DCG 201
117 min readAug 12, 2022

Welcome to the DCG 201 guide to Hacker Double Summer! This is part of a series where we are going to cover all the various hacker conventions and shenanigans at the start of July to the end of August both In Person & Digital! 2022 is a GIGANTIC year for hacker hysteria with so many events this will break the most guides we have ever written with the lucky number 13 as the goal. As more blog posts are uploaded, you will be able to jump through the guide via these links:

HACKER DOUBLE SUMMER — Part One: Surviving Las Vegas, New York & Virtually Anywhere

HACKER DOUBLE SUMMER — Part Two: Capture The Flags & MLH INIT Hackathon

HACKER DOUBLE SUMMER — Part Three: SummerC0n




HACKER DOUBLE SUMMER — Part Seven: Back2Vegas by RingZero

HACKER DOUBLE SUMMER — Part Eight: BSides Las Vegas


HACKER DOUBLE SUMMER — Part Ten: The Diana Initiative



HACKER DOUBLE SUMMER — Part Thirteen: Wiki World’s Fair

HACKER DOUBLE SUMMER — Part Fourteen: Blue Team Con



Date: Thursday August 11th (12:30 PM EST) — Sunday, August 14th (8:00 PM EST)

Website: https://defcon.org/html/defcon-30/dc-30-index.html

Badge Firmware & Updates: https://defcon.org/signal/index.html

On-Site WiFi Registration: https://wifireg.defcon.org/

Location: Caesars Forum (3911 S Koval Ln, Las Vegas, NV 89109), Flamingo (3555 S Las Vegas Blvd, Las Vegas, NV 89109) Harrah’s Las Vegas (3475 S Las Vegas Blvd, Las Vegas, NV 89109), The LINQ Hotel (3535 S Las Vegas Blvd, Las Vegas, NV 89109)

Platform(s): Discord via Twitch TV, YouTube using Restream.io in addition to DEF CON FORUMS

Android App: https://play.google.com/store/apps/details?id=com.shortstack.hackertracker&hl=en

iOS App: https://itunes.apple.com/us/app/hackertracker/id1021141595

Schedule: https://defcon.org/html/defcon-30/dc-30-schedule.html

Live Streams:

YouTube: https://www.youtube.com/user/BlackHatOfficialYT

Twitch: https://www.twitch.tv/defconorg


Discord: http://discord.gg/defcon

Forums: https://forum.defcon.org/node/231980

Accessibility: The price to attend DEF CON in-person will be $360 USD. You may not attend in-person without purchasing a badge. Attending virtual on our Discord will be free, and those with Human+ will have more permissions and access.

You can support DEF CON and upgrade your account by purchasing the Human Plus role.

Tickets (In Person): https://shop.defcon.org/

Code Of Conduct: https://defcon.org/html/links/dc-code-of-conduct.html

DEFCON was started in 1993 by Dark Tangent (Jeff Moss) as a going away party for a friend who never showed. It has since grown to one of the biggest hacker security conventions around the world with over 20,000 attendees yearly.

DEF CON 30 will be a hybrid event this year, we will give hackers a choice in how they wish to experience DEF CON. We will host both an in-person experience in Las Vegas and a virtual con on our official Discord just as we did for DEF CON Safe Mode in 2020.

Either Virtual or In-Person, DEF CON 30 is still what DCG 201 classifies it as a “Mega Convention” aka a convention with smaller mid-sized conventions nested in it. You will be covering a wide area with a diverse mob of people with ten million activities going on all at once. It’s important to plan out your day, take your time and remember that it’s physically impossible to see and do everything in one con year never mind in one day. For those attending Virtually be thankful that unlike the previous this year you can see most of DEF CON 30 at mostly your leisure since most of the content will be pre-recorded and archived.

The convention this year is so massive we plan on listing all the important things to note, not exactly everything that is there. We highly suggest looking at their website and clicking around to give you a sense on what you would like to see.

A major thing this year is that it is DEF CON’s 30th Anniversary this year, meaning at this age it’s now switching carrier paths and is on antidepressants. Multiple activities and ceremonies will be planned to commemorate this occasion!


Caesars Floor Plan:

Flamingo Floor Plan:

Harrah’s Floor Plan

LINQ Floor Plan:


Thanks to @A_P_Delchi and Hackers with Disabilities for creating this helpful accessibility guide to DEF CON 30!


Hackers with disabilities (HDA) was assembled to provide resources, maps, guides and assistance to people attending DEFCON who need assistance due to disabilities. We acknowledge that not all disabilities are visible and that we are providing this information for all attendees & stand ready to assist anyone with ADA needs to the best of our ability and within the operational scope of DEFCON. If at any time you have questions or would like to suggest things that we should be doing please see the DEFCON forums page dedicated to HDA: https://forum.defcon.org/node/242953

While our goal is to make DEFCON more accessible to people with disabilities, we are limited in what we can do and provide this information and any assistance we can on a best effort basis.

Due to the complications involved in working with multiple hotels, federal, state, and local regulations, the requirements of operating a public gathering during a global pandemic we cannot promise nor provide accommodations for all people in all situations. Please understand that under no circumstances are we singling out, mocking, or intending to make anyone feel out of place. We want individuals with disabilities to be an active and contributing part of the DEFCON culture. If we must set a blanket rule or cannot provide specific items or services at scale, please understand the limitation is based on resources, legal implications, and restrictions put upon a large-scale social gathering and not from a place of discrimination.

Despite what our badges say at the end of the day we are all HUMAN. We strive to improve with your input and active involvement with the community to bring you the best conference that we can.

FULL GUIDE: https://forum.defcon.org/filedata/fetch?id=242954


What you need to access DEF CON 30:


You will need a Discord account to participate in the social aspects of DEF CON 30. You can find detailed instructions on getting on the DEF CON Discord server here. There is a FAQ for Humans on Discord as well.

Join with the DEF CON Discord Server signup link: https://discord.gg/defcon


You will need to get on the DEF CON Twitch for live streamed talk Q&A sessions, evening fireside talks and evening contests. Not to mention the live entertainment!

YouTube/DEF CON Media Server

The Talks for DEF CON will be released daily on the DEF CON YouTube channel so you might want to susbscribe! They will also be released in torrents on https://media.defcon.org

Accessing Talks

How to Access DEF CON 30Mode Talks and Q&A Sessions

DEF CON official presentations have been pre-recorded, and pre-released online individually and as a torrent on media.defcon.org and on our official YouTube channel.

The dates and times on the Speaker Page and Schedule Page are special live streamed Q&A sessions for each talk, as well as additional fireside lounges and panels. These sessions will be streamed on Twitch at https://www.twitch.tv/defconorg.

All discussions and attendee to speaker participation will be on the DEF CON Discord Server at: https://discord.com/channels/708208267699945503/733079621402099732

Main Tracks

DEF CON official presentations will be a mix of LIVE In-Person & pre-recorded. We will try to make note to the best of our ability which talks will be In-Person & Virtual.

Also watch the talks released later in the month on YouTube: https://www.youtube.com/user/DEFCONConference

Track 1 Talks Chat

Virtual Sessions will be streamed here

Speaker Q&A Live Chat — Ask a question

Fireside Lounge Panels

War Story Bunker & No Tech Talks


Master Channel (All Channels In One): https://multitwitch.tv/defconorg/defcon_dctv_one/defcon_dctv_four/defcon_music/defcon_chill/aivillage/biohackingvillage/blueteamvillage/bypassvillage/cryptovillage/dcpolicy/hackthesea/dchhv/hamradiovillage/ics_village/iotvillage/monerovillage/passwordvillage/paymentvillage/redteamvillage/roguesvillage/toool_us/votingvillagedc

DEF CON Streams

DEF CON org Twitch Stream // Schedule
Hacker Jeopardy Twitch Stream
DEF CON Music Twitch Stream
DEF CON Youtube Streams
DEF CON Chill Twitch Stream

DEF CON Village Streams

Blue Team Village Twitch Stream // Youtube Stream
Red Team Village Twitch Stream // Youtube Stream
Aerospace Village Twitch Stream // Youtube Stream
BiohackingVillage Twitch Stream // Youtube Stream
Career Hacking Village Twitch Stream // Youtube Stream
Hack The Sea Twitch Stream // Youtube Stream
Car Hacking Village (Track1) Twitch Stream // Youtube Stream
Car Hacking Village (Track2) Twitch Stream // Youtube Stream
Car Hacking Village (CHV 101) Twitch Stream // Youtube Stream
CryptoVillage Twitch Stream // Youtube Stream
Ethics Village Twitch Stream // Youtube Stream
Wall of Sheep/Packet Hacking Village Twitch Steam // Youtube Stream
Recon Village Twitch Stream // Youtube Stream
Cloud Hacking Village Youtube Stream
Ham Radio Village Twitch Stream
ICS Village Twitch Stream
IoT Village Twitch Stream
ByPass Village Twitch Stream
Toool US/Lockpick Village Twitch Stream
Monero Village Twitch Stream
Payments Village Twitch Stream
Password Village Twitch Stream
AppSec Village Youtube Stream
cpxSatAmericas Twitch Stream
Voting Village Twitch Stream
Hardware Hacking Village Twitch Stream
Rogues Village Twitch Stream
AI Village Twitch Stream

Other Streams Related

Second Order Chaos Twitch Stream
Hacker Gameshow Twitch Stream
The Many Hats Club Twitch Stream
ZephrPhish Twitch Stream

(Thanks To AngusRed!)


The core and heart of the convention are the “Villages”. These are spaces inside of DEFCON that act as their own miniature convention, including talks, contests, badges and swag. Many of them focus around a particular special interest. Here is a master list of almost every village at the convention plus a special highlight of one talk or activity they will have there.



Girls Hack Village is a conference village imagined for DefCon 30. Girls Hack Village seeks to bring gender diverse perspectives of the contributions, perspectives, and issues facing women/girl hackers. It is a space to discuss issues affecting girls in cybersecurity and will include Talks, Workshops, Discussions, and Panels.

Our village is designed to highlight the contributions and experiences of girls in cybersecurity. Women are underrepresented in cybersecurity and our goal is to highlight the female experience in Cybersecurity. Women are traditionally underrepresented at many cybersecurity conferences and girls hack village will give attendees the opportunity to learn about cybersecurity and hacking in a gender-friendly place.

GirlsHackVillage seeks to highlight the female experience as researchers, hackers, engineers, and pentesters within the cybersecurity industry. Our village highlights how the lack of gender equality in the field affects the culture and the experience of women in the industry. We will highlight the contributions of girls/women in the field and discuss how they’ve shaped and contributed to the cyber community.

Website: https://www.blackgirlshack.org/girlshackvillage

Twitter: https://twitter.com/girlshackvllg

Instagram: https://www.instagram.com/blackgirlshack

MisInformation Village

The Misinformation Village features lightning talks, workshops and fireside chats from a diverse list of speakers, first-time DEFCON attendees and returning champions. We seek to define, identify, understand, address, and combat misinformation, as well as strengthen online content credibility and information quality. The talk sessions present a comprehensive overview of misinformation tactics, current campaigns, potential methods for defence and inoculation, and discussions of current and future campaigns.

Website: https://defcon.misinfocon.com/

Twitter: https://twitter.com/MisinfoVillage

Policy Village

Friday, Roundtable Room (1200–2200)
1000 — Closed for Main Stage Talk
1200 — Hacking Law is for Hackers: how recent changes to CFAA, DMCA, and global policies affect security
1400 — Emerging Cyber Policy Topics
1600 — Moving Regulation Upstream: An increasing focus on the role of digital service providers
1800 — Chaotic Gavel Battles (micro-debates on policy topics)
1900 — Meet the Feds: CISA Edition (Lounge)
2000 — Meet the Feds: DHS Edition (Lounge)
2200 — Close

Friday, Collaboratorium Room (1200–2200)
1000 — Closed for Main Stage Talk
1200 — Red Teaming the Open Source Software Supply Chain
1400 — Meet the Feds: ONCD Edition
1600 — Election Security Bridge Building
1800 — Chaotic Gavel Battles (micro-debates on policy topics)
1900 — Fireside Lounge, Leonard Bailey, runs to 2030
2030 — Fireside Lounge, Gaurav Keerthi, runs to 2200
2200 — Close

Saturday, Roundtable Room (1000–2200)
1000 — Imagining a Cyber Policy Crisis: Storytelling and simulation for real-world risks
1200 — Addressing the Gap in Assessing the Harm of Cyberattacks
1400 — Return-Oriented Policy Making for Open Source Software Security
1600 — Right Hand, Meet Left Hand: The Cybersecurity Implications of Non-Cybersecurity Internet Regulation
1700 — Thinking About Election Security: Annual Debrief
1800 — Chaotic Gavel Battles (micro-debates on policy topics)
1900 — D0 N0 H4RM: A Healthcare Security Conversation (Lounge)
2200 — Close

Saturday, Collaboratorium Room (1000–2200)
1000 — Hacking Operational Collaboration
1200 — TSA Cybersecurity Policy Discussion
1400 — Confronting Reality in Cyberspace: Foreign policy for a fragmented internet
1600 — International Government Action Against Ransomware
1800 — Chaotic Gavel Battles (micro-debates on policy topics)
1900 — Fireside Lounge, DDoSecrets (Emma Best, Xan North), runs to 2030
2030 — Fireside Lounge, Chris Painter, runs to 2200
2200 — Close

Sunday, Roundtable Room (1000–1500)
1000 — Better Policies for Better Lives: Hacker input to international policy challenges
1200 — Protect Our Pentest Tools! Perks and hurdles in distributing red team tools
1400 — The Exploding Wireless Attack Surface: Policy considerations for a rapidly changing electromagnetic spectrum environment
1500 — Close

Sunday, Collaboratorium Room (1000–1500)
1000 — Improving International Vulnerability Disclosure: Why the U.S. and allies have to get serious
1200 — Offensive Cyber Capabilities Roundtable
1400 — ONCD Cyber Strategy Workshop
1500 — Close

Quantum Village

Have you heard about ‘Q-Day’? Or perhap had someone tell you that ‘Quantum is coming!’ — well, they were right! Quantum Village is here! QV is a place to Engage, Explore, Discover, and Discuss ‘Quantum Information Science & Technology’ (QIST) from the hacker’s point of view. Free from ‘quantum woo’ and sales pitches we have activities, talks, seminars, badges, stickers, and more for people to learn about this new and fast growing part of tech. From talks for experts to workshops for the newbie, if you want to get quantum aware we have something for you!

Come engage, explore, and discuss the future quantum technologies!

Twitter: https://twitter.com/quantum_village

Discord: https://discord.gg/6WUjH5cBXu

LinkedIn: https://www.linkedin.com/company/80555110/

Retail Hacking Village

Have you ever wondered about the inner workings of point of sale systems, remote pricing handsets, and wireless wheel locking systems?

Then the Retail Hacking Village is for you!

Here you can test and hack various retail devices — all in the name of security research.

Website: https://retailhacking.store/

Twitter: https://twitter.com/RetailHacking

Discord: https://discord.gg/DxG4Uj7WZV

Social Engineering Community Village

The Social Engineering Community is formed by a group of individuals who have a passion to enable people of all ages and backgrounds interested in Social Engineering with a venue to learn, discuss, and practice this craft. We plan to use this opportunity at DEF CON to present a community space that offers those elements through panels, presentations, research opportunities, and contests in order to act as a catalyst to foster discussion, advance the craft and create a space for individuals to expand their network.

Website: https://www.se.community/

Schedule: https://www.se.community/village-schedule/

Twitter: https://twitter.com/sec_defcon

Adversary Village

Adversary Village is a community torqued combat readiness platform which purely focuses on adversary tactics, adversary simulation/emulation, threat/APT/Ransomware emulation, breach and attack simulation, supply chain security, adversary life, adversary mindset, philosophy, urban survival skills and purple teaming.

Discussion Forum: https://forum.defcon.org/node/239787

Village Schedule: https://adversaryvillage.org/adversary-events/DEFCON-30/

More Info:





Aerospace Village

DEF CON 30 Aerospace Village is a researcher led, non-profit whose mission is to build a diverse community focused on the security of everything from airports, air traffic management, aircraft and space.

Discussion Forum: https://forum.defcon.org/node/240500

Village Schedule: https://aerospacevillage.org/events/upcoming-events/def-con-30/def-con-30-schedule/

More Info:

AI Village

Artificial Learning techniques are becoming more prevalent in core security technologies like malware detection and network traffic analysis. Its use has opened up new vectors for attacks against non-traditional targets, such as deep learning based image recognition systems used in self driving cars. There are unique challenges in defending and attacking these machine learning systems that the security community needs to be made aware of. This AI Village will introduce DEF CON attendees to these systems and the state of the art in defending and attacking them. We will provide a setting to educate DEF CON at large through workshops and a platform for researchers in this area to share the latest research.
Forum Link: https://forum.defcon.org/node/231058

More Info:




Appsec Village

The AppSec Village welcomes all travelers to choose from talks by expert community members, an awesome AppSec-focused (CTF)2, online workshops, and more. Bring your thirst for knowledge and passion for breaking things, and your visit to AppSec Village will be a thrill!

Discussion Forum: https://forum.defcon.org/node/240922

Village Schedule: https://www.appsecvillage.com/events/dc-2022

More Info:

BioHacking Village (VIRTUAL)

Borne in 2014, the Biohacking Village started with a small space and a big idea: Bring the forefront of citizen science and biomedical security to the world’s biggest hacker conference. With partners such as the FDA and Mayo Clinic, the Biohacking Village has become a primary conduit for the healthcare community to engage positively and proactively with security researchers.

Device Lab:
A high-collaboration environment to build trust and trustworthiness in healthcare, connecting security researchers, manufacturers, hospitals, and regulators, to learn from each other and develop their skills. Device Lab research benefits patients by providing manufacturers valuable feedback on cyber safety of their devices with high fidelity.

Speaker Lab:
Our speakers hail from varying fields in the biomedical ecosystem to engage security researchers and healthcare stakeholders. We welcome self made entrepreneurs, security researchers, inventors, government regulators makers, innovators to discuss real world solutions to some of humanity’s most pressing challenges and opportunities in the areas of health, security, and technology.

Catalyst Lab:
The Catalyst Lab provides the opportunity to interact with outstanding faculty, thought leaders and cutting edge experts in the biomedical industry who provide up-to-date advice and training in the developing field of translational medicine by fostering leadership, entrepreneurship, and commercialization activities.

Discussion Forum: https://forum.defcon.org/node/239958

More Info:

Blacks In Cybersecurty Village

This village seeks to highlight Black experiences, innovations in the field, Black culture, Black history as well as provide a platform for the discussion of social justice and its impact on the progression and development of Technology.


Forum Link: https://forum.defcon.org/node/239775

Blue Team Village

Blue Team Village is returning for our third DEF CON! Focusing on the defensive side of hacking, we aim to offer our hybrid community the same kind of talks and workshops that you would experience in person, adapted for this year’s remote circumstances. Likewise, we’ll be seeing the return of our popular OpenSOC CTF — the schedule can be found on our website at blueteamvillage.org. Come join us to learn about defensive-side hacking, and join our community of like-minded hackers for fun, learning, and mentorship.

Discussion Forum: https://forum.defcon.org/node/239776

Village Schedule: https://dc30.blueteamvillage.org/call-for-content-2022/schedule/

More Info:

Car Hacking

Learn, hack, play. The Car Hacking Village is an open, collaborative space to hack actual vehicles (this year virtually) that you don’t have to worry about breaking! Don’t have tools? No worries, since our challenges are virtual this year, you will only need a web browser and terminal access to access our challenges. Never connected to a car?

