top of page

Recon Village is back @ DEFCON 32

📍 Las Vegas Convention Center, 🗓️ 9th, 10th and 11th August 2024

Call For Papers: OPENING SOON

Call for Volunteers: OPENING SOON

An Open Space with Talks, Live Demos, Workshops, Discussions, CTFs with a common focus on Reconnaissance.

Talks

We have hosted some great talks in the past from some amazing speakers. Check out the interesting talks around OSINT and Recon.

Read More >

Contests

We host contests like Jeopardy style CTF, Hackathon, etc. and use these as a tool to promote learning and hands on exercises.

Read More >

Tools

Many tools have been presented/launched in the past at Recon Village and we have finally compiled a list of these tools.

Read More >

Recon Village - DEF CON 31 Talks

DEF CON 31 Recon Village  - Berk Can Geyikci - Finding Hidden Gems In Temporary Mail Services

DEF CON 31 Recon Village - Berk Can Geyikci - Finding Hidden Gems In Temporary Mail Services

In today's world, where temporary mail services are widely used, our project aims to monitor these services according to the provided configuration and to discover valuable gems. For this research, we developed a command and control Python tool. This tool is hosted on our private Amazon server. So, what does this tool do? It constantly scans the most popular temporary mail services (yopmail, tempr.email, dispostable, guerrila, maildrop) and indexes the emails delivered to them based on specified keywords. The tool then notifies us via Telegram using the integrated Telegram API. This tool has been running on our server for about a year and has stored, and continues to store, more than 1 million emails. In our research, we analyzed these emails, the types of emails sent through these services, and their potential uses for hackers. We were able to take over accounts containing money from these mail services during our research. Our ongoing investigation has uncovered confidential personal information, account reset emails, hundreds of game accounts, and bitcoin wallet information. Some of these findings will be presented in a censored manner during our presentation. Moreover, we will release the tool on GitHub after the presentation. This tool includes a configuration file that allows it to continuously crawl and monitor emails from specified URLs, and optionally save them. It filters the emails to record based on the keywords in the config file, making this tool highly effective. For instance, I installed this tool and entered keywords such as eBay, password reset, bitcoin, and OTP. This tool saves or notifies you when emails containing these words are delivered to the relevant email services. Additionally, this tool features Telegram API integration, allowing you to receive real-time notifications via Telegram when relevant emails are received. All these aspects are included in our research. During our project presentation, we will demonstrate a live proof of concept and showcase valuable findings we can obtain during the presentation. In the bonus section, we will highlight red team activities we observed while examining these mail services. This part may be quite interesting 🙂 ------------------------------------------------------------------------------------------------------------------------------------------ This talk was recorded at the @ReconVillage - at @DEFCONConference , Hotel Linq, Las Vegas. For more updates and announcements, follow us on Twitter: https://twitter.com/ReconVillage LinkedIn: https://www.linkedin.com/company/reconvillage YouTube: https://youtube.com/reconvillage DEFCON Mastadon: https://defcon.social/@reconvillage Cheers, Recon Village Team.
DEF CON 31 Recon Village - Seyfullah - Mastering OSINT  Advanced Techniques in the Realm of Big Data

DEF CON 31 Recon Village - Seyfullah - Mastering OSINT Advanced Techniques in the Realm of Big Data

