WELCOME TO

DEF CON is a time to celebrate hacking, hijinks, curiosity, but most importantly community.
Being with the people that get it. Not having to explain why you have a WIFI scanning
hat on or that bottle of nitrogen you are carrying for the beverage cooling contest. Over
the decades community has become one of the most important aspects of the con as the
mysteries and secrets of hacking have gone mainstream. No longer an underground
conference, we emerged above ground and like it here!

Hacking is where the rubber meets the road, where what is technically possible is different
than what its creators imagined. Hacking has also become political as technology runs the
world. But hacking is ultimately social, trying to understand the larger systems, building
and breaking things together, mentoring, partnering, and ultimately even some getting
married at DEF CON. If that’s not social I don’t know what is.

When I started DEF CON THIRTY (!) years ago it was a simple idea: throw a party for
hackers, phreakers, artists, lawyers, and everyone adjacent. Hear from people you would
normally never come into contact with, and have a party. I decided against being invite
only and to hold it in a city that never sleeps. Back then I never anticipated or imagined
the potential of gathering people with so many different backgrounds together. I’d like to
say it was my master plan, but really it was a combination of luck, timing, friends helping,
and a desire from the community that made this all possible.

I dedicate this conference to you, who have traveled to the desert in the middle of the
summer to be with the communities you care about. I hope you make new friends and
unlock some new knowledge.

Cheers!

The Dark Tangent

TH3 BADG3
We're excited to be back this year with another awesome electronic badge for you! This year's
concept came from talking with many of you last year and the overwhelming majority wanted
something music based. It seems that everywhere you go at DEF CON there's music being played.
Ah, the sounds of DEF CON. A chaotic mixture of techno and excited chatter. Whether it's an official
party or someone with a portable speaker, there's music all around. It's part of the very fabric of
the con and we wanted to give everyone the chance to contribute to the sounds of DEF CON.

The badge is a sampling keyboard, which means that you can record sounds and play
them back to your favorite beat. There's a built-in microphone, or you can record audio
through the line-in jack. Listen to your beats with the onboard speaker, or connect the line-
out to something larger. You can even chain badges together and jam with your fellow
hackers. So go out and add your unique voice to the amazing sounds of DEF CON!
Thank you for allowing us the honor of making the DEF CON badge again. There were so many people
who helped us in this journey from concept to design, assembly, testing and more. Thank you!

-MK Factor

4
 N3TW0RK AND DCTV
For updated information and instructions on
NETWORK how to connect to the Wi-Fi with the n0t-s0-1337
INSTRUCTIONS Operating Systems along with the link to
download the digital certificate to be used, visit:
DEF CON 30! And here we are, the DEF CON https://wifireg.defcon.org.
NOC is back, delivering the best questionable
And if you don’t know how to properly configure
zero-trust network access throughout the new
the Wi-Fiz on your üb3r-1337 linux distro, you
awesome Caesars Forum (not to be confused
should consider a new platform.
with the Forum Shops at Caesars. But if you go
there, make sure to say hi to Micah, #1 Genius For NOC updates visit https://noc.defcon.org ,
Bar Employee <3), Flamingo, LINQ and Harrah’s and also follow us on twitter @DEFCON_NOC.
conference floors. Machine Learning, AI Peace, love and taco grease!
optimization, shift-left, IPv7 and Malört drinking,
it all should be working by the time you are
reading this.
Now to the important stuff, what should you do
in order to connect to Wi-Fi?
DCTV RETURNS!
Remember there are three (and no more than
three) official ESSIDs you should use to HACK DEFCON will be televised! Visit
THE PLANET!!!:
https://dctv.defcon.org
- The encrypted one with 802.1X authentication
and digital certificate verification: DefCon for the latest info including hotels, channels, and
limited streaming.
- The (other, yet legit) encrypted one with 802.1X
authentication and digital certificate verification.
But also, with some shiny WPA3 benefits:
DefCon-WPA3
- And the original, unencrypted, stick-shift, no
ABS, wildest-westest of the wireless networks:
DefCon-Open
DEF CON 30
“Choice. The problem is choice”
CONVENTION MEDIA
Wi-Fi and 802.1X authentication have had a SERVER
pretty good relationship in the past few years.
And, believe or not, we test stuff before we go All DC 30 Content is HERE
onsite. But things might change and there might
be some devices out there that really do not like https://10.0.0.16/
802.1X with PEAP authentication.
or
Important 802.1X fact: By configuring 802.1X
and choosing for your device to “not verify https://dc30-media.defcon.org/
server certificate” will probably not only let that
device connect to one of the hundreds of rogue Find this year’s presentation materials, music,
access points on the show floor but will also send white papers, slides, and more plus leech files
your login credentials to a rogue radius server. from all the past DEF CON conferences and the
Despite technology advancements, this is still no infocon.org conference archives!
bueno and defeats the whole purpose of this
authentication method. We expect you to leech at full speed, and the
server is warmed up and ready to go. Enjoy!
And the usual Guy Fieri special: Be an advocate
of cyber common sense (™), and do not, I To make things easier for you here are some
repeat, do NOT choose the same credentials example wget commands:
(aka: username and password) used for stuff
that matters: shopping sites, online-banking, the EXAMPLE wget command to download all of DEF
twitterz AND, especially your windows domains CON 25:
(yeah, it keeps happening) to connect to the
hacker conference network. Make something up, wget -np -m “https://dc30-media.defcon.org/
be creative and funny. infocon.org/cons/DEF CON/DEF CON 25/”

5
 C0DE 0F C0NDUCT/R3SOURCES
CONFERENCE CODE
OF CONDUCT
Last updated 3.6.15

DEF CON provides a forum for open

discussion between participants, where radical
viewpoints are welcome and a high degree of
skepticism is expected. However, insulting or
harassing other participants is unacceptable.
We want DEF CON to be a safe and
productive environment for everyone. It’s not
about what you look like but what’s in your
mind and how you present yourself that counts
at DEF CON.

We do not condone harassment against any

participant, for any reason. Harassment
includes deliberate intimidation and targeting
individuals in a manner that makes them feel
uncomfortable, unwelcome, or afraid.
DEF CON SUPPORT
HOTLINE
Participants asked to stop any harassing
behavior are expected to comply immediately.
Sometimes you may not want to contact a
We reserve the right to respond to harassment
Goon at the Info Booth or walking around in
in the manner we deem appropriate, including
person with a problem, and for the second
but not limited to expulsion without refund and
year in a row we have a phone option to tell
referral to the relevant authorities.
us about concerns.
This Code of Conduct applies to everyone
You can reach DEF CON staff during
participating at DEF CON - from attendees and
normal hours of operation (8am to 4am) to
exhibitors to speakers, press, volunteers, and
anonymously report any behavior violating
Goons.
our code of conduct or to find an empathic ear
Anyone can report harassment. If you are by calling +1 (725) 222-0934.
being harassed, notice that someone else is
For relevant issues, we are collaborating
being harassed, or have any other concerns,
with several organizations including Kick at
you can contact a Goon, go to the registration
Darkness, The Rape Crisis Center Las Vegas,
desk, or info booth.
and the Nevada Coalition to End Domestic
Conference staff will be happy to help and Sexual Violence to provide expert
participants contact hotel security, local resources for survivors, including dedicated
law enforcement, or otherwise assist those support for LGBTQ+.
experiencing harassment to feel safe for the
duration of DEF CON.

Remember: The CON is what you make of it,

and as a community we can create a great
experience for everyone.

- The Dark Tangent

6
 MASK P0LICY
Masks requirements include: The following do not fulfill
the mask requirements:
•Mask should be a solid,
multi-layer piece of material •Face shields or goggles
without slits, exhalation (unless to supplement a proper
valves, or punctures. and properly worn mask)
•A properly worn mask •Scarves, ski masks,
completely covers the nose balaclavas, or bandannas
and mouth and is well-fitted.
•Shirt or sweater collars pulled
•May contain filter up over the mouth and nose.
pockets or sleeves.
•Masks made from loosely woven or
•Medical masks and N-95 knitted fabrics that let light pass through
respirators fulfill the requirements.
•Masks made from non porous or too dense
materials (such as vinyl, plastic or leather)
•Masks that do not fit properly

G00NS
DEF CON Goons are the electrons that enable the conference to run, and
should you have a question or need help they are there for you. Here are
some goon facts:

DEF CON 30 Goons should all have visible

patches with their nickname on them so it is
easier to remember who you talk to about
what.

Goons are in one of two states, either ON duty or OFF duty.

If they are ON DUTY they will be wearing a current year, red, DEF CON
30 Goon shirt, a current year Goon badge, and a name patch.

If Goons are OFF DUTY they will not be wearing the red Goon shirt,
but may still have a Goon badge on so they can still access the meeting
spaces.

Goons ON DUTY are not supposed to drink alcohol.

Goons OFF DUTY have been known to drink alcohol.

PAST Goons may seen wearing previous red shirts or badges as they
helped run a past DEF CON, but that DOES NOT make them a current
DEF CON 30 Goon.

Please use the name patch if you have any feedback on Goons, good or
bad. Feedback can be sent to [email protected]

Goons Goon for many reasons, but the pay isn’t one of them. They put
in long hours and many weeks or months of planning and take time off
work to make the con happen for everyone. Please feel free to ask them
questions if you have any desire to join the ranks at a future Con.

7
 HACKER TRACKER

Download the official DEF CON app! It contains all of the happenings
of DEF CON. It is easy to use and updated as things change during the
conference. It contains all of the maps and schedules so you can plan
your best DEF CON experience.

FORUM.DEFCON.ORG
No matter what part of the DEF CON
universe you’re interested in, you
should start at the DEF CON Forums.
With a forum account you can reach
out to a local DEF CON group, help
us plan future events or even chat with
other hackers. DEF CON’s heart is its
community, and the community meets
at the DEF CON Forums. Join us!

HTTPS://PLAY.GOOGLE.COM/
STORE/APPS/DEVELOPER?ID=
DEF+CON+COMMUNICATIONS,+INC.

8
 W0RKSH0PS SCH3DUL3
WORKSHOP REGISTRATION WAS HELD ONLINE JULY 5TH. THERE IS NO ONSITE
REGISTRATION. SIGNUP SHEET, AND ALL SEATS (INCLUDING STANDBY) ARE SOLD OUT. FOR
MORE INFO ON THE WORKSHOPS VISIT DEFCON.ORG. PRE-REGISTRATION WILL BE ONLINE
AGAIN FOR DEF CON 31!
THURSDAY
Goldfield + Tonopah Elko Ely Reno
Protect/hunt/respond with The Purple Malware Network Hacking 101 Hands-On TCP/IP Deep
10:00-14:00

Fleet and osquery Development Approach Dive with Wireshark - How

this stuff really worksRyan
Holeman

reno SILVER Ely Elko

House of Heap Exploitation Introduction to Azure Pentesting Industrial Control Introduction to Software
15:00-19:00

Security Finding Security Systems 101: Capture the Defined Radios and RF
Vulnerabilities Through Flag! Hacking
Fuzzing

FRIDAY
Elko Copper Ely Lake Tahoe Reno
Finding Security CICD security: A new Introduction to The Art of DFIR Against the
10:00-14:00

Vulnerabilities eldorado Cryptographic Modern Malware Digital Darkness: An

Through Fuzzing Attacks Analysis: Initial Intro to Forensicating
Infection Malware, Evil
Infrastructure, and C2
Frameworks

Elko Copper Ely Lake Tahoe Reno

Hand On Mainframe Hacking the Metal Securing Industrial From Zero To Hero In Securing Smart
15:00-19:00

Buffer Overflows - 2: Hardware and Control Systems from A Blockchain Security Contracts
RCE Edition the Evolution of C the core: PLC secure
Creatures coding practices

SATURDAY
Reno Silver Copper Ely Lake Tahoe
Windows Defence CTF 101: Breaking Pivoting, Tunneling, Master Class: Dig Dug: The Lost Art
10:00-14:00

Evasion and into CTFs (or “The and Redirection Delivering a New of Network Tunneling
Fortification Primitives Petting Zoo” - Master Class Construct in Advanced
Breaking into CTFs) Volatile Memory
Analysis for Fun and
Profit

Reno ELKO Copper SILVER Lake Tahoe

Securing Web Apps Creating and Hybrid Phishing Automated Evading Detection: A
uncovering malicious Payloads: From Debugging Under Beginner’s Guide to
15:00-19:00

containers Threat-actors to You The Hood - Building Obfuscation

A Programmable
Windows Debugger
From Scratch (In
Python)

9
10
11
 PARTI3S & M33TUPS
A RCADE PA RT Y
Party at Caesars Forum - 136, 104, 105
Saturday: 21:00 - 00:00
The Arcade Party is back! Come play your favorite classic arcade games
while jamming out to Keith Myers DJing. Your favorite custom built 16
player LED foosball table will be ready for some competitive games.
This epic party is hosted by the Military Cyber Professionals
Association (a tech ed charity) and friends.
More info: ArcadeParty.org (open to all DEF CON attendees)

B L A NK E TFO RT CO N
Party at Caesars Forum - 109-110
Saturday: 19:30 - 01:00
Blanket Fort Con: Come for the chill vibes and diversity, stay for the
Blanket Fort Building, Cool Lights, Music, and, Kid Friendly\Safe
environment. Now with less Gluten and more animal onesies!

B LU E TE A M VI L L AGE
Party at LINQ Pool
Pool Party - BTV’s Five Year Anniversary
This year BTV will be celebrating five years at DEF CON!!! Join
us Friday night 8pm-11pm at the LINQ pool. Libations will be
available at the cash bar. Free tacos, sliders, and other goodies.
Dual Core will be performing at 9pm!
We hope to see you during this special Homecoming event.

DC4 0 4/ DC678/ DC7 70/ DC470 (ATL A NTA

ME TRO) MEE TU P
Meetup at Caesars Forum - 109-110
Friday: 16:00 - 19:00
They say Atlanta is the city too busy to hate, but it also has too much
traffic for its widespread hacker fam to get together in a single meetup.
So instead we’re meeting up in the desert during DEF CON - the one
time of year when intown, northern burbs, south siders, and anyone
else connected to (or interested in!) DC404’s 20+ year legacy can
catch up, share stories, and make new connections. Come prepared
to share your interests, hacks, swag, stories, and good times!

DC70 2 PW N AGOTCHI PA RT Y
Meetup at Caesars Forum - 110
Thursday: 18:00 - 21:00
Join DC702 for a Pwnagotchi party. The DC702 team will be auctioning off
kits and donating the proceeds to the EFF, as well as providing instructions
and guidance for assembly. Everyone is welcome to come by, and if you
have your own assembled or unassembled kit, feel free to bring it!

12
DEFCO N HO L L A N D DC3115 & DC3120
GRO U P MEE TU P
Meetup at Bird Bar in Flamingo
Friday: 16:00 - 19:00
In The Netherlands it’s a tradition to catch up with your colleagues
just before the end of the workday on Friday when the weekend
starts to kick in. In The Netherlands this is called the “VrijMiBo”
(Vrijdag/Friday - Middag/Afternoon Borrel/Drink)
“VrijMiBo/Friday afternoon Drink” at DefCon is a perfect moment to talk
about what your favorite thing is at DefCon, show your cool handmade
badges, impress other hackers about your latest hacks, make new
friends, gossip about your boss and show your cat or dog pictures.
Vrijdag Middag Borrel, Freitag Mittags Getränk, Apéritif du
vendredi après-midi, trago de viernes por la tarde.

DENIA L , DECEPTIO N , A N D DRINKS WITH

MITRE ENGAGE
Meetup at Society boardroom
Saturday: 17:00 to 19:00
Interested in cyber denial, deception, and adversary
engagement? Come join the MITRE Engage team for
conversations, war stories, and cyber shenanigans.

FRIEN DS OF BI L L W
Meetup at Caesars Forum - Unity Room
Thursday: 12:00 / 17:00, Friday: 12:00 / 17:00,
Saturday: 12:00 / 17:00, Sunday: 12:00
For all those Friends of Bill W. looking for a meeting or just a
quiet moment to regroup, we have you covered with meetings
throughout #DEFCON - Noon & 5pm Thurs-Sat, Noon Sun.

GI RLS HACK VI L L AGE

Meetup at Caesars Forum - 409
Friday: 18:30 - 21:30
You miss 100% of the shots you don’t take’ - Wayne Gretzky’
-Michael Scott” - Girls Hack Village. This meetup will be a fun
networking event that gives attendees the opportunity to meet and
make connections. Are you awkward at social gatherings? Are
you the life of the party? We endeavor to create an environment
where those on either side and anywhere in between are welcome
and feel as though they belong. Want to grow your brand or just
make new Hacker Summer Camp friends? Come one, come all.

GI RLS HACK VI L L AGE 90 ’S HO US E PA RT Y

Party at Caesars Forum - 409
Saturday: 20:30 - 00:00
Nostalgia, maybe? I think so. In honor of DEF CON 30, we’re
throwing it back to the era of slow jams and house party mixtapes.
We’ll be playing everything from power ballads and rap to
r&b and pop. Do like Kris Kross and Jump on the opportunity
to have a good time with good people to good music.
13
 PARTI3S & M33TUPS
GOTHCO N (#DCGOTHCO N)
Party at Caesars Forum - 136, 104, 105
Friday: 21:00 - 02:00
Back for their 5th year, GOTHCON welcomes everyone to come
dance and stomp the night away at their Techno Coven. 9pm-2am
Friday Aug 12th. Follow @dcgothcon on twitter for updates and details
on location. All are welcome (except nazis), and dress however you
want - whatever makes you the most comfortable and happy.

HACK E R FL AI RGRO U N DS
Meetup at Caesars Forum - Accord Boardroom
Saturday: 20:00 - 22:00
The destination for badge collectors, designers, and hardware hacks
to celebrate the flashier side of DEF CON. It is a melding of the 1337
and the un1eet interested in hardware and IoT. We see #badgelife,
#badgelove, SAOs and badge hacking as a great potential for securing
IoT and keeping the power in the hands of the consumer by spreading
knowledge about the craft/trade. Those involved should be celebrated for
sharing their knowledge. Many of them do not like the limelight, so this
gives us a chance to personally say thank you in a chill environment.

HACK E R K A R AOK E
Meetup at Caesars Forum - 133
Friday: 19:30 - 02:00, Saturday: 19:30 - 02:00
For those who love to sing and perform in front of others,
we are celebrating our 14th year of Love, Laughter, and
Song from 8 PM to 2 AM Friday and Saturday night.
We are open to everyone of any age, and singing is not required.
For more information visit:
https://hackerkaraoke.org or Twitter @hackerkaraoke.

L AW YE RS MEE T
Meetup at Parlor D & The Veranda at Harrah’s
Friday: 18:00
If you’re a lawyer (recently unfrozen or otherwise), a judge
or a law student please make a note to join Jeff McNamara
for a friendly get-together, drinks, and conversation.

MEE T THE DIGITA L L AB AT CO NS UME R

REPO RTS
Meetup at Caesars Forum - Accord Boardroom
Friday: 17:00 - 20:00
Consumer Reports Digital Lab is a team of hackers, technologists
and advocates that break the products we use every day to identify
vulnerabilities that harm consumers. Come meet CR’s resident hackers
and learn how you can hack alongside us. We’ll be showcasing our
work in IoT, VPNs, and data rights and asking you how we can better
leverage our security testing and research to provoke industry change.

14
MEE T THE EFF
Meetup at Caesars Forum - 410
Saturday: 20:00 - 22:00
Join the Electronic Frontier Foundation - The leading non-profit fighting for
civil liberties in the digital world- to chat about the latest developments in
Tech and Law and how these can help each other to build a better future.
The discussion will include updates on current EFF issues such as
Disciplinary technologies, Stalkerware, LGBTQ+ Rights, Reproductive
Rights, drones, updates on cases and legislation affecting security
research, and law enforcement partnerships with industry.
Half of this session will be given over to question-and-answer, so
it’s your chance to ask EFF questions about the law and tech.

PI LOTS A N D HACK E RS MEE TU P

Meetup at Caesars Forum, Caucus & Society Boardrooms
Friday: 20:00 to 22:00
Aerospace Village presents....
Buzzing the tower – a Pilot / Hacker meetup
Whether you are a hacker, a pilot, or have an interest in either
you are welcome to join us at Buzzing the Tower, a meetup
hosted by the Aerospace Village. Come and relax, squawk with
others, and try your hand at our DEF CON 30 themed Flight Sim
challenge! So please stow your tray table in readiness for landing
at the destination favoured by pilots and hackers alike!

Q U EE RCO N MIXE R
Meetup at Caesars Forum - Chillout
Thursday: 16:00 - 18:00, Friday: 16:00 - 18:00, Saturday: 16:00 - 18:00
The lgbtqia+ community in InfoSec is throwing a party to bring our folk
together and have a good time. Meet others like you or hang out with
those you’ve met over the years. This is a safe and inclusive space meant
to make you feel comfortable and help you socialize with others like you.

Q U EE RCO N PA RT Y
Party at Caesars Forum - 108-110
Friday: 22:00 - 01:00
The lgbtqia+ community in InfoSec is throwing a party to bring our folk
together and have a good time. Meet others like you or hang out with
those you’ve met over the years. This is a safe and inclusive space meant
to make you feel comfortable and help you socialize with others like you.

VE TCO N
Party at Caesars Forum - 139, 106
Saturday: 21:00 - 02:00
Co-founded in 2018 by Jim McMurry and William Kimble, the founders
of Milton Security and Cyber Defense Technologies, respectively, the
VETCON conference is the official Veteran event of the DEFCON Hacker
Conference. VETCON, through its Discord server and in person events, we
connect and support veterans in the Information Security field. The event
is open to all DEFCON attendees with a focus on military veterans.
VETCON Is a Conference for Veterans, Run by Veterans,
During the Largest Hacker Conference, DEFCON
15
 VILLAG3S
A DV E RS A RY VILL AG E
Friday: 10:00 - 17:00, Saturday: 10:00
- 17:00, Sunday: 10:00 - 15:00
Location: Flamingo, Scenic Ballroom
Adversary Village is a community initiative which purely focuses
on Adversary simulation/emulation, threat/APT emulation,
Breach and adversarial attack simulation, supply chain security
simulation, adversary tactics, life, adversary philosophy,
survival skills and Purple teaming.Adversary Village will be
organizing technical talks, workshops, live demos, Adversary
Wars CTF, panel discussions and other hands-on activities
on adversary simulation, emulation and purple teaming.
This is different from any of what has been covered in the existing
villages, because our focus is on simulation of the actions of a threat actor or an adversary
and this being simulated here. As this domain matures, we anticipate active participation from
enterprises, as such simulations would help immensely towards internal capacity building
from having a “live fire” training opportunity. An increasing number of researchers too
are focusing on building tools and techniques for simulation of various adversarial actions
against an organization or Supply chain, instead of actual real-world exploitation.
The goal of the Adversary Village would be to build a vendor neutral open security
community for the researchers and organizations, who are putting together new means and
methodologies towards the simulation/emulation of adversary tactics then purple teaming.
Adversary Wars CTF
Adversary Village will be hosting a CTF named “Adversary Wars”, where
the participants will have to pose as adversaries and simulate adversarial
actions against each element of the dummy target organization.
Our end-goal is to build a CTF platform for adversary simulation/
emulation knowledge sharing and exercises.
Adversary Wars would have real world simulation CTF scenarios and challenges, where the
adversaries can simulate attacks and learn new attack vectors, TTPs, techniques, etc.
There would be combined exercises which include different levels
of threat/adversary emulation and purple teaming.
Adversary Simulator booth
Adversary Simulator booth has hands-on adversary emulation plans specific
to a wide variety of threat-actors, these are meant to provide the participant/
visitor with a better understanding of the Adversary tactics.
This is a volunteer assisted activity where anyone, both management and technical folks
can come-in and experience different categories of simulation, emulation and purple
scenarios. Adversary Simulator booth will be having a lab environment focused on
recreating enterprise infrastructure, aimed at simulation and emulating various adversaries.
Visitors will be able to view, simulate and control various TTPs used by adversaries.
The simulator is meant to be a learning experience, irrespective of whether one is
hands-on with highly sophisticated attack tactics or from the management.

A E ROS PAC E VILL AG E

Friday: 10:00 - 17:00, Saturday:
10:00 - 17:00, Sunday: 10:00 - 13:00
Location: Caesars Forum, Forum Ballroom 112-117
The aviation and space industries, security researchers, and the public share a common goal:
safe, reliable, and trustworthy aviation and space operations. For too long, negative perceptions
and fractured trust on all sides have held back collaboration between the aviation, space, and

16
security researcher communities that has advanced safety, reliability, and security of other
industries. As the traditional domains of aviation safety and cybersecurity increasingly overlap,
more effective collaboration between stakeholders ensures we will be safer, sooner, together.
Through the Aerospace Village, the security research community invites industry leaders,
researchers and academia interested in aviation and space security, safety, and resilience
to attend, understand, collaborate together to achieve our common goals. Empathy
and understanding build common ground, while acts and words likely to increase
division between these two communities undermine these efforts. The Aerospace Village
welcomes those who seek to improve aviation and space security, safety, and resilience
through positive, productive collaboration among all ecosystem stakeholders.
Our Goal
The Aerospace Village is a volunteer team of hackers, pilots, and policy advisors who come
from the public and private sectors. We believe the flying public deserves safe, reliable, and
trustworthy air travel which is highly dependent on secure aviation and space operations.
Our Mission
Create, sustain, and grow an inclusive community focused on aerospace cybersecurity;
Inspire the next generation of aerospace cybersecurity leaders;
Promote and develop aerospace cybersecurity expertise and knowledge.
The Aviation Village will do this by:
- Building connections, trust, and understanding among all Village participants.
- Developing aerospace security skills among DEF CON attendees
through workshops and hands-on activities.
- Promoting constructive dialog through talks and interaction.

AI VILL AG E
Friday: 10:00 - 17:00, Saturday: 10:00 - 17:00,
17:00 - 19:00 meetup, Sunday: 10:00 - 14:00
Location: Caesars Forum, Summit Ballroom 236
Artificial Learning techniques are becoming more prevalent in core
security technologies like malware detection and network traffic
analysis. Its use has opened up new vectors for attacks against non-
traditional targets, such as deep learning based image recognition
systems used in self driving cars. There are unique challenges in
defending and attacking these machine learning systems that the security community needs to be
made aware of. This AI Village will introduce DEF CON attendees to these systems and the state
of the art in defending and attacking them. We will provide a setting to educate DEF CON at
large through workshops and a platform for researchers in this area to share the latest research.
We will have talks from our CFP, tutorials, and trainings during the earlier part of each day. On
Friday, our afternoon sessions will focus on the ethical use of AI technologies unlying different
business activities and the policies around them. We have commitment from federal government
policymakers to attend and participate in the policy panel discussion. On Saturday, our focus
will be how AI and artists are hacking creative endeavors in the visual arts and music. This
will include a generative art workshop, a gallery showing, and a music performance from the
Dadabots. Sunday will contain more talks from our CFP and our ending talk about AI.

17
 VILLAG3S
A P P S E C VILL AG E
Friday: 10:00 - 17:00, Saturday: 10:00
- 17:00, Sunday: 10:00 - 14:00
Location: Flamingo, Twilight Ballroom
The first three AppSec Villages were a resounding success. We
learned that whether in person or online, our AppSec community
is fantastic. We are pumped to be back bigger and better.
Come immerse yourself in everything the world of application security
has to offer. Whether you are a red, blue, or purple teamer, come
learn from the best of the best to exploit software vulnerabilities and secure software. Software is
everywhere, and Application Security vulnerabilities are lurking around every corner, making the
software attack surface attractive for abuse. If you are just an AppSec n00b or launch deserialization
attacks for fun and profit, you will find something to tickle your interest at the AppSec Village.
Software runs the world. Everything from IoT, medical devices, the power grid, smart
cars, voting apps - all of it has software behind it. Such a variety of topics will be reflected
in our cadre of guest speakers representing all backgrounds and walks of life.
AppSec Village welcomes all travelers to choose from talks by expert community members, an all
AppSec-focused CTF, contests that challenge your mind and your skillz, and more. Bring your thirst
for knowledge and passion for breaking things, and your visit to AppSec Village will be a thrill!

BIO HACK IN G
VILL AG E
Friday: 10:00 - 18:00,
Saturday: 10:00 - 18:00,
Sunday: 10:00 - 13:00
Location: Flamingo, Laughlin I,II,III
DEVICE LAB: The highly-collaborative environment builds health care, connecting
security researchers, manufacturers, clinicians, and regulators, to learn from each other
and develop skills, codifying best practices and paths for high fidelity cyber safety.
SPEAKER LAB: Speakers foster critical thinking, problem solving, human interaction literacy,
ethics debates, creativity, and collaboration. Subject matter experts and researchers share
the future of their research, reflecting the biological technologies and emerging threats.
CATALYST LAB: Providing interaction with thought leaders from the medical device
and citizen science communities through training and hands-on workshops and solutions
design, to cover the entirety of the biomedical device and security ecosystem.
CAPTURE THE FLAG: Featuring the virtual learning environment of St. Elvis Hospital, the CTF offers
protocol, regulatory, and biological challenges to access and assess vulnerabilities in real devices.
TABLE TOP EXERCISES: Discussion-based sessions of increasing complexity and difficulty
regarding vulnerabilities in a series of Machiavellian healthcare industry scenarios

18
 B L ACK S IN C YB E RS E CU RIT Y
VILL AG E
Friday: 10:00 - 16:00, Saturday:
10:00 - 16:00, Sunday: -
Location: Flamingo, Twilight Ballroom
The Blacks In Cybersecurity (B.I.C.) Village seeks to bring culturally
diverse perspectives to the holistic Cybersecurity community; by
way of a series of talks and a capture the flag event. In providing
these activities, we hope to help highlight Black experiences,
innovations in the field, Black culture and educate the community about Black history.
In doing this, we believe that we can better educate and normalize the discussion of deficiency or
prejudices in Cybersecurity education/development for minority communities. We also believe this
effort can be translated to aid in eradication of these issues in the Cybersecurity and Hacker/Maker
community and allow for more diverse hobbyists and professionals to engage and contribute.

B LU E TE A M VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Flamingo, Savoy Ballroom
Welcome to the other side of the hacking mirror. Blue Team Village (our
friends just call us BTV) is both a place and a community built by defenders
for defenders. It’s a place to gather, talk, share, and learn from each
other about the latest tools, technologies, and tactics that our community
can use to detect attackers and prevent them from achieving their goals.
This year BTV will be running a series of hands-on workshops and
panel discussions that are part of BTV’s Project Obsidian project.
Project Obsidian is an immersive, defensive cybersecurity
learning experience that provides attendees with the opportunity to gain knowledge
of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM),
Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH). Deep dive into technical
topics through workshops and exercises that provide practical hands-on experience across
each discipline. Workshops provide the training necessary to help attendees develop
skills needed to be successful in their current and/or future role in cybersecurity.
Two of the most important takeaways we highlight is how to strategically approach a task and
the operational processes that support the goals and objectives behind each task. Knowing
ʻhow’ to do something is only part of the challenge. Knowing ʻwhen’ and ʻwhy’ to perform
certain tasks adds the required context for developing the full story of defensive security.
Sunday will include a recap and discussion on how we created three killchains that our redteam
executed for Project Obsidian. We’ll also discuss our approach and provide a behind-the-scenes
look at all the things that went into building content for Project Obsidian. Everything built for
Project Obsidian, from the ansible scripts used to build the infrastructure to the source code used
to develop our malware emulation programs will be provided to the community under the Creative
Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) license.

19
 VILLAG3S
C A R HACK IN G VILL AG E
Friday: 10:00 - 17:00, Saturday: 10:00
- 17:00, Sunday: 10:00 - 12:00
Location: Caesars Forum,
Forum Ballroom 124-128
Learn, hack, play. The Car Hacking Village is an
open, collaborative space to hack actual vehicles
that you don’t have to worry about breaking! Don’t
have tools? We’ll loan you some. Never connected
to a car? We’ll show you how. Don’t know where the
controllers are? We’ll show you how to take it apart.
Check out CarHackingVillage.com or @CarHackVillage on Twitter for up-to-date information.
Want to learn more about automotive hacking and cyber security? Check
out our Discord server - https://discord.gg/JWCcTAM
We’ll also have a Car Hacking CTF which allows one to challenge their
automotive security skills. Come learn, hack and play!

