Two years ago I wrote a basic, straightforward guide here at Infosec Institute Resources on how to survive a hacker conference, convention, or information security gathering. I think it should be expanded and improved, and it should also focus on enjoying such an eximious event.
Another reason I am inspired to write this follow-up is that I was able to attend ROOTCON 8 on September 26-27, 2014 at Cebu Parklane International Hotel, Cebu City, Philippines. According to semprix, the CON was attended by 215 participants and 17 sponsors.
Here is a picture I took of ROOTCON’s coolest electronic badge ever which is powered by Arduino and designed by m1xr47.
Isn’t she beautiful? Now back to the ball game! How do we really feel the essence of such an event, even if it is your first hacker conference? I noticed that a lot of participants during ROOTCON 8 were CON virgins, so I would like to share some tips that I have learned:
Follow and Live by the 3-2-1 Rule
What’s the 3-2-1 Rule? Three hours of sleep, Two Meals, One Shower! You can’t miss the happenings and the parties so live by the 3-2-1 rule.
Pack Up Your Tools and Gears
Hacker conventions are packed with non-stop awesome activities and challenges like CTF (Capture the Flag), Packet Analysis, Lock Picking (in case you end up in prison LOL), Wireless Cracking, Hacker Jeopardy, Computer Forensic Games, Crack the Hash, and other games which usually involve pwning or poking. In fact, new games and challenges may be introduced every year. And because such games exist, you need to pack up your tools and gears to unleash your ninja-fu.
Bