top of page

Recon Village Talks @ DEFCON 32

Las Vegas Convention Center, Las Vegas (🇺🇸 USA)

🗓️ 9th August 2024

Bastardo Grande: Hunting the Largest Black Market Bike Fence In The World
Bryan Hance
Comprehensive Talk
10:00-10:45
Recursion is a Harsh Mistress: How (Not) To Build a Recursive Internet Scanner
TheTechromancer
Comprehensive Talk
10:45-11:30
Hospitals, Airports, and Telcos — Modern Approach to Attributing Hacktivism Attacks
Itay Cohen
Short Talk
11:30-12:05
Bypassing WHOIS Rate Limiting and Alerting on Fresh Enterprise Domains
Willis Vandevanter
Tool Demo
12:05-12:40
SWGRecon: Automate SWG Rules, Policy, and Bypass Enumeration
Vivek Ramachandran
Comprehensive Talk
12:40-13:25
Tapping the OSINT potential of Telegram
Megan Squire
Short Talk
13:25-14:00
GeoINT Mastery: A pixel is worth a thousand words
Mishaal Khan
Comprehensive Talk
15:00:15:45
Recon MindMap: Organize, Visualize, and Prioritize Your Recon Data Efficiently
Lenin Alevski
Tool Demo
15:45-16:20
From RAGs to Riches: Navigating Large Attack Surfaces with LLMs to Find Bugs
Anthony Rhodes
Comprehensive Talk
16:20-17:05
Pushing the limits of mass DNS scanning
Jasper Insinger
Comprehensive Talk
17:05-17:45
OSINT at Clemson: Unmasking John Mark Dougan's Disinformation Empire
Steven Sheffield
Short Talk
17:45-18:15

Bastardo Grande: Hunting the Largest Black Market Bike Fence In The World

Bryan Hance

10:00-10:45

Since 2020, I have (as a BikeIndex.org cofounder) been chasing and hunting the single largest black market bike fence in modern history. This OSINT-heavy, cross-border investigation eventually blossomed into a federal court case in early 2024, so I've only able to partially share that story in public until now. By the time DEFCON happens, I'll be able to give this talk in its fullest and most unredacted form, which I haven't been able to do yet. (This talk was presented at Seattle BSIDES 2023, but even then I couldn't give 'the whole talk' because one of the key players was still being prosecuted in CA court) In December 2021, BikeIndex.org published an article that laid out how our OSINT detective work showed residential burglars in Colorado were exporting stolen bikes to Juarez Mexico and selling them on grey-market sites there for excellent profit. This quantified a long suspected 'urban legend' in the cycling community - that high end stolen bikes went to Mexico - but also the economics of the problem, as we tracked over 1000 sales of stolen bikes and were able to capture sales data and study the black market in very great detail. (That write up is here, if you are curious:https://bikeindex.org/news/closing-the-loop-a-deep-dive-on-a-facebook-reseller-of-bikes-stolen-in ) What we did *not* disclose at that time was that we were infiltrating and tracking an even larger, more impressive criminal actor in the same space - one whose sales and profits reach into the millions. Through years of surveillance, OSINT work, and a lot of persistence, we eventually identified one of his US side suppliers and got them raided by law enforcement, which then snowballed into a federal prosecution in 2024. In this talk, I'll talk about how the motivation to seek justice drives normal people to do extraordinary things with OSINT and other crafty methods to chase down bad guys and recover their stolen goods and seek justice. I'll cover some of the crazier edge cases we've run into in this space, and I'll talk about the secret shadow army of hunters and cyclists who are hunt these kinds of bad guys down online, every day. The talk will be audience engaging, with back-and-forth and audience 'spot-the-OSINT-FAIL-here' type participation as we walk through the major breakthroughs that took this project from 'hey, that's an interesting' to names going down into a federal indictment. Specifically, I'll give an overview of how we engage with theft victims to surveil, track, identify, and take down transnational black market bike fences - who often turn out to be even crazier individuals than anybody ever expected.

Recursion is a Harsh Mistress: How (Not) To Build a Recursive Internet Scanner

TheTechromancer

10:45-11:30

Recursion has a tendency to turn little bugs into explosive ones. In this talk, witness the myriad of strange and unexpected bugs we encountered while building BBOT, a recursive internet scanner. Rendered in smooth realtime animations, these bugs may appear fun and sometimes hilarious, but when they occurred they were extremely problematic, and taught us some valuable lessons about the internet and recursion. Discover the nefarious traps and nightmarish edge cases that awaited us in the depths of the internet, the destruction they caused, the awkward situations they put us in, and the tricks we used to overcome them. Most importantly, discover the kinds of hidden gems recursion can uncover (when it's implemented properly), and the critical advantage it will give you in your recon!