We also have great Car Hacking Village swag!! Head on over to our store and order today!! https://stores.customink.com/carhackingvillage

Discussion Forum: https://forum.defcon.org/node/240928

More Info:



Cloud Village

Cloud village is an open platform for researchers interested in area of cloud security. We plan to organize talks, tool demos, CTF and workshops around Cloud Security and advancements.

Discussion Forum: https://forum.defcon.org/node/239788

Village Schedule: https://cloud-village.org

More Info:

Crypto & Privacy Village

A place for puzzles, privacy, and pseudorandom permutations. We will be streaming talks on a variety of cryptography and privacy topics, as well as hosting our annual Goldbug puzzle. The Gold Bug starts Friday at 10am PT until Sunday 12pm PT

Discussion Forum: https://forum.defcon.org/node/239788

Village Schedule: https://cloud-village.org/#talks

More Info:

Data Duplication Village (IN PERSON)

Check the schedule and/or dcddv.org for up-to-date information.

Ham Radio Village

Ham Radio is all about overcoming obstacles and communicating over long distances without physical contact. That’s why Ham Radio Village is excited to return for a second year as part of DEFCON 29. Join us on the DEF CON discord where we will be giving everyone the opportunity to learn more about ham radio than they do today.

Discussion Forum: https://forum.defcon.org/node/239779

More Info:


A basic bar to working with embedded electronics is learning to properly meld metal, creating both a electrical and physical bond. You can only get so far with a breadboard and wires hanging out everywhere. At some point you will need to take the device out of the lab and introduce it to the rigors of the world. We supply the irons and the skills to help you, whether that is your first time fusing metal or getting those lead wires on a UART breakout. Details @ dcssv.org
Forum Link: https://forum.defcon.org/node/239785

ICS Village

Connecting public, industry, media, policymakers, and others directly with ICS systems and experts.

Hack the Plan[e]t Capture the Flag (CTF) contest will feature Howdy Neighbor and the Industrial Control System (ICS) Range. Building off of last year’s, the CTF will integrate both Internet of Things (IoT) and ICS environments with interactive components for competitors to test their skills and knowledge.
Discussion Forum: https://forum.defcon.org/node/239780

Village Schedule: https://www.icsvillage.com/schedule-def-con-30

More Info:

IOT Village

IoT Village advocates for advancing security in the Internet of Things (IoT) industry through bringing researchers and industry together. IoT Village hosts talks by expert security researchers, interactive hacking labs, live bug hunting in the lastest IoT tech, and competitive IoT hacking contests. Over the years IoT Village has served as a platform to showcase and uncover hundreds of new vulnerabilities, giving attendees the opportunity to learn about the most innovative techniques to both hack and secure IoT. IoT Village is organized by security consulting and research firm, Independent Security Evaluators (ISE), and the non-profit organization, Village Idiot Labs (VIL).

Discussion Forum: https://forum.defcon.org/node/239789

Village Schedule: https://www.iotvillage.org/defcon.html

More Info:

Physical Security Village

Formerly known as the Lock Bypass Village, the Physical Security Village (PSV) is a security awareness initiative that makes appearances at security conferences and other educational functions. You can find some of the content we’ve created below.
Discussion Forum: https://forum.defcon.org/node/240734

More Info:

Lock Picking Village

Want to tinker with locks and tools the likes of which you’ve only seen in movies featuring secret agents, daring heists, or covert entry teams? Then come on by the Lockpick Village, run by The Open Organisation Of Lockpickers, where you will have the opportunity to learn the hands-on how the fundamental hardware of physical security operates and how it can be compromised.

The Lockpick Village is a physical security demonstration and participation area. Visitors can learn about the vulnerabilities of various locking devices, techniques used to exploit these vulnerabilities.

Experts will be on hand to demonstrate and discuss pick tools, and other devices that are generally available. By exploring the faults and flaws in many popular lock designs, you can not only learn about the fun hobby of sportpicking, but also gain a much stronger knowledge about the best methods and practices for protecting your own property.

Discussion Forum: https://forum.defcon.org/node/240931

More Info:

Payment Village

Payment technologies are an integral part of our lives, yet few of us know much about them. Have you ever wanted to learn how payments work? Do you know how criminals bypass security mechanisms on Point of Sales terminals, ATM’s and digital wallets? Come to the Payment Village and learn about the history of payments. We’ll teach you how hackers gain access to banking endpoints, bypass fraud detection mechanisms, and ultimately, grab the money!

Discussion Forum: https://forum.defcon.org/node/240942

Village Schedule: TBA

More Info:

The Password Village

The Password Village provides training, discussion, and hands-on access to hardware and techniques utilized in modern password cracking, with an emphasis on how password cracking relates to your job function and the real world . No laptop? No problem! Feel free to use one of our terminals to access a pre-configured GPGPU environment to run password attacks against simulated real-world passwords. Village staff and expert volunteers will be standing by to assist you with on-the-spot training and introductions to Hashcat, as well as other FOSS cracking applications. Already a password cracking aficionado? Feel free to give a lightning talk, show off your skills, help a n00b learn the basics, or engage in riveting conversation with other password crackers. Regardless of whether you’re just a little hash-curious, a veteran cracker still relying on rainbow tables, a novice desiring to learn more, or an expert eager to share, we guarantee there will be something for everyone at the Password Village!

Discussion Forum: https://forum.defcon.org/node/240939

Village Schedule: https://passwordvillage.org/schedule

More Info:

Packet Hacking Village

The Packet Hacking Village welcomes all DEFCON 29 attendees and we have something for every level of security enthusiast, from beginners to those seeking a black badge. PHV Speakers, Workshops, and Walkthrough Workshops delivers high quality content for all skill levels. Packet Detective and Packet Inspector offers hands-on exercises to help anyone develop or improve their Packet-Fu. WoSDJCo has some of the hottest DJs at con spinning virtual for your enjoyment. And finally… Capture The Packet, the ultimate cyber defense competition that has been honored by DEF CON as a black badge event for nearly a decade.

Discussion Forum: https://forum.defcon.org/node/239781

Village Schedule: https://www.wallofsheep.com/pages/dc30

Recon Village (VIRTUAL)

Recon Village is an Open Space with Talks, Live Demos, Workshops, Discussions, Beginner Sessions, CTFs with a common focus on Reconnaissance. The village is meant for professionals interested in areas of Open Source Intelligence (OSINT), Threat Intelligence, Reconnaissance, and Cyber Situational Awareness, etc. with a common goal of encouraging and spreading awareness around these subjects.

For DEFCON 29 we will be running a bunch of OSINT / RECON talks as well as our RECON CTF.

Website: https://reconvillage.org

Twitter: https://twitter.com/reconvillage

Discussion Forum: https://forum.defcon.org/node/239782

Red Team Village

The DEF CON Red Team Village is a community-driven effort for and by the offensive security community members (red teams and ethical hackers). The goal of the village is to expand the spectrum of red team and offensive security training, as well as to create opportunities for individuals to both, present and learn. The DEF CON Red Team Village community creates different activities including many technical presentations, hands-on workshops, trainings, demos, capture the flag (CTF), games, and other activities from participants.

Discussion Forum: TBA

Village Schedule: https://forum.defcon.org/node/240944

More Info:

Rogues Village

Rogues Village is a place to explore alternative approaches to existing security concepts by looking to non-traditional areas of knowledge. Incorporating expertise from the worlds of magic, sleight of hand, con games, and advantage play, this village has a special emphasis on Social Engineering and Physical Security.

Discussion Forum: https://forum.defcon.org/node/239786

More Info:

Voting Machine Hacking Village

The Voting Machine Hacking Village (“Voting Village”) returns for its fourth year at DEF CON! As the only public third-party assessment of voting infrastructure in the world, the Voting Village attracts thousands of white hat hackers, government leaders, and members of the media to partake in the mission of rigorously researching voting systems and raising awareness of voting vulnerabilities.

The Voting Village gives hackers a unique opportunity to directly audit voting machines and other election equipment. With the 2020 elections looming and efforts to combat election vulnerabilities ongoing at the state and federal levels, the educational mission of the Voting Village remains as critical as ever.

Discussion Forum: https://forum.defcon.org/node/239783

Radio Frequency Village

The RF Village (Formally the Wireless Village) is run by the RF Hackers Sanctuary as an environment where people come to learn about the security of radio frequency (RF) transmissions which includes wireless technology, applications of software defined radio (SDR), Bluetooth (BT), Zigbee, WiFi, Z-wave, RFID, and all other protocols within the useable RF spectrum. RF Hackers Sanctuary is supported by a group of experts in the areas of information security as it relates to RF technologies. RF Hackers Sanctuary’s common purpose is to provide an environment in which participants may explore these technologies with a focus on improving their skills through offense and defense. These learning environments are provided in the form of guest speakers, panels, and Wireless Capture the Flag games.

Discussion Forum: https://forum.defcon.org/node/240934

Tamper Evidence Village

Bypassing packages and tamper proof seals and leave no trace, formed by The Dark Tangent himself!

Discussion Forum: https://forum.defcon.org/node/240937



Master List: https://forum.defcon.org/node/239773

Workshops are a great way for instructors from the community to share information with others on a variety of subjects. We will be using EventBrite again to handle pre-registration and are anticipating the same level of response that we have seen in previous years.

To keep everyone safe while participating in workshops, we are making the following changes:

  • Max capacities listed, below, take into account keeping rooms at 80% capacity of the room.
  • More space between attendees while still ensuring there are power strips available.
  • Staggered check-in times in the morning in evening and an hour in-between sessions to reduce the number of people in the hallways at any given time.

Please note that all workshops are going to be in-person only with no parts of it streamed. Out of consideration for others, we ask that you do not pre-register unless you are certain you are able to attend.


Creating and uncovering malicious containers

Saturday from 1400 to 1800
EventBrite Link:

Containers are the future. Like it or not even the most technically conservative industries are shifting to them. What that means for the bad actors is they get access to an excellent delivery mechanism for malware deployment in organizations, offering a wide variety of detection avoidance and persistence mechanisms. Fear not protectors, containers also offer ways to detect these, but can be fraught with challenges. Whether you’re red, blue or just container curious this workshop is for you.

In this workshop, you will get hands-on with containers and kubernetes, — starting with introductory content — learning how they work, where and how to hide or find things, how to identify indicators of compromise, indicators of attack, and how to apply analysis to gain a deeper understanding of container malware and what is going on inside containers.

This workshop will utilize the Google Cloud Platform alongside command line operands and a small amount of open source tooling to learn both offensive and defense techniques on containers. By the end, you’ll have a solid mental model of how containers work, how they are managed and deployed, and be equipped with the ability to analyze container images, identify problems, and identify familiar patterns. Ultimately, these skills will allow you to generate valuable insights for your organization’s defense or aid you in your next attack.

This is a fast-paced course designed to take you deep into the world of containers, making tooling like Kubernetes much more intuitive and easy to understand. Labs will be used to reinforce your learnings, and the course comes with very detailed notes and instructions for setup which you can repeat on your own time. This course will provide references to scripts that make certain tasks easier, but we will be challenging you to learn the process and reasoning behind them rather than relying on automation.

Attendees will be provided with all the lab material used in the course in digital format, including labs, guides and virtual machine setup.

Skill Level: Beginner to Intermediate.
Materials Needed: A Google Cloud free tier account (basically a fresh gmail account), and an internet connected computer. We hope to send out instructions to attendees prior to the class, so they can be ready on the day.

Adrian Wood, aka threlfall, discovered a love for hacking from cracking and modding video games and from the encouragement of online friends. He has worked as a red team consultant for WHITEHACK, a company he founded, and later as a lead engineer for an offensive research team at a US bank, where he was very interested in appsec, container security, CI/CD security and also founded their bug bounty program. He currently works for Dropbox, working on application security. In his free time, he enjoys playing saxophone, working on vintage cars, and fly-fishing.

David Mitchell, aka digish0, started his hacking career as a script kiddie running 7th Sphere in mIRC in high school. Later falling in with some Linux/RedHat nerds at a local 2600 group at college while studying CS, etc. He got into Linux, started an IT career, later rediscovering his hacking script kiddie roots when a local hacker space opened up and shared members with a lockpicking group that worked in infosec as penetration testers, etc where he discovered he could get paid to do the things he liked doing in high school/college. He now works professionally as a red team member and cyber security researcher at a large financial institution. The rest of the time he spends being a dad/husband, trying not to get injured in Muay Thai/BJJ or mountain biking, and listening to either very expensive or very cheap vinyl.

Griffin Francis (@aussinfosec) is a lead information security research consultant at Wells Fargo. Previously having worked at Trustwave in Sydney, Australia. His interests are within Web Application security and Bug Bounty. His research has identified vulnerabilities in companies and organisations including Apple, Microsoft, Mozilla, Oracle, Riot Games & AT&T. When not at the computer, Griffin can be found attending music festivals and traveling.


Max Class Size: 45

CTF 101: Breaking into CTFs

Saturday from 0900 to 1300
EventBrite Link:

Breaking into the capture the flag (CTF) world can be daunting. With much of the world going virtual, many companies, organizations, and individuals are sponsoring capture the flag competitions and people are using these types of events, or various hacking platforms (e.g., Offensive Security’s Proving Grounds or Hack The Box), to learn and practice new skills. Unfortunately, many feel overwhelmed when faced with these challenges or don’t know where to start. This workshop will introduce the basics of CTFs and provide resources, tips, and fundamental skills that can be helpful when getting started.

This workshop will start with an overview of the CTF landscape, why we do them, and what value they have in the scope of the hacking community. This workshop will include various resources, a couple walkthroughs to show how to approach CTFs, and how it may differ from “real world” hacking challenges. Next, a short CTF will be hosted to give attendees hands-on experience solving challenges while being able to ask for help to successfully navigate the challenges. By the end of the workshop, the group will have worked through various types of CTF challenges, and have the confidence to participate in other CTFs hosted throughout the year.

Areas of focus will include:
* Common platforms and formats
* Overview of online resources
* Common tools used in CTFs and hacking challenges
* Basics of web challenges
* Basics of binary exploitation and reversing challenges
* Basics of cryptographic challenges
* Basics of forensic and network traffic challenges
* Some ways of preparing for your next CTF / Hacking challenge

Skill Level: Beginner
Materials Needed: Laptop

Christopher Forte is a security researcher, technology enthusiast, and cybersecurity professional. With experience ranging from software development to physical red teaming, he is passionate about keeping security and various forms of engineering at the center of his focus. Christopher leads his local TOOOL chapter and is a co-founder of DC702.

Robert Fitzpatrick is a military veteran of over 19 years. He began his cyber life leading the Information Assurance office, and quickly moved up to run the Network Operations Center, as well as the Network Test and Evaluation center. He has built multiple operations centers in both homeland and austere locations, purchased satellite infrastructures, and led vulnerability investigations for classified networks. He is also a co-founder of DC702 and enjoys training new students on an eclectic array of subjects surrounding his interests.

Max Class Size: 40

Dig Dug: The Lost Art of Network Tunneling

Saturday from 0900 to 1300
EventBrite Link:

In a world of decreasing privacy, it’s important that users can communicate P2P without any reliance on centralized solutions. But how do computers connect directly to each other without having external IP addresses, using an insecure protocol like UPnP, manually port forwarding, or routing through intermediary services like Signal, Skype, or Telegram? The traditional solution to this problem has been to trust companies and just route our data though their servers. We can totally trust them, right? If the future of secure communication depends on companies to route our traffic, then I would argue that the future of communications is insecure. There must be a better solution more in line with privacy fundamentals.

Reverse Network Tunneling, i.e. UDP Hole Punching, is a powerful technique that makes it possible for computers with internal IP addresses that are inaccessible on the Internet to be able to connect to each other directly, and therefore become accessible. As crazy as this sounds, it’s real and works. This has multiple applications in the real world, such as allowing a pentester to directly connect to a victim that is hidden behind a router. Network tunneling also invalidates the need of centralized services provided by companies that log, surveil and profit from our traffic. Imagine how the future of secure communications would change if all of our online interactions were off-the-grid?

This workshop shows you how to punch holes through external routers to allow computers that were once hidden from the Internet to connect to each other P2P. If you’ve ever wanted to tunnel into private networks and access internal computers, then this workshop is for you. Create a botnet, backdoor, or even the next great privacy app — the sky’s the limit! This is a beginner-level, technical workshop and requires that attendees have some prior experience in at least one programming language, such as Python, JavaScript or C++. Bring your laptop and a strong appetite for pwning network devices.

Skill Level: This is a beginner-level, technical workshop and requires that attendees have some prior experience in at least one programming language, such as Python, JavaScript or C++
Materials Needed: Laptop with Windows, Linux, or OSX. USB flash drive for copying program materials (optional).

Eijah is the founder of Code Siren, LLC and has 20+ years of software development and security experience. He is also the creator of Demonsaw, an encrypted communications platform that allows you to chat, message, and transfer files without fear of data collection or surveillance. Before that Eijah was a Lead Programmer at Rockstar Games where he created games like Grand Theft Auto V and Red Dead Redemption 2. In 2007, Eijah hacked multiple implementations of the Advanced Access Content System (AACS) protocol and released the first Blu-ray device keys under the pseudonym, ATARI Vampire. He has been a faculty member at multiple colleges, has spoken at DEF CON and other security conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.

Cam is a developer and hacker with experience in C++, Java, and Android. He has spent the past 5 years writing software for secure communication platforms including VOIP and messaging services. In his free time, he enjoys Android reverse engineering, studying Mandarin, and writing software for human rights projects.


Max Class Size: 200

Jon Christiansen, Magnus Stubman — Hybrid Phishing Payloads: From Threat-actors to You

Saturday from 1400 to 1800
EventBrite Link:

The hard outer shell of cyber defenses often give way to a soft, gooey and easy-to-exploit centre, but all the lateral movement and escalation techniques in the world, isn’t going to be worth anything if initial access cannot be secured. For threat actors and Red Teamer’s alike, getting over that initial hurdle can be a long, arduous task with little hope of success and phishing in particular is often the bane of any aspiring attacker. Between EDRs, email scanner solutions, payload fingerprinting… what do you do?

This workshop has been developed with the aim of giving participants hands-on experience working with sophisticated payloads and techniques used by nation-state threat actors. Armed with payload automation tools, participants will learn to implement novel bypass techniques to circumvent state of the art anti-malware security products, both network-based and host-based technical controls, and iteratively improve their payloads throughout.

Topics will include:
* Multiple payload formats, the advantages and disadvantages
* Combining phishing techniques
* Automation, obfuscation and creation of payloads for quick turn around
* How to Improve payloads based on information gathered from earlier attacks
* Extracting technical information from threat actor intelligence breakdowns

Skill Level: Intermediate to Advanced
Just the laptop

Jon is the Red Team lead for Mandiant Europe. After spending a decade as a hands-on keyboard Red Teamer and malware dev, he recently took a step back to focus more on capability development and team expansion. He founded the APT66 research project team at Mandiant and currently focuses research interest in the latest bypass techniques, threat actor malware and in finding new ways to jump the IT/OT barrier.

Magnus is part of the European Red Team at Mandiant and the APT66 project. He currently resides within the groups Malware team where he specializes in research and application of offensive techniques in both overt and covert engagements, discovering zero days and custom C2 techniques for the team. His other focuses is on adversarial simulation of FIN & APT groups via enactment of known (and not so known) TTPs, incorporating the known bad into something that can be used as a force of good.


Max Class Size: 50

Introduction to Cryptographic Attacks

Friday from 0900 to 1300
EventBrite Link:

Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world, including CVE-2020–0601. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with Python dependencies and skeleton code included so you can focus on implementing the attack. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap.

