The Dirty South - Getting Justified with Technology

Presented at DEF CON 21 (2013), Aug. 2, 2013, noon (45 minutes)

It seems that every day there's a new NextGen firewall, whitelisting and blacklisting, DLP, or the latest technology thats suppose to stop us. But does it really stop "hackers"? Truth is, naw not really. In this talk we'll be showing off the latest bypass techniques for the "latest" hacker stoppers, using a universally whitelisted website as our middle man for a command and control, social engineering our way into some of the toughest companies, and showing off some techniques that work for us. This talk is about throwing misconceptions of protection and safety out the window, and going back the dirty south. Where thinking outside of the box is a requirement. We'll be releasing two new tools, one that makes meterpreter invisible over the network, and the other a shell that uses a popular third party as the command and control. A vulnerability scanner won't help you herrrrrrre.

Presenters:

  • David Kennedy / ReL1K - Founder & Principal Security Consultant, TrustedSec   as David Kennedy
    David Kennedy (@dave_rel1k) is founder and principal security consultant of TrustedSec - An information security consulting firm located in Cleveland Ohio. David was the former Chief Security Officer (CSO) for a Fortune 1000 where he ran the entire information security program. Kennedy is a co-author of the book "Metasploit: The Penetration Testers Guide," the creator of the Social-Engineer Toolkit (SET), and Artillery. Kennedy has presented on a number of occasions at Black Hat, Defcon, ShmooCon, BSIDES, Infosec World, Notacon, AIDE, ISACA, ISSA, Infragard, Infosec Summit, and a number of other security-related conferences. Kennedy has been interviewed by several news organizations including CNN, Fox News, and BBC World News. Kennedy is on the Back|Track and Exploit-DB development team and co-host of the Social-Engineer.org podcast. Kennedy is one of the co-authors of the Penetration Testing Execution Standard (PTES); a framework designed to fix the penetration testing industry. Kennedy is the co-founder of DerbyCon, a large-scale conference in Louisville Kentucky. Prior to Diebold, Kennedy was a VP of Consulting and Partner of a mid-size information security consulting company running the security consulting practice. Prior to the private sector, Kennedy worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.
  • Nick Hitchcock - Senior Security Consultant, TrustedSec
    Nick Hitchcock (@nick8ch) is a Senior Security Consultant at TrustedSec and has a relentless pursuit to break security and make things do things they were not meant to do. He also has experience working in the IT/information security field for several years and has performed large scale security assessments/penetration tests, risk assessments, forensic analysis, physical security assessments, social engineering engagements. In addition to secular work Nick is also actively involved in the Infosec community, being one of the organizers of DerbyCon and head of security for BSidesLV and BSidesDE. He also is a contributor to social-engineer.org and part of the Social Engineering CTF team at DEF CON. OSCP, GPEN

Links: