How to update ewf-tools on Kali Linux - Eliminate the "No sub system to mount EWF format." error.

Update ewf-tools to remove the no sub system to mount EWF format error.
Read more →

Packet Hacking Village Talks at DEF CON 26 Call for Presentations Now Open


The Wall of Sheep would like to announce a call for presentations at DEF CON 26 at the Caesars Palace in Las Vegas, NV from Thursday, August 9th to Sunday, August 12th. Speaker Workshops has been renamed Packet Hacking Village Talks as we now offer hands-on workshops. Packet Hacking Village Talks goal is to deliver talks that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory talks are welcome.

Topics of interest include:

  • Tools on network sniffing, intrusion detection, monitoring, forensics
  • How to find and evict people harvesting cryptocurrency on your devices
  • How to do refresh your PC without losing all your stuff and eliminate the malware
  • Incident response recovery
  • Justifying hacking / security tools in the corporate world
  • Finding rootkits and malware
  • General Digital Forensics and Incident Response (DFIR) talks
  • How to use regulatory compliance requirements in your favor to enhance your overall funding and security posture
  • Security awareness program success and failure stories
  • Enterprise defense using open source tools (e.g., Yara, Cuckoo Sandbox)
  • Tool / task automation and optimization
  • New and innovative ways of using old tools
  • Incident response process and procedures
  • Tools for data collection and visualization
  • Purple teaming

The Wall of Sheep will not accept product or vendor related pitches. If your talk is a thinly-veiled advertisement for a product or service your company is offering, please do not apply!

All accepted talks will be announced, recorded, and published by Aries Security, LLC. and DEF CON Communications, Inc. Please see our YouTube channel for all talks from previous years:

The Call for Presentations will close on Friday, June 15th at 11:59 PM. The list of talks will be finalized and published on Saturday, June 30th.

Speaking Format

Each presentation slot is 1 hour maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.

To submit a presentation, please provide the following information in the form below to cfp2018[at]wallofsheep[dot]com

Primary Speaker Name:

Primary Speaker Title and Company (if applicable):

Primary Speaker Email Address:

Primary Speaker Phone Number (to contact you if necessary during the conference):

Primary Speaker Twitter name (if you want it known if you are accepted):

Primary Speaker Facebook page (if you want it known if you are accepted):

Additional Speakers' name(s), titles, and social information:

Additional Email Addresses:

Is there a specific day or time you MUST speak by?

Name of Presentation:

Length of presentation:

(20 minutes or 50 minutes)


Your abstract will be used for the website and printed materials. Summarize what your presentation will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFP reviews like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.

Equipment Needs & Special Requests:

The Wall of Sheep will provide 1 projector feed, and microphones. If you need to use multiple outputs for a demo, please mention this below.

Speaker's Bio(s):

This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.

Detailed Outline:

You must provide a detailed outline containing the main points and navigation through your talk. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then the better we are able to best review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.

Supporting File(s):

Additional supporting materials such as code, white papers, proof of concept, etc. should be sent along with this email to cfp2018[at]wallofsheep[dot]com. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.

Terms and Conditions

By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.

Grant of Copyright Use

I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication by DEF CON Communications, Inc. and Aries Security, LLC. and that I will promptly supply DEF CON Communications, Inc. and Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give DEF CON Communications, Inc. and Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.

Terms of Speaking Requirements

1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFP submission by noon PST, June 30th, 2018.

2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, June 30th, 2018.

3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.

4. I will complete my presentation within the time allocated to me - not running over the time allocation.

5. I understand that the Wall of Sheep will provide 1 LCD projector feed, 2 screens, and microphones. I understand that I am responsible for providing all other necessary equipment, including laptops and machines (with VGA output), to complete my presentation.

6. I understand that I will be responsible for my own hotel and travel expenses, and admissions to the DEF CON Conference.

Yes, I, (insert primary speaker name), have read and agree to the Grant of Copyright Use.

I, (insert your name here), have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements.

In the case that a speaker is a child under the age of 13 years old: in compliance with the Children's Online Privacy Protection Act (COPPA) regulations,, any child under age 13 must have parental consent for the collection, use, or disclosure of that child's personal information by a website. Parent/Guardian Consent: I (insert parent/guardian's name here) am the parent or guardian of the minor/s named above. I have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements.

Read more →

Text of the Opening Remarks / Introduction at the Speaker Workshops (DEF CON 25)

Good morning and welcome to the Packet Hacking Village at DEF CON 25 in Las Vegas, Nevada! We cannot thank you enough for your support and for your continuing support for all these years. The Wall of Sheepʼs mission is and has always been security awareness. This year, the Packet Hacking Village have a number of events and learning opportunities including the venerable Packet Detective and Capture The Packets. We have a fantastic slate of DJs to entertain and keep this village lively. Sheep City and Honeypots have returned this year.  We are also excited for something new this year: hands-on workshops as there is a tremendous demand for training and continuing education in this cyber security. We hope that you will take advantage of the many opportunities here at the Packet Hacking Village and ultimately at DEF CON to learn, to collaborate, and to be inspired.

