I am writing this on my way home from Wild West Hackin’ Fest 2019 as I rush to translate my sloppy notes into something more coherent. I wanted to highlight a few of the sessions I really enjoyed, but I can’t write about them all. The full speaker schedule can be found (here) and the session recordings will be posted to the Wild West Hackin’ Fest YouTube channel in the near future.
This was my second time attending WWHF, and this has solidified my belief that this is the most valuable conference I attend each year. This seems to be a common sentiment, because the BHIS team is launching a second conference, this time in San Diego.
Right off the bat, the conference started with great content: “Offensive GoLang” by Michael Long. I consider myself very much a script kiddie, but am working at picking up different languages, at least enough to understand how various tools are working. I have been seeing GoLang pop up more and more, and Michael’s talk pushed me over the edge to finally get this onto my “To-Do” list. Michael was showing how useful tools written in GoLang have been for his team, including cross-platform executables and building payloads without any external dependencies.
Michael had some interesting projects highlighted at the end of his talk for learning more about GoLang, and I also found this repo with some helpful links.
There were several talks I’d like to point people to from Day Two, but the message coming out of “Hacking a Security Career” by Deviant Ollam needs to be shared far and wide. His full slide deck is available (here) but I strongly recommend watching the recording for Deviant’s messaging beyond the slides.
One of the messages that stuck out to me was the importance of loose connections. Many job opportunities seem to come from a friend of a friend, or someone that has heard of you from someone else. You don’t need to be close friends with everyone, and frankly you can’t be. You can, however, make an effort to network and at least introduce yourself to others – conferences like WWHF are perfect for this.
Deviant also spoke about the importance of sharing your knowledge. You may be hesitant, thinking that since you’re not the tip of the spear, you shouldn’t be sharing – when in reality you have plenty to share that others may not know. This line of thinking was a major factor in my starting to write blog posts – it helps me focus my thoughts on an area, and maybe there is a single person that learns something new.
The last theme I want to call out here is “leave it all on the field”. This is something the greatest in our industry do consistently. Release the research, share your knowledge, don’t try and hide the “secret sauce”. Not only does this help the industry get better overall, but by sharing the information, you build the reputation of being knowledgeable. Sure, maybe keeping that trick a secret can win you one more project, but you will likely see the returns come back 10x by sharing the information freely.
“Kerberos & Attacks 101” by Tim Medin was great – who better to speak about Kerberos attacks than the “Kerberoast Guy”? Slides for his talk are posted (here). There were a lot of interesting attack techniques covered in his talk – but the Skeleton Key attack stuck out the most to me. This attack is a backdoor into a Domain Controller that allows the Skeleton Key (password) to be used for ANY account. Of course by default this is set to “mimikatz”.
“Elevating your Windows privileges like a boss!” by Jake Williams covered a ton of information around opportunities for escalating privileges that are missed by many system administrators. The overall theme was that these are typically default configurations that are buried deep in the GUI menus, or not in the GUI at all. Being able to use things like icacls in the command prompt to review these settings is key to finding escalation opportunities that are also harder to detect (outside of PS Script Block Logging).
Related to PS Script Block Logging, Edward Ruprecht gave a fireside chat (shorter talk) titled “When logging everything becomes an issue”. His slides and an accompanying Medium post are online (here). This talk was great at calling out resources for securing your logs, ranging from avoiding capturing passwords in your log files to enabling Protected Event Logging to encrypt the log files on disk.
In addition to the sessions I attended on Day Three, I completed the DNS Scavenger Hunt hosted by Active Countermeasures. I took a stab at this last year at WWHF, but got distracted and never completed the challenge. I didn’t place high enough for any of the rewards, but was happy to reach and pass the final question.
“Q65B Correct! You finished the hunt, congratulations! Scores at the Active Countermeasures booth, prizes on the last night.”
To top off an amazing conference, I got this gem of a trophy from @EanMeyer for finishing in first place in his Cubicles & Compromises workshop. That may sound impressive, but I merely got lucky with some big dice rolls.
I can’t say enough good things about the Player’s Guide Ean put together – I am already looking forward to running more table tops using this guide. The Player’s Guide can be found on Ean’s site here (CC License). There are other references on his site (here) including the Wheel of Business outcomes and other resources.
Not only did he make an incredibly detailed Player’s Guide, but Ean also put together 5 daily injects to our incident scenario, including some videos. Nothing like Anonymous launching #OpLabor against your company three days into responding to an incident.
Of course you can’t go to a place like Deadwood, SD without carving out a bit of time to be a tourist. We were able to swing by Mt. Rushmore, but the trails to get up close were closed down for construction. The scenery out here is amazing:
I am already marking my calendar for Wild West Hackin’ Fest 2020 (September 23-25, 2020)!