C LO U D VI LL AG E
Friday: 10:00 - 17:00, Saturday: 10:00
- 17:00, Sunday: 10:00 - 13:00
Location: Flamingo, Scenic Ballroom
With the industry shifting towards cloud infrastructure at a
rapid speed, the presence of an open platform to discuss
and showcase cloud research becomes a necessity.
Cloud village is an open platform for researchers interested in the area of cloud security. We plan
to organize talks, tool demos, CTF, and workshops around Cloud Security and advancements.
Our CTF will be a jeopardy style 2.5 days contest where participants will have
to solve challenges around Cloud infrastructure, security, recon, etc. These
challenges will cover different cloud platforms including AWS, GCP, Azure, Digital
Ocean, Alibaba, etc. We will also reward our top 3 teams with awards.

C RYP TO P RIVAC Y
VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Flamingo, Vista Ballroom
Crypto & Privacy Village helps bring cryptography &
privacy knowledge and practical skills to the hacker
community. Learn how to secure your own systems while picking up some tips and tricks on
how to break classical and modern encryption. CPV features workshops and talks on a wide
range of cryptography and privacy topics from experts. We’ll also have some Crypto 101 talks,
crypto-related games and puzzles, as well as running our imfamous Goldbug Challenge.

20
DATE DU P LIC ATION VILL AG E
Thursday: 16:00 - 19:00 Dropoff, Friday:
10:00 - 17:00, Saturday: 10:00 - 17:00,
Sunday: 10:00 - 11:00 Pickup
Location: Flamingo, exec conf ctr,
Lake Meade and Valley of Fire
The Data Duplication Village is ready for DC 30! We have all the
updated bits and bytes available from infocon.org packed up into
nice, neat packages. If you’re looking for something to fill up all
your unused storage, we have a few nice hash tables and all of
the DefCon talks. Add to that just about every other security con
talk known to human-kind! We provide a “free-to-you” service
where of direct access to terabytes of useful data to help build those hacking skills.
Check the schedule and/or dcddv.org for the most up-to-date information.
HOW IT WORKS
The DDV provides a core set of drive duplicators and data content options. We accept 6TB and
larger drives on a first come, first served basis and duplicate ʻtill we can no longer see straight.
Bring in your blank SATA3 drives - check them in early - to get the data you want. Come back
in about 24 hours to pick up your data-packed drive. Space allowing, we’ll accept drives all
the way through until Saturday morning - but remember, it’s FIFO - get those drives in early!
WHAT YOU GET
We’re working on more content right up until the last minute but for dc29, we provided:
- 6TB drive 1-3: All past hacking convention videos that DT could find, built on last years collection
and always adding more for your data consuming appetite.
- 6TB drive 2-3: freerainbowtables.com hash tables (1-2)
- 6TB drive 3-3: GSM A5/1 hash tables plus remaining freerainbowtables.com data (2-2)
The DC 30 content will be posted at dcddv.org once finalized
DT and KnightOwl post the up-to-date details in the DC Forum thread and you
are encouraged to ask any questions you have there as con approaches.

GI R L S HACK VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Flamingo, Virginia City III
Girls Hack Village seeks to bring gender diverse perspectives of the
contributions, perspectives, and issues facing women/girl hackers.
It is a space to discuss issues affecting girls in cybersecurity and will
include Talks, Hands on Workshops, and Discussion Panels. The village
will also be having a networking event and a 90s house party.
Conference Day 1
Friday, August 12, 2022
Intro: Girls Hack Village Welcome- Tennisha Martin
Keynote 1: Mary Chaney
Workshop 1: Intro to CTF
LUNCH
Panel 1: Leading the Way – Mari Galloway, Tennisha Martin, Rebekah Skeete, Tayla Parker,
Monique Head, Eric Belardo, Yatia Hopkins: Moderator - Alshlon Banks
Session 1: First Year 1&2- Tasha Halloway & Crystal Phinn

21
 VILLAG3S
Workshop 2: Network Penetration Testing
Session 2: First Year 3 -Slam
Session 3: Varsity 1 – Melissa Miller
Session 4: Upper Class- Chantel Simms aka Root
Party: Shoot your Shot Networking
Conference Day 2
Saturday, August 13, 2022
Keynote 2: Yatia ( Tia) Hopkins
Session 5: Upperclassmen 1- Tanisha O’Donoghue
Session 6: Varsity 2- Saman Fatiman
Session 7: Upperclass 2 - Katorah Williams
Session 8: Upperclass 3- Ebony Pierce
LUNCH
Panel 2: Hacking Diversity – Tracey Z. Maleeff, Tennisha Martin, Rebekah Skeete, Tayla Parker,
Ebony Pierce, Melissa Miller, Sonju Walker: Moderator - Tessa Cole
Workshop 3: Protect the Pi
Session 8: Upperclass 4- Rebekah Skeete
Session 9: Varsity 3 – Tracy Z. Maleeff
Session 10: Upperclass 5- Tessa Cole
Closing: - Tennisha Martin
Party: 90s House Party
Conference Day 3
Sunday, August 14, 2022
Workshop 4: Mobile Penetration Testing

HA M R A DIO VILL AG E
Friday: 9:00 - 18:00, Saturday: 9:00
- 18:00, Sunday: 10:00 - 12:00
Location: Flamingo, Virginia City I, II
Ham radio isn’t just what your grandpa does in the shed
out back. Radios are an important piece of technology we
use everyday, and amateur (“ham”) radio has been at the
forefront of its development since day one -- we are some
of the original hardware hackers! DIY, exploration, and
sharing has always been a vital part of our community and the goal of Ham Radio Village is
to nurture this growth into the next generation with all of the amazing people at DEF CON.
Our village will have demos, talks, presentations, and of course, free license exams!
So come visit Ham Radio Village to learn more about the hobby, including how antennas
work (and how to build your own), how to actually use that software defined radio sitting
on the shelf, how to trackdown a rogue transmitter with a handheld radio, and how you can
*legally* transmit 1,500 Watts into the airwaves after taking a simple multiple-choice test!

22
 HA RDWA R E HACK IN G
VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 13:00
Location: Flamingo, exec conf
ctr, Red Rock VI, VII, VII
Every day our lives become more connected to consumer
hardware. Every day the approved uses of that hardware
are reduced, while the real capabilities expand. Come discover
hardware hacking tricks and tips regain some of that capacity, and
make your own use for things! We have interactive demos to help you learn new skills. We have
challenges to compete against fellow attendees. We have some tools to help with your fever
dream modifications. Come share what you know and learn something new. Details @ dchhv.org

IC S VI LL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Caesars Forum, Alliance
Ballroom 314 - 319
| Mission. ICS Village is a non-profit organization with the
purpose of providing education and awareness of Industrial
Control System security. Connecting public, industry,
media, policymakers, and others directly with ICS systems
and experts. Providing educational tools and materials to
increase understanding among media, policymakers, and
general population. Providing access to ICS for security
researchers to learn and test.Hands on instruction for industry to defend ICS systems.
Why. High profile Industrial Controls Systems security issues have grabbed
headlines and sparked changes throughout the global supply chain. The ICS
Village allows defenders of any experience level to understand these systems and
how to better prepare and respond to the changing threat landscape.
Exhibits. Interactive simulated ICS environments, such as Hack the Plan(e)t and Howdy Neighbor,
provide safe yet realistic examples to preserve safe, secure, and reliable operations. We bring
real components such as Programmable Logic Controllers (PLC), Human Machine Interfaces
(HMI), Remote Telemetry Units (RTU), actuators, to simulate a realistic environment throughout
different industrial sectors. Visitors can connect their laptops to assess these ICS devices
with common security scanners, network sniffers to sniff the industrial traffic, and more!
The Village provides workshops, talks, and training classes.

IOT VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Caesars Forum, Alliance
Ballroom 310, 320
IoT Village advocates for advancing security in the Internet of
Things (IoT) industry through bringing researchers and industry
together. IoT Village hosts talks by expert security researchers,
interactive hacking labs, live bug hunting in the latest IoT tech, and
competitive IoT hacking contests. Over the years IoT Village has served as a platform to showcase

23
 Friday 1000 - 1800 | Saturday 1000 - 1800 | Sunday 1000 - 1300
For scehdules and other info: https://www.wallofsheep.com/pages/dc30
The Packet Hacking Village at DEF CON provides a learning experience for people of all skill levels, from absolute
beginners to seasoned professionals. We host practical training, network forensics and analysis games, and the renowned
Capture The Packet event, which has been a Black Badge contest over 10 times and draws the best of the best elite hackers
from around the world. Our mission has always been simple: to teach people good internet safety practices, and to provide
an atmosphere that encourages everyone to explore and learn. Everyone is welcome, period - regardless of industry or
experience. And when it’s time to relax and escape the convention craziness, our DJs provide a chill atmosphere while they
spin for the crowd in an open lounge area.

Wall Of Sheep
An interactive look at what can happen when you let your guard down on public networks, the infamous Wall of Sheep
passively monitors the DEF CON network looking for traffic utilizing insecure protocols. Drop by, hang out, and see for yourself
just how easy it can be! We strive to educate the “sheep” we catch, and provide a good-natured reminder that security
matters, and someone is always watching.

Wall of Sheep DJ Community - WoSDJCo

Come chill with us while we play all your favorite deep tracks,
underground house, techno, psytrance, dubstep yodeling, breaks, and
DnB beats mixed live all weekends. Chill and enjoy the sick beats and ill
stylings of our talented hacker DJs while you hack all the things. Check
website for schedule.

D J C o | Wa l l o f
OS Sh
|W ee
s
p

p
ho

|C
ks

ap
l k t h r o u gh Wor

tur
e The Pack

@wallofsheep

@capturetp
a

e
|W

t |P
o r

a
ct

ke
tD e
ete I n sp
ctive | Packet
 The Packet Hacking Village offers a revolving series of Walkthrough Workshops for people of all ages and skills, where
participants will take a deep dive into a variety of topics. Join the self-guided journey to learn about topics like honeypots,
botnets, RegEx, and more guided by our expert mentors! Check website for schedule of activities.

Capture The Packet - CTP

Come compete in the world’s most challenging cyber defense competition based on the Aries Security Cyber Range,
which DT has honored as a Black Badge event over 10 years. Tear through the challenges, traverse a hostile enterprise class
network, and diligently analyze your findings in order to make it out unscathed. Glory and prizes await those that emerge
victorious from this upgraded labyrinth, and only the best prepared and battle hardened will escape the fiendish crucible.
Follow us on Twitter at @Capturetp for the latest information on competition dates and times, as well as prizes.
Teams consist of up to 2 players and can register at the CTP table in the Packet Hacking Village.

Packet Inspector - Beginner/Intermediate

The perfect introduction to network analysis, sniffing, and forensics. Do you want to understand how hackers tap into
a network, steal passwords, and listen to conversations? Packet Inspector is your boot camp! Using a license of the world
famous Capture The Packet engine from Aries Security, we teach hands-on skills in a controlled real-time environment.
Join us in the Packet Hacking Village to start your quest towards getting a black belt in Packet-Fu.

Packet Detective - Intermediate/Advanced

Ready to upgrade your skills or see how you would fare in Capture The Packet? It’s time to play Packet Detective. A step
up in difficulty from Packet Investigator, Packet Detective will test your network hunting abilities t with real-world scenarios
at the intermediate level. Improve your network mastery in a friendly environment, learn from mentors and peers, and take
another step closer to preparing yourself for the highly competitive Capture The Packet contest.
 VILLAG3S
and uncover hundreds of new vulnerabilities, giving attendees the opportunity to learn about
the most innovative techniques to both hack and secure IoT. IoT Village is organized by security
consulting and research firm, Independent Security Evaluators (ISE), and Loudmouth Security.
Follow both ISE (@ISEsecurity) and IoT Village (@IoTvillage) on Twitter for updates.

LO CK PICK VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 13:00
Location: Caesars Forum, Summit Ballroom 235
Want to tinker with locks and tools the likes of which you’ve
only seen in movies featuring police, spies, and secret
agents? Then come on by the Lockpick Village, run by The
Open Organization Of Lockpickers, where you will have the
opportunity to learn hands-on how the fundamental hardware
of physical security operates and how it can be compromised.
The Lockpick Village is a physical security demonstration and participation area. Visitors can
learn about the vulnerabilities of various locking devices, techniques used to exploit these
vulnerabilities, and practice on locks of various levels of difficultly to try it themselves.
Experts will be on hand to demonstrate and plenty of trial locks, pick tools, and other devices
will be available for you to handle. By exploring the faults and flaws in many popular lock
designs, you can not only learn about the fun hobby of sport-picking, but also gain a much
stronger knowledge about the best methods and practices for protecting your own property.

MIS IN FO R M ATION
VI LL AG E
Friday: 10:00 - 18:00, Saturday:
10:00 - 18:00, Sunday: -
Location: Caesars Forum, Summit Ballroom 218,236
Cognitive security is the application of information security principles, practices, and
tools to misinformation, disinformation, and influence operations. Cognitive Security
takes a socio-technical lens to high-volume, high-velocity, and high-variety forms of
“something is wrong on the internet”. Cognitive security can be seen as a holistic view
of disinformation and misinformation from a security practitioner’s perspective”.
MisinfoCon is a global movement focused on building solutions to promote online
trust, boost research and raise the profile of reliable and credible information.
The MisinfoCon event series are a learning, social and network opportunities for the
industry to come together and address the challenges of misinformation in all of its forms
and interdisciplinary domains. The first MisinfoCon was held at MIT in 2017. 5 years
later, we have hosted 8 MisininfoCon’s in Europe and the USA. This MisinfoCon 9.0. will
feature important sessions that advance our understanding of new content moderation
policies, regulating disinformation, protecting democratic elections and building trust.

PACK E T HACK IN G VILL AG E

Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Caesars Forum, Acadamy Ballroom 411-414, 420

26
 PA S S WO R D VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Caesars Forum, Summit Ballroom 221
The Password Village provides training, discussion, and hands-
on access to hardware and techniques utilized in modern
password cracking, with an emphasis on how password
cracking relates to your job function and the real world . No
laptop? No problem! Feel free to use one of our terminals
to access a pre-configured GPGPU environment to run
password attacks against simulated real-world passwords.
Village staff and expert volunteers will be standing by to assist you with on-the-spot training
and introductions to Hashcat, as well as other FOSS cracking applications. Already a
password cracking aficionado? Feel free to give a lightning talk, show off your skills, help a
n00b learn the basics, or engage in riveting conversation with other password crackers.

PAYM E NT VI LL AG E
( VI RTUA L ON LY )
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Virtual ONLY - Discord channels
Payment technologies are an integral part of our lives, yet few
of us know much about them. Have you ever wanted to learn
how payments work? Do you know how criminals bypass security
mechanisms on Point of Sales terminals, ATM’s and digital wallets?
Payment technologies are an integral part of our lives, yet few of us know much about them.
Have you ever wanted to learn how payments work? Do you know how criminals bypass
security mechanisms on Point of Sales terminals, ATM’s and digital wallets? Come to the Payment
Village and learn about the history of payments. We’ll teach you how hackers gain access to
banking endpoints, bypass fraud detection mechanisms, and ultimately, grab the money!

PHYS IC A L S E CU RIT Y
VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Caesars Forum, Summit Ballroom 201-202
The Physical Security Village (formerly known as the Lock Bypass
Village) explores the world of hardware bypasses and techniques
generally outside of the realm of cyber security and lockpicking. Come
learn some of these bypasses, how to fix them, and have the opportunity to try them out for yourself!
We’ll be covering the basics, including the under-the-door-tool and latch slipping
attacks, as well as an in-depth look at more complicated bypasses. Learn about
elevator hacking, try out alarm system attacks at the sensor and communication
line, and have an inside look at common hardware to see how it works..
No prior experience or skills necessary - drop in and learn as much or as little as you’d like!
Looking for a challenge? Show us you can use lock bypass to escape from a
pair of standard handcuffs in under 30 seconds and receive a prize!

27
 VILLAG3S
P O LIC Y@ DE FCON .O RG
Friday: 10:00 - 18:00, Saturday: 10:00 - 18:00, Sunday: 10:00 - 15:00
Location: Caesars Forum, Summit Ballroom 224-227
Interested in the cutting edge of hacking technology and its policy implications? Interested
in talking with policy folks wanting an honest assessment of what is possible?
Hackers are early users and abusers of technology, and that technology is now critical to modern life.
As governments make policy decisions about technology hackers, researchers and academics need to
be part of that conversation before the decisions are made, and not after policies are implemented.
To do that DEF CON is a place for everyone on the policy and technology spectrum
to interact, learn from each other, and improve outcomes. As with previous
years, the Policy Team will be supporting DEF CON 30 in several ways:
1. By helping the policy community register for the event and orient themselves with the
opportunities to participate and join the conversation.
2. By building connections with technical and policy experts.
3. By providing opportunities for those interested in learning more about the challenges at the
intersection of policy and technology.
Our Policy program will consist of Main stage presentation and panels, daytime
sessions in our policy track, and some evening lounges that will provide an off the
record and more intimate setting to have policy-focused conversations.

Q UA NTUM VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Caesars Forum, Summit Ballroom 217
!! CALLING ALL QUANTUM HACKERS !!
Q-Day is coming! Or is it…?
Welcome to DEF CON’s inaugural Quantum Village. At QV we want you to come and engage with,
explore, and discuss quantum technologies, and we have brought a few for you to play with, too!
We have a track of talks and workshops, and hands-on interactive ways you will learn how to use
(and hack) quantum tech. Come and play with quantum computers, learn about quantum sensors,
and see that you don’t need a PhD in physics to write quantum software (and maybe exploit it)!!

R A DIO FR EQU E N C Y VILL AG E

Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Flamingo, Eldarado Ballroom
After 14 years of evolution, from the WiFi Village, to the Wireless
Village, RF Hackers Sanctuary presents: The Radio Frequency Village
at DEF CON 30. The Radio Frequency Village is an environment where people come to learn
about the security of radio frequency (RF) transmissions, which includes wireless technology,
applications of software defined radio (SDR), Bluetooth (BT), Zigbee, WiFi, Z-wave, RFID, IR
and other protocols within the usable RF spectrum. As a security community we have grown
beyond WiFi, and even beyond Bluetooth and Zigbee. The RF Village includes talks on all
manner of radio frequency command and control as well as communication systems.
While everyone knows about the WiFi and Bluetooth attack surfaces, most of us rely on many
additional technologies every day. RF Hackers Sanctuary is supported by a group of experts in the
area of information security as it relates to RF technologies. RF Hackers Sanctuary’s common purpose
is to provide an environment in which participants may explore these technologies with a focus on

28
improving their skills through offense and defense. These learning environments are provided in the
form of guest speakers, panels, and Radio Frequency Capture the Flag games, to promote learning
on cutting edge topics as it relates to radio communications. We promise to still provide free WiFi.
https://rfhackers.com/the-crew
Speaker and contest schedule can be found on our website:
https://rfhackers.com/calendar
Co-located with the RF Village is the RF Capture the Flag. Come for
the talks, stay for the practice and the competition.

R E CON VI LL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 13:00
Location: Linq, 3rd flr Social B and C
Recon Village is an Open Space with Talks, Live Demos, Workshops,
Discussions, CTFs, etc. with a common focus on Reconnaissance.
The core objective of this village is to spread awareness about the
importance of reconnaissance, open-source intelligence (OSINT) and demonstrate how even a small
information about a target can cause catastrophic damage to individuals and organizations.
As recon is a vital phase for infosec as well as investigations, folks should definitely have this
skill set in their arsenal. People should check out Recon Village, as they get to learn novel
osint / recon techniques, play hands-on CTF, and most of all, have fun. At RV, we keep things
simple and the focus is on generating quality content using talks, CTF, hackathons, etc.
We will also have our Jeopardy Style OSINT CTF Contest throughout the Village timings. Based on
the feedback from last year, we plan to make the CTF more challenging this year. The challenges will
be around harvesting information about target organizations, their employee’s social media profiles,
their public svn/gits, password breach dumps, darknet, paste(s) etc. followed by active exploitation,
bug hunting, investigation and pentest scenarios of virtual targets. All the target organizations,
employees, servers, etc. will be created by our team and hence will not attract any legal issues.
Similar to the previous years, there will be Awesome rewards for CTF winners, along with free
t-shirts, stickers, village coins, and other schwag which attendees can grab and show off.
Guess what! our Badge will also be more interesting this time and as usual, it will be free.

R E D TE A M VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 13:00
Location: Flamingo, Mesquite Ballroom
The Red Team Village is focused on training the art of critical
thinking, collaboration, and strategy in offensive security. The
RTV brings together information security professionals to share
new tactics and techniques in offensive security. Hundreds of
volunteers from around the world generate and share content with
other offensively minded individuals in our workshops, trainings, talks, and conferences.

29
 VILLAG3S
R E TAI L HACK IN G
VILL AG E
Friday: 10:00 - 18:00, Saturday:
10:00 - 18:00, Sunday: 10:00 - 15:00
Location: Caesars Forum, Alliance Ballroom
320
Cha-ching. Love it or not we are surrounded by retail, be a point of sale systems, grocery
stores, clothing stores, and more. At the Retail Hacking Village, you will be able to lay hands
on retail technology such as point of sale units, electronic tags and systems, and more. And,
we can dig in and explore retail talks, with insiders showing you a glimpse into this industry.

RO G U E S VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Linq, 3rd flr Evolution
Rogues Village is a place to explore alternative approaches
and uses for security concepts, tools, and techniques by
looking to non-traditional areas of knowledge. Incorporating
expertise from the worlds of magic, sleight of hand, con games,
and advantage play, this village has a special emphasis on
the overlap between Social Engineering, Physical Security, and Playful Mischief.

S K Y TA LK S 3 0 3
Friday: 08:30-
18:30, Saturday: 08:30-18:30, Sunday: 08-30-14:00
Location: Linq, 5th flr BLOQ
Since DEF CON 16, Skytalks has been proud to bring you Old School DEF CON in a non-
recorded, off-the-record track. Talks include technical deep dives, off-the-beaten path
discussions, name-and-shame rants, cool technology projects, and plenty of shenanigans.
We pride ourselves on a simple creed: “No recording. No photographs. No bullshit.”

S O CIA L E N GIN E E RIN G

COM MU NIT Y
Friday: 10:00 - 19:00, Saturday: 10:00
- 19:00, Sunday: 10:00 - 15:00
Location: Linq, 3rd flr Social A
The Social Engineering Community is formed by a group of individuals
who have a passion to enable people of all ages and backgrounds
interested in Social Engineering with a venue to learn, discuss,
and practice this craft. We plan to use this opportunity at DEF CON to present a community
space that offers those elements through panels, presentations, research opportunities, and
contests in order to act as a catalyst to foster discussion, advance the craft and create a space
for individuals to expand their network. DEF CON attendees can either participate in these
events (watch for our Call for Papers, Call for Contestants, Call for Research, etc.), or they

30
can watch the events unfold and learn about Social Engineering as an audience member.
JC and Snow plan to accomplish the above by bringing together passionate individuals to have a
shared stake in building this community. To do this, positions which can be rotated such as judges,
coaches, speakers and panelists will be offered to different community members each year allowing
for new faces and ideas so that more individuals have an opportunity to give back equally. You can
stay up-to-date with the SE Community by visiting our Twitter account https://twitter.com/sec_defcon

S O LDE R S K ILL S VILL AG E

Friday: 10:00 - 18:00, Saturday: 10:00 - 18:00, Sunday: 10:00 - 13:00
Location: Flamingo, exec conf ctr, Red Rock I, II, III, IV, V
Have you ever fused metal to create electronic mayhem? Do you want to learn? Travel too far
to take your solder tools with you? Hotel take your irons cause they thought it was a fire risk?
Come on over to the Solder Skills village. We have irons and supplies. Volunteers (and some
attendees) help teach, advise or just put out fires. We aim to grow the skill-set of the community
and overcome inhibitions to this most basic skill to make electronic dreams happen.

TA M P E R E VIDE N C E VILL AG E
Friday: 10:00 - 18:00, Saturday: 10:00 - 18:00, Sunday: 10:00 - 13:00
Location: Caesars Forum, Summit Ballroom 235
“Tamper-evident” refers to a physical security technology that provides evidence of tampering
(access, damage, repair, or replacement) to determine authenticity or integrity of a container
or object(s). In practical terms, this can be a piece of tape that closes an envelope, a
plastic detainer that secures a hasp, or an ink used to identify a legitimate document.
Tamper-evident technologies are often confused with “tamper resistant” or “tamper proof”
technologies which attempt to prevent tampering in the first place. Referred to individually
as “seals,” many tamper technologies are easy to destroy, but a destroyed (or missing) seal
would provide evidence of tampering! The goal of the TEV is to teach attendees how these
technologies work and how many can be tampered with without leaving evidence.

VOTIN G M ACHIN E VILL AG E

Friday: 10:00 - 18:00, Saturday: 10:00
- 18:00, Sunday: 10:00 - 15:00
Location: Caesars Forum, Alliance
Ballroom 313-314, 320
Voting Machine Village explores all aspects of election
security and works to promote a more secure democracy.

31
 DEF CON CTF powered by

NAUTILUS INSTITUTE
After a spectacular run by the Order of the Overflow, the
Nautilus Institute is looking forward to bringing you the future
of DEF CON Capture The Flag: three days of attack-defense
action with sixteen of the best hacking teams in the world.
Our teams will be reverse engineering, pwning, and pushing
other hackers off their boxes in a head to head computing
competition to directly demonstrate effective exploitation for
the future.

How to Qualify
DEF CON CTF is a popular contest. Over 1200 teams played
in DEF CON CTF Qualifiers in May, with over 200 solving
two or more challenges. We qualified last year’s champions,
Katzebin, and 15 of the top quals teams.
Our competitors hacked their way through an ARM trustzone
applet, dug deep into the Missouri Encryption Standard
(base64, of course), and pieced together a flag by reverse
engineering 24,315 binaries for 16 different architectures.
Interested in bringing a team to DEF CON 31? Study up on
previous DEF CON CTF challenges, perfect your techniques,
and stay tuned for news about how to qualify in 2023.

Game schedule, Scores, and More

https://nautilus.institute
 Quals Scores
2649
perfect r✪✪✪t
Spectating CTF 2303
[email protected]
Visit the CTF room to take 2069
The Duck
in the ambience of the 1921
contest. CTF is a marathon, Sauercloud
1889
not a sprint, so the vibes in Water Paddler
1829
the room may shift as the PTB_W TL
1823
contest progresses through ./V /home/r/.bin/tw
1722
Sunday. Straw Hat
1567
PPP
Enjoy yourself, learn about 1556
Katzebin
the game, but please be 1489
StarBugs
respectful! The competitors 1388
Shellphish
have worked very hard to 1311
r3kapig
qualify, and distractions 1287
DiceGuesser
may not be appreciated. 1151
OSUSEC
If you have questions the new organizers
1148
about CTF, members of 侍
1128
the Nautilus Institute can More Bush Smoked Whack
ers 1084
probably help you with mhackeroni
1054
answers! 1054
0xEA

Brighter Tomorrows
We’re excited to be making the world of DEF CON CTF a
better place. As we grow, we hope to allow more disciplines
to flex at CTF, and we hope you’ll be a part of that. Thank you
to the CTF and DEF CON communities for this incredible
opportunity. We hope to build a bright future for you to break.