Skill Level: Beginner to Intermediate
Materials Needed: A laptop with VMWare or VirtualBox installed and capable of running a VM.

Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh’s crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given workshops at the Boston Application Security Conference, BSidesLV, DEF CON, and the Crypto and Privacy Village.

Max Class Size: 30

House of Heap Exploitation

Thursday from 1400 to 1800
EventBrite Link:

Heap exploitation is an incredibly powerful tool for a hacker. As exploit mitigations have made exploitation more difficult, modern exploit development has moved to the heap. However, heap exploitation is a major wall in the binary exploitation journey because of its complexity. To conquer this difficultly, the workshop tackles the complexity head on by diving into the weeds of the allocator directly, taking on many hands-on exercises/challenges and creating easy to grasp diagrams to understand all of the concepts.

This workshop is for learning heap exploit development in glibc Malloc, which is the default allocator on most Linux distrobutions. With this hands-on introduction into glibc Malloc heap exploitation you will learn how the allocator functions, heap specific vulnerability classes and to pwn with a variety of techniques. To make the material easy to consumable, there are many hands-on exercises, a pre-built virtual machine with everything necessary for binary exploitation and an immense amount of visuals for explaining the material. After taking this course you will understand the internals of the glibc Malloc allocator, be able to uncover heap memory vulnerabilities and pwn the heap with a variety of techniques, with the capability to go further into the art afterwards.

Skill Level: Intermediate. This is not a beginner course; this will not go through the basics of binary exploitation very much.
Materials Needed:
Laptop with enough power for a moderately sized Linux VM
Administrative access to the laptop
8GB RAM minimum
30GB harddrive space
Virtualbox or another virtualization platform installed

Maxwell Dulin (also known as Strikeout) loves hacking all things under the sun. In his day job, he works as a security engineer primarily focused on web applications. But at night, he leaves the tangled web into the open space of radio signals, garage doors, scoreboards, RC cars, and pwn challenges. From the latter, he gained enough expertise to create a heap exploitation course that has been delivered at a number of security conferences, including DEFCON. In his spare time, he has found Linux kernel 0-days, and reverse engineered numerous wireless devices. To summarize, if you put something in front of him, he’ll find a way to break it and make it do what he wants.

Zachary Minneker is a security researcher and security engineer at Security Innovation. His first computer was a PowerPC Macintosh, an ISA which he continues to defend to this day. At Security Innovation, he has performed security assessments on a variety of systems, including robots for kids, audio transcription codecs, and electronic medical systems. He has previous experience administrating electronic medical systems, and deep experience in fuzzing, reverse engineering, and protocol analysis. His research has focused on techniques for in-memory fuzzing, macOS sandbox security, and IPC methods.

Kenzie Dolan (they/she) works for Security Innovation as a Senior Security Engineer focusing on engagements ranging from IoT hacking to kiosk exploitation. Their current research interests include emerging threats against Mobile and IoT devices. They have a degree in Computer and Information Science from University of Oregon. In their free time, Kenzie enjoys composing music, playing video games or hiking in the greater Seattle area.

Raised on a steady diet of video game modding, when Nathan found programming as a teenager, he fit right into it. Legend says he still keeps his coffee (and tear) stained 1980s edition of The C Programming Language by K&R stored in a box somewhere. A few borrowed Kevin Mitnick books later, he had a new interest, and began spending more and more time searching for buffer overflows and SQL injections. Many coffee fueled sleepless nights later, he had earned OSCP, and graduated highschool a few months later. After a few more years of working towards a math degree and trying fervently to teach himself cryptanalysis, he decided to head back to the types of fun hacking problems that were his real first love, and has worked at Security Innovation ever since.

Justin “drtychai” Angra (he/they) is former nuclear physicist and current security researcher. They have spent over a decade working on low-level vulnerability research and exploitation methodologies. Their primarily focusing has been on fuzzing JavaScript compilers, security validation, building weird shit in Rust, and software penetration testing. They’re a member of the OpenToAll and Neg9 CTF teams and enjoys working with spray paint in their free time.

Max Class Size: 100

CICD security: A new eldorado

Friday from 0900 to 1300
EventBrite Link:

CI/CD pipelines are increasingly becoming part of the standard infrastructure within dev teams and with the rise of solutions such as Infrastructure as Code, the sensitivity level of such pipelines is escalating. In case of compromise, it is not just the applications that are at risk but the underlying systems themselves and sometimes the whole information systems.
Attackers are beginning to exploit those weaknesses both for supply chains attacks but also to escalate their privileges within the victim IS.

Welcome to DataLeek company, after several decades of V-cycle development we have now decided to adopt the “agile” methodology. To do so, our IT teams have set up a CI/CD pipeline that rely on the most advanced and state-of-the-art tools available on the market.
However, for some reasons, our CISO seems to doubt the security level of this brand new infrastructure and insist to perform a pentest on it.

Your mission, should you choose to accept it, is to evaluate the security level of this CI/CD pipeline and offer solutions to fix the issues identified.

In this fully hands-on workshop, we’ll guide you through multiple vulnerabilities that we witnessed during numerous penetration tests. You’ll learn how to:

- Get a foothold within a CI/CD pipeline
- Find interesting secrets and other information within code repositories
- How to pivot and exploit weak configuration on the orchestrator
- Compromise building nodes in order to add backdoors to artifacts
- Pivot on cloud infrastructure
- Escape Kubernetes thanks to common misconfiguration
- Perform a privilege escalation in AWS

Hand-on exercises will be performed on our lab environment with a wide variety of tools. For each attack, we will also focus on prevention, mitigation techniques and potential way to detect exploitations.

Skill Level: Beginner to Intermediate
Materials Needed: All attendees will need to bring a laptop capable of running virtual machines (8GB of RAM is a minimum) and an up-to-date RDP client.

Rémi Escourrou (@remiescourrou) is leading the Red Team at Wavestone. Before moving to red team operation and exploiting CI/CD pipeline, he was involved in audits and pentests of large enterprise networks with emphasis on Active Directory. During his research time, he enjoys tackling technical problems to compromise its targets. He’s passionate about the security field and already teaches workshops at BSides Las Vegas, Brucon, BSides Lisbon.

Xavier Gerondeau is an penetration tester in Wavestone. He once performed a tests on a CI/CD pipeline and rocked it. Because of this so-cool-ness, he became a DevOps expert in Wavestone and pwned every CI/CD pipeline he encountered during his missions. He’s so talented that his clients now fear him!

Gauthier Sebaux has been performing penetration tests in Wavestone for years for a large number of clients. His passion for cybersecurity started even before he was already exploiting buffer overflows and participating to CTF competitions when he was in high school. When he is not pentesting, he administrates his personal infrastructure and contributes to open-source projects. It provided him with deep knowledge on Linux environments, Linux container isolation and more recently Kubernetes. He brought back his expertise in his work and specialized in penetration testing of DevOps infrastructure.


Max Class Size: 60


Friday from 1400 to 1800
EventBrite Link:

Blockchain technology has to be one of the biggest technology innovations of the past few years. The top emerging blockchain development trends are crypto coins, NFT, Defi, and even metaverse. Nowadays, Companies are adopting blockchain technology and moving to the decentralized world. Especially smart contract technologies, which open them to a new cyberattack in a new crypto world. While technology evolves cybercriminals evolve along and we constantly hear about the theft of millions of dollars at security breaches in smart contracts everywhere.

In our workshop, we will teach you what is a Blockchain, what is a smart contract and what security vulnerabilities it possesses. Our workshop is intended for beginner to intermediate level hackers who want to learn new blockchain and crypto hacking techniques based on dApps TOP 10 v2022.

In the workshop, we will teach how to find vulnerabilities in blockchain smart contracts according to the latest methods and techniques. We will demonstrate every vulnerability by giving an example on the blockchain and show everything from both attacker and defender perspectives.

Skill Level: Beginner to Intermediate

Materials Needed: Personal Laptop

Roman Zaikin is a Security Expert. His research has revealed significant flaws in popular services, and major vendors (Facebook, WhatsApp, Telegram, eBay, AliExpress, LG, DJI, Microsoft, and more). He has over 10 years of experience in the field of cybersecurity research. He spoke at various leading conferences worldwide and taught more than 1000 students.

Dikla Barda is a Security Expert. Her research has revealed significant flaws in popular services, and major vendors like Facebook, WhatsApp, Telegram, eBay, AliExpress, LG, DJI, Microsoft, TikTok, and more. She has over 15 years of experience in the field of cyber security research. She spoke at various leading conferences worldwide.

Oded Vanunu is the head of product vulnerability research and has more than 20 years of InfoSec experience, A Security Leader & Offensive Security expert.
Leading a vulnerability Research domain from a product design to product release. Issued 5 patents on cyber security defense methods. Published dozens of research papers & product CVEs.

Max Class Size: 200

Securing Smart Contracts

Friday from 1400 to 1800
EventBrite Link:

Learn how blockchains, cryptocurrency, NFTs, and smart contracts work, and their most important security flaws. We will also cover the underlying cryptography: hashes, symmetric encryption, and asymmetric encryption. We will configure wallets, servers, and vulnerable smart contracts, and exploit them.

We will configure systems using Bitcoin, Ethereum, Hyperledger, Multichain, Stellar, and more. We will perform exploits including double-spend, reentrancy, integer underflow, and logic flaws.

No previous experience with coding or blockchains is required.

This workshop is structured as a CTF competition, to make it useful to students at all levels. We will demonstrate the easier challenges from each topic, and detailed step-by-step instructions are available. We will have several instructors available to answer questions and help participants individually. Every participant should learn new, useful techniques.

Skill Level: Beginner

Materials Needed: Any computer with a Web browser. The capacity to run a local virtual machine is helpful but not required.

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000, and is the founder of Infosec Decoded, Inc. He has given talks and hands-on trainings at Black Hat USA, RSA, DEF CON, DEF CON China, HOPE, and many other conferences.
Credentials: PhD, CISSP, DEF CON Black Badge Co-Winner

Elizabeth Biddlecome is a consultant and instructor, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.

Irvin Lemus has been in the industry for 10+ years as an MSP technician, consultant, instructor and coordinator. He is currently the cybersecurity professor at Cabrillo College in Santa Cruz, CA. He also is the Bay Area Cyber Competitions Regional Coordinator as well as the contest creator for SkillsUSA CA and FL. Irvin has spoken at various cybersecurity and educational conferences. Irvin holds a CISSP and a Bachelor’s Degree in Information Security.

Kaitlyn Handelman is a security engineer and consultant, defending high-value networks professionally. She has extensive experience in aerospace, radio, and hardware hacking. Industry credentials: OSCP, OSED

Twitter: https://twitter.com/sambowne

Max Class Size: 120

Automated Debugging Under The Hood

Saturday from 1400 to 1800
EventBrite Link:

How do anti-debug tricks actually work? Is there a way to automate tedious debugging tasks like unpacking malware? Have you ever wondered what is happening under the hood of a debugger?

In this workshop you will build your own programmable Windows debugger from scratch (using Python). Each component in the debugger will be built as a separate module with an accompanying lab used to explain the concepts and Windows internals that support the component. In the final lab you will have the chance to test your new debugger against various malware samples and attempt to automatically unpack them, and extract IOCs.

This workshop is aimed at malware analysts and reverse engineers who are interested in learning more about debuggers and how programmable debuggers can be used to automate some reverse engineering workflows. Students must be able to write basic Python scripts, and have a working knowledge of the Windows OS.

You will be provided with a VirtualMachine to use during the workshop. Please make sure to bring a laptop that meets the following requirements.
- Your laptop must have VirtualBox or VMWare installed and working prior to the start of the course.
- Your laptop must have at least 60GB of disk space free.
- Your laptop must also be able to mount USB storage devices. (Make sure you have the appropriate dongle if you need one.)
- *Important* if you are using an Apple MacBook with an M1 CPU you will be responsible for installing and configuring your own Windows VM prior to the workshop. An Intel Windows 10 VM is preferred, however the labs can still be completed using an ARM Windows 10 VM.

Skill Level: Intermediate — basic Python scripting abilities are required

Materials Needed: Students will be provided with a VirtualMachine to use during the workshop. They will need to bring a laptop that meets the following requirements;
- The laptop must have VirtualBox or VMWare installed and working prior to class.
- The laptop must have at least 60GB of disk space free.
- The laptop must be able to mount USB storage devices (ensure you have the appropriate dongle if you need one).


Sergei is a co-founder of OpenAnalysis Inc. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis, and producing tutorials for the OALABS YouTube channel. With over a decade in the security industry Sergei has extensive experience working at the intersection of incident response and threat intelligence.

Sean is a co-founder of OpenAnalysis Inc. He splits his time between reverse engineering malware and building automation tools for incident response. Sean brings over a decade of experience working in a number of incident response and application security roles with a focus on security testing and threat modelling. In his free time Sean loves fly fishing.


Max Class Size: 50

Network Hacking 101

Thursday from 0900 to 1300
EventBrite Link:

Come learn how to hack networks without needing to piss off your local coffee shop, housemates, or the Feds! Bring your laptop and by the end of this workshop, everyone can walk away having intercepted some packets and popped some reverse shells.

In the workshop you’ll solve a series of challenges, each in a contained virtualized network where it’s just you and your targets. We’ll start with a networking crash course to introduce you to packets and their layers, as well as how to use Wireshark to dig in and explore further. We’ll practice network sniffing and scanning to find your targets, and of course how to execute a man-in-the-middle attack via ARP spoofing to intercept local network traffic. With those techniques, we’ll go through challenges including extracting plaintext passwords, TCP session hijacking, DNS poisoning, and SMTP TLS downgrade. All together, this workshop aims to give you the tools you need to start attacking systems at the network layer.

Skill Level: Beginner

Materials Needed: A laptop with Linux or a Linux VM (MacOS can also work, but have a VM installed as a backup).
These software tools (detailed installation instructions will be provided in the materials ahead of DEFCON):
- OpenVPN: Connect to the challenges you will be hacking
- Wireshark (tcpdump also works): Capture and dissect network traffic
- netcat (nc): Swiss-army-knife of networking
- nmap: Scan and search for vulnerable targets
- bettercap: Man-in-the-middle attack tool and network attack platform
- python3 (optional): Build new attack tools


Victor is a hacker and software engineer from Seattle with a love of network security and cryptography. He most recently worked for a blockchain company designing and building peer-to-peer protocols and systems for non-custodial account recovery. Building and breaking networks was his first love in the world of computers, and he built the Naumachia platform starting in 2017 to bring network hacking to CTFs. With that he has hosted Network Hacking 101 workshops in San Francisco and now in Seattle.

Ben Kurtz is a hacker, a hardware enthusiast, and the host of the Hack the Planet podcast (symbolcrash.com/podcast). After his first talk, at DefCon 13, he ditched development and started a long career in security.
He has been a pentester for IOActive, head of security for an MMO company, and on the internal pentest team for the Xbox One at Microsoft. Along the way, he volunteered on anti-censorship projects, which resulted in his conversion to Golang and the development of the ratnet project (github.com/awgh/ratnet). A few years ago, he co-founded the Binject group to develop core offensive components for Golang-based malware, and Symbol Crash, which focuses on sharing hacker knowledge through trainings for red teams, a free monthly Hardware Hacking workshop in Seattle, and podcasts. He is currently developing a ratnet-based handheld device for mobile encrypted mesh messaging (www.crowdsupply.com/improv-labs/meshinger).

Twitter: https://twitter.com/tracerot and https://twitter.com/symbolcrash1

Max Class Size: 30


Explore the exploit the new haxor tools this year!

Full List: https://forum.defcon.org/node/239774


AADInternals: The Ultimate Azure AD Hacking Toolkit

AADInternals is an open-source hacking toolkit for Azure AD and Microsoft 365, having over 14,000 downloads from the PowerShell gallery. It has over 230 different functions in 15 categories for various purposes. The most famous ones are related to Golden SAML attacks: you can export AD FS token signing certificates remotely, forge SAML tokens, and impersonate users w/ MFA bypass. These techniques have been used in multiple attacks during the last two years, including Solorigate and other NOBELIUM attacks. AADInternals also allows you to harvest credentials, export Azure AD Connect passwords and modify numerous Azure AD / Office 365 settings not otherwise possible. The latest update can extract certificates and impersonate Azure AD joined devices allowing bypassing device based conditional access rules. https://o365blog.com/aadinternals/ https://attack.mitre.org/software/S0677

Dr Nestori Syynimaa is a white hat hacker working as a Senior Principal Security Researcher at Secureworks CTU. He holds Microsoft MVP and MVR awards and has published and maintained AADInternals since 2018.

AWSGoat : A Damn Vulnerable AWS Infrastructure

Jeswin Mathai, Sanjeev Mahunta

Compromising an organization’s cloud infrastructure is like sitting on a gold mine for attackers. And sometimes, a simple misconfiguration or a vulnerability in web applications, is all an attacker needs to compromise the entire infrastructure. Since cloud is relatively new, many developers are not fully aware of the threatscape and they end up deploying a vulnerable cloud infrastructure. When it comes to web application pentesting on traditional infrastructure, deliberately vulnerable applications such as DVWA and bWAPP have helped the infosec community in understanding the popular web attack vectors. However, at this point in time, we do not have a similar framework for the cloud environment. In this talk, we will be introducing AWSGoat, a vulnerable by design infrastructure on AWS featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfiguration based on services such as IAM, S3, API Gateway, Lambda, EC2, and ECS. AWSGoat mimics real-world infrastructure but with added vulnerabilities. The idea behind AWSGoat is to provide security enthusiasts and pen-testers with an easy to deploy/destroy vulnerable infrastructure where they can learn how to enumerate cloud applications, identify vulnerabilities, and chain various attacks to compromise the AWS account. The deployment scripts will be open-source and made available after the talk.

Jeswin Mathai is a Senior Security Researcher at INE. Prior to joining INE, He was working as a senior security researcher at Pentester Academy (Acquired by INE). At Pentester Academy, he was also part of the platform engineering team who was responsible for managing the whole lab infrastructure. He has published his work at DEFCON China, RootCon, Blackhat Arsenal, and Demo labs (DEFCON). He has also been a co-trainer in classroom trainings conducted at Black Hat Asia, HITB, RootCon, OWASP NZ Day. He has a Bachelor degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals, conducted awareness workshops for government institutions. His area of interest includes Cloud Security, Container Security, and Web Application Security.

Sanjeev Mahunta is a Cloud Software Engineer at INE with a strong background in web, mobile application design and has high proficiency in AWS. He holds a bachelor’s degree in Computer Science from Amity University Rajasthan. He has 2+ years of experience building front-end applications for the web and implementing ERP solutions. Having interned at Defence Research and Development Organisation (DRDO), he has acquired neat skills in application development. His areas of interest include Web Application Security, Serverless Application Deployment, System Design and Cloud.

CyberPeace Builders

The CyberPeace Builders are pro hackers who volunteer to help NGOs improve their cybersecurity. Through a portal that I’ll demo, hackers can access a variety of short engagements, from 1 to 4 hours, to provide targeted cybersecurity help to NGOs on topics ranging from staff awareness to DMARC implementation, password management and authentication practices, breach notification, OSINT and dark web monitoring, all the way to designing a cyber-related poster for the staff, reviewing their privacy policy and cyber insurance papers. The programme is the world’s first and only skills-based volunteering opportunity for professionals in the cybersecurity industry; it has been prototyped over 2 years, was launched in July 2021 and is now being used by over 60 NGOs worldwide, ultimately helping to protect over 350 million vulnerable people and $500 million in funds. I’ll demo the platform, show the type of help NGOs need and explain how NGOs and security professionals can leverage the programme.

