Day 1
19 May 2017
Day 2
20 May 2017
Day 3
21 May 2017

Hacking the IoT: A Case Study

An IoT device is made up of 5 different components: the hardware, webapp, mobile apps, network communication and API.  Hacking an IoT device requires looking at each component individually, as well as looking at the whole picture.  In this talk, husband and wife team — Nancy and Phoenix Snoke — go through the process and findings of hacking an actual IoT device:  a baby monitor.  Both general methodology and specific examples will be presented.  This talk concludes with tips for setting up your own IoT device hacking lab.  Note: the detail level of the findings and whether the exact...
Read More
Nancy Snoke
Phoenix Snoke

Does DoD Level Security Work in the Real World?

After spending nearly 13 years working for the Department of Defense, I ventured out into the private sector to consult and advice on matters of information security. On many occasions, after explaining some basic security concept to a customer and outlining what they need to do to be secure, I often heard the retort, “yeah, but we don’t need DoD level security.” Well, after twenty years in the private sector, and especially over the past 2-3 years with the proliferation of data breaches against major companies, I find myself wanting to reply, “yeah, you really DO need DoD level...
Read More
Jeff Man

Hurt Me Plenty: The Design and Development of Arganium

This talk will cover the design, development, and state of Arganium, the cooperative hacking shooter.  Arganium is an open source project that splits a team into hackers and gamers who must work cooperatively and quickly to survive levels and solve hack challenges. The opening will cover how it fuses Jeopardy-style CTF with classic FPS.  Its usefulness for the security community is discussed since it makes running CTFs quick and easy for many skill levels.  There is also a discussion on games in education and how it can be used as a tool for team building and community engagement. After...
Read More
Todd Carr

Going past the wire: Leveraging Social Engineering in physical security assessments

Many organizations have started understanding the value they can get with a physical security assessment. However, after having one performed, they are left with a network penetration test report. Unfortunately, many consulting firms don’t know how to go past the wire and evaluate the physical security of an organization including their employees. During this talk, Stephanie will discuss the methodology she utilizes at Snowfensive when performing a physical security assessment. This methodology will cover everything from OSINT and on-site reconnaissance, crafting pretexts, multiple attack vectors, and tips and tricks.
“Snow” Stephanie Carruthers

Easy Indicators of Compromise: Creating a Deception Infrastructure

As an attacker there are certain things that I will go after that should never be seen in a network. This presentation will focus on deception techniques that any organization can implement in order to create fake infrastructure that attackers will use in order to identify them in the early stages of an attack. Deception techniques are interesting, because it really needs to be believable for an attacker to go after them. This presentation talks about different techniques that make it hard for an attacker to differentiate with what’s real and what’s not, and how to best build better...
Read More
David Kennedy

Arming Small Security Programs: Network Baseline Generation and Alerts with Bropy

Anomaly based IDS tools are expensive. Signature based IDS tools only work if a signature exists. Using a simple Bro script, organizations without large security budgets can generate alerts for anomalous packets IF they have a complete baseline of the ports and protocols their devices use. I wrote Bropy to simplify the process of generating a network baseline to be used with my baselinereport bro script.With this tool, small security teams can generate network baselines for systems in a matter of minutes, rather than hours or days. Armed with the data generated by Bropy, organizations have the option to...
Read More
Matt Domko

Lean Threat Intelligence: Detecting Intrusions and Combating Infiltrators with Open Source Software

With a vast increase in the amount of data and information coming in every second, it is important to have measures set in place to detect suspicious activity. By combining IDS events with network connection logs and enriching with threat intelligence data, you can detect attackers early, follow lateral movement, and investigate what actions an adversary performed while inside your system. In this talk, we will demonstrate how to combine and collect these logs from different sources using Graylog, an open source log management tool, in unison with Snort, an open source IDS tool. We will further elaborate on...
Read More
Lennart Koopmann

Make STEHM Great Again

Internet security threats continue to rise. Comparatively to the growing threats, there are too few security professionals in the field who are qualified to respond effectively. This session explores STEM’s success but the importance to include ‘Hacking’ into the acronym as a means to introduce a wider audience of future potential security practitioners to address the workforce shortage. A combination of use cases, hacking success stories, and lessons learned, we discuss the benefits of introducing younger students to ethical hacking and information security. We will future explore various programs which introduce basic skills through to advanced techniques used in...
Read More
David Schwartzberg

EDNS Client Subnet (ECS) – DNS CDN Magic or Security Black Hole?

