[DEF_CON_31]
talks_2023
Social A and Social B, Hotel Linq + Experience, Las Vegas, USA · 11th, 12th and 13th August 2023
> speakers_2023Microsoft Azure Active Directory (Azure AD) is used by 90 per cent of Fortune 500 organizations. During the past few years, we have witnessed several attacks against these organizations by nation-state adversaries. But how do adversaries find the weakest targets? The answer is OSINT! Azure AD and other Microsoft cloud services expose a lot of information via public DNS records and various open APIs. In this talk, I’ll share what OSINT is available and how to gather it using AADInternals and other open-source tools. The talk shows how to list all domains of the target organization registered to Azure AD, available authentication methods, how to enumerate users, what Microsoft services are used, and more!
Most bug bounty hunters are missing a huge attack surface when conducting their scans. Often large companies have GeoDNS enabled. If a hunter doesn’t actively bypass GeoDNS by toggling multiple different proxies, or VPNs in different regions, then the hunter only sees the services running on the server located closest to them geographically. The issue with this is that companies often have different services running on servers in different regions. All of which the hunter is missing during their recon phase. Ensemble, a free open-source tool being released during Defcon 31, will solve this issue. By creating a load balanced, regionally distributed cluster of nodes and a friendly web portal to control them, Ensemble allows attackers to run identical commands simultaneously across multiple geographic regions. The results of the scans are then aggregated and returned to the hunter in an easy-to-use web platform. These commands can then be scheduled to run regularly so that hunter can get back to focusing on the technical details and not need to focus on manually switching proxy locations, VPNs, and rerunning the same commands over and over again which is highly error prone.
The most fun of any con is swapping war stories. With this in mind, we're excited to bring you "Bugs, Bounties, & Breaches," a unique panel discussion (with visuals) where seasoned red teamers and prolific bug bounty hunters share their stories from the front lines of offensive security. Our panelists will dive deep into their first-hand experiences, revealing the thrill of the chase, the ingenuity of their exploits, and some inevitable close calls. From discovering logic-defying bugs and claiming high-profile bounties, to behind-the-scenes accounts of breaching some insane clients, these insider tales will give you a taste of the adrenaline, cunning, and perseverance that define these fields. Whether you're a seasoned veteran, a budding professional, or just curious about the field, this panel promises a unique and exciting exploration into the minds of those who've been on the front lines of offensive security. So, come join us for and unforgettable swap of war stories, and gain insights from the thrilling tales of those who've lived to tell them.
Public service websites, including government websites, can inadvertently leak small pieces of information about a target, sometimes just parts of email addresses, the mother's name, year of birth, or parts of phone numbers. While these leaks may seem insignificant individually, these crumbs of data when pieced together are valuable to the open source intelligence (OSINT) community, they can help narrow the scope of a search or increase the knowledge we have about a target. These partial data points can be combined with other available information to reveal the full details of a target. In this talk, I will show some examples in Brazil, where with little or no information we managed to expand the knowledge about a target in addition to demonstrating a tool in beta to help with this task. Outline (Not go public with this please) Introduction about the problem(10 min): What do you know about the target? What you can get to know about the target with the information that you already have? Scattered crumbs of information around websites and public services. My approach to the problem given the Brazilian context (15min): Catalog and graph basic information. Plot a graph and find patterns. Figure out the minimum amount of information that you need to know to get more info about your target. Demo tool (5min) Roadmap for the tool (3min) Conclusion (2 min)
Easy EASM is just that... the easiest to set-up tool to give your organization visibility into its external facing assets. The industry is dominated by "Attack Surface Management," but OG bug bounty hunters and red teamers know the truth. External ASM was born out of the bug bounty scene. With ten lines of setup or less, using open source tools, and one button deployment, Easy EASM will give your organization a complete view of your online assets. Easy EASM scans you daily and alerts you via Slack or Discord on newly found assets! Easy EASM also spits out an Excel skeleton for a Risk Register or Asset Database! This isn't rocket science.. but it's USEFUL. Grab Easy EASM and feel confident you know what's facing attackers on the internet. Easy EASM uses a collection of tools tied together to perform recon on a target or set of targets. Utilizing Amass, Subfinder, Chaos, Notify, r7 Sonar, eyewitness, and Cloud Certs. It will run daily and track all assets discovered for your targets. With a Discord or Slack key, you'll get this output to chat every morning if any new assets have appeared. You can choose the "fast" or "comprehensive" deployment, which adds additional methods to the discovery (brute force, permutation discovery, screenshots, and tech profiling). BUT... literally, all the user does is one-click deploy and add a Slack or Discord token. Then they start receiving bacon... I mean recon... I mean EASM data.