Adrien is currently Chief Operations Officer at the CyberPeace Institute, a cybersecurity non-profit based in Switzerland. At the Institute, he provides cybersecurity assistance to vulnerable communities around the world. Adrien has more than 15 years of experience in various cyber crisis response roles in the private sector, the French Cybersecurity Agency (ANSSI), the European Cybersecurity Agency (ENISA), and the World Economic Forum. Adrien holds an MEng in telecommunication and information systems, an MSc in Global Security and a Master in Business Administration.

FISSURE: The RF Framework

FISSURE is an open-source RF and reverse engineering framework designed for all skill levels with hooks for signal detection and classification, protocol discovery, attack execution, IQ manipulation, vulnerability analysis, automation, and AI/ML. The framework was built to promote the rapid integration of software modules, radios, protocols, signal data, scripts, flow graphs, reference material, and third-party tools. FISSURE is a workflow enabler that keeps software in one location and allows teams to effortlessly get up to speed while sharing the same proven baseline configuration for specific Linux distributions. The framework and tools included with FISSURE are designed to detect the presence of RF energy, understand the characteristics of a signal, collect and analyze samples, develop transmit and/or injection techniques, and craft custom payloads or messages. FISSURE contains a growing library of protocol and signal information to assist in identification, packet crafting, and fuzzing. Online archive capabilities exist to download signal files and build playlists to simulate traffic and test systems.

Chris Poore is a Senior Reverse Engineer at Assured Information Security in Rome, NY. He has expertise discovering vulnerabilities in wireless systems, gaining access to systems via RF, reverse engineering RF protocols, forensically testing cybersecurity systems, and administering RF collection events. He has been the main figure behind the design and implementation of FISSURE since its inception in 2014. Chris is excited about implementing ideas drawn from the community and taking advantage of increased networking opportunities, so please reach out to him.

Injectyll-HIDe: Pushing the Future of Hardware Implants to the Next Level

Enterprises today are shifting away from dedicated workstations, and moving to flexible workspaces with shared hardware peripherals. This creates the ideal landscape for hardware implant attacks; however, implants have not kept up with this shift. While closed source, for-profit solutions exist and have seen some recent advances in innovation, they lack the customization to adapt to large targeted deployments. Open-source projects exist but focus more on individual workstations (dumb keyboards/terminals) relying on corporate networks for remote control. Our solution is an open source, hardware implant which adopts IoT technologies, using non-standard channels to create a remotely managed mesh network of hardware implants. Attendees will learn how to create a new breed of open-source hardware implants. Topics covered in this talk include the scaling of implants for enterprise takeover, creating and utilizing a custom C2 server, a reverse shell that survives screen lock, and more. They will also leave with a new platform from which to innovate custom implants. Live demos will be used to show these new tactics against real world infrastructure. This talk builds off of previous implant talks but will show how to leverage new techniques and technologies to push the innovation of hardware implants forward evolutionarily.

Jonathan Fischer is a hardware and IoT security enthusiast that started off designing, programming, and implementing electronic controls for industrial control systems and off-highway machinery. After a decade in that industry, Jonathan obtained his BS in Computer Science and transitioned over to the cyber security industry where he has been working as a Red Team consultant and researcher for more than five years at a Fortune 500. Since joining the cyber security industry, Jonathan has since earned various industry certifications (OSCP, GPEN, etc.) and continues to leverage his unique experience in his research into hardware hacking.

Jeremy Miller is a 12+ year security professional that has worked in various industries including life-sciences, finance, and retail. Jeremy has worked both sides of the security spectrum ranging from Security Research, Red Teaming and Penetration Testing to Threat Intelligence and SOC Analyst. Jeremy currently works as a Security Technical Lead for an emerging R&D Life Science Platform where he works on product and infrastructure security.


Mercury is an open source package for network metadata extraction and analysis. It reports session metadata including fingerprint strings for TLS, QUIC, HTTP, DNS, and many other protocols. Mercury can output JSON or PCAP. Designed for large scale use, it can process packets in real time at 40Gbps on server-class commodity hardware, using Linux native zero-copy high performance networking. The Mercury package includes tools for analyzing PKIX/X.509 certificates and finding weak keys, and for analyzing fingerprints with destination context using a naive Bayes classifier.

David McGrew leads research and development into the detection of threats, vulnerabilities, and attacks using network data. He designed authenticated encryption algorithms and protocols, most notably GCM and Secure RTP, and he is a Fellow at Cisco Systems.

Brandon Enright is a lead DIFR investigator for Cisco CSIRT, an expert at DNS and network data analysis, and a contributor to Nmap and other open source projects.

PCILeech and MemProcFS

The PCILeech direct memory access attack toolkit was presented at DEF CON 24 and quickly became popular amongst red teamers and game hackers alike. We will demonstrate how to take control of still vulnerable systems with PCIe DMA code injection using affordable FPGA hardware and the open source PCILeech toolkit. MemProcFS is memory forensics and analysis made super easy! Analyze memory by clicking on files in a virtual file system or by using the API. Analyze memory dump files or live memory acquired using drivers or PCILeech PCIe FPGA hardware devices.

Ulf is a pentester by day, and a security researcher by night. Ulf is the author of the PCILeech direct memory access attack toolkit and MemProcFS. Ulf is interested in things low-level and primarily focuses on memory analysis and DMA.

Ian Vitek has a background as a pentester but now works with information security in the Swedish financial sector. Ian has held several presentations at DEF CON, BSidesLV and other IT security conferences.


ResidueFree is a privacy-enhancing tool that allows individuals to keep sensitive information off their device’s filesystem. It takes on-device privacy protections from TAILS and “incognito” web browser modes and applies them to any app running on a user’s regular operating system, effectively making the privacy protections offered by TAILS more usable and accessible while improving the on-device privacy guarantees made by web browsers and extending them to any application. While ResidueFree currently runs on Linux, its maintainers are hoping to port it to other operating systems in the near future. In addition, ResidueFree can help forensic analysts and application security engineers isolate filesystem changes made by a specific application. The same implementation ResidueFree uses to ensure that any file changes an application makes are not stored to disk can also be used to isolate those changes to a separate folder without impacting the original files.

Logan is a former student-turned-independent researcher and software developer. While he makes a living conducting IT, security, and privacy audits, his most impactful hacking is 1337ing his job’s policies as a union rep to elevate workplace privileges. He has an OSCP, other certs from days wooing federal hiring screeners to pass along his application, and The Time Warp stuck in his head from the time he heard “rm -rf” could be pronounced “rimm raff.”

Wakanda Land

Wakanda Land is a Cyber Range deployment tool that uses terraform for automating the process of deploying an Adversarial Simulation lab infrastructure for practicing various offensive attacks. This project inherits from other people’s work in the Cybersecurity Community, to which I have added some additional sprinkles to their work from my other research. The tool deploys the following for the lab infrastructure (of course, more assets can be added): -Two Subnets -Guacamole Server — This provides dashboard access to — Kali GUI and Windows RDP instances The Kali GUI, Windows RDP and the user accounts used to log into these instances are already backed into the deployment process — To log into the Guacamole dashboard with the guacadmin account, you need to SSH into the Guacamole server using the public IP address (which is displayed after the deployment is complete) and then change into the guacamole directory and then type cat .env for the password (the guacadmin password is randomly generated and saved as an environment variable) -Windows Domain Controller for the Child Domain (first.local) -Windows Domain Controller for the Parent Domain (second.local) -Windows Server in the Child Domain -Windows 10 workstation in the Child Domain -Kali Machine — a directory called toolz is created on this box and Covenant C2 is downloaded into that folder, so its just a matter of running Covenant once you are authenticated into Kali -Debian Server serving as Web Server 1 — OWASP’s Juice Shop deployed via Docker -Debian Server serving as Web Server 2 — Vulnerable web apps

Stephen Kofi Asamoah (q0phi80) is an Offensive Security professional, with over fifteen (15) years of experience running Offensive Security operations. Some of his previous places of employment include Ernst & Young, PwC and IBM X-Force Red. Currently as a Snr. Manager of Offensive Cybersecurity Operations, he runs an Enterprise’s Offensive Security programs and manages a team of Offensive Security Operators.

Xavier Memory Analysis Framework

Malware continues to advance in sophistication. Well-engineered malware can obfuscate itself from the user and the OS. Volatile memory is the unique structure malware cannot evade. I have engineered a new construct for memory analysis and a new open-source tool that automates memory analysis, correlation, and user-interaction to increase investigation accuracy, reduce analysis time and workload, and better detect malware presence from memory. This talk demos a new visualization construct that creates the ability to interact with memory analysis artifacts. Additionally, this talk demos new, very impactful data XREF and a system manifest analysis features. Data XREF provides an index and memory context detailing how your search data is coupled with processes, modules, and events captured in memory. The System Manifest distills the analysis data to create a new memory analysis snapshot and precise identification of malicious artifacts detectable from malware execution especially useful for exploit dev and malware analysis!

Solomon Sonya (@Carpenter1010) is the Director of Cyber Operations Training at a large organization. He has a background in software development, malware analysis, covert channels, steganography, distributed computing, computer hacking, information protection paradigms, and cyber warfare. He received his Undergraduate Degree in Computer Science and has Master’s degrees in Computer Science and Information System Engineering. Before becoming Director of Cyber Operations Training, he was a university Computer Science Assistant Professor of Computer Science and Research Director. Solomon’s current research includes computer system exploitation, cyber threat intelligence, digital forensics, and data protection. Solomon’s previous keynote and conference engagements include: BlackHat USA, SecTor Canada, Hack in Paris, France, HackCon Norway, ICSIS — Toronto, ICORES Italy, BruCon Belgium, CyberCentral — Prague and Slovakia, Hack.Lu Luxembourg, Shmoocon DC, BotConf — France, DerbyCon Kentucky, SkyDogCon Tennessee, HackerHalted Georgia, Day-Con Ohio, and TakeDownCon Connecticut, Maryland, and Alabama, AFCEA — Colorado Springs.

DEF CON 30 Trainings

When: Monday, August 15th — Tuesday, August 15th

Where: Ceaser’s Ballroom, 9am — 5pm PST

Website: https://training.defcon.org/

DEF CON has been the world’s most influential hacker con for thirty years. We work hard to bring interesting, technically rich and actionable information to our community through our speaker tracks, our hands-on Villages, our Workshops and our Demo Labs.

This year we’re adding DEF CON Training — intensive, two-day courses of study with world-class instructors aimed at building specific skills. In some cases, these courses will carry a certification.

DEF CON Training is for everyone who wants to hone their skills in a challenging, fast-paced environment with instructors who know their subject down to the metal. It’s the two days after DEF CON, and those two days could change everything

COVID safety: Masks required for indoor training — Registration now open!

Check out https://defcontrainings.myshopify.com/ to peruse training offerings and to and purchase training tickets!

If you need to book a room for Training, Our use our DEF CON 30 room block!


Defender’s Guide to Securing Public Cloud Infrastructures

Latest details, requirements, description, cost: https://defcontrainings.myshopify.co...nfrastructures

Training description:

This training focuses on elevating your threat detection, investigations, and response knowledge into the cloud. This hands-on training simulates real-life attack scenarios on cloud infrastructure & applications. It then teaches you to build your own defensive tools against such attacks by using cloud native services on AWS. This makes it an ideal class for red & blue teams.

Course overview:

- Introduction to IAM attack surface.
- Enumerating IAM Permissions for privilege escalations.
- Advance privilege escalation using policy chaining and evading scanning tools.
- Post Infection attack TTPs.

*Security Analytics & Automation at cloud scale*
- Using cloudtrail logs for investigation and Athena for querying.
- Automating athena queries for continuous assessment.
- Building highly scalable, multi-account logging and monitoring infrastructure in AWS.
- Establishing an alerting pipeline.

*Malware detection and investigation on/for cloud infrastructure*
- Quick Introduction to cloud infrastructure security.
- Building clamAV based static scanner for S3 buckets using AWS lambda.
- Integrating serverless scanning of S3 buckets with yara engine.
- Building signature update pipelines using static storage buckets to detect recent threats.
- Malware alert notification through SNS and slack channel.
- Adding advanced context to slack notification for quick remediation.
- Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.

*Forensic Automation for Cloud infrastructure*
- Building an IR ‘flight simulator’ in the cloud.
- Creating a step function rulebook for instance isolation and volume snapshots.
- lambda functions to perform instance isolation and status alerts.
- Building forensic analysis playbook to extract key artifacts, run volatility and build case tracking.
- Automated timeline generation and memory dump.
- Storing the artifacts to S3 bucket.

Takeaways for the students after completing the class:

* Use cloud technologies to detect & build automated response against IAM attacks.
* Understand and mitigate cloud native pivoting and privilege escalation and defense techniques.
* Use serverless functions to perform on-demand threat scans.
* Deploy containers to deploy threat detection services at scale.
* Build notification services to create detection alerts.
* Analyze malware-infected virtual machines to perform automated forensic investigations.
* Define step functions to implement automated forensic artifacts collection for cloud resources.
* Build cloud security response playbooks for defense evasion, persistence and lateral movements.

Student skill level:


- Basic understanding of AWS.
- System administration, linux cli, AWS cli.
- Able to write basic programs in python.
- Familiarity with SQL and KQL queries will be a plus.

What should students bring to the Training?:

- System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes.
- Privileges to disable/change any antivirus or firewall.


Abhinav Singh is a cybersecurity researcher with close to a decade long experience working for global leaders in security technology, financial institutions and as an independent trainer/consultant. He is the author of Metasploit Penetration Testing Cookbook (first, second & third editions) and Instant Wireshark Starter, by Packt. He is an active contributor to the security community in the form of patents, open-source tools, paper publications, articles, and blogs. His work has been quoted in several security and privacy magazines, and digital portals. He is a frequent speaker at eminent international conferences like Black Hat, RSA & Defcon. His areas of expertise include malware research, reverse engineering, enterprise security, forensics, and cloud security.

Previous Trainings:

2022: Hack In Paris, Insomnihack, x33fcon, Troopers.


2021: Blackhat EU, Troopers, Hack In the Box.


DATE:Aug 15th to 16th 2022

TIME:9am to 5pm PDT

VENUE:Caesars Forum Ballroom

TRAINER:Abhinav Singh

CERTIFICATE TEST AVAILABLE (after class) Please purchase Certificate test

  • 16 hours of training with a certificate of completion for some classes
    - COVID safety: Masks required for indoor training
    - Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
    - Note: Food is NOT included

Pragmatic API Exploration

Latest details, requirements, description, cost: https://defcontrainings.myshopify.co...pi-exploration

Training description:

The use of Application Programming Interfaces (APIs) have become ubiquitous as business expose and consume services.

Therefore, the threat landscape of organizations increases with the adoption of APIs. The content of the course creates awareness around the various attack vectors used targeting APIs and provides actionable mitigation strategies.

The aim of this course is to empower you to conduct a risk assessment of an API. This hands-on course covers API basics, setting up a test environment, API threat model, API protocols and architectures, typical vulnerabilities, enumerating an attack surface and best practices around security.

Moreover, it focuses on gaining practical experience of the OWASP Top 10 for APIs. In addition, you would be gaining practical experience on exploiting typical vulnerabilities on RESTful (REST) APIs and GraphQL. The course concludes with a capture the flag (CTF) to apply knowledge gained during the course.

Course overview:

This course consists of 6 High level Modules, +-26 Key concepts and +-30 Practicals.

Learning take-aways:
* Understanding the usage and business context around APIs
* Set up and create the adequate testing environment and configuration
* Assess and analyse real world API’s with industry leading methodologies

Below is the outline based on the 6 Modules and the 26 sub-modules as well as an indication where the practicals fit into the course flow.

Module 1: Introduction To API
* What is an API?
* The API ecosystem
* Threat model of an API
* Review of code representing an API endpoint

Practical 1 — What to do with APIs:
This practical engages candidates to look for open APIs and how they could use at least threee APIs withinin a ficticoinal scenario business / operational environment.

Module 2: Engaging with the Target API:
*Setup and configure Postman, cURL and Burp to connect to target API
*Demonstrate the various HTTP headers
*Interacting with Swagger
*Demonstrate the various HTTP methods
*Discuss the use of JWT for authetnication

Practical 2 — Abusing a JWT :
The practical would focus on creating a JWT to authenticate against an endpoint. In addition, the cracking of a JWT to target weak encryption protocols. Lastly how to resign the JWT and use with subsequent abuses.

Module 3: Enumerate API Attack Surface:
*Creating wordlists to enumerate endpoints
*Fuzzing endpoints to identify hidden endpoints
*Use of tools to create wordlists

Practical 3 — Using cewl and mentalist to create a wordlist:
The identification of endpoints are ciritical to enumerate the attack surface of APIs. This practical demonstrates the use of tools to create custom wordlists.

Module 4: Demystify the OWASP Top 10 for API:
Candidates would be exposed to the most common vulnerabilities targeting APIs. These vulnerabilities would be put into context through the use cases and allow candidates to perform the attack to get a better understanding. The focus would also be on identiifying mitigation strategies to address the risk.

*Unpack the OWASP Top 10 for APIs
*Analyze the vulnerability: Broken Object Level Authorization
*Analyze the vulnerability: Broken User Authentication
*Analyze the vulnerability: Broken Function Level Authorization
*Analyze the vulnerability: Excessive Data Exposure
*Analyze the vulnerability: Lack of Resources & Rate Limiting
*Analyze the vulnerability: Mass Assignment
*Analyze the vulnerability: Security Misconfiguration
*Analyze the vulnerability: Injection
*Analyze the vulnerability: Improper Assets Management
*Analyze the vulnerability: Insufficient Logging & Monitoring

Practical 4 — Getting to know the top vulnerabiliites for APIs :
The practicals are part of the module decribing each vulnerability. The use cases were developed to practically demonstrate each vulnerability and give the candidate opportunity to experience each vulnerability. This in turrn would create awareness on how to test for each of these vulnerabilites.
*Practical review of Use Case: Unauthorized Enumeration and Viewing
*Practical review of Use Case: Insecure JSON Web token (JWT) configuration
*Practical review of Use Case: Weak password complexity
*Practical review of Use Case: Authentication susceptible to brute force attack
*Practical review of Use Case: OTP Bypass
*Practical review of Use Case: Escalate Privileges to gain Administrative Access
*Practical review of Use Case: API Response contains Unfilter Data
*Practical review of Use Case: API Response contains Unnecessary Data
*Practical review of Use Case: Impact of Zipbombing
*Practical review of Use Case: Rate Limiting — Abuse Number of Calls to End Point
*Practical review of Use Case: Rate Limiting Enabled
*Practical review of Use Case: Privilege Escalation
*Practical review of Use Case: HTTP OPTIONS Method Enabled
*Practical review of Use Case: Verbose Error Messages
*Practical review of Use Case: Outdated Application Servers
*Practical review of Use Case: Overly permissive Cross-Origin resource sharing (CORS)
*Practical review of Use Case: SQL Injection
*Practical review of Use Case: XXE Injection
*Practical review of Use Case: Command Injection
*Practical review of Use Case: Ennumerate API to identify deprecated endpoints
*Practical review of Use Case: No authentication required to acces endpoint
*Practical review of Use Case: Logging of data
*Practical review of Use Case: Logs containing sensitive data
*Practical review of Use Case: Logs does not have sufficient data

Module 5: Exploring GraphQL from a security perspective:
*Introduction to GraphQL
*Describing the various vulnerabilities associated with GraphQL
*Discuss various techniques to secure GraphQL

Practical 5 — Introspection for the Win

Candidates would be provided with an endpoint to explore the various vulnerabilities. This includes:
• Abuse the default configuration for GraphQL could expose the supported schema and queries.
• Explore the impact of IDORs to gain access to information within the context of GraphQL.