In the session titled "Mastering OSINT: Advanced Techniques in the Realm of Big Data," I will provide a deep dive into the intricacies of Open Source Intelligence (OSINT) and Big Data. Leveraging my extensive experience in the field, this presentation will elucidate the techniques, tools, and challenges in deploying OSINT methodologies in the context of Big Data. As an expert with years of practical experience in OSINT and Big Data analysis, I have a rich understanding of the possibilities and complexities that both these fields present. I will share this knowledge and experiences to help others more effectively navigate this exciting yet challenging landscape. The discussion will commence with an introduction to OSINT, including its origins, utility, and implications within the contemporary digital arena. This will lead us to the vast and complex realm of Big Data, where we'll understand its significance, challenges, and the role it plays in improving the efficacy of OSINT. A detailed overview of Google BigQuery will be provided, exploring how this powerful tool can be used for managing and analyzing big data. I will delve into its features, advantages, use-cases, and practical examples demonstrating how it can help in OSINT. I will also discuss other key resources such as CommonCrawl, which provides web crawl data, and Rapid7 Open-Data, a goldmine for security research. I will elucidate how these datasets can be harnessed for comprehensive analysis and deriving actionable intelligence. The section on Passive Search will cover various methods and best practices, with a special focus on how to leverage this technique in the context of Big Data. Finally, I will talk about Internet Search Engines' pivotal role in OSINT and how to extract maximum value from them. What sets this presentation apart is not only the comprehensiveness of the coverage but also the practical, hands-on approach, featuring real-world examples and demonstrative scenarios. It promises to be an enlightening session for anyone interested in advanced OSINT techniques and the potential of Big Data. ------------------------------------------------------------------------------------------------------------------------------------------ This talk was recorded at the @ReconVillage - at @DEFCONConference 31, Hotel Linq, Las Vegas. For more updates and announcements, follow us on Twitter: https://twitter.com/ReconVillage LinkedIn: https://www.linkedin.com/company/reconvillage YouTube: https://youtube.com/reconvillage DEFCON Mastadon: https://defcon.social/@reconvillage Cheers, Recon Village Team.
DEF CON 31 Recon Village - Jason Haddix - Easy EASM The Zero-Dollar Attack Surface Management Tool

DEF CON 31 Recon Village - Jason Haddix - Easy EASM The Zero-Dollar Attack Surface Management Tool

Easy EASM is just that... the easiest to set-up tool to give your organization visibility into its external facing assets. The industry is dominated by "Attack Surface Management," but OG bug bounty hunters and red teamers know the truth. External ASM was born out of the bug bounty scene. With ten lines of setup or less, using open source tools, and one button deployment, Easy EASM will give your organization a complete view of your online assets. Easy EASM scans you daily and alerts you via Slack or Discord on newly found assets! Easy EASM also spits out an Excel skeleton for a Risk Register or Asset Database! This isn't rocket science.. but it's USEFUL. Grab Easy EASM and feel confident you know what's facing attackers on the internet. Easy EASM uses a collection of tools tied together to perform recon on a target or set of targets. Utilizing Amass, Subfinder, Chaos, Notify, r7 Sonar, eyewitness, and Cloud Certs. It will run daily and track all assets discovered for your targets. With a Discord or Slack key, you'll get this output to chat every morning if any new assets have appeared. You can choose the "fast" or "comprehensive" deployment, which adds additional methods to the discovery (brute force, permutation discovery, screenshots, and tech profiling). BUT... literally, all the user does is one-click deploy and add a Slack or Discord token. Then they start receiving bacon... I mean recon... I mean EASM data. ------------------------------------------------------------------------------------------------------------------------------------------ This talk was recorded at the @ReconVillage - at @DEFCONConference 31 , Hotel Linq, Las Vegas. For more updates and announcements, follow us on Twitter: https://twitter.com/ReconVillage LinkedIn: https://www.linkedin.com/company/reconvillage YouTube: https://youtube.com/reconvillage DEFCON Mastadon: https://defcon.social/@reconvillage Cheers, Recon Village Team.
DEF CON 31 Recon Village - Vitor Ventura - Getting Ahead of The Bad Guys with Internet Scanning Data

DEF CON 31 Recon Village - Vitor Ventura - Getting Ahead of The Bad Guys with Internet Scanning Data

