Perimeter recon is a constantly changing environment: as companies grow
and flex, new targets are constantly introduced to the landscape.
Finding these is important for penetration testing, but more important
for Red Teams emulating persistent attackers.
Introducing Moat, a tool used for perimeter recon to assist in understanding the perimeter from an OSINT perspective, using tools to rapidly assess the IP space and return information about targets on the perimeter.
James 'Jim' Lahey is the former police officer turned trailer park supervisor for Sunnyvale. His past life as a police officer keeps him vigilant, looking for antics by the local criminal element present at the trailer park. He is currently on the mend with Randy and/or Barb, to whom he hopes to return in the future.
The FireEye Labs Obfuscated String Solver (FLOSS) is an open source tool that automatically
detects, extracts, and decodes obfuscated strings in Windows Portable Executable (PE) files.
Malware analysts, forensic investigators, and incident responders can use FLOSS to quickly
extract sensitive strings to identify indicators of compromise (IOCs).
Malware authors encode strings in their programs to hide malicious activity and impede reverse engineering. Even simple encoding schemes defeat the strings tool and complicate static and dynamic analysis. Reverse engineers are challenged to decode the obfuscated data in order to fully understand a program. This usually involves recognizing encoded strings, re-implementing the decoding function, and manually applying the algorithm to the data. This process may take several hours for each malware variant. FLOSS automates this down to seconds without requiring the analyst to examine the deobfuscation method.
Although FLOSS uses advanced static analysis techniques such as emulation, the tool can be used by anyone. Incident responders and forensic analysts who understand how to interpret the strings found in a binary will understand FLOSS's output. FLOSS extracts higher value strings, as strings that are obfuscated typically contain the most sensitive configuration resources – including malicious domains, IP addresses, suspicious file paths, and other IOCs.
Moritz Raabe is a reverse engineer on the FireEye Labs Advanced Reverse Engineering (FLARE) team.
He currently focuses on automating and simplifying malware analysis.
William Ballenthin is also a reverse engineer on the FLARE team. He enjoys tackling malware and developing forensic analysis techniques. His favorite beer is La Chouffe.
The hardest part of cybercrime is the cashout. The strategy for cashing out needs to be easy enough to make it worth your while and safe enough to stay out of the clink. With more and more focus on identifying and stopping credit card fraud, cybercrooks are diversifying their methods for cashing out. While criminals can, and do, sell whole and bundled online retailer accounts, credit card data, and fullz, I want to look at how they get their grubby paws on that cold hard cash. Let's dig into the tools, techniques, and procedures used by this new generation of e-launderers and cyber hustlers.
Benjamin Brown currently works on darknet research, threat intelligence, incident response, and adversarial resilience at Akamai Technologies. He has experience in the non-profit, academic, and corporate worlds as well as degrees in both Anthropology and International Studies. Research interests include darknet and deepweb ethnographic studies, novel and side-channel attack vectors, radio systems, the psychology and anthropology of information security, metacognitive techniques for intelligence analysis, threat actor profiling, and thinking about security as an ecology of complex systems.
In this talk, I ruin America's favorite single-cup coffee maker, the Keurig.
Evan Booth loves to build stuff out of other stuff. As an engineer for
Skookum, a full service software development company in Charlotte,
North Carolina, he works to solve a variety of business problems
through the creative use of technology. As a human for Earth, he
tends to ruin things.
Given the right ingredients, a big cardboard box can be a time machine, spaceship, minecart, or a telephone booth that only calls people named 'Steve' who live in the future.
What a buffer overflow is and how to use it to gain a command prompt on various processor architectures running Linux. The presentation uses QEMU on Linux to host the i386 and ARM virtual machines.
John was trained as an electrical engineer, but is a software engineer by trade. He believes in continuous learning and enjoys working with computers in all aspects. He has attended CarolinaCon for many years and DefCon once. He has presented at various conferences in the United States and has worked around the world, but this is his second presentation at CarolinaCon.
PS>Attack is a new project being released at CarolinaCon. It is a tool for generating a portable PowerShell attack environment that makes it easy for pentesters to incorporate PowerShell into their bag of tricks. The generated environment is a self-contained exe that comes with a lot of the latest and greatest offensive PowerShell tools, including commands for Privilege Escalation, Recon and Data Exfiltration. It uses a couple of techniques to evade antivirus and Incident Response teams, making it suitable for use during live engagements. In this talk we will cover how PS>Attack came about, some of the design decisions behind it, and how you can use it to wreck shop on your next assessment.
Jared Haight is a pentester for Gotham Digital Science in Charlotte who has an unnatural love for PowerShell. When he isn't hacking the gibson he enjoys hiking and taking pretty pictures.