In today's world, where temporary mail services are widely used, our project aims to monitor these services according to the provided configuration and to discover valuable gems. For this research, we developed a command and control Python tool. This tool is hosted on our private Amazon server. So, what does this tool do? It constantly scans the most popular temporary mail services (yopmail, tempr.email, dispostable, guerrila, maildrop) and indexes the emails delivered to them based on specified keywords. The tool then notifies us via Telegram using the integrated Telegram API. This tool has been running on our server for about a year and has stored, and continues to store, more than 1 million emails. In our research, we analyzed these emails, the types of emails sent through these services, and their potential uses for hackers. We were able to take over accounts containing money from these mail services during our research. Our ongoing investigation has uncovered confidential personal information, account reset emails, hundreds of game accounts, and bitcoin wallet information. Some of these findings will be presented in a censored manner during our presentation. Moreover, we will release the tool on GitHub after the presentation. This tool includes a configuration file that allows it to continuously crawl and monitor emails from specified URLs, and optionally save them. It filters the emails to record based on the keywords in the config file, making this tool highly effective. For instance, I installed this tool and entered keywords such as eBay, password reset, bitcoin, and OTP. This tool saves or notifies you when emails containing these words are delivered to the relevant email services. Additionally, this tool features Telegram API integration, allowing you to receive real-time notifications via Telegram when relevant emails are received. All these aspects are included in our research. During our project presentation, we will demonstrate a live proof of concept and showcase valuable findings we can obtain during the presentation. In the bonus section, we will highlight red team activities we observed while examining these mail services. This part may be quite interesting 🙂
Detecting adversaries ahead of time is the holy grail to any defender. In this presentation we propose the usage of internet scanning services as a hunting ground of adversaries. Services like Shodan and BinaryEdge provide a great source of adversarial indicators, allowing defenders to get ahead of the risk. While this is not possible all the time many defenders try to get ahead by collecting information from several sources, some open some through private feeds. In this presentation we will demonstrate how these services can be used to find unknown adversarial infrastructure. We will illustrate how this can be done hunting for ip addresses serving payloads that match the MZ header. This allows the identification of attack framework hosting sites serving executable payloads directly, Metasploit is a good example of such frameworks. The technique does not end with the MZ header, other patterns can be searched which contribute to a better mapping of the Internet threat landscape. The presentation will continue to explain how this data can be processed in order to be transformed into something useful for defenders and threat researchers. During our research we also found different results, from funny stuff without any harm to powershell scripts or even source to be compiled locally. This method has been used to triage logs on incident response cases where we wanted to see if CobalStrike had been used. By supplying a list of recent CS servers delivering payloads we were able to identify the initial attack vector and corresponding patient zero of that incident. The presentation will finish with the presentation of other use cases, for this kind of data analysis.