And of course, here we are at the Speaker Workshops. This is a special year: this is the fifth anniversary of the Speaker Workshops at the Packet Hacking Village. We are going to kick it off right-off-the-bat with a very special keynote. Dan Geer said in his keynote at Black Hat 2014: "cyber security is now a riveting concern, a top issue in many venues more important than this one." Or as Matt Blaze said bluntly at The Eleventh HOPE: "we are in a national cybersecurity crisis." So what does this have to do with our keynote? There are many people now starting to study or entering the field of cyber security which is very welcoming to see. However, the body of knowledge is now too deep and intimidating to grasp and history is easily forgotten. So how did we get into the mess we are in now? In May of 1998, a group of hackers testified in front of a panel of US Senators. The hacker group was L0pht. One of the members of L0pht who testified was Weld Pond, Chris Wysopal. L0pht warned that the Internet, software, and hardware are not safe and security is an afterthought. Their warning was a disaster foretold and tragically ignored (please read the stellar Washington Post article "A Disaster Foretold --And Ignored"). Their warning and efforts also paved way for many of our careers and lifestyles in this field, and why most of us are here today at DEF CON. It is my fantastic honor to introduce you all to Chris Wysopal.

Read more →

Order processing will be delayed while we are at DEF CON

It's that time of the year again.  Our team will be in Las Vegas at DEF CON which means there will be no one to process online orders.  There will be no orders processed from July 20th 2017 - August 5th 2017.

Thank you

Wall of Sheep Team

Read more →

Introducing Hands-On Workshops at the Packet Hacking Village

We are pleased to announce a series of hands-on workshops at the Packet Hacking Village at DEF CON 25.

Why Are We Doing This: Because of the success of our Packet Detective and Capture The Packet events, and knowing the demand for hands-on workshops in cyber security, we are expanding our Packet Hacking Village this year to have hands-on workshops.

Location: This hands-on workshops area is will have 30 computers preloaded with the necessary tools so you will not need to bring your own laptop. Our hands-on workshops area will be directly across from the Speaker Workshops room.


Registration Link:

Registration will cost $10 USD with 100% of the proceeds benefiting Hackers for Charity; this will help ensure only interested people register, will actually attend and help a great charity.

Attendees that are late to the class forfeit their seat. This is non-negotiable and non-refundable so be on-time!

You need to register to reserve a seat.

You *MUST* have a DEF CON badge to enter the event and the printed ticket from your registration for entry into the workshop area.

Any fakes/hacks/scams/social engineers will be publically shamed in true DEF CON fashion.





Advanced Implant Detection with Bro and PacketSled

Aaron Eppert, Director of Engineering for PacketSled

With the release Double Pulsar by the Shadow Brokers malicious software ranging from EternalBlue, WannaCry, to the more recent (Not)Peyta cyberattacks have necessitated a deeper understanding of the SMB protocol found in virtually every network in the world. Given the extreme complexity of SMB it is very easy for C&C activity to go undetected due to the shear signal-to-noise ratio present in the protocol and the high volume of activity that it generates on a network without malicious activity being present. For this PacketSled extended the SMB analyzer in Bro to facilitate the detection of, what would generally be, anomalous behavior of the protocol itself, bringing the noise floor down and allowing for the detection of anomalous activity.

What is Bro? Bro is a powerful network analysis framework that allows for customized development via an internal scripting language that allows the creation of highly powerful detections via metadata extraction events.

Aaron Eppert (Twitter: @aeppert) is the Director of Engineering and lead developer of PacketSled’s core Sensor technology. Aaron has commits to the Bro Core project and resurrected the SMB Analyzer from the depths of a feature branch and has since extended it for the purposes of finding modern malware. Additionally, Aaron has two decades of experience reverse engineering network protocols and malware as well as developing as well as developing low-level software in a range of languages. Aaron has developed and presented Bro-centric trainings to Fortune 500 companies, and government organizations.

Introducing Mallet: An Intercepting Proxy for Arbitrary Protocols

Dane Goodwin

When it comes to HTTP interception, the tools of the trade are excellent. However, setting up an intercepting proxy for protocols other than HTTP can be time consuming and difficult. To address this gap, we've created a new proxy, which allows you to define a new protocol on the fly using Netty's built-in protocol encoders and decoders, as well as being able to create your own using the existing Netty libraries. Once defined, you can interact with the objects in real-time, modifying objects and properties as you see fit.
 This workshop will give you hands on experience with our new proxy.

