Popping my DoS Cherry at DerbyCon

DerbyCon (https://www.derbycon.com) is a conference that is hosted in Louisville, Kentucky in the US and this year ran from 21st to the 25th of September. I didn’t partake in the trainings and instead was just there for the conference that ran from the Thursday evening to Sunday afternoon.

TL;DR It was awesome. You should go. Book now!

Before heading out I traversed the schedule and recorded my top picks, you can find them here - https://gist.github.com/anonymous/bb8c557533618e149fafb66a1bb32587. There was a really great line up of offensive and defensive talks available. I knew it was going to be a tough choice on the day to decide between the Red and the Blue tracks. I have a foot in both areas, but on the day(s) I was slightly biased towards the Red. Luckily all the talks were streamed live for remote participants, and anyone there, but were too hungover to crawl out of bed. Additionally I knew that after the event all the talks would be archived on line for viewing at leisure. I recommend you head over to @irongeeks website (http://www.irongeek.com) as he has published the majority of the talks (http://www.irongeek.com/i.php?page=videos/derbycon6/mainlist).

My personal favourites are below but I’m sure as I work my way through the rest I will add to this list.:

Title: Thinking Purple Speaker: Carlos Perez (https://twitter.com/Carlos_Perez) Video: http://www.irongeek.com/i.php?page=videos/derbycon6/102-thinking-purple-carlos-perez

Title: Just Add Water Instant Privilege Escalation On All Versions Of Windows With Potato Speaker: Stephen Breen (https://twitter.com/breenmachine) and Chris Mallz (https://twitter.com/vvalien1) Video: http://www.irongeek.com/i.php?page=videos/derbycon6/302-rotten-potato-privilege-escalation-from-service-accounts-to-system-stephen-breen-chris-mallz

Title: A Year in the Empire Speaker: Will Schroeder (https://twitter.com/harmj0y) and Matt Nelson (https://twitter.com/enigma0x3) Video: http://www.irongeek.com/i.php?page=videos/derbycon6/105-a-year-in-the-empire-will-schroeder-matt-nelson

Title: Outlook and Exchange for the Bad Guys Speaker: Nick Landers (https://twitter.com/monoxgas) Video: http://www.irongeek.com/i.php?page=videos/derbycon6/206-outlook-and-exchange-for-the-bad-guys-nick-landers

Title: Attacking EvilCorp - Anatomy of a Corporate Hack Speaker: Sean Metcalf (https://twitter.com/PyroTek3) & Will Schroeder (https://twitter.com/harmj0y) Video: http://www.irongeek.com/i.php?page=videos/derbycon6/111-attacking-evilcorp-anatomy-of-a-corporate-hack-sean-metcalf-will-schroeder

Title: Abusing Linux Trust Relationships: Authentication Back Alleys and Forgotten Features Speaker: Ronnie Flathers (https://twitter.com/ropnop) Video: http://www.irongeek.com/i.php?page=videos/derbycon6/536-abusing-linux-trust-relationships-authentication-back-alleys-and-forgotten-features-ronnie-flathers

Title: Samsung Pay: Tokenized Numbers, Flaws and Issues Speaker: Salvador Mendoza (https://twitter.com/netxing) Video: http://www.irongeek.com/i.php?page=videos/derbycon6/537-samsung-pay-tokenized-numbers-flaws-and-issues-salvador-mendoza

Title: The Advanced Persistent Pentester (All Your Networks Are Belong 2 Us) Speaker: Beau Bullock (https://twitter.com/dafthack), Derek Banks (https://twitter.com/0xderuke) and Joff Thyer (https://twitter.com/joff_thyer) Video: https://www.derbycon.com/events/the-advanced-persistent-pentester-all-your-networks-are-belong-2-us/

As can be seen from the above listing I am keenly interested in all things Red. Specifically the top tier of this area; threat emulation and adversary simulation. Which is why whilst at the conference I seized the opportunity to converse with some of the guys that I consider to be in the top tier in these disciplines such as @PyroTek3, @_wald0, @harmj0y @subTee, @monoxgas, @enigma0x3 as well as others working with or for @verisgroup, @TrustedSec, @SilentBreakSec and @BHinfoSecurity etc. So much so, I think it was around 03:00 am one morning before I could tear my self away from some excellent knowledge sharing and awesome discussions. I was absolutely not DoS’d by a Cherry (https://twitter.com/hectaman/status/513785935029612545). Absolutely not. Did not happen. I was also not adversely effected by the excellent selection of Bourbon consumed at @BourbonCon (https://twitter.com/BourbonCon) or from smoking an excessive amount of fine cigars provided by @GuidePointSec (https://twitter.com/GuidePointSec).