In the current cybersecurity scene, there is many different ways to perform recon. You can log into your server and run commands or write scripts until the sun goes down. Or you could use one of the existing recon frameworks either locally or on your server of choice. But at some point whether you are an industry professional, independent researcher/consultant, or a bug bounty hunter performing reconnaissance, you will need to manage infrastructure to scale. Currently, this normally means managing handfuls of tools and servers spread out across the internet. Scaling this kind of infrastructure can be confusing, costly, and more importantly TIME CONSUMING. But this can all end now. Using a group of AWS serverless options, we can create a recon framework that brings a heap of benefits. This recon framework can up split up into microservices, making updates and changes a breeze. It can also be scaled up and down at will. Since your resources will scale with your workload, this also will reduce the cost of running recon, so that you only have to pay for the resources you are actually using. In my talk, I will go over my architecture for the framework that I have built thus far. To begin, I will go over AWS step functions, and how I used them to easily set up exactly the workflow that I wanted. I will go over how to set them up, how to embed step functions inside step functions, as well as how I automatically fire off my workflows using an AWS EventBridge rule that triggers every time a new “job” is put in an AWS SQS queue! Inside the step functions I have a variety of AWS tools I use to actually make the workflows. I use AWS lambda functions in parallel to handle computational workloads, DynamoDB to store and handle data, S3 to handle program onboarding and upkeep, and other services as well. My framework that I present is used for recon from a bug bounty perspective, but can really be applied to any aspect of offensive security. The framework will passively and actively collect subdomains of a root domain, clean the domains to only those that resolve AND are not wildcard domains, use the existing domains to discover outliers and permutations that resolve to even more domains, port scan the domains for interesting ports, and perform fingerprinting as well as content discovery on the domains found to host web servers. As time goes on, thorough recon is becoming more and more important. And especially against larger targets, having automation in place to gather as much information as possible in real time gives hackers a leg up! I currently don’t use this framework for actual exploitation, but I will touch on how easy it would be to expand something like this into the actual exploitation phase. I think the serverless and cloud-managed route is the future of automation for offensive security experts everywhere. At the end of the day, the most ideal solution is something that both works extremely well, and can be spun up or changed easily/quickly. And that is exactly what this type of setup provides. I am SO excited about all the work I have done to make this a working reality, and I really hope that you will let me share it with the amazing recon village community at DEFCON! If you have any further questions please feel free to reach out!
Quotes: "Research & Destroy (RaD) is a private security research group with big dreams. We are driven to impact the hacker community in big ways, by publicly releasing valuable research and forming relationships within the community. We strive to inspire those around us and encourage others to join our efforts in advancing our community's understanding and capabilities. DEF CON, being the epicenter of the culture that spawned us, we are highly motivated to give back to the community." --unixnerd "Our goal is to normalize Breach Data Research in the hacker community. So much of this research happens under our noses without mention beyond the existing taboos associated with the origin of this data. Through our research, we’ve determined a method by which any US based company and/or independent researcher can work with their legal team or a lawyer to create a policy for curating publicly breached data to be utilized in Red Team operations and Penetration tests. We want to change the narrative as to how we utilize breach data in our daily lives within the industry. The more we talk about it, the more normalized it becomes. We cannot keep ignoring the elephant in the room. DEF CON is the cornerstone of the hacker culture; the masthead of a community where hackers gather to be with each other and learn from one another. We’re grateful to be part of such a vast community of brilliant minds and the opportunity to share our research." --M4x 5yn74x Breach Data Research (BDR) Legal Policy Guidance: Our aim is to dispel misinformation and normalize BDR for security professionals. While researching this topic we were preparing to seek legal council at work. Along the way we discovered guidance outlined by the federal government that spells out how to keep BDR legal. Armed with this guidance, we drafted a charter document along other artifacts to bring to our legal council. After our legal discussion we met with our CISO to ensure that we conform with company policy. We are currently in the final stages of approval with this initative. DorXNG: DorXNG (pronounced "Dorks NG") is a next generation solution for harvesting OSINT data using advanced search engine operators through multiple upstream search providers. On the backend it leverages a custom, containerized, privacy focused meta-search engine called "SearXNG". The DorXNG client application is written in Python3. It interacts with SearXNG's API to issue search queries concurrently and stores resulting search results in a SQL database. Deliverables: Template BDR charter documentation, DorXNG tool release
We try to deter stalkers by lowering our digital footprint, hiding our online presence; sometimes sacrificing our enjoyment of participating in online communities in an effort to feel safer while we still have to look over our shoulders and turn around each corner with caution. What happens if we amplify our presence, our digital footprint, with one caveat...it's all garbled non-sense. Let's waste our pursuer(s)' time by feeding into our own disinformation campaigns.
This year Artificial Intelligence and Machine Learning (AI/ML) have quickly transitioned from buzzwords to useful capabilities. ChatGPT has received a lot of attention, but new AI/ML tools are being released every day and they’re changing the way we process and interpret vast amounts of publicly available information. In this talk we will delve into specific use-cases to look at how these tools can help you solve real world problems to increase your effectiveness and efficiency.