Module 6: Capture the Flag:
The course concludes with candidates participating in a capture the flag where secret documents of a target company needs to be found. The candidates would use knowledge acquired during the course to apply this and exploit vulnerabilities within the exposed API.

Takeaways for the students after completing the class:

* Understanding the usage and business context around APIs
* Set up and create the adequate testing environment and configuration
* Assess and analyze real world API’s with industry leading methodologies

More Details:
* 2-day course
* 60% practical and 40% theoretical
* Real-world attacks and methodologies
* CTF at the end of the course
* Delivered by active penetration testers and red team members

Student skill level:

Beginner Level
This is a beginner course in penetration testing of APIs. No security related experience is required but a technical understanding of computers, networks, Linux and Windows are a must.

Please ensure you are comfortable with the Linux command line before enrolling for this course. The students will be executing some commands from the command line when executing cURL to interact with the APIs.

What should students bring to the Training?:

You should bring a laptop with a working modern browser like Firefox or Chrome to access the APIs.
Ensure cURL (https://curl.se/), Postman (https://www.postman.com/) and Burp (https://portswigger.net/burp) are installed as these tools would be used to interact with the APIs.


Aubrey is a security analyst at SensePost. Over the years he has had many roles which included project management, product management, development, training and being a security analyst. Interest for security grew from emergence into information warfare. His hobbies include the development of sensor centric platforms. He has a big passion for training and has completed his masters on how to improve the effectiveness of security awareness programs. He currently holds several certifications which include OSCP, ECSA and ISO 27032 certifications.

Marianka is a security analyst for the SensePost team at Orange Cyberdefense. She studied Information Technology at the North-West University (Pukke) in South Africa and has a big passion for hacking. In her off time she will study up some Dad jokes or find the best places to order chicken wings.

Trainer(s) social media links:

DATE:Aug 15th to 16th 2022
TIME:9am to 5pm PDT
VENUE:Caesars Forum Ballroom
TRAINERS:Aubrey Labuschagne (William) & Marianka Botes

CERTIFICATE TEST AVAILABLE (after class) Please purchase Certificate test

  • 16 hours of training with a certificate of completion for some classes
    - COVID safety: Masks required for indoor training
    - Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
    - Note: Food is NOT included

Zero 2 Emulated Criminal: Intro to Windows Malware Dev

Latest details, requirements, description, cost: https://defcontrainings.myshopify.co...-malware-dev-1

Training description:
Step up your emulated criminal game with a practical, hands-on introduction to malware development. Join a prior US Special Operations Cyber Operator to learn the building blocks and techniques used in real-world malware variants.
You don’t need fancy, expensive tools to get a C2 implant executed while evading antivirus. You need basic knowledge, ingenuity, and elbow grease.
In this course, we don’t cut corners. You will learn by doing, not by copying and pasting with modules and labs that will give you the ability to deviate and improvise on your very first malware variants in C++, even if you have no prior C++ experience.
Where this course differs from others is its reduced need for prior knowledge, and enhanced emphasis on hands-on learning.
By the end of the course, you will understand and be able to implement:
- Techniques to use the native Win32 API for adversarial tactics, enhancing stealth and offensive efficiency
- Maintaining data/shellcode integrity while using multiple ciphers for obfuscation and encryption
- Modular antivirus evasion techniques that will remain useful through your pen testing career

Student skill level:
Will be programming in C++ and Python but will not need to have knowledge in either, just an understanding of how programming languages work (e.g., if, then, else, loops, etc.).

What should students bring to the Training?:
A laptop that can run two virtual machines concurrently
Machine 1: Windows 10 machine w/ Visual Studio 19
Machine 2: Linux machine (Kali preferred) with Metasploit and Mythic
Downloads can be available from a shared folder
Dahvid is the Offensive Security Lead at Echelon Risk + Cyber. As an experienced professional with over 12 years of cyber-attack and defense experience, Dahvid has previously worked as a Red Team Operator with a Big 4 consulting firm leading and conducting Adversarial Emulation exercises. He also served in the military, leading, conducting, and advising on special operations offensive cyber operations. He has a wide background in cyber security including logical, social, and physical exploitation as well as leading malware development enabling c2 execution while evading endpoint detection solutions.
DATE:Aug 15th to 16th 2022
TIME:9am to 5pm PDT
VENUE:Caesars Forum Ballroom
TRAINER:Dahvid Schloss

CERTIFICATE TEST AVAILABLE (45 minutes after class) Please purchase Certificate test
- 16 hours of training with a certificate of completion for some classes
- COVID safety: Masks required for indoor training
- Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
- Note: Food is NOT included

Madhu Akula — A Practical Approach to Breaking & Pwning Kubernetes Clusters

Latest details, requirements, description, cost: https://defcontrainings.myshopify.co...netes-clusters

Training description:

The adoption of Kubernetes use in production has increased to 83% from a survey by CNCF. Still, most security teams struggle to understand these modern technologies.

In this real-world scenario-based training, each participant will be learning Tactics, Techniques, and Procedures (TTPs) to attack and assess Kubernetes clusters environments at different layers like Supply chain, Infrastructure, Runtime, and many others. Starting from simple recon to gaining access to microservices, sensitive data, escaping containers, escalating to clusters privileges, and even its underlying cloud environments.

By end of the training, participants will be able to apply their knowledge to perform architecture reviews, security assessments, red team exercises, and pen-testing engagements on Kubernetes Clusters and Containerized environments successfully. Also, the trainer will provide step by step guide (Digital Book) with resources and references to further your learning.

Student skill level:


* Able to use Linux CLI
* Basic understanding of system administration
* Experience with Docker and Containers ecosystem would be useful
* Security Experience would be plus

What should students bring to the Training?:

- laptop computer and Web access.


Madhu Akula is a pragmatic security leader and creator of Kubernetes Goat, an intentionally vulnerable by design Kubernetes Cluster to learn and practice Kubernetes Security. Also published author and cloud native security architect with extensive experience. Also, he is an active member of the international security, DevOps, and cloud native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, OWASP, etc). Holds industry certifications like OSCP (Offensive Security Certified Professional), CKA (Certified Kubernetes Administrator), etc.

Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON (24, 26, 27 & 29), BlackHat (2018, 19, 21 & 22), USENIX LISA (2018, 19 & 21), SANS Cloud Security Summit 2021 & 2022, O’Reilly Velocity EU 2019, GitHub Satellite 2020, Appsec EU (2018, 19 & 22), All Day DevOps (2016, 17, 18, 19, 20 & 21), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n(2017, 18 & 20), Nullcon (2018, 19, 21, 22), SACON 2019, Serverless Summit, null and multiple others.

His research has identified vulnerabilities in over 200+ companies and organizations including; Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP, Adobe, etc, and is credited with multiple CVEs, Acknowledgements, and rewards. He is co-author of Security Automation with Ansible2 (ISBN-13: 978–1788394512), which is listed as a technical resource by Red Hat Ansible. He is the technical reviewer for Learn Kubernetes Security, Practical Ansible2 books by Packt Pub. Also won 1st prize for building Infrastructure Security Monitoring solution at InMobi flagship hackathon among 100+ engineering teams.

Trainer(s) social media links:


Previous Trainings:



DATE:Aug 15th to 16th 2022
TIME:9am to 5pm PDT
VENUE:Caesars Forum Ballroom
TRAINER:Madhu Akula

CERTIFICATE TEST AVAILABLE (after class) Please purchase Certificate test

  • 16 hours of training with a certificate of completion for some classes
    - COVID safety: Masks required for indoor training
    - Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
    - Note: Food is NOT included

Offensive IoT Exploitation

Latest details, requirements, description, cost: https://defcontrainings.myshopify.co...t-exploitation

Training description:

As IoT becomes more integrated and integral into personal and work lives, there is a growing need to understand the inner workings of IoT devices. The base skills required are the same as many other security disciplines, whether the task is to perform defensive-based penetration testing or gain covert access for evidence or intelligence collection. Testing IoT devices for security bridges several skill sets from application security, operating systems penetration testing, wireless signals analysis, and embedded hardware security. Unfortunately, many courses in this industry deal with each topic individually, either taking a deep dive into hardware hacking, teaching advanced web application security, or teaching exploit development of different microarchitectures. This training is curated to take a step back and look at the bigger picture of IoT security testing, teaching the basics of each skill set to bridge the gaps and enable students to apply modern penetration testing techniques to IoT devices.

Course Outline:

The course is broken down into the following sections:

Introduction to IoT
Trends in IoT and IoT Security
Penetration testing Methodology Overview for IoT
o How it differs from other methodologies
Linux Command Refresher (Command line fu)
Hardware Recon and Analysis
o Physical Embedded Hardware Inspection
▪ Includes Analyzing and Identifying Chips, Ports and Circuits Connections
o Hardware analysis
▪ eMMC
o Hardware attacks
▪ Glitching (Boot Loader Attacks)
▪ Side Channel Attacks

Software Recon and Analysis
o Firmware Analysis
▪ Introduction to Binwalk
▪ Introduction to Manual Firmware Analysis
o Emulating firmware
▪ Introduction to QEMU
o IoT Software Protocols
▪ Configuration & Discovery Protocols (UPnP)

Communication Protocols in IoT
o Wireless Communications Protocols and how to attack them
▪ ZigBee
▪ Thread
▪ LoRa

Student skill level:

Beginner to Intermediate. This is a compressed course and will move quickly. Students should have:
- Understanding of common networking protocols
- Basic familiarity of virtualization technologies
- Basic familiarity of Windows and Linux
- Basic understanding of penetration testing

What should students bring to the Training?:

Laptop with 16GB RAM and at least 40GB free disk space
- External ethernet adapter
- VMware Player/Workstation/Fusion or VirtualBox installed
- Administrator/Root access to their host Operating System


Trevor Stevado
• 12+ years in offensive application and network security
• Led and contributed to over 100 security assessments (Red Team, VA, Pen Test)
• DEF CON 26 Black Badge holder (part of 3-person team)
• Leads Pros versus Joes (PvJ) Red Cell
• Founding Partner & Hacker @ Loudmouth Security

Trevor Hough
• 10+ years in offensive application and network security
• Led and contributed to dozens of security assessments (Red Team, VA, Pen Test)
• DEF CON 26 Black Badge holder (part of 3-person team)
• Member of Pros versus Joes (PvJ) Red Cell
• Managing Partner & Hacker @ Loudmouth Security

Nicholas Coad
• 5+ years in offensive application and network security
• 10+ years in network administration and security operations
• Contributed to dozens of security assessments (Red Team, VA, Pen Test)
• Managed security operations for Fortune 500 company
• Winner of the IoT CTF, DEF CON 27
• Member of Pros versus Joes (PvJ) Red Cell
• Hacker @ Loudmouth Security

Patrick Ross
• 7+ years in offensive security roles
• 10+ years in security architecture
• DEF CON 26 Black Badge holder (part of 3-person team)
• Member of Pros versus Joes (PvJ) Red Cell
• Hacker @ Village Idiot Labs

Trainer(s) social media links:



Previous Trainings:

Private corporate trainings only.

DATE:Aug 15th to 16th 2022
TIME:9am to 5pm PDT
VENUE:Caesars Forum Ballroom
TRAINERS:Trevor Stevado, Trevor Hough, Nicholas Coad & Patrick Ross

CERTIFICATE TEST AVAILABLE (45 minutes after class) Please purchase Certificate test

  • 16 hours of training with a certificate of completion for some classes
    - COVID safety: Masks required for indoor training
    - Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
    - Note: Food is NOT included


Location: Virginia City — Flamingo

Remember when going to a security conference meant that you were going to sit around in a large room with 30 or so people watching presentations about subjects that contained highly sensitive information that usually was presented with some type of a legal disclosure? Yeah, some of you weren’t even alive then and don’t remember a DEF CON without a LINE CON, but we promise, it DID exist! And since DEF CON 16, Skytalks has been bringing you Old School DEF CON: technical deep dives, off-the-beaten path discussions, early-access talks, cool technology, and plenty of shenanigans. We pride ourselves on a simple creed: “No recording. No photographs. No bullshit.”

The Skytalks track at DEF CON is completely off the record — we do not allow cameras or recording. This is for the safety of our presenters, some of whom have reason to be speaking “off the record”. We also feel that this encourages a more intimate and collegial atmosphere. We encourage interaction and discussion with our speakers, and we encourage them to be creative with their talks. If you don’t come away wondering “what just happened here?” something certainly went wrong somewhere.

Hosted and produced by the hacker collective simply known as “303”, Skytalks is not sponsored by any specific company or organization. We believe in content by the community, for the community. We accept donations to help defray our costs, both in production of the speaking track and our parties, but we put a lot of time and money into this event because we want to present the best for you — not present whatever company has the deepest pocket this year. And from popular response, we seem to excel in this, year after year.

So we invite you to bring your best, be it in technology, thought, rant, or deed. Our for this year is completed, but we look forward to making you part of the Skytalks experience.

Website: https://skytalks.info


This is the section where we have comb through the entire list of talks on both days and list our highlights for the talks that stand out to us. Note that this does not invalidate any talks we didn’t list, in fact, we highly recommend you take a look at the full convention scheduel beforehand and make up your own talk hilight lists. These are just the talks that for us had something stand out, either by being informative, unique or bizzare. (Sometimes, all three!)

Friday, August 12th, 2022

10:00 AM

Track 1

“So It’s your first DEF CON” — How to get the most out of DEF CON, What NOT to do.



Track 2

DEF CON Policy Department — What is it, and what are we trying to do for hackers in the policy world?

Description: “The nature of global power has changed. Cybersecurity is national security, economic stability, and public safety. Hackers — and the DEF CON community — sit at the intersection of technology and public policy. Policymakers seek our counsel and many of us have become regulars in policy discussions around the world. The DEF CON Policy Department creates a high-trust, high-collaboration forum unlike any other in the world for hackers and policymakers to come together.

Join this session to hear the vision for public policy at DEF CON, including where we’ve been, where we are, and where we’re going — as well as how you can be a part of it. Guest speakers will describe the history of hacking and hackers in public policy and provide a preview of this year’s sessions. “

The Dark Tangent
Members of the Policy Department

Track 3

Old Malware, New tools: Ghidra and Commodore 64, why understanding old malicious software still matters

Why looking into a 30 years old “malicious” software make sense in 2022? Because this little “jewels”, written in a bunch of bytes, reached a level of complexity surprisingly high. With no other reason than pranking people or show off technical knowledge, this software show how much you can do with very limited resources: this is inspiring for us, looking at modern malicious software, looking at how things are done and how the same things could have been done instead.

Cesare Pizzi is a Security Researcher, Analyst, and Technology Enthusiast at Sorint.lab.
He develops software and hardware, and tries to share this with the community. Mainly focused on low level programming, he develops and contributes to OpenSource software (Volatility, OpenCanary, Cetus, etc), sometimes hardware related (to interface some real world devices) sometimes not. Doing a lot of reverse engineering too, so he feels confident in both “breaking” and “building” (may be more on breaking?).

Twitter: @red5heep
Github: https://github.com/cecio/

Track 4

Computer Hacks in the Russia-Ukraine War

The Russia-Ukraine war has seen a lot of computer hacking, on both sides, by nations, haxor collectives, and random citizens, to steal, deny, alter, destroy, and amplify information. Satellite comms have gone down. Railway traffic has been stymied. Doxing is a weapon. Fake personas and false flags are expected. Every major platform has had issues with confidentiality, integrity, and availability. Hacked social media and TV have been a hall of mirrors and PSYOP. Russian comms are unreliable, so Ukrainian nets have become honeypots. Hackers have been shot in the kneecaps. Talking heads have called for a RUNET shutdown. The Ukrainian government has appealed for hacker volunteers — just send your expertise, experience, and a reference. The Great Powers are hacking from afar, while defending their own critical infrastructure, including nuclear command-and-control. Ukraine has many hacker allies, while Russian hackers are fleeing their country in record numbers. Some lessons so far: connectivity is stronger than we thought, info ops are stealing the day, drones are the future, and it is always time for the next hack.


Dr. Kenneth Geers works at Very Good Security. He is an Atlantic Council Cyber Statecraft Initiative Senior Fellow, a NATO Cooperative Cyber Defence Centre of Excellence Ambassador, and a Digital Society Institute-Berlin Affiliate. Kenneth served for twenty years in the US Government: in the Army, National Security Agency (NSA), Naval Criminal Investigative Service (NCIS), and NATO. He was a professor at the Taras Shevchenko National University of Kyiv in Ukraine from 2014–2017. He is the author of “Strategic Cyber Security”, editor of “Cyber War in Perspective: Russian Aggression Against Ukraine”, editor of “The Virtual Battlefield”, and technical expert to the “Tallinn Manual”.


11:00 AM

Track 1

Welcome to DEF CON & The Making of the DEF CON Badge


The Dark Tangent, Michael and Katie Whiteley (Mkfactor)

Track 4

Running Rootkits Like A Nation-State Hacker

Code Integrity is a threat protection feature first introduced by Microsoft over 15 years ago. On x64-based versions of Windows, kernel drivers must be digitally signed and checked each time they are loaded into memory. This is also referred to as Driver Signature Enforcement (DSE).

The passing year showed high-profile APT groups kept leveraging the well-known tampering technique to disable DSE on runtime. Meanwhile, Microsoft rolled out new mitigations: driver blocklists and Kernel Data Protection (KDP), a new platform security technology for preventing data-oriented attacks.

Since using blocklist only narrows the attack vector, we focused on how KDP was applied in this case to eliminate the attack surface.

We found two novel data-based attacks to bypass KDP-protected DSE, one of which is feasible in real-world scenarios. Furthermore, they work on all Windows versions, starting with the first release of DSE. We’ll present each method and run them on live machines.

We’ll discuss why KDP is an ineffective mitigation. As it didn’t raise the bar against DSE tampering, we looked for a different approach to mitigate it. We’ll talk about how defenders can take a page out of attackers’ playbook to cope with the issue until HVCI becomes prevalent and really eliminates this attack surface.


Omri has over a decade of experience in cyber-security. He serves as the CTO of a security research group at Fortinet focused on OS internals, malware and vulnerabilities and spearheads development of new offensive and defensive techniques. Prior to Fortinet, Omri was the security research team leader at enSilo. Before that, He led the R&D of unique network and endpoint security products for large-scale enterprise environments and was part of an incident response team, conducting investigations and hunting for nation-state threat actors.

12:00 NOON

Track 1

One Bootloader to Load Them All

Introduced in 2012, Secure Boot — the OG trust in boot — has become a foundational rock in modern computing and is used by millions of UEFI-enabled computers around the world due to its integration in their BIOS.

The way Secure Boot works is simple and effective, by using tightly controlled code signing certificates, OEMs like Microsoft, Lenovo, Dell and others secure their boot process, blocking unsigned code from running during boot.

But this model puts its trust in developers developing code without vulnerabilities or backdoors; in this presentation we will discuss past and current flaws in valid bootloaders, including some which misuse built-in features to inadvertently bypass Secure Boot. We will also discuss how in some cases malicious executables can hide from TPM measurements used by BitLocker and remote attestation mechanisms.

Come join us as we dive deeper and explain how it all works, describe the vulnerabilities we found and walk you through how to use the new exploits and custom tools we created to allow for a consistent bypass for secure boot effective against every X86–64 UEFI platform.