In January, 2011, the first version of Client subnet in DNS requests (draft-vandergaast-edns-client-subnet-00) was published as a collaborative effort by researchers from Google, Verisign and Neustar. This document defines a specific option 8 – which “conveys network information that is relevant to the message but not otherwise included in the datagram,” allowing for both recursive and authoritative DNS servers to gain information regarding the network origin of the DNS request. This draft has been adopted as RFC 7871 and is currently undergoing review. The theory behind EDNS0 Option 8, more commonly known as EDNS0 Client Subnet, is that by...
Read More
Jim Nitterauer

Designing and Implementing a Universal Meterpreter Payload

While Windows has always been well supported with Metasploit’s Meterpreter payload, other platforms have not historically had similarly sophisticated options available. Metasploit has four alternative Meterpreter implementations, targeting Android, Java, Python and PHP, but these also are not always usable, since they target a particular software platform as well. This is especially a problem with embedded devices, where one must fall back to a simple unencrypted TCP shell. While this is fine for research purposes, it is not optimal for practical exploitation or red-teaming, where an offensive security professional would prefer to maintain as high operational safety and integrity...
Read More
Brent Cook

Rooting out evil: defend your data center like the Secret Service protects the President

Intruders spent more than a year inside the DNC and six months inside OPM. The 2013 Yahoo hack wasn’t discovered until stolen data appeared for sale in 2016. Everything we know about security suggests that while intruders have the advantage at the perimeter (they only have to be right once to get in), that balance should flip once they get inside (where every move could expose them). But they seem to have an advantage even once they get inside. We’ve spent years trying to defending the interior, but until we solve this puzzle, all the defense in depth in...
Read More
Nathaniel Gleicher

Attacking Modern SaaS Companies

Modern software-as-a-service (SaaS) companies have a large footprint and a lot of automation which enables them to build their service quickly. However, because many devops and cloud tools and processes are new, many companies don’t understand the risks and don’t plan with security in mind. Even some practiced network pentesters don’t always know the best way to find vulnerabilities in these complex cloud-based systems. This talk is an introduction to pentesting these companies and is focused on giving attendees a breadth of knowledge on the new tech – like microservices, serverless computing, configuration management, and containers – that modern...
Read More
Sean Cassidy

Happy Hour!

Open Bar happy hour, sponsored by


Dave Lewis

Iron Sights for Your Data

Data breaches have become all too common. Major security incidents typically occur at least once a month.  With the rise of both security incidents and full data breaches, blue teams are often left scrambling to put out fires and defend themselves without enough information.  This is something that can be changed with the right tools.  Tools now available allow blue teams to weaponize data and use it to their advantage.  This talk reviews frameworks for clean, consistent data collection and provides an overview of how predictive analytics works, from data collection to data mining to predictive analytics to forecasts....
Read More
Leah Figueroa

Phishing for Shellz: Setting up a Phishing Campaign

Phishing for clicks is like the VA portion of a Pentest. It feels nice being a hacker, but that fuzzy feeling wears off quickly, once you learn about command and control. Everyone knows in theory what phishing is, what phishing emails looks like, they even may even theoretically know how it all works. What about executing a Phishing campaign? This talk will show you the journey of setting up and executing a Phishing campaign to gain command and control. I have tried a few frameworks, coded some pages myself and will show the way I learned to Phish. This...
Read More
Haydn Johnson


1-hour break for lunch, enjoy the amazing food of New Orleans!

Talk Roulette

Random speakers make up random talks based on randomly generated topics what could go wrong? Sign up at Registration

Security Guards — LOL!

During onsite “black box” penetration assessments, it is quite common that you will encounter a security guard, especially when forced to enter via a lobby or other single point of entry. For situations where guards are unavoidable, we will share several war stories and social engineering techniques that have helped us turn these potential issues into successful engagements. During this presentation you will hear real-world stories from various Red Team assessments that we’ve performed. These assessments will be broken down to discuss the various social engineering and physical security bypass methods and tools used. We will also provide our...
Read More
Tim Roberts
Brent White

Embrace the Bogeyman: Tactical Fear Mongering for Those Who Penetrate

When it comes to cyber penetration, evolving threat landscapes mandate advanced persistent tac.… ha ha, just kidding. Look, let’s be real, as an internal red team things can get really weird. A day job carrying out a company’s most apocalyptic self-destructive fantasies presents a strange duality of helping and hurting. General public and corporate fear of ‘hackers’ has been both a blessing and a curse. You might say it’s a gray area, but is it really that simple? In this talk i’ll share the ups, downs, and lessons learned during my adventures as the corporate bogeyman.

