
badgerblog - CarolinaCon 2013
March 18th, 2013
12:22 am


CarolinaCon 2013
Went to CarolinaCon 2013 this weekend. As usual a solid learning experience.

CarolinaCon 9, 15 March 2013

Intro to Lock Picking
FALE - the forum - buy locks - buy picks

Terminal Cornucopia
items readily available in an airport terminal that can make potentially dangerous weapons
sourced after security screening
walk in with cash and a Leatherman P5 (TSA-approved)

basic weapon types
overpriced convenience store/tchotchkes
duty free: fragrance, makeup, booze,
overpriced electronics
overpriced gadgets
overpriced nail/massage
overpriced designer stuff
overpriced sportz
overpriced regional goods - depends entirely on location
overpriced food

items of interest

2. basic attack vectors
3. research makeshift weapons
4. ID/collect materials
5. proof of concept builds

where: family bathrooms
double-wall tumbler, Parrot AR drone, Zippo
blowgun: tumbler straw, metal rod from quadcopter, cotton from zippo

magazines, lady liberty fridge magnets, braided leather belts, scotch tape
chucks of liberty
(magazines rolled & taped as handles)
fell apart

version 2: dental floss, a lot of it, instead of cheap crappy leather belts

hair dryer, compression socks, umbrella, braided leather belts, condoms
makes a smallish sling bow

umbrellas are to improvised airport weapons what the buffalo was to the plains: you use every part of it

fiberglass shaft, cut down at angle

grabber hand thing
magazines, etc.
crossbow - luggage handle is a collapsible stock

stick with a nail

zippo, disposable lighters, Parrot AR Drone, scotch tape = remote detonator

zippo flint wheel on drone motor, flint resting on flint from disposable lighter

note: the Brookstone version you can control w/smartphone on wifi. That's scary.

RAWR - Rapid Assessment of Web Resources
python for pentesting

Kali Linux

Bing search
returns all domains associated with a given IP address

get physical access to the computer, iTunes on, syncing over wifi
"Encrypt iPhone backup" is not turned on by default
~/Library/Application Support/MobileSync/

use Metasploit

Manifest.mbdb file
Commercial product for law enforcement

Sinatra Ruby app
add app def query files to the sqlite folder in binoculars

Apple loves SQLite & so should you because it's so easy to get data out of
default datastore for CoreData

if passcode locked, need to unlock it to back it up

Recover Deleted Items in SQLite
deleted data is still present in the file but not queryable

how to protect yourself
password, preferably strong
keep phone in possession at all times
back up, encrypt your local backups
keep your computer password protected at all times
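The SQLite point above (deleted rows stay in the file even though SQL no longer returns them) and the "encrypt your local backups" advice are easy to check for yourself. The following is an added example, not code from the talk or from any tool it mentions: it builds a throwaway database with a constructed marker string, deletes the row, and then compares what a query sees with what a byte-level scan of the file sees, before and after VACUUM and with PRAGMA secure_delete. The table name, marker value and file names are all invented for the demonstration.

```python
"""Show that rows deleted from a SQLite store survive in the file's free space,
and that VACUUM or PRAGMA secure_delete remove them.

Added example, not code from the talk; the table, the marker value and the
file names are constructed for the demonstration.
"""
import os
import sqlite3
import tempfile

# Constructed sensitive-looking value; it is only a search pattern, not real data.
MARKER = "CONSTRUCTED-SECRET-9f3c1a"


def make_store(path: str, secure_delete: bool) -> None:
    """Create a one-table database, insert MARKER, then delete it again."""
    conn = sqlite3.connect(path)
    # Pin the setting explicitly: some SQLite builds default it on, others off.
    conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO messages (body) VALUES (?)", (MARKER,))
    conn.commit()
    conn.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
    conn.commit()
    conn.close()


def queryable_rows(path: str) -> int:
    """What SQL can still see: the row count after the delete."""
    conn = sqlite3.connect(path)
    n = conn.execute("SELECT count(*) FROM messages").fetchone()[0]
    conn.close()
    return n


def raw_contains(path: str, needle: str) -> bool:
    """What a byte-level carve sees: scan the whole file for the marker."""
    with open(path, "rb") as fh:
        return needle.encode("utf-8") in fh.read()


def vacuum(path: str) -> None:
    """Rebuild the file; free space (and the stale cell bytes in it) is dropped."""
    conn = sqlite3.connect(path)
    conn.execute("VACUUM")
    conn.close()


def demo() -> dict:
    """Run the three scenarios and report what a carver would find in each."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "plain.sqlite")
        make_store(plain, secure_delete=False)
        result = {
            "rows_after_delete": queryable_rows(plain),
            "marker_in_file": raw_contains(plain, MARKER),
        }
        vacuum(plain)
        result["marker_after_vacuum"] = raw_contains(plain, MARKER)

        secure = os.path.join(tmp, "secure.sqlite")
        make_store(secure, secure_delete=True)
        result["marker_with_secure_delete"] = raw_contains(secure, MARKER)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The row count is 0 in every case, but the marker is still in the plain file until it is vacuumed; only secure_delete zeroes the bytes at delete time. An unencrypted backup copies that free space verbatim, which is why the encrypt-your-backups advice matters even for data the app believes it has removed.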


easier to get to jailbroken devices (because there's a shell)

Social Security cards, tax forms, credit cards (front & back); custom Web searches, enterprise search engine

google doesn't care about robots.txt

google diving
do a lot of scrolling, the good stuff seems to be farther down
images "Credit card"
more sizes, visually similar
sort by size, largest first

"SSN", "creditcard", "social

reverse image search in Google
take a picture of the card, blur out the number, upload, search for similar

OR, |
"", .

virtual machines

intitle:index of Windows filetype (vhd|vmdk|vdi)
intitle:index of Windows (vhd|vmdk|vdi)

queries, think direct and indirect
search for related, sometimes google won't index vdi file, but will find related

Google as an FTP search engine
-inurl (http|https) inurl:ftp
14 million hits

does portscanning through google

if Google removes a query return, they link to the DMCA complaint at

the DMCA complaints have all the good links

so search for keywords

awesome Firefox addons
Remove Google Redirects - most awesome ever
Unlinker
DocsOnline Viewer
FireFTP
Google Reverse Image Search

more links in presentation
Google Diggity
Google Hacking for Pen Testers
youtube: Stach & Liu, Johnny Long
online docs
Bing Query Language
other search engines: Bing, Shodan, Napalm FTP, Docstoc, Pastebin

1pm speaker MIA

Low-Hanging Fruit of Pentesting
DNS, crawl, geomap IPs

virtual hosting
all the virtual hosts on a given server

headache detection
can't ping
people will track portscans

so do forward lookups on every IP in the DNS range
DNS isn't monitored as much

nmap -sL

load balancers

active filter detection

Basic Persistent Threats
Collapsed Ring Topology
logical ring for regulatory requirements
BGP Attack from Broadband Subscriber - rare, only seen once
Utility CATV Head End Scenario

Transport Network - Remote Support

basic Layer 2 security problems, never been properly secured

problems:
  STP/BPDU
  ARP poisoning
  VTP
  VLAN hopping
  FHRP
  rogue DHCP server
  horizontal and vertical pivoting

recommendations:
  BPDU & Root Guard
  secure VTP
  Dynamic ARP inspection
  limit MACs per port
  secure FHRP
  PVLANs, VACL
  DHCP option 82
  L2 NetFlow
Secure Information Flow Trust Relationships

also suggested
whitelist applications
whitelist network trust relationships
whitelist Trusted Information Flows in Monitoring
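The Layer 2 recommendations above are mostly one-line switch commands, and the useful check is whether a given access port actually has them. The following is an added example, not from the presentation or any vendor: a small Python auditor that parses an IOS-style config and reports which of the talk's controls (DHCP snooping, option 82, Dynamic ARP inspection, secure VTP, BPDU guard, no trunk negotiation, per-port MAC limit) are absent. Both configs are constructed; the command-to-control mapping uses common Cisco IOS syntax and is an assumption for illustration, and FHRP hardening, PVLANs, VACLs and L2 NetFlow are not covered by it.

```python
"""Audit an IOS-style switch config for the Layer 2 controls listed above.

Added example, not from the talk: the config text is constructed, and the
problem-to-command mapping uses common Cisco IOS commands, assumed here.
"""
from typing import Dict, List, Tuple

# Constructed access-port config before hardening (not from the presentation)
WEAK_CONFIG = """\
vtp mode server
!
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
 spanning-tree portfast
!
"""

# The same port with the talk's recommendations applied (constructed)
HARDENED_CONFIG = """\
vtp mode transparent
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option
ip arp inspection vlan 10
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""


def parse_ios(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and {interface name: [indented lines]}."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # a bare '!' ends the interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def has_prefix(lines: List[str], prefix: str) -> bool:
    """True if some line is exactly `prefix` or starts with `prefix` plus a space."""
    return any(l == prefix or l.startswith(prefix + " ") for l in lines)


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (scope, problem) pairs for every recommended control that is absent."""
    g, ifaces = parse_ios(config)
    findings: List[Tuple[str, str]] = []

    global_checks = [
        ("rogue DHCP server", "ip dhcp snooping" in g),
        ("DHCP option 82", "ip dhcp snooping information option" in g),
        ("ARP poisoning", has_prefix(g, "ip arp inspection vlan")),
        ("VTP", "vtp mode transparent" in g or has_prefix(g, "vtp password")),
    ]
    findings += [("global", p) for p, ok in global_checks if not ok]

    bpduguard_global = "spanning-tree portfast bpduguard default" in g
    for name, lines in ifaces.items():
        # only audit switched (access) ports, not routed or unused interfaces
        if not any(l.startswith(("switchport", "spanning-tree portfast")) for l in lines):
            continue
        port_checks = [
            ("VLAN hopping", "switchport mode access" in lines
                             and "switchport nonegotiate" in lines),
            ("STP/BPDU", bpduguard_global or "spanning-tree bpduguard enable" in lines),
            ("limit MACs per port", "switchport port-security" in lines
                                    and has_prefix(lines, "switchport port-security maximum")),
        ]
        findings += [(name, p) for p, ok in port_checks if not ok]
    return findings


if __name__ == "__main__":
    for scope, problem in audit(WEAK_CONFIG):
        print(f"{scope}: no control for {problem}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run against the weak config it reports seven gaps (four global, three on the port); against the hardened one it reports none. The same parser can be pointed at a real running-config export to find access ports that never got the hardening rolled out.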



Date:March 18th, 2013 12:29 pm (UTC)
I thought I had used lj-cut here but apparently I had not, according to someone who later deleted their "There is a nice feature called lj-cut." comment on this entry. For anyone inconvenienced by my I-thought-I-had-used-LJ-cut few minutes last evening, I apologize.