DEF CON 29

The Packet Hacking Village at DEF CON 29 will be both in-person and virtual. Our village hours:

  • Friday, August 6th:
    • Virtual-only: 09:00 - 13:00
    • Physical-only: 14:00 - 18:00
  • Saturday, August 7th:
    • Virtual-only: 09:00 - 13:00
    • Physical-only: 14:00 - 18:00
  • Sunday, August 8th: TBD

All times are in PDT. Schedules are subject to change.

Events and Contests

Packet Inspector

The perfect introduction to network analysis, sniffing, and forensics. Do you want to understand the techniques people use to tap into a network, steal passwords and listen to conversations? Packet Inspector is the place to develop these skills! For well over a decade, the Wall of Sheep has shown people how important it is to use end-to-end encryption to keep sensitive information like passwords private. Using a license of the world famous Capture The Packet engine from Aries Security, we have created a unique way to teach hands-on skills in a controlled real-time environment.

Packet Detective

Looking to upgrade your skills or see how you would fare in Capture The Packet? Come check out what Packet Detective has to offer! A step up in difficulty from Packet Inspector, Packet Detective will put your network hunting abilities to the test with real-world scenarios at the intermediate level. Take the next step in your journey towards network mastery in a friendly environment still focused on learning and take another step closer to preparing yourself for the competitive environment of Capture The Packet.

Capture The Packet

Come compete in the world's most challenging cyber defense competition based on the Aries Security Cyber Range. Tear through the challenges, traverse a hostile enterprise class network, and diligently analyze what is found in order to make it out unscathed. Not only glory, but prizes await those that emerge victorious from this upgraded labyrinth, so only the best prepared and battle hardened will escape the crucible.

Workshops Schedule

Friday, August 6, 2021 (all times PDT [GMT-7])
09:00 - 11:00 Web App Penetration Testing Workshop
Dr. Sunny Wear
12:00 - 14:00 Hunting Evil with Wireshark
Michael Wylie
Saturday, August 7, 2021
09:00 - 11:00 APT Hunting with Splunk
John Stoner
12:00 - 14:00 Security Investigations with Splunk
Robert Wagner
Sunday, August 8, 2021
09:00 - 11:00 Intrusion Analysis and Threat Hunting with Suricata
Josh Stroschein, Peter Manev
12:00 - 14:00 Hands-On TCP Deep Dive with Wireshark
Chris Greer

Workshops Abstracts and Bios

Web App Penetration Testing Workshop

Dr. Sunny Wear, Web Security Architect and Penetration Tester

Gain hands-on experience learning how to perform web application penetration testing in this two-hour workshop with the author of the Burp Suite Cookbook, Dr. Sunny Wear. Students will learn Injections attacks such as Cross-site Scripting and SQL Injection attacks, brute-forcing tactics, and optimization techniques for Burp Suite including configurations and macros.

Dr. Sunny Wear (Twitter: @SunnyWear) is a Web Security Architect and Penetration Tester. She provides secure coding classes, creates software, and performs penetration testing against web/API and mobile applications. Sunny has more than 25 years of hands-on software programming, architecture and security experience and holds a Doctor of Science in Cybersecurity. She is a published author, "Burp Suite Cookbook", a developer of mobile apps, such as the “Burp Tool Buddy,” and is a Pluralsight content creator, "Burp Suite for Beginners/Advanced/Writing Plugins". She regularly speaks and holds classes at security conferences such as Defcon, Hackfest, and BSides.

Hunting Evil with Wireshark

Michael Wylie, MBA, CISSP, Sr. Manager, Threat Hunting

This workshop will take attendees’ Wireshark skills to the next level with a heavy emphasis on incident response, threat hunting, and identifying anomalous network traffic. This workshop will begin with a brief introduction to Wireshark and other Network Security Monitoring (NSM) tools/concepts. Throughout the workshop, we’ll examine what different attacks and malware look like while using Wireshark. Attendees will then have hands-on time in the lab to search for Indicators of Compromise (IOCs) and TTPs utilizing staged packet capture files. Labs start out easy and quickly progress in difficulty. There will be plenty of take-home labs for additional practice.

Michael Wylie, MBA, CISSP (Twitter: @TheMikeWylie) is the Sr. Manager of a threat hunting team. In his role, Michael is responsible for managing a global team of analysts hunting for hands-on keyboards activity within customer environments. Michael has developed and taught numerous courses for the U.S. Department of Defense, DEFCON, Universities, and for clients around the world. Michael is the winner of numerous SANS challenge coins and holds the following credentials: CISSP, CCNA R&S, CCNA CyberOps, GMON, GPEN, GCFE, TPN, CEH, CEI, VCP-DCV, CHPA, PenTest+, Project+, and more.