Skynet Will Use PsExec: When SysInternals Go Bad

The Sysinternals Suite: A set of legitimate tools designed to make system administrator’s lives easier. However, often times system administrators are not alone: Attackers really love these tools too! This presentation will take a hard look at how attackers, both legal and not, are bending the Sysinternals suite to their will. Without needing any 0-days, custom malware, or advanced knowledge of network topology, attackers are moving through compromised networks with skill and ease. We’re going to expose how attackers are utilizing these tools, and common flaws that we see within many networks. We won’t name names, but it might...
Read More
Matt Bromiley
Brian Marks

Red Teaming Newbies – A look into CCDC

CCDC (Collegiate Cyber Defense Competition) competitions ask student teams to assume administrative and protective duties for an existing “commercial” network – typically a small company with 50+ users, 7 to 10 servers, and common Internet services such as a web server, mail server, and e-commerce site. Each team is scored on their ability to protect their network, keep services running, and handle business requests while balancing security needs with business needs. This presentation goes over the journey of joining the ‘other side’ of these competitions: the red team. This team consists of industry professionals volunteering their time for the...
Read More
Trey Underwood

Layer 8 and Why People are the Most Important Security Tool

People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals, it is ineffective. In the context two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for “blue teamers” who often must defend their organization’s’ information assets under less-than-ideal circumstances. Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user’s activity. The goal of the presentation...
Read More
Damon J. Small

Tor-Pi-Do NOW with Bloomin’ Onion

Tor-Pi-Do is a Linux distro that brings together a specific set of tools to allow for secure Tor use on the Raspberry Pi 3. Due to the standard Tor Browser bundle’s inability to support the ARMHF architecture. Included in the distro is Mozilla Firefox setup as a Tor browser with custom privacy settings to harden it and privacy add-ons which allow for extra layers of security. Bloomin’ Onion is a Red Team inspired leave-behind device (based on RPi3) that opens your targets network up like an Onion blossom. Deploy a rogue hotspot remotely and tunnel traffic back to your...
Read More
Jim Allee
Justin Whitehead

22 Short Films About Security

Inspired by The Simpsons’ homage to Pulp Fiction titled ‘22 Short Films About Springfield’, this talk delivers a fast-paced summary of a decade’s worth of rejected and abandoned presentation pitches. More than just a list of bad ideas, it’s an exploration of changing interests and technologies. We’ll cover a range of topics, from Tor hidden services to Windows credential protection, and review lessons learned from numerous failed projects.
Charlie Vedaa

The Devil’s Bargain: Emerging Trends in the Ransomware Ecosystem

2016 was hailed as the “Year of Ransomware” but the growth of this criminal industry isn’t slowing down. As more money is pumped into the ransomware ecosystem, the means by which ransomware is distributed are evolving. This talk covers a number of emerging trends in ransomware, including RaaS, attacks targeting vulnerable databases such as MongoDB and MySQL, and longer recon times during which ransomware distributors tailor the ransom demands to the company they are targeting, and a more detailed case study of ransomware using a non-traditional infection vector (neither spear phishing nor malicious websites). There will also be coverage...
Read More
Joshua Galloway

Security is dead. Long live Infosec!

The information security industry is profoundly ineffective at preventing security incidents. Major breaches of increasing severity continue to occur, often without major detriment to the victim. If the multi-billion dollar information security industry constantly fails to protect organizations, how can we succeed moving forward? What does the future hold for our industry? These topics (and more) will be covered and discussed in this 20-minute session.
David Shaw


Our Saturday Night Party! Music by DJ FuzzyNop, DualCore and more!

An Employee, their Laptop and a Hacker walk into a Bar

If one of your company laptops were lost, what might an attacker be able to do with it? In this string of live hacking demos, we begin as an attacker who has no corporate accounts and demonstrate how to hack into the warm juicy center of the corporate domain and then STEAL ALL THE THINGS. Learn some easy parlor trick hacks that really work, and more than a dozen ways to protect your organization from them.
Shannon Fritz

Beyond OWASP Top 10

We’ve all heard of the OWASP Top 10- it is the standard first reference we give web developers who are interested in making their applications more secure. It is also the categorization scheme we give to web vulnerabilities on our pentest reports. But surely there is more to web application security than the OWASP Top 10, right? In this talk, we will discuss 5 vulnerabilities that don’t quite fit into the OWASP Top 10 categories, but are just as dangerous if present in a web application. Both developers and pentesters will benefit from this talk, as both exploits and...
Read More
Aaron Hnatiw

Scamming the Scammers: Hacking scammers with pwns and knowledge with good intentions

In the world of information, it’s easy to see how people can get tricked and deceived. Social Engineering is spreading like wildfire on the internet and telephony, but in a very black hat way. Phone scams are becoming more of a problem, and it doesn’t seem like it’s stopping soon. This talk with help gain more understanding on how these scams are structured, where data is, how data is transmitted, how an call center is setup, why this happens, and insight from an actual scammer on how he was tricked. You will also gain useful knowledge on how to...
Read More
Nathan Clark