Announcements and News

https://twitter.com/nautilus_ctf
 C0NT3STS & EV3NTS
A L PAC@TAC K
In-person Contest
Alpac@tack is an interactive defense simulation
suite, which challenges participants to
apply a wide variety of tools, knowledge
and problem-solving skills to assess
network and log activity, and build threat
intelligence in a honeypot environment.
Unlike most Defcon contests, Alpac@tack
provides a unique opportunity for participants to
develop and hone a more holistic skill set when
it comes to threat assessment. Other contests
will focus on breaking machines or defending
systems from a particular threat, where Alpac@
tack presents a leveled-up experience and
challenges attendees to evaluate whether the
honeypot is under attack, and if so, by what.
Teams achieve success during the contest by
expeditiously analyzing activity and accurately
identifying threats. Every team will be presented
with a graph and a set of tools––the game
platform––including Wireshark, Suricata,
Velociraptor, and Wazuh, which will act as their
source of truth for analyzing network and logging
activity in the honeypot. The graph will update
every 5 seconds, reflecting events and packets
on ports and services. Participant teams must
then select and leverage the appropriate tools to
investigate and determine whether the incident is
a benign anomaly or an attack. For each event
and packet cataloged in the game platform, the
team submits a report classifying the activity.
While Alpac@tack is designed for players with
some degree of literacy in defense systems, we
will offer an associated workshop to provide
an overview of the relevant systems and
technologies the day prior to the contest with
the goal of lowering the barrier to entry. So,
if you’re a beginner––or just a little rusty––
don’t be discouraged! Alpac@tack is for you!
AU TODR IVIN G C TF  to autonomous driving in a well-controlled,
Hybrid Contest
#Overview
Last year, we organized the AutoDriving CTF as
an official contest of DEF CON 29 (https://forum.
defcon.org/node/237292) and did reasonably
well: more than 100 teams participated and 93
teams had valid scores. Last year, due to the
pandemic, the contest was online only with on-site
demonstrations. All the challenges were deployed
34
in 3D simulators. This year, we propose a hybrid
event with in-person challenges on-site. We also
plan to introduce some new challenges with real
vehicles involved, in addition to those based
on autonomous driving simulators. We hope
to continue the engagement with the hacking
community to raise the awareness of real-world
security challenges in autonomous driving.
The AutoDriving CTF contest focuses on the
emerging security challenges in autonomous
driving systems. Various levels of self-driving
functionalities, such as AI-powered perception,
sensor fusion and route planning, are entering
the product portfolio of automobile companies.
From the security perspective, these AI-powered
components not only contain common security
problems such as memory safety bugs, but
also introduce new threats such as physical
adversarial attacks and sensor manipulations.
Two popular examples of physical adversarial
attacks are camouflage stickers that interfere
with vehicle detection systems, and road graffitis
that disturb lane keeping systems. The AI-
powered navigation and control relies on the
fusion of multiple sensor inputs, and many of the
sensor inputs can be manipulated by malicious
attackers. These manipulations combined
with logical bugs in autonomous driving
systems pose severe threats to road safety.
We design autonomous driving CTF
(AutoDriving CTF) contests around the
security challenges specific to these self-
driving functions and components.
The goals of the AutoDriving
CTF are the followings:
- Demonstrate security risks of poorly designed
autonomous driving systems through hands-
on challenges, increase the awareness
of such risks in security professionals,
and encourage them to propose defense
solutions and tools to detect such risks.
- Provide CTF challenges that allow players
to learn attack and defense practices related
repeatable, and visible environment.
- Build a set of vulnerable autonomous
driving components that can be used for
security research and defense evaluation.
The contest is based on a Jeopardy style of CTF
game with a set of independent challenges. A
typical contest challenge includes a backend
that runs autonomous driving components in
simulated or real environments, and a frontend
that interacts with the players. This year’s
contest will follow the style of last year and
includes the following types of challenges:
- “attack”: such as constructing adversarial
patches and spoofing fake sensor inputs,
- “forensics”: such as investigating a security
incident related to autonomous driving,
- “detection”: such as detecting spoofed
sensor inputs and fake obstacles,
- “crashme on road!”: such as creating
dangerous traffic patterns to expose logical
errors in autonomous driving systems.
Most of these challenges will be developed
using game-engine based autonomous driving
simulators, such as CARLA and SVL.
The following link containssome challenge
videos from AutoDriving CTF at DEF CON 29
https://www.youtube.com/channel/
UCPPsKbVpxwk-464KIzr8xKw
# What’s new in 2022
This year, we will unlock new security-critical
driving scenarios such as stop-controlled and
signalized intersections. New difficulty levels
will be added to challenges in such scenarios
by integrating real downstream AI modules
such as object tracking from open-source
autonomous driving software like Apollo,
Autoware and OpenPilot. For example, players
will be required to generate adversarial masks
which will be overlayed on the surface of a
stop sign to prevent the self-driving vehicle from
stopping. The self-driving vehicle is equipped
with a tracking component so merely hiding
the stop sign in several frames will not work.
A video demonstrating an attacked
scenario is available at
https://youtu.be/4aedG1GNfRw
In addition to the simulation challenges, we
will add challenges with real vehicles in the
loop. In this setup, the vehicle under attack
will be placed on a rack and the driving
environment will be displayed on a monitor in
front of the windshield camera. We will have
the real vehicle running in a lab and players
and players will interact with the vehicle by
remotely manipulating the virtual surrounding
environments (such as the projected road signs
in front of the vehicle). The attack results will
be judged based on systems logs (for open-
source systems, such as openpilot) or dashboard
visualizations (for closed-source vehicles).
The following URL shows some
specifications about the real vehicles
https://docs.google.com/
document/d/1oFC5Swn-UQ3hqIBA_
Pw511o8WZqToU4TcQCb3UYocFc/
edit?usp=sharing
In order to enable the audience to experience
the challenges more directly, we plan to set
up a vehicle wheel controller on site this year.
Audiences can drive themselves to compete with
the self-driving vehicle in some of the challenges.
# For players
- What do players need to do to
participate AutoDriving CTF?
Most of the challenges do not require domain
knowledge of autonomous driving software
or adversarial machine learning, although
knowledge of those helps. For example, the
players can generate images the way they
like (e.g., drawing, photoshopping) to fool the
AI-components or write a short python script to
control the vehicle. Some challenges, such as
incident forensics likely would require players
to learn domain knowledge such as sensor
information format and how fusion works.
- What do we expect players to
learn through the CTF event?
Players can (1) gain a deep understanding of
real-world autonomous driving systems’ design,
implementation, and their corresponding
security properties and characteristics; and (2)
learn the attack and defense practices related
to autonomous driving in a well-controlled,
repeatable, visible, and engaging environment.
@autodrivingctf
B E VE R AG E COOL IN G
CON TR A P TION CON TE S T
In-person Contest
3 0
6
It’s DEFCON 30 and the world is a tumultuous
place. Maybe Putan has invaded NATO.
Maybe China has invaded Taiwan or doubled
down on its bid to claim the oddly sack-shaped
“nine dash line”. I think Pooh Bear may be
trying to compensate for something. Whatever
the current events, I’m going to claim WWIII
is right around the corner and you should be
prepared! Prepared to chill your beverage
that is. If the world is ending, do you really
want to see it out with a warm beverage!? I
thought not! If I’m going out in a nuclear hellfire
I want it to be with ice cold suds. So come on
down and let’s get prepped! In person only
Friday 1100 - 1400
Maybe something on Saturday if
beverage remains and interest exists.
35
 C0NTESTS & EV3NTS
BIC VIL L AG E C A P TUR E
TH E FL AG  C TF
Hybrid Contest
The BIC Village Capture The Flag Event is
a jeopardy style event designed to practice
solving challenges in multiple categories.
This event seeks to not only be a series of puzzles
and challenges to solve, but a gamified way to
learn concepts of social justice and Black history.
The gamified and challenge oriented sections
of the event will not only challenge one’s mind
in problem solving and critical thinking but also
charge one with the mission of identifying and
learning about historical facts and figures that
they would not otherwise be exposed to.
https://www.blacksincyberconf.com/ctf
@BlackInCyberCo1
C A P TUR E TH E PAC K E T
In Packet Hacking Village
The time for those of hardened mettle is
drawing near; are you prepared to battle?
Compete in the world’s most challenging
cyber defense competition based on the Aries
Security cyber range. Tear through hundreds
of bleeding-edge challenges, traverse a
hostile enterprise-class network, and diligently
analyze the findings to escape unscathed.
Glory and prizes await those who emerge
victorious from this upgraded labyrinth.
While Capture The Packet can easily scale for
users of every level, for DEF CON we pull out all
the stops and present our most fiendishly difficult
puzzles. Capture The Packet has been a DEF
CON Black Badge event for over 10 years, and
we don’t plan on stopping. This event attracts the
best of the best from around the world to play
– are you ready to show us what you’ve got?
https://www.capturethepacket.com/
@capturetp, @wallofsheep
36
C A R HAC K IN G VIL L AG E
In-person Contest
The Car Hacking
Village CTF is a
fun interactive
challenge which gives
contestants first hand
experience to interact
with automotive
technologies. We
work with multiple
automotive OE’s
and suppliers
to ensure our challenges give a real-world
experience to hacking cars. We understand
car hacking can be expensive, so please
come check out our village and flex your
skills in hacking automotive technologies.
https://www.carhackingvillage.com/
@CarHackVillage
C M D + C TR L 
Hybrid Contest
Friday 1000 PDT (GMT -7) to
Saturday 1800 PDT (GMT -7)
HEY HACKERS! ARE YOU LEET? PROVE
IT BY BEATING MAILJAY, OUR NEW
CYBER RANGE. POSTMESSAGE XSS!
MFA BYPASS! RCE! LEENUX PRIVESC!
HTTP DESYNC!?!?!? AND MORE!?!?!?
Join CMD+CTRL @ DEF CON 30
for this challenging CTF.
CMD+CTRL Cyber Range is an interactive
learning and hacking platform where
development, security, IT, and other roles
come together to build an appreciation for
protecting the enterprise. Players learn security
techniques in a real-world environment where
they compete to find vulnerabilities. Real-time
scoring keeps everyone engaged and creates
friendly competition. Our Cloud and App
Cyber Ranges incorporate authentic, fully
functioning applications and vulnerabilities
often found in commercial web platforms.
At DEF CON 30: We will be debuting our latest
Cloud Cyber Range, MailJay, which focuses on
exploiting a modern email marketing platform
comprised of web applications, services, and a
variety of cloud resources. Inspired by the latest
trends and real world exploits, try your hands at
bypassing a WAF, HTTP Desync, postMessage
XSS, RCE, MFA bypass, and so, so much more!
With twice as many challenges as our past Cloud
Ranges do you think you can complete them all?
This year we are happy to announce that we will
be returning to DEF CON in person. We will be
running this event both on site and online via
Discord. Join us Friday (8/12) through Saturday
(8/13) for this invite-only CTF by signing up
with the registration form below. This event is
limited to 250 players, so save your seat now!
Register here: https://forms.
gle/3TbT4JWsTfWVwr6r9
More info: http://defcon30.cmdnctrl.net
Twitter: @cmdnctrl_defcon
defcon30.cmdnctrl.net(will be online shortly)
@cmdnctrl_defcon
C R AC K M E IF YO U C A N
(C M IYC)
Contest
In its 13th year,
the premiere
password
cracking
contest
“CrackMeIfYouCan” is back again to challenge
the world’s best password crackers. The contest
is broken up into Pro and Street teams - so
ʻtake a chill pill’ if you are new to password
cracking (and don’t have jigowatts of GPU
power), there is still plenty of fun to be had.
We’ve spent all year coming up with password-
related challenges for our Pro teams that
are DaBomb! So listen up home skillet, come
see us in the Villages area where we will
have some hella nice professional password
crackers who are all that, and a bag of chips!
This year’s contest is going to be totally radical!
We are like, totally psyched to be partnering
with the Password Village this year. I kid you
not, the contest is going to be so easy that
even an airhead or a jock could crack these
passwords! PYSCH! The challenges are going
to be bodacious and like totally dope. This
year, it is not about wordlists, rules, patterns,
or about forensics. In the past we’ve asked our
teams how passwords have changed over time...
now we are going to ask them to go back, to
the future of password cracking. Like, totally.
https://contest.korelogic.com/
@CrackMeIfYouCan
C R A S H A ND COM P IL E 
In-person Contest
What happens when you take an ACM style
programming contest, smash it head long into
a drinking game, throw in a mix of our most
distracting helpers, then shove the resulting
chaos incarnate onto a stage? You get the
contest known as Crash and Compile.
Teams are given programming challenges and
have to solve them with code. If your code
fails to compile? Take a drink. Segfault? Take a
drink. Did your code fail to produce the correct
answer when you ran it? Take a drink. We set
you against the clock and the other teams. And
because our “Team Distraction” think watching
people simply code is boring, they have taken it
upon themselves to be creative in hindering you
from programming, much to the enjoyment of
the audience. At the end of the night, one team
will have proven their ability, and walk away
with the coveted Crash and Compile trophy.
Crash and Compile is looking for the top
programmers to test their skills in our contest.
Can you complete our challenges? Can you
do so with style that sets your team ahead
of the others? To play our game you must
first complete our qualifying round. Gather
your team and see if you have the coding
chops to secure your place as one of the
top teams to move on to the main contest.
Qualifications for Crash and Compile
will take place Friday from 10am to 3pm
online at https://crashandcompile.org.
You may have up to two people
per team. (Having two people on
a team is highly suggested)
Of the qualifiers, nine teams will move on to
compete head to head on the contest stage.
The main contest takes place
Saturday 17:00 - 20:00.
Contest Area Stage
web: https://crashandcompile.org/
@CrashAndCompile
C R E ATIVE WR ITIN G
S HORT S TORY CON TE S T 
online Contest
The DEF CON Short Story contest is a pre-
con contest that is run entirely online utilizing
the DEF CON forums, Twitter, and reddit. This
contest follows the theme of DEF CON for the
year and encourages hackers to roll up their
sleeves, don their proverbial thinking cap, and
write the best creative story that they can. The
Short Story Contest encourages skills that are
37
 C0NTESTS & EV3NTS
invaluable in the hacker’s world, but are often
overlooked. Creative writing in a contest setting
helps celebrate creativity and originality in
arenas other than hardware or software hacking
and provides a creative outlet for individuals who
may not have another place to tell their stories.
More Info: @dcshortstory
https://twitter.com/dcshortstory
DA R K N E T- N G 
Hybrid Contest
Darknet-NG is an In-Person Massively Multiplayer
Online Role Playing Game (MMO-RPG), where
the players take on the Persona of an Agent who
is sent on Quests to learn real skills and gain
in-game points. If this is your first time at DEF
CON, this is a great place to start, because we
assume no prior knowledge. Building from basic
concepts, we teach agents about a range of
topics from Lock-picking, to using and decoding
ciphers, to Electronics 101, just to name a few,
all while also helping to connect them to the
larger DEF CON Community. The “Learning
Quests” help the agent gather knowledge from
all across the other villages at the conference,
while the “Challenge Quests” help hone their
skills! Sunday Morning there is a BOSS FIGHT
where the Agents must use their combined
skills as a community and take on that year’s
challenge! There is a whole skill tree of personal
knowledge to obtain, community to connect
with and memories to make! To get started,
check out our site https://darknet-ng.network
and join our growing Discord Community!
Friday: 10 am - 4:30 pm
Saturday: 10 am - 4:30 pm
Sunday: 10 am - 12 pm
https://darknet-ng.network/
@DarknetNg
38
DE F CON 3 0 C H E S S
TO UR N A M E N T
In-person Contest
Chess, computers, and hacking. In the 18th
century, the Mechanical Turk appeared to play
a good game, but there was a human ghost in
the shell. Some of the first computer software was
written to play chess. In 1997, world champion
Garry Kasparov lost to Deep Blue, but he
accused IBM of cheating, alleging that only a
rival grandmaster could make certain moves.
At DEF CON 30, we will run a human
chess tournament with a “blitz” time control
of 5 minutes on each player’s clock, in a
Swiss-system format. In each round, match
pairings are based on similar running scores.
Everyone plays the full tournament, and the
winner has the highest aggregate score.
The Las Vegas Chess Center (LVCC) will
manage the tournament. To help crown
the best chess player at DEF CON 30, we
will register the rated players first, on site,
starting one hour prior to the tournament.”
Saturday 15:00 - 18:00 Room 133 Forum
DE F CON BIK E R IDE
“ C YC L E OVE R R IDE ”
Hybrid Event
At 6am on
Friday, the
cycle_override
crew will be
hosting the
10th Defcon
Bikeride. We
miscounted
last year which
was really
the 9th. We’ll
meet at a local
bikeshop,
get some
rental bicycles, and about 7am will make the
ride out to Red Rocks. It’s about a 15 mile ride,
all downhill on the return journey. So, if you
are crazy enough to join us, get some water, DE F CON S C AVE N G E R
and head over to cycleoverride.org for more
info. See at 6am Friday! jp_bourget gdead
HU N T
heidishmoo. Go to cycleoverride.org for more In-person Contest
info. In the event that there is no on site Defcon,
we will do a virtual ride during Defcon,.

DE F CON M UD
Hybrid Contest
Multi User Dungeons or MUD’s are the text
based precursors to MMO’s. THe DEFCON
MUD is an intentionally vulnerable game written
in a language called LPC. The theme every
year varies. This year we will be going back
to the original engine as featured in DEFCON
27. All new areas will be built to frustrate
players. The game will launch 2 weeks before
DEFCON and will run until DEFCON Sunday.
Can you beat the game, can you find the sword
of 1000 truths, can you find the exploits?
Game opens 2 weeks before DEFCON to
allow people time to explore and play.
There will be a formal scoring system which
will be released thursday evening. On site
The DEF CON Scavenger Hunt is back for
activity will be related to shenanigans and
the 25th hunt. We are gearing up to once
powerful item drops at random locations.
again catch Las Vegas with its pants down
Friday: 24 hours #pantslessvillage. This year, we return
Saturday: 24 hours to in-person only operations with up to 5
people per team and table submissions.
Sunday: 24 hours (scoring cutoff at noon)
For those new to DEF CON, or otherwise
A website documenting the MUD is uninitiated, the DEF CON Scavenger Hunt is
at https://mog.ninja and a CTFd is regarded by many as the best way to interact
setup at https://ctf.mog.ninja with the con. We do our best to encourage
you to challenge your comfort zone, meet
people, and otherwise see and do a bit of
DE F CON R E D TE A M C TF  everything that DEF CON 30 has to offer.
For those who have aspirations to become
In-person Contest more involved with DEF CON in the future,
many of our veteran contestants include
Website: https://threatsims.
goons, speakers, and contest organizers.
com/redteam-2022.html
So, how does a scavenger hunt run for 25
Once again this year’s DEF CON Red Team CTF
years? As this is DEF CON, this is not your
will be hosted by Threat Simulations! We have
ordinary scavenger hunt. The list is open to
an amazing, immersive scenario that stresses
interpretation, it is a hacker con after all,
strong red team skills as players traverse through
so hack the list. Because how you interpret
an enterprise network. This event is not for the
the list is entirely out of our hands, we have
faint of heart, first you will battle with hundreds
posted trigger warnings. You will be finding
of teams in a jeopardy board style ctf, then the
and doing a variety of things, it is up to you to
top teams will enter the finals where your Red
convince the judges whatever you are turning
Team skills will be tested in a full Active Directory
in meets the criteria and is worth the points.
environment. Your team will compete against
some of the best red teamers in the world as you You don’t have to devote all of your time to play
exploit, pivot, and loot the target environment. and have fun, come turn in a couple items and
enjoy yourself. If you want to win however, you
will have to scavenge as much as you can over
the weekend. While the hunt starts on Friday
morning, with determination and a lack of sleep,
we have seen people start at 2AM on Saturday

39
 C0NTESTS & EV3NTS
night and place. Likewise, if you don’t play well As part of our challenge we will present
with others, we have seen single-players also contestants with the exact same design
place. In other words, we work very hard to and compare the outputs they produce
keep the barrier to entry as low as possible. You against a number of categories in order
don’t need to be some binary reversing wizard, to identify a winner and crown DEF
and there’s no qualifier to compete, you can CON’s Next Top Threat Model(er).
just show up and win if you want it enough. Friday: 10:00-18:00
The hunt was started by Pinguino at DEF Saturday: 10:00-18:00
CON 5 simply to avoid being bored; there
was no hunt at DEF CON 8, for those Contest Area Stage
doing math. In the intervening years, to
further avoid boredom, we have been out
scavenging and went from having a simple
cardboard sign to a truly mesmerizing table.
D C 3 0 HA M R A DIO FOX
So come to the scav hunt table in the contest HU N T CON TE S T
area (it’s hard to miss us) with a team name In-person Contest
ready. Once you get a list, your assignment is
to turn in as many items as you can before noon
on Sunday. The team with the most points wins.
Items are worth more points the sooner you turn
them in, so come on down and turn in frequently.
We want to thank Pinguino, Grifter, Siviak
, Salem, all of the judges, and all of the
players that have made it possible for us to
host the 25th DEF CON Scavenger Hunt.
The DEF CON 30 Scavenger Hunt is
brought to you by DualD, EvilMoFo,
Kaybz, Sconce, Shazbot, Zhora.
THE RULES:
In the world of amateur radio, groups of hams
1: the judges are always right will often put together a transmitter hunt (also
2: not our problem called “fox hunting”) in order to hone their
radio direction finding skills to locate one or
3: make it weird more hidden radio transmitters broadcasting.
4: don’t disappoint the judge(s) The Defcon Ham Radio Fox Hunt will require
participants to locate a number of hidden radio
5: team name, item number, present your item transmitters broadcasting at very low power
If you capture pictures or video of items from which are hidden throughout the conference.
our list happening, or have some from previous A map with rough search areas will be given
years, please send it to us via email scavlist@ to participants to guide them on their hunt.
gmail.com . http://defconscavhunt.com/ Additional hints and tips will be provided
throughout Defcon at the contest table to help
@DefConScavHunt people who find themselves stuck. This contest
is designed to be an introduction to ham radio
fox hunting and as such will be simple to
participate in and all people who participate
will be guided towards successful completion!
Friday: 10:00-20:00
Saturday: 10:00-20:00
DE F CON ’ S N E X T TOP Sunday: None
THR E AT M ODE L  In-person only.
Hybrid Contest defcon27foxhunt.com
Threat Modeling is arguably the single most @richsentme
important activity in an application security
program and if performed early can identify
a wide range of potential flaws before a
single line of code has been written. While
being so critically important there is no single
correct way to perform Threat Modeling, many
techniques, methodologies and/or tools exist.
40

E FF TE C H TR IVIA  Hack the Plan[e]t Capture the Flag (CTF)
In-person Contest
EFF’s team of technology experts have crafted
challenging trivia about the fascinating, obscure,
and trivial aspects of digital security, online
rights, and Internet culture. Competing teams
will plumb the unfathomable depths of their
knowledge, but only the champion hive mind
will claim the First Place Tech Trivia Plaque
and EFF swag pack. The second and third
place teams will also win great EFF gear.
Room 410 Friday, 20:00-22:00
https://eff.org
@EFF
HAC K FORTR E S S
In-person Contest
Hackfortress is a
unique blend of
Team Fortress 2
and a computer
security contest.
Teams are made
up of 6 TF2
players and 4
hackers, TF2
players duke
it out while
hackers are busy with challenges like application
security, network security, social engineering, or
reverse engineering. As teams start scoring they
can redeem points in the hack fortress store for
bonuses. Bonuses range from crits for the TF2,
lighting the opposing team on fire, or preventing
the other teams hackers from accessing the
store. HackFortress challenges range from
beginner to advanced, from serious to absurd.
http://hackfortress.net
@tf2shmoo
HAC K TH E P L A N [ E ]T
In-person Contest
https://www.icsvillage.com/
https://twitter.com/ICS_Village
contest will feature Howdy Neighbor and
the Industrial Control System (ICS) Range.
This first of its kind CTF will integrate both
Internet of Things (IoT) and ICS environments
with interactive components for competitors
to test their skills and knowledge.
Howdy Neighbor is an interactive IoT CTF
challenge where competitors can test their
hacking skills and learn about common
oversights made in development, configuration,
and setup of IoT devices. Howdy Neighbor is
a miniature home - made to be “smart” from
basement to garage. It’s a test-bed for reverse
engineering and hacking distinct consumer-
focused smart devices, and to understand
how the (in)security of individual devices can
implicate the safety of your home or office,
and ultimately your family or business. Within
Howdy Neighbor there are over 25 emulated
or real devices and over 50 vulnerabilities
that have been staged as challenges. Each of
the challenges are of varying levels to test a
competitors ability to find vulnerabilities in an
IoT environment. Howdy Neighbor’s challenges
are composed of a real and simulated devices
controlled by an App or Network interface
and additional hardware sensors; each Howdy
Neighbor device contains 1 to 3 staged
vulnerabilities which when solved present a key
for scoring/reporting that it was discovered.
In the same vein, this CTF challenge will
also leverage the ICS Village’s ICS Ranges
including physical and virtual environments
to provide an additional testbed for more
advanced challenges in critical infrastructure
and ICS environments. There will be integrated
elements from DHS/CISA with their ranges
that are realistically miniaturized assets (ie -
operational oil and natural gas pipeline, etc.)..
https://www.icsvillage.com
@ICS_Village
HAC K3 R R U N W@Y
In-person Contest
After 2 years virtual and one in person, we’d
like to return to stage for our 4th year where
this contest shines best. Hack3r Runw@y brings
out all the sheek geeks out there. It encourages
rethinking fashion in the eyes of hackers. Be it
smartwear, LED additions, obfuscation, cosplay
or just everyday wear using fabrics and textures
that are familiar to the community. Contestants
can enter clothing, shoes, jewelry, hats or
accessories. If it can be worn, it is perfect for
the runway. For convenience, contestants can
enter the contest with designs made ahead
of the conference, however it needs to be
41
 C0NT3STS & 3V3NTS
made by them and not just store bought.
Awards will be handed out in 4 categories and
HO S P ITA L U NDE R S E IG E
one trophy for the People’s Choice category Contest
where the winner is anyone’s guess: Hospital Under
Digital wearable - LED, electronic, passive Siege is a
scenario-driven
Smart wear - interactive, temperature sensing, Capture the Flag
mood changing, card skimmers, etc contest run by
Aesthetics and More - 3d printed, geeky the Biohacking
wear, passive design, obfuscation, cosplay Village, pitting
teams of
Functional wear - did you bling out your
participants
mask and/or shield, have a hazmat suit,
against
lock pick earrings, cufflinks shims
adversaries
Winners will be selected based and against a
on, but no limited to: clock, to protect
Uniqueness human life and public safety. Participants will
compete against each other on both real and
Trendy simulated medical devices, in the fully immersive
Practical Biohacking Village: Device Lab, laid out as a
working hospital. Teams of any size are welcome,
Couture as are players from all backgrounds and skill
Creativity levels. Challenges will be tailored for all skill
levels and draw from expertise areas including
Relevance forensics, RF hacking, network exploitation
Originality techniques, web security, protocol reverse
engineering, hardware hacking, and others.
Presentation
You will hack actual medical devices and play
Mastery with protocols like DICOM, HL7 and FHIR.
Friday: 2pm – 4pm https://www.villageb.io/
Saturday: 4pm – 6pm (or 2 hours before @DC_BHV
the contest stage and then 1 hr on stage)
Hack3rRunway.square.site , https://
hack3rrunway.github.io/ IOT C TF C R E ATOR S
@Hack3rRunway
C HA L L E N G E (IOT CCC)
In-person Contest
HAC K E R J E OPA R DY  https://www.iotvillage.org/
In-person Event @IoTvillage
Hacker Jeopardy, the classic DEF CON
game show, is returning for yet another
year of answers, questions, NULL beers, P TFS PR E S E N TS : M AYH E M
and occasionally some impressive feats
of knowledge. You don’t want to miss this IND US TR I E S - O U TS IDE
opportunity to encourage the contestants,
your fellow Humans, “DON’T FUCK IT UP! TH E BOX
We will be opening auditions, with the call In-person Contest
posted on the dfiu.tv website, and linked to DEF There’s a cube. It
CON formus. (promoted on social media) does stuff. IoT stuff.
Track 4 Hack it and find
out! Capture flags
Friday: 2000-2200 and turn them in for
Saturday: 2000-2200 points. Team with
the most points wins!
https://dfiu.tv
This contest is
@HackerJeopardy being ran by team
pTFS. We’ve won
black badges in
the past, and this is our way to contribute back
42
What’s this all about
It’s a cube that has
IoT stuff that can
be hacked. This
may include SDR,
Bluetooth, Wifi,
Infrared / Sonar,
Zigbee, etc... People
who hack in may
be able to interact
with the physical
elements on the
box (such as the display, door, LED array,
speakers, etc...) and enter flags they capture
into an online scoring engine for points.
IOT VIL L AG E HAC K IN G
C TF - ( TH E C TF
FOR M A L LY K NOWN A S
S OHOP L E S S LY BROK E N)  where teams and
In-person Contest
IoT Village Hacking CTF is hosted in IoT Village,
teams of 1-6 players access a local network filled
with IoT devices primed to be exploited. You will
compete against others by successfully exploiting
real IoT products and finding the hidden flags
in each. The hacking contest features more
than 30 real-world, vulnerable IoT devices.
This event has been redesigned to include
challenges which highlight tangible impacts
when exploiting real vulnerabilities on real IoT
devices. Hidden in the network are devices
which require advanced skills to exploit or
require creative attack chaining to find the
flag. Players will encounter unique hacking
scenarios like, exfiltrating files off a NAS to
find “clues” or bypassing a router firewall to
access a camera on a hidden network to “see”
a flag. Prepare to outwit, see, sneak, move,
and listen your way through these hidden
scenarios which have a cyber-physical effect.
The IoT devices in the contest are not simulated
and do not contain contrived/made-up
vulnerabilities. Competitors must figure out what
real-world vulnerabilities exist in these devices
and exploit them to get a shell and find the flag.
This is what makes the IoT Village CTF special.
This 3-time DEF CON Black Badge awarded
contest CTF is open to anyone! Our
contest provides a wonderful experience
to learn more about security and test your
skills, and the IoT CTF provides the most
realistic hacking experience around!
A few devices are approachable for entry
level people to experience getting their first
root shell, but to win this CTF your team must
perform detailed network reconnaissance,
lateral pivoting, vulnerability research,
hardware hacking, firmware analysis, reverse
engineering, and exploit development.
So, join a team (or even by yourself) and
compete for fun and prizes! Exploit as
many as you can during the con and the
top three teams will be rewarded.
https://www.iotvillage.org/#yolo
@IoTvillage
KUB E R N E TE S C A P TUR E
TH E FL AG 
Online-only Contest
The DEF CON
Kubernetes Capture
the Flag (CTF)
contest features a
Kubernetes-based
CTF challenge,
individuals can
build and test
their Kubernetes
hacking skills. Each
team/individual
is given access to a single Kubernetes cluster
that contains a set of serial challenges, winning
flags and points as they progress. Later flags
pose more difficulty, but count for more points.
A scoreboard tracks the teams’ current and
final scores. In the event of a tie, the first
team to achieve the score wins that tie.
Friday: 10:00-20:00
Saturday: 10:00-17:00
https://containersecurityctf.com/
@ctfsecurity
M A P S OF TH E DIGITA L
L A NDS
In-person Contest
Maps of the digital lands is a fusion of network
engineering and drawing. This is a contest for all
levels to come and show how good you are with
a pen. We give you a few scenarios to choose
from and you have to draw a map to show what
the scenario would look like. Maybe apply your
1337 skills to show how you’d take control of the
network! All skills are welcome. Also come join
us for some TBD brainstorming sessions! Check
out https://www.alienvualt.com for schedule!
https://www.alienvualt.com
@mapsofdigiland
43
 C0NT3STS & 3V3NTS
O C TOP US GA M E  discord, on Twitter rf_ctf, rfhackers, and the
In-person Contest
“Are you the next Octopus Champion? Find
out at DEF CON 30! Enter here: https://
www.mirolabs.info/octopusgame
Once entered, contestants are provided a
random opponent. Locate your opponent and
challenge them to a contest: rock-paper-scissors,
Ddakji, staring contest, etc. Winners receive
their opponents’ targets and the game continues
until we reach the top 4. The Octopus Champion
is then decided at a special tournament with
events designed by the Octopus Master.”
https://www.mirolabs.info/octopusgame
@OctopusGameDC
R A DIO FR E Q U E NC Y
C A P TUR E TH E FL AG
Hybrid Contest
Do you have what it
takes to hack WiFi,
Bluetooth, and Software
Defined Radio (SDR)?
RF Hackers Sanctuary
(the group formerly
known as Wireless
Village) is once again
holding the Radio Frequency Capture the
Flag (RFCTF) at DEF CON 30. RFHS runs this
game to teach security concepts and to give
people a safe and legal way to practice attacks
against new and old wireless technologies.
We cater to both those who are new to radio
communications as well as to those who have
been playing for a long time. We are looking
for inexperienced players on up to the SIGINT
secret squirrels to play our games. The RFCTF
can be played with a little knowledge, a
pen tester’s determination, and $0 to $$$$$
worth of special equipment. Our new virtual
RFCTF can be played completely remotely
without needing any specialized equipment
at all, just using your web browser! The key
is to read the clues, determine the goal of
each challenge, and have fun learning.
There will be clues everywhere, and we will
provide periodic updates via discord and
twitter. Make sure you pay attention to what’s
44
happening at the RFCTF desk, #rfctf on our
interwebz, etc. If you have a question - ASK!
We may or may not answer, at our discretion.
FOR THE NEW FOLKS
Our virtual RFCTF environment is played
remotely over ssh or through a web browser.
It may help to have additional tools installed
on your local machine, but it isn’t required.
Read the presentations at: https://
rfhackers.com/resources
Hybrid Fun
For DEF CON 30 we will be running in “Hybrid”
mode. That means we will have both a physical
presence AND the virtual game. All of the
challenges we have perfected in the last 2 years
in our virtual game will be up and running,
available to anyone all over the world (including
at the conference), free of charge. In addition
to the virtual challenges, we will also have a
large number of “in person” only challenges.
These “in-person” only challenges will include
our traditional fox hunts, hide and seeks, and
king of the hill challenges. Additionally, we will
have many challenges which we simply haven’t
had time or ability to virtualize. It should be
clear that playing only the virtual game will put
you in a severe available point disadvantage.
Please don’t expect to place if you play virtual
only, consider the game an opportunity to
learn, practice, hone your skills, and still get
on the scoreboard. The virtual challenges
which are available will have the same flags
as the in-person challenges, allowing physical
attendees the choice of hacking those challenges
using either (or both) methods of access.
THE GAME
To score you will need to submit flags which
will range from decoding transmissions in the
spectrum, passphrases used to gain access to
wireless access points, or even files located on
servers. Once you capture the flag, submit it to
the scoreboard right away, if you are confident
it is worth *positive* points. Some flags will
be worth more points the earlier they are
submitted, and others will be negative. Offense
and defense are fully in play by the participants,
the RFCTF organizers, and the Conference
itself. Play nice, and we might also play nice.
To play our game at DEF CON 30 join SSID:
RFCTF_Contestant with password: iluvpentoo
Getting started guide: https://
github.com/rfhs/rfhs-wiki/wiki
Helpful files (in-brief, wordlist, resources) can
be found at https://github.com/rfhs/wctf-files
Support tickets may be opened at https://
github.com/rfhs/wctf-support/issues
TL;DR
Twitter: rf_ctf and rfhackers halls of DEF CON, one can see more modern
versions manifesting as stickers - especially
Discord: https://discordapp.com/invite/JjPQhKy
on laptops and other electronic equipment.
Website: http://rfhackers.com - play with us
The DEF CON art contest showcases art of many
Github: https://github.com/rfhs different forms - wallpapers etc. However, there
Official Support Ticketing System: https:// is not presently a medium for expression that is
github.com/rfhs/rfctf-support/issues more portable and ubiquitous in hacker culture,
especially at DEF CON. Just like DEF CON
https://rfhackers.com usually bundles stickers in its conference schedule
@rf_ctf booklet, which ends up on a majority of laptops
and other devices of attendees, the winning
entry in this contest could be either added to
that list of stickers, or sold standalone as swag.
R E D A L E RT IC S C TF We use stickers to break the ice with
In-person Contest strangers, as a barter currency, to tell the
Red Alert ICS CTF tales of our struggles and triumphs. After
is a competition all, is a hacker really a hacker without a
for Hackers by laptop adorned with these markings?
Hackers. The event Here’s your chance to be part of hacker culture,
exclusively focuses by creating something that people around
on having the the world will treasure and proudly display.
participants break Submit original artwork in the theme of the
through several con, that you believe best exemplifies hacker
layers of security in culture, that will be used as printed stickers.
our virtual SCADA
On your marks... Make your mark.
environment and
eventually take over - The contest is open to artists of
complete control of the SCADA system. any age, in any country.
The contest would house actual ICS (Industrial - Please submit a PNG file of no more than 6
Control System) devices from various vendors inches x 6 inches (or 4096 px x 4096 px), any
on a testbed showcasing different sectors of shape inside these dimensions is acceptable.
critical infrastructure. The participants would - Artwork can be an original painting,
be able to view and engage with the devices drawing, photo, computer generated
in real time and understand how each of them illustration or screen print.
control each of the aspects of the testbed and
leverage this to compromise the devices. - Artwork must be original/copyright-
free - please do not include copyrighted
Red Alert ICS CTF is back with a ton of content in your submissions.
fun challenges after successfully running
the CTF at DEF CON 29, DEF CON 27 Submissions must be made via email
and DEF CON 26 (Black Badge). ([email protected])
Highlights of the Red Alert ICS CTF is available On the forums as: https://forum.defcon.
at: https://youtu.be/AanKdrrQ0u0 org/member/47018-247arjun
@icsctf Follow: https://twitter.com/
InfosecStickers For updates.
@infosecStickers
S TIC K E R DE S IG N
CON TE S T  TE L E C HA L L E N G E 
Pre-con contest (like the short story contest)
Hybrid Contest
Ancient warriors
used tattoos as a
means of indicating
rank in battle; it was
the sort of mark that
told the tales of their
various conquests -
The TeleChallenge is a fast-paced, epic battle
their struggles and
of wits and skill. Previous winners are few in
triumphs. Similarly,
number, and are among the most elite hackers
traversing the
at DEF CON. Designed to be played by teams,
45
 C0NT3STS & 3V3NTS
and running through the whole weekend, the top Vegas style hacking contest for Defcon
TeleChallenge is entirely playable over a touch attendees. Once joined, attendees can
tone phone. Don’t let fear of the Challenge hold run the game anywhere in Vegas and hack
you for ransom. Your voice is your passport! nearby locations for points and prizes. Wi-
Fi Cracking? Got it. Exploit research? Got
https://www.youtube.com/channel/
it. Betraying your friends for prizes? Got it!
UCWxrz1cHRbiy5bDRTNDlQkg/playlists
Throughout the weekend, we will be
@TeleChallenge
broadcasting location events, bonuses,
and news through Twitter, Discord, and
our YouTube live stream at our booth.
TH E G OL D B U G – C RYP TO Watch this space for more information
A ND PR IVAC Y VIL L AG E on dates, prizes, and promotions.
Hack. Slash. Crash. Burn. Fun!
P UZ Z L E https://www.hacknattack.com
Hybrid Contest
@hack_n_attack
Love puzzles? Need a
place to exercise your
classical and modern
cryptography skills? TH E S C H E M AVE R S E
This puzzle will keep
you intrigued and busy
C HA M P ION S HIP 
throughout Defcon Online Contest
- and questioning
how deep the layers
of cryptography
go.The Gold Bug an annual Defcon puzzle hunt,
focused on cryptography. You can learn about
Caesar ciphers, brush up your understanding
of how Enigma machines or key exchanges
work, and try to crack harder modern crypto.
Accessible to all - and drop by for some kids’ Online Only this year.
puzzles too!PELCGBTENCUL VF UNEQ The Schemaverse [skee-muh vurs] is a space
https://goldbug.cryptovillage.org/ battleground that lives inside a PostgreSQL
database. Mine the hell out of resources
@CryptoVillage and build up your fleet of ships, all while
trying to protect your home planet. Once
you’re ready, head out and conquer the
map from other DEF CON rivals.
TH E HAC K- N - AT TAC K
This unique game gives you direct access to
HAC K E R HOM E COM IN G the database that governs the rules. Write
SQL queries directly by connecting with any
H E IS T supported PostgreSQL client or use your favourite
In-person Contest language to write AI that plays on your behalf.
This is DEF CON of course so start working
The Hack-n- on your SQL Injections - anything goes!
Attack Hacker
Homecoming Heist https://schemaverse.com
Real-World hacking, @schemaverse
real world rewards!
Hack-N-Attack is an
online mobile game
where you hack real
world locations for
points and prizes.
Pizza shop? Hack
it! Friend next to you? Hack them! If you take
Defcon, Pokémon Go, and Oceans 11, and
squished them all together, you’d get…a lot of
copyright complaints. But also Hack-N-Attack.
The Hacker Homecoming Heist an over-the-

