse engineering to the attendees, using static and dynamic techniques with the Ghidra disassembler and WinDbg debugger. No prior experience in reverse engineering is necessary. There will be few slides--concepts and techniques will be illustrated within the Ghidra and WinDbg environments, and attendees can follow along with their own laptops and virtual environments. We will cover the following topics:

  • Software Reverse Engineering concepts and terminology
  • Setting up WinDbg and Ghidra (and building the latter from source)
  • The execution environment (CPU, Virtual Memory, Linking and Loading)
  • C constructs, as seen in disassembled code
  • Combining static and dynamic analysis to understand and document compiled binary code
  • Methodology and approaches for reverse engineering large programs
  • Hands-on malware analysis
  • How to approach a "new-to-you" architecture

Registration Link: https://www.eventbrite.com/e/the-joy-of-reverse-engineering-learning-with-ghidra-and-windbg-jubilee-2-tickets-162215935229

Prerequisites:
No previous reverse engineering experience required. Basic familiarity with programming in a high-level language is necessary (C preferred).

Materials needed:

  • A laptop with a fresh Windows 10 Virtual Machine.
  • Being able to dedicate 8GB RAM to the VM (meaning, you probably have 16GB in your laptop) will make the experience smoother, but you can get by with 4GB
  • 10 GB storage free in the VM (after installing Windows)
  • Administrative privileges
  • Ability to copy exercise files from USB

We will be working with live malware samples. Depending on your comfort level with this, bring a "burner" laptop, use a clean drive, or plan on doing a clean install before and after the workshop.

Wesley McGrew
Dr. Wesley McGrew directs research, development, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFederal. He has presented on topics of penetration testing and and malware analysis at DEF CON and Black Hat USA and taught a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.

Back to top

From Zero to Hero in Web Security Research

Saturday from 1000 to 1400 in Juilee 2
Capacity: 150 | Beginner - Intermediate

Roman Zaikin Security Expert

Yaara Shriki Security Researcher

Dikla Barda Security Expert

Oded Vanunu Security Leader and Offensive Security Expert

Web applications play a vital role in every modern organization. If your organization does not properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data. Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems.

Customers expect web applications to provide significant functionality and data access. Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used business tools within any organization. Unfortunately, there is no "patch Tuesday" for custom web applications, so major industry studies find that web application flaws play a major role in significant breaches and intrusions.

In this workshop we will teach you how to find vulnerabilities in web security according to the latest methods and techniques. We will demonstrate every vulnerability by giving an example from vulnerability we have found in major tech companies like: Facebook, WhatsApp, Amazon, AliExpress, Snapchat, LG and more!

Registration Link: https://www.eventbrite.com/e/from-zero-to-hero-in-web-security-research-jubilee-2-tickets-162214757707

Prerequisites:
Basic Web Concepts, Basic Web Development Skills, Ability to Understand JavaScript.

Materials needed:
Personal Laptop

Roman Zaikin
Roman Zaikin is a Security Expert at Check Point Software Technologies. His research has revealed significant flaws in popular services, and major vendors (Facebook, WhatsApp, Telegram, eBay, AliExpress, LG, DJI, Microsoft and more). He has over 10 years of experience in the field of cyber security research. He spoke at various leading conferences worldwide and taught more than 1000 students, he is also responsible for the design and the material of various cyber courses worldwide. He holds more than 15 Certifications and extensive experience with system administration, network architecture, software development, penetration testing and reverse engineering. He has outstanding self-taught skills, having the ability to develop and thinking outside the box. Love technology and want to know exactly how things work behind the scenes at lowest level of the bit and the bytes. He has an innate curiosity of how software can be broken down or bypassed so you can do things with it that weren't intended to be done.

Yaara Shriki
Yaara Shriki is an experienced security researcher at Check Point. She is an IDF technological unit graduate with experience in penetration testing, vulnerability research and forensics. Outside of work, Yaara volunteers to promote women and girls in tech.

Dikla Barda
Dikla Barda is a Security Expert at Check Point Software Technologies. Her research has revealed significant flaws in popular services, and major vendors like: Facebook, WhatsApp, Telegram, eBay, AliExpress, LG, DJI, Microsoft, TikTok and more. She has over 15 years of experience in the field of cyber security research. She spoke at various leading conferences worldwide.

Oded Vanunu
Oded Vanunu has more than 15 years of InfoSec experience. He is a Security Leader and Offensive Security Expert who leads a security research domain from product design stages until post release. Vanunu leads security ideas into products. His expertise is in building a security research team, vulnerability research, security best practice and security design. He has been issued five patents on cybersecurity defense methods and has published dozens of research papers and product CVEs.