Dane Goodwin (Twitter: @@dane_goodwin) has worked as a pentester for ~4 years, after deciding a career in development wasn't for him. He's presented some coolness at ZaCon, BSides Cape Town, and BlackHat Arsenal 2016. While not cycling, he currently spends his time learning all things SDR.

Introduction to 802.11 Packet Dissection

Megumi Takeshita, aka Packet Otaku, Ikeriri Network Service Co.,Ltd.

Have you ever wanted to capture, filter, examine, visualize, decrypted and followed sequences of 802.11 packets? This workshop demonstrates a typical and basic work flow of wireless packet analysis. This workshop will cover basic wireless packet analysis, using Wireshark, to examine the internals of 802.11 frames including the Radiotap header, looking at the importance and meaning of the fields, mark packets and understand processes of the link layer, input the decryption key for WPA2 to explore WPA2-PSK frames and how to create graphs to visualize the stats of a wireless network.

Megumi Takeshita, or Packet Otaku (Twitter: @ikeriri) runs a packet analysis company, Ikeriri Network Service, after having worked at BayNetworks and Nortel Networks in Japan. Ikeriri Network Service is a reseller of many wired/wireless capture and analysis devices and software for Riverbed, Metageek, Profitap, Dualcomm etc. Megumi has authored 18+ books about Wireshark and packet analysis in Japanese. She is a contributor to the Wireshark project and has presented multiple times at SharkFest, Interopt Tokyo and other conferences.

An Intro to Hunting with Splunk

Come to Packet Hacking Village and get a hands-on "Hunting with Splunk" training from the experts. You will learn how to deal with end point data, sort through wire data, and maybe even find some advanced threats. Then try your hand at searching for actors in a realistic dataset in Splunk.

Splunk Security Specialists (Twitter: @splunksec) are a group of Security practitioners who play with Splunk and get to help out at things like Wall of Sheep.

The Kali Linux Dojo - Angela Could Have Done Better

Mati Aharoni, Kali Linux Developer

This workshop will show you how to create your own personalized Kali Linux ISO, customizing virtually every aspect using the live-build utility. You'll learn how to create custom Kali appliances and dedicated tools for those ever-so-specific tasks.

Mati Aharoni (Twitter: @kalilinux) is an infosec dinosaur with over a decade of active involvement in the infosec community. Between Kali development and tinkering with mysterious hardware, Mati enjoys the evangelical role of convincing anyone who will listen about the virtues of Kali Linux.

Linux Lockdown: Jailing Programs with Linux Containers

Jay Beale, CTO and COO at InGuardians

Taught by Bastille Linux creator Jay Beale, this hands-on workshop will teach you to use Linux containers to better contain an attack on any program running on the system. You will be given a vulnerable program to protect, via a virtual machine that you can download beforehand. You will first compromise the application, then contain it and exploit it again. We'll discuss AppArmor, seccomp and SELinux, and you'll be able to download the virtual machines to try more advanced versions of this afterward. For purposes of ease, we'll use Docker, but you can take the concepts home and try them with LXC/LXD, runc, or another framework for managing containers. This workshop is being taught for the first time and provides one topic from the long-running Black Hat class, "Aikido on the Command Line.”

Jay Beale (Twitter: @jaybeale and @inguardians) has been working in Linux security since 1999, when he began creating several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. He has been invited to speak at and chair conferences around the world. His first talk at Def Con was in 2000. Jay is a founder and both the CTO and Chief Operating Officer of the information security consulting company InGuardians.

Reverse Engineering Malware 101

Malware Unicorn

This workshop provides the fundamentals of reversing engineering (RE) Windows malware using a hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by basic x86 assembly, and reviewing RE tools and malware techniques. It will conclude by attendees performing a hands-on malware analysis that consists of Triage, Static, and Dynamic analysis.

Prerequisites: Basic understanding of programming C/C++, Python, or Java

Provided: A virtual machine and tools will be provided.

Features: 5 Sections in 1.5 hours:

  • ~15 min Fundamentals
  • ~15 min Tools/Techniques
  • ~30 min Triage Static Analysis + Lab
  • ~30 min Dynamic Analysis + Lab

Amanda (Twitter: @malwareunicorn) absolutely loves malware. She works as a Senior Malware Researcher at Endgame who focuses on threat research focusing in dynamic behavior detection both on Windows and OSX platforms.