46
47
 C0NT3STS & 3V3NTS
TIN FOIL HAT CO N TE S T TR AC E L A B S O S IN T
In-person Contest S E A RC H PA RT Y C TF 
Want to block Hybrid Contest
those pesky 5G
microchips coursing The Trace Labs
through your Search Party CTF is
vaccinated body? a non theoretical,

TFH Were you hacking

back against
Putin, and need to
gamified effort
that allows for the
crowdsourcing
DEFCON 30 hide? Or do those of contestants to
alien mind control perform a single
rays just have you task: Conduct open
down lately? Fear source intelligence
not, for we here operations
at the Tin Foil Hat contest have your back for to help find missing persons
all of these! Come find us in the contest area, You can have teams of 1-4 people, 4 person
and we’ll have you build a tin foil hat which is teams provide many benefits which include
guaranteed to provide top quality protection the coaching of more junior members. Often a
for your noggin. How you ask? SCIENCE! great learning opportunity if you are able to
Show us your skills by building a tin foil pair up with OSINT veterans. Get your team
hat to shield your subversive thoughts, together and join us in our Discord group to get
then test it out for effectiveness. started here: https://tracelabs.org/discord
There are 2 categories: stock and unlimited. https://www.tracelabs.org/
The hat in each category that causes the initiatives/search-party
most signal attenuation will receive the @tracelabs
“Substance” award for that category. We all
know that hacker culture is all about looking
good, though, so a single winner will be
selected from each category for “Style”. WHO S E S L IDE IS IT
http://www.psychoholics.org/tfh A N Y WAY? 
@DC_Tin_Foil_Hat In-person Event
It’s our sixth year
but since we had
TOX IC B BQ to be virtual last
year this will
In-person Event
be our 5 YEAR
16:00- 22:00 ANNIVERSARY
Thursday, Off-site at show of
Sunset Park, Pavilion F, “Whose Slide
(36.0636, -115.1178) Is It Anyway?”!
The humans of We’re an unholy
Vegas invite you to union of improv
the 16th in-carne- comedy, hacking
tion of this unofficial and slide deck
welcome party. sado-masochism.
Go AFK 4 BBQ off-Strip and make us the first Our team of slide monkeys will create a stupid
stop on your DC30 reunion tour. Burgers and amount of short slide decks on whatever
dogs are provided; attendees are encouraged nonsense tickles our fancies. Slides are not
to pitch in with more food, drinks, volunteer exclusive to technology, they can and will be
labor, rides, and and everything that makes about anything. Contestants will take the stage
this cookout something to remember. and choose a random number corresponding
Grab flyers from an Info Booth after to a specific slide deck. They will then improvise
Linecon, check out https://www.toxicbbq. a minimum 5 minute / maximum 10 minute
org for the history of this event, and watch lightning talk, becoming instant subject
#ToxicBBQ on Twitter for the latest news. matter experts on whatever topic/stream
of consciousness appears on the screen.
https://www.toxicbbq.org
Whether you delight in the chaos of watching
your fellow hackers squirm or would like to
48
sacrifice yourself to the Contest Gods, it’s a and defenses by actual companies.
night of schadenfreude for the whole family. Teams can consist of 1-3 individuals, which we
Oh, and prizes. Lots and lots of prizes. hope allows for teams to utilize novel techniques
to implement different Social Engineering tactics.
ImprovHacker.com
Each team is provided limited time to place
@WhoseSlide as many calls as possible from a soundproof
booth. During that time, their goal is to elicit
from the receiver as many objectives as possible.
Whether you’re an attacker, defender, business
S O C IA L E N GIN E E R IN G executive, or brand new to this community, you
COM M U NIT Y (S E C) can learn by witnessing firsthand how easy it
is for some competitors to schmooze their way
YO U TH C HA L L E N G E to their goals and how well prepared some
companies are to shut down those competitors!
In-person Contest
Friday: 9:00 – 16:00
VI CALLING ALL
E S LL KIDS! Come Saturday: 9:00 – 16:00
R O AI use your In the SEC Village Linq
HE VS
N
S super skills
and powers https://www.såe.community/
to work with a events/vishing-competition/
team of heroes @sec_defcon
SE COMMUNITY YOUTH CHALLENGE
or villains.
The balance of good and evil will be determined
by individual participants completing various
challenges in this ʻChoose Your Own Adventure’ B E T TIN G ON YO UR
style event. By participating in this event, you
will have opportunities to interact and learn
DIGITA L R IG HTS : E FF
from many other incredible villages at DEF CON
while at the same time improving your Social
P OK E R TO UR N A M E N T
Engineering abilities. If successful, you may even In-person Contest
have the chance to help your team prevail and
become the ultimate Superhero or Supervillain!
Friday: 9:00 – 18:00
Saturday: 9:00 – 18:00
Sunday: 9:00 – 14:00
In the SEC Village Linq
https://www.se.community/
events/youth-challenge/
@sec_defcon
Betting on Your Digital Rights: EFF
Benefit Poker Tournament
We’re going all in on internet freedom. Take a
S E COM M U NIT Y (S E C) break from hacking the Gibson to face off with
VIS HIN G COM P E TITION / your competition at the tables—and benefit EFF!
Your buy-in is paired with a donation to support
#S E C VC EFF’s mission to protect online privacy and free
expression for all. Play for glory. Play for money.
In-person Contest Play for the future of the web. Seating is limited,
so reserve your spot today at eff.org/poker.
Tournament Specs: $100 Bally’s tournament
buy-in with a suggested donation of $250 to
EFF to sign up. Rebuys are unlimited to level
6 with each having a suggested donation of
In this competition, teams go toe to toe by $100. Levels will be fifteen minutes, and the
placing live vishing (voice phishing) phone calls blinds go up at each level. Attendees must
in front of the Social Engineering Community be 21+. More details at eff.org/poker.
audience at DEF CON. These calls showcase
the duality of ease and complexity of the craft Friday, August 12th 12:00 to 15:00
against the various levels of preparedness https://eff.org/poker

49
 PR3S3NTATI0NS
Listed by Day, Time, Track
FRIDAY
COMPUTER HACKS IN THE
PANEL - “SO IT’S YOUR FIRST DEF RUSSIA-UKRAINE WAR
CON” - HOW TO GET THE MOST Friday at 10:00 in Track 4
20 minutes
OUT OF DEF CON, WHAT NOT Kenneth Geers
TO DO. Very Good Security / NATO Cyber Centre / Atlantic Council
Friday at 10:00 in Track 1
45 minutes
DEF CON Goons
Panel - “So It’s your first DEF CON” - How to
get the most out of DEF CON, What NOT to
do. This talk is a guide to enjoying DEF CON.
We hope to talk about how to get the most out
of your first con and asnwer questions live from
the audience. Feel free to come meet some long
time goons, attendees, and DEF CON staff as
we discuss how to navigate Las Vegas hotels
with 30k hackers surrounding around you.
PANEL - DEF CON POLICY DEPT -
WHAT IS IT, AND WHAT ARE WE
TRYING TO DO FOR HACKERS IN
THE POLICY WORLD?
Friday at 10:00 in Track 2
75 minutes
DEF CON Policy Dept
DEF CON Policy Dept - What is it, and what are
we trying to do for hackers in the policy world?
OLD MALWARE, NEW TOOLS:
GHIDRA AND COMMODORE
64, WHY UNDERSTANDING OLD
MALICIOUS SOFTWARE STILL
MATTERS
Friday at 10:00 in Track 3
45 minutes | Tool
Cesare Pizzi
Hacker
Why looking into a 30 years old “malicious”
software make sense in 2022? Because this little
“jewels”, written in a bunch of bytes, reached
a level of complexity surprisingly high. With no
other reason than pranking people or show off
technical knowledge, this software show how
much you can do with very limited resources: this
50
is inspiring for us, looking at modern malicious
software, looking at how things are done and how
the same things could have been done instead.
The Russia-Ukraine war has seen a lot of computer
hacking, on both sides, by nations, haxor collectives,
and random citizens, to steal, deny, alter, destroy,
and amplify information. Satellite comms have gone
down. Railway traffic has been stymied. Doxing
is a weapon. Fake personas and false flags are
expected. Every major platform has had issues with
confidentiality, integrity, and availability. Hacked
social media and TV have been a hall of mirrors
and PSYOP. Russian comms are unreliable, so
Ukrainian nets have become honeypots. Hackers
have been shot in the kneecaps. Talking heads
have called for a RUNET shutdown. The Ukrainian
government has appealed for hacker volunteers
– just send your expertise, experience, and a
reference. The Great Powers are hacking from afar,
while defending their own critical infrastructure,
including nuclear command-and-control. Ukraine
has many hacker allies, while Russian hackers are
fleeing their country in record numbers. Some
lessons so far: connectivity is stronger than we
thought, info ops are stealing the day, drones are
the future, and it is always time for the next hack.
OOPSSEC -THE BAD, THE WORST
AND THE UGLY OF APT’S
OPERATIONS SECURITY
Friday at 10:30 in Track 4
45 minutes | Demo, Tool
Tomer Bar
Director of Security Research at SafeBreach
Advanced Persistent Threat groups invest in
developing their arsenal of exploits and malware
to stay below the radar and persist on the
target machines for as long as possible. We
were curious if the same efforts are invested in
the operation security of these campaigns.
We started a journey researching active campaigns
from the Middle East to the Far East including the
Palestinian Authority, Turkey, and Iran, Russia,
China, and North Korea. These campaigns were
both state-sponsored, surveillance-targeted attacks
and large-scale financially-motivated attacks.
We analyzed every technology used throughout
the attack chain: Windows (Go-lang/.Net/
Delphi) and Android malware; both on
Windows and Linux-based C2 servers.
We found unbelievable mistakes which allow
us to discover new advanced TTPs used by
attackers, for example: bypassing iCloud two-
factor authentication’ and crypto wallet and
NFT stealing methods. We were able to join the
attackers’ internal groups, view their chats, bank
accounts and crypto wallets. In some cases, we
were able to take down the entire campaign.
We will present our latest breakthroughs from our
seven-year mind-game against the sophisticated
Infy threat actor who successfully ran a 15-
year active campaign using the most secured
opSec attack chain we’ve encountered. We
will explain how they improved their opSec
over the years and how we recently managed
to monitor their activity and could even cause
a large-scale misinformation counterattack.
We will conclude by explaining how
organizations can better defend themselves.
THE PACMAN ATTACK:
BREAKING PAC ON THE APPLE
M1 WITH HARDWARE ATTACKS
Friday at 11:00 in Track 3
45 minutes | Demo, Tool, Exploit
Joseph Ravichandran
First year PhD Student working with Dr. Mengjia Yan at MIT
What do you get when you cross pointer
authentication with microarchitectural side
channels?
The PACMAN attack is a new attack technique
that can bruteforce the pointer authentication
code (PAC) for an arbitrary kernel pointer without
causing any crashes using microarchitectural
side channels. We demonstrate the PACMAN
attack against the Apple M1 CPU.
THE DARK TANGENT &
MKFACTOR - WELCOME TO DEF
CON & THE MAKING OF THE
DEF CON BADGE
Friday at 11:00 in Track 1
45 minutes
The Dark Tangent
Mkfactor, Michael and Katie Whiteley
The Dark Tangent welcomes you to DEF CON
and introduces the DEF CON 30 badge makers
Mkfactor, they discuss the labor of love that
went into producing the DEF CON 30 Badge.
FRIDAY
DEF CON POLICY DEPT - SPECIAL
EDITION POLICY TALK
Friday at 11:30 in Track 2
45 minutes
DEF CON Policy Dept
TBA
RUNNING ROOTKITS LIKE A
NATION-STATE HACKER
Friday at 11:30 in Track 4
20 minutes | Demo, Tool
Omri Misgav
CTO, Security Research Group Fortinet
Code Integrity is a threat protection feature first
introduced by Microsoft over 15 years ago. On
x64-based versions of Windows, kernel drivers
must be digitally signed and checked each time
they are loaded into memory. This is also referred
to as Driver Signature Enforcement (DSE).
The passing year showed high-profile APT
groups kept leveraging the well-known
tampering technique to disable DSE on runtime.
Meanwhile, Microsoft rolled out new mitigations:
driver blocklists and Kernel Data Protection
(KDP), a new platform security technology
for preventing data-oriented attacks.
Since using blocklist only narrows the attack
vector, we focused on how KDP was applied
in this case to eliminate the attack surface.
We found two novel data-based attacks to
bypass KDP-protected DSE, one of which is
feasible in real-world scenarios. Furthermore,
they work on all Windows versions, starting
with the first release of DSE. We’ll present each
method and run them on live machines.
We’ll discuss why KDP is an ineffective mitigation.
As it didn’t raise the bar against DSE tampering,
we looked for a different approach to mitigate
it. We’ll talk about how defenders can take
a page out of attackers’ playbook to cope
with the issue until HVCI becomes prevalent
and really eliminates this attack surface.
51
 PR3S3NTATI0NS
GLITCHED ON EARTH BY
HUMANS: A BLACK-BOX
SECURITY EVALUATION OF
THE SPACEX STARLINK USER
TERMINAL
Friday at 12:00 in Track 1
45 minutes | Demo, Exploit
Lennert Wouters
researcher at imec-COSIC, KU Leuven
This presentation covers the first black-box hardware
security evaluation of the SpaceX Starlink User
Terminal (UT). The UT uses a custom quad-core
Cortex-A53 System-on-Chip that implements verified
boot based on the ARM trusted firmware (TF-A)
project. The early stage TF-A bootloaders, and in
particular the immutable ROM bootloader include
custom fault injection countermeasures. Despite the
black-box nature of our evaluation we were able
to bypass signature verification during execution of
the ROM bootloader using voltage fault injection.
Using a modified second stage bootloader we
could extract the ROM bootloader and eFuse
memory. Our analysis demonstrates that the fault
model used during countermeasure development
does not hold in practice. Our voltage fault
injection attack was first performed in a laboratory
setting and later implemented as a custom printed
circuit board or ʻmodchip’. The presented attack
results in an unfixable compromise of the Starlink
UT and allows us to execute arbitrary code.
Obtaining root access on the Starlink UT is a
prerequisite to freely explore the Starlink network
and the underlying communication interfaces.
This presentation will cover an initial exploration
of the Starlink network. Other researchers
should be able to build on our work to
further explore the Starlink ecosystem.
DEF CON POLICY DEPT - SPECIAL
EDITION POLICY TALK
Friday at 12:30 in Track 2
45 minutes
DEF CON Policy Dept
TBA
52
AVOIDING MEMORY SCANNERS:
CUSTOMIZING MALWARE TO
EVADE YARA, PE-SIEVE, AND
MORE
Friday at 12:00 in Track 3
45 minutes
Kyle Avery
Hacker
Tired of encoding strings or recompiling to
break signatures? Wish you could keep PE-sieve
from ripping your malware out of memory?
Interested in learning how to do all of this with
your existing COTS or private toolsets?
For years, reverse engineers and endpoint security
software have used memory scanning to locate
shellcode and malware implants in Windows
memory. These tools rely on IoCs such as signatures
and unbacked executable memory. This talk will dive
into the various methods in which memory scanners
search for these indicators and demonstrate a
stable evasion technique for each method. A new
position-independent reflective DLL loader, AceLdr,
will be released alongside the presentation and
features the demonstrated techniques to evade
all of the previously described memory scanners.
The presenter and their colleagues have used
AceLdr on red team operations against mature
security programs to avoid detection successfully.
This talk will focus on the internals of Pe-sieve,
MalMemDetect, Moneta, Volatility malfind, and
YARA to understand how they find malware
in memory and how malware can be modified
to fly under their radar consistently.
ONE BOOTLOADER TO LOAD
THEM ALL
Friday at 12:00 in Track 4
45 minutes | Demo, Tool, Exploit
Mickey Shkatov
Hacker
Jesse Michael
Hacker
Introduced in 2012, Secure Boot - the OG
trust in boot - has become a foundational
rock in modern computing and is used by
millions of UEFI-enabled computers around the
world due to its integration in their BIOS.
The way Secure Boot works is simple and
effective, by using tightly controlled code signing
certificates, OEMs like Microsoft, Lenovo, Dell
and others secure their boot process, blocking
unsigned code from running during boot.
But this model puts its trust in developers developing
code without vulnerabilities or backdoors; in this
presentation we will discuss past and current flaws
in valid bootloaders, including some which misuse
built-in features to inadvertently bypass Secure Boot.
We will also discuss how in some cases malicious
executables can hide from TPM measurements used
by BitLocker and remote attestation mechanisms.
Come join us as we dive deeper and explain
how it all works, describe the vulnerabilities we
found and walk you through how to use the
new exploits and custom tools we created to
allow for a consistent bypass for secure boot
effective against every X86-64 UEFI platform.
EMOJI SHELLCODING: , ,
AND
Friday at 13:00 in Track 1
45 minutes | Demo, Tool
Hadrien Barral
Hacker
Georges-Axel Jaloyan
Hacker
Shellcodes are short executable stubs that are
used in various attack scenarios, whenever code
execution is possible. After quickly recalling what
a shellcode is and why designing shellcodes
under constraints is an art, we’ll study a new
constraint for which (to the best of our knowledge)
no such shellcode was previously known:
emoji shellcoding. We’ll tackle this problem by
introducing a new and more generic approach to
shellcoding under constraints. Brace yourselves,
you’ll see some black magic weaponizing these
cute little emojis into merciless exploits .
BACKDOORING PICKLES: A
DECADE ONLY MADE THINGS
WORSE
Friday at 13:00 in Track 3
20 minutes | Demo, Tool
ColdwaterQ
Senior Security Engineer at Nvidia
Eleven years ago, “Sour Pickles” was presented by
Marco Slaviero. Python docs already said pickles
were insecure at that time. But since then, machine
learning frameworks started saving models in
pickled formats as well. So, I will show how simple
it is to add a backdoor into any pickled object using
machine learning models as an example. As well
as an example of how to securely save a model to
prevent malicious code from being injected into it.
FRIDAY
YOU’RE MUTED ROOTED
Friday at 13:00 in Track 4
45 minutes | Demo, Tool, Exploit
Patrick Wardle
Founder, Objective-See Foundation
With a recent market cap of over $100
billion and the genericization of its name, the
popularity of Zoom is undeniable. But what
about its security? This imperative question is
often quite personal, as who amongst us isn’t
jumping on weekly (daily?) Zoom calls?
In this talk, we’ll explore Zoom’s macOS
application to uncover several critical security
flaws. Flaws, that provided a local unprivileged
attacker a direct and reliable path to root.
The first flaw, presents itself subtly in a core
cryptographic validation routine, while the second
is due to a nuanced trust issue between Zoom’s
client and its privileged helper component.
After detailing both root cause analysis and full
exploitation of these flaws, we’ll end the talk by
showing how such issues could be avoided …both
by Zoom, but also in other macOS applications.
WEAPONIZING WINDOWS
SYSCALLS AS MODERN, 32-BIT
SHELLCODE
Friday at 13:30 in Track 3
20 minutes | Demo
Tarek Abdelmotaleb
Security Researcher, VERONA Labs
Dr. Bramwell Brizendine
While much knowledge exists on using syscalls
for red team efforts, information on writing
original shellcode with syscalls so in modern x86
is sparse and lacking. Our reverse engineering
efforts, however, have revealed the necessary
steps to take to successfully perform syscalls
in shellcode, both for Windows 7 and 10,
as there are some significant differences.
In this talk, we will embark upon a journey that
will show the process of reverse engineering how
Windows syscalls work in both Windows 7 and 10,
while focusing predominately on the latter. With this
necessary foundation, we will explore the process
of effectively utilizing syscalls inside shellcode. We
will explore the special steps that must be taken
to set up syscalls – steps that may not be required
to do equivalent actions with WinAPI functions.
This talk will feature various demonstrations
of syscalls in x86 shellcode.
53
 PR3S3NTATI0NS
DEF CON POLICY DEPT - SPECIAL
EDITION POLICY TALK
Friday at 13:30 in Track 2
45 minutes
DEF CON Policy Dept
TBA
SPACE JAM: EXPLORING RADIO
FREQUENCY ATTACKS IN OUTER
SPACE
Friday at 14:00 in Track 1
45 minutes | Demo, Tool
James Pavur
Digital Service Expert, Defense Digital Service
Satellite designs are myriad as stars in the
sky, but one common denominator across all
modern missions is their dependency on long-
distance radio links. In this briefing, we will turn
a hacker’s eye towards the signals that are the
lifeblood of space missions. We’ll learn how
both state and non-state actors can, and have,
executed physical-layer attacks on satellite
communications systems and what their motivations
have been for causing such disruption.
Building on this foundation, we’ll present
modern evolutions of these attack strategies
which can threaten next-generation space
missions. From jamming, to spoofing, to signal
hijacking, we’ll see how radio links represent a
key attack surface for space platforms and how
technological developments make these attacks
ever more accessible and affordable. We’ll
simulate strategies attackers may use to cause
disruption in key space communications links and
even model attacks which may undermine critical
safety controls involved in rocket launches.
The presentation will conclude with a
discussion of strategies which can defend
against many of these attacks.
While this talk includes technical components,
it is intended to be accessible to all audiences
and does not assume any prior background
in radio communications, astrodynamics,
or aerospace engineering. The hope is to
provide a launchpad for researchers across the
security community to contribute to protecting
critical infrastructure in space and beyond.
54
PROCESS INJECTION: BREAKING
ALL MACOS SECURITY LAYERS
WITH A SINGLE VULNERABILITY
Friday at 14:00 in Track 3
45 minutes | Exploit
Thijs Alkemade
Security Researcher at Computest
macOS local security is shifting more and more
to the iOS model, where every application is
codesigned, sandboxed and needs to ask for
permission to access sensitive data. New security
layers have been added to make it harder for
malware that has gained a foothold to compromise
the user’s most sensitive data. Changing the security
model of something as large and established as
macOS is a long process, as it requires many
existing parts of the system to be re-examined. For
example, creating a security boundary between
applications running as the same user is a large
change from the previous security model.
CVE-2021-30873 is a process injection
vulnerability we reported to Apple that affected
all macOS applications. This was addressed in
the macOS Monterey update, but completely
fixing this vulnerability requires changes to all
third-party applications as well. Apple has even
changed the template for new applications
in Xcode to assist developers with this.
In this talk, we’ll explain what a process injection
vulnerability is and why it can have critical impact
on macOS. Then, we’ll explain the details of this
vulnerability, including how to exploit insecure
deserialization in macOS. Finally, we will explain
how we exploited it to escape the macOS sandbox,
elevate our privileges to root and bypass SIP.
PHREAKING 2.0 - ABUSING
MICROSOFT TEAMS DIRECT
ROUTING
Friday at 14:00 in Track 4
20 minutes | Demo, Exploit
Moritz Abrell
SySS GmbH
Microsoft Teams offers the possibility to integrate
your own communication infrastructure, e.g.
your own SIP provider for phone services. This
requires a Microsoft-certified and -approved
Session Border Controller. During the security
analysis of this federation, Moritz Abrell identified
several vulnerabilities that allow an external,
unauthenticated attacker to perform toll fraud.
This talk is a summary of this analysis, the
identified security issues and the practical
exploitation as well as the manufacturer’s
capitulation to the final fix of the vulnerabilities.

