Thoughts from DerbyCon VIII “Evolution”

DerbyCon VIII Evolution

So I’m sitting here in the airport on my way back home from DerbyCon. I’m in town for ~24 hours before I have to head back out on the road to Omaha and St. Louis for a few days. After such a great time at DerbyCon, I’ve decided to try my hand a little more at blogging and producing some original content. The hardest part about this whole thing is PRODUCING ORIGINAL CONTENT.

So anyway, I decided to jot some notes down about the conference. Please feel free to let me know your thoughts as well.

Rolling Solo

I could write multi-volume books on my experiences with hotel rooms (that’s not a bad idea TBH). Needless to say, I’ve tried tweaking things to get the best experience at the lowest price. This time I tried rooming solo. It was an extra cost, but I justified it by booking a hotel about half a mile from the Marriott where the conference was held. The room was perfectly fine. It felt a little…isolated. I think it would have been better had I booked a solo room AT the Marriott instead of off-site. That way I could recharge back in the room without having to make a trip out of it. I tried to do that, but the hotel was booked up well in advance. I recommend booking your hotel rooms ASAP. Some hotel chains allow you to book a room up to a full year out. Their cancellation policies allow you to cancel up to 24-48 hours prior. If you’re even considering attending a conference in the future, I’d recommend trying to lock in a room if you can.

Additional Packing Items

  • Allergy Medication
    • I’m not sure why, but I had multiple violent allergy attacks this last week. It sucked. I always keep a bottle of Afrin with me for a nasal emergency, but this required significantly more heavy artillery. 🙂 DayQuil Severe and Mucinex D were life-savers, but OMG so freaking expensive! I know they were much cheaper at Walgreens or CVS, but when I’m sick, I’ll pay through the nose to feel better. Next time, just pack the meds in advance.
  • Ear Plugs
    • I have ear plugs, but I only keep them in my toiletry bag. I’d recommend moving the ear plugs from the toiletry bag to the EDC bag. For me going forward, ear plugs will be mandatory for all live music.
  • Hand Sanitizer
    • A lot of networking goes down in the halls of DerbyCon. Lots of hand-shaking, awkward hugs, fist-bumps, etc. Lots of opportunity for germ exposure. Again, I had hand sanitizer and wet wipes in my toiletry bag, but not in my EDC.
  • More Cash
    • I tend to do most of my spending with credit cards and don’t carry a lot of cash on me. However, for future conferences, I recommend taking a lot of fives and singles. People like bartenders, merch vendors, and artists often can’t take credit as easily.


I’ve heard bad things about the electric scooters “littering America’s downtowns”. Honestly, I thought they were fantastic! Although this is by no means the only answer to the last-mile challenge, it’s definitely a fun option!

Bird Scooter

  • Pros:
    • It was cheap! Most times riding from the hotel to the convention, it cost me about $1.50 per ride. At the very end of the conference, I had to ride the scooter from the venue to the hotel, back to the Marriott, then back to the hotel on a single fare. Total $8.00. I really liked how I could lock the scooter, go inside and do whatever I needed to do (pick up an AC adapter in my case), and not lose my scooter.
    • It’s FAST. It really made a difference getting from point A to point B. I was less tired and I was able to stay longer because I knew I didn’t have to walk as far.
  • Cons:
    • They were hard to find and in high demand. I wasn’t really happy that I had to walk several blocks away in the wrong direction in order to find a scooter. No one wants to see those scooters littered everywhere, but at the same time, if you can’t find a ride, you are out of luck.
    • It’s FAST! I know I said it before, but those scoots have some speed to them. I did fine steering the scooter, but the concrete was extremely rough and bumpy. I wouldn’t trust my parents or my kids on one of these things. I felt more comfortable riding on the sidewalks even though I believe you’re supposed to ride on the streets with them. Either way, I don’t think the general public (myself included) is fully versed in how to ride these things.

See More Talks!

I’m very lucky in that I have an amazing job that I love. One of my favorite things to do is speak at and work InfoSec conferences. The drawback to this is that I don’t often get to attend the conferences. I’m too busy working. Instead, I’m working the booth, meeting with clients, taking a WebEx in the hallway, or something else keeping me from learning. My goal for this DerbyCon was to see as many talks as I could. Between the printed materials and the Hacker Tracker app, I always knew where I was headed next. One thing that I REALLY liked about DerbyCon was that I didn’t have to wait in line like you do at DEF CON. I think there was one session (Sean Metcalf’s talk) that was filled to capacity and they were turning people away. Outside of that one talk, it was really nice to know you could see any talk you wanted without having to miss the previous session waiting in line. Next year I’ll see more talks.

See Fewer Talks!

I didn’t get the full DerbyCon experience. I don’t see how anyone could. There’s just too much to see and do. I wanted to participate in the lockpicking village and the multiple CTFs, and chill and learn with the vendors, but I was too busy enjoying the amazing talks. I missed out on Hacker Jeopardy and Whose Slide Is It Anyway. There were so many things to see and do, but things like the body’s need for sleep or food became too much to overcome. Next year, I’ll watch the talks on and hang out and do more activities.

Overall, there’s no one correct way to do one of these security conventions. Do what works for you. I’ll continue to tweak my experience until it works for me. Hopefully you picked up a few tricks to help you as well.

April Showers Bring May InfoSec Talks!

Missed seeing me talk in Des Moines this month? Don’t worry! May is shaping up to be a heck of a month for awesome speaking engagements!

5/8/18 – St. Louis Tech Summit – Insider Threat – St. Louis, MO
5/9/18 – Secure World – Insider Threat – Kansas City, MO
5/10/18 – Omaha Tech Summit – Insider Threat – Omaha, NE
5/11-12/18 – BSides Denver – Hacking Demos – Denver, CO
5/14/18 – Central Ohio Infosec Conference – Hacking Demos – Columbus, OH
5/15/18 – San Antonio ISSA – Hacking Demos – San Antonio, TX

I’m really looking forward to hitting the road again and meeting everyone on this wild and crazy journey. Hopefully I’ll see you at one of these events! Pretty sure this will be me afterwards.

NTXISSA March 2018 Monthly Meeting – The Hacker’s Toolkit

I’m excited to announce that I’ll be speaking at the March 2018 North Texas ISSA chapter meeting. I’m planning on presenting the “Hacker Carpet Bomb” aka “Hacker’s Bag of Tricks” aka “Hacker’s Toolkit” presentation. This talk consists of nothing but live demos. Anyone who’s done IT presentations can tell you, live demos are dangerous. They rarely go right. Having a talk that consists of nothing but live demos is straight up insane. I’ve done this talk a handful of times. Not once has it ever gone perfectly, but that’s also the charm behind it. Exploits, even in perfect environments, sometimes fail. That’s part of it. Here are the demos I’m planning to present:

Between now and then I need to find a device I can destroy on stage. If you have something you don’t mind literally going up in smoke, please let me know.

So please come out March 15th at 11:00AM. I’m sure it’ll be a fun and eye-opening event.
Hacking RDP with a MitM Password Attack

The other day, my friend and co-worker clued me in on a new attack he found. It worked so well, we had to share it. As it says on the tool’s GitHub page,

Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Take a look at how simple it is to steal an RDP credential off the network without ever having to touch the victim’s machine. Things like valid certificates and Network Level Authentication (NLA) are important security controls you should implement to protect against attacks like this.

Preventing PTH with Two Small Checks.

I read up on harmj0y’s blog over the weekend and he had some killer points I wanted to share with you all. More than anything, just some major takeaways from this.

KB2871997 – Microsoft’s attempt to block pass the hash. More than anything it just complicates it, but doesn’t resolve it. It does a lot of good things to help prevent the attack, but doesn’t resolve the issue. The patch created two new SIDs that can be used with group policy to block local admin accounts from remote login (with one large exception). Any authenticated AD user can enumerate policies to see if this is enabled on a client’s network. PTH for local accounts, with the exception of the RID 500 (local built-in administrator) account, is blocked.

The whole point of the article is twofold:

  1. It’s not the group policy that’s actually blocking the PTH of local accounts (though the other stuff is good), but rather “token filtering”. This applies to all local admin accounts with the exception of the RID 500 (built-in local admin) account, as it runs in a non-filtered state. Meaning, you can still PTH with the built-in local admin account.
  2. The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy (which doesn’t exist by default) set to 1 grants high-integrity sessions to all remote connections, thus enabling PTH of all local accounts. MS actually suggests doing this in a number of places (which is really a bad idea):

KB2871997 = Good
LocalAccountTokenFilterPolicy = Bad


Check for these things next time you’re dealing with a client.
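Here’s a quick audit script for those two checks. This is an added example, not code from harmj0y’s post or from this blog. The KB number and the LocalAccountTokenFilterPolicy path come from the notes above; the FilterAdministratorToken value (which extends token filtering to the RID 500 account) and the two well-known local-account SIDs S-1-5-113 and S-1-5-114 are documented Windows settings that the post refers to but doesn’t name, so treat the function name and output layout as my own. Run it in an elevated PowerShell session on the host you’re reviewing.

```powershell
# Added example: audit a host for the PTH-related settings discussed above.
# Requires an elevated session (secedit export and Get-LocalUser need it).
# Assumed/not from the post: FilterAdministratorToken, S-1-5-113 / S-1-5-114,
# and the Get-PthHardeningStatus name itself.

function Get-PthHardeningStatus {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # 1. Is KB2871997 present as a hotfix? Newer OS builds ship this behaviour
    #    in-box, so "not installed" on Windows 10 / Server 2016+ is not by
    #    itself a finding; it matters on 7 / 8.1 / 2008 R2 / 2012 R2.
    $kb = Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue

    # 2. LocalAccountTokenFilterPolicy: absent or 0 = remote local-admin logons
    #    get a filtered (medium-integrity) token, which is what blocks PTH for
    #    non-RID-500 local accounts. 1 = full token for everyone = PTH works.
    $ltfp = (Get-ItemProperty -Path $policyKey -Name 'LocalAccountTokenFilterPolicy' `
        -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    # 3. FilterAdministratorToken: 1 = the built-in RID 500 Administrator is
    #    filtered too, closing the exception the post calls out. Default is 0.
    $fat = (Get-ItemProperty -Path $policyKey -Name 'FilterAdministratorToken' `
        -ErrorAction SilentlyContinue).FilterAdministratorToken

    # 4. Is the RID 500 account even enabled? If it's disabled and LAPS or
    #    unique passwords are in use, the exception above is largely moot.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    # 5. Do the "Deny access to this computer from the network" rights include
    #    the KB2871997 local-account SIDs? Export the effective security policy
    #    and look at SeDenyNetworkLogonRight (SIDs appear prefixed with '*').
    $cfg = Join-Path $env:TEMP 'pth-audit-secpol.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $denyLine = (Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight' -ErrorAction SilentlyContinue).Line
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $localSidsDenied = [bool]($denyLine -and ($denyLine -match 'S-1-5-113|S-1-5-114'))

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        KB2871997Installed            = [bool]$kb
        LocalAccountTokenFilterPolicy = if ($null -eq $ltfp) { 'not set (default: filtered)' } else { $ltfp }
        TokenFilteringDisabled        = ($ltfp -eq 1)          # TRUE = bad
        FilterAdministratorToken      = if ($null -eq $fat) { 'not set (default: 0)' } else { $fat }
        BuiltinAdminEnabled           = [bool]($builtin -and $builtin.Enabled)
        LocalSidsDeniedNetworkLogon   = $localSidsDenied       # TRUE = good
        SeDenyNetworkLogonRight       = $denyLine
    }
}

Get-PthHardeningStatus | Format-List
```

The two lines to care about are TokenFilteringDisabled (should be FALSE) and BuiltinAdminEnabled together with FilterAdministratorToken (if the RID 500 account is enabled and not filtered, that’s the PTH path the patch leaves open). The secedit export only reflects policy that has already applied to this host, so a freshly pushed GPO won’t show up until the next refresh.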

Oh yeah, at the end, he states that unique creds render this whole point moot. He mentions LAPS, which is fine…but whatever…

What he doesn’t mention is that PTH is still a huge issue with DOMAIN accounts.

Yes, I do work for a privileged account security company, so I am biased here. As long as domain accounts are being managed in a responsible way, that’s all I care about. This is where pushing the functional model of privileged accounts really proves its value in preventing pass-the-hash attacks. I’ll probably go into further depth on that topic in a later blog post.

Also, harmj0y is the MAN. Main creator and contributor for PowerShell Empire, Veil-Framework, and BloodHound. The guy is a legend and deserves much respect.

Thanks and have a great week.