Serious Intro to Python for Admins

Davin Potts, Python Core Developer

Intended for an audience of IT managers and admins who are either responsible for systems with deployed Python apps and/or interested in the security implications of developing their own tools/scripts/apps in Python. This will be a hands-on exercise from start to finish designed to leave you with a sense of the mentality of Python and an ability to quickly look up what you need when expanding your knowledge of Python in the future. Prior programming experience not required. However it would be helpful if you've seen lots of Monty Python skits before.

Davin Potts is a Python Core Developer and lead dev for the multiprocessing module in the Python standard library. For a day job, Davin is a scientific software consultant working primarily on data science projects. Also refer to

Read more →

How to remove blank rows in Excel

We've been asked how to remove blank rows in Excel an absurd amount of times, so we decided to post it as it truly is a FAQ.

While there are a few ways, here is a super simple one that anyone should be able to follow.

Press the F5 Key to cause the "Go To Special" dialog box to pop up.

Select "Blanks"

This will highlight all blanks in the sheet.  From here, simply delete the rows that are selected.






Read more →

Upgrading ESX from 6.0 to 6.5 using the CLI the SUPER easy way!


A new license is not needed for this upgrade
Ensure your 6.0.x host has a working internet connection

1) Back everything up!!!

2) Download/Install needed software

  • PuTTY or equivalent SSH client

3) Temporarily Enable SSH

  • We don’t recommend leaving SSH on permanently. SSH can be temporarily enabled via the ESXi vSphere. Step-by-step instructions can be found at:

3) Put the ESXi system into maintenance mode

  • Make sure you have all of your VM’s backed up somewhere else just in case. While we have never had any corruption during an upgrade, it’s always wise to have quality backups prior to an upgrade.

4) Follow the steps below

  1. SSH into your system.
  2. Enable the httpClient (Copy/Paste the following command into PuTTY)

esxcli network firewall ruleset set -e true -r httpClient

  • Perform the upgrade (Copy/Paste the following command into PuTTY)

esxcli software profile update -p ESXi-6.5.0-4564106-standard -d

  • Disable the httpClient (Copy/Paste the following command into PuTTY)
esxcli network firewall ruleset set -e False -r httpClient
Read more →

Super Secret DEF CON 25 MAP - How to get to the Packet Hacking Village - SHHHHH!!!

Secret Map - How to get to the Packet Hacking Village
Read more →

New Batch of Accepted Speakers and Our Schedule at DEF CON 25 Now Available

Read more →

First Batch of Speaker Workshops at DEF CON 25 Announced

The Packet Hacking Village will be located in TBD at Caesars Palace.

Speaker Workshops Schedule

Friday, July 28th Saturday, July 29th Sunday, July 30th
10:10 Opening Ceremony / How Hackers Changed The Security Industry
Chris Wysopal
14:10 Closing Ceremony
16:10 CLOSED
17:10 CLOSED
18:10 CLOSED

Speaker Workshops Abstracts and Bios

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots

Gabriel Ryan, Security Engineer at Gotham Digital Science

Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility.

The problem with this approach is that it assumes that EAP is exclusively a perimeter defense mechanism. In a wireless network, EAP actually plays a subtle and far more important role. WPA2-EAP is the means through which the integrity of a wireless network's physical layer is protected. Port-based access control mechanisms rely on the assumption that the physical layer can be trusted. Just as NACs can be bypassed on a wired network if the attacker has physical access to the switch, they can also be bypassed in a wireless environment if the attacker can control the physical layer using rogue access point attacks.

In this presentation, we will apply this concept by presenting a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS.

Gabriel Ryan (Twitter: @s0lst1c3) is a penetration tester and researcher with a passion for wireless and infrastructure testing. His career began as a systems programmer at Rutgers University, where he assessed, diagnosed, and resolved system and application issues for a user community of over 70,000 faculty, students, and staff. Gabriel then went on to work as a penetration tester and researcher for the Virginia-based defense contractor OGSystems. While at OGSystems, he worked as a lead engineer on the Mosquito project, a geospatial intelligence tool that leverages wireless technology to track potential threats. Gabriel currently works for the international security consulting firm Gotham Digital Science at their New York office, where he performs full scope red team penetration tests for a diverse range of clients. He also contributes heavily to his company's research division, GDS Labs. Some of his most recent work includes a whitepaper on rogue access point detection, along with the popular tool Eaphammer, which is used for breaching WPA2-EAP networks. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.

Demystifying the OPM Breach: WTF Really Happened

Ron Taylor

In September 2016 the House Committee on oversight finally released their report. Four years after the original breach, we are still asking how the f*#! did this happen. This talk with go over the key findings of the report and the impact on those who were effected.