Back to top

Writing Golang Malware

Friday from 1500 to 1900 in Las Vegas 5+6
Capacity: 15 | Intermediate

Benjamin Kurtz Hacker

Participants will learn how to design and build their own multi-platform Golang-based implants and c2 frameworks by building on samples provided.

Topics will include:

  • Communication between the implant and the command and control system including encrypted darknets with pluggable transports, covert exfiltration methods, detection evasion, and fault tolerant infrastructure design.
  • Binary transformation techniques designed to allow offensive practitioners the freedom of writing conventional binaries, yet maintaining the mobility of shellcode-like operating conditions.
  • Parsing and rewriting all binary formats to inject shellcode using a variety of reconfigurable methods.
  • On-the-wire modification of binaries and archives from a man-in-the-middle or malicious server perspective.
  • Methods of avoiding EDR with your implant, including loading modules direct from the c2 to memory without touching disk (on all platforms), customizable encrypting packers, and direct system calls/DLL unhooking (on Windows).

Registration Link: https://www.eventbrite.com/e/writing-golang-malware-las-vegas-5-6-tickets-162217403621

Prerequisites:
Programming experience required, some experience with Golang would be helpful.

Materials needed:
Laptop (any operating system)

Benjamin Kurtz
Ben Kurtz is a hacker, a hardware enthusiast, and the host of the Hack the Planet podcast (https://symbolcrash.com/podcast). After his first talk, at DefCon 13, he ditched development and started a long career in security. He has been a pentester for IOActive, head of security for an MMO company, and on the internal pentest team for the Xbox One at Microsoft. Along the way, he volunteered on anti-censorship projects, which resulted in his conversion to Golang and the development of the ratnet project (https://github.com/awgh/ratnet). A few years ago, he co-founded the Binject group to develop core offensive components for Golang-based malware, and Symbol Crash, which focuses on sharing hacker knowledge through trainings for red teams, a free monthly Hardware Hacking workshop in Seattle, and podcasts. He is currently developing a ratnet-based handheld device for mobile encrypted mesh messenging, planned for release next year.

Back to top

Network Analysis with Wireshark

Saturday from 1500 to 1900 in Jubilee 2
Capacity: 150 | Beginner

Irvin Lemus Instructor

Sam Bowne Proprietor, Bowne Consulting

Elizabeth Biddlecome Consultant and Part-Time Instructor

Kaitlyn Handelman Hacker

Summarize what your training will cover, attendees will read this to get an idea of what they should know before training, and what they will learn after. Use this to section to broadly describe how technical your class is, what tools will be used, and what materials to read in advance to get the most out of your training. This abstract is the primary way people will be drawn to your session.

This workshop will introduce participants to Network Analysis by understanding Wireshark. Participants will learn to understand packet activity, abnormalities and anomalies to detect attacks, troubleshoot network problems, and perform network forensics. This workshop is structured as a CTF.

Registration Link: https://www.eventbrite.com/e/network-analysis-with-wireshark-tickets-162219979325

Prerequisites:
Basic networking knowledge

Materials needed:
Any laptop with Wireshark installed.

Irvin Lemus
Irvin Lemus is an instructor at Cabrillo College, teaching cyber security courses for 3 years. Irvin runs the cybersecurity competition program for the Bay Area Community Colleges. He also creates the SkillsUSA Cybersecurity contests for California and Florida. He has Security+, CySA+, WCNA, CISSP.

Sam Bowne
Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks and hands-on trainings at DEF CON, DEF CON China, HOPE, BSidesSF, BSidesLV, RSA, and many conferences and colleges.

Elizabeth Biddlecome
Elizabeth Biddlecome is a consultant and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.

Kaitlyn Handelman
I like to hack stuff, and I’m like really good at computers.

Back to top

Advanced Wireless Attacks Against Enterprise Networks

Saturday from 1500 to 1900 in Las Vegas 5+6
Capacity: 90 | Intermediate

Solstice Offensive Security Engineer

This workshop will instruct attendees on how to carry out sophisticated wireless attacks against corporate infrastructure. Attendees will learn how to attack and gain access to WPA2-Enterprise networks using relay attacks, how to abuse MSCHAPv2 and GTC to efficiently capture network credentials, perform effective target selection with zero prior knowledge, leverage rogue access point attacks to deliver malware and harvest keystrokes, and abuse Opportunistic Wireless Encryption (OWE) to perform PITM attacks. All material discussed in the lectures will be practiced within a realistic lab environment.