Jesse Michael — Jesse is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented research at DEF CON, Black Hat, PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.
Twitter: @JesseMichael

Mickey Shkatov — Mickey has been doing security research for almost a decade, one of specialties is simplifying complex concepts and finding security flaws in unlikely places. He has seen some crazy things and lived to tell about them at security conferences all over the world, his past talks range from web pentesting to black badges and from hacking cars to BIOS firmware.
Twitter: @HackingThings

1:00 PM

Track 1

Emoji Shellcoding: 🛠️, 🧌, and 🤯

Shellcodes are short executable stubs that are used in various attack scenarios, whenever code execution is possible. After quickly recalling what a shellcode is and why designing shellcodes under constraints is an art, we’ll study a new constraint for which (to the best of our knowledge) no such shellcode was previously known: emoji shellcoding. We’ll tackle this problem by introducing a new and more generic approach to shellcoding under constraints. Brace yourselves, you’ll see some black magic weaponizing these cute little emojis 🥰 into merciless exploits 👿.

Hadrien Barral is an R&D engineer and security expert, focusing on intrusion and high-assurance software. He enjoys hacking on exotic hardware.

Georges-Axel Jaloyan is an R&D engineer, focusing on formal methods applied to cybersecurity. He enjoys reverse-engineering and formalizing anything he comes by, always for fun and sometimes for profit.

Track 4

Weaponizing Windows Syscalls as Modern, 32-bit Shellcode

Windows syscalls, while increasingly trendy in red team efforts, have only been very rarely used as pure shellcode, outside of being used for Egghunters. Typically, they are used as part of red team malware, utilizing projects like SysWhispers2. An Internet search, in fact, reveals only one non-Egghunter use of syscalls, from a Windows XP-era shellcode. This is hardly surprising though, as many Windows syscalls can be extremely difficult to use and set up in as position-independent shellcode, which is a far cry from red team malware. Often syscalls require significant additional set up not required for performing equivalent actions done by calling WinAPI functions via PEB-walking.

While much knowledge exists on using syscalls for red team efforts, information on writing original shellcode with syscalls so in modern x86 is sparse and lacking. Our reverse engineering efforts, however, have revealed the necessary steps to take to successfully perform syscalls in shellcode, both for Windows 7 and 10, as there are some significant differences.

In this talk, we will embark upon a journey that will show the process of reverse engineering how Windows syscalls work in both Windows 7 and 10, while focusing predominately on the latter. With this necessary foundation, we will explore the process of effectively utilizing syscalls inside shellcode. We will explore the special steps that must be taken to set up syscalls — steps that may not be required to do equivalent actions with WinAPI functions.

This talk will feature various demonstrations of syscalls in x86 shellcode.


Tarek Abdelmotaleb is a security researcher at VERONA Labs, and he is a graduate student at Dakota State University, who will soon graduate with a MS in Computer Science. Tarek specializes in malware development, software exploitation, reverse engineering, and malware analysis. Tarek recently published an IEEE paper that provides a new way for finding the base address of kernel32, making it possible to do shellcode without needing to make use of walking the Process Environment Block (PEB).

Dr. Bramwell Brizendine completed his Ph.D. in Cyber Operations recently, where he did his dissertation on Jump-Oriented Programming, a hitherto, seldom-studied and poorly understood subset of code-reused attacks. Bramwell developed a fully featured tool that helps facilitate JOP exploit development, the JOP ROCKET. Bramwell is the Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks (VERONA Lab), specializing in vulnerability research, software exploitation, software security assessments, and the development of new, cutting-edge tools and techniques with respect to software exploitation and malware analysis. Bramwell also teaches undergraduate, graduate, and doctoral level courses in software exploitation, reverse engineering, malware analysis, and offensive security. Bramwell teaches the development of modern Windows shellcode from scratch in various courses. Bramwell is a PI on an NSA grant to develop a shellcode analysis framework. Bramwell has been a speaker at many top security conferences, such as DEF CON, Black Hat Asia, Hack in the Box Amsterdam, Hack, and more.

2:00 PM

Track 1

Space Jam: Exploring Radio Frequency Attacks in Outer

Satellite designs are myriad as stars in the sky, but one common denominator across all modern missions is their dependency on long-distance radio links. In this briefing, we will turn a hacker’s eye towards the signals that are the lifeblood of space missions. We’ll learn how both state and non-state actors can, and have, executed physical-layer attacks on satellite communications systems and what their motivations have been for causing such disruption.

Building on this foundation, we’ll present modern evolutions of these attack strategies which can threaten next-generation space missions. From jamming, to spoofing, to signal hijacking, we’ll see how radio links represent a key attack surface for space platforms and how technological developments make these attacks ever more accessible and affordable. We’ll simulate strategies attackers may use to cause disruption in key space communications links and even model attacks which may undermine critical safety controls involved in rocket launches.

The presentation will conclude with a discussion of strategies which can defend against many of these attacks.

While this talk includes technical components, it is intended to be accessible to all audiences and does not assume any prior background in radio communications, astrodynamics, or aerospace engineering. The hope is to provide a launchpad for researchers across the security community to contribute to protecting critical infrastructure in space and beyond.


Dr. James Pavur is a Digital Service Expert at the DoD Directorate of Digital Services where he advises and assists the US Department of Defense in implementing modern digital solutions to urgent and novel challenges. Prior to joining DDS, James received his PhD. from Oxford University’s Department of Computer Science as a Rhodes Scholar. His thesis “Securing New Space: On Satellite Cybersecurity” focused on the security of modern space platforms — with a particular interest in vulnerability identification and remediation. His previous research on satellite security has been published at top academic venues, such as IEEE S&P and NDSS, presented at major cybersecurity conferences, including Black Hat USA and DEFCON, and covered in the popular press. Outside of tech, James enjoys flying kites and collecting rare and interesting teas.

Track 4

Phreaking 2.0 — Abusing Microsoft Teams Direct Routing

Microsoft Teams offers the possibility to integrate your own communication infrastructure, e.g. your own SIP provider for phone services. This requires a Microsoft-certified and -approved Session Border Controller. During the security analysis of this federation, Moritz Abrell identified several vulnerabilities that allow an external, unauthenticated attacker to perform toll fraud.

This talk is a summary of this analysis, the identified security issues and the practical exploitation as well as the manufacturer’s capitulation to the final fix of the vulnerabilities.


Moritz Abrell is an experienced expert in Voice-over-IP and network technologies with a focus on information security.
He works as a senior IT security consultant and penetration tester for the Germany-based pentest company SySS GmbH, where he daily deals with the practical exploitation of vulnerabilities and advises customers on how to fix them.
In addition, he regularly publishes his security research in blog posts or presents it at IT security conferences.

2:30 PM

Trace me if you can: Bypassing Linux Syscall Tracing

In this talk, we will present novel vulnerabilities and exploitation techniques that reliably bypass Linux syscall tracing. A user mode program does not need any special privileges or capabilities to reliably avoid system call tracing detections by exploiting these vulnerabilities. The exploits work even when seccomp, SELinux, and AppArmor are enforced.

Advanced security monitoring solutions on Linux VMs and containers offer system call monitoring to effectively detect attack behaviors. Linux system calls can be monitored by kernel tracing technologies such as tracepoint, kprobe, ptrace, etc. These technologies intercept system calls at different places in the system call execution. These monitoring solutions can be deployed on cloud compute instances such as AWS EC2, Fargate, EKS, and the corresponding services from other cloud providers.

We comprehensively analyzed the Time-of-check-to-time-of-use (TOCTOU) issues in the Linux kernel syscall tracing framework and showed that these issues can be reliably exploited to bypass syscall tracing. Our exploits manipulate different system interactions that can impact the execution time of a syscall. We demonstrated that significant syscall execution delays can be introduced to make TOCTOU bypass reliable even when seccomp, SELinux, and AppArmor are enforced. Compared to the phantom attacks in DEFCON 29, the new exploit primitives we use do not require precise timing control or synchronization.

We will demonstrate our bypass for Falco on Linux VMs/containers and GKE. We will also demonstrate bypass for pdig on AWS Fargate. In addition, we will demonstrate exploitation techniques for syscall enter and explain the reason why certain configurations are difficult to reliably exploit. Finally, we will summarize exploitable TOCTOU scenarios and discuss potential mitigations in various cloud computing environments.


Rex Guo works as a Principal Engineer at Lacework where he leads data-driven cloud security product development, detection efficacy roadmap and research on new attack vectors in the cloud. Previously, he was the Head of Research at Confluera where he led the research and development of the cloud XDR product which offers real-time attack narratives. Before that, he was an Engineering Manager at Cisco Tetration where his team bootstrapped the cloud workload protection product deployed on millions of workloads. Before that, Rex worked at Intel Security and Qualcomm. In these positions, he worked on application security, infrastructure security, malware analysis, and mobile/IoT security. Most notably, he led the Intel team to secure millions of iPhones which had Intel cellular modems inside. He has presented at Blackhat and Defcon multiple times. He has 30+ patents and publications. He received a PhD from New York University.

Junyuan Zeng is Senior Software Engineer at Linkedin. Before Linkedin, he was Staff Security Architect at JD.com where he designed and architected container security monitoring solutions. Before that he was Staff Software Engineer for mobile payment security at Samsung and a security researcher at FireEye where he worked on mobile malware analysis. He has spoken multiple times at Blackhat and Defcon. He has published in ACM CCS, USENIX ATC, and other top academic conferences. He obtained his PhD in Computer Science from The University of Texas at Dallas.

3:00 PM

Track 1

Exploring the hidden attack surface of OEM IoT devices: pwning thousands of routers with a vulnerability in Realtek’s SDK for eCos OS.

In this presentation, we go over the main challenges we faced during our analysis of the top selling router in a local eCommerce, and how we found a zero-click remote unauthenticated RCE vulnerability. We will do a walkthrough on how we located the root cause of this vulnerability and found that it was ingrained in Realtek’s implementation of a networking functionality in its SDK for eCos devices.

We then present the method we used to automate the detection of this vulnerability in other firmware images. We reflect on the fact that on most routers this functionality is not even documented and can’t be disabled via the router’s web interface. We take this as an example of the hidden attack surface that lurks in OEM internet-connected devices.

We conclude by discussing why this vulnerability hasn’t been reported yet, despite being easy to spot (having no prior IoT experience), widespread (affecting multiple devices from different vendors), and critical.

Our research highlights the poor state of firmware security, where vulnerable code introduced down the supply chain might never get reviewed and end up having a great impact, evidencing that security is not a priority for the vendors and opening the possibility for attackers to find high impact bugs with low investment and little prior knowledge.

Octavio Gianatiempo is a Security Researcher at Faraday and a Computer Science student at the University of Buenos Aires. He’s also a biologist with research experience in molecular biology and neuroscience. The necessity of analyzing complex biological data was his point of entry into programming. But he wanted to achieve a deeper understanding of how computers work, so he enrolled in Computer Science. An entry-level CTF introduced him to the world of computer security, and there he won his first ticket to a security conference. This event was a point of no return, after which he began taking classes on computer architecture and organization and operating systems to deepen his low-level knowledge. As a Security Researcher at Faraday, he focuses on reverse engineering and fuzzing open and closed source software to find new vulnerabilities and exploit them.

Octavio Galland is a computer science student at Universidad de Buenos Aires and a security researcher at Faraday. His main topics of interest include taking part in CTFs, fuzzing open-source software and binary reverse engineering/exploitation (mostly on x86/amd64 and MIPS).

3:30 PM

Track 1

How Russia is trying to block Tor

In December 2021, some ISPs in Russia started blocking Tor’s website,
along with protocol-level (DPI) and network-level (IP address) blocking to
try to make it harder for people in Russia to reach the Tor network. Some
months later, we’re now at a steady-state where they are trying to find
new IP addresses to block and we’re rotating IP addresses to keep up.

In this talk I’ll walk through what steps the Russian censors have taken,
and how we reverse engineered their attempts and changed our strategies
and our software. Then we’ll discuss where the arms race goes from here,
what new techniques the anti-censorship world needs if we’re going to
stay ahead of future attacks, and what it means for the world that more
and more countries are turning to network-level blocking as the solution
to their political problems.


Roger Dingledine is president and co-founder of the Tor Project, a
nonprofit that develops free and open source software to protect people
from tracking, censorship, and surveillance online.

Wearing one hat, Roger works with journalists and activists on many
continents to help them understand and defend against the threats they
face. Wearing another, he is a lead researcher in the online anonymity
field, coordinating and mentoring academic researchers working on
Tor-related topics. Since 2002 he has helped organize the yearly
international Privacy Enhancing Technologies Symposium (PETS).

Among his achievements, Roger was chosen by the MIT Technology Review
as one of its top 35 innovators under 35, he co-authored the Tor design
paper that won the Usenix Security “Test of Time” award, and he has
been recognized by Foreign Policy magazine as one of its top 100 global
Twitter: @RogerDingledine is me, @TorProject is Tor

Track 4

Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling

The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end… until now.

In this session, I’ll show you how to turn your victim’s web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks. You’ll learn how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms. With these techniques I’ll compromise targets including Apache, Akamai, Varnish, Amazon, and multiple web VPNs.

While some classic desync gadgets can be adapted, other scenarios force extreme innovation. To help, I’ll share a battle-tested methodology combining browser features and custom open-source tooling. We’ll also release free online labs to help hone your new skillset.

I’ll also share the research journey, uncovering a strategy for black-box analysis that solved several long-standing desync obstacles and unveiled an extremely effective novel desync trigger. The resulting fallout will encompass client-side, server-side, and even MITM attacks; to wrap up, I’ll demo breaking HTTPS on Apache.

James ‘albinowax’ Kettle is the Director of Research at PortSwigger — he’s best known for his HTTP Desync Attacks research, which popularized HTTP Request Smuggling. James has extensive experience cultivating novel attack techniques, including web cache poisoning, HTTP/2 desync attacks, Server-Side Template Injection, and password reset poisoning. James is also the author of multiple popular open-source tools including Param Miner, Turbo Intruder, and HTTP Request Smuggler. He is a frequent speaker at numerous prestigious venues including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEF CON.

Personal site: https://skeletonscribe.net/
Twitter: https://twitter.com/albinowax

4:00 PM

Track 3

Wireless Keystroke Injection (WKI) via Bluetooth Low Energy (BLE)

“We present a Microsoft Windows vulnerability that allows a remote attacker to impersonate a Bluetooth Low Energy (BLE) keyboard and perform Wireless Key Injection (WKI) on its behalf. It can occur after a legitimate BLE keyboard automatically closes its connection because of inactivity. In that situation, an attacker can impersonate it and wirelessly send keys.
In this talk we will demonstrate the attack live and we will explain the theoretical basis behind it and the process that led us to discover the vulnerability. We will also release the tool that allows to reproduce the attack and we will detail how to use it.”

Jose Pico is co-founder and senior security analyst in LAYAKK. Apart from carrying out red team activities and product security evaluations, he is a researcher in wireless communications security. In this field he has published books, articles and research in the form of talks in top events, both in Spain and worldwide. He is also an appointed member of the Ad hoc Working Group on the candidate European Union 5G Cybersecurity Certification Scheme (EU5G AHWG).

“Fernando Perera has been a Security Engineer at LAYAKK for 5 years, where he collaborates on RedTeam projects, development of security tools and software analysis. He has previously presented at RootedCON Satelite VLC 2016 and 2019, among other security events.”

4:30 PM

Track 4

A dead man’s full-yet-responsible-disclosure system

Do you ever worry about responsible disclosure because they could instead exploit the time-to-patch to find you and remove you from the equation? Dead man switches exist for a reason…
In this talk we present a new form of vulnerability disclosure relying on timelock encryption of content: where you encrypt a message that cannot be decrypted until a given (future) time. This notion of timelock encryption first surfaced on the Cypherpunks mailing list in 1993 by the crypto-anarchist founder, Tim May, and to date while there have been numerous attempts to tackle it, none have been deployed at scale, nor made available to be used in any useful way.

This changes today: we’re releasing a free, open-source tool that achieves this goal with proper security guarantees. We rely on threshold cryptography and decentralization of trust to exploit the existing League of Entropy (that is running a distributed, public, verifiable randomness beacon network) in order to do so. We will first cover what all of these means, we will then see how these building blocks allow us to deploy a responsible disclosure system that guarantees that your report will be fully disclosed after the time-to-patch has elapsed. This system works without any further input from you, unlike the usual Twitter SHA256 commitments to a file on your computer.

Yolan is an applied cryptographer delving into (and mostly dwelling on) cryptography, secure coding, and other fun things. He has previously spoken at Black Hat USA, BSidesLV, Cryptovillage, NorthSec, GopherConEU and DEF CON on topics including automation in cryptography, public keys vulnerabilities, elliptic curves, post-quantum cryptography, functional encryption, open source security, and more! He notably introduced the first practical fault attack against the EdDSA signature scheme, and orchestrated the full-disclosure with code of the CurveBall vulnerability.

5:30 PM

Track 4

Deanonymization of TOR HTTP hidden services

Anonymity networks such as Tor are used to protect the identity of people or services. Several deanonymization techniques have been described over time. Some of them attacked the protocol, others exploited various configuration issues. Through this presentation I will focus on deanonymization techniques of the http services of such networks by exploiting configuration issues.

In the first part of the presentation, I will present deanonymization techniques on TOR which are public, and I will also present the techniques developed by me and the interesting story of how I came to develop them.

In the last part of my presentation, I will do a demo with the exploitation of http hidden services in TOR and I will present each technique separately. I will also present how one of the techniques can be used successfully not only in the TOR network, but also on the internet in order to obtain information about the server that will help you discover other services.

Ionut Cernica started his security career with the bug bounty program from Facebook. His passion for security led him to get involved in dozens of such programs and he found problems in very large companies such as Google, Microsoft, Yahoo, AT&T, eBay, VMware. He has also been testing web application security for 9 years and has had many projects on the penetration testing side.

Another stage of his career was to get involved in security contests and participated in more than 100 such contests. He also reached important finals such as Codegate, Trend Micro and Defcon with the PwnThyBytes team. He also won several individual competitions, including the mini CTF from the first edition of Appsec village — Defcon village.

Now he is doing research in the field of web application security, being also a PhD student at University Polytechnic of Bucharest. Through his research he wants to innovate in the field and to bring a new layer of security to web applications.


6:00 PM

Track 1

Killer Hertz

Governments and the private sector around the world spend billions of dollars on Electronic Counter Measures (ECMs) which include jamming technologies. These jammers are used by police departments to disrupt criminal communication operations as well as in prisons to disrupt prisoners using smuggled in cell phones. The military use jammers to disrupt radar communications, prevent remote IEDs from triggering and radio communications. The private sector use jammers to disrupt espionage in the board room and to protect VIPS from RC-IEDs.

What if there was a way of communicating that was immune to jammers without knowing the point of origin. A way of communicating at short to medium distances, an Electronic Counter Countermeasure ECCM to the jammer.

Using a custom-built Tx/Rx, I will use the earth’s crust to generate a H-field Near Field Communication (NFC) channel spanning 1–11km away in the sub 9 kHz range to communicate encrypted messages in a jammed environment.


Chris Rock is a Cyber Mercenary who has worked in the Middle East, US and Asia for the last 30 years working for both government and private organizations. ˇHe is the Chief Information Security Officer and co-founder of SIEMonster.

Chris is an Information Security researcher who specializes on vulnerabilities in global systems. He presented at the largest hacking conference in the world, I Will Kill You? at DEFCON 23 in Las Vegas. Where he detailed how hackers could create fake people and kill them using vulnerabilities in the Birth and Death Registration systems around the world. Chris also presented How to Overthrow a Government? at DEFCON 24, working with the coup mercenary Simon Mann.