Data leaks have become an omnipresent concern in our digital landscape, demanding an understanding of their anatomy and the evolving trends that shape this realm. Join us at the Recon Village as we embark on a journey through the past year's data leaks, exploring their causes, consequences, and impact on organizations and the criminal underworld. We will dissect the anatomy of data leaks, examining vectors such as misconfigured cloud resources, insider threats, third-party vulns, and cybercrime group in-fighting. Through real-world case studies of the last year, including the Luxottica leak, the Toyota incident, the RAID forums leak, we will identify the common patterns and vulnerabilities that pave the way for breaches. Understanding the fallout from these breaches is crucial. We will analyze the consequences beyond financial and reputational damage, including the impact on customers and the broader ecosystem. No discussion of data leaks would be complete without exploring the criminal underworld. We will talk about where stolen data is sold and exchanged, drawing insights from recent posts on various cybercrime forums. Lastly, we will provide a panoramic view of the trends observed in the past year's data leaks. The increasing volume of cloud-based attacks, the persistence of legacy vulnerabilities, and the evolving tactics employed by cybercriminals will be explored. By understanding these trends, organizations can proactively adapt their security measures to counter emerging threats. Join us in this captivating talk as we navigate through Leakonomics 101: The Last Year in Data Leaks.
In the session titled "Mastering OSINT: Advanced Techniques in the Realm of Big Data," I will provide a deep dive into the intricacies of Open Source Intelligence (OSINT) and Big Data. Leveraging my extensive experience in the field, this presentation will elucidate the techniques, tools, and challenges in deploying OSINT methodologies in the context of Big Data. As an expert with years of practical experience in OSINT and Big Data analysis, I have a rich understanding of the possibilities and complexities that both these fields present. I will share this knowledge and experiences to help others more effectively navigate this exciting yet challenging landscape. The discussion will commence with an introduction to OSINT, including its origins, utility, and implications within the contemporary digital arena. This will lead us to the vast and complex realm of Big Data, where we'll understand its significance, challenges, and the role it plays in improving the efficacy of OSINT. A detailed overview of Google BigQuery will be provided, exploring how this powerful tool can be used for managing and analyzing big data. I will delve into its features, advantages, use-cases, and practical examples demonstrating how it can help in OSINT. I will also discuss other key resources such as CommonCrawl, which provides web crawl data, and Rapid7 Open-Data, a goldmine for security research. I will elucidate how these datasets can be harnessed for comprehensive analysis and deriving actionable intelligence. The section on Passive Search will cover various methods and best practices, with a special focus on how to leverage this technique in the context of Big Data. Finally, I will talk about Internet Search Engines' pivotal role in OSINT and how to extract maximum value from them. What sets this presentation apart is not only the comprehensiveness of the coverage but also the practical, hands-on approach, featuring real-world examples and demonstrative scenarios. It promises to be an enlightening session for anyone interested in advanced OSINT techniques and the potential of Big Data.
As distributed radio systems have matured, they have opened up OSINT possibilities far beyond simply listening to voice transmissions. This session will provide a brief overview of how modern radio systems work, what additional data is up for grabs, and walk through exactly what's needed to add this untapped resource to your own area - including how to use a $30 software defined radio to get better functionality than a $700 scanner. Multiple demos and stories from over three years of 24/7 coverage in the Atlanta metro area will illuminate how real-world applications of this data and these techniques can help uncover corruption and keep people safe when public safety officials overstep their bounds.