Registration Link: https://www.eventbrite.com/e/advanced-wireless-attacks-against-enterprise-networks-las-vegas-5-6-tickets-162214769743

Prerequisites:
A previous wireless security background is helpful but certainly not required.

Materials needed:
Students will be required to provide their own laptops, which must meet the following requirements:

  • must be capable of running virtualization software such as VMWare or VirtualBox
  • must have at least 100gb of free disk space OR have a free USB port and supplementary external hard drive with at least 100gb of free disk space available
  • must be provisioned with a 64-bit operating system

Corporate / managed laptops are not recommended due to software restrictions.

Solstice
Solstice is an offensive security engineer at a major cloud provider. He currently specializes in kinetic threats, identifying attack vectors against "edge" devices deployed in hostile environments. Previously, he worked as a red team operator at companies such as SpecterOps, specializing in SIGINT and Windows-focused adversarial tradecraft. He is the author of EAPHammer, SilentBridge, DropEngine, and has contributed to high-profile projects such as hostapd-wpe and Empire.

Back to top

Secure messaging over unsecured transports

Friday from 1500 to 1900 in Las Vegas 1+2
Capacity: 40 | Intermediate

Ash Hacker

Summarize what your training will cover, attendees will read this to get an idea of what they should know before training, and what they will learn after. Use this to section to broadly describe how technical your class is, what tools will be used, and what materials to read in advance to get the most out of your training. This abstract is the primary way people will be drawn to your session.

You need to send a message, avoiding traditional channels like email and SMS, to someone who's on a different network, somewhere else in the world. The tools at your disposal are Python, DNS, and an unauthenticated MQTT broker. This message must be end-to-end encrypted, and the recipient must be able to confirm that it was undeniably you who sent it. Now add another constraint: you can't communicate directly with this other party to perform a public key exchange before signing, encrypting, and transmitting the message. This can be a difficult problem to solve, and many specialized secure messaging apps have sprung up to address the challenge of end-to-end secured messaging. We will build our own. While our application won't be as sophisticated as Signal, you'll leave the workshop with an understanding of how DNS can be used to enable end-to-end authenticated and encrypted communication across nearly any public system that can be made to support the publisher/subscriber communication pattern.

Registration Link: https://www.eventbrite.com/e/secure-messaging-over-unsecured-transports-las-vegas-1-2-tickets-162214713575

Prerequisites:
Students should have a good understanding of DNS, Docker, and the Python programming language. An understanding of how to configure DNSSEC with their DNS server/provider of choice is necessary, and a basic understanding of how PKI works (roots of trust and the use of public keys to secure the conveyance of public keys) will be beneficial.

Materials needed:

  • Hardware: Laptop with 4GB of RAM, 20GB hard drive space free after installing software prerequisites
  • Software: Please arrive with git, Docker engine, and docker-compose already installed

Other:

  • Attendees must have administrative access to a public DNS zone on a server which supports the TLSA record type. Many SaaS DNS services support this, and PowerDNS supports the record type as well. Configure this zone for DNSSEC before class.
  • If for some reason you cannot configure DNSSEC for your zone, you must be able to host static content over HTTPS under your domain. For example: if you're bringing mydomain.example to the workshop, you must be able to host static content on a server at https://device.mydomain.example/. If you can't do DNSSEC, bring a web server.

Ash
Ash is just some dude. In the past he's been a network engineer, created a variety of security tools, and is currently working in R&D and protocol development in spaces adjacent to email security. He has spoken at DEFCON, Black Hat, and Bsides San Diego. He has recently developed a weird fascination with hacking vintage electromechanical tech.

Back to top

Inspecting Signals from Satellites to Shock Collars

Friday from 1000 to 1400 in Las Vegas 1+2
Capacity: 25 | Intermediate

Trenton Ivey Senior Security Researcher

Eric Escobar Principal Security Consultant

Invisible signals control everything from satellites to shock collars. Wireless security can be intimidating, especially when research requires a low-level understanding of the many ways radio waves can carry data. The concept of using light to send messages is not hard to grasp, but the several abstraction layers between physical radio waves and decoded data packets obscure what is really happening when wireless devices communicate. By examining several topics that are rarely presented together, this workshop provides the introduction to wireless hacking that we both wish we had when starting out. If you want the ability to see and manipulate the unseen, this workshop is for you.