Ron Taylor (Twitter: @Gu5G0rman) has been in the Information Security field for almost 20 years. Ten of those years were spent in consulting where he gained experience in many areas. In 2008, he joined the Cisco Global Certification Team as an SME in Information Assurance . In 2012, he moved into a position with the Security Research & Operations group (PSIRT) where his focus was mostly on penetration testing of Cisco products and services. He was also involved in developing and presenting security training to internal development and test teams globally. Additionally, he provided consulting support to many product teams as an SME on product security testing. In his current role, he is a Consulting Systems Engineer specializing in Cisco's security product line. Certifications include GPEN, GWEB, GCIA, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP and MCSE. Ron is also a Cisco Security Blackbelt, SANS mentor, Co-Founder and President of the Raleigh BSides Security Conference, and member of the Packet Hacking Village team at DEF CON.

Fooling the Hound: Deceiving Domain Admin Hunters

Tom Sela, Head of Security Research at illusive networks

The conflict between cyber attackers and defenders is too often in favor of attackers. Recent results of graph theory research incorporated into red-team tools such as BloodHound, shift the balance even more dramatically towards attackers Any regular domain user can map an entire network and extract the precise path of lateral movements needed to obtain domain admin credentials or a foothold at any other high-value asset. Knowing the precise path needed to reach a target decreases the chances of an attacker making mistakes and being detected, putting defenders at a very clear disadvantage.

One traditional defensive approach is to make the ability to map the network more difficult by restricting access to information. However, such restrictions cannot be applied to all platforms, and even if they could be, it is not a trivial task in production environments.

In this talk, we present a new practical defensive approach: deceive the attackers. Since the time of Sun Tzu, deceptions have been used on the battlefield to win wars. In recent years, the ancient military tactic of deceptions has been adopted by the cyber-security community in the form of HoneyTokens. Cyber deceptions, such as fictitious high-privilege credentials, are used as bait to lure the attackers into a trap where they can be detected.

To shift the odds back in favor of the defenders, the same BloodHound graphs that are generated by attackers should be used by defenders to determine where and how to place bait with maximum effectiveness. In this way, we ensure that any shortest path to a high-value asset will include at least one deceptive node or edge. Effectively designed and placed bait would make it very difficult for the attacker to avoid detection, shifting the odds back in favor of defenders.

Tom Sela is Head of Security Research at illusive networks, specializing in Reverse Engineering, Malware Research, and OS internals. Prior to joining illusive, Tom lead the Malware Research team at Trusteer (acquired by IBM). Tom majored in Computer Science at Ben-Gurion University and studied at the Israeli Naval Academy, University of Haifa.

Fortune 100 InfoSec on a State Government Budget

Eric Capuano, SOC Manager at Texas Department of Public Safety

A common misconception is that it takes spending millions to be good at security. Our security team at Texas Department of Public Safety has proved this to be untrue. We run a full-fledged Security Operations Center and leverage some very proactive controls and incident response techniques while spending a fraction of what similar agencies are allocated.

This talk outlines many of the thought processes and "tricks" to doing security well, without breaking the bank. Some concepts include thinking critically about ROIs of existing equipment, not buying into every "shiny box", not being afraid to explore open source options, and where to spend your money for the highest ROI (people!).

This is not the typical "Problem, problem, problem...." talk.... This is a solution-based talk where I'll share SOLUTIONS to very real-world scenarios facing SOC teams everywhere.

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. Also, a member of the Packet Hacking Village team at DEF CON.

Go Beyond Tabletop Scenarios by Building an Incident Response Simulation Platform

Eric Capuano, SOC Manager at Texas Department of Public Safety

Ask yourself - how prepared is your incident response team for a worse case scenario event on your network? How well can your team function as a cohesive unit while executing fast and effective incident response in an "all hell breaking loose" situation? Even seasoned blue teams often lack the experience performing in these situations because they are (hopefully) far and few. Most organizations approach to this is "if we're breached, we'll just rely on our policies and procedures"....that is akin to paramedics learning first responder skills by reading healthcare magazines. Waiting for a crisis to happen before training for a crisis is a losing approach. Not to mention, it is often during a crisis that critical blind spots present themselves--too little too late. Tabletop scenarios are a great option as they require zero resources aside from conversation. However, referring to my previous example, first responders do not learn CPR by talking about it. For things that must become muscle memory, instinctive, you must simulate the event and go through the motions. That is exactly what I am doing with my team - and we're doing it with in-house resources and spare equipment. This talk is a deep-dive technical discussion on how we built a mockup enterprise network so that we could unleash hell on it in order to practice operating as a focused IR team. Some of the concepts will be familiar, but I do have a few clever tricks and tools to share that will significantly increase the "realism" of the exercises. I will also share a few of the red team scenarios that we have employed in past events. Best part -- almost all of this can be accomplished with open source tools and inexpensive equipment, but I'll also share tips and tricks on getting free commercial hardware and software for use in your new simulation environment!