LEAK THE PLANET: VERITATEM
COGNOSCERE NON PEREAT
MUNDUS
Friday at 14:30 in Track 2
45 minutes
Emma Best
Distributed Denial of Secrets
Xan North
Distributed Denial of Secrets
As leaks become more prevalent, they come from an
increasing variety of sources: from data that simply
isn’t secured, to insiders, to hacktivists, and even
occassional state-actors (both covert and overt).
Often treated as a threat, when handled responsibly
leaks are a necessary part of the ecosystem of a
healthy and free society and economy. In spite
of prosecutors’ love of prosecution, the eternal
fixation with Fear, Uncertainty and Doubt and
DDoSecrets’ apocalyptic motto, leaks won’t
destroy the world - they can only save it.
In this presentation, we’ll discuss the necessity
and evolution of leaks, and how various
types of leaks and sources can offer different
sorts of revelations. We’ll then explore how
we can responsibly handle different types
of leaks even during volatile and politically
charged situations, as well as past failures.
We’ll also debunk the myth that hacktivism is just
a cover for state actors by exploring examples of
entities with state ties and how they were identified,
as well as how both hacktivists and state actors
have been misidentified or mishandled in the past.
Finally, we’ll discuss some of the lessons
activists, newsrooms and governments can
learn from the last decade, and where
we should collectively go from here.
TRACE ME IF YOU CAN:
BYPASSING LINUX SYSCALL
TRACING
Friday at 14:30 in Track 4
45 minutes | Demo, Tool, Exploit
Rex Guo
Principal Researcher, Lacework
Junyuan Zeng
Senior Software Engineer, Linkedin.com
In this talk, we will present novel vulnerabilities and
exploitation techniques that reliably bypass Linux
syscall tracing. A user mode program does not need
any special privileges or capabilities to reliably
avoid system call tracing detections by exploiting
these vulnerabilities. The exploits work even when
seccomp, SELinux, and AppArmor are enforced.
FRIDAY
Advanced security monitoring solutions on Linux
VMs and containers offer system call monitoring
to effectively detect attack behaviors. Linux
system calls can be monitored by kernel tracing
technologies such as tracepoint, kprobe, ptrace, etc.
These technologies intercept system calls at different
places in the system call execution. These monitoring
solutions can be deployed on cloud compute
instances such as AWS EC2, Fargate, EKS, and the
corresponding services from other cloud providers.
We comprehensively analyzed the Time-of-check-
to-time-of-use (TOCTOU) issues in the Linux kernel
syscall tracing framework and showed that these
issues can be reliably exploited to bypass syscall
tracing. Our exploits manipulate different system
interactions that can impact the execution time
of a syscall. We demonstrated that significant
syscall execution delays can be introduced
to make TOCTOU bypass reliable even when
seccomp, SELinux, and AppArmor are enforced.
Compared to the phantom attacks in DEFCON
29, the new exploit primitives we use do not
require precise timing control or synchronization.
We will demonstrate our bypass for Falco on
Linux VMs/containers and GKE. We will also
demonstrate bypass for pdig on AWS Fargate.
In addition, we will demonstrate exploitation
techniques for syscall enter and explain the reason
why certain configurations are difficult to reliably
exploit. Finally, we will summarize exploitable
TOCTOU scenarios and discuss potential mitigations
in various cloud computing environments.
EXPLORING THE HIDDEN ATTACK
SURFACE OF OEM IOT DEVICES:
PWNING THOUSANDS OF
ROUTERS WITH A VULNERABILITY
IN REALTEK’S SDK FOR ECOS OS.
Friday at 15:00 in Track 1
45 minutes
Octavio Gianatiempo
Security Researcher at Faraday
Octavio Galland
Security Researcher at Faraday
In this presentation, we go over the main challenges
we faced during our analysis of the top selling
router in a local eCommerce, and how we found a
zero-click remote unauthenticated RCE vulnerability.
We will do a walkthrough on how we located the
root cause of this vulnerability and found that it
was ingrained in Realtek’s implementation of a
networking functionality in its SDK for eCos devices.
We then present the method we used to automate
the detection of this vulnerability in other firmware
images. We reflect on the fact that on most routers
this functionality is not even documented and can’t
55
 PR3S3NTATI0NS
be disabled via the router’s web interface. We take
this as an example of the hidden attack surface
that lurks in OEM internet-connected devices.
We conclude by discussing why this vulnerability
hasn’t been reported yet, despite being easy
to spot (having no prior IoT experience),
widespread (affecting multiple devices
from different vendors), and critical.
Our research highlights the poor state of firmware
security, where vulnerable code introduced down
the supply chain might never get reviewed and end
up having a great impact, evidencing that security
is not a priority for the vendors and opening the
possibility for attackers to find high impact bugs
with low investment and little prior knowledge.
LSASS SHTINKERING: ABUSING
WINDOWS ERROR REPORTING
TO DUMP LSASS
Friday at 15:00 in Track 3
45 minutes | Demo, Tool
Asaf Gilboa
Security Researcher, Deep Instinct
This presentation will show a new method of
dumping LSASS that bypasses current EDR
defenses without using a vulnerability
but by abusing a built-in mechanism in the
Windows environment which is the WER
(Windows Error Reporting) service.
WER is a built-in system in Windows designed
to gather information about software crashes.
One of its main features is producing a
memory dump of crashing user-mode
processes for further analysis.
We discovered a new attack vector for
dumping LSASS, dubbed LSASS Shtinkering,
by manually reporting an exception to WER
on the LSASS process without crashing it.
The technique can also be used to dump the
memory of any process on the system.
This attack can bypass defenses that wrongfully
assume that a memory dump generated from
the WER service is a benign activity.
In this talk, we’ll show a step-by-step approach
of how we reverse-engineered the WER dumping
process, the challenges we found along the way,
as well as how we have managed to solve them.
56
HOW RUSSIA IS TRYING TO
BLOCK TOR
Friday at 15:30 in Track 2
45 minutes | Tool
Roger Dingledine
The Tor Project
In December 2021, some ISPs in Russia started
blocking Tor’s website, along with protocol-level
(DPI) and network-level (IP address) blocking to
try to make it harder for people in Russia to reach
the Tor network. Some months later, we’re now
at a steady-state where they are trying to find
new IP addresses to block and we’re rotating IP
addresses to keep up. In this talk I’ll walk through
what steps the Russian censors have taken, and
how we reverse engineered their attempts and
changed our strategies and our software. Then
we’ll discuss where the arms race goes from here,
what new techniques the anti-censorship world
needs if we’re going to stay ahead of future
attacks, and what it means for the world that more
and more countries are turning to network-level
blocking as the solution to their political problems.
BROWSER-POWERED DESYNC
ATTACKS: A NEW FRONTIER IN
HTTP REQUEST SMUGGLING
Friday at 15:30 in Track 4
45 minutes | Demo, Exploit
James Kettle
Director of Research, PortSwigger
The recent rise of HTTP Request Smuggling has seen
a flood of critical findings enabling near-complete
compromise of numerous major websites. However,
the threat has been confined to attacker-accessible
systems with a reverse proxy front-end... until now.
In this session, I’ll show you how to turn your
victim’s web browser into a desync delivery
platform, shifting the request smuggling frontier
by exposing single-server websites and internal
networks. You’ll learn how to combine cross-
domain requests with server flaws to poison
browser connection pools, install backdoors, and
release desync worms. With these techniques I’ll
compromise targets including Apache, Akamai,
Varnish, Amazon, and multiple web VPNs.
While some classic desync gadgets can be
adapted, other scenarios force extreme
innovation. To help, I’ll share a battle-tested
methodology combining browser features and
custom open-source tooling. We’ll also release
free online labs to help hone your new skillset.
I’ll also share the research journey, uncovering a
strategy for black-box analysis that solved several
long-standing desync obstacles and unveiled
an extremely effective novel desync trigger.
The resulting fallout will encompass client-side,
server-side, and even MITM attacks; to wrap
up, I’ll live-demo breaking HTTPS on Apache.
HACKING ISPS WITH POINT-
TO-PWN PROTOCOL OVER
ETHERNET (PPPOE)
Friday at 16:00 in Track 1
45 minutes | Demo
Gal Zror
Vulnerability Research Manager at CyberArk Labs
Hello, my name is BWL-X8620, and I’m a SOHO
router. For many years my fellow SOHO routers
and I were victims of endless abuse by hackers.
Default credentials, command injections, file
uploading - you name it. And it is all just because
we’re WAN-facing devices. Just because our
ISP leaves our web server internet-facing makes
hackers think it’s okay to attack and make
us zombies. But today, I say NO MORE!
In this talk, I will show that if a web client
can attack a web server, then an ISP
client can attack the ISP servers!
I will reveal a hidden attack surface and
vulnerabilities in popular network equipment used by
ISPs worldwide to connect end-users to the internet.
BRAS devices are not that different from us SOHO
routers. No one is infallible. But, BRAS devices
can support up to 256,000 subscribers, and
exploiting them can cause a ruckus. Code executing
can lead to a total ISP compromise, mass client
DNS poisoning, end-points RCE, and more!
This talk will present a high severity logical
DOS vulnerability in a telecommunications
vendor implementation of PPPoE and a critical
RCE vulnerability in PPP. That means we, the
SOHO routers, can attack and execute code
on the ISP’s that connect us to the internet!
Today we are fighting back!
WIRELESS KEYSTROKE
INJECTION (WKI) VIA
BLUETOOTH LOW ENERGY (BLE)
Friday at 16:00 in Track 3
45 minutes | Demo, Tool, Exploit
Jose Pico
Founder at LAYAKK
Fernando Perera
Security Analyst at LAYAKK
We present a Microsoft Windows vulnerability
that allows a remote attacker to impersonate
a Bluetooth Low Energy (BLE) keyboard and
FRIDAY
perform Wireless Key Injection (WKI) on its
behalf. It can occur after a legitimate BLE
keyboard automatically closes its connection
because of inactivity. In that situation, an attacker
can impersonate it and wirelessly send keys.
In this talk we will demonstrate the attack
live and we will explain the theoretical
basis behind it and the process that led us
to discover the vulnerability. We will also
release the tool that allows to reproduce the
attack and we will detail how to use it.”
DEF CON POLICY DEPT - SPECIAL
EDITION POLICY TALK
Friday at 16:30 in Track 2
45 minutes
DEF CON Policy Dept
TBA
A DEAD MAN’S FULL-YET-
RESPONSIBLE-DISCLOSURE
SYSTEM
Friday at 16:30 in Track 4
45 minutes | Demo, Tool
Yolan Romailler
Applied Cryptographer
Do you ever worry about responsible disclosure
because they could instead exploit the time-
to-patch to find you and remove you from the
equation? Dead man switches exist for a reason...
In this talk we present a new form of vulnerability
disclosure relying on timelock encryption of
content: where you encrypt a message that
cannot be decrypted until a given (future) time.
This notion of timelock encryption first surfaced
on the Cypherpunks mailing list in 1993 by the
crypto-anarchist founder, Tim May, and to date
while there have been numerous attempts to
tackle it, none have been deployed at scale, nor
made available to be used in any useful way.
This changes today: we’re releasing a free,
open-source tool that achieves this goal with
proper security guarantees. We rely on threshold
cryptography and decentralization of trust to
exploit the existing League of Entropy (that is
running a distributed, public, verifiable randomness
beacon network) in order to do so. We will first
cover what all of these means, we will then see
how these building blocks allow us to deploy a
responsible disclosure system that guarantees that
your report will be fully disclosed after the time-
to-patch has elapsed. This system works without
any further input from you, unlike the usual Twitter
SHA256 commitments to a file on your computer.
57
 PR3S3NTATI0NS
HUNTING BUGS IN THE TROPICS
Friday at 17:00 in Track 1
45 minutes | Exploit
Daniel Jensen
Aruba Networks makes networking
products for the enterprise. I make
enterprise products run arbitrary code.
Over the past couple of years, I’ve been hunting
for vulnerabilities in some of Aruba’s on-premise
networking products and have had a bountiful
harvest. A curated (read: patched) selection of
these will be presented for your enjoyment. Pre-
auth vulnerabilities and interesting bug chains
abound, as well as a few unexpected attack
surfaces and a frequently overlooked bug class.
This talk will explore some of the vulnerabilities
I’ve found in various products in the Aruba range,
and include details of their exploitation. I’ll
elaborate on how I found these bugs, detailing
my workflow for breaking open virtual appliances
and searching for vulnerabilities in them.
LET’S DANCE IN THE CACHE -
DESTABILIZING HASH TABLE ON
MICROSOFT IIS
Friday at 17:00 in Track 3
45 minutes | Demo, Tool, Exploit
Orange Tsai
Principal Security Researcher of DEVCORE
Hash Table, as the most fundamental Data Structure
in Computer Science, is extensively applied in
Software Architecture to store data in an associative
manner. However, its architecture makes it prone
to Collision Attacks. To deal with this problem, 25
years ago, Microsoft designed its own Dynamic
Hashing algorithm and applied it everywhere in IIS,
the Web Server from Microsoft, to serve various
data from HTTP Stack. As Hash Table is everywhere,
isn’t the design from Microsoft worth scrutinizing?
We dive into IIS internals through months of Reverse-
Engineering efforts to examine both the Hash
Table implementation and the use of Hash Table
algorithms. Several types of attacks are proposed
and uncovered in our research, including (1) A
specially designed Zero-Hash Flooding Attack
against Microsoft’s self-implemented algorithm.
(2) A Cache Poisoning Attack based on the
inconsistency between Hash-Keys. (3) An unusual
Authentication Bypass based on a hash collision.
By understanding this talk, the audience won’t be
surprised why we can destabilize the Hash Table
easily. The audience will also learn how we explore
the IIS internals and will be surprised by our results.
These results could not only make a default installed
IIS Server hang with 100% CPU but also modify
arbitrary HTTP responses through crafted HTTP
58
request. Moreover, we’ll demonstrate how we
bypass the authentication requirement with a single,
crafted password by colliding the identity cache!
DEANONYMIZATION OF TOR
HTTP HIDDEN SERVICES
Friday at 17:30 in Track 4
20 minutes | Demo, Exploit
Ionut Cernica
PHD Student Department of Computer Science, Faculty of Automatic
Control and Computer Science, University Politehnica of Bucharest
Anonymity networks such as Tor are used
to protect the identity of people or services.
Several deanonymization techniques have been
described over time. Some of them attacked the
protocol, others exploited various configuration
issues. Through this presentation I will focus on
deanonymization techniques of the http services of
such networks by exploiting configuration issues.
In the first part of the presentation, I will
present deanonymization techniques on TOR
which are public, and I will also present the
techniques developed by me and the interesting
story of how I came to develop them.
In the last part of my presentation, I will do a demo
with the exploitation of http hidden services in TOR
and I will present each technique separately. I will
also present how one of the techniques can be used
successfully not only in the TOR network, but also
on the internet in order to obtain information about
the server that will help you discover other services.
DEF CON POLICY DEPT - SPECIAL
EDITION POLICY TALK
Friday at 17:30 in Track 2
45 minutes
DEF CON Policy Dept
TBA
KILLER HERTZ
Friday at 18:00 in Track 1
45 minutes | Demo, Tool, Exploit
Chris Rock
Hacker
Governments and the private sector around the
world spend billions of dollars on Electronic
Counter Measures (ECMs) which include
jamming technologies. These jammers are
used by police departments to disrupt criminal
communication operations as well as in prisons
to disrupt prisoners using smuggled in cell
phones. The military use jammers to disrupt
radar communications, prevent remote IEDs from
FRIDAY
09:30 COMBATTING SEXUAL ABUSE WITH THREAT
INTELLIGENCE TECHNIQUES // AARON DEVERA
10:35 HUNDREDS OF INCIDENTS, WHAT CAN WE
SHARE? // GUY BARNHART-MAGEN & BRENTON
MORRIS
11:40 ANDROID, BIRTHDAY CAKE, OPEN WIFI...
OH MY! // A.KRONTAB
12:10 THE RICHEST PHISHERMAN IN COLOMBIA //
NICK ASCOLI AND MATT MOSLEY
12:45 TAKING DOWN THE GRID // JOE SLOWIK
13:50 DON'T BLOW A FUSE: SOME TRUTHS ABOUT
FUSION CENTRES // 3NCR1PT3D
14:55 CLOUD THREAT ACTORS: NO LONGER
CRYPTOJACKING FOR FUN AND PROFIT //
NATHANIEL QUIST
16:00 AUTOMATED TROLLING FOR FUN AND NO
PROFIT // BURNINATOR
17:05 DEADLY RUSSIAN MALWARE IN UKRAINE //
CHRIS KUBECKA
SATURDAY SUNDAY
09:30 CONFESSIONS OF A CISO // LAURA 09:30 ERADICATING DISEASE WITH BIOTERRORISM
WHITT-WINYARD // MIXÆL S. LAUFER
10:35 WHAT YOUR STOLEN IDENTITY DID ON ITS 10:35 BASIC BLOCKCHAIN FORENSICS // K1NG_CR4B
COVID VACATION // JUDGE TAYLOR
11:40 THIS ONE TIME, AT THIS HOSPITAL, I GOT 11:40 ABORTION TECH // MAGGIE MAYHEM
RANSOMWARE // EIRICK LURAAS
12:45 VOTER TARGETING, LOCATION DATA, AND YOU
// L0NGRANGE
OFF THE RECORD.
13:50 INTERNET WARS 2022: THESE WARS AREN'T NO VIDEO RECORDING ALLOWED.
JUST VIRTUAL // JIVESX, HARRI HURSTI, CHERYL BISWAS, BE THERE OR MISS IT FOREVER.
CHRIS KUBECKA, RUSS HANDORF, BRYSON BORT, AND GADI EVRON
16:00 DANCING AROUND DRM // GAME TECH CHRIS & CHECK SKYTALKS.INFO
ギンジー ターラノー �� FOR ANY SCHEDULE UPDATES
LOCATION INFO
17:05 COMING HOME TO DEF CON: A DEEP DIVE LINQ HOTEL
INTO THE REAL ESSENCE AND ETHOS OF BLOQ BALLROOM
HACKING // RICHARD THIEME
ILLUSTRATION BY: @RAYGUNRX
ASSISTED BY: @HACKTHELIGHT
MODELS: SPOON & SEHRO
59
 PR3S3NTATI0NS
triggering and radio communications. The private
sector use jammers to disrupt espionage in the
board room and to protect VIPS from RC-IEDs.
What if there was a way of communicating
that was immune to jammers without knowing
the point of origin. A way of communicating at
short to medium distances, an Electronic Counter
Countermeasure ECCM to the jammer.
Using a custom-built Tx/Rx, I will use the
earth’s crust to generate a H-field Near Field
Communication (NFC) channel spanning 1-11km
away in the sub 9 kHz range to communicate
encrypted messages in a jammed environment.
DRAGON TAILS: SUPPLY-SIDE
SECURITY AND INTERNATIONAL
VULNERABILITY DISCLOSURE
LAW
Friday at 18:30 in Track 2
20 minutes
Stewart Scott
Assistant Director, Cyber Statecraft Initiative, Atlantic Council
Trey Herr
Director, Cyber Statecraft Initiative, Atlantic Council
This talk will present a study of the reliance
of proprietary and open source software on
Chinese vulnerability research. A difficult political
environment for Chinese security researchers
became acute when a law requiring vulnerability
disclosure to government and banning it to all
others but the affected vendor took effect in Sept.
2021. No public evaluation of this law’s impact
has yet been made. This talk will present results of
a quantitative analysis on the changing proportion
of Chinese-based disclosures to major software
products from Google, Microsoft, Apple, and
VMWare alongside several major open source
packages. The analysis will measure change over
time in response to evolving Chinese legislation,
significant divergence from data on the allocation
of bug bounty rewards, and notable trends in
the kinds of disclosed vulnerabilities. The Chinese
research community’s prowess is well known,
from exploits at the Tianfu Cup to preeminent
enterprise labs like Qihoo 360. However, the
recent law aiming to give the Chinese government
early access to the community’s discoveries—and
the government’s apparent willingness to enforce
it even on high-profile corporations as seen in its
punishment of Alibaba—demand more thorough
scrutiny. This talk will address implications for
policy and the wider hacker community.
60
PULLING PASSWORDS OUT OF
CONFIGURATION MANAGER:
PRACTICAL ATTACKS AGAINST
MICROSOFT’S ENDPOINT
MANAGEMENT SOFTWARE
Friday at 18:00 in Track 3
45 minutes | Demo, Tool
Christopher Panayi
Chief Research Officer, MWR CyberSec
System Center Configuration Manager, now
Microsoft Endpoint Configuration Manager
(MECM), is a software management product
that has been widely adopted by large
organizations to deploy, update, and manage
software; it is commonly responsible for
the deployment and management of the
majority of server and workstation machines
in enterprise Windows environments.
This talk will provide an outline of how MECM
is used to deploy machines into enterprise
environments (typically through network booting,
although it supports various Operating System
deployment techniques), and will explore attacks
that allow Active Directory credentials to be
extracted from this process. The common MECM
misconfigurations leading to these attacks will be
detailed and, in so doing, the talk will aim to show
how to identify and exploit these misconfigurations
and how to defend against these attacks. Each
viable attack will be discussed in depth (mostly by
discussing the protocols and architecture in use, but
sometimes by diving into relevant code, if necessary)
so that the context of how and why the attack works
will be understood. These concepts will be illustrated
through the demo and release of a tool that allows
for the extraction of credentials from several of the
onsite deployment techniques that MECM supports.
TEAR DOWN THIS ZYWALL:
BREAKING OPEN ZYXEL
ENCRYPTED FIRMWARE
Friday at 18:00 in Track 4
45 minutes
Jay Lagorio
Independent Security Researcher
How do you go bug hunting in devices you own
when the manufacturer has slapped some pesky
encryption scheme on the firmware? Starting from
an encrypted blob of bits and getting to executable
code is hard and can be even more frustrating
when you already know the bug is there, you
just want to see it! Join me on my expedition to
access the contents of my Zyxel firewall’s firmware
using password and hash cracking, hardware and
software reverse engineering, and duct taping
FRIDAY/SATURDAY
puzzle pieces together. We’ll start with a device
and a firmware blob, flail helplessly at the crypto,
tear apart the hardware, reverse engineer the
software and emulate the platform, and finally
identify the decryption routine – ultimately breaking
the protection used by the entire product line to
decrypt whatever firmware version we want.
SATURDAY
BRAZIL REDUX: SHORT
CIRCUITING TECH-ENABLED
DYSTOPIA WITH THE RIGHT TO
REPAIR
Saturday at 10:00 in Track 1
75 minutes
Paul Roberts
Founder, SecuRepairs.org, Editor in Chief, The Security Ledger
Joe Grand
Founder and CEO, Grand Idea Studios
Corynne McSherry
Legal Director, Electronic Frontier Foundation
Louis Rossmann
Founder, Rossmanngroup.com
Kyle Wiens
CEO, iFixit
Terry Gilliam’s 1985 cult film Brazil posits a
polluted, hyper-consumerist and totalitarian
dystopia in which a renegade heating engineer,
Archibald Tuttle, takes great risks to conduct repairs
outside of the stifling and inefficient bureaucracy of
“Central Services.” When Tuttle’s rogue repairs are
detected, Central Services workers demolish and
seize repaired systems under the pretext of “fixing”
them. It’s dark. It’s also not so far off from our
present reality in which device makers use always-on
Internet connections, DRM and expansive copyright
and IP claims to sustain “Central Services”-like
monopolies on the service and repair of appliances,
agricultural and medical equipment, personal
electronics and more. The net effect of this is a
less- not more secure ecosystem of connected things
that burdens consumers, businesses and the planet.
Our panel of repair and cybersecurity experts will
delve into how OEMs’ anti-repair arguments trumpet
cybersecurity risks, while strangling independent
repair and dissembling about the abysmal state of
embedded device security. We’ll also examine how
the emergent “right to repair” movement aims to
dismantle this emerging “Brazil” style dystopia and
lay the foundation for a “circular” economy that
reduces waste while also ensuring better security
and privacy protections for technology users.
LITERAL SELF-PWNING:
WHY PATIENTS - AND THEIR
ADVOCATES - SHOULD BE
ENCOURAGED TO HACK,
IMPROVE, AND MOD MED TECH
Saturday at 10:00 in Track 4
45 minutes
Cory Doctorow
Science fiction author, activist and journalist
Christian “quaddi” Dameff MD
Emergency Medicine Physician & Hacker at The University of California
San Diego
Jeff “r3plicant” Tully MD
Anesthesiologist at The University of California San Diego
What do Apple, John Deere and Wahl Shavers
have in common with med-tech companies? They
all insist that if you were able to mod their
stuff, you would kill yourself and/or someone
else... and they’ve all demonstrated, time and
again, that they are unfit to have the final
say over how the tools you depend on should
work. As right to repair and other interoperability
movements gain prominence, med-tech wants
us to think that it’s too life-or-death for
modding. We think that med-tech is too life-or-
death NOT to to be open, accountable and
configurable by the people who depend on
it. Hear two hacker doctors and a tech activist
talk about who’s on the right side of history
and how the people on the wrong side of
history are trying to turn you into a walking
inkjet printer, locked into an app store.
SCALING THE SECURITY
RESEARCHER TO ELIMINATE OSS
VULNERABILITIES ONCE AND
FOR ALL
Saturday at 10:00 in Track 3
45 minutes | Demo
Jonathan Leitschuh
OSS Security Researcher - Dan Kaminsky Fellowship @ HUMAN Security
Hundreds of thousands of human hours are invested
every year in finding common security vulnerabilities
with relatively simple fixes. These vulnerabilities
aren’t sexy, cool, or new, we’ve known about
them for years, but they’re everywhere!
The scale of GitHub & tools like CodeQL (GitHub’s
code query language) enable one to scan for
vulnerabilities across hundreds of thousands of
OSS projects, but the challenge is how to scale the
61
 PR3S3NTATI0NS
triaging, reporting, and fixing. Simply automating
the creation of thousands of bug reports by itself
isn’t useful, & would be even more of a burden
on volunteer maintainers of OSS projects. Ideally
the maintainers would be provided with not only
information about the vulnerability, but also a fix
in the form of an easily actionable pull request.
When facing a problem of this scale, what is
the most efficient way to leverage researcher
knowledge to fix the most vulnerabilities across
OSS? This talk will cover a highly scalable solution
- automated bulk pull request generation. We’ll
discuss the practical applications of this technique
on real world OSS projects. We’ll also cover
technologies like CodeQL & OpenRewrite (a style-
preserving refactoring tool created at Netflix & now
developed by Moderne). Let’s not just talk about
vulnerabilities, let’s actually fix them at scale.
HOW TO GET MUMPS THIRTY
YEARS LATER (OR, HACKING
THE GOVERNMENT VIA FOIA’D
CODE)
Saturday at 11:00 in Track 4
45 minutes | Demo, Exploit
Zachary Minneker
Senior Security Engineer, Security Innovation
In the 60s, engineers working in a lab at
Massachusettes General Hospital in Boston
invented a programming environment for use in
medical contexts. This is before C, before the
Unix epoch, before the concept of an electronic
medical records system even existed. But if you
have medical records in the US, or if you’ve
banked in the US, its likely that this language
has touched your data. Since the 1960s, this
language has been used in everything from
EMRs to core banking to general database
needs, and even is contained in apt to this day.
This is the Massachusettes General Hospital Utility
Multi-Programming System. This is MUMPS.
This talk covers new research into common open-
source MUMPS implementations, starting with an
application that relies on MUMPS: the Department
of Veterans Affairs’ VistA EMR. We’ll cover a
short history of VistA before diving into its guts and
examining MUMPS, the language that VistA was
written in. Then we’ll talk about 30 memory bugs
discovered while fuzzing open source MUMPS
implementations before returning to VistA to
cover critical vulnerabilities found in credential
handling and login mechanisms. We’ll close by
taking a step back and asking questions about
how we even got here in the first place, the right
moves we made, and what we can do better.
62
MY FIRST HACK WAS IN
1958 (THEN A CAREER IN
ROCK’N’ROLL TAUGHT ME
ABOUT SECURITY)
Saturday at 11:00 in Track 2
45 minutes
Winn Schwartau
Security Thinker Since 1983
My first hack was in 1958, and it was all my
mother’s fault. Or perhaps I should also blame
my father. They were both engineers and I got
their DNA. As a kid I hacked phones… cuz,
well, phones were expensive! (Cardboard was
an important hacking tool.) At age 6 I made a
decent living cuz I could fix tube TVs. True!
In roughly 1970 (thanks to NYU) we moved
on to hacking Hollerith (punch) cards
to avoid paying for telephone and our
utilities, and of course, shenanigans.
As a recording studio designer and builder, we
dumpster dived for technology from AT&T. We
never threw anything out and learned how to
repurpose and abuse tech from the 1940s.
As a rock’n’roll engineer, I learned to live with
constant systems epic failures. Anything that
could break would break: before a live TV
event or a massive concert. Talk about lessons
in Disaster Recovery and Incident Response.
This talk, chock full of pictures and stories
from the past, covers my hacking path as a
kid then as a necessary part of survival in
the entertainment industry. 1958-1981.
Come on down for the ride and see how 64
years of lessons learned can give you an entirely
different view of Hacking and how and why I
have embraced failure for both of my careers!
NO-CODE MALWARE:
WINDOWS 11 AT YOUR SERVICE
Saturday at 11:00 in Track 3
45 minutes | Demo, Tool, Exploit
Michael Bargury
Co-Founder and CTO, Zenity.io
Windows 11 ships with a nifty feature called
Power Automate, which lets users automate
mundane processes. In a nutshell, Users can build
custom processes and hand them to Microsoft,
which in turn ensures they are distributed to
all user machines or Office cloud, executed
successfully and reports back to the cloud. You
can probably already see where this is going..
In this presentation, we will show how Power
Automate can be repurposed to power malware
operations. We will demonstrate the full cycle of
distributing payloads, bypassing perimeter controls,
executing them on victim machines and exfiltrating
data. All while using nothing but Windows baked-in
and signed executables, and Office cloud services.
We will then take you behind the scenes and
explore how this service works, what attack
surface it exposes on the machine and in the
cloud, and how it is enabled by-default and can
be used without explicit user consent. We will
also point out a few promising future research
directions for the community to pursue.
Finally, we will share an open-source command
line tool to easily accomplish all of the above,
so you will be able to add it into your Red
Team arsenal and try out your own ideas.
REVERSING THE ORIGINAL XBOX
LIVE PROTOCOLS
Saturday at 11:30 in Track 1
45 minutes | Demo, Tool
Tristan Miller
Hacker
Xbox Live for original Xbox systems launched
on November 15, 2002 and was subsequently
discontinued on April 15, 2010. The first half of
this talk will be an infromation dense overview of
the gritty details of how the underlying protocols
work and intermixing a retrospective of two
decades of how the industry has approached
IOT and network security. The second half of the
talk will use that base to discuss the architecture
of drop in replacement server infrastructure,
how the speaker approaches the ethics of third
party support for non-updatable abandoned
networked devices, and culminating in a demo.
ALL ROADS LEADS TO GKE’S
HOST : 4+ WAYS TO ESCAPE
Saturday at 12:00 in Track 3
45 minutes | Demo, Exploit
Billy Jheng
Security Researcher at STAR Labs
Muhammad ALifa Ramdhan
Security Researcher at STAR Labs
Container security is a prevalent topic in security
research. Due to the great design and long-
term effort, containers have been more and
more secure. Usage of container technology is
increasingly being used. Container security is a
topic that has started to be discussed a lot lately.
SATURDAY
In late 2021, Google increased the vulnerability
reward program in kCTF infrastructure, which
was built on top of Kubernetes and Google
Container Optimized OS, with a minimum
reward of $31,337 per submission.
In this talk, we will share about how we
managed to have 4 successful submissions on
kCTF VRP by exploiting four Linux kernel bugs
to perform container escape on kCTF cluster,
we will explain some interesting kernel exploit
techniques and tricks that can be used to bypass
the latest security mitigation in Linux kernel.
We will also share what we did wrong that
causes us to nearly lose 1 of the bounty.
As of writing, there are 14 successful entries to
kCTF. In this presentation, we are willing to share
our full, in-depth details on the research of kCTF.
To the best of our knowledge, this presentation
will be the first to talk about a complete
methodology to pwn kCTF (find and exploit
bugs within 0-day and 1-day) in public.
THE EVIL PLC ATTACK:
WEAPONIZING PLCS
Saturday at 12:00 in Track 4
20 minutes | Demo, Tool, Exploit
Sharon Brizinov
Vulnerability Research Team Lead @ Claroty
These days, Programmable Logic Controllers
(PLC) in an industrial network are a critical attack
target, with more exploits being identified every
day. But what if the PLC wasn’t the prey, but
the predator? This presentation demonstrates a
novel TTP called the “Evil PLC Attack”, where
a PLC is weaponized in a way that when an
engineer is trying to configure or troubleshoot
it, the engineer’s machine gets compromised.
We will describe how engineers diagnose PLC
issues, write code, and transfer bytecode to PLCs
for execution with industrial processes in any
number of critical sectors, including electric, water
and wastewater, heavy industry, and automotive
manufacturing. Then we will describe how we
conceptualized, developed, and implemented
different techniques to weaponize a PLC in order to
achieve code execution on an engineer’s machine.
The research resulted in working PoCs
against ICS market leaders which fixed all
the reported vulnerabilities and remediated
the attack vector. Such vendors include
Rockwell Automation, Schneider Electric,
GE, B&R, Xinje, OVARRO and more.
63
SUNDAY

64
65
 PR3S3NTATI0NS
TRACKING MILITARY GHOST
HELICOPTERS OVER OUR
NATION’S CAPITAL
Saturday at 12:00 in Track 2
20 minutes
Andrew Logan
There’s a running joke around Washington D.C.
that the “State Bird” is the helicopter. Yet 96% of
helicopter noise complaints from 2018-2021 went
unattributed: D.C. Residents can not tell a news
helicopter from a black hawk. Flight tracking sites
remove flights as a paid service to aircraft owners
and government agencies; even in the best case
these sites do not receive tracking information from
most military helicopters due to a Code of Federal
Regulations exemption for “sensitive government
mission for national defense, homeland security,
intelligence or law enforcement.” This makes an
enormous amount of helicopter flights untraceable
even for the FAA and leaves residents in the dark.
What if we could help residents identify
helicopters? What if we could crowd source
helicopter tracking? What if we could collect
images to identify helicopters using computer
vision? What if we could make aircraft radio as
accessible as reading a map? What if we could
make spotting helicopters a game that appeals
to the competitive spirit of Washingtonians? And
what if we could do all of this... on Twitter?
ANALYZING PIPEDREAM:
CHALLENGES IN TESTING AN
ICS ATTACK TOOLKIT.
Saturday at 12:30 in Track 4
45 minutes | Demo
Jimmy Wylie
Principal Malware Analyst II , Dragos, Inc.
Identified early in 2022, PIPEDREAM is the
seventh-known ICS-specific malware and the fifth
malware specifically developed to disrupt industrial
processes. PIPEDREAM demonstrates significant
adversary research and development focused
on the disruption, degradation, and potentially,
the destruction of industrial environments and
physical processes. PIPEDREAM can impact
a wide variety of PLCs including Omron and
Schneider Electric controllers. PIPEDREAM
can also execute attacks that take advantage
of ubiquitous industrial protocols, including
CODESYS, Modbus, FINS, and OPC-UA.
This presentation will summarize the malware,
and detail the difficulties encountered during the
reverse engineering and analysis of the malware
to include acquiring equipment and setting up our
lab. This talk will also release the latest results
66
from Drago’s lab including an assessment of the
breadth of impact of PIPEDREAM’s CODESYS
modules on equipment beyond Schneider
Electric’s PLCs, testing Omron servo manipulation,
as well as OPC-UA server manipulation.
While a background in ICS is helpful to
understand this talk, it is not required. The
audience will learn about what challenges
they can expect to encounter when testing
ICS malware and how to overcome them.
THE HITCHHACKER’S GUIDE TO
IPHONE LIGHTNING & JTAG
HACKING
Saturday at 12:30 in Track 1
20 minutes | Demo, Tool
stacksmashing
Hacker
Apple’s Lightning connector was introduced almost
10 years ago - and under the hood it can be used
for much more than just charging an iPhone: Using
a proprietary protocol it can also be configured
to give access to a serial-console and even expose
the JTAG pins of the application processor! So
far these hidden debugging features have not
been very accessible, and could only be accessed
using expensive and difficult to acquire “Kanzi”
and “Bonobo” cables. In this talk we introduce
the cheap and open-source “Tamarin Cable”,
bringing Lightning exploration to the masses!
In this talk we are diving deep into
the weeds of Apple Lightning:
What’s “Tristar”, “Hydra” and “HiFive”? What’s
SDQ and IDBUS? And how does it all fit together?
We show how you can analyze Lightning
communications, what different types of cables (such
as DCSD, Kanzi & co) communicate with the iPhone,
and how everything works on the hardware level.
We then show how we developed the “Tamarin
Cable”: An open-source, super cheap (~$5
and a sacrificed cable) Lightning explorer
that supports sending custom IDBUS & SDQ
commands, can access the iPhone’s serial-
console, and even provides a full JTAG/
SWD probe able to debug iPhones.
We also show how we fuzzed Lightning to
uncover new commands, and reverse engineer
some Lightning details hidden in iOS itself.