Registration Link: https://www.eventbrite.com/e/inspecting-signals-from-satellites-to-shock-collars-tickets-162215666425

Prerequisites:
Students are expected to have basic familiarity with the Linux command line.

Materials needed:
Students will need to bring a wifi-enabled laptop with a modern browser.

Trenton Ivey
Trenton is a Senior Security Researcher for Secureworks’ Counter Threat Unit and is a Technical Lead for Secureworks Adversary Group. He currently builds tools to assist with offensive testing, and helps defenders find creative ways to respond. Prior to joining Secureworks, Trenton helped build the network penetration team for a Fortune 500 company, performed web-application and device testing for a PA-QSA company, and provided IT support for one of the largest health systems in the US. Trenton received his Bachelors of Science in Biology and Chemistry and now regularly tries to find ways to apply lessons learned from the physical world to the digital one. Trenton has his Expert Class Amateur Radio license and is a lifelong member of AMSAT (Amateur Radio in Space).

Eric Escobar
Eric is a seasoned pentester and a Principal Security Consultant at Secureworks. On a daily basis he attempts to compromise large enterprise networks to test their physical, human, network and wireless security. His team consecutively won first place at DEF CON 23, 24, and 25's Wireless CTF, snagging a black badge along the way. Forcibly retired from competing in the Wireless CTF, he’s now a member of the DEF CON Wireless Village team. Before entering the cyber security arena, Eric attained both a BS and MS in Civil Engineering along with his Professional Engineering license.

Back to top

Windows Internals

Sunday from 1000 to 1400 in Jubilee 1
Capacity: 112 | Intermediate

Sam Bowne Proprietor, Bowne Consulting

Elizabeth Biddlecome Consultant and Part-Time Instructor

Kaitlyn Handelman Hacker

Irvin Lemus Cybersecurity Professor

Explore the structure of Windows executable files and the operating system itself, to better understand programs, services, malware, and defenses. Projects include: cheating at games, building malicious DLL libraries, stealing passwords from the API, building a keylogger, and debugging a driver. Tools used include FLARE-VM, pestudio, API Monitor, Visual Studio, OllyDbg, IDA Pro, Ghidra, and WinDbg. No previous experience with programming is required.

To prepare for this workshop, please prepare a FLARE-VM in advance, as explained here: https://samsclass.info/126/proj/PMA40.htm

Registration Link: https://www.eventbrite.com/e/windows-internals-jubilee-1-tickets-162218647341

Prerequisites:
Previous experience troubleshooting Windows is helpful but not required

Materials needed:
A computer that can run virtual machines locally, or a few dollars to rent cloud servers

Sam Bowne
Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks and hands-on trainings at DEF CON, DEF CON China, HOPE, BSidesSF, BSidesLV, RSA, and many conferences and colleges.

Elizabeth Biddlecome
Elizabeth Biddlecome is a consultant and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.

Kaitlyn Handelman
I like to hack stuff, and I’m like really good at computers.

Irvin Lemus
Irvin Lemus has been in the industry for 10+ years as an MSP technician, consultant, instructor and coordinator. He is currently the cybersecurity professor at Cabrillo College in Santa Cruz, CA. He also is the Bay Area Cyber Competitions Regional Coordinator as well as the contest creator for SkillsUSA CA and FL. Irvin has spoken at various cybersecurity and educational conferences. Irvin holds a CISSP and a Bachelor's Degree in Information Security.

Back to top

Analysis 101 and 102 for the Incident Responder

Saturday from 1500 to 1900 in Las Vegas 1+2
Capacity: 50 | Beginner - Intermediate

Kristy Westphal Vice President, Security Operations

You have a theory about something you have found while roaming the network or conducting your own hackfest, but how do you go about proving it? This workshop will be a hands-on journey deep into the world of analysis. While analysis is a bit of an art form, there are methods that can be applied to make it less of a gut feeling and more of a scientific approach to support your hypothesis. From network forensics to log analysis to endpoint forensics and cloud log analysis, we will review numerous quick methods to gain context over the data you have gathered and apply critical thinking in an attempt to find the answers. Sometimes, the answers weren’t meant to be found, but we’ll also discuss how to make the best of any conclusion that you reach.

Registration Link: https://www.eventbrite.com/e/analysis-101-and-102-for-the-incident-responder-las-vegas-1-2-tickets-162220226063

Prerequisites:
None

Materials needed:
Laptop with Wireshark installed

Kristy Westphal
Kristy Westphal is a versatile information technology professional with specific experience in providing advisory and management services in the area of information security and risk is currently employed as the Vice President, Security Operations at a financial services company. Specializing in leadership and program development, specific expertise in security areas includes: process analysis, risk assessments, security awareness programs, operating system security, network security, incident handling, vulnerability analysis and policy development.