Chris is also the author of the Baby Harvest, a book based on criminals and terrorists using virtual babies and fake deaths for financing. He has also been invited to speak at TED global.

Twitter @chrisrockhacker

SATURDAY, August 13th, 2022

10:00 AM

Track 1

Brazil Redux: Short Circuiting Tech-Enabled Dystopia with The Right to Repair

Terry Gilliam’s 1985 cult film Brazil posits a polluted, hyper-consumerist and totalitarian dystopia in which a renegade heating engineer, Archibald Tuttle, takes great risks to conduct repairs outside of the stifling and inefficient bureaucracy of “Central Services.” When Tuttle’s rogue repairs are detected, Central Services workers demolish and seize repaired systems under the pretext of “fixing” them. It’s dark. It’s also not so far off from our present reality in which device makers use always-on Internet connections, DRM and expansive copyright and IP claims to sustain “Central Services”-like monopolies on the service and repair of appliances, agricultural and medical equipment, personal electronics and more. The net effect of this is a less- not more secure ecosystem of connected things that burdens consumers, businesses and the planet. Our panel of repair and cybersecurity experts will delve into how OEMs’ anti-repair arguments trumpet cybersecurity risks, while strangling independent repair and dissembling about the abysmal state of embedded device security. We’ll also examine how the emergent “right to repair” movement aims to dismantle this emerging “Brazil” style dystopia and lay the foundation for a “circular” economy that reduces waste while also ensuring better security and privacy protections for technology users.

Paul Roberts (Moderator)
Paul Roberts is the publisher and Editor in Chief of The Security Ledger (securityledger.com), and the founder of SecuRepairs.org, an organization of more than 200 information security professionals who support a right to repair.

Twitter: @paulfroberts | @securepairs | @securityledger
Web: https://www.securepairs.org | https://www.securityledger.com | https://fighttorepair.substack.com/

Kyle Wiens (Panelist)
Kyle Wiens is the cofounder and CEO of iFixit, an online repair community and parts retailer internationally renowned for its open source repair manuals and product teardowns.

Twitter: @kwiens | @ifixit

Corynne McSherry (Panelist)
Corynne McSherry is the Legal Director at EFF, specializing in intellectual property, open access, and free speech issues.

Twitter: @cmcsherr

Joe Grand (Panelist)
Joe Grand is a product designer, hardware hacker, and the founder of Grand Idea Studio, Inc. He specializes in creating, exploring, manipulating, and teaching about electronic devices.

Twitter: @joegrand
YouTube: https://www.youtube.com/c/JoeGrand

Louis Rossmann (Panelist)
Louis Rossmann is the owner of Rossmann Repair Group, a computer repair shop established in 2007 that specializes in repair of MacBooks, iPhones and other electronic devices. Louis’s YouTube channel, with more than 1.7 million subscribers, documents repairs as and dispenses advice and opinions on the right to repair.

YouTube: https://www.youtube.com/user/rossmanngroup
Twitter: @rossmannsupply

Track 4

Literal Self-Pwning: Why Patients — and Their Advocates — Should Be Encouraged to Hack, Improve, and Mod Med Tech

What do Apple, John Deere and Wahl Shavers have in common with med-tech companies? They all insist that if you were able to mod their stuff, you would kill yourself and/or someone else… and they’ve all demonstrated, time and again, that they are unfit to have the final say over how the tools you depend on should work.

As right to repair and other interoperability movements gain prominence, med-tech wants us to think that it’s too life-or-death for modding. We think that med-tech is too life-or-death NOT to to be open, accountable and configurable by the people who depend on it. Hear two hacker doctors and a tech activist talk about who’s on the right side of history and how the people on the wrong side of history are trying to turn you into a walking inkjet printer, locked into an app store.

Cory Doctorow (craphound.com) is a science fiction author, activist and journalist. He is the author of many books, most recently RADICALIZED and WALKAWAY, science fiction for adults, IN REAL LIFE, a graphic novel; INFORMATION DOESN’T WANT TO BE FREE, a book about earning a living in the Internet age, and HOMELAND, a YA sequel to LITTLE BROTHER. His next book is ATTACK SURFACE.

Christian (quaddi) Dameff MD is an Assistant Professor of Emergency Medicine, Biomedical Informatics, and Computer Science (Affiliate) at the University of California San Diego. He is also a hacker, former open capture the flag champion, and prior DEF CON/RSA/Blackhat/HIMSS speaker. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works. Published security research topics including hacking critical healthcare infrastructure, medical devices and the effects of malware on patient care. This is his eighteenth DEF CON.

Jeff (r3plicant) Tully is a security researcher with an interest in understanding the ever-growing intersections between healthcare and technology. His day job focuses primarily on the delivery of oxygen to tissues.

11:00 AM

Track 2

My First Hack Was in 1958 (Then A Career in Rock’n’Roll Taught Me About Security)

My first hack was in 1958, and it was all my mother’s fault. Or perhaps I should also blame my father. They were both engineers and I got their DNA. As a kid I hacked phones… cuz, well, phones were expensive! (Cardboard was an important hacking tool.) At age 6 I made a decent living cuz I could fix tube TVs. True!

In roughly 1970 (thanks to NYU) we moved on to hacking Hollerith (punch) cards to avoid paying for telephone and our utilities, and of course, shenanigans.

As a recording studio designer and builder, we dumpster dived for technology from AT&T. We never threw anything out and learned how to repurpose and abuse tech from the 1940s.

As a rock’n’roll engineer, I learned to live with constant systems epic failures. Anything that could break would break: before a live TV event or a massive concert. Talk about lessons in Disaster Recovery and Incident Response.

This talk, chock full of pictures and stories from the past, covers my hacking path as a kid then as a necessary part of survival in the entertainment industry. 1958–1981.

Come on down for the ride and see how 64 years of lessons learned can give you an entirely different view of Hacking and how and why I have embraced failure for both of my careers!

“After talking to Winn for an hour and a half, you’re like, what the f*** just happened? — Bob Todrank

Winn has lived Cybersecurity since 1983, and now says, “I think, maybe, I’m starting to understand it.”
Since 1988, his predictions about security have been scarily spot on. He coined “Electronic Pearl Harbor” while testifying before Congress in 1991 and prognosticated a future with massive surveillance, loss of personal privacy, nation-state hacking, cyberwar and cyber-terrorism. He was named the “Civilian Architect of Information Warfare,” by Admiral Tyrrell of the British MoD.

His latest book, “Analogue Network Security” is a math and time-based, probabilistic approach to security with designs “fix security and the internet. It will twist your mind.

Fellow, Royal Society of the Arts
Distinguished Fellow: Ponemon Institute
Int’l Security Hall of Fame: ISSA
Top 20 industry pioneers: SC Magazine
Top 25 Most Influential: Security Magazine
Top 5 Security Thinkers: SC Magazine
Power Thinker (and one of 50 most powerful people) Network World
Top Rated (4.85/5) RSA Speaker
Top Rated ISC2: 4.56
.001% Top Influencer RSAC 2019

Author: Information Warfare, CyberShock, Internet & Computer Ethics for Kids, Time Based Security, Pearl Harbor Dot Com (Die Hard IV)
Founder: www.TheSecurityAwarenessCompany.Com
Producer: Hackers Are People Too


Track 3

No-Code Malware: Windows 11 At Your Service

Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, Users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines or Office cloud, executed successfully and reports back to the cloud. You can probably already see where this is going..

In this presentation, we will show how Power Automate can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data. All while using nothing but Windows baked-in and signed executables, and Office cloud services.

We will then take you behind the scenes and explore how this service works, what attack surface it exposes on the machine and in the cloud, and how it is enabled by-default and can be used without explicit user consent. We will also point out a few promising future research directions for the community to pursue.

Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.

Michael Bargury is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past, he headed security product efforts at Azure focused on IoT, APIs and IaC. Michael is passionate about all things related to cloud, SaaS and low-code security, and spends his time finding ways they could go wrong. He also leads the OWASP low-code security project and writes about it on DarkReading.

Track 4

How To Get MUMPS Thirty Years Later (or, Hacking The Government via FOIA’d Code)

In the 60s, engineers working in a lab at Massachusettes General Hospital in Boston invented a programming environment for use in medical contexts. This is before C, before the Unix epoch, before the concept of an electronic medical records system even existed. But if you have medical records in the US, or if you’ve banked in the US, its likely that this language has touched your data. Since the 1960s, this language has been used in everything from EMRs to core banking to general database needs, and even is contained in apt to this day.

This is the Massachusettes General Hospital Utility Multi-Programming System. This is MUMPS.

This talk covers new research into common open-source MUMPS implementations, starting with an application that relies on MUMPS: the Department of Veterans Affairs’ VistA EMR. We’ll cover a short history of VistA before diving into its guts and examining MUMPS, the language that VistA was written in. Then we’ll talk about 30 memory bugs discovered while fuzzing open source MUMPS implementations before returning to VistA to cover critical vulnerabilities found in credential handling and login mechanisms. We’ll close by taking a step back and asking questions about how we even got here in the first place, the right moves we made, and what we can do better.

Zachary Minneker is a senior security engineer and security researcher at Security Innovation. His first computer was a PowerPC Macintosh, an ISA which he continues to defend to this day. At Security Innovation, he has performed security assessments on a variety of systems, including robots for kids, audio transcription codecs, and electronic medical systems. He has previous experience administrating electronic medical systems, and deep experience in fuzzing, reverse engineering, and protocol analysis. His research has focused on techniques for in-memory fuzzing, IPC methods, and vulnerability discovery in electronic medical record systems and health care protocols. In his free time he works on music and synthesizers.

11:30 AM

Track 1

Reversing the Original Xbox Live Protocols

Xbox Live for original Xbox systems launched on November 15, 2002 and was subsequently discontinued on April 15, 2010. The first half of this talk will be an infromation dense overview of the gritty details of how the underlying protocols work and intermixing a retrospective of two decades of how the industry has approached IOT and network security. The second half of the talk will use that base to discuss the architecture of drop in replacement server infrastructure, how the speaker approaches the ethics of third party support for non-updatable abandoned networked devices, and culminating in a demo.


monocasa has over a decade of industry experience as an engineer in related sub-fields such as firmware development, binary reversing, cloud based device and identity management, and custom tunneling of IP.

12:00 NOON

Track 2

Tracking Military Ghost Helicopters over Washington, D.C.

There’s a running joke around Washington D.C. that the “State Bird” is the helicopter. Yet 96% of helicopter noise complaints from 2018–2021 went unattributed: D.C. Residents can not tell a news helicopter from a black hawk. Flight tracking sites remove flights as a paid service to aircraft owners and government agencies; even in the best case these sites do not receive tracking information from most military helicopters due to a Code of Federal Regulations exemption for “sensitive government mission for national defense, homeland security, intelligence or law enforcement.” This makes an enormous amount of helicopter flights untraceable even for the FAA and leaves residents in the dark.

What if we could help residents identify helicopters? What if we could crowd source helicopter tracking? What if we could collect images to identify helicopters using computer vision? What if we could make aircraft radio as accessible as reading a map? What if we could make spotting helicopters a game that appeals to the competitive spirit of Washingtonians? And what if we could do all of this… on Twitter?

Andrew Logan is an audio engineer, videographer and DJ based in Washington, D.C. He is an aerospace and radio nerd, and a fierce defender of the First Amendment.

Twitter: @HelicoptersofDC
Website: CopterSpotter.com

12:30 AM

Track 1

The hitchhacker’s guide to iPhone Lightning & JTAG hacking

Apple’s Lightning connector was introduced almost 10 years ago — and
under the hood it can be used for much more than just charging an
iPhone: Using a proprietary protocol it can also be configured to give
access to a serial-console and even expose the JTAG pins of the
application processor! So far these hidden debugging features have not
been very accessible, and could only be accessed using expensive and
difficult to acquire “Kanzi” and “Bonobo” cables. In this talk we
introduce the cheap and open-source “Tamarin Cable”, bringing
Lightning exploration to the masses!

In this talk we are diving deep into the weeds of Apple Lightning:
What’s “Tristar”, “Hydra” and “HiFive”? What’s SDQ and IDBUS? And how
does it all fit together?

We show how you can analyze Lightning communications, what different
types of cables (such as DCSD, Kanzi & co) communicate with the
iPhone, and how everything works on the hardware level.

We then show how we developed the “Tamarin Cable”: An open-source,
super cheap (~$5 and a sacrificed cable) Lightning explorer that
supports sending custom IDBUS & SDQ commands, can access the iPhone’s
serial-console, and even provides a full JTAG/SWD probe able to debug

We also show how we fuzzed Lightning to uncover new commands, and
reverse engineer some Lightning details hidden in iOS itself.


stacksmashing is a security researcher with a focus on embedded
devices: From hacking payment terminals, crypto-wallets, secure
processors or Apple AirTags, he loves to explore embedded & IoT
security. On his YouTube channel he attempts to make
reverse-engineering & hardware hacking more accessible. He is known
for trying to hack everything for under $5, which is probably related
to him living in the stingiest part of Germany.


Track 4

Analyzing PIPEDREAM: Challenges in testing an ICS attack toolkit.

Identified early in 2022, PIPEDREAM is the seventh-known ICS-specific
malware and the fifth malware specifically developed to disrupt
industrial processes. PIPEDREAM demonstrates significant adversary
research and development focused on the disruption, degradation, and
potentially, the destruction of industrial environments and physical
processes. PIPEDREAM can impact a wide variety of PLCs including Omron
and Schneider Electric controllers. PIPEDREAM can also execute attacks
that take advantage of ubiquitous industrial protocols, including
CODESYS, Modbus, FINS, and OPC-UA.

This presentation will summarize the malware, and detail the
difficulties encountered during the reverse engineering and analysis
of the malware to include acquiring equipment and setting up our
lab. This talk will also release the latest results from Drago’s lab
including an assessment of the breadth of impact of PIPEDREAM’s
CODESYS modules on equipment beyond Schneider Electric’s PLCs, testing
Omron servo manipulation, as well as OPC-UA server manipulation.
While a background in ICS is helpful to understand this talk, it is
not required. The audience will learn about what challenges they can
expect to encounter when testing ICS malware and how to overcome them.

Jimmy Wylie is a Principal Malware Analyst at Dragos, Inc. who spends
his days (and nights) searching for and analyzing threats to critical
infrastructure. He was the lead analyst on PIPEDREAM, the first ICS
attack “utility belt”, TRISIS, the first malware to target a safety
instrumented system, and analysis of historical artifacts of the
CRASHOVERRIDE attack, the first attack featuring malware specifically
tailored to disrupt breakers and switchgear in an electric
transmission substation.

Jimmy has worked for various DoD contractors, leveraging a variety of
skills against national level adversaries, including network analysis,
dead disk and memory forensics, and software development for detection
and analysis of malware. After leaving the DoD contracting world, he
joined Focal Point Academy, where he developed and taught malware
analysis courses to civilian and military professionals across the
country. In his off-time, Jimmy enjoys learning about operating
systems internals, playing pool, cheap beer, and good whiskey. He can be found on Twitter @mayahustle.

1:30 PM

Track 2

HACK THE HEMISPHERE! How we (legally) broadcasted hacker content to all of North America using an end-of-life geostationary satellite, and how you can set up your own broadcast too!

The Shadytel cabal had an unprecedented opportunity to legally uplink to and use a vacant transponder slot on a geostationary satellite about to be decommissioned. This talk will explain how we modified an unused commercial uplink facility to broadcast modern HD DVB-S2 signals and created the media processing chain to generate the ultimate information broadcast. You’ll learn how satellite transponders work, how HDTV is encoded and transmitted, and how you can create your own hacker event broadcast.


Karl Koscher is a technology and security generalist with an emphasis on wireless and embedded systems security. As part of his dissertation work at the University of Washington, he and his collaborators were the first to demonstrate a complete remote compromise of a car over cellular, Bluetooth and other channels. He is a co-organizer of the Crypto and Privacy Village and holds an Amateur Extra license.

Andrew Green is a multidisciplinary jack of all trades, who specializes in information technology and broadcasting. He brings together many years of unique experiences, with a talent for understanding complex systems on the fly. He currently holds an Advanced amateur radio license, VO1VO.

2:00 PM

Track 1

OpenCola. The AntiSocial Network

The internet, as it stands today, is not a very trustworthy environment, as evidenced by the numerous headlines of companies abusing personal data and activity. This is not really surprising since companies are responsible for optimizing revenue, which is often at odds with user benefit. The result of these incentives has produced or exacerbated significant problems: tech silos, misinformation, privacy abuse, concentration of wealth, the attention economy, etc. We built OpenCola, free and open source, as an alternative to existing big-tech applications. It puts users in control of their personal activity and the algorithms that shape the flow of data to them. We believe that this solution, although simple, can significantly mitigate the challenges facing the Internet.

John Midgley was born and raised in Toronto, Canada. He studied computer science at the University of Toronto where he earned a B.Sc. and a Masters in Computer Vision. His first job out of school was building the search algorithms for openCola, an early peer to peer collaboration tool that was arguably 20 years ahead of its time. Not being able to afford a time machine, he busied himself by working at a string of startups and then a couple larger companies (Microsoft and Netflix). From 2011 to 2021 he worked at Netflix on Facebook integration, search, video ranking, content promotion and ended up managing the personalization organization, responsible for the systems and algorithms that construct the Netflix experience. Now that it’s 20 years later, the world may finally be ready for a new and improved version of OpenCola.

2:30 PM

Track 2

Digging into Xiaomi’s TEE to get to Chinese money

The Far East and China account for two-thirds of global mobile payments in 2021. That is about $4 billion in mobile wallet transactions. Such a huge amount of money is sure to attract the attention of hackers. Have you ever wondered how safe it is to pay from a mobile device? Can a malicious app steal money from your digital wallet? To answer these questions, we researched the payment system built into Xiaomi smartphones based on MediaTek chips, which are very popular in China. As a result, we discovered vulnerabilities that allow forging payment packages or disabling the payment system directly from an unprivileged Android application.

Mobile payment signatures are carried out in the Trusted Execution Environment (TEE) that remains secure on compromised devices. The attacker needs to hack the TEE in order to hack the payment. There is a lot of good research about mobile TEEs in the public domain, but no one pays attention to trusted apps written by device vendors like Xiaomi and not by chip makers, while the core of mobile payments is implemented there. In our research, we reviewed Xiaomi’s TEE for security issues in order to find a way to scam WeChat Pay.

Slava Makkaveev is a Security Researcher at Check Point Research. Holds a PhD in Computer Science. Slava has found himself in the security field more than ten years ago and since that gained vast experience in reverse engineering and vulnerability research. Recently Slava has taken a particularly strong interest in mobile platforms and firmware security. Slava was a speaker at DEF CON, CanSecWest, REcon, HITB and others.

Track 4

Doing the Impossible: How I Found Mainframe Buffer Overflows

Mainframes run the world, literally. Have you ever paid for something,
a mainframe was involved, flown? Used a bank? Gone to college? A
mainframe was involved. Do you live in a country with a government?
Mainframes! The current (and really only) mainframe OS is z/OS from
IBM. If you’ve ever talked to a mainframer you’ll get told how they’re
more secure because buffer overflows are (were) impossible. This talk
will prove them all wrong!

Finding exploits on z/OS is no different than any other platform. This
talk will walk through how you too can become a mainframe exploit

Remote code execution is extra tricky on a mainframe as almost all
sockets read data with the ASCII character set and convert that to
EBCDIC for the application. With this talk you will find out how to
find and then remotely overflow a vulnerable mainframe C program and
create a ASCII -> EBCDIC shellcode to escalate your privileges
remotely, without auth. Previous mainframe talks focused on
infrastructure based attacks. This talk builds on those but adds a
class of vulnerabilities, opening up the mainframe hacking community.