UFOS, ALIEN LIFE, AND THE
LEAST UNTRUTHFUL THINGS I
CAN SAY.
Saturday at 12:30 in Track 2
45 minutes
Richard Thieme
ThiemeWorks
I have explored the subject of UFOs seriously and
in depth and detail for 44 years. I have worked
with some of the best and brightest in the “invisible
college” to do academic research and reach
conclusions based on the evidence. I contributed to
the celebrated history, “UFOs and Government: A
Historical Inquiry,” the gold standard for historical
research into the subject now in over 100 university
libraries. This talk more than updates the latest
government statements on the subject--it is the most
complete, honest, and forthright presentation I
can make. I will tell the most truth I can, based
on data and evidence. As an NSA analyst told
me, “Richard, they are here. They’re here.”
CHROMEBOOK BREAKOUT:
ESCAPING JAIL, WITH YOUR
FRIENDS, USING A PICO DUCKY
Saturday at 13:00 in Track 1
45 minutes | Demo
Jimi Allee
CEO @ Lost Rabbit Labs
Learn how we used our Pico Ducky to escape
Chromebook jail, rescue our friends along the way,
and have some fun Living Off the Land! Leveraging
a discovered (but previously disclosed) Command
Injection vulnerability in the ChromeOS crosh shell,
we rabbithole into the internal ChromeOS Linux
system, obtain persistence across reboots, and
exfiltrate user data even before Developer Mode
has been enabled. Learn how to provision and
utilize local services in order to perform Privilege
Escalations, and also create a ʻMaster Key’ with
the Pico Ducky and custom GTFO 1-liners, in
order to perform a full Chromebook Breakout!
SATURDAY
EXPLORING ANCIENT RUINS
TO FIND MODERN BUGS:
DISCOVERING A 0-DAY IN AN
MS-RPC SERVICE
Saturday at 13:00 in Track 3
45 minutes | Demo, Tool, Exploit
Ben Barnea
Senior Security Researcher, Akamai
MS-RPC is Microsoft’s implementation of the Remote
Procedure Calls protocol. Even though the protocol
is extremely widespread, and serves as the basis
for nearly all Windows services on both managed
and unmanaged networks, little has been published
about MS-RPC, its attack surface and design flaws.
In this talk, we will walkthrough and demonstrate
a 0-day RCE vulnerability which we discovered
through our research of MS-RPC. When exploited,
this vulnerability allows an attacker to execute
code remotely and potentially take over the
Domain Controller. We believe this vulnerability
may belong to a somewhat novel bug-class
which is unique to RPC server implementations,
and would like to share this idea as a possible
research direction with the audience.
To aid future research into the topic of MS-RPC, we
will share a deep, technical overview of the RPC
system in Windows, explain why we decided to
target it, and point out several design flaws. We
will also outline the methodology we developed
around RPC as a research target along with some
tools we built to facilitate the bug-hunting process.
EXPLORING ANCIENT RUINS
TO FIND MODERN BUGS:
DISCOVERING A 0-DAY IN AN
MS-RPC SERVICE
Saturday at 13:00 in Track 3
45 minutes | Demo, Tool, Exploit
Ophir Harpaz
Senior Security Research Team Lead, Akamai
MS-RPC is Microsoft’s implementation of the Remote
Procedure Calls protocol. Even though the protocol
is extremely widespread, and serves as the basis
for nearly all Windows services on both managed
and unmanaged networks, little has been published
about MS-RPC, its attack surface and design flaws.
In this talk, we will walkthrough and demonstrate
a 0-day RCE vulnerability which we discovered
through our research of MS-RPC. When exploited,
this vulnerability allows an attacker to execute
code remotely and potentially take over the
Domain Controller. We believe this vulnerability
may belong to a somewhat novel bug-class
67
 PR3S3NTATI0NS
which is unique to RPC server implementations,
and would like to share this idea as a possible
research direction with the audience.
To aid future research into the topic of MS-RPC, we
will share a deep, technical overview of the RPC
system in Windows, explain why we decided to
target it, and point out several design flaws. We
will also outline the methodology we developed
around RPC as a research target along with some
tools we built to facilitate the bug-hunting process.
DO NOT TRUST THE ASA,
TROJANS!
Saturday at 13:30 in Track 4
45 minutes | Tool, Exploit
Jacob Baines
Lead Security Researcher, Rapid7
Cisco ASA and ASA-X are widely deployed
firewalls that are relied upon to protect internal
networks from the dangers of the outside world.
This key piece of network infrastructure is an
obvious point of attack, and a known target
for exploitation and implantation by APT such
as the Equation Group. Yet it’s been a number
of years since a new vulnerability has been
published that can provide privileged access
to the ASA or the protected internal network.
But all good things must come to an end.
In this talk, new vulnerabilities affecting the Cisco
ASA will be presented. We’ll exploit the firewall,
the system’s administrators, and the ASA-X
FirePOWER module. The result of which should
call into question the firewall’s trustworthiness.
The talk will focus on the practical exploitation of
the ASA using these new vulnerabilities. To that
end, new tooling and Metasploit modules will be
presented. For IT protectors, mitigation and potential
indicators of compromise will also be explored.
68
HACK THE HEMISPHERE! HOW
WE (LEGALLY) BROADCASTED
HACKER CONTENT TO ALL OF
NORTH AMERICA USING AN
END-OF-LIFE GEOSTATIONARY
SATELLITE, AND HOW YOU CAN
SET UP YOUR OWN BROADCAST
TOO!
Saturday at 13:30 in Track 2
45 minutes | Demo
Karl Koscher
Hacker
Andrew Green
Hacker
The Shadytel cabal had an unprecedented
opportunity to legally uplink to and use a vacant
transponder slot on a geostationary satellite
about to be decommissioned. This talk will
explain how we modified an unused commercial
uplink facility to broadcast modern HD DVB-S2
signals and created the media processing chain
to generate the ultimate information broadcast.
You’ll learn how satellite transponders work, how
HDTV is encoded and transmitted, and how you
can create your own hacker event broadcast.
OPENCOLA. THE ANTISOCIAL
NETWORK
Saturday at 14:00 in Track 1
45 minutes | Demo, Tool
John Midgley
Cult of the Dead Cow
Oxblood Ruffin
Cult of the Dead Cow
The internet, as it stands today, is not a very
trustworthy environment, as evidenced by the
numerous headlines of companies abusing personal
data and activity. This is not really surprising since
companies are responsible for optimizing revenue,
which is often at odds with user benefit. The result
of these incentives has produced or exacerbated
significant problems: tech silos, misinformation,
privacy abuse, concentration of wealth, the
attention economy, etc. We built OpenCola, free
and open source, as an alternative to existing
big-tech applications. It puts users in control of
their personal activity and the algorithms that
shape the flow of data to them. We believe that
this solution, although simple, can significantly
mitigate the challenges facing the Internet.

THE COW (CONTAINER ON
WINDOWS) WHO ESCAPED THE
SILO
Saturday at 14:00 in Track 3
45 minutes | Demo, Tool, Exploit
Eran Segal
Security research team leader at SafeBreach
Virtualization and containers are the
foundations of cloud services. Containers
should be isolated from the real host’s
settings to ensure the security of the host.
In this talk we’ll answer these questions:
“Are Windows process-isolated containers
really isolated?” and “What can an attacker
achieve by breaking the isolation?”
Before we jump into the vulnerabilities, we’ll explain
how Windows isolates the container’s processes,
filesystem and how the host prevents the container
from executing syscalls which can impact the host.
Specifically, we’ll focus on the isolation
implementation of Ntoskrnl using
server silos and job objects.
We’ll compare Windows containers to Linux
containers and describe the differences
between their security architectural designs.
We’ll follow the scenario of an attacker-crafted
container running with low privileges. We’ll show
in multiple ways how to gain privilege escalation
inside the container to NT/System. After gaining
NT/System permissions, we’ll talk about how
we escaped the isolation of the container and
easily achieved a dump of the entire host’s
kernel memory from within the container. If the
host is configured with a kernel debugger, we
can even dump the host’s Admin credentials.
We’ll finish by demonstrating how an attacker-
crafted container with low privileges can read UEFI
settings and then set them. Using this technique an
attacker can communicate between containers and
cause a permanent Denial-of-Service (DoS) to a host
with default settings, through the UEFI interface.
DIGGING INTO XIAOMI’S TEE TO
GET TO CHINESE MONEY
Saturday at 14:30 in Track 2
20 minutes | Demo, Exploit
Slava Makkaveev
Security Researcher, Check Point
The Far East and China account for two-thirds of
global mobile payments in 2021. That is about $4
billion in mobile wallet transactions. Such a huge
amount of money is sure to attract the attention of
hackers. Have you ever wondered how safe it is
to pay from a mobile device? Can a malicious app
SATURDAY
steal money from your digital wallet? To answer
these questions, we researched the payment system
built into Xiaomi smartphones based on MediaTek
chips, which are very popular in China. As a result,
we discovered vulnerabilities that allow forging
payment packages or disabling the payment system
directly from an unprivileged Android application.
Mobile payment signatures are carried out in the
Trusted Execution Environment (TEE) that remains
secure on compromised devices. The attacker needs
to hack the TEE in order to hack the payment.
There is a lot of good research about mobile TEEs
in the public domain, but no one pays attention
to trusted apps written by device vendors like
Xiaomi and not by chip makers, while the core
of mobile payments is implemented there. In our
research, we reviewed Xiaomi’s TEE for security
issues in order to find a way to scam WeChat Pay.
DOING THE IMPOSSIBLE: HOW
I FOUND MAINFRAME BUFFER
OVERFLOWS
Saturday at 14:30 in Track 4
45 minutes | Demo, Tool, Exploit
Jake Labelle
Mainframes run the world, literally. Have
you ever paid for something, a mainframe
was involved, flown? Used a bank? Gone to
college? A mainframe was involved. Do you live
in a country with a government? Mainframes!
The current (and really only) mainframe OS
is z/OS from IBM. If you’ve ever talked to a
mainframer you’ll get told how they’re more
secure because buffer overflows are (were)
impossible. This talk will prove them all wrong!
Finding exploits on z/OS is no different than any
other platform. This talk will walk through how you
too can become a mainframe exploit researcher!
Remote code execution is extra tricky on a
mainframe as almost all sockets read data with the
ASCII character set and convert that to EBCDIC for
the application. With this talk you will find out how
to find and then remotely overflow a vulnerable
mainframe C program and create a ASCII ->
EBCDIC shellcode to escalate your privileges
remotely, without auth. Previous mainframe talks
focused on infrastructure based attacks. This talk
builds on those but adds a class of vulnerabilities,
opening up the mainframe hacking community.
69
 PR3S3NTATI0NS
DÉJÀ VU: UNCOVERING STOLEN
ALGORITHMS IN COMMERCIAL
PRODUCTS
Saturday at 15:00 in Track 1
20 minutes | Demo
Patrick Wardle
Founder, Objective-See Foundation
Tom McGuire
In an ideal world, members of a community work
together towards a common goal or greater good.
Unfortunately, we do not (yet) live in such a world.
In this talk, we discuss what appears to be a
systemic issue impacting our cyber-security
community: the theft and unauthorized use of
algorithms by corporate entities. Entities who
themselves may be part of the community.
First, we’ll present a variety of search techniques
that can automatically point to unauthorized
code in commercial products. Then we’ll show
how reverse-engineering and binary comparison
techniques can confirm such findings.
Next, we will apply these approaches in a real-
world case study. Specifically, we’ll focus on a
popular tool from a non-profit organization that
was reverse-engineered by multiple entities such
that its core algorithm could be recovered and used
(unauthorized), in multiple commercial products.
The talk will end with actionable takeaways
and recommendations, as who knows, this may
happen to you too! For one, we’ll present strategic
approaches (and the challenges) of confronting
culpable commercial entities (and their legal teams).
Moreover, we’ll provide recommendations for
corporations to ensure this doesn’t happen in the
first place, thus ensuring that our community can
remain cohesively focused on its mutual goals.
THE BIG RICK: HOW I
RICKROLLED MY HIGH SCHOOL
DISTRICT AND GOT AWAY WITH
IT
Saturday at 15:00 in Track 2
20 minutes
Minh Duong
Student at University of Illinois at Urbana-Champaign
What happens when you have networked
projectors, misconfigured devices, and a bored
high school student looking for the perfect senior
prank? You get a massive rickroll spanning six
high schools and over 11,000 students at one of
the largest school districts in suburban Chicago.
70
This talk will go over the coordination required
to execute a hack of this scale and the logistics
of commanding a botnet of IoT systems. It will
also describe the operational security measures
taken so that *you* can evade detection, avoid
punishment, and successfully walk at graduation.
YOU HAVE ONE NEW
APPWNTMENT - HACKING
PROPRIETARY ICALENDAR
PROPERTIES
Saturday at 15:00 in Track 3
45 minutes | Demo, Tool, Exploit
Eugene Lim
Cybersecurity Specialist, Government Technology Agency of Singapore
First defined in 1998, the iCalendar standard
remains ubiquitous in enterprise software. However,
it did not account for modern security concerns
and allowed vendors to create proprietary
extensions that expanded the attack surface.
I demonstrate how flawed RFC implementations
led to new vulnerabilities in popular applications
such as Apple Calendar, Google Calendar,
Microsoft Outlook, and VMware Boxer. Attackers
can trigger exploits remotely with zero user
interaction due to automatic parsing of event
invitations. Some of these zombie properties were
abandoned years ago for their obvious security
problems but continue to pop up in legacy code.
Furthermore, I explain how iCalendar’s integrations
with the SMTP and CalDAV protocols enable
multi-stage attacks. Despite attempts to secure
these technologies separately, the interactions
that arise from features such as emailed event
reminders require a full-stack approach to
calendar security. I conclude that developers
should strengthen existing iCalendar standards
in terms of design and implementation.
I advocate for an open-source and open-
standards approach to secure iCalendar
rather than proprietary fragmentation. I will
release a database of proprietary iCalendar
properties and a technical whitepaper.