Hospitals, Airports, and Telcos — Modern Approach to Attributing Hacktivism Attacks

Itay Cohen

11:30-12:05

On December 12th, millions of Ukrainians trying to connect on Kyivstar's mobile and internet services were met with silence. The outage, it turned out, was no accident, but a carefully planned attack that had been brewing for months. One day later, a message saying “We take full responsibility for the cyber attack on Kyivstar” appeared on social media accounts belonging to a group calling itself ‘Solntsepek’. “We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine” the message continued. The Ukrainian users found themselves an audience of another hacking stunt in the ongoing war that started with the Russian invasion of Ukraine. Almost one month later, the pro-Ukraine hacker group “BlackJack” claimed to have breached the Russian internet provider M9com as revenge for the Kyivstar attack. These attacks demonstrate a rising trend where groups, ostensibly state-sponsored yet posing as hacktivists, execute cyber and influence operations. This approach provides plausible deniability and an appearance of legitimacy, avoiding the direct implications of government involvement. These actors, often using various group names, leverage grassroots facades for anonymity and to minimize international backlash. But what if the inflation in the trend is its weakest point? This is where yet another trendy topic comes in handy— Machine Learning (And yes, AI as well). We analyzed thousands of public messages from Hacktivist groups in Europe and the Middle East and combined classic Cyber threat-intelligence practices with modern ML models to learn about their motives over time and more importantly — tie some of these groups together and improve the way we do attribution when it comes to Hacktivism.

Bypassing WHOIS Rate Limiting and Alerting on Fresh Enterprise Domains

Willis Vandevanter

12:05-12:40

WHOIS data is a prime resources for identifying apex domains owned by a company. Unfortunately that data is typically locked up behind rate limited systems, third party APIs, or expensive bulk purchases. We developed whoiswatcher to run in serverless cloud (where we have clocked it at 1-1.5MM domains per day) or by using IPv6 proxying (can hit 150-200k domains per day with a small VPC). This makes it a perfect candidate to build a WHOIS dataset, review historic WHOIS records, and alert you on fresh enterprise domains. We will demo all this and more!

SWGRecon: Automate SWG Rules, Policy, and Bypass Enumeration

Vivek Ramachandran

12:40-13:25

Enterprise users on their web browsers are prime targets for attackers, penetration testers, and red teamers. A common tactic involves tricking users into clicking on spear-phishing emails, downloading malicious documents or binaries, and subsequently compromising their systems. To mitigate these web-based initial access threats, enterprises deploy Secure Web Gateways (SWGs). SWGs are essentially SSL-intercepting cloud proxies that inspect web traffic, blocking attacks such as malicious file downloads, harmful websites, and scripts. Since all web traffic from users' browsers is routed through these proxies, SWGs have complete visibility into the scripts loading into users' browsers and the capability to block them. In this talk, we will explore how to conduct reconnaissance against SWGs, identify the vendor and location, reconstruct the rules and policies applied, and identify bypasses based on these insights. We will introduce SWGRecon, a new tool designed to automate enumeration processes. This tool can be deployed as a JavaScript file for automatic enumeration and is complemented by a browser extension for certain scenarios. Our techniques have been rigorously tested against all the leading vendors in the market and have proven to be highly effective as of this writing. Our primary objective is to raise awareness about how easily an attacker can deploy JavaScript via their website or inject it into a known website, uncovering loopholes in SWG rules and policies. By exploiting these loopholes, attackers can bypass protections and deliver malware or malicious websites directly to enterprise users' browsers.

Tapping the OSINT potential of Telegram

Megan Squire

13:25-14:00

This short talk explores the intelligence potential available in the Telegram messaging app, with particular focus on our novel work exploring its new “similar channels” feature. Telegram is a popular application with numerous, but labyrinthine, security settings and many ways to spill data. In November 2023, Telegram also launched a new “similar channels” recommender feature, explaining that upon joining a channel, users will be shown similar channels that were "selected automatically based on similarities in their subscriber bases.” We built a new tool, which we will release at DEFCON, to collect and analyze this similar channels data. We will then show how to use social network analysis techniques to uncover previously-hidden relationships between channels on the platform. In the course of collecting this OSINT for our own research projects, we uncovered evidence of numerous inauthentic channel networks that are being used to influence political discourse.