Detecting adversaries ahead of time is the holy grail to any defender. In this presentation we propose the usage of internet scanning services as a hunting ground of adversaries. Services like Shodan and BinaryEdge provide a great source of adversarial indicators, allowing defenders to get ahead of the risk. While this is not possible all the time many defenders try to get ahead by collecting information from several sources, some open some through private feeds. In this presentation we will demonstrate how these services can be used to find unknown adversarial infrastructure. We will illustrate how this can be done hunting for ip addresses serving payloads that match the MZ header. This allows the identification of attack framework hosting sites serving executable payloads directly, Metasploit is a good example of such frameworks. The technique does not end with the MZ header, other patterns can be searched which contribute to a better mapping of the Internet threat landscape. The presentation will continue to explain how this data can be processed in order to be transformed into something useful for defenders and threat researchers. During our research we also found different results, from funny stuff without any harm to powershell scripts or even source to be compiled locally. This method has been used to triage logs on incident response cases where we wanted to see if CobalStrike had been used. By supplying a list of recent CS servers delivering payloads we were able to identify the initial attack vector and corresponding patient zero of that incident. The presentation will finish with the presentation of other use cases, for this kind of data analysis. ------------------------------------------------------------------------------------------------------------------------------------------ This talk was recorded at the @ReconVillage - at @DEFCONConference 31, Hotel Linq, Las Vegas. For more updates and announcements, follow us on Twitter: https://twitter.com/ReconVillage LinkedIn: https://www.linkedin.com/company/reconvillage YouTube: https://youtube.com/reconvillage DEFCON Mastadon: https://defcon.social/@reconvillage Cheers, Recon Village Team.
DEF CON 31 Recon Village - Nick Ascoli - Leakonomics 101 The Last Year in Data Leaks

DEF CON 31 Recon Village - Nick Ascoli - Leakonomics 101 The Last Year in Data Leaks

Data leaks have become an omnipresent concern in our digital landscape, demanding an understanding of their anatomy and the evolving trends that shape this realm. Join us at the Recon Village as we embark on a journey through the past year's data leaks, exploring their causes, consequences, and impact on organizations and the criminal underworld. We will dissect the anatomy of data leaks, examining vectors such as misconfigured cloud resources, insider threats, third-party vulns, and cybercrime group in-fighting. Through real-world case studies of the last year, including the Luxottica leak, the Toyota incident, the RAID forums leak, we will identify the common patterns and vulnerabilities that pave the way for breaches. Understanding the fallout from these breaches is crucial. We will analyze the consequences beyond financial and reputational damage, including the impact on customers and the broader ecosystem. No discussion of data leaks would be complete without exploring the criminal underworld. We will talk about where stolen data is sold and exchanged, drawing insights from recent posts on various cybercrime forums. Lastly, we will provide a panoramic view of the trends observed in the past year's data leaks. The increasing volume of cloud-based attacks, the persistence of legacy vulnerabilities, and the evolving tactics employed by cybercriminals will be explored. By understanding these trends, organizations can proactively adapt their security measures to counter emerging threats. Join us in this captivating talk as we navigate through Leakonomics 101: The Last Year in Data Leaks. ------------------------------------------------------------------------------------------------------------------------------------------ This talk was recorded at the @ReconVillage - at @DEFCONConference 31, Hotel Linq, Las Vegas. For more updates and announcements, follow us on Twitter: https://twitter.com/ReconVillage LinkedIn: https://www.linkedin.com/company/reconvillage YouTube: https://youtube.com/reconvillage DEFCON Mastadon: https://defcon.social/@reconvillage Cheers, Recon Village Team.
.GOV Doppelgänger: Your Häx Dollars at Work - Anthony Kava - Recon Village @DEFCON 29

.GOV Doppelgänger: Your Häx Dollars at Work - Anthony Kava - Recon Village @DEFCON 29

