Introducing Hands-On Workshops at the Packet Hacking Village

We are pleased to announce a series of hands-on workshops at the Packet Hacking Village at DEF CON 25.

Why Are We Doing This: Because of the success of our Packet Detective and Capture The Packet events, and knowing the demand for hands-on workshops in cyber security, we are expanding our Packet Hacking Village this year to have hands-on workshops.

Location: This hands-on workshops area is will have 30 computers preloaded with the necessary tools so you will not need to bring your own laptop. Our hands-on workshops area will be directly across from the Speaker Workshops room.


Registration Link:

Registration will cost $10 USD with 100% of the proceeds benefiting Hackers for Charity; this will help ensure only interested people register, will actually attend and help a great charity.

Attendees that are late to the class forfeit their seat. This is non-negotiable and non-refundable so be on-time!

You need to register to reserve a seat.

You *MUST* have a DEF CON badge to enter the event and the printed ticket from your registration for entry into the workshop area.

Any fakes/hacks/scams/social engineers will be publically shamed in true DEF CON fashion.





Advanced Implant Detection with Bro and PacketSled

Aaron Eppert, Director of Engineering for PacketSled

With the release Double Pulsar by the Shadow Brokers malicious software ranging from EternalBlue, WannaCry, to the more recent (Not)Peyta cyberattacks have necessitated a deeper understanding of the SMB protocol found in virtually every network in the world. Given the extreme complexity of SMB it is very easy for C&C activity to go undetected due to the shear signal-to-noise ratio present in the protocol and the high volume of activity that it generates on a network without malicious activity being present. For this PacketSled extended the SMB analyzer in Bro to facilitate the detection of, what would generally be, anomalous behavior of the protocol itself, bringing the noise floor down and allowing for the detection of anomalous activity.

What is Bro? Bro is a powerful network analysis framework that allows for customized development via an internal scripting language that allows the creation of highly powerful detections via metadata extraction events.

Aaron Eppert (Twitter: @aeppert) is the Director of Engineering and lead developer of PacketSled’s core Sensor technology. Aaron has commits to the Bro Core project and resurrected the SMB Analyzer from the depths of a feature branch and has since extended it for the purposes of finding modern malware. Additionally, Aaron has two decades of experience reverse engineering network protocols and malware as well as developing as well as developing low-level software in a range of languages. Aaron has developed and presented Bro-centric trainings to Fortune 500 companies, and government organizations.

Introducing Mallet: An Intercepting Proxy for Arbitrary Protocols

Dane Goodwin

When it comes to HTTP interception, the tools of the trade are excellent. However, setting up an intercepting proxy for protocols other than HTTP can be time consuming and difficult. To address this gap, we've created a new proxy, which allows you to define a new protocol on the fly using Netty's built-in protocol encoders and decoders, as well as being able to create your own using the existing Netty libraries. Once defined, you can interact with the objects in real-time, modifying objects and properties as you see fit.
 This workshop will give you hands on experience with our new proxy.

Dane Goodwin (Twitter: @@dane_goodwin) has worked as a pentester for ~4 years, after deciding a career in development wasn't for him. He's presented some coolness at ZaCon, BSides Cape Town, and BlackHat Arsenal 2016. While not cycling, he currently spends his time learning all things SDR.

Introduction to 802.11 Packet Dissection

Megumi Takeshita, aka Packet Otaku, Ikeriri Network Service Co.,Ltd.

Have you ever wanted to capture, filter, examine, visualize, decrypted and followed sequences of 802.11 packets? This workshop demonstrates a typical and basic work flow of wireless packet analysis. This workshop will cover basic wireless packet analysis, using Wireshark, to examine the internals of 802.11 frames including the Radiotap header, looking at the importance and meaning of the fields, mark packets and understand processes of the link layer, input the decryption key for WPA2 to explore WPA2-PSK frames and how to create graphs to visualize the stats of a wireless network.