AUTOMOTIVE ETHERNET
FUZZING: FROM PURCHASING
ECU TO SOME/IP FUZZING
Saturday at 15:30 in Track 1
20 minutes | Tool
Jonghyuk Song
Leader of Verification and Validation, Autocrypt
Soohwan Oh
Blueteam Engineer, Autocrypt
Woongjo choi
Blueteam Leader, Autocrypt
Car hacking is a tricky subject to hackers because
it requires lots of money and hardware knowledge
to research with a real car. An alternative way
would be to research with an ECU but it also
difficult to know how to setup the equipment.
Moreover, in order to communicate with Automotive
Ethernet services running on the ECU, you need
additional devices such as media converters and
Ethernet adapters supporting Virtual LAN(VLAN).
Even if you succeed in building the hardware
environment, you can’t communicate with the
ECU over SOME/IP protocol of Automotive
Ethernet if you don’t know the network
configuration, such as VLAN ID, service IDs
and IP/port mapped to each service.
This talk describes how to do fuzzing on
the SOME/IP services step by step.
First, we demonstrate how to buy an
ECU, how to power and wire it.
Second, we explain network configurations
to communicate between ECU and PC.
Third, we describe how to find out the information
required to perform SOME/IP fuzzing and
how to implement SOME/IP Fuzzer.
We have conducted the fuzzing with the
BMW ECUs purchased by official BMW
sales channels, not used products.
We hope this talk will make more people to
try car hacking and will not go through the
trials and errors that we have experienced.
SATURDAY
PERIMETER BREACHED! HACKING
AN ACCESS CONTROL SYSTEM
Saturday at 15:30 in Track 4
45 minutes | Demo
Sam Quinn
Senior Security Researcher, Trellix
Steve Povolny
Principal Engineer & Head of Advanced Threat Research, Trellix
The first critical component to any attack is an entry
point. As we lock down firewalls and routers, it
can be easy to overlook the network-connected
physical access control systems. A study done by
IBM in 2021 showed that the average cost of a
physical security compromise is $3.54 million and
takes an average of 223 days to identify a breach.
Carrier’s LenelS2 is a global distributor of
access control systems, deployed across
multiple industries and certified for use in
federal and state government facilities.
Trellix’s Threat Labs team uncovered 8 0-day
vulnerabilities leading to remote, unauthenticated
code execution on the LenelS2 Mercury 4420
access control panel. These findings lead to full
system control including the ability for an attacker
to remotely manipulate door locks. During this
presentation, we will deep dive into our hardware
hacking process including the challenges faced
such as bypassing the bootloader, hardware-
based watchdog timers, and authentication. We
will describe emulation and provide a detailed
walkthrough of the 8 discovered zero-day
vulnerabilities, and end to end exploitation using
malware we designed to control system functionality.
We culminate the talk with a live demo featuring
full system control, unlocking doors remotely
without triggering any software notifications.
TOR: DARKNET OPSEC BY A
VETERAN DARKNET VENDOR
Saturday at 15:30 in Track 2
45 minutes
Sam Bent
KS LLC
The hacking subculture’s closest relative is that of the
Darknet. Both have knowledgeable people, many
of whom are highly proficient with technology and
wish to remain somewhat anonymous. They are
both composed of a vast amount of introverts and
abide by the same first rule: “Don’t get caught.”
Over the past decade, there have been many
DEF CON talks that have discussed topics related
to Tor and the Darknet. Having an IT, Infosec,
and hacking background, the goal is to present a
unique perspective from a hacker turned Darknet
Vendor, who then learned about the law and–
71
 PR3S3NTATI0NS
using metaphorical privilege escalation and social
engineering–got himself out of federal prison after
a year and a half by acting as his own lawyer.
The focus of this talk will surround operational
security policies that a skilled Darknet Market
Vendor (DMV) implements to avoid compromising
their identity. We will look at tactics used by Law
Enforcement and common attacks prevalent on
the Darknet, ranging from linguistic analysis and
United States Postal Inspector operations all the
way to correlation attacks and utilizing long-range
wifi antennas to avoid detection as a failsafe.
By focusing less on the basics of Tor and more
on how insiders operate within it, we will
uncover what it takes to navigate this ever-
evolving landscape with clever OpSec.
LOW CODE HIGH RISK:
ENTERPRISE DOMINATION VIA
LOW CODE ABUSE
Saturday at 16:00 in Track 3
45 minutes | Demo, Tool, Exploit
Michael Bargury
Co-Founder and CTO, Zenity.io
Why focus on heavily guarded crown
jewels when you can dominate an
organization through its shadow IT?
Low-Code applications have become a
reality in the enterprise, with surveys showing
that most enterprise apps are now built
outside of IT, with lacking security practices.
Unsurprisingly, attackers have figured out ways
to leverage these platforms for their gain.
In this talk, we demonstrate a host of attack
techniques found in the wild, where enterprise
No-Code platforms are leveraged and abused
for every step in the cyber killchain. You will
learn how attackers perform an account takeover
by making the user simply click a link, move
laterally and escalate privileges with zero network
traffic, leave behind an untraceable backdoor,
and automate data exfiltration, to name a few
capabilities. All capabilities will be demonstrated
with POCs, and their source code will be shared.
Next, we will drop two isolation-breaking
vulnerabilities that allow privilege escalation
and cross-tenant access. We will explain
how these vulnerabilities were discovered
and assess their pre-discovery impact.
Finally, we will introduce an open-source recon tool
that identifies opportunities for lateral movement
and privilege escalation through low-code platforms.
72
TRAILER SHOUTING: TALKING
PLC4TRUCKS REMOTELY WITH
AN SDR
Saturday at 16:00 in Track 1
45 minutes | Demo, Tool, Exploit
Ben Gardiner
Senior Cybersecurity Research Engineer, National Motor Freight Traffic
Association Inc.,
Chris Poore
Senior Reverse Engineer, Assured Information Security
Ben Gardiner, Chris Poore and other security
researchers have been analyzing signals and
performing research against trailers and Power Line
Communication for multiple years. This year the
team was able to disclose two vulnerabilities focused
on the ability to remotely inject RF messages onto
the powerline and in turn send un-authenticated
messages to the brake controller over the link. The
team will discuss the details of PLC4TRUCKS, identify
what led to this research and the discovery of the
vulnerabilities, and then highlight the details of
the SDR and software used to perform the attack.
The talk will conclude with the demonstration of
a remotely induced brake controller solenoid test
using an FL2K and the release of the GNU radio
block used to perform the test to the community
to promote further research in the area.
DEFEATING MOVING ELEMENTS
IN HIGH SECURITY KEYS
Saturday at 16:30 in Track 4
45 minutes | Tool, Exploit
Bill Graydon
Principal, Physical Security Analytics, GGR Security
A recent trend in high security locks is to add
a moving element to the key: this prevents
casting, 3D printing and many other forms of
unauthorised duplication. Pioneered by the Mul-
T-Lock Interactive locks, we see the technique
used in recent Mul-T-Lock iterations, the Abloy
Protec 2 and most recently, the Medeco M4,
which is only rolling out to customers now.
We have identified a major vulnerability in this
technology, and have developed a number of
techniques to unlock these locks using a key made
from a solid piece of material, which defeats all of
the benefits of an interactive key. I’ll demonstrate
how it can be applied to Mul-T-Lock Interactive,
Mul-T-Lock MT5+ and the Medeco M4, allowing
keys to be duplicated by casting, 3D printing
and more. I’ll also cover other techniques
to defeat moving elements in a key, such as
printing a compliant mechanism and printing a
captive element directly. With this talk, we’re
also releasing a web application for anyone to
generate 3D printable files based on this exploit.
Finally, I’ll also discuss the responsible disclosure
process, and working with the lock manufacturers
to patch the vulnerability and mitigate the risk.
WHY DID YOU LOSE THE
LAST PS5 RESTOCK TO A
BOT TOP-PERFORMING APP-
HACKERS BUSINESS MODULES,
ARCHITECTURE, AND
TECHNIQUES
Saturday at 16:30 in Track 2
45 minutes
Arik
Threat Intelligence Researcher, PerimeterX
The rise of the machines.
Whenever you are buying online, especially if it’s a
limited stock item, you are competing against Bots
and lose miserably. Even when you are asleep,
there’s a 14% chance that a bot trying to log
into one of the 200+ digital accounts you own.
Your mom called to say someone from her bank
ask for 4 digit SMS? It was an OTP bot.
Malicious automation is here to stay as it serves
tens of thousands of hackers and retail scalpers and
drives billions of dollars worth of marketplaces.
During my talk, we will deep dive into
the most fascinating architecture, business
modules, and techniques top-performing
of account crackers and retail bots use to
maximize their success rate and revenue.
HACKING THE FARM: BREAKING
BADLY INTO AGRICULTURAL
DEVICES.
Saturday at 17:00 in Track 1
45 minutes | Demo, Tool, Exploit
Sick Codes
Hacker
Hacking the farm. In this session, I’ll demonstrate
tractor-sized hardware hacking techniques,
firmware extraction, duplication, emulation,
and cloning. We’ll be diving into how the inner
workings of agricultural cyber security; how such
low-tech devices are now high-tech devices. The
“connected farm” is now a reality; a slurry of
EOL devices, trade secrets, data transfer, and
overall shenanigans in an industry that accounts
for roughly one-fifth of the US economic activity.
We’ll be discussing hacking into tractors, combines,
cotton harvesters, sugar cane and more.
SATURDAY
INTERNAL SERVER ERROR:
EXPLOITING INTER-PROCESS
COMMUNICATION WITH
NEW DESYNCHRONIZATION
PRIMITIVES
Saturday at 17:00 in Track 3
45 minutes | Demo, Tool, Exploit
Martin Doyhenard
Security Researcher at Onapsis
In this talk I will show how to reverse engineer
a proprietary HTTP Server in order to leverage
memory corruption vulnerabilities using high level
HTTP protocol exploitation techniques. To do so, I
will present two critical vulnerabilities, CVE-2022-
22536 and CVE-2022-22532, which were found
in SAP’s proprietary HTTP Server, and could be
used by a remote unauthenticated attacker to
compromise any SAP installation in the world.
First, I will explain how to escalate an error in
the request handling process to Desynchronize
data buffers and hijack every user’s account with
Advanced Response Smuggling. Furthermore, as the
primitives of this vulnerability do not rely on header
parsing errors, I will show a new technique to persist
the attack using the first Desync botnet in history.
This attack will prove to be effective even in an
“impossible to exploit” scenario: without a Proxy!
Next I will examine a Use-After-Free in the shared
memory used for Inter-Process Communication. By
exploiting the incorrect deallocation, I will show
how to tamper messages belonging to other TCP
connections and take control of all responses using
Cache Poisoning and Response Splitting theory.
Finally, as the affected buffers could
also contain IPC control data, I will
explain how to corrupt memory address
pointers and end up obtaining RCE.
BLACK-BOX ASSESSMENT OF
SMART CARDS
Saturday at 17:30 in Track 4
45 minutes | Demo, Tool
Daniel Crowley
Head of Research, X-Force Red
You probably have at least two smart cards in
your pockets right now. Your credit card, and
the SIM card in your cell phone. You might also
have a CAC, metro card, or the contactless key
to your hotel room. Many of these cards are
based on the same basic standards and share
a common command format, called APDU.
73
 PR3S3NTATI0NS
This talk will discuss and demonstrate how even
in the absence of information about a given
card, there are a series of ways to enumerate the
contents and capabilities of a card, find exposed
information, fuzz for input handling flaws, and
exploit poor authentication and access control.
CROSSING THE KASM -- A
WEBAPP PENTEST STORY
Saturday at 17:30 in Track 2
45 minutes | Exploit
Samuel Erb
Hacker
Justin Gardner
Full-time Bug Bounty Hunter
In this talk we will tell the story of an insane exploit
we used to compromise the otherwise secure
KASM Workspaces software. KASM Workspaces
is enterprise software for streaming virtual
workstations to end users built on top of Docker.
This talk will span python binary RE, header
smuggling, configuration injection, docker
networking and questionable RFC interpretation.
We hope to show you a little bit of what
worked and a lot a bit of what didn’t work
on our quest to exploit this heisenbug.
THE CSRF RESURRECTIONS! EMULATION-DRIVEN REVERSE-
STARRING THE UNHOLY TRINITY: ENGINEERING FOR FINDING
SERVICE WORKER OF PWA, VULNS
Sunday at 11:00 in Track 2
SAMESITE OF HTTP COOKIE, 45 minutes | Demo, Tool
AND FETCH atlas
Saturday at 18:00 in Track 3
45 minutes | Demo, Tool
Dongsung Kim
IT-Security Expert, Truesec
CSRF is (really) dead. SameSite killed it.
Browsers protect us. Lax by default!
Sounds a bit too good to be true, doesn’t it? We
live in a world where browsers get constantly
updated with brand new web features and new
specifications. The complexity abyss is getting
wider and deeper. How do we know web
technologies always play perfectly nice with each
other? What happens when something slips?
In this talk, I focus on three intertwined web
features: HTTP Cookie’s SameSite attribute,
PWA’s Service Worker, and Fetch. I will start
by taking a look at how each feature works
in detail. Then, I will present how the three
combined together allows CSRF to be resurrected,
bypassing the SameSite’s defense. Also, I will
demonstrate how a web developer can easily
74
introduce the vulnerability to their web apps when
utilizing popular libraries. I will end the talk by
sharing the complex disclosure timeline and the
difficulty of patching the vulnerability due to the
interconnected nature of web specifications.
DIGITAL SKELETON KEYS - WE’VE
GOT A BONE TO PICK WITH
OFFLINE ACCESS CONTROL
SYSTEMS
Saturday at 18:30 in Track 4
20 minutes | Demo, Tool, Exploit
Miana E Windall
Software Development Engineer
Micsen
Software developer, Installer, And much more!
Offline RFID systems rely on data stored within the
key to control access and configuration. But what if a
key lies? What if we can make the system trust those
lies? Well then we can do some real spooky things…
This is the story of how a strange repeating
data pattern turned into a skeleton key
that can open an entire range of RFID
access control products in seconds.
chief pwning officer, 0fd00m c0rp0ration
do your eyes hurt? is your brain aching? is
your pain caused from too much deciphering
difficult assembly (or decompiled C) code?
assembly can hurt, C code can be worse.
partial emulation to the rescue!
let the emulator walk you through the code,
let it answer hard questions/problems you
run into in your reversing/vuln research.
this talk will introduce you the power of emulator-
driven reversing. guide your RE with the help of
an emulator (one that can survive limited context),
emulate code you don’t want to reverse, be better,
learn more, be faster, with less brain-drain.
make no mistake, RE will always have room
for magicians to show their wizardry...
but after this talk, you may find yourself
a much more powerful wizard.
 SATURDAY/SUNDAY
EXPLOITATION IN THE ERA OF
FORMAL VERIFICATION: A PEEK
AT A NEW FRONTIER WITH
ADACORE/SPARK
Sunday at 11:00 in Track 1
45 minutes | Demo
Adam ʻpi3’ Zabrocki
Principal System Software Engineer (Offensive Security) at NVIDIA
Alex Tereshkin
Principal Offensive Security Researcher at NVIDIA
For decades, software vulnerabilities have remained
an unsolvable security problem regardless of years
of investment in various mitigations, hardening
and fuzzing strategies. In the last years there have
been moves to formal methods as a path toward
better security. Verification and formal methods can
produce rigorous arguments about the absence
of the entire classes of security bugs, and are a
powerful tool to build highly secure software.
AdaCore/SPARK is a formally defined programming
language intended for the development of
high integrity software used in systems where
predictable and highly reliable operation is crucial.
The formal, unambiguous, definition of SPARK
allows a variety of static analysis techniques to
be applied, including information flow analysis,
proof of absence of run-time exceptions, proof
of termination, proof of functional correctness,
and proof of safety and security properties.
In this talk we will dive-into AdaCore/SPARK, cover
the blind spots and limitations, and show real-
world vulnerabilities which we met during my work
and which are still possible in the formally proven
software. We will also show an exploit targeting
one of the previously described vulnerabilities.
SAVE THE ENVIRONMENT
(VARIABLE): HIJACKING
LEGITIMATE APPLICATIONS WITH
A MINIMAL FOOTPRINT
Sunday at 11:00 in Track 3
45 minutes | Demo, Tool
Wietze Beukema
Threat Detection & Response at CrowdStrike
DLL Hijacking, being a well-known technique
for executing malicious payloads via trusted
executables, has been scrutinised extensively,
to the point where defensive measures are
in a much better position to detect abuse. To
bypass detection, stealthier and harder-to-
detect alternatives need to come into play. In
this presentation, we will take a closer look at
how process-level Environment Variables can be
abused for taking over legitimate applications.
Taking a systemic approach, we will demonstrate
that over 80 Windows-native executables are
vulnerable to this special type of DLL Hijacking.
As this raises additional opportunities for User
Account Control (UAC) bypass and Privilege
Escalation, we will discuss the value and further
implications of this technique and these findings.
STRACE - A DTRACE ON
WINDOWS REIMPLEMENTATION.
Sunday at 11:00 in Track 4
45 minutes | Demo, Tool
Stephen Eckels
II’ll document the kernel tracing APIs in modern
versions of windows, implemented to support
Microsofts’ port of the ʻDTrace’ system to windows.
This system provides an officially supported
mechanism to perform system call interception
that is patchguard compatible, but not secure boot
compatible. Alongside the history and details of
DTrace this talk will also cover a C++ and Rust
based reimplementation of the system that I call
STrace. This reimplementation allows users to write
custom plugin dlls which are manually mapped to
the kernel address space. These plugins can then
log all system calls, or perform any side effects
before and after system call execution by invoking
the typical kernel driver APIs – if desired.
DEFAULTS - THE FAULTS.
BYPASSING ANDROID
PERMISSIONS FROM ALL
PROTECTION LEVELS
Sunday at 12:00 in Track 4
45 minutes | Demo, Exploit
Nikita Kurtin
Hacker
Exploring in depth the android permission
mechanism, through different protection levels.
Step by step exploitations techniques that
affect more than 98% of all Android devices
including the last official release (Android 12).
In this talk I reveal a few different techniques that I
uncovered in my research, which can allow hackers
to bypass permissions from all protection levels in
any Android device, which is more than 3 billion
active devices according to the google official stats.
These vulnerabilities enable the hacker to
bypass the security measures of android, by
abusing default (built in) services and get
access to abilities and resources which are
protected by permission mechanism.
75
 PR3S3NTATI0NS
Some vulnerabilities are partially fixed, others won’t
be fixed as google considers as intended behavior.
In this talk I’ll survey the different vulnerabilities,
and deep dive into a few of different exploitations.
Finally, I’ll demonstrate how those techniques
can be combined together to create real life
implications and to use for: Ransomware,
Clickjacking, Uninstalling other apps and more,
completely undetected by security measures.
PREAUTH RCE CHAINS ON AN
MDM: KACE SMA
Sunday at 12:00 in Track 3
45 minutes | Demo, Exploit
Jeffrey Hofmann
Security Engineer at Nuro
MDM solutions are, by design, a single point of
failure for organizations. MDM appliances often
have the ability to execute commands on most of
the devices in an organization and provide an
“instant win” target for attackers. KACE Systems
Management Appliance is a popular MDM choice
for hybrid environments. This talk will cover the
technical details of 3 preauthentication RCE as
root chains on KACE SMA and the research steps
taken to identify the individual vulnerabilities used.
TAKING A DUMP IN THE CLOUD
Sunday at 12:00 in Track 2
45 minutes | Demo, Tool
Melvin Langvik
Security Consultant, TrustedSec Targeted Operations
Flangvik
Taking a Dump In The Cloud is a tale of countless
sleepless nights spent reversing and understanding
the integration between Microsoft Office resources
and how desktop applications implement them. The
release of the TeamFiltration toolkit, connecting all
the data points to more effectively launch attacks
against Microsoft Azure Tenants. Understanding the
lack of conditional access for non-interactive logins
and how one can abuse the magic of Microsofts
OAuth implementation with Single-Sign-On to
exfiltrate all the loot. Streamlining the process of
account enumeration and validation. Thoughts
on working effectively against Azure Smart
Lockout. Exploring options of vertical movement
given common cloud configurations, and more!
76
THE CALL IS COMING FROM
INSIDE THE CLUSTER: MISTAKES
THAT LEAD TO WHOLE CLUSTER
PWNERSHIP
Sunday at 12:00 in Track 1
45 minutes | Demo
Dagan Henderson
Principal / RAFT
Will Kline
Senior Principal / Dark Wolf Solutions
Kubernetes has taken the DevOps world by storm,
but its rapid uptake has created an ecosystem
where many popular solutions for common
challenges—storage, release management,
observability, etc.—are either somewhat immature
or have been “lifted and shifted” to Kubernetes.
What critical security smells can pentesters look
for when looking at the security of a cluster?
We are going to talk through five different
security problems that we have found (and
reported, no 0-days here) in popular open-
source projects and how you can look for
similar vulnerabilities in other projects.
ELECTROVOLT: PWNING
POPULAR DESKTOP APPS WHILE
UNCOVERING NEW ATTACK
SURFACE ON ELECTRON
Sunday at 13:00 in Track 3
45 minutes | Demo, Exploit
Aaditya Purani
Senior Security Engineer, Tesla
Max Garrett
Application Security Auditor, Cure53
Electron based apps are becoming a norm
these days as it allows encapsulating web
applications into a desktop app which is
rendered using chromium. However, if Electron
apps load remote content of attackers choice
either via feature or misconfiguration of Deep
Link or Open redirect or XSS it would lead
to Remote Code Execution on the OS.
Previously, it was known that lack of certain
feature flags and inefficiency to apply best
practices would cause this behavior but we have
identified sophisticated novel attack vectors
within the core electron framework which could
be leveraged to gain remote code execution
on Electron apps despite all feature flags being
set correctly under certain circumstances.
This presentation covers the vulnerabilities
found in twenty commonly used Electron
applications and demonstrates Remote Code
Execution within apps such as Discord,
Teams(local file read), VSCode, Basecamp,
Mattermost, Element, Notion, and others.
The speaker’s would like to thank Mohan
Sri Rama Krishna Pedhapati, Application
Security Auditor, Cure53 and William Bowling,
Senior Software Developer, Biteable for
their contributions to this presentation.
LESS SMARTSCREEN MORE
CAFFEINE – CLICKONCE (AB)USE
FOR TRUSTED CODE EXECUTION
Sunday at 13:00 in Track 1
45 minutes | Demo, Tool
Steven Flores
Senior Consultant at SpecterOps
Nick Powers
Consultant at SpecterOps
Initial access payloads have historically had limited
methods that work seamlessly in phishing campaigns
and can maintain a level of evasion. This payload
category has been dominated by Microsoft Office
types, but as recent news has shown, the lifespan
of even this technique is shortening. A vehicle for
payload delivery that has been greatly overlooked
for initial access is ClickOnce. ClickOnce is
very versatile and has a lot of opportunities for
maintaining a level of evasion and obfuscation.
In this talk we’ll cover methods of bypassing
Windows controls such as SmartScreen, application
whitelisting, and trusted code abuses with ClickOnce
applications. Additionally, we’ll discuss methods
of turning regular signed or high reputation
.NET assemblies into weaponized ClickOnce
deployments. This will result in circumvention of
common security controls and extend the value of
ClickOnce in the offensive use case. Finally, we’ll
discuss delivery mechanisms to increase the overall
legitimacy of ClickOnce application deployment in
phishing campaigns. This talk can bring to attention
the power of ClickOnce applications and code
execution techniques that are not commonly used.
SUNDAY
RINGHOPPER – HOPPING FROM
USER-SPACE TO GOD MODE
Sunday at 13:00 in Track 2
45 minutes | Demo, Exploit
Jonathan Lusky
Security Research Team Lead, Intel
Benny Zeltser
Security Researcher, Intel
The SMM is a well-guarded fortress that holds
a treasure – an unlimited god mode. We
hopped over the walls, fooled the guards,
and entered the holy grail of privileges.
An attacker running in System Management
Mode (SMM) can bypass practically any security
mechanism, steal sensitive information, install
a bootkit, or even brick the entire platform.
We discovered a family of industry wide TOCTOU
vulnerabilities in various UEFI implementations
affecting more than 8 major vendors making
billions of devices vulnerable to our attack.
RingHopper leverages peripheral devices that
exist on every platform to perform a confused
deputy attack. With RingHopper we hop from
ring 3 (user-space) into ring -2 (SMM), bypass all
mitigations, and gain arbitrary code execution.
In our talk, we will deep-dive into this class of
vulnerabilities, exploitation method and how it
can be prevented. Finally, we will demonstrate
a PoC of a full exploitation using RingHopper,
hopping from user-space into SMM.
THE JOURNEY FROM AN
ISOLATED CONTAINER TO
CLUSTER ADMIN IN SERVICE
FABRIC
Sunday at 13:00 in Track 4
45 minutes | Demo, Exploit
Aviv Sasson
Principal security researcher, Palo Alto Networks
Service Fabric is a scalable and reliable
container orchestrator developed by Microsoft.
It is widely used in Microsoft Azure as well as in
Microsoft’s internal production environments as
an infrastructure for containerized applications.
Developing a container orchestrator is not an easy
task as it involves harnessing many technologies
in a complicated and distributed environment.
This complexity can ultimately lead to security
issues. Such security issues can impose a critical
risk since compromising an infrastructure allows
attackers to escalate their privileges and take over
an entire environment quickly and effectively.
77
 PR3S3NTATI0NS
In this session, Aviv will share his research on
Service Fabric and his journey of escalating from
an isolated container to cluster admin. He will go
through researching the code and finding a zero-
day vulnerability, explaining his exploitation process
in Azure Service Fabric offering while dealing with
race conditions and other limitations, and explain
how it all allowed him to break out of his container
and HyperV virtual machine to later gain full
control over the underlying Service Fabric cluster.
In the end, he will share his thoughts on security in
the cloud and his concerns on cloud multitenancy.
SOLANA JIT: LESSONS FROM
FUZZING A SMART-CONTRACT
COMPILER
Sunday at 14:00 in Track 4
45 minutes | Demo, Tool
Thomas Roth
Solana is a blockchain with a $37 billion dollar
market cap with the security of that chain relying
on the security of the smart contracts on the chain
- and we found very little research on the actual
execution environment of those contracts. In contrast
to Ethereum, where contracts are mostly written
in Solidity and then compiled to the Ethereum
Virtual Machine, Solana uses a different approach:
Solana contracts can be written in C, Rust, and
C++, and are compiled to eBPF. Underneath the
hood, Solana uses rBPF: A Rust BPF implementation
with a just-in-time compiler. Given the security
78
history of eBPF in the Linux kernel, and the lack
of previous public, low-level Solana research, we
decided to dig deeper: We built Solana reverse-
engineering tooling and fuzzing harnesses as
we slowly dug our way into the JIT - eventually
discovering multiple out-of-bounds vulnerabilities.
CONTEST CLOSING
CEREMONIES & AWARDS
Sunday at 14:00 in Track 3
75 minutes
Grifter
DEF CON, Contests & Events
DEF CON Contest & Events Awards,
come find out who won what!!
DEF CON CLOSING CEREMONIES
& AWARDS
Sunday at 15:30 in Tracks 1 & 2
Till it ends
The Dark Tangent
DEF CON
DEF CON Closing Ceremonies & Awards,
the Uber Black badges are awarded to the
winners of CTF and several other contests that
earned a Black badge for DEF CON 30! We
will wrap up the con, say thanks where it’s
due, and acknowledge special moments.
79
 D3M0 LABS
AADINTERNALS: THE ULTIMATE
AZURE AD HACKING TOOLKIT
Nestori Syynimaa
Friday from 14:00 – 15:55 in Committee
AADInternals is an open-source hacking toolkit for
Azure AD and Microsoft 365, having over 14,000
downloads from the PowerShell gallery. It has over
230 different functions in 15 categories for various
purposes. The most famous ones are related to
Golden SAML attacks: you can export AD FS token
signing certificates remotely, forge SAML tokens,
and impersonate users w/ MFA bypass. These
techniques have been used in multiple attacks during
the last two years, including Solorigate and other
NOBELIUM attacks. AADInternals also allows you
to harvest credentials, export Azure AD Connect
passwords and modify numerous Azure AD / Office
365 settings not otherwise possible. The latest update
can extract certificates and impersonate Azure
AD joined devices allowing bypassing device based
conditional access rules. https://o365blog.com/
aadinternals/ https://attack.mitre.org/software/S0677
Audience: Blue teamers, red teamers, administrators, wannabe-hackers,
etc.
ACCESS UNDENIED ON AWS
Noam Dahan
Friday from 10:00 – 11:55 in Caucus
Access Undenied on AWS analyzes AWS
CloudTrail AccessDenied events – it scans the
environment to identify and explain the reasons
for which access was denied. When the reason
is an explicit deny statement, AccessUndenied
identifies the exact statement. When the reason is
a missing allow statement, AccessUndenied offers
a least-privilege policy that facilitates access.
Audience: Cloud Security, Defense.
AWSGOAT : A DAMN
VULNERABLE AWS
INFRASTRUCTURE
Jeswin Mathai, Sanjeev Mahunta
Friday from 14:00 – 15:55 in Caucus
Compromising an organization’s cloud infrastructure is
like sitting on a gold mine for attackers. And sometimes,
a simple misconfiguration or a vulnerability in web
applications, is all an attacker needs to compromise
the entire infrastructure. Since cloud is relatively
new, many developers are not fully aware of the
threatscape and they end up deploying a vulnerable
cloud infrastructure. When it comes to web application
pentesting on traditional infrastructure, deliberately
80
vulnerable applications such as DVWA and bWAPP
have helped the infosec community in understanding
the popular web attack vectors. However, at this point
in time, we do not have a similar framework for the
cloud environment. In this talk, we will be introducing
AWSGoat, a vulnerable by design infrastructure on
AWS featuring the latest released OWASP Top 10
web application security risks (2021) and other
misconfiguration based on services such as IAM,
S3, API Gateway, Lambda, EC2, and ECS. AWSGoat
mimics real-world infrastructure but with added
vulnerabilities. The idea behind AWSGoat is to provide
security enthusiasts and pen-testers with an easy
to deploy/destroy vulnerable infrastructure where
they can learn how to enumerate cloud applications,
identify vulnerabilities, and chain various attacks to
compromise the AWS account. The deployment scripts
will be open-source and made available after the talk.
Audience: Cloud, Ofference, Defense
AZUREGOAT: DAMN
VULNERABLE AZURE
INFRASTRUCTURE
Nishant Sharma, Rachna Umraniya
Friday from 12:00 – 13:55 in Committee
Microsoft Azure cloud has become the second-largest
vendor by market share in the cloud infrastructure
providers (as per multiple reports), just behind
AWS. There are numerous tools and vulnerable
applications available for AWS for the security
professional to perform attack/defense practices,
but it is not the case with Azure. There are far fewer
options available to the community. AzureGoat
is our attempt to shorten this gap by providing
a ready-to-deploy vulnerable setup (vulnerable
application + misconfigured Azure components +
multiple attack paths) that can be used to learn/
teach/practice Azure cloud environment pentesting.
Audience: Cloud, Offence, Defense
BADRATS: INITIAL ACCESS MADE
EASY
Kevin Clark, Dominic “Cryillic” Cunningham
Friday from 14:00 – 15:55 in Society
Remote Access Trojans (RATs) are one of the defining
tradecraft for identifying an Advanced Persistent
Threat. The reason being is that APTs typically leverage
custom toolkits for gaining initial access, so they
do not risk burning full-featured implants. Badrats
takes characteristics from APT Tactics, Techniques,
and Procedures (TTPs) and implements them into
a custom Command and Control (C2) tool with a
focus on initial access and implant flexibility. The key
goal is to emulate that modern threat actors avoid
loading fully-featured implants unless required, instead
opting to use a smaller staged implant. Badrats
implants are written in various languages, each with
a similar yet limited feature set. The implants are
designed to be small for antivirus evasion and provides
multiple methods of loading additional tools, such
as shellcode, .NET assemblies, PowerShell, and shell
commands on a compromised host. One of the most
advanced TTPs that Badrats supports is peer-to-
peer communications over SMB to allow implants to
communicate through other compromised hosts.
Audience: Offense
CYBERPEACE BUILDERS
Adrien Ogee
Friday from 14:00 – 15:55 in Accord
The CyberPeace Builders are pro hackers who
volunteer to help NGOs improve their cybersecurity.
Through a portal that I’ll demo, hackers can access
a variety of short engagements, from 1 to 4 hours,
to provide targeted cybersecurity help to NGOs
on topics ranging from staff awareness to DMARC
implementation, password management and
authentication practices, breach notification, OSINT
and dark web monitoring, all the way to designing
a cyber-related poster for the staff, reviewing their
privacy policy and cyber insurance papers. The
programme is the world’s first and only skills-based
volunteering opportunity for professionals in the
cybersecurity industry; it has been prototyped over
2 years, was launched in July 2021 and is now being
used by over 60 NGOs worldwide, ultimately helping
to protect over 350 million vulnerable people and
$500 million in funds. I’ll demo the platform, show the
type of help NGOs need and explain how NGOs and
security professionals can leverage the programme.
Audience: Security professionals, NGOs
EMBA - OPEN-SOURCE
FIRMWARE SECURITY TESTING
Michael Messner, Pascal Eckmann
Friday from 12:00 – 13:55 in Council
Penetration testing of current embedded devices
is quite complex as we have to deal with different
architectures, optimized operating systems and special
protocols. EMBA is an open-source firmware analyzer
with the goal to simplify, optimize and automate
the complex task of firmware security analysis.
Audience: Offense (penetration testers) and defense (security team and
developers).
FISSURE: THE RF FRAMEWORK
Christopher Poore
Friday from 10:00 – 11:55 in Council
FISSURE is an open-source RF and reverse engineering
framework designed for all skill levels with hooks for
signal detection and classification, protocol discovery,
attack execution, IQ manipulation, vulnerability analysis,
automation, and AI/ML. The framework was built to
promote the rapid integration of software modules,
radios, protocols, signal data, scripts, flow graphs,
reference material, and third-party tools. FISSURE is a
workflow enabler that keeps software in one location
and allows teams to effortlessly get up to speed while
sharing the same proven baseline configuration for
specific Linux distributions. The framework and tools
included with FISSURE are designed to detect the
presence of RF energy, understand the characteristics
of a signal, collect and analyze samples, develop
transmit and/or injection techniques, and craft custom
payloads or messages. FISSURE contains a growing
library of protocol and signal information to assist
in identification, packet crafting, and fuzzing. Online
archive capabilities exist to download signal files and
build playlists to simulate traffic and test systems.
Audience: RF, Wireless, SDR, Offense, Defense
MERCURY
David McGrew, Brandon Enright
Friday from 12:00 – 13:55 in Society
Mercury is an open source package for network
metadata extraction and analysis. It reports session
metadata including fingerprint strings for TLS, QUIC,
HTTP, DNS, and many other protocols. Mercury
can output JSON or PCAP. Designed for large
scale use, it can process packets in real time at
40Gbps on server-class commodity hardware,
using Linux native zero-copy high performance
networking. The Mercury package includes tools
for analyzing PKIX/X.509 certificates and finding
weak keys, and for analyzing fingerprints with
destination context using a naive Bayes classifier.
Audience: Network defense, incident response, forensics, security and
privacy research
PACKET SENDER
Dan Nagle
Friday from 12:00 – 13:55 in Accord
Packet Sender is a free open-source (GPLv2) cross-
platform (Windows, Mac, Linux) tool used daily by
security researchers, college students, and professional
developers to troubleshoot and reverse engineer
network-based devices. Its core features are crafting
and listening for UDP, TCP, and SSL/TLS packets via IPv4
81
 D3M0 LABS
or IPv6. It can listen simultaneously on any number of
ports while sending to any UDP, TCP, SSL/TLS packet
server. It is available for direct download or through
the Winget, Homebrew, Debian, or Snap repos.
Audience: Offensive, Defensive, Developers, Testers
PCILEECH AND MEMPROCFS
Ulf Frisk, Ian Vitek
Friday from 14:00 – 15:55 in Council
The PCILeech direct memory access attack toolkit was
presented at DEF CON 24 and quickly became popular
amongst red teamers and game hackers alike. We will
demonstrate how to take control of still vulnerable
systems with PCIe DMA code injection using affordable
FPGA hardware and the open source PCILeech
toolkit. MemProcFS is memory forensics and analysis
made super easy! Analyze memory by clicking on files
in a virtual file system or by using the API. Analyze
memory dump files or live memory acquired using
drivers or PCILeech PCIe FPGA hardware devices.
Audience: Offense, Defense, Forensics, Hardware
THEALLCOMMANDER
Matthew Handy
Friday from 10:00 – 11:55 in Accord
TheAllCommander is an open-source tool which offers
red teams and blue teams a framework to rapidly
prototype and model malware communications, as well
as associated client-side indicators of compromise.
The framework provides a structured, documented,
and object-oriented API for both the client and
server, allowing anyone to quickly implement a novel
communications protocol between a simulated malware
daemon and its command and control server. For
Blue Teamers, this allows rapid modeling of emerging
threats and comprehensive testing in a controlled
manner to develop reliable detection models. For Red
Teamers, this framework allows rapid iteration and
development of new protocols and communications
schemes with an easy to use Python interface. The
framework has many tools or techniques used by red
teams built in, such as a SOCKS5 proxy, which then
use the implemented communication scheme. This
allows comprehensive testing of the detection and
functional capability of the communication scheme,
allowing for efficient design and development choices
to be made before committing to production tool
development. To facilitate this goal, TheAllCommander
includes a Java based command and control server
with a simple API to allow new plug-ins for server-
side control. There is a python-based emulation
client, which can be easily extended using the API
to allow new client side communications code.
Several reference implementations for covert
malware communication are provided to allow
82
out-of-the-box modeling, including emulated
client browser HTTPS traffic, DNS queries, and
email traffic. The tool chain includes support for
several common Red Team tactics, such as Remote
Desktop tunneling and FODHelper UAC bypass.
This implementation effectively generates both client
side and network traffic indicators of compromise.
Audience: Offense, Defense
VAJRA - YOUR WEAPON TO
CLOUD
Raunak Parmar
Friday from 10:00 – 11:55 in Committee
Vajra (Your Weapon to Cloud) is a framework
capable of validating the cloud security posture of the
target environment. In Indian mythology, the word
Vajra refers to the Weapon of God Indra (God of
Thunder and Storms). Because it is cloud-connected,
it is an ideal name for the tool.Vajra supports multi-
cloud environments and a variety of attack and
enumeration strategies for both AWS and Azure. It
features an intuitive web-based user interface built
with the Python Flask module for a better user
experience. The primary focus of this tool is to have
different attacking and enumerating techniques all in
one place with web UI interfaces so that it can be
accessed anywhere by just hosting it on your server.
The following modules are currently available:
• Azure
- Attacking
1. OAuth Based Phishing (Illicit Consent
Grant Attack)
- Exfiltrate Data
- Enumerate Environment
- Deploy Backdoors
- Send mails/Create Rules
2. Password Spray
3. Password Brute Force W
- Enumeration
1. Users
2. Subdomain
3. Azure Ad
4. Azure Services
- Specific Service
1. Storage Accounts
• AWS
- Enumeration
1. IAM Enumeration
2. S3 Scanner
 - Misconfiguration
Audience: Security Professional Cloud Engineer
WAKANDA LAND
Stephen Kofi Asamoah
Friday from 12:00 – 13:55 in Caucus
Wakanda Land is a Cyber Range deployment tool
that uses terraform for automating the process of
deploying an Adversarial Simulation lab infrastructure
for practicing various offensive attacks. This project
inherits from other people’s work in the Cybersecurity
Community, to which I have added some additional
sprinkles to their work from my other research. The
tool deploys the following for the lab infrastructure
(of course, more assets can be added): -Two Subnets
-Guacamole Server --This provides dashboard access to
--Kali GUI and Windows RDP instances The Kali GUI,
Windows RDP and the user accounts used to log into
these instances are already backed into the deployment
process --To log into the Guacamole dashboard with
the guacadmin account, you need to SSH into the
Guacamole server using the public IP address (which is
displayed after the deployment is complete) and then
change into the guacamole directory and then type
cat .env for the password (the guacadmin password
is randomly generated and saved as an environment
variable) -Windows Domain Controller for the Child
Domain (first.local) -Windows Domain Controller for
the Parent Domain (second.local) -Windows Server
in the Child Domain -Windows 10 workstation in
the Child Domain -Kali Machine - a directory called
toolz is created on this box and Covenant C2 is
downloaded into that folder, so its just a matter of
running Covenant once you are authenticated into Kali
-Debian Server serving as Web Server 1 - OWASP’s
Juice Shop deployed via Docker -Debian Server
serving as Web Server 2 - Vulnerable web apps
Audience: Offensive - Defensive - Any Cybersecurity enthusiasts
ZUTHAKA: A COMMAND &
CONTROLS (C2S) INTEGRATION
FRAMEWORK
Lucas Bonastre, Alberto Herrera
Friday from 10:00 – 11:55 in Society
The current C2s ecosystem has rapidly grown in
order to adapt to modern red team operations
and diverse needs (further information on C2
selection can be found here). This comes with a lot of
overhead work for Offensive Security professionals
everywhere. Creating a C2 is already a demanding
task, and most C2s available lack an intuitive and
easy to use web interface. Most Red Teams must
independently administer and understand each C2
in their infrastructure. Zuthaka presents a simplified
API for fast and clear integration of C2s and provides
a centralized management for multiple C2 instances
through a unified interface for Red Team operations. A
collaborative free open-source Command & Control
development framework that allows developers to
concentrate on the core function and goal of their C2.
Zuthaka is more than just a collection of C2s, it is also
a solid foundation that can be built upon and easily
customized to meet the needs of the exercise that
needs to be accomplished. This integration framework
for C2 allows developers to concentrate on a unique
target environment and not have to reinvent the
wheel. After we first presented Zuthakas’ MVP at
Black hat USA 2021 and DEFCON demo labs, we are
now presenting the first release with updated post-
exploitation modules to support text based modules,
as well as file based ones. With a lab populated of
commonly used C2s and its out-of-the-box integrations.
Audience: Red team operators, wishing a centralized place to handle all
C2s instances. C2 developers, wishing to save the effort of writing the
Frontend. Hackers, wishing a strong infrastructure to run C2s.
ALSANNA
Jason Johnson
Saturday from 12:00 – 13:55 in Accord
alsanna is a command-line based intercepting proxy
for arbitrary TCP traffic. It includes built-in support
for decrypting TLS streams, and allows editing the
stream as it passes over the network. It is deliberately
lightweight and documented to help hackers who
need to modify its behavior. This demo will
include live instances of the tool which can be
used by visitors, live support for anyone looking to
learn how to use alsanna, and a short on-demand
walkthrough for visitors, covering how the tool
works and what you need to know to modify it.
Audience: Researchers, reverse engineers, pentesters, bug bounty hunters
CONTROL VALIDATION
COMPASS – THREAT MODELING
AIDE & PURPLE TEAM CONTENT
REPO
Scott Small
Saturday from 14:00 – 15:55 in Caucus
Control Validation Compass (“Control Compass”)
provides a needed public resource that enables
cyber security teams to actually operationalize
MITRE ATT&CK for its best purpose: prioritized
control validation. Control Compass unites tens
of thousands of detection rules, offensive security
scripts, and policy recommendations from 60+ open
sources – all aligned with MITRE ATT&CK – into the
83
 D3M0 LABS
largest single, continuously updated reference library
for such content, wrapped in an easily searchable
interface. This saves defenders, red teamers, and
intel & GRC analysts serious time & effort when
researching content for purple teaming efforts (aka
control validation). Like its input components and
sources, Control Compass resource sets are openly
available to all, no strings attached. Control Compass
supports a powerful second use case informed by its
author’s experience advising security & intelligence
teams across maturity levels: the tool also provides
a library of unique, openly available threat landscape
summaries organized by key adversary categories,
including motivation, location, and victim industry.
By enabling easy identification of relevant threat
intelligence – and a simple UI-based workflow to
instantly surface corresponding security controls –
Control Compass greatly lowers the barrier to building
accurate, intelligence-driven threat models and helps
drive tighter control validation feedback loops around
the threats that matter most to a given organization.
Audience: Intelligence analysts, SOC/blue team/defenders, red team/
adversary emulation, GRC analysts
DEFENSIVE 5G
Eric Mair, Ryan Ashley
Saturday from 12:00 – 13:55 in Council
In this work we developed a 4.5G/5G network using
only commercial off the shelf (COTS) hardware and
open-source software to serve as test-infrastructure
for studying vulnerabilities in 5G networks. We are
using software defined networking (SDN) tools such as
Faucet and Dovesnap and software defined radio(SDR)
capabilities such as Open5gs and srsRAN along with
Docker Containers to facilitate the rapid and reliable
setup and configuration of network topologies that
can be used to represent the 5G networks that we
intend to test. By having a configurable and repeatable
mechanism that could be shared among multiple users
with differing hardware setups we were able to test
5G network configurations in a variety of ways and
have those results validated by other team members.
Audience: Network Defense and Attack, 5G, Software Defined Radio and
Infrastructure-as-Code.
EDR DETECTION MECHANISMS HLS4ML - OPEN SOURCE
AND BYPASS TECHNIQUES WITH MACHINE LEARNING
EDRSANDBLAST ACCELERATORS ON FPGAS
Thomas Diot, Maxime Meignan
Saturday from 10:00 – 11:55 in Society
EDRSandBlast is a tool written in C that implements
and industrializes known as well as original bypass
techniques to make EDR evasion easier during
adversary simulations. Both user-land and kernel-land
84
EDR detection capabilities can be bypassed, using
multiple unhooking techniques and a vulnerable signed
driver to unregister kernel callbacks and disable the
ETW Threat Intelligence provider. Since the initial
release, multiple improvements have been implemented
in EDRSandBlast: it is now possible to use this toolbox
as a library from another attacking tool, new bypasses
have been implemented, the embedded vulnerable
driver is now interchangeable to increase stealthiness
and the use of a pre-built offsets database is no more
required! Come discover our tool and its new features,
learn (or teach us!) something about EDRs and discuss
about the potential improvements to this project.
Audience: Offense, Defense, Windows, EDR
EMPIRE 4.0 AND BEYOND
Vincent “Vinnybod” Rose, Anthony
W“Cx01N” Rose
Saturday from 10:00 – 11:55 in Accord
Empire is a Command and Control (C2) framework
powered by Python 3 that supports Windows, Linux,
and macOS exploitation. It has evolved significantly
since its introduction in 2015 and has become one
of the most widely used open-source C2 platforms.
Starting life as PowerShell Empire and later merging
in Empyre, Empire is now a full-fledged .NET C2
leveraging PowerShell, Python, C#, and Dynamic
Language Runtime (DLR) agents. It offers a flexible
modular architecture that links Advanced Persistent
Threats (APTs) Tactics, Techniques, and Procedures
(TTPs) through the MITRE ATT&CK database. The
framework aims to provide a flexible and easy-to-
use interface to easily incorporate a wide array of
tools into a single platform for red team operations
to emulate APTs. This presentation will explore
our most recent upgrades in Empire 4.0, including
C# and IronPython agents, Customizable Bypasses,
Malleable HTTP C2, Donut Integration, Beacon
Object File (BoF), and much more. In addition,
our team will be giving a preview of Empire 5.0
and its features. The most exciting of these being
the brand-new web client (Starkiller 2.0) and v2
API, which will be released later this year.
Audience: Offense
Ben Hawks, Andres Meza
Saturday from 14:00 – 15:55 in Council
Born from the high energy physics community at the
Large Hadron Collider, hls4ml is an open-source Python
package for machine learning inference in FPGAs
(Field Programmable Gate Arrays). It creates firmware
implementations of machine learning algorithms by
translating traditional, open-source machine learning
package models into optimized high level synthesis
C++ that can then be customized for your use case
and implemented on devices such as FPGAs and
Application Specific Integrated Circuits (ASICs). Hls4ml
can easily scale the implementation of a model to take
advantage of the parallel processing capabilities that
FPGAs offer, not only allowing for low latency, high
throughput designs, but also designs sized to fit on
lower cost, resource constrained hardware. Hls4ml also
supports generating accelerators with different drivers
that build minimal, self-contained implementations
which enable control via Python or C/C++ with
little extra development or hardware expertise.
Audience: Hardware, AI, IoT, FPGA
INJECTYLL-HIDE: PUSHING
THE FUTURE OF HARDWARE
IMPLANTS TO THE NEXT LEVEL
Jonathan Fischer, Jeremy Miller
Saturday from 10:00 – 11:55 in Council
Enterprises today are shifting away from dedicated
workstations, and moving to flexible workspaces
with shared hardware peripherals. This creates
the ideal landscape for hardware implant attacks;
however, implants have not kept up with this shift.
While closed source, for-profit solutions exist and
have seen some recent advances in innovation, they
lack the customization to adapt to large targeted
deployments. Open-source projects exist but focus
more on individual workstations (dumb keyboards/
terminals) relying on corporate networks for remote
control. Our solution is an open source, hardware
implant which adopts IoT technologies, using non-
standard channels to create a remotely managed
mesh network of hardware implants. Attendees will
learn how to create a new breed of open-source
hardware implants. Topics covered in this talk include
the scaling of implants for enterprise takeover, creating
and utilizing a custom C2 server, a reverse shell that
survives screen lock, and more. They will also leave
with a new platform from which to innovate custom
implants. Live demos will be used to show these new
tactics against real world infrastructure. This talk builds
off of previous implant talks but will show how to
leverage new techniques and technologies to push the
innovation of hardware implants forward evolutionarily.
Audience: Offense and Red Teams with a focus on a hardware approach
MEMFINI - A SYSTEMWIDE
MEMORY MONITOR INTERFACE
FOR LINUX
Shubham Dubey, Rishal Dwivedi
Saturday from 10:00 – 11:55 in Caucus
Surprisingly, memory related events logging has been
ignored by monitoring tool’s authors since a long
time. There are multiple event loggers present for
Linux that are capable of monitoring processes, i/o
operations, function calls or whole systemwide events.
But something which lacks in most is global monitoring
of memory related events like allocation, attachment
to a shared memory, memory allocation in foreign
process etc. This has many applications in security
domain or even software engineering in general. The
main area of focus or use case for Memfini is to assist
Security professionals for carrying out memory specific
Dynamic Malware Analysis, in order to help them
in finding indicators for malicious activities without
reversing the behavior. Below listed are few of the use
cases (which we will also be demonstrating in the talk).
• Process Injection
• Fileless malware execution
• Shellcode Execution
• Malicious shared memory usage
On the other hand, it can also be helpful for
Software developers, who wish to have an
eagle eye on the memory allocations
• Finding Memory Leaks
• Error detection for debugging purposes.
This is possible as Memfini is capable of monitoring
memory allocations on User space, Kernel space
as well as some under looked allocations like PCI
device mapping, DMA allocations etc. It provides a
command line interface with multiple filters, allowing
a user to interact with the logs generated & get the
required data. Currently, the user will be able to filter
the events by individual process, type of access etc.
Audience: Defensive security(Malware researcher, IR/Forensics) and
Offensive security(memory based vulnerability discovery)
OPENTDF
Paul Flynn, Cassandra Bailey
Saturday from 14:00 – 15:55 in Accord
OpenTDF is an open source project that
provides developers with the tools to build data
protections natively within their applications
using the Trusted Data Format (TDF).
Audience: AppSec, Defense, Mobile, IoT
85
 D3M0 LABS
PMR - PT & VA MANAGEMENT &
REPORTING
Abdul Alanazi, Musaed Bin Muatred
Saturday from 12:00 – 13:55 in Committee
PMR (PTVA Management & Reporting) is an open-
source collaboration platform that closes the gap
between InfoSec Technical teams and Management in all
assessment phases, from planning to reporting. Technical
folks can focus on assessment methodology planning,
test execution ,and engagement collaboration. Whereas
management can plan engagements, track progress,
assign testers, monitor remediation status, and escalate
SLA breaches, this is an All-in-One fancy dashboard.
The main features are: A) *Asset Management*
which allows IT asset inventory tracking with system
owner contacts. B) *Engagements Management &
Planning* that enable security testers to follow a
test execution roadmap by creating a new testing
methodology or follow execution standards such as
NIST, PTES or OWASP. It definitely will keep pentesting
engagements and projects more professional. Also, it
enables collaborative testing, gathering information
and evidence uploading. C) *Report Automation*
that automates boring tasks such as writing technical
reports and validation reports. Generating a PDF
report that is ready to share with clients and
management can be accomplished with one-click. D)
*All-in-One Dashboard* that will keep executives
and management up-to-date with the organization’s
security posture. The dashboard components are:
- High level of current vulnerabilities.
- Engagement progress.
- Remediation Status.
- Track SLA breaches.
- Monitoring risk exceptions.
Audience: Security professionals, Vulnerability Analysts , AppSec, Offense,
Risk Management
RESIDUEFREE
Logan Arkema
Saturday from 14:00 – 15:55 in Committee
ResidueFree is a privacy-enhancing tool that allows
individuals to keep sensitive information off their
device’s filesystem. It takes on-device privacy
protections from TAILS and “incognito” web browser
modes and applies them to any app running on a
user’s regular operating system, effectively making
the privacy protections offered by TAILS more usable
and accessible while improving the on-device privacy
guarantees made by web browsers and extending
them to any application. While ResidueFree currently
runs on Linux, its maintainers are hoping to port it
to other operating systems in the near future. In
86
addition, ResidueFree can help forensic analysts
and application security engineers isolate filesystem
changes made by a specific application. The same
implementation ResidueFree uses to ensure that any
file changes an application makes are not stored to
disk can also be used to isolate those changes to a
separate folder without impacting the original files.
Audience: ResidueFree was primarily developed for individuals facing
privacy threats that can access the information stored on the individualsʼ
device. However, this presentation is also designed for security trainers
that want to expand the tools they can suggest as well as for privacy
engineers interested in contributing to ResidueFree or expanding it to more
commonly used operating systems. ResidueFree also has features built for
malware or forensic analysts, application security engineers, or others who
wish to easily isolate an applicationʼs changes to a deviceʼs filesystem with
a simple tool.
SHARPSCCM
Chris Thompson, Duane Michael
Saturday from 12:00 – 13:55 in Society
SharpSCCM is a post-exploitation tool designed to
leverage Microsoft Endpoint Configuration Manager
(a.k.a. ConfigMgr, formerly SCCM) for lateral
movement from a C2 agent without requiring access
to the SCCM administration console. SharpSCCM
supports lateral movement functions ported from
PowerSCCM and contains additional functionality to
abuse newly discovered attack primitives for coercing
NTLM authentication from local administrator and
SCCM site server machine accounts in environments
where automatic client push installation is enabled.
SharpSCCM can also dump information about the
SCCM environment from a client, including domain
credentials for Network Access Accounts. Further, with
access to an SCCM administrator account, operators
of SharpSCCM can execute code as SYSTEM or coerce
NTLM authentication from the currently logged-in
user or the machine account on any SCCM client.
Audience: Offense, Defense, System Administrators
SVACHAL + MACHINESCLI
Ankur Tyagi
Saturday from 10:00 – 11:55 in Committee
Writeups for CTF challenges and machines are a
critical learning resource for our community. For the
author, it presents an opportunity to document their
methodology, tips/tricks and progress. For the audience,
it serves as reference material. Oftentimes, authors
switch roles and become the audience to learn from
their own work. This demo aims to showcase tools,
svachal and machinescli, developed with these insights.
These work in conjunction to help users curate their
learning in .yml structured files, find insights and
query this knowledge base as and when needed.
Audience: Offense/Defense
UNBLOB - TOWARDS EFFICIENT
FIRMWARE EXTRACTION
Quentin Kaiser, Florian Lukavsky
Saturday from 12:00 – 13:55 in Caucus
Unblob is a command line extraction tool to
obtain content from any kind of binary blob. It has
been initially developed for the sound and safe
extraction of arbitrary firmware images. It has
been built as a modular framework where anyone
can develop and submit new format handlers and
extractors. Its public version already supports a large
number of filesystems, archive, and compression
formats: https://github.com/onekey-sec/unblob
Audience: Reverse Engineers, Embedded Security
XAVIER MEMORY ANALYSIS
FRAMEWORK
Solomon Sonya
Saturday from 14:00 – 15:55 in Society
Malware continues to advance in sophistication. Well-
engineered malware can obfuscate itself from the user
and the OS. Volatile memory is the unique structure
malware cannot evade. I have engineered a new
construct for memory analysis and a new open-source
tool that automates memory analysis, correlation, and
user-interaction to increase investigation accuracy,
reduce analysis time and workload, and better detect
malware presence from memory. This talk demos a
new visualization construct that creates the ability to
interact with memory analysis artifacts. Additionally,
this talk demos new, very impactful data XREF and
a system manifest analysis features. Data XREF
provides an index and memory context detailing
how your search data is coupled with processes,
modules, and events captured in memory. The System
Manifest distills the analysis data to create a new
memory analysis snapshot and precise identification of
malicious artifacts detectable from malware execution
especially useful for exploit dev and malware analysis!
Audience: Malware Analysts/Software Reverse Engineers Exploit
Developers CTF Subject Matter Experts Incident Responders Digital
Forensics Examiners Offense & Defense