Hi, I’m Jake, a security consultant from Basingstoke, UK. Over the
pandemic, I got my hands on a licensed emulator for z/OS , and
considering that we have been in and out of lockdown for the past two
years, I started playing around with it for a fairly good portion of
time. As someone who adores the 80s cyber aesthetic, I love mucking
around with it, but also there is nothing legacy about mainframes,
docker, node js, python all your modern applications/programs are on
there. Over the past year, I have found and reported a number of z/OS
LPEs and RCEs vulns to IBM.

twitter: @Jabellz2

3:00 PM

Track 1

Déjà Vu: Uncovering Stolen Algorithms in Commercial Products

In an ideal world, members of a community work together towards a common goal or greater good. Unfortunately, we do not (yet) live in such a world.

In this talk, we discuss what appears to be a systemic issue impacting our cyber-security community: the theft and unauthorized use of algorithms by corporate entities. Entities who themselves may be part of the community.

First, we’ll present a variety of search techniques that can automatically point to unauthorized code in commercial products. Then we’ll show how reverse-engineering and binary comparison techniques can confirm such findings.

Next, we will apply these approaches in a real-world case study. Specifically, we’ll focus on a popular tool from a non-profit organization that was reverse-engineered by multiple entities such that its core algorithm could be recovered and used (unauthorized), in multiple commercial products.

The talk will end with actionable takeaways and recommendations, as who knows, this may happen to you too! For one, we’ll present strategic approaches (and the challenges) of confronting culpable commercial entities (and their legal teams). Moreover, we’ll provide recommendations for corporations to ensure this doesn’t happen in the first place, thus ensuring that our community can remain cohesively focused on its mutual goals.


Patrick Wardle:
Patrick Wardle is the creator of the non-profit Objective-See Foundation, author of the “The Art of Mac Malware” book series, and founder of the “Objective by the Sea” macOS Security conference.

Having worked at NASA and the NSA, as well as presenting at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy.

Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware, and writing free open-source security tools to protect Mac users.

Tom McGuire:
Tom has been working in the security industry since the late 90s. He is the CTO of a cybersecurity firm and an Instructor at Johns Hopkins University where he teaches Reverse Engineering, OS Security, Cryptology and Cyber Risk Management. He loves his family, all things security, biotech and the Red Sox!

Track 2

The Big Rick: How I Rickrolled My High School District and Got Away With It

What happens when you have networked projectors, misconfigured devices, and a bored high school student looking for the perfect senior prank? You get a massive rickroll spanning six high schools and over 11,000 students at one of the largest school districts in suburban Chicago.

This talk will go over the coordination required to execute a hack of this scale and the logistics of commanding a botnet of IoT systems. It will also describe the operational security measures taken so that *you* can evade detection, avoid punishment, and successfully walk at graduation.


Minh Duong is an undergraduate studying Computer Science at the University of Illinois at Urbana-Champaign. Over the summer, he worked as an application security intern for Trail of Bits, focusing on compositor security and the Wayland protocol. In his free time, he plays CTFs with SIGPwny, UIUC’s cybersecurity club. This will be his first time at DEF CON.


3:30 PM

Track 1

Automotive Ethernet Fuzzing: From purchasing ECU to SOME/IP fuzzing

Car hacking is a tricky subject to hackers because it requires lots of money and hardware knowledge to research with a real car. An alternative way would be to research with an ECU but it also difficult to know how to setup the equipment. Moreover, in order to communicate with Automotive Ethernet services running on the ECU, you need additional devices such as media converters and Ethernet adapters supporting Virtual LAN(VLAN).
Even if you succeed in building the hardware environment, you can’t communicate with the ECU over SOME/IP protocol of Automotive Ethernet if you don’t know the network configuration, such as VLAN ID, service IDs and IP/port mapped to each service.

This talk describes how to do fuzzing on the SOME/IP services step by step.
First, we demonstrate how to buy an ECU, how to power and wire it.
Second, we explain network configurations to communicate between ECU and PC.
Third, we describe how to find out the information required to perform SOME/IP fuzzing and how to implement SOME/IP Fuzzer.
We have conducted the fuzzing with the BMW ECUs purchased by official BMW sales channels, not used products.

We hope this talk will make more people to try car hacking and will not go through the trials and errors that we have experienced.


Jonghyuk Song is lead for Autocrypt’s Red Team. His current tasks are security testing for automotive including fuzzing, penetration testing, and vulnerability scanning.
He researches security issues in not only in-vehicle systems, but also V2G and V2X systems. Jonghyuk received his Ph.D. in Computer Science and Engineering at POSTECH, South Korea in 2015. He has worked in Samsung Research as an offensive security researcher, where his work included finding security issues in smartphones, smart home appliances and network routers.

Soohwan Oh is an automotive engineer and security tester at Autocrypt blue team.
He is mainly working on fuzzing test and issue analysis on the in-vehicle networks, such as CAN/CAN-FD, UDSonCAN and Automotive Ethernet.
Also, he has designed the requirements of automotive security test solutions.

Woongjo Choi is in charge of team leader of blue team and also vehicle security test engineer at Autocrypt. Also, he designed automotive security test solution and conducted the fuzzing test.Experienced in various fields : Vehicle security, Mobile phone, Application Processor, Ultrasound system, etc.

Track 2

Tor: Darknet Opsec By a Veteran Darknet Vendor & the Hackers Mentality

The hacking subculture’s closest relative is that of the Darknet. Both have knowledgeable people, many of whom are highly proficient with technology and wish to remain somewhat anonymous. They are both composed of a vast amount of introverts and abide by the same first rule: “Don’t get caught.” Both tend to love Sun Tzu quotes as well. What happens when the hacker mentality discussed in the Hackers Manifesto is applied to things such as OpSec on the Darknet?

Over the past decade, there have been many DEF CON talks that have discussed Tor and the Darknet. None have ever come from a Darknet vendor. The approach was more academic, as opposed to economical. Having a background in IT, Infosec, and hacking, the goal is to present a unique perspective from a hacker’s point of view, as we look at how the hacker mentality applied functions in various hostile environments such as a Darknet Vendor, staff member of multiple Darknet Markets, and co-found of Dread, who then later would be a federal prisoner. Shortly after, he talks about how he was able to get himself out of federal prison 3 years early.

All of which was possible through the reconnaissance of various systems and methodologies. From the anticipated linguistical analysis that the feds were making of posts on Darknet forums to how to write a motion to a federal judge from a prison cell in order to make him understand what it was like there, we will take a journey through a variety of interesting places and times from a tour guide with unparalleled experience and access.

By focusing less on the basics of Tor and more on how insiders operate within it, we will uncover what it takes to navigate this ever-evolving landscape with clever OpSec. In addition to seeing what happens if you get caught. All through the perspective of the hacker spirit that refuses to submit.


Former admin and co-founder on Dread Forum (Darknet), staff on multiple Darknet sites, Darknet vendor: 2happytimes2, lockpicker, hacker, hak5 enthusiast, haxme.org admin (Clearnet), Sam Bent spends his days writing technical manuals and doing graphics (using all Adobe Products) for the company he works for, while also doing federal prison consulting on the side. He is a certificated paralegal. Runs his blog where he does federal prison consulting, is currently about to publish a book on compassionate release for federal prisoners, and runs multiple youtube channels. He is a student in college,

He has been in the scene for almost 20 years. He has written multiple guides and published numerous whitepapers and how-to’s on hacking, including one article written in combination with r4tdance (of #suidrewt) published on packetstomsecurity called A Newbies Guide To The Underground Volume 2. Sam Bent’s former handles include killab, 2happytimes, 2happytimes2, and most recently, DoingFedTime.

Facebook: https://www.facebook.com/doing.fedtime
Twitter: https://twitter.com/DoingFedTime
Reddit (my subreddit): https://www.reddit.com/r/theFeds/
Sites: https://www.doingfedtime.com , https://2happytimes2.com , https://haxme.org/
All Hacking Cons: https://www.youtube.com/c/allhackingcons/ ,
Doing FedTime: https://www.youtube.com/channel/UCUP...MfpN4vxW3FYJLQ

4:30 PM

Track 2

Why did you lose the last PS5 restock to a bot?

The rise of the machines.

Whenever you buy online, especially if it’s a limited stock item, you compete against bots and most likely lose miserably.

Have you tried to buy a GPU/PS5 or even baby formula and couldn’t understand how stock ran out after 3 minutes?

Maybe, you tried to online schedule an appointment with government services but couldn’t find available spots for the next months?

Have you ever seen your favorite artist’s concert tickets — sold for 4–5X of his original price?

Bots operators are to blame.

Every bot user can simulate thousands of concurrent human-like web interactions.

They will buy everything you want before you even google it, take appointment spots with government services you will pay for later, win at every online auction you attend, and fake positive reviews that will make you buy scam products.

Even when you are asleep, there’s a good chance that a bot is trying to log into one of the 200+ digital accounts you own by guessing your ridiculously — predicted password.

Malicious automation is here to stay, serving tens of thousands of hackers and retail scalpers while driving billions of dollars worth of marketplaces.

During my talk, we will dive deep into the fascinating architecture, business modules, and techniques top-performing account crackers and retail bots developer uses to maximize their success rate and revenue.

If you’re:

  • In the hacking community: you’ll learn techniques top-performers probably won’t share so they won’t lose their relative advantage over you.
  • Part of the CyberSec community: this talk will trigger many research leads you probably never thought of.
  • Own E-shop — you’ll learn how bots sabotage your supply, stock, client experience, and marketing analytics.
  • Sneakerhead/Gamer — get to know how your GPU/PS5/Sneakers sellers really get their stock.

Arik’s Bio

For the last four years, Arik spent most of his time on darknet and deep web marketplaces, hunting threat intelligence and interacting with hackers under 64 identities.

As a Threat Intelligence Researcher in PerimeterX, Arik trades cracking tools and executes multiple honeypot operations that provide valuable intelligence about web-automated attacks and their actors. Arik’s research focuses primarily on retail bots, NTF bots, and account take-over vectors: brute-force and cookie infostealers.

Previously, Arik worked as the first Threat Researcher at BrightData (Formally Luminati networks). Between 2018 and 2020, Arik was responsible for investigating, limiting, and blocking 50K$/Month+ clients that misused the Brightdata residential proxy network for cyberattacks.
Analyzing the proxy server logs exposed him to complex fraud operations — from the attacker’s perspective.

As a proxy network gatekeeper, he investigated and enticed app-sec hackers to share their pain points, hacking mindsets, and techniques,
information He leverages in his current role at PerimeterX when researching relevant attack groups and increasing the accuracy of the company’s products.

Track 4

Defeating Moving Elements in High Security Keys

A recent trend in high security locks is to add a moving element to the key: this prevents casting, 3D printing and many other forms of unauthorised duplication. Pioneered by the Mul-T-Lock Interactive locks, we see the technique used in recent Mul-T-Lock iterations, the Abloy Protec 2 and most recently, the Medeco M4, which is only rolling out to customers now.

We have identified a major vulnerability in this technology, and have developed a number of techniques to unlock these locks using a key made from a solid piece of material, which defeats all of the benefits of an interactive key. I’ll demonstrate how it can be applied to Mul-T-Lock Interactive, Mul-T-Lock MT5+ and the Medeco M4, allowing keys to be duplicated by casting, 3D printing and more. I’ll also cover other techniques to defeat moving elements in a key, such as printing a compliant mechanism and printing a captive element directly. With this talk, we’re also releasing a web application for anyone to generate 3D printable files based on this exploit.

Finally, I’ll also discuss the responsible disclosure process, and working with the lock manufacturers to patch the vulnerability and mitigate the risk.


Bill Graydon is a principal researcher at GGR Security, where he hacks everything from locks and alarms to critical infrastructure; this has given him some very fine-tuned skills for breaking stuff. He’s passionate about advancing the security field through research, teaching numerous courses, giving talks, and running DEF CON’s Lock Bypass Village. He’s received various degrees in computer engineering, security, and forensics and comes from a broad background of work experience in cyber security, anti-money laundering, and infectious disease detection.




5:00 PM

Track 1

Hacking The Farm: Breaking Badly Into Agricultural Devices

Hacking the farm. In this session, I’ll demonstrate tractor-sized hardware hacking techniques, firmware extraction, duplication, emulation, and cloning. We’ll be diving into how the inner workings of agricultural cyber security; how such low-tech devices are now high-tech devices. The “connected farm” is now a reality; a slurry of EOL devices, trade secrets, data transfer, and overall shenanigans in an industry that accounts for roughly one-fifth of the US economic activity. We’ll be discussing hacking into tractors, combines, cotton harvesters, sugar cane and more.


Ordinary everyday hacker.

Sick Codes is an alleged Australian hacker, who resides somewhere in Asia: I love finding vulns, the thrill of the the 0day, emulation, free software, reverse engineering, standing up for other researchers & fast motorbikes. I hack anything with an electromagnetic pulse, including TV’s, cars, tractors, ice cream machines, and more. My heart lies with Free Software but I like to go where no researcher has gone before. My works include Docker-OSX, which regularly trends on GitHub with 22k+ stars, 300k+ downloads.


5:30 PM

Track 4

Black-Box Assessment of Smart Cards

You probably have at least two smart cards in your pockets right now. Your credit card, and the SIM card in your cell phone. You might also have a CAC, metro card, or the contactless key to your hotel room. Many of these cards are based on the same basic standards and share a common command format, called APDU.

This talk will discuss and demonstrate how even in the absence of information about a given card, there are a series of ways to enumerate the contents and capabilities of a card, find exposed information, fuzz for input handling flaws, and exploit poor authentication and access control.


Daniel Crowley is the head of research and a penetration tester for X-Force Red. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel is the primary author of both the Magical Code Injection Rainbow, a configurable vulnerability testbed, and FeatherDuster, an automated cryptanalysis tool. Daniel enjoys climbing large rocks and is TIME magazine’s 2006 person of the year. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie and brews his own beer. Daniel’s work has been included in books and college courses. Daniel also holds the noble title of Baron in the micronation of Sealand.

Twitter @dan_crowley

6:30 PM

Track 4

Digital Skeleton Keys — We’ve got a bone to pick with offline Access Control

Offline RFID systems rely on data stored within the key to control access and configuration. But what if a key lies? What if we can make the system trust those lies? Well then we can do some real spooky things…
This is the story of how a strange repeating data pattern turned into a skeleton key that can open an entire range of RFID access control products in seconds.

Miana is a lifelong tinkerer who likes breaking things almost as much as she likes building them.

Twitter: @NiamhAstra

Micsen: At 5 years old Micsen began his career of dismantling things. He had just gotten his first RC car and wanted to fix it since it didn’t drive straight. Luckily the skills have evolved significantly from that time as the car never drove again! When a company is affected by ransomware he will happily use his hacking skills to trade for booze.

Twitter: @micsen97
Keybase: micsen

SUNDAY August 14th, 2022

12:00 NOON

Track 2

Taking a Dump In The Cloud

Taking a Dump In The Cloud is a tale of countless sleepless nights spent reversing and understanding the integration between Microsoft Office resources and how desktop applications access them. The release of the TeamFiltration toolkit, a modern toolkit connecting all the data points to more effectively launch attacks against Microsoft Azure Tenants, understanding the benefits of non-interactive logins and how one can abuse the magic of Microsofts OAuth implementation with Single-Sign-On to automagically exfiltrate all the loot. Streamlining the process of account enumeration and validation. Thoughts on working effectively against Azure Smart Lockout. Exploring options of vertical movement given common AAD configurations, and more!


Melvin started as a C# Azure developer and integrations consultant after finishing his bachelor’s degree in computer engineering. During his time as a developer, he got hands-on experience with rapidly creating and deploying critical backend infrastructure for an international client base. It was during this period Melvin started to pursue his goal of transiting into offensive security. Melvin broke into the HackTheBox cybersecurity platform “Hall Of Fame” and subsequently successfully landed as a security consultant. While working as a penetration tester, Melvin has contributed to the infosec community by releasing open-source and offensively targeted C# based tools and techniques, such as BetterSafetyKatz, SharpProxyLogon, AzureC2Relay, and CobaltBus. Melvin is also the creator and maintainer of the SharpCollection project, a project which utilizes Azure DevOps PipeLines to automatically release pre-compiled binaries of the most common offensive C# projects, triggered by updates from their respective main branch


1:00 PM

Track 4

ElectroVolt: Pwning popular desktop apps while uncovering new attack surface on Electron

Electron based apps are becoming a norm these days as it allows encapsulating web applications into a desktop app which is rendered using chromium. However, if Electron apps load remote content of attackers choice either via feature or misconfiguration of Deep Link or Open redirect or XSS it would lead to Remote Code Execution on the OS.

Previously, it was known that lack of certain feature flags and inefficiency to apply best practices would cause this behavior but we have identified sophisticated novel attack vectors within the core electron framework which could be leveraged to gain remote code execution on Electron apps despite all feature flags being set correctly under certain circumstances.

This presentation covers the vulnerabilities found in twenty commonly used Electron applications and demonstrates Remote Code Execution within apps such as Discord, Teams(local file read), VSCode, Basecamp, Mattermost, Element, Notion, and others.

The speaker’s would like to thank Mohan Sri Rama Krishna Pedhapati, Application Security Auditor, Cure53 and William Bowling, Senior Software Developer, Biteable for their contributions to this presentation.


Aaditya Purani is a senior security engineer at a leading automotive company. Aaditya’s primary areas of expertise are web/mobile application penetration testing, product security reviews, blockchain security, and source code review.

He contributes to responsible disclosure programs and is included in the hall of fame for Apple, Google and AT&T. He also participates in capture the flag (CTF) from perfect blue which is a globally ranked top-1 CTF team since 2020.

As a researcher, his notable public findings include BTCPay Pre-Auth RCE, Brave Browser Address Bar Vulnerability, and Akamai Zero Trust RCE. As a writer, Aaditya has authored articles for InfoSec Institute, Buzzfeed, and Hakin9. In the past, Aaditya has interned for Bishop Fox and Palo Alto Networks.

Maxwell Garrett is a 17-year-old Application Security Auditor formerly at Cure53. He also enjoys his spare time playing CTF’s, doing security research, and playing basketball.
Max has found vulnerabilities in Google Chrome, DOMPurify, Outlook Web App and more.

2:00 PM

Track 4

Solana JIT: Lessons from fuzzing a smart-contract compiler

Solana is a blockchain with a $37 billion dollar market cap with the security of that chain relying on the security of the smart contracts on the chain — and we found very little research on the actual execution environment of those contracts. In contrast to Ethereum, where contracts are mostly written in Solidity and then compiled to the Ethereum Virtual Machine, Solana uses a different approach: Solana contracts can be written in C, Rust, and C++, and are compiled to eBPF. Underneath the hood, Solana uses rBPF: A Rust BPF implementation with a just-in-time compiler. Given the security history of eBPF in the Linux kernel, and the lack of previous public, low-level Solana research, we decided to dig deeper: We built Solana reverse-engineering tooling and fuzzing harnesses as we slowly dug our way into the JIT — eventually discovering multiple out-of-bounds vulnerabilities.

Thomas Roth is a security researcher from Germany. In the past he has published research on topics like TrustZone, fault injection, payment terminals, cryptocurrency-wallets and embedded security.

3:00 PM

Tracks 1 + 2

DEF CON Closing Ceremonies & Awards

The Dark Tangent
Till it ends. minutes



DCG 201

North East New Jersey DEFCON Group Chapter. Dirty Jersey Represent! We meet at Sub Culture once a month to hack on technology projects! www.defcon201.org