I don’t want you think to DerbyCon is all about the drinking of craft brews and silky smooth bourbon. However they did effectively lubricate the many excellent LobbyCon conversations I had with like minded folk. The availability and approachability of the guys behind such awesome and useful projects and research that I and the guys and girls at MWR make regular use of, is a testament to them and DerbyCon.

As well as some excellent talks and imparting of wisdom, several tools of note were dropped at the conference that would be well worth your time checking out. A selection of these are below. Again, you’ll notice an offensive theme - however I am also aware that many Blue Team tools were also dropped. You should really head over to http://www.irongeek.com/i.php?page=videos/derbycon6/mainlist and check these out.

Rotten Potato

Rotten Potato is a local privilege escalation from service account to SYSTEM (https://github.com/foxglovesec/RottenPotato). I can already think of many situations I have been in where this would have been very useful. I’m positive it will be staple of my tool box for a long time. Check out their talk for the why - http://www.irongeek.com/i.php?page=videos/derbycon6/302-rotten-potato-privilege-escalation-from-service-accounts-to-system-stephen-breen-chris-mallz.

Lucky Strike

Lucky Strike is a PowerShell based utility for the creation of malicious Office macro documents (https://github.com/Shellntel/luckystrike). This is very similar tooling to wePWNise that MWR Labs is due to release very soon (https://t2.fi/schedule/2016/#speech8).

OWA-Toolkit

From the same guys, OWA-Toolkit a Powershell module to assist in attacking Exchange/Outlook Web Access (https://github.com/Shellntel/OWA-Toolkit). This is a nice complement to the tooling released by MWR Labs https://github.com/mwrlabs/XRulez (a Windows executable that can add malicious rules to Outlook from the command line of a compromised host) and Sensepost ruler, a tool that allows you to interact with Exchange servers through the MAPI/HTTP protocol (https://github.com/sensepost/ruler).

Exchange is taking quite a beating these days. For some background and context, make sure you check out the Tool Drop 2.0 - Free As In Pizza talk from Scot Berner (https://twitter.com/slobtresix0) & Jason Lang (https://twitter.com/curi0usJack) available here http://www.irongeek.com/i.php?page=videos/derbycon6/407-tool-drop-20-free-as-in-pizza-scot-berner-jason-lang. As well as Nick Landers (https://twitter.com/monoxgas) talk Outlook and Exchange for the Bad Guys here http://www.irongeek.com/i.php?page=videos/derbycon6/206-outlook-and-exchange-for-the-bad-guys-nick-landers. This blog post by MWR Lab may also be of interest - https://labs.mwrinfosecurity.com/blog/malicous-outlook-rules.

MailSniper

In a related area, I was also impressed with and can’t wait to use the MailSniper (https://github.com/dafthack/MailSniper) tooling. MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment created by the guys over at Black Hills (https://twitter.com/BHinfoSecurity).

Hashview

Finally another project worth checking out is http://www.hashview.io - a web front-end for password cracking and analytics from the Shellntel team (http://www.shellntel.com). For background on this check out their talk at http://www.irongeek.com/i.php?page=videos/derbycon6/319-hashview-a-new-tool-aimed-to-improve-your-password-cracking-endeavors-casey-cammilleri-hans-lakhan.

In summary - an awesome conference where you can hang out and share thoughts with some truly excellent, skilled and knowledgeable folks, get visibility of new tooling as well as emerging research in the offensive and defensive realms. Best of all a place to sample fine craft ales and sweet bourbons. What more do you want from a conference?