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. Also, a member of the Packet Hacking Village team at DEF CON.

How Hackers Changed The Security Industry

Chris Wysopal, CTO and Co-Founder of Veracode

Before hackers got involved in cybersecurity the industry was focused on products and compliance. Security was security features: firewalls, authentication, encryption. Little thought was given to vulnerabilities that allowed the bypassing of those features. Gene Stafford famously said SSL between two PCs is like using an armored car to deliver money from one park bench to another. Hackers came along with the idea that you use offensive techniques to simulate how an attacker would discover vulnerabilities in a networks, a system, or an application. Offensive skills have been on the rise ever since and now the best way to secure something it to try and break it yourself before the attacker does.

This history will be told from a member of the hacker group The L0pht who lived the arc from the underground, to consumer advocates, to speaking at the U.S. Senate, to forming a 200 employee security consultancy, to schooling Microsoft and changing how people build software.

Attendees will learn why we need the kind of tools hackers build to secure our systems and why we need people who are taught to think like hackers, 'security champions', to be part of software development teams.

Chris Wysopal (Twitter: @WeldPond) Chris Wysopal is currently Veracode's CTO and co-founder. He is one of the original vulnerability researchers and an early member of L0pht Heavy Industries, which he joined in 1992. He is the author of netcat for Windows and one of the authors of L0phtCrack. He has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 15 years. He is also the author of "The Art of Software Security Testing" published by Addison-Wesley.

Hunting Down the Domain Admin and Rob Your Network

Keith Lee, Senior Security Consultant at Trustwave SpiderLabs

Portia: it's a new tool we have written at SpiderLabs to aid in internal penetration testing test engagements. The tool allows you to supply a username and password that you have captured and cracked from Responder or other sources as well as an IP ranges, subnet or list of IP addresses. The tool finds its way around the network and attempts to gain access into the hosts, finds and dumps the passwords/hashes, resuses them to compromise other hosts in the network. In short, the tool helps with lateral movements in the network and automating privilege escalation as well as find sensitive data residing in the hosts.

Keith Lee (Twitter: @keith55) is a Senior Security Consultant with Trustwave's SpidersLabs Asia-Pacific. SpiderLabs is one of the world's largest specialist security teams, with over 100 consultants spread across North America, South America, Europe and the Asia Pacific. Keith Lee has presented in Hack In The Box, BlackHat Arsenal and PHDays.

IP Spoofing

Marek Majkowski, Cloudflare

At Cloudflare we deal with DDoS attacks every day. Over the years we've gained a lot of experience in defending from all different kinds of threats. We have found that the largest attacks that cause the internet infrastructure to burn are only possible due to IP spoofing.

In this talk we'll discuss what we learned about the L3 (Layer 3 OSI stack) IP spoofing. We'll explain why L3 attacks are even possible in today's internet and what direct and reflected L3 attacks look like. We'll describe our attempts to trace the IP spoofing and why attack attribution is so hard. Our architecture allows us to perform most attack mitigations in software. We'll explain a couple of effective L3 mitigation techniques we've developed to stop our servers burning.

While L3 attacks are a real danger to the internet, they don't need to be. With a bit of cooperation and couple of technical tricks maybe we can fix the IP spoofing problem for all.

Marek Majkowski (Twitter: @majek04). After fruitful encounters with such diverse topics as high performance key value databases, distributed queueing systems, making real time web communication enjoyable, and accelerating the time so that testing servers and protocols takes seconds, Marek Majkowski finally settled for working on DDoS mitigation in the CloudFlare London office, where he appreciates most the parking space for his motorbike.

Iron Sights for Your Data

Leah Figueroa

Data breaches have become all too common. Major security incidents typically occur at least once a month. With the rise of both security incidents and full data breaches, blue teams are often left scrambling to put out fires and defend themselves without enough information. This is something that can be changed with the right tools. Tools now available allow blue teams to weaponize data and use it to their advantage. This talk reviews frameworks for clean, consistent data collection and provides an overview of how predictive analytics works, from data collection to data mining to predictive analytics to forecasts. The allows the blue team to focus on potential risks instead of trying to put out every fire.

Leah Figueroa (Twitter: @Sweet_Grrl) is a 13 year veteran of the data analytics field and works as a data analyst in higher education. She holds a Master's in Education, an ABD in research psychology, and taught kindergarten. A data aficionado, Leah focuses on research on improving students outcomes at the higher education level, including focusing on both minority students issues as well as issues pertaining to students who come from a background of poverty. While not at work, Leah is interested in improving blue teams by helping bring data analytics into the team. Leah also enjoys being a fiber artist (knitter), loves cats, InfoSec, picking locks, cooking, and reading.