The Advanced Reconnaissance Framework is a new tool to assist with
your OSINT collection. Phase 1 of the framework will be released
at CC12 and will primarily be an aggregation and categorization of
free online resources and some *minor* automation. Phase 2 and
beyond will be expanding on the automation based on some existing
pain points in OSINT discovery. Phase 3 is still TBD and could
change depending on any feedback I receive.
The talk will discuss the current state of the framework, how to use the framework, and workflow in your OSINT investigations. It will follow that with future plans for the framework, how the community can help if they are interested, and of course, some related OSINT lulz discovered when doxxing bad guys.
FALE, 10+ years in InfoSec, bunch of certs no one cares about
During this talk I will be sharing knowledge on some free and
inexpensive tools for reverse engineering iOS apps, particularly
when the source code is not available, such as when cheating at
mobile games, investigating privacy issues, or participating in a
bug bounty, to name a few. There is a distinct lack of eyes on mobile
applications, and I hope to encourage listeners to play with and
explore the possibilities within iOS applications.
I will be (hopefully) showing how to:
-examine machine code when you don't know much about machine code, and how to remove ads from applications.
-MITM traffic and analyse it
-disable input validation
-steal crypto keys and passwords
-determine the quality of an app.
-general processes and time-saving things.
I will also attempt to subtly introduce Australian slang as part of a cultural exchange, which should really increase the prestigious nature of this event.
I am head of gang prevention at an infosec consultancy in Australia, but privacy research is my passion. My background and comfort zone is in cryptography and cryptanalysis. I am an adjunct (a volunteer role) at a university on the side of my day job, helping with infosec related units and fraud prevention: lecturing, PhD mentoring and course direction there.
Criminals use Vishing to trick victims in order to commit fraud or for other
nefarious purposes. In this presentation we'll cover a bit of
background and the current state of Vishing attacks, along with how
fraudsters use these tactics for their benefit.
Vishing is an often overlooked vector, and as a result of CarolinaCon 2016 I wrote PhreakMe, an open source tool that lowers the bar for security professionals to add the Vishing vector to their toolkit. Using this I'll demonstrate how penetration testers can use open source software to utilize vishing tactics in their tests and how organizations can use this to their benefit.
There is only one phishing vendor I am aware of that claims to provide "vishing" services, and PhreakMe is a little different, mainly because it is OSS and can be adapted and developed depending on the community's needs.
Owen started his career as a developer and has worked in other areas including server administration, DevOps, Application Security and most recently penetration testing and red teaming. He has over 10 years of experience with security in some form or another. He grew up in a small coastal town in the UK and moved to the States in his teens. He enjoys building things, breaking things and geeking out.
This talk will examine issues to consider when building a
process to check password strength using John the Ripper. It covers the
items to consider before dumping the hashes and running John.
Considerations include control over who will know both the user id and
cracked passwords, methods to use when cracking passwords, and choosing
when to stop and report.
Once the passwords have been cracked, the challenges continue. Decisions around reporting are not trivial. Questions around who should receive the reports and what data needs to be delivered all have to be answered. This talk will cover the challenges faced and some solutions as well.
I have spent the last 9 years in Information Security and prior to that 15 years as a Unix/Linux administrator. Husband, father and farmer, my interests are a bit scattered.
The ArmaLite pattern rifle, specifically the AR-15, is arguably
America's most popular long arm. Villainized in the press, issued by
the military, equipped in numerous video games, and kept legally in
countless US homes... the famous "black rifle" is one of the most
extensible and configurable firearms, yet so many users do little
beyond attaching a new optic or other accessory on their Picatinny
This talk will be an exploration of how many features and modifications are possible on AR rifles. Deviant will showcase his custom AR-15 which can function as upwards of five very distinct firearms. Yes, five. One single gun (the lower receiver is the only serialized and controlled element, regulated by the ATF) can shoot a variety of calibers of ammunition, launch exotic projectiles, and serve in a great many roles: from defense to plinking to weekend craziness and more.
If you can only own one gun... why not opt to make it one that easily converts to multiple guns?
As a member and director of the US division of TOOOL (The Open Organisation Of Lockpickers) Deviant Ollam has given numerous physical security presentations and trainings at events around the world. In addition to coordinating the Lockpick Village at DEFCON and ShmooCon, he also runs the 24-hour "DEFCON Shoot" which takes place in the Nevada desert every summer. Deviant has spoken about locks, access controls, firearms, and security tactics at DEFCON, Black Hat, ShmooCon, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.