This talk will describe a novel technique that we developed to uncover the organizational structure and behavior of an ongoing coordinated inauthentic influence operation. The novelty of this technique comes from pairing image-search APIs and platform-search APIs with media metadata extraction and hashing. I will describe the technique, illustrate it with a case-study of a prominent pro-PRC influence operator, Dragonbridge, and delineate the advantages and disadvantages of this approach, relative to the more typical methods of discovering and analyzing these operations. The talk will be structured as follows: I. An introduction to Dragonbridge and their narrative-flooding approach to influence. a. Targets and Techniques b. Narrative Flooding c. Cartoons and animations II. Image Variants as Data a. Reverse Search: - Measuring the spread across sites and platforms - Using near-match hashing to identify variants b. Platform Search - Timing - Discriminating between connected accounts and organic spreaders - Expansion of connected image set: More grist for the mill c. Metadata as Data - Tumblr vs. Twitter: Exifs in the wild! - Homogeneity and Heterogeneity as an indicator of structure - The holy grail: Lat-Long III. Advantages of this method of detection, analysis, and attribution a. Cross-platform! b. Linguistically agnostic c. Increasingly effective against higher-investment campaigns d. Complementary to more traditional techniques IV. Take it to 11! a. Automation b. Video c. Computer vision d. Narrative
Embark on a whimsical journey into the realm of OSINT (Open Source Intelligence) through this captivating talk inspired by Dr. Seuss' "Oh the things you can think." Delve into the power of gathering information from open sources and explore the endless possibilities it presents. Discover the various sources available, from social media platforms to public records, news articles, and more. Unleash your inner digital detective as you learn to wield OSINT tools, uncover hidden secrets, and connect the dots. But don't forget about the ethical considerations and legal boundaries of OSINT. Privacy concerns, data protection, and responsible information handling will be emphasized, ensuring you become a conscientious OSINT practitioner. Join us on this enchanting journey into the world of OSINT, where you'll gain the skills to see beyond the surface, unveil hidden stories, and embrace the power of open source intelligence. Let your imagination soar as we dive into the wonders of OSINT together!
In an era where information is abundant and easily accessible, OSINT has become a powerful tool for organizations and individuals. However, this wealth of data comes with a cost - the erosion of privacy. Our digital footprints have grown larger and more vulnerable, exposing us to threats and unwanted attention. In this thought-provoking talk, attendees will be introduced to the evolving landscape of OSINT privacy, exploring how organizations and individuals can regain control of their digital presence and minimize the risks associated with an ever-growing online footprint. Participants will learn the current state of digital privacy, actionable strategies for organizations and individuals to protect their sensitive data from OSINT collection and analysis, and control their data to limit their digital footprint. By the end of the session, participants will be equipped with the knowledge and tools necessary to safeguard their privacy and limit their exposure in the vast world of OSINT. This presentation will empower organizations and individuals alike to take control of their digital destiny and foster a more secure and privacy-conscious online environment.
Riding with the Chollimas: Our 100-Day Quest to Identify a North Korean State-Sponsored Threat Actor
Step into the Labyrinth with us as we uncover the true identity of a state-sponsored threat actor from North Korea. This is a hacker and journalist's 100-days quest to unravel the mystery of what seemed like a homemade malware sample but turned out to be a dangerous artifact backed by a nation-state. Our talk takes a deep dive into the technical analysis of the malware and its supporting C2 infrastructure, using open-source (OSINT) and Cyber Threat Intelligence (CTI) to profile the threat actor and hunt its infrastructure. We then explore the social aspects of the matter by interviewing government agencies, security forces, and private intelligence companies to provide a comprehensive understanding of the North Korean affair. This talk is aimed at both beginners and seasoned intel practitioners/analysts and threat hunters.