Megumi Takeshita, or Packet Otaku (Twitter: @ikeriri) runs a packet analysis company, Ikeriri Network Service, after having worked at BayNetworks and Nortel Networks in Japan. Ikeriri Network Service is a reseller of many wired/wireless capture and analysis devices and software for Riverbed, Metageek, Profitap, Dualcomm etc. Megumi has authored 18+ books about Wireshark and packet analysis in Japanese. She is a contributor to the Wireshark project and has presented multiple times at SharkFest, Interopt Tokyo and other conferences.

An Intro to Hunting with Splunk

Come to Packet Hacking Village and get a hands-on "Hunting with Splunk" training from the experts. You will learn how to deal with end point data, sort through wire data, and maybe even find some advanced threats. Then try your hand at searching for actors in a realistic dataset in Splunk.

Splunk Security Specialists (Twitter: @splunksec) are a group of Security practitioners who play with Splunk and get to help out at things like Wall of Sheep.

The Kali Linux Dojo - Angela Could Have Done Better

Mati Aharoni, Kali Linux Developer

This workshop will show you how to create your own personalized Kali Linux ISO, customizing virtually every aspect using the live-build utility. You'll learn how to create custom Kali appliances and dedicated tools for those ever-so-specific tasks.

Mati Aharoni (Twitter: @kalilinux) is an infosec dinosaur with over a decade of active involvement in the infosec community. Between Kali development and tinkering with mysterious hardware, Mati enjoys the evangelical role of convincing anyone who will listen about the virtues of Kali Linux.

Linux Lockdown: Jailing Programs with Linux Containers

Jay Beale, CTO and COO at InGuardians

Taught by Bastille Linux creator Jay Beale, this hands-on workshop will teach you to use Linux containers to better contain an attack on any program running on the system. You will be given a vulnerable program to protect, via a virtual machine that you can download beforehand. You will first compromise the application, then contain it and exploit it again. We'll discuss AppArmor, seccomp and SELinux, and you'll be able to download the virtual machines to try more advanced versions of this afterward. For purposes of ease, we'll use Docker, but you can take the concepts home and try them with LXC/LXD, runc, or another framework for managing containers. This workshop is being taught for the first time and provides one topic from the long-running Black Hat class, "Aikido on the Command Line.”

Jay Beale (Twitter: @jaybeale and @inguardians) has been working in Linux security since 1999, when he began creating several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. He has been invited to speak at and chair conferences around the world. His first talk at Def Con was in 2000. Jay is a founder and both the CTO and Chief Operating Officer of the information security consulting company InGuardians.

Reverse Engineering Malware 101

Malware Unicorn

This workshop provides the fundamentals of reversing engineering (RE) Windows malware using a hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by basic x86 assembly, and reviewing RE tools and malware techniques. It will conclude by attendees performing a hands-on malware analysis that consists of Triage, Static, and Dynamic analysis.

Prerequisites: Basic understanding of programming C/C++, Python, or Java

Provided: A virtual machine and tools will be provided.

Features: 5 Sections in 1.5 hours:

  • ~15 min Fundamentals
  • ~15 min Tools/Techniques
  • ~30 min Triage Static Analysis + Lab
  • ~30 min Dynamic Analysis + Lab

Amanda (Twitter: @malwareunicorn) absolutely loves malware. She works as a Senior Malware Researcher at Endgame who focuses on threat research focusing in dynamic behavior detection both on Windows and OSX platforms.

Serious Intro to Python for Admins

Davin Potts, Python Core Developer

Intended for an audience of IT managers and admins who are either responsible for systems with deployed Python apps and/or interested in the security implications of developing their own tools/scripts/apps in Python. This will be a hands-on exercise from start to finish designed to leave you with a sense of the mentality of Python and an ability to quickly look up what you need when expanding your knowledge of Python in the future. Prior programming experience not required. However it would be helpful if you've seen lots of Monty Python skits before.

Davin Potts is a Python Core Developer and lead dev for the multiprocessing module in the Python standard library. For a day job, Davin is a scientific software consultant working primarily on data science projects. Also refer to