Layer 8 and Why People are the Most Important Security Tool

Damon Small, Technical Director, Security Consulting at NCC Group North America

People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals, it is ineffective. In the context two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many techniques used are the same that are pertinent for Capture the Packet and Packet Detective.

Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user's activity. The goal of the presentation is show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.

Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Small began focusing on cyber security. This has remained his passion, and over the past 17 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. As Technical Director for NCC Group, Small has a particular interest in research and business development in the Healthcare and Oil & Gas industries. His role also includes working closely with NCC consultants and clients in delivering complex security assessments that meet varied business requirements.

Make Your Own 802.11ac Monitoring Hacker Gadget

Vivek Ramachandran, Founder of Pentester Academy and
Thomas d'Otreppe, Author of Aircrack-ng

802.11ac networks present a significant challenge for scalable packet sniffing and analysis. With projected speeds in the Gigabit range, USB Wi-Fi card based solutions are now obsolete! In this workshop, we will look at how to build a custom monitoring solution for 802.11ac using off the shelf access points and open source software. Our "Hacker Gadget" will address 802.11ac monitoring challenges such as channel bonding, DFS channels, spatial streams and high throughput data rates. We will also look different techniques to do live streaming analysis of 802.11 packets and derive security insights from it!

Vivek Ramachandran (Twitter: @securitytube) is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam - the world's first Wi-Fi Firewall and Chigula - a Wi-Fi data mining and IDS framework. He is also the author of multiple five star rated books which have together sold over 13,000+ copies worldwide and have been translated to multiple languages. Vivek started in 2007, a YouTube for security which current aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada etc. places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon, Mundo Hacker Day and others.

Thomas d'Otreppe (Twitter: @aircrackng) is a wireless security researcher and author of Aircrack-ng, the most popular and complete suite of tools for WiFi network security assessments. He also created OpenWIPS-ng, an open source Wireless Intrusion Prevention System. Thomas is a contributor to the WiFi stack and toolset in Backtrack Linux, which has now become Kali Linux, the de facto top choice Linux distribution for penetration testing and vulnerability assessment across multiple technology domains. He is also known as an author of a pro-active wireless security course which has been delivered to large numbers of IT Security professionals worldwide. Thomas speaks and teaches in the Americas and Europe and is a well-known speaker at DefCon, BlackHat, DerbyCon, SharkFest, Mundo Hacker Day, BruCON and other venues

Modern Day CovertTCP with a Twist

Mike Raggo, CSO at 802 Secure, Inc.
Chet Hosmer, Owner of

Taking a modern day look on the 20 year anniversary of Craig Rowland's article on Covert TCP, we explore current day methods of covert communications and demonstrate that we are not much better off at stopping these exploits as we were 20 years ago. With the explosion of networked devices using a plethora of new wired and wireless protocols, the covert communication exploit surface is paving new paths for covert data exfiltration and secret communications. In this session we explore uPnP, Zigbee, WiFi, P25, Streaming Audio Services, IoT, and much more. Through real-world examples, sample code, and demos; we bring to light this hidden world of concealed communications.

Mike Raggo (Twitter: @MikeRaggo) Chief Security Officer, 802 Secure (CISSP, NSA-IAM, ACE, CSI) has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols” for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition”. A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS and PCI, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer (Twitter: @ChetHosmer) is the Founder of Python Forensics, Inc. a non-profit organization focused on the collaborative development of open-source investigative technologies using the Python programming language. Chet is also the founder of WetStone Technologies, Inc. and has been researching and developing technology and training surrounding forensics, digital investigation and steganography for over two decades. He has made numerous appearances to discuss emerging cyber threats including National Public Radio's Kojo Nnamdi show, ABC's Primetime Thursday, NHK Japan, CrimeCrime TechTV and ABC News Australia. He has also been a frequent contributor to technical and news stories relating to cyber security and forensics and has been interviewed and quoted by IEEE, The New York Times, The Washington Post, Government Computer News, and Wired Magazine. He is the author of three recent Elsevier/Syngress Books: Python Passive Network Mapping, Python Forensics, and Data Hiding. Chet serves as a visiting professor at Utica College where he teaches in the Cybersecurity Graduate program. He is also an Adjunct Faculty member at Champlain College in the Masters of Science in Digital Forensic Science Program. Chet delivers keynote and plenary talks on various cyber security related topics around the world each year.

Past, Present and Future of High Speed Packet Filtering on Linux

Gilberto Bertin, CLoudflare

As internet DDoS attacks get bigger and more elaborate, the importance of high performance network traffic filtering increases. Attacks of hundreds of millions of packets per second are now commonplace. Unfortunately line rate filtering is still an open problem.