APT Hunting with Splunk

John Stoner, Principal Security Strategist at Splunk

Interested in practicing your hunting skills? If so, this is the workshop for you. Using a real-worldish dataset, this workshop will teach you how to hunt the “fictional” APT group Violent Memmes. We discuss the Diamond model, building hypotheses, LM Kill Chain, and MITRE ATT&CK and how these concepts can frame your hunting. Using Splunk, we will hunt for APT activity riddling a small startup's environment. During the event, we will be presented with a "notable event" and pull on that string to conduct our own hunts based on indicators that we uncover or are identified. Depending on the hunt, we will uncover persistence, exfiltration, c2 and other adversary tactics. We may even find some PowerShell scripts. We will regroup and review the specific hunt conducted and discuss the timeline of events, a narrative that could be shared with others on your team, the artifacts that were uncovered to better identify potential future hunts, ATT&CK techniques referenced as well as what could be operationalized. At the end, we will highlight some additional datasets and content that you can take with you and try newly learned techniques yourself.

John Stoner (Twitter: @stonerpsu) is a Principal Security Strategist at Splunk where he enjoys writing, problem solving and building stuff, including APT Scenarios. When not doing cyber things, you can find him watching his boys play hockey, reading or binge-watching TV series that everyone else has already seen.

Security Investigations with Splunk

Robert Wagner, Splunk and Co-Founder of Hak4Kidz

Investigating with Splunk is a hands-on workshop designed to familiarize participants with how to investigate incidents using Splunk and open source. This workshop provides users a way to gain experience searching in Splunk to answer specific questions related to an investigation. These questions are similar to what would be asked in their own organizations. The workshop leverages the popular Boss of the SOC (BOTS) dataset in a question-and-answer format. Users will leave with a better understanding of how Splunk can be used to investigate in their enterprise. The class includes access to download the free “Investigating with Splunk” app that can be used to review the exercises after the class.

Robert Wagner (Twitter: @mr_minion) is a security professional with 15+ years of InfoSec experience. He is a co-founder of the “Hak4Kidz” charity, a co-organizer of BurbSec and BurbSecCon in Chicago, and is on the Board of Directors of the ISSA Chicago Chapter.

Intrusion Analysis and Threat Hunting with Suricata

Josh Stroschein, Director of IT Training at Open Information Security Foundation (OISF)
Peter Manev, CSO of Stamus Networks

In today’s threat landscape, sophisticated adversaries have routinely demonstrated the ability to compromise enterprise networks and remain hidden for extended periods of time. In Intrusion Analysis and Threat Hunting with open-source Tools, you will learn how to dig deep into network traffic to identify key evidence that a compromise has occurred, learn how to deal with new forms of attack, and develop the skills necessary to proactively search for evidence of new breaches. We will explore key phases of adversary tactics and techniques - from delivery mechanisms to post-infection traffic to get hands-on analysis experience. Open-source tools such as Suricata and Moloch will be utilized to generate data, perform exhaustive traffic analysis, and develop comprehensive threat hunting strategies. By the end of this workshop, you will have the knowledge and skills necessary to discover new threats in your network.

Josh Stroschein (Twitter: @jstrosch) is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is the Director of Training for OISF, where he leads all training activity for the foundation and is also responsible for academic outreach and developing research initiatives. Josh is also an Associate Professor of Cyber Security at Dakota State University where he teaches malware analysis and reverse engineering, an author on Pluralsight, and a threat researcher for Bromium.

Peter Manev (Twitter: @pevma) is a co-founder of Stamus Networks, where he acts as CSO. He has been an active OISF member for a decade and has a 15 year-long record of activity in the field of IT security. An adamant admirer and explorer of innovative open-source security software, Peter is also the lead developer of SELKS.

Hands-On TCP Deep Dive with Wireshark

Chris Greer, Network Analyst and Wireshark Instructor at Packet Pioneer

A solid understanding of how TCP works is critical for anyone interested in cybersecurity. Almost all enumeration, incident response, and traffic forensics require the analyst to dig into and interpret TCP flows. In this video we will take a look at how TCP is used to investigate and establish connections, how data is transmitted and acknowledged, how connections are torn down, and what problem indicators should catch our eye in Wireshark. This video welcomes all cybersecurity and Wireshark experience levels.

Chris Greer is a network analyst and Wireshark instructor for Packet Pioneer, a Wireshark University partner. He has focused much of his career at the transport layer, specifically TCP, specializing in how this core protocol works to deliver applications, services, and attacks between systems. Chris is a regular speaker at Sharkfest - the Wireshark Developer and User Conference, as well as an author for Pluralsight.