Abstract: The rapid advancement and proliferation of Generative AI in social media and other digital platforms have sparked significant discussion about their potential impact on various sectors, including Open Source Intelligence (OSINT) research. OSINT, a critical resource in security, intelligence, and research fields, heavily relies on social media and other platforms to gather and analyze publicly available data. With the recent proliferation of Large Language Models (LLMs) and their interaction with these platforms, concerns have emerged about their potential to hinder the efficacy and integrity of OSINT. This talk will first provide a background on Generative AI and OSINT, explaining the capabilities of LLMs and the importance of OSINT in various fields. It will then delve into how LLMs are/can be used with social media and other platforms, and their potential influence on OSINT research. We will discuss several challenges posed by LLMs to OSINT. These include issues of data validity and reliability, as the difficulty in distinguishing between human generated and Generative AI generated content can lead to skewed or false data. The potential for information pollution and spread of misinformation is another significant concern, especially given the capacity of LLMs to generate large volumes of persuasive and contextually relevant content. Moreover, problems related to source attribution and provenance may arise, adding a layer of complexity to the analysis of open source data. Lastly, the potential of Generative AI for AI driven influence operations could distort the information landscape, posing further challenges to OSINT. Possible solutions and mitigation strategies will be proposed, which include enhancing data validation and verification techniques, improving AI literacy among OSINT researchers, advocating for more transparency around Generative AI usage in social media, and employing AI tools to detect and flag AI generated content. The future of LLMs and other forms of Generative AI and their potential impact on OSINT will be discussed, with a focus on emerging trends and technologies. Suggestions for further research and study on this issue will be provided, highlighting the urgent need for continued vigilance and proactive measures in the face of rapidly evolving LLM capabilities. In conclusion, the talk will underscore the importance of this issue for the OSINT community, emphasizing the need for ongoing research and adaptive strategies to navigate the challenges posed by the increasing use of Generative AI in social media and other platforms. The session will close with Q&A, offering an opportunity for further discussion by the Recon village audience. I. Introduction Introduction to me the speaker A. Brief explanation of Generative AI and open source intelligence (OSINT) Overview of the proliferation of Generative in social media and other platforms Statement of the problem: the potential perils of Generative AI for OSINT research II. Background Development and capabilities of Generative AI Pace of improvements between 2022 and 2023 Explanation of OSINT and its importance in security, intelligence, and research fields The role of social media and other platforms in OSINT III. The Intersection of Generative AI and OSINT Explanation of how Generative AI are used in social media and other platforms Proliferation of bots Fake images of individuals e.g. LinkedIn Discussion on the potential of AI to enhance or hinder OSINT Election interference: hexad categories of attack vectors. Can we use LLM to find fake accounts? Large number of fake images interfering with missing persons tracking e.g. TraceLabs style CTF Real-world example of Generative AI usage affecting OSINT Linkedin a proliferation of fake profiles: NPR: “That smiling LinkedIn profile face might be a computer-generated fake” https://www.npr.org/2022/03/27/1088140809/fake-linkedin-profiles IV. The Perils of Generative AI for OSINT Issues of data validity and reliability with LLM generated text content The danger of information pollution and misinformation Election 2024 Fake news articles Fake photos - Trump arrest photo The problem of source attribution and provenance Challenges in discerning human versus Generative AI created content Images Text Sound Potential for AI driven influence operations V. Possible Solutions and Mitigation Strategies Developing more robust data validation and verification techniques Enhancing AI literacy among OSINT researchers Advocating for transparency and regulations for Generative AI usage in social media Could this even work? Employing AI tools to detect and flag AI generated content VI. Future Outlook Discussion on the potential future developments of Generative AI Predicting the impact on OSINT, considering emerging trends and technologies Open source libraries already appearing e.g.: https://github.com/sshh12/llm_osint Suggestions for further research and study on this subject VII. Conclusion Recap of the main points of the talk Restatement of the importance of this issue for the OSINT community Final thoughts on the need for vigilance, research, and proactive measures to address this challenge VIII. Q&A Session Open the floor for questions and further discussion on the topic
Are you ready to take your attack surface mapping to the next level? Join us at Recon Village as we unveil the game-changing integration of the Open Asset Model into the OWASP Amass Project v4.0! The Open Asset Model (OAM) enhances the way we define and understand assets exposed on the internet. Traditionally, asset specifications have been confined to technical, infrastructure-specific details. However, this narrow approach limits organizations' ability to grasp the full scope of their attack surface. The OAM breaks these barriers, enabling users to encompass both digital and physical assets, empowering organizations to see the bigger picture. At the core of the OAM lies its ability to capture intricate relationships among different asset types, mirroring the real-world interconnectedness that exists between assets. This approach allows security professionals to identify critical attack vectors that might otherwise remain hidden. In this talk, we will walk you through how OWASP Amass users can harness the OAM's power through simple and efficient integration with sqlite3 and PostgreSQL. Join us for an immersive session, and be among the first to explore the potential of the Open Asset Model. Unleash the true power of OWASP Amass and fortify your organization's defense like never before!