In this session we will introduce modern techniques for high speed network packet filtering on Linux. We will follow the evolution of the subject, starting with Iptables and userspace offload solutions (such as EF_VI and Netmap), discussing their use cases and their limitations. We will then move on to a new technology recently introduced in the Linux kernel called XDP (express data path), which works by hooking an eBPF program into the lowest possible layer in the Linux kernel network stack, allowing network traffic to be filtered at high speeds. We will discuss the strengths of this solution, show some sample XDP programs and give operational tips.

Gilberto Bertin (Twitter: @jibi42) originally from a little Italian town near Venice, loves tinkering with low level systems, especially networking code. After working on variety of technologies like P2P VPNs and userspace TCP/IP stacks, he decided to move to London to help the Cloudflare DDoS team filter all the bad internet traffic.

When the Current Ransomware and Payload of the Day (CRAP of the day) Hits the Fan: Breaking the Bad News

Catherine Ullman, Senior Information Security Analyst at University at Buffalo
Chris Roberts, Chief Security Architect at Acalvio Technologies

Enabling better communications between geeks and management. As humans we have had 60,000 years to perfect communication, but those of us working in IT, regardless of which side (Blue or Red Team), still struggle with this challenge. We have done our best over the centuries to yell "FIRE!" in a manner befitting our surroundings, yet today we seem utterly incapable of providing that very basic communication capability inside organizations. This talk will endeavor to explain HOW we can yell "FIRE!" and other necessary things across the enterprise in a language both leadership, managers and end-users understand.

Dr. Catherine Ullman (Twitter: @investigatorchi) began her IT career nearly 20 years ago as a Technical Support Specialist for Corel Word Perfect. After gaining valuable experience, as well as several technical certifications while working for Ingram Micro and subsequently Amherst Systems, she was offered and accepted a position at UB as a Systems Administrator in 2000 in which she provided both server and workstation support for several departments within Undergraduate Education. While she enjoyed her support role, she began to specialize in computer security and computer forensics. As a result, Cathy was often utilized by the Information Security Office to assist in the investigation of security breaches. Ultimately, she was asked to join the Information Security Office full time in 2009. In her current role as a Senior Information Security Analyst, Cathy is responsible for performing computer forensic investigative services for compliance on potentially compromised machines as well as personnel issues. She also assists with incident management involving intrusion detection and analysis and provides security awareness training to departments on campus upon request. In her (minimal) spare time, she enjoys researching death and the dead, and learning more about hacking things.

Chris Roberts (Twitter: @sidragon1) is considered one of the world's foremost experts on counter threat intelligence within the Information security industry. At Acalvio, Roberts helps drive Technology Innovation and Product Leadership. In addition, Roberts directs a portfolio of services within Acalvio designed to improve the physical and digital security posture of both enterprise, industrial and government clients. With increasingly sophisticated attack vectors, Roberts' unique methods of addressing the evolving threat matrix and experience with a variety of environments - Enterprise, Industrial, and IoT, make Roberts and his team an indispensable partner to organizations that demand robust, reliable, resilient and cost-effective protection.

YALDA - Large Scale Data Mining for Threat Intelligence

Gita Ziabari, Senior Threat Research Engineer at Fidelis Cybersecurity

Every SOC is deluged by massive amounts of logs, suspect files, alerts and data that make it impossible to respond to everything. It is essential to find the signal in the noise to be able to best protect an organization. This talk will cover techniques to automate the processing of data mining malware to derive key indicators to find active threats against an enterprise. Techniques will be discussed covering how to tune the automation to avoid false positives and the many struggles we have had in creating appropriate whitelists. We'll also discuss techniques for organizations to find and process intelligence for attacks targeting them specifically that no vendor can sell or provide them. Audiences would also learn about method of automatically identifying malicious data submitted to a malware analysis sandbox.

Gita Ziabari (Twitter: @gitaziabari) is working at Fidelis Cybersecurity as a Senior Threat Research Engineer. She has more than 13 years of experience in threat research, networking, testing and building automated frameworks. Her expertise is writing automated tools for data mining. She has unique approaches and techniques in automation.

You're Going to Connect to the Wrong Domain Name.

Sam Erb

Can you tell the difference between gоо and How about and Both domain names are valid and show up in the Certificate Transparency log. This talk will be a fun & frustrating look at typosquatting, bitsquatting and IDN homoglyphs. This talk will cover the basics, show real-world examples and show how to use Certificate Transparency to track down particularly malicious impersonating domain names which have valid X.509 certificates.

Sam Erb (Twitter: @erbbysam) is a software engineer hell-bent on making the internet asafer place. He is a Defcon Black Badge holder (badge challenge with @thecouncilof9, won 2x - DC23, DC24). Outside of Defcon he has co-authored two IETF draft documents.

Read more →