The following are my notes from the talks I attended at Derbycon 2014.

Keynotes
Johnny Long - Hackers Saving The World From A Zombie Apocalypse
http://www.youtube.com/watch?v=IBAbzS5JlEc

• Hackers For Charity helped rebuild a village that burned. 200 homes were destroyed.
• After rebuilding HFC were able to create jobs for some of the villagers. They started a leather-working shop.
• Johnny needs help building servers for remote sites to connect back to their computer center.
• They need 13k for the computer center to operate and 6k for a new hackerspace.
• UPDATE: At the closing ceremonies Johnny announced that two different individuals approached him at the conference and wrote him checks for both of those numbers. Also, the HFC merch table brought in 32k.

Ed Skoudis - How to Give the Best Pentest of Your Life
http://www.youtube.com/watch?v=6_5Sj5iahSU

• Write the report for operations teams so they can take action on any items you find. Help them to fix the problem.
• Ed looks to PTES for inspiration
• Ed recommends a minimum of five people on every pen test. Collaboration is key. If you don't have the resources to put five pentesters on a test there should at least be a designated collaboration time of the day where pentesters can bounce ideas off each other.
• Work on the report during the test. It may be slower but there is less chance you would miss something (I.e. A screenshot containing an item you may have previously overlooked).
• Tell the customer to utilize me as a pentester to get the resources they need. They probably already know about the weaknesses they have. If they can share those we can focus our report to detail how large the problem actually is, and hopefully get the point across to upper management.
• Most pentesters don't operate in the zero day realm. Current numbers put zero day development in the 2-12 month timeframe, and usually they only have a 24 hour to 10 day shelf life before being patched.
• Sometimes when Ed is having a really hard time of finding anything on a pen test he uses the "zero-day card". Basically, this means that we could spend 12 months and probably write a custom zero day for a given software but that is not feasible. Instead, let's assume a dedicated attacker already has a zero day for it and give us access to that system so we can move forward in the pen test.

Kevin Mitnick and Dave Kennedy - Adaptive Pentesting part 2
http://www.youtube.com/watch?v=tcnAWhFf5QM

• Unicorn - a tool for PowerShell injection into memory https://github.com/trustedsec/unicorn
• IBM communicator - Dave discussed how he found this software on a system he was pentesting. He was not admin. Looking through the processes he found some unnamed ones. He started migrating to them and found that one was running with SYSTEM prigs.
• List yourself.net - Kevin used this site to register his phone number to Microsoft. When you Google his number it will show Microsoft.
• Pidatabase - find ssn's, address, phone number of anyone. Kevin demonstrated this by getting a random volunteer to come up on stage and he showed them their SSN.
• vitalsearch.com - find Mother's maiden name

Day One Talks
Larry Pesce - If It Fits It Ships: Adventures in Warshipping
http://www.youtube.com/watch?v=tcnAWhFf5QM

• Send a package containing WiFi hacking rig to someone who doesn't exist at an organization or is on vacation. Mail room at organization may leave it there for a few days before shipping it back.
• Larry uses a Raspberry Pi B+ with AWUS051NH, and battery pack with 30 AA batteries. No need for GPS. We can geolocate based on BSSID's of AP's.
• ISniffGPS - can query Apple for BSSID geolocation.
• Larry wrote a tool that uses the Apple do as well called loc-nogps. https://github.com/haxorthematrix/loc-nogps
• Larry mentioned that shipping active electronics is illegal.

Josh Schwartz – Red Teaming: Back and Forth – 5ever
http://www.youtube.com/watch?v=FTiBwFJQg64

• Use OSINT to start crafting profiles on employees.
• Josh created a CnC tool that creates encoded tweets to tell a compromised host to change CnC servers.
• Internal recon – check internal wiki’s
• osascript to tell osx to present a dialog to the user with a field.
• osascript -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return & "Password:" default answer "" with icon 1 with hidden answer '
• Get caught. If you make a lot of noise and didn’t get caught that is a finding.

Carlos Perez - Abusing Active Directory In Post-Exploitation
http://www.youtube.com/watch?v=sTU-70dD-Ok

• We can query AD as a computer object, not just a domain user.
• Carlos considers AD as "Microsoft's way of doing LDAP"
• Use AD management tools in post-exploitation.
• RSAT - nltest.exe, dcdiag.exe, ntdsutil.exe.
• extapi – Extended API in Metasploit. Carlos wrote modules to query the domain.
• ADSI – Active Directory Service Interfaces – Can be used to add users, add users to groups, enumerate groups, etc.
• If “Auditing” is enabled in a domain many windows will be generated when using ADSI.
• It is possible to perform host discovery without sending a single packet to hosts on the network besides the DC. AD can be queried to find RDP, MSSQL, Exchange servers.
• SPN – Service Principal Name
• Carlos wrote Metasploit modules for enumerating the domain: https://github.com/darkoperator/Meterpreter-Scripts/tree/master/post/windows/gather
• Carlos mentioned it is possible to enumerate phones connecting to OWA through the CAS server. May be able to get OS/phone number.
• Some other items that can be gathered from AD: OU’s, GPO’s, subnet listings.
• The enum_ad_users module writes to CSV for easy parsing.
• In summary, as “NETWORK SERVICE” it is possible to get all systems FQDN’s, OS version, and OU from AD.

John Strand and Joff Thyer – How Not to Suck at Pentesting
http://www.youtube.com/watch?v=Yo4oP2eyDtI

• John gave examples of how low and medium vulnerabilities can be devastating to an organization.
• Manually visit web servers. Don’t trust your tools.
• On a pentest Ethan found a web server that had a file called hello.php. This file was an injected web shell.
• Get caught on a pentest. If you have successfully compromised an organization without being detected start to get noisier on the wire. This can help an organization find where their weakpoints and strongpoints are.
• John mentioned that he still recommends application whitelisting products as an AV replacement but gave the caveat that they are not an end-all-be-all solution.
• Most of the application whitelisting products still allow tools like PowerShell to run.
• Management of these app whitelisting products can be tough and sysadmins may create broad rules to make management easier. For example they may whitelist entire folders or certain types of files.
• Joff discussed some of the hunt teaming items BHIS are working on.

Benjamin Donnelly and Tim Tomes – Ball and Chain (A New Paradigm in Stored Password Security)
http://www.youtube.com/watch?v=GfyM8lFkjo8

• Storage of passwords needs to change so that offline password cracking can be eliminated.
• The idea of Ball and Chain is that the mechanism used to store passwords is so large, in terms of file size, that an attacker wouldn’t be able to exfiltrate it from an organization.
• Create a file multiple terabytes in size.
• Implement an authentication platform that ties into this file.
• An attacker may be able to still do online attacks but removing this file from an organization would be infeasible.
• Even if an attacker were to get it there are protections in place that would still make cracking passwords with it very hard to do.

Day Two Talks