Coming to Vegas: My Picks and Schedule - Cobalt Strike Research and Development
fortra logo

Coming to Vegas: My Picks and Schedule

And, like most folks in the security industry, I’m getting ready to head to Las Vegas for the week. I’ll arrive in Sin City on Monday, 23 July 12.

I’m armed with Cobalt Strike comic fliers, business cards, and boring sell sheets. I also have a pile of Armitage stickers to give away.

In this (long) blog post, I recommend a few talks and provide my schedule. If you’d like to meet for a meal or a beverage, I’m definitely open to this. Contact me and we’ll discuss a way to sync up.

My Picks

Hacking into Smartphones

On Wednesday and Thursday at 11:45am in the BlackHat USA Arsenal, Georgia Weidman will demo her Smartphone Penetration Testing framework. This is not a tool for “hacking from” smartphones. It’s a tool set for hacking into smartphones. I highly recommend attending one of these demo sessions. I’m demoing Armitage at the same time, but if you go see Georgia twice, I’ll give you twice as many stickers.


At BSides Las Vegas on Wednesday at 11am, Matt Weeks will reveal a new defensive technology called Ambush to the world. We’ve had a few discussions about this technology. As usual, Matt is up to something incredibly novel.

This presentation will demonstrate the ability to configure signatures on everything from the highest to the lowest level API’s, catching whole classes of malware. It can prevent exploitation of certain vulnerabilities and identify shellcode, keylogging, remote control, and HTTPS-encrypted communications regardless of code obfuscation. Pentesters, red teams, and malware authors used to worry about getting caught while writing to disk. Now, no action is safe. The implementation, the Ambush Host Intrusion Prevention System, will be released open-source.

SNSCAT: Social Media Sites as Covert Command and Control

I’m really excited about this. My friends Dan Gunter and Solomon Sonya will reveal SNSCat at BlackHat USA at 2:15pm on Thursday.

“SNSCat provides a simple to use post-penetration data exfiltration/infiltration and C2 (Command and Control) platform using images and documents on social media sites (Facebook, Google Apps, twitter, imgur, etc).”

“will introduce our tool and show how one can easily move files in and out of a network using social media sites. We will next demonstrate how one can use SNSCat along with the implants we have created to establish full command and control between the controller and the listening agents.”

Grab thy Hashes

And, finally my friends Jon Claudius and Ryan Reynolds will present a survey of how different tools extract password hashes on Windows. The twist–most of them do it in a semi-broken way. They’ve analyzed the problem and they’re revealing fixes for key tools that penetration testers take advantage of.

This is extremely important. I feel like a lot of tools released at conferences are one-time things that will never see an update later on. It makes working with them frustrating as the work may be novel, make a great demo, but if it doesn’t work a year from now–what’s the benefit? It’s great to see someone looking at what we use every day, figuring out what’s wrong, and contributing back in a way that will benefit a lot of people immediately.

This talk is happening at 11am on Saturday at DEFCON.

My Schedule

Tuesday, 24 July 12

I’m hanging out at the Adaptive Penetration Testing course taught at BlackHat USA by the Veris Group LLC.

Wednesday, 25 July 12 (BlackHat USA)

I will demo Armitage in the BlackHat Arsenal at 11:45am. My goal during the demo is to explain Armitage to those who haven’t seen it and capture some of the cool tricks few people know about. For example, Ctrl+T takes a screenshot of the current tab and saves it to a preset place.

Thursday, 26 July 12. Morning (BSides Las Vegas)

At 10am, I will present Force Multipliers for Red Team Operations. Each year, in March and April, I spend most of these two months on the road hacking in several exercises. I treat these events as a laboratory for trying out ideas and making observations about how hackers work together. I will break down what I learned from this year’s season with a focus on how we organized ourselves, what worked, and offer ideas of what I’d like to see next.

Thursday, 26 July 12. Afternoon (BlackHat USA)

I’m back at BlackHat at 11:45am demoing in the Arsenal again. If you missed me on Wednesday, come by on Thursday and get a sticker. I really dig these kiosk style demos. It’s easier to connect with you and have a dialog.

Friday, 27 July 12 (DEFCON)

At noon on Friday, I’m presenting Cortana: Rise of the Automated Red Team. During this talk, I will reveal the fully scriptable version of Armitage and its stand-alone interpreter Cortana. You’ll learn how to add bots to your red team or add new features to Armitage. This project was a big effort to put together and I was very fortunate that DARPA’s Cyber Fast Track program helped make it possible.

Here’s a Hak5 segment from last year where I first talked about this next iteration for Armitage:

I also noticed that I’m speaking opposite of General Alexander from US Cyber Command and the NSA. I guarantee I will give far more live demos than he will. That said, I wish I wasn’t speaking at noon, I’d love to see his talk too.

Saturday, 28 July 12 and Sunday 29 July 12 (DEFCON)

I’m at DEFCON all weekend and I fly out Monday morning.