In the presentation that threat intel vendors do not want you to see, open source and internal data meet home grown resources to produce actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses and shows examples of using what you already have to bootstrap this capability using existing data management platforms with open and flexible schemas to ease identification of advanced threats. Specific topics covered include the advantages of using open and flexible platforms that can be molded into a data repository, a case tracking system, an indicator database, and more. By analyzing this data, organizations can discover trends across attacks that help them understand their adversaries. An example NoSQL schema will be released to help attendees create their own implementations.
grecs has two decades of industry experience, undergraduate and graduate engineering degrees, and a really well known security certification. Despite his formal training, grecs has always been more of a CS person at heart going back to his VIC-20, Commodore 64, and high school computer club days. After doing the IT grind for five years, he discovered his love of infosec and has been pursuing this career ever since. Currently, he spends his days as a senior cyber intelligence analyst enhancing customer defenses through advanced analysis, customized training, and engineering improvements. In his free time grecs is an international speaker and blogger covering a range of topics, including incident response, malware analysis, and threat intelligence.
In this talk we will be looking at some practical ways to use the Windows Performance Toolkit. Not many people know about this little gem. It's kind of like procmon on steroids. This talk is for security researchers, malware analysts, system administrators, and the rest of us who want to know more about what goes on under the hood.
DeBuG has traveled to and attended every CarolinaCon since the first one back in 2005. For the last 3 cons he has run CTF with his crew "The XRG". DeBuG started his career in the late 90s humping a pack and carrying an M-16 in the United States Marine Corps. Since then he has worked in various technical roles and taught as an adjunct professor for George Washington University.
The massive growth of internet connected smart devices like phones and toasters is truly amazing, but it also expands an attack surface for those dead-set on stealing your stuff. Making sure an Android app does what it says - and ONLY what it says - is a life skill these days. Bill will use his experience doing vulnerability analysis on Android phone apps and walk you through the process of taking an app apart. No slides, just a walkthrough from 'look here's an app in the store' to 'here's the spot in the code where it does (or doesn't) do what it says.'
Bill Sempf is a software security architect. His breadth of experience includes business and technical analysis, software design, development, testing, server management and maintenance, and security. In his 20 years of professional experience he has participated in the creation of well over 200 applications for large and small companies, managed the software infrastructure of two Internet service providers, coded complex software happily in every environment imaginable, tested the security of all natures of applications and APs, and made mainframes talk to cell phones. He is the author of C# 5 All in One for Dummies and Windows 8 Programming with HTML5 For Dummies; a coauthor of Effective Visual Studio.NET and many other books, a frequent contributor to industry magazines; and has recently been an invited speaker for the ACM and IEEE, BlackHat, CodeMash, DerbyCon, BSides, DevEssentials, the International XML Web Services Expo and the Association of Information Technology Professionals. Bill also serves on the board of the Columbus branch of the Open Web Application Security Project, and is the Administrative Director of Locksport International.
My name is Jon Molesa (@th3mojo). Hello again. I had a great time last
year. But this time I want to bring something of real value. I’ve
thought about it for a while and I’m ready to share a personal labor of
love. An idea that was born and acted upon over a year and a half ago.
I present to you "Reporting for Hackers" or "Create Amazing Reports
with asciidoc, vim, and git" or "Word Sucks for Reporting!"
Reporting for Hackers is the vim-loving, terminal cowboy wannabe's wet dream. I will show you how you too can generate reports pleasing to even the most discriminating of metric-loving-pointy-haired-boss and executive types. By combining vim, git, asciidoc, and a few other tools, you too can generate nice looking, easily navigable, and portable reports in pdf, html, docbook, man page, and slidy. I think it's pretty sick and I hope you do too.
Jon Molesa has been tearing things apart since he could abuse a butter
or steak knife as a screwdriver. He learned to code on a Commodore 16.
Mojo is a nickname. And like any other nickname it was imposed upon me. However, it was the first truly awesome nickname I’ve ever had. Some cool dudes at @knowclassici, @ocet and @davidnorman, came up with a Bobby Name.
Basically your redneck name. Take the first syllable of your last name excluding the consonant if last, and the first syllable of your first name excluding the consonant if last. Now transpose them and prefix with a "Bobby". That’s your Bobby name. [Jo]n [Mo]lesa becomes "Bobby Mojo". Eventually everyone dropped Bobby and Mojo stuck. Completely optional. I still answer to Jon for now.
An overview of the most asinine, stupid, bone headed, and silly mistakes made by hackers and infosec professionals in recent history. Stunt hacking, out of scope blunders, bloopers, bragging about your illegal activities, etc. will be covered, along with a short lesson at the end about ethics, opsec and other techniques that could help you avoid being listed in any follow-up talks.
Randy lives in Sunnyvale Trailer Park and has had a long career in security as assistant to the park supervisor, where he would enforce the rules and keep the park peaceful and orderly. The late submission is because he just heard that you can request anything that was needed by the speaker, and he'll need at least 3 cheeseburgers to do this talk. Also, he's hoping to get some space from his former "partner" Jim Lahey.