CONNECT
Official Sites U.S. Social Media
Website: https://defcon.org Twitter: https://twitter.com/defcon

DEF CON Media: https://media.defcon.org Facebook: https://facebook.com/defcon/

DEF CON Groups: https:/defcongroups.org Instagram: https://www.instagram.com/

wearedefcon/
DEF CON Forums: https:/forum.defcon.org
Reddit:http://www.reddit.com/r/defcon

Download the presentation materials

and more from the DEF CON media server
at:
https://media.defcon.org/DEF CON 30/

87
 V3ND0RS
BOARD SOURCE
Boardsource sells custom keyboard kits designed for
programmers, geeks, hackers, or anyone who spends a
lot of time in a text editor. Products range from entry-level
solderable kits and electrical components to products that
are ready to use out of the box. Come by the booth to
test out some keyboards and see what we have to offer!

CAPITOL TECHNOLOGY
UNIVERSITY
Capitol Technology University, an independent, non-
profit university in Maryland, is laser-focused on STEM
careers and gives students the hands-on, real-world
experience they need to enter today’s tech job market.
With one of the best cybersecurity programs in the
nation, Capitol is a CAE institution. Most recently,
Capitol was awarded a two-year grant from the NSA to
lead the CAE Northeast Regional Hub, which includes
14 states, the District of Columbia, and hundreds
of institutions offering cybersecurity programs.

CARNEGIE MELLON
UNIVERSITY
Deepen your technical knowledge and secure competitive
salaries at the Information Networking Institute (INI),
a department within the highly ranked College of
Engineering at Carnegie Mellon University (CMU).
We offer master’s degrees in information networking,
security and mobile and IoT engineering, with a variety
of study options so you can customize your program.

CRYPTOCURRENCY HACKERS
Experience modern finance technology first hand by
visiting the Cryptocurrency Hackers stand at the Defcon
vendor area. We distribute items relating to a number
of projects including Monero, Bitcoin, Ethereum, and
others. Show your cryptohacker colours with high
quality wearables and custom badges. Try new devices
and electronics, with access to the designers on site.
Inform yourself of cryptocurrency science by exploring
our infocard display rack. Our stand is your one stop
shop for cryptocurrency hacker items and information.

88
 EFF
EFF is the leading defender of online civil liberties.
We promote innovator rights, defend free speech,
fight illegal surveillance, and protect rights and
freedoms as our use of technology grows.

GIRLS HACK VILLAGE

Girls Hack Village is designed to highlight the
contributions and experiences of girls in cybersecurity.
Women are underrepresented in cybersecurity and
our goal is to highlight the female experience in the
industry. Women are traditionally underrepresented at
many cybersecurity conferences and Girls Hack Village
will give attendees the opportunity to learn about
cybersecurity and hacking in a gender-friendly place.

HACKER WAREHOUSE
HACKER WAREHOUSE is your one stop shop for hacking
equipment. We understand the importance of tools and
gear which is why we carry only the highest quality gear
from the best brands in the industry. From RF Hacking to
Hardware Hacking to Lock Picks, we carry equipment that
all hackers need. Check us out at HackerWarehouse.com.

HACKERBOXES
HackerBoxes is the monthly subscription box for hardware
hacking, DIY electronics, cybersecurity, and hacker
culture. Each monthly HackerBox includes a carefully
curated collection of projects, components, modules,
tools, supplies, and exclusive items. HackerBox hackers
connect online as a community of experience, support,
and ideas. Your HackerBox subscription is like having
a tiny hacker convention in your mailbox every month.

HACKERS FOR CHARITY

Hackers for Charity’s mission is to provide technical
cyber support to other non-profits and charities. Our
efforts focus on those organizations without internal
help desks or other technical support. As a technical
enabler, HFC empowers those non-profits and charities
to succeed at their mission. HFC provides the breadth
of cyber services and disaster relief, from basic help
desk to threat hunting to incident remediation.

89
 V3ND0RS
HAK5
Discover the devices that have found their way into
the hearts and tool-kits of the modern hacker. Notable
for ease of use. Celebrated by geek culture. From
comprehensive WiFi audits to covert network implants and
physical access mayhem - Hak5 Gear gets the job done.

HOTWAN
HotWAN is selling the “Pen Test Assistant” and the
“Boot Monkey”. The Assistant is Pen Test attack box
used in Red Teaming, Penetration Testing and Hardware
Hacking. It can be used as a drop box, pivot box
or C2. The “Boot Monkey” provides remote access
to the local laptop power button. This addresses
laptop freezes. Physical touch for Power on, power
off. Hard resets for laptops. It can also be used as a
laptop jiggler to prevent screensavers occuring.

KEYPORT
Keyport® combines keys, pocket tools, & smart
tech into one secure everyday multi-tool. We will
be selling our latest modular product line (co-
branded DEFCON 30 Editions) including the
Keyport Pivot, Modules, Inserts, and accessories.

MISCREANTS
Miscreants is a creative agency working with cybersecurity
clients. Besides our design work, we’re creating clothing
heavily influenced by streetwear and security culture,
looking to document the past, present, and future of
cybersecurity history. As a brand, we strive to deliver
original pieces that belong in your closet for decades.

NO STARCH PRESS
No Starch Press has been publishing the finest in
Geek Entertainment since 1994 and we’re glad to
be back! We have so many new books to show you
and even a new death metal t-shirt. Everything is
discounted. Come by and meet some of our editors
and our founder, Bill Pollock, before he loses his
voice. We look forward to seeing all of you again!

90
 OWASP
As the world’s largest non-profit organization
concerned with software security, OWASP:

- Supports the building of impactful projects;

- Develops & nurtures communities through events

and chapter meetings worldwide; and

- Provides educational publications & resources

In order to enable developers to write better

software, and security professionals to make
the world’s software more secure.

PHYS SEC VILLAGE STORE

The Physical Security Village (formerly Lock Bypass
Village) will be present in the vendor area too this
year, loaded with physical hacking gear! We will have
bypass tools, common keyed-alike keys, handcuffs,
village swag, and more. We’ll have hands-on exhibits
in the Village area where you can go and try out
your new toys right away, without ever leaving DEF
CON! Whether you’re new to hacking the physical
world, or a seasoned pro, we’re sure we’ll have
something for your needs (or at least… something you
really want but totally don’t need). All proceeds go
towards the cost of putting on the village each year.

SCAM STUFF
Scam Stuff is gear for the Modern Rogue:
magic tricks, lock picking, puzzle boxes, spy
gear, novelty items, and more! If it’s designed
to get you ahead in life, you’ll find it here.

SHADOWVEX
Purveyors of limited edition clothing, music, art and
hacker culture. From stickers to unique NFT Art and
0-day limited edition swag just for DEF CON 30. Follow
the music in the vending area to find our booth!

91
 V3ND0RS
THE CALYX INSTITUTE
The Calyx Institute is a member-supported non-profit
privacy research organization. We host Tor exit nodes,
operate a free VPN service and are developing a
privacy and security focused Mobile phone operating
system, CalyxOS. Become a member and you could
get great free membership premiums such as a 5G
or 4G mobile hotspot with unlimited un-throttled
& un-capped mobile data for a year, or a Google
Pixel phone with CalyxOS pre-installed on it.

THE TOR PROJECT

The Tor Project is a nonprofit developing free and
open source software to protect people from tracking,
censorship, and surveillance online. Tor’s mission is to
advance human rights and freedoms by creating and
deploying free and open source anonymity and privacy
technologies, supporting their unrestricted availability
and use, and furthering their scientific and popular
understanding. Stop by our table to learn more, pick
up some gear, and find out how you can get involved.

TOOOL
The Open Organisation Of Lockpickers is back as
always, offering a wide selection of tasty lock goodies
for both the novice and master lockpicker! A variety
of commercial picks, handmade picks, custom designs,
practice locks, handcuffs, cutaways, and other neat
tools will be available for your perusing and enjoyment!
Stop by our table for interactive demos of this fine
lockpicking gear or just to pick up a T-shirt and show
your support for locksport. All sales exclusively benefit
Toool, a 501(c)3 non-profit organization. You can
purchase picks from many fine vendors, but ours is
the only table where you know that 100% of your
money goes directly back to the hacker community.

XCAPE, INC.
Looking for reliable drop boxes, do you need 2.4
& 5 GHz wireless auditing? Looking for a reliable
and secure bastion host? Check out the Xcape
Booth for the gear we use, make, and sell.

92
 ZERO TIER
ZeroTier (https://www.zerotier.com) enables users
to deploy and maintain secure peer-to-peer overlay
networks. Already supporting millions of devices globally,
and with a proud open-source heritage, ZeroTier provides
unrivaled ease of connectivity and management for
modern networking use cases. ZeroTier is trusted by
professionals worldwide in industries including Infosec,
IT, Cloud, Telecommunications, IoT, Manufacturing,
Media, Automotive, Aerospace, and Defense.

BOOK SIGNINGS
FRIDAY SATURDAY
11am - Craig Smith, The Car Hacker’s NOON - Corey Ball, Hacking APIs
Handbook
1pm - Joe Gray, Practical Social Engineering
NOON - Jasper van Woudenberg,
Hardware Hacking Handbook 2pm - Jon DiMaggio, The Art of Cyberwarfare

1pm - Fotios Chantzis, Paulino Calderon,

& Beau Woods, Practical IoT Hacking

2pm -Travis Goodspeed, PoC or GTFO

Volume 3

93
 MAPS

LINQ Third Floor

SKYTALKS
Up 2nd Escalators in the BLOQ (5th Floor)
ROGUES
VILLAGE
Connection A Connection B Evolution
INFO BOOTH
Social Square

RECON
Social VILLAGE CHILLOUT
SOCIAL ENGINEERING
A B C
COMMUNITY
Showroom

94
 FLAMINGO EXECUTIVE CONFERENCE CENTER

LOWER LEVEL

BRYCE ZION
VALLEYDATA
OF LAKE HARDWARE
FIRE II MEAD II RED ROCK
HACKING
DUPE Escalator/
Stairs
VI
VII
VIII
VILLAGE
VALLEYVILLAGE
OF LAKE
FIRE I MEAD I

CRYPTO & SOLDERING

PRIVACY Vista INFO BOOTH SKILLS
I II III VILLAGE
IV
VILLAGE RED ROCK

ADVERSARY VILLAGE
SUNSET BALLROOM
Scenic
CLOUD VILLAGE Banquet
Kitchen
APPSEC VILLAGE
Twilight
BIC VILLAGE
Elevators

RegistrationDesk
INFO BOOTH

I
CHILL
RENO
II
CORPORATE CONVENTION CENTER
I

LAUGHLIN
BIOII Third floor

HACKING
VILLAGE
III
ROOFTOP
INFO BOOTH
CHILLOUT
Garden View
Elevators HAM alators
l t
Escalators
GIRLS

VILLAGE
HACK

MEMORIAL

IIIIII
VIRGINIA CITY RED TEAM Savoy
CHILLOUT

Eldorado CARSON CITY MESQUITE

Foyer
VILLAGE Foyer
ROOM

I II

Elevators
RADIO FREQUENCY
ELDORADO BALLROOM Banquet BLUE TEAM
VILLAGE Kitchen VILLAGESAVOY

95
 THANK Y0U!
The Dark Tangent would like to thank everyone who supports
DEF CON and the hacking community. DEF CON is possible
because of all the hard work from the people who make up
the following departments: CFP Review, Contests and Events,
DCTV, Defacement, DEF CON Groups, Demo Labs, Discord
DevOps, Dispatch, Entertainment, Forums, Hackers With
Disabilities, Infobooth, Inhuman Registration, Infrastructure,
Parties, Photo Corps, Press, Production, Policy@DEFCON,
QM Stores, Registration, the SOC, Speaker Ops, DEF CON
Store, Vendor, Villages, and Workshops.
Over 1,100 Goons, Creators, and speakers came together to
organize and made DEF CON 30 happen!
Thank you to the HQ staff for adapting as plans kept shifting:
Bill, Cayce, Cot, Darington, Janet, Jeff, Neil, Nikita, and
Will. Everyone had to deal with last minute changes and
remain flexible in a year where decisions are being made
last minute.
Thank you to the badge designers, MK Factor, for a fantastic
second year designing the badge and keeping it fresh with a
human to human connection. Thank you to Zebbler Studios
for designing the great badge stations and head to head
music competitions.
A special Thanks to Coastwide Promotions, The Source of
Knowledge, Black Hat, and Caesars Entertainment - You
have all been fantastic to work with and have gone above
and beyond this past year.
Thank you everyone! The 30th year milestone is amazing
and you made it happen!
-The Dark Tangent
ARTS & ENTERTAINMENT:
ChrisAM would like to thank everyone responsible for this
year’s entertainment & decor: Krisz Klink, Great Scott, Zziks,
dead, CTRL, stitch, davesbase, ch0wn35, Trotfox5, C0njur3r,
HiveQueen, sven, Zebbler Studios, SomaFM, Mobius,
Imagine Stage Lighting, and all the DJs and artists who
donated their time and talent to this event.
CONTENT:
Nikita would like to thank The Dark Tangent, Alex and
the DC30 Content Reviewers for Talks and Workshops:
AlxRogan, Anullvalue, Ash, Beaker, carnal0wnage, Suggy,
Claviger, CyberSulu, DaKahuna, Dead Addict, Deanna,
Dino, efffn, LawyerLiz, HighWiz, Jay Healy, Magen Wu,
Malware Unicorn, Marcia Hoffman, Medic, n00bz, Roamer,
Pwcrack, SecBarbie, Shaggy, SinderznAshes, Snow, Solstice,
Vyrus, Yan, Zfasel, Zoz. Massive thanks to Dept Leads, mad
props to Janet, Neil, Bestie, Rick Astley, Buggins & Squish.
CONTESTS:
Grifter would like to thank all of the creators and
coordinators of the multitude of contests and events at
DEF CON 30. The time, effort, and passion that goes into
your events does not go unnoticed, and the entertainment
you bring not only to the contestants, but to the general
attendees and overall atmosphere of DEF CON is hugely
appreciated, so thank you, thank you, thank you. A
huge thanks also goes to the C&E Goons for making sure
things go off without a hitch and for putting out fires when
they’re still just smoldering, so thank you to stumper, saltr,
heisenberg, apexxor, secove, rugger, gomer, rcu83d, zero3,
psychoticide, p0lr, CyDefe, V3rbaal, H4r0ld, Kaybz, and
Ell o Punk; this wouldn’t be possible without you. Big thanks
96
to the Dark Tangent, Janet, Darrington, and Will...and of
course a massive thanks to Nikita, our light in the storm,
without whom we would truly be lost.
DESIGN AND DEFACEMENT:
Neil would like to give a big shout out to the Defacement
Team: Medic, S4mG0ld, BigSam, xaphan and p0sterboy
for their hard work keeping you on track and aware of your
surroundings. Huge thanks to Sleestak and Nikita for support
on the printed program, and CotMan for getting all the
details online. Finally, to all the department leads who got
me everything I needed on time to make this book, it was
tight, I know, but thank you.
DEVOPS:
Riverside and Fox would like to thank all of the DevOps
goons:
Ari, BSE, cstone, Lightning, mauvehed, mcmayhem, mubix,
Nebberz, NightWolf, respondo, TCMBC, thephreak,
VoltageSpike.
A shout out to the Packet Hacking Village team for being the
bot beta testers year round.
DCTV:
Thanks to all the members of our team. Alex, GhostPepper,
Hanna, Sandwich, Tuna, skw33k, and Videoman.
DEF CON GROUPS:
DEF CON Groups (April, Casey, Jayson, Sleestak, 800xl,
and Brent) offer our sincerest gratitude to DT, Nikita, and
Will for their continued support and amazingness throughout
the year! Massive thanks to our amazing AltspaceVR event
volunteers: Giglio, Xray, Charmander, AldeBaran, TX, Drip,
and Scribbles, who created and manage a truly incredible
virtual DC experience. We would also like to give thanks
and recognition to all of our global DCGs for their awesome
work being local ʻhacker ambassadors’; Every DCG is
an example of the great things we can do when we come
together with endless curiosity and the willingness to share
our knowledge for the benefit of all. Each and every global
DCG makes the world better through bits, bytes, wires,
solder, and a lot of heart. Find your local community on
defcongroups.org! *HUGS* to you all! <3
DEMOLABS:
Heisenberg would like to thank Nikita and DT for help with
the selection process, and a shout out to Grifter and the
other Contest Goons for help during the con. A big shout
out to all the folks in the community who submitted demos for
Demolabs - this could not happen without you!
DISPATCH:
RF and Ahab would like to thank the Dispatch Goons:
AsmodianX, Taclane, Archangel, Fosgood, L0G1C, Rixon,
w00k, dymz, miggles, dirtclod, dll3ma, Offroad, Merg,
skyria, TheKillerSpud, Goon22, yosg, and Treble.
FORUMS:
The DEF CON Forums and all the DEF CON Servers wish
to thank Jeff Moss Jeff for giving them meaningful purpose
in service to DEF CON and the DEF CON Community: they
all fight for the users! Cotman thanks Cayce, Darington,
Janet, Jeff, Neil, Nikita, and Will for being so easy to
work with and tolerating my need to be specific and
explicit with details. Thanks to staff/goon from various
departments for getting me ToDo from all the organizers
of CVE-W-2022-08_11-14 (Contests, Villages, Events,
Workshops for 2022 ;-) in each department necessary
to populate the forums with details about each: Nikita,
Magen, Paydreaux, Zantdoit, Grifter. Thanks to info.defcon.
org peeps: Seth, Caleb, and others that work Info booth
and department for your work on the box to keep people
informed. Thanks to the DevOps team working on our
Discord server: Riverside, Ari, cstone, Lightning, Fox, Mubix,
Nightwolf, Respondo, ThePhreak, Mauvehed, Nebberz, BSE,
VoltageSpike, and mcmayhem. Thanks to all of DEF CON
attendees for working with each other to make DEF CON an
enjoyable experience for everyone. :-)
INHUMAN REG:
Inhuman Registration would like to thank Cstone, Undertaker,
Will, Nikita, Janet, Wendy, KC, McMayhem, Cylon, 50ph33
and all the department heads for putting up working with us.
NOC:
effffn, mac and DEF CON would like to thank the
indefatigable NOC team for their hard work.
Sparky, booger, CRV, c0mmiebstrd, Dp1i, c7five, Jon2,
deadication, musa, wish, johntitor, MikeD, Toph and strange
do a great job and work long hours so you can internetz.
Lastly, a huge thank you to Phil, Kevin, Mable and the whole
Caesars IT and Encore staff for going above and beyond to
make our lives easier.
NFO BOOTH:
Littlebruzer and Littleroo would like to thank all of the NFO
goons: 0tter, 50 Caliber, Aask, algorythm, ARI, BLu3f0x,
Boudica, Bufo Alvarius, Cheshire, Commrade, D1Gger,
dL@w, Hankashyyyk, jimi2x, Krav, Lo, madstringer, Magpie,
MajorMayhem, Nav, Nymphaea Caerulea, Parenthetical,
Paul, PEZHead, Razzies, ReloadRtr, S747IK, Sanchez,
SchematicAddict, securityfirst, SmileFiles, Smo0otchy,
Sparkle, and Viva. A shout out to the Apps and Web team:
”Advice, aNullValue, derail, and l4wke for their hard work
on the mobile applications and the web site. A special shout
to MajorMayhem for all the helping out in a PM capacity
and keeping the team on track.The entire NFO team would
like to thank DT, Nikita, Janet, Will, Neil, and the rest of
the HQ team. Without your support, we would not have
this great conference. Thank you humans for the interesting
questions and allowing us to tell you where to go and how
to get there.
PARTIES:
0x58 would like to thank all of the parties that bring the
noise and fun, and the meetups that bring people together
face to face while in Las Vegas. Nikita and Janet, couldn’t
do it without you! And a thanks to my small team of boots on
the ground: Rickglass, s3gfault, sylv3on_, and Sage!
POLICY:
Beau and Matt want to give a huge thank you to all the
people who helped make the Policy Department possible
this year, including Winnona, Cathy Gellis, Moniru, Sarah
Powazek, Lin Wells, Linda Wells, Duck Duck, Harley, Roro,
Trey, Stew, Will, LawyerLiz, Ayan, AlexK, Mosfet, PWCrack,
Nikita, Janet, William Leonard, Neil, Wednesday, and Zant.
And especially everyone in the hacker and public policy
communities who act as voices of reason to help each other
get more technical and public policy literate.
PRESS:
Thank you to all the journalists, bloggers, and podcasters
who contribute to building & documenting our community
experiences! Over the years, it has become ever more
apparent how important it is to be able to laugh at and learn
from our collective history. A special thanks to the Press
Goons who make it all possible: Claire, Jeff, and Sean. <3@
Wednesday & Monika
PRODUCTION & HOTEL:
Thanks to the Production Team members Bill, Janet, Ira,
Proctor, Sparkles, Cybnew, Scout and Delchi for their tireless
efforts doing <redacted>. Thanks to Cannibal, Silk, AJ702,
and Amanda for their photo magic. Janet would like to
thank all of you, department leads, goons, and everyone in
between. Without you, this could not happen.
QUARTERMASTER:
Quartermasters Stores is brought to you this year by
the letter Q and the number Seven. ETA is August 11th,
assuming no Major Malfunction or failopen. It will be good
to back in the SunSh1ne hanging with the YoungBlood in the
Helium rich atmosphere, but of course keeping an eye out for
any Buttersnatcher or sp1kedshell at the Multigrain buffet.
shell-e, Drimacus, alizarinMegalodon, SP3ZN45, Nanook,
Pthamm, QBot, Cell Wizard and The Saint, I’m sorry but I
just can’t keep this up, lol. Thank you all for being our sisters
and brothers and keeping the shiny shiny!
REGISTRATION:
cstone from Human Registration would like to thank
everyone on SOC, QM, Swag, IHR, the Admin team, and
the reg goons: 0x90ebfe, Chimera, Crackerjack, funnyguy,
holmestrix, indigo, Jup1t3r, Model-A, Phear, Pozer, Prophet,
qumqats, Temtel, Undertaker, and wra1th.
SOC:
Cjunky and tacitus would like to thank: stealth, JulietBravo,
OIFhax, th0m4s, StellarDrift, kruger, Junior, George,
Si, Rose, nohackme, Gretchen, M0rph1x, Arc, Mouse,
DoktorMayhem, Faz, Rez, John Doll, Rubi, Skiznotic,
kerbear, arcon, Sif, SAGE, pr0ph37, cymike, Ada Zebra,
Echo Sixx, mauvehed, do2er, TRINITY, 0r3g0n V1x3n,
CarpeDiemT3ch, motsu, Andibrat, nesquik, Chof, G00dn1t3,
cocktail, Vaidu, Wham, mattrix, NextInLine, Chosen1, Hattori
Hanzo, Thirsty Goat, rand0h, duckie, polish dave, sl3dge,
ZephrFish, shuu, bm0nkey, prec0re, Randy_Waterhouse,
anna, LabRat, WHITE CHRIS, Colonel Ghona, Las0mbra,
wilnix, Scrimshaw, Priest, Glasswalk3r, zombie, Lady
Chaos, Siviak, Geekspeed, skroo, Nothingness, 4chtung,
Baybe Doll, timball, Ast0r, Logkiller, WhiteBrd, TBD, Alice
Kalli, Yaga, BeaMeR, whiskey, Strandloper, milkyline,
Kitty, Wreaktifier, MIM, SystM_Ov3rL04d, BMP51, deelo,
AlphaKilo, Br1ck, Sumdunce, Zerorez, Sonicos, Cherno,
Synn, St1ngray, Havoc, zerofux, JusticeStorm, Radio Active,
Judo, stan, redoubt, Plasma, Zulu, Sami, hamster, Heylel,
HoneyBadger, Mr. M, Binarywishes, Infojanitor, Strider,
Krassi, Wasted, Red, n1cfury, Jbone, dr.kaos, cRusad3r,
DrFed, and all retired SOC Goons. Pax Per Imperium.
SPEAKER OPS:
pwcrack would like to thank the Speaker Operations staff for
another year of great service to DEF CON and its speakers.
These goons are #s0sayw3all, Agent X, archwisp, Bushy,
CLI, Code24, Crash, DaKahuna, Flattire, g8, Gattaca,
gdead, Goekesmi, idontdrivecars, Jinx, Jur1st, Jutral, K-hole,
kampf, kylef, MaltLiquor, manchmod, Milhouse, Mnky,
97
 THANK Y0U!
notkevin, Pardus, Pasties, phliKtid, RoundRiver, Shadow, Paydreaux, Raze, Respondo, Sven, Trixie, Tuh-kah-kus, Void_
SIGAD, squirrel, stikk, SurrealKill3r, triw0lf, TruBluFan, star, Zachadakka, (Virtual) Cybersulu, Eddie the Yeti, and
usako, Vaedron and, as always, AMFYOYO! Woodpeka THANKS for all your time, help, and hard work!!
Villages would not be possible without it.
VENDORS:
Kevin would like to say thanks to the whole Vendor team
WORKSHOPS:
for being awesome as usual (special thanks to Fivepenny, Magen and Sinderz would like to thank our Workshop
the Vendor 2nd!). Thanks to all the DEF CON departments. goons: mav, BinaryBuddha, LawyerLiz, Integgroll, Dave,
Thanks for all the vendors that came to DEF CON 30! And Beaker, Fallible, Jen and Joel Cardella, Chrissy, adamO,
the attendees who give us all their money. And of course and RandomInterrupt; the Workshop Review Board and the
thank you to Janet, DT, and all of the DEF CON staff! instructors for all of the time and energy they volunteered
for the community; and the teams who support us before
VILLAGES: and during the show (DT, Nikita, Neil, Janet, Will, Cotman,
Darrington, QM, NOC, and SOC).
Zantdoit would like to thank Hony and F4ux for their
support as leads for each of the hotels. There is no way I
would be able to do this without you. BIG thanks to DVS
and Paydreaux for taking care of the village forums and
Discord... keeping them up to date and organized.
Zant, Hony, and F4ux, and the village team want to thank
all the Village leads and organizers for everything they do
to make DEF CON a huge success by bringing great villages
and content here for us to experience. Thanks to DEVOPS for
getting all the village channels organized up and running!
Thanks: Amlazar, Athena, Broozer, clutch, config, Curtis,
DVS, Furb, griff, Grimfodr, Hunny, Kralik, Margraf, Monster,

INFOCON IS A COMMUNITY SUPPORTED, NON-COMMERCIAL ARCHIVE OF ALL THE

PAST HACKING RELATED CONVENTION MATERIAL THAT CAN BE FOUND.
CONVENTIONS, SKILLS, RAINBOW TABLES, HACKER DOCUMENTARIES, PODCASTS.
AND MORE ALL AVAILABLE FOR DIRECT DOWNLOAD OR AS TORRENTS.
HOW BIG? 262K FILES, 16.4T!

98