DerbyCon 2017

POP POP RETN; Intro to Win32 Shellcode

If you have ever worked with an exploit or Metasploit, you have probably used shellcode, but do you know how it is made? This talk has been designed to walk you through the ins and outs of basic shellcode, with a focus on Windows and the x86 architecture. There will be a review of the basic computer science behind shellcode, a look under the hood at how msfvenom works and how you can recreate msfvenom’s shellcode in Assembly, and then a walkthrough and a demo of how you can create a custom connectback stager using Assembly.

Video: YouTube

Slides: GitHub

CodeMash 2017

Thinking Like a Hacker

When it comes to security and vulnerabilities, it can be difficult to understand how vulnerabilities are found and how different vulnerabilities can be strung together. Whether you want to be a penetration tester, move into application security, or just understand how this all works, the first essential step is thinking like an attacker. This is an often-repeated idea in the security industry: to excel at defending, you must understand the attacks, and vice versa. Switching into an offensive mindset takes effort and practice. This switch requires breaking old habits and ideas. Instead of testing whether an application will accept the intended input, you need to learn to twist your usual thinking and look for ways errors and different functions can be abused. This can be difficult to do when you are accustomed to only thinking about what your intended user will do with the application. This presentation will discuss basic concepts used by security researchers (e.g. fuzzing) and how penetration testers, and less friendly attackers, will attempt to break an application for their own designs. The presentation will include demos of a couple of offensive tools and stories detailing how attackers were able to map the design of an application and abuse it.

Video: YouTube

Slides: GitHub

SecTor 2016

Thinking Like a Hacker

A year of phishing and pen testing has resulted in two new tools: one for the creation of phishing emails and another for automating common OSINT and pen testing tasks. Each tool will be available on GitHub, free and open source.

This presentation will walk through these tools and how they can help you. However, the discussion will also include the benefits of developing your own tools and how you can get started using GitHub, work on your own tools, and start looking at the tools you use every day in a different way.

Video: Sector.ca

Slides: GitHub