Talks Schedule

Talks will be streamed on YouTube, Twitch, Facebook, and Periscope.

Talks Abstracts and Bios

*nix Processes. Starting, Stopping, and Everything In Between

Nick Roy

Core Topic: Operating Systems: *nix

Recording discusses Linux and Unix processes, starting with a high level overview of what a process is and what the key components are. We then take a look at how the operating system manages multiple processes, what are the main components of a running process, and finally some common syscalls used in Linux when creating processes. Finally, we look at a few code samples to show how these calls are used with a simple shell. All code can be found here to compliment the video: https://github.com/superducktoes/syscall_processes

Nick Roy (Twitter: @superducktoes) currently works for a global security vendor creating training content and researching new attacker patterns and techniques. Previously he worked at an automation platform startup teaching people about the joys and benefits of automation. While not working he lives in Boston with his wife and two cats hunting out the best dive bars in Boston and solving math problems on college chalkboards overnight.

Internet Protocol (IP)

Roy Feng

Core Topic: Core Networking

The Internet Protocol is one of the foundational protocols of the Internet, and is what keeps devices connected. This video talks about the fundamentals of the Internet Protocol.

Roy Feng (Twitter: @LPF613) is a networking and cybersecurity enthusiast. He has six years of experience working as a network engineer and one year working in threat intelligence. His latest role is at a managed security service provider, where he leads a team of incident responders and threat hunters to help investigate and respond to incidents as well as hunt for threats in customer environments. In his spare time, Roy can be seen building and maintaining his home lab, and learning about and tinkering with the latest and greatest technologies.

Linux Binary Analysis w/ Strace

Jared Stroud, Lacework

Core Topic: File Analysis

The strace utility allows for deep insight into what an application is doing on a nix host. While the amount of data produced can be overwhelming, in this video I'll demonstrate how to filter, log and obtain relevant information for a wide variety of use cases around file analysis. From diagnosing a bisheaving application, to revealing a malware's secrets. This video will give a practical introduction in using strace to spy on *nix applications at the syscall level.

Jared Stroud (Twitter: @DLL_Cool_J) is a Cloud Security Researcher at Lacework where he focuses on emerging Linux and Cloud platform threats. Previously, he worked at The MITRE Corporation where he contributed Unix and Windows tooling for the ATT&CK Fin7/CARBANAK Evaluation and the Open Source adversary emulation utility CALDERA.

MITRE Engage: A Framework for Adversary Engagement Operations

Stan Bar, Capability Area Lead, Cyber Denial, Deception, and Adversary Engagement, The MITRE Corporation
Gabby Raymond, Co-Capability Area Lead, Cyber Denial, Deception, and Adversary Engagement, The MITRE Corporation
Maretta Morovitz, Senior Cyber Security Engineer, The MITRE Corporation

Core Topic: File/Network Monitoring

For 10+ years MITRE has been engaged in denial, deception, and adversary engagement operations for internal defense and research purposes. We have created MITRE Engage as a framework for planning and communicating about adversary engagement operations. In our talk we include:

  • A brief overview of what we mean when we say denial, deception, and adversary engagement
  • Our vision for the future and why we think this technology matters
  • A brief history of our past experiences (and failures) in this space and how that shaped where we are today
  • The official release of MITRE Engage 0.9 Beta and ask for community feedback
  • A fictional walkthrough of how you can use Engage to get started in adversary engagement operations

Dr. Stanley Barr is a three-time graduate of University of Massachusetts Lowell. He has a BS in Information Sciences, an MS in Mathematics, and a PhD in Computer Science. He has coauthored papers in malware analysis, barrier coverage problems, expert systems for network security, and robotic manufacturing. He has spoken at MILCOM and been a panelist for several conferences. Additionally, he has appeared on several podcasts on adversary engagement and presented at TEDx. Currently, he is a Principal Scientist at The MITRE Corporation. He currently is the Capability Area Leader for Cyber Denial, Deception, and Adversary Engagement. Stan lives with his wife, 5 rescue dogs, and 15 chickens.

Gabby Raymond is a two-time graduate from Tufts University. She holds a B.S. in Mathematics and Computer Science and a M.S. in Computer Science. Her research has spanned topics in intrusion detection, cyber-physical systems, and machine learning applications for security. Gabby recently co-authored a Choose Your Own Adventure style book called "The Toolbox of Innovation" with members of MITRE's Innovation Toolkit team. Outside of work, Gabby enjoys knitting and judging science fairs. Gabby is the Co-Capability Area Lead for Cyber Deception and Adversary Engagement at The MITRE Corporation.