'============ ABSTRACT ============ .gov domains are especially vulnerable to Doppelgänger registrations and typosquatting. Many governments have used .com and .org names for decades but are now making the move and thereby creating fresh opportunities for impersonation. How effective are such attacks? What data could a bad actor intercept? We did an experiment to find-out -- 4 months, 42 domains, and some of the most populous city and county governments in the US and beyond. Financial data, PII, health records, confidential deals, critical infrastructure info, and even police intelligence bulletins are all up for grabs. Come see the practical results of an incredibly inexpensive, lawful, and difficult to mitigate information gathering tactic. ============ DETAILED OUTLINE ============ I. Intro [ 5 min ] A. .gov domains: perceived as more secure due to restrictions B. many govs used/use .com, .org, .net, .us, etc. for decades C. citizens, even gov employees, type .com without thinking II. An Experiment [ 5 min ] A. idea genesis: copied on an email with the wrong domain for another rcpt B. whoami(1) and why do I care? C. research project i. scrape Wikipedia to find most populous cities and counties ii. do look-ups to find available lookalike domains iii. register domains, set-up MX (do friendly bounce), redirect web visits to real site, log DNS queries iv. plan: capture months of data, advise real .govs for awareness, offer to xfer domains gratis v. capture vi. purge captured emails III. Findings [ 10 min ] A. 42 domains later... cities, counties, states, also foreign .gov.xx B. 400+ emails per month i. collage of drivers' licence photos received ii. collage of invoices sent to .govs (ripe for invoice fraud) iii. law enforcement intelligence -- oops, officers typed address wrong now we get everything iv. "secure" emails -- Zix, O365, Virtru, etc. -- not secure when we own the wrong email addresses C. lessons from DNS queries D. stats of web redirection E. we could have been bad: email looking like vendors or employees, inject malware into web traffic, phish, etc. F. who is doing this in the wild? What's their MO? IV. A New Hope [ 3 min ] A. amazing .uk safety net (also .uk let us do it anyway which is cool) B. gently telling .govs about this risk C. releasing domains to .govs and/or sinkholing them V. Lessons Learned [ 2 min ] A. citizens and .gov employees trust email implicitly B. even big .govs miss opportunites to deny good real estate to attackers C. you can steal .gov email and web traffic for $4/year VI. Questions [ 2 min ]

Recon Village - DEF CON 29 Talks

Recon Village - DEF CON 28 Talks

DEF CON Safe Mode   Recon Village - Ladislav Baco - Hunting for Blue Mockingbird Coinminers

DEF CON Safe Mode Recon Village - Ladislav Baco - Hunting for Blue Mockingbird Coinminers

During March-May 2020 the Blue Mockingbird group infected thousands of computer systems, mainly in the enterprise environments. There are known incidents in which they exploited the CVE-2019-18935 vulnerability in Telerik Web UI for ASP.NET, then they used various backdoors and finally, they deployed XMRig-based CoinMiners for mining Monero cryptocurrency. Interesting about these cases is the persistence which they used for CoinMiners - lot of techniques including scheduled tasks, services, but also WMI Event Subscription and COR Profilers. During forensic analysis and incident response process it was possible to find these persistences and many coinminers artifacts, but malware samples responsible for their installation and persistence creation have been missing. However, when we enriched results of the standard malware analysis with the Threat Intelligence data and OSInt, we were able to find the missed pieces of puzzle and reconstruct the original attack chain including the initial exploitation, local privilege exploit, two backdoors, main payload and multiple persistence techniques. Moreover, this research reveal many about the tools, techniques and procedures (TTP) of Blue Mockingbird Threat Actor. Finally, with more knowledge about the attackers it is possible to collect more samples of coinminers used by them. After next step of reconnaissance we can get insight into profit of their attacks and compare them with the damages caused by these attacks.
DEF CON Safe Mode Recon Village  - Mauro Eldritch - COVID 1984 Propaganda/Surveillance in a Pandemic

DEF CON Safe Mode Recon Village - Mauro Eldritch - COVID 1984 Propaganda/Surveillance in a Pandemic