Back to top

From Zero to Hero in Web Security Research

Sunday from 1000 to 1400 in Jubilee 2
Capacity: 150 | Beginner - Intermediate

Roman Zaikin Security Expert

Yaara Shriki Security Researcher

Dikla Barda Security Expert

Oded Vanunu Security Leader and Offensive Security Expert

Web applications play a vital role in every modern organization. If your organization does not properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data. Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems.

Customers expect web applications to provide significant functionality and data access. Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used business tools within any organization. Unfortunately, there is no "patch Tuesday" for custom web applications, so major industry studies find that web application flaws play a major role in significant breaches and intrusions.

In this workshop we will teach you how to find vulnerabilities in web security according to the latest methods and techniques. We will demonstrate every vulnerability by giving an example from vulnerability we have found in major tech companies like: Facebook, WhatsApp, Amazon, AliExpress, Snapchat, LG and more!

Registration Link: https://www.eventbrite.com/e/from-zero-to-hero-in-web-security-research-jubilee-2-tickets-162219662377

Prerequisites:
Basic Web Concepts, Basic Web Development Skills, Ability to Understand JavaScript.

Materials needed:
Personal Laptop

Roman Zaikin
Roman Zaikin is a Security Expert at Check Point Software Technologies. His research has revealed significant flaws in popular services, and major vendors (Facebook, WhatsApp, Telegram, eBay, AliExpress, LG, DJI, Microsoft and more). He has over 10 years of experience in the field of cyber security research. He spoke at various leading conferences worldwide and taught more than 1000 students, he is also responsible for the design and the material of various cyber courses worldwide. He holds more than 15 Certifications and extensive experience with system administration, network architecture, software development, penetration testing and reverse engineering. He has outstanding self-taught skills, having the ability to develop and thinking outside the box. Love technology and want to know exactly how things work behind the scenes at lowest level of the bit and the bytes. He has an innate curiosity of how software can be broken down or bypassed so you can do things with it that weren't intended to be done.

Yaara Shriki
Yaara Shriki is an experienced security researcher at Check Point. She is an IDF technological unit graduate with experience in penetration testing, vulnerability research and forensics. Outside of work, Yaara volunteers to promote women and girls in tech.

Dikla Barda
Dikla Barda is a Security Expert at Check Point Software Technologies. Her research has revealed significant flaws in popular services, and major vendors like: Facebook, WhatsApp, Telegram, eBay, AliExpress, LG, DJI, Microsoft, TikTok and more. She has over 15 years of experience in the field of cyber security research. She spoke at various leading conferences worldwide.

Oded Vanunu
Oded Vanunu has more than 15 years of InfoSec experience. He is a Security Leader and Offensive Security Expert who leads a security research domain from product design stages until post release. Vanunu leads security ideas into products. His expertise is in building a security research team, vulnerability research, security best practice and security design. He has been issued five patents on cybersecurity defense methods and has published dozens of research papers and product CVEs.

Back to top

Hacking the Metal: An Introduction to Assembly Language Programming

Sunday from 1000 to 1400 in Las Vegas 3+4
Capacity: 60 | Beginner - Intermediate

eigentourist Programmer

Deep below the surface of the web, the visible desktop, and your favorite mobile apps, lies a labyrinth where the rules of most programming languages cease to exist. This is the world of the reverse engineer, the malware analyst, and the veteran systems programmer. Here, we write code in assembly language, the lowest level at which a computing machine can be programmed. This workshop will introduce you to the world of assembly language programming, give you the opportunity to write some real-world code, and finally, to play the role of reverse engineer and try your hand at some guided malware analysis.

Registration Link: https://www.eventbrite.com/e/hacking-the-metal-an-introduction-to-assembly-language-programming-lv-34-tickets-162218597191

Prerequisites:
Some previous programming experience is helpful but not vital.

Materials needed:
Laptop

eigentourist
Eigentourist is a programmer who learned the craft in the early 1980s. He began formal education in computer science when the height of software engineering discipline meant avoiding the use of GOTO statements. Over the course of his career, he has created code of beautiful simplicity and elegance, and of horrific complexity and unpredictability. Sometimes it's hard to tell which was which. Today, he works on systems integration and engineering in the healthcare industry.

Back to top