Maretta Morovitz is a graduate of Tufts University School of Engineering, where she graduated with a degree in Computer Science. She is a Senior Cyber Security Engineer at the MITRE Corporation where she works in the areas of adversary engagement, malware analysis, and reverse engineering. She is a founding member of MITRE's Cyber Deterrence and Adversary Management (CDAM) team and has helped shape MITRE's adversary engagement work for the last two years. She was recently named as one fo the AFCEA 40 Under 40 Awardees for 2021. Outside of work you can find her nerding out about the latest Brandon Sanderson novel, still anxiously awaiting her letter from Hogwarts, or snuggling with her dog and hedgehog.

RCE via Meow Variant along with an Example 0day

Özkan Mustafa AKKUŞ, Senior Cyber Security Consultant and Vulnerability Researcher at Turk Telekom

Core Topic: Operating Systems: *nix

I will touch Some Alternative Bypass Restriction Techniques. Then I will present a vulnerability of Ericsson Network Location that provides the infrastructure of the research and we are going to touch on the meow variant with details through this vulnerability Towards the end we are going to prepare a Metasploit module and exploit the vulnerability.

Ozkan (Twitter: @ehakkus) is a vulnerability researcher and senior cyber security consultant in Turkey. Ozkan publishes security vulnerabilities on international platforms that he has discovered. He shares his experiences and works on his personal blog (https://www.pentest.com.tr). He gave training and presentations in many universities and institutions in his country. In addition to these studies, He gave the presentation of "The Vulnerability That Gmail Overlooked and Enabling Threat Hunting" in Packet Hacking Village at DEF CON 28 and "0day Hunting and RCE Exploitation in Web Applications" in AppSec Village at DEF CON 27.

Seeing the Forest Through the Trees – Foundations of Event Log Analysis

Jake Williams, CTO of BreachQuest

Core Topic: System Forensics

During an incident, everyone knows you need to review the logs – but what are they actually telling you? There's a wealth of information to be had in your logs event logs, but most analysts miss the forest because they don't understand the trees. In this talk, Jake will walk you through some of the most impactful event logs to focus on in your analysis. We'll target some old favorites covering login events, service creation, and process execution. We'll also examine task scheduler logs, useful in uncovering lateral movement and privilege escalation. Finally, we'll discuss some of the new event logs available in Windows 10 (if only you enable them first). If you don't want to be barking up the wrong tree during your next insider investigation or getting axed because you failed to identify the lateral movement attempts, make sure to watch this video.

Jake Williams (Twitter: @malwarejake) is an incident responder, red teamer, occasional vCISO, and prolific infosec shitposter. He has traveled the world, but isn't welcome in China or Russia (and avoids most countries they have extradition treaties with). When not speaking at a conference like this one, it's a good bet that Jake is engaged in hand to hand combat with an adversary rooted deep in a network or engineering ways to keep them out. Jake's career in infosec started in the intelligence community, but has taken around the world securing networks of all shapes and sizes, from utilities to hospitals to manufacturing plants.

Seeing Through The Windows: Centralizing Windows Logs For Greater Visibility

Matthew Gracie, Senior Engineer at Security Onion Solutions

Core Topic: Operating Systems: Windows

This talk is a brief summary of how to collect and centralize Windows Event Logs for analysis and free tools that can be used to do so. There is also a demonstration of how to use Elastic Stack to investigate an incident using these collected logs.

Matthew Gracie (Twitter: @InfosecGoon) has over a decade of experience in information security, working to defend networks in higher education, manufacturing, and financial services. He is currently a Senior Engineer at Security Onion Solutions and the founder of the Infosec 716 monthly meetup. Matt enjoys good beer, mountain bikes, Debian-based Linux distributions, and college hockey.

The War for Control of DNS Encryption

Dr. Paul Vixie, Chairman and CEO and Cofounder of Farsight Security, Inc.

Core Topic: Core Networking

Pervasive monitoring of the Internet by both government, corporate, and criminal actors has triggered an encryption wavefront as wide as the Internet itself. DNS, as the map of the Internet's territory, is seen as especially sensitive and there are now several competing encryption standards waiting to be deployed. In this short talk, Dr. Vixie will explain the original problem, describe the protocol-level solutions, and then show how vendors like Google, Mozilla Corporation, Microsoft, and Apple are deploying these technologies across their product lines. Opinions may also be offered.

Dr. Paul Vixie (Twitter: @PaulVixie) is an Internet pioneer. Currently, he is the Chairman, Chief Executive Officer and Cofounder of Farsight Security, Inc. He was inducted into the Internet Hall of Fame in 2014 for work related to DNS and DNSSEC. Dr. Vixie is a prolific author of open-source Internet software including BIND, and of many Internet standards documents concerning DNS and DNSSEC. In addition, he founded the first anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). He earned his Ph.D. from Keio University.