What does a propaganda apparatus look like from the inside? How do groups dedicated to setting trends and censoring the opposition act? What if your government forces you to install an app that tracks you during the pandemic? What if we infiltrate a sock puppet account to understand all this better? The official political propaganda and digital surveillance in Argentina are not new. However, in the last fifteen years, both phenomena have adopted in their favor a new technological approach worthy of study, with the emergence of companies dedicated to manufacturing online trends; cyber militancy groups aimed at setting up debates, responding to them or denouncing rival trends in a coordinated way; the project to establish an exclusive social network for pro-government and “against the establishment” militants (sponsored by the Government itself); the rise of state digital surveillance after the implementation of a Cyber ​​Patrol Protocol, and the permanent monitoring of citizens through a mandatory mobile government application during the COVID-19 Pandemic. This work aims not only to review the previous events, but also to detail the two greatest milestones of political propaganda and digital surveillance in Argentina today: the political propaganda apparatus on social networks and the digital privacy abuses caused by the government application CUIDAR-COVID19 (ar.gob.coronavirus). For the first case, a fictitious account (sock puppet) will be infiltrated within the propaganda apparatus on social networks to achieve a detailed technical dissection of its entire operation (including its interventions and actors). Our own cyber intelligence tool, Venator.lua, will be used to obtain and process data. The following section will be devoted to the study of privacy abuses caused by the mandatory government application CUIDAR-COVID19, reverse engineering it and analyzing its source code.

Recon Village - DEF CON 27 Talks

Recon Village - DEF CON 26 Talks

DEF CON 26 RECON VILLAGE - yamakira - Building Visualisation Platforms for OSINT Data Using OSS

DEF CON 26 RECON VILLAGE - yamakira - Building Visualisation Platforms for OSINT Data Using OSS

“Reconnaissance is about gathering information. The information gathered is only as good as the insights and actionable decisions that we can gain from it. A lot of research is focused on finding OSINT data but little is done towards converting the data into insights and actionable decisions. Visualisation is an easy and efficient way to gain insights from any the data gleaned. In this workshop, we will look at how we can gather OSINT data and visualise it using free and open source solutions. Visualising data is not enough, we’ll also look at how we can use the metrics to answer business questions and lead to actionable decisions. We’ll tackle the problem by breaking it into following steps: Gathering OSINT data Storing the OSINT data Processing & visualising the data Gaining insights and making actionable decisions Some specific use-cases we’ll look at during the workshop includes: Monitoring an organisation’s SSL/TLS certificates, domains and subdomains in near-real time Creating dashboards using public datasets(scans.io) to gain insights into an organisation’s external posture Building monitoring and alerting solutions using OSINT data that will help us take business decisions Participants will get Step by Step Gitbook covering the entire training (html, pdf, epub, mobi) Custom scripts, playbooks and tools used as part of the workshop Scenarios that can be readily implemented for your use cases References to the data used in the workshop
DEF CON 26 RECON VILLAGE - victoris - Prebellico 100 Perfect Passive Pre-engagement/Post Compromise

DEF CON 26 RECON VILLAGE - victoris - Prebellico 100 Perfect Passive Pre-engagement/Post Compromise

When attacking modern internal networks, intelligence is everything. Understanding the environment you are operating in can be the difference between successfully penetrating your target environment or missing targets of opportunity due to lack of understand about the target environment. While true, obtaining information about the environment in a stealthy manner, when required, can be difficult within a mature environment. Even during overt engagements, obtaining the information you need within a limited time window can be difficult, especially during engagement delays. Further complicating things, often testing scope is based off of poor assumptions about the target environment, often leading unrealistic scope reductions a real-world attacker would not operate out of. Over the years internal testing engagements have been operating on various assumptions within switched networks, often driving engagement execution methods, but what if these assumptions were wrong? What if we could utilize the wasted time, even weeks in advance, between deployment and engagement execution, to take the time to understand the network? What if we could leverage the realities of modern networks and the things customers do to ‚Äòprepare’ for an engagement (backups, security scans, etc.) through 100% passive methods, challenging your assumptions about the network? Prebellico is pre-engagement and post compromise intelligence gathering mechanism designed to gather as much information about the target environment through 100% passive methods. Utilizing very few resources, Prebellico permits an attacker the ability to understand the target environment by providing information such as the intent of internal systems, internal network address space, hostnames, egress filtering, TCP trust relationships, as well as map open TCP/UDP ports through reverse port scanning using 100% passive techniques.”

Recon Village - DEF CON 25 Talks

bottom of page