GeoINT Mastery: A pixel is worth a thousand words

Mishaal Khan

15:00:15:45

After this interactive talk, you will never see images the same way again. This enlightening session explores the dynamic realm of GEOINT (Geospatial Intelligence), a captivating subset of OSINT (Open Source Intelligence) that unlocks a wealth of hidden insights within images and videos. From identifying objects, landscapes, and aircraft to interpreting symbols, shadows, and reflections, we'll go deep into the art of imagery analysis. Learn how to decode the language of trees, signs, text and logos, and uncover the strategic implications behind seemingly mundane details using common browser tools. This talk promises to equip you with mind-blowing skills that you can easily learn as I take you through multiple demos.

Recon MindMap: Organize, Visualize, and Prioritize Your Recon Data Efficiently

Lenin Alevski

15:45-16:20

After doing recon on a target you probably end up with more URLs, domains and IPs that you can handle, and when time is limited, how do you prioritize them? Recon MindMap (RMM) is a tool that will simplify the task of organizing and sorting all these assets. RMM can help you to generate complex domain structures, visualize them using your favorite mind map tools, make informed decisions, and improve your reports visual appeal. During the talk I’ll discuss the motivations behind building this tool and what problem it solves, the algorithm behind, scenarios and use cases for this tool, how to contribute to the project and what’s next for RMM. RMM it's opensource and it's available at https://github.com/Alevsk/rmm

From RAGs to Riches: Navigating Large Attack Surfaces with LLMs to Find Bugs

Anthony Rhodes

16:20-17:05

Reconnaissance is a crucial phase of the bug hunting process. However, managing and analyzing large amounts of recon data is challenging. As your data grows, it becomes increasingly difficult to identify and prioritize where your efforts should be focused. LLMs have shown potential to help tackle this problem, but chat assistants still require you to parse your data manually and spoon feed them the relevant context. This talk explores how Retrieval Augmented Generation (RAG) techniques can be used with LLMs to enhance how you interact with your attack surface data. We will demonstrate how we incorporate data from a variety of widely used security tools into a centralized knowledge base. This enables LLM agents to access and analyze this data without being confined to the LLM's context window limitations. We will also walk through how you can use LLMs to enrich your data as it is ingested to provide actionable insights. Join us to discover how you can level up your LLMs to gain an edge in finding bugs across an organization's attack surface.

Pushing the limits of mass DNS scanning

Jasper Insinger

17:05-17:45

"Most hackers have a complicated, love-hate relationship with DNS: teleporting a fundamental building block of the internet from the 80’s without major overhauls is a recipe for some interesting exploits and frustrations. DNS enumeration is a critical process in penetration testing and essential to security practitioners: the faster we can conduct DNS enumeration, the more potential vulnerabilities we can find. We developed an ultra-fast open-source DNS scanner, SanicDNS, using multiple parallelisation techniques. The result is a scanner that is two orders of magnitude faster than other popular tools. I will take attendees under the hood of the code, sharing what techniques yield the best results, the challenges encountered and their workarounds, and my tips for those considering the same endeavour. The practical applications of SanicDNS far exceed those of everything that preceded it. With this novel scanner, it is possible to identify DNS misconfigurations and conduct Nameserver takeover scans across the entire internet in realtime. This opens up a world of new possibilities for conducting reconnaissance. SanicDNS will be released for open-source at Defcon with easy-to-use installation instructions for the community."

OSINT at Clemson: Unmasking John Mark Dougan's Disinformation Empire

Steven Sheffield

17:45-18:15

Clemson University's Media Forensics Center spearheaded an investigation into the extensive disinformation network orchestrated by John Mark Dougan, an alleged corrupt Sheriff's Deputy now residing in Russia. This presentation will focus on Clemson's employment of OSINT techniques, emphasizing our thorough examination of digital forensic artifacts and metadata analysis. Through advanced OSINT techniques, our team analyzed server logs, domain registrations, and internet protocol (IP) addresses, unraveling a sophisticated web of over 160 disinformation websites designed to mimic legitimate news outlets. By dissecting these digital breadcrumbs, we traced the network's infrastructure and operational tactics, uncovering the strategies Dougan employed to disseminate false narratives. During the process we discovered how narratives were laundered, and LLMs were utilized to create inflammatory content. The session will provide a detailed look at the methods used to collect and interpret metadata and artifacts, which revealed the hidden connections between the fake sites and Dougan's operations. We will discuss how our forensic analysis uncovered patterns of digital behavior, allowing us to attribute the network's activities to Dougan and understand the broader implications for more transparent public discourse. Join us as we share the intricacies of our forensic process, demonstrating how Clemson's expertise in media forensics and metadata analysis played a critical role in exposing a key player in Russia's disinformation efforts. This talk will equip attendees with a deeper appreciation of the vital role OSINT plays in modern intelligence operations and the ongoing battle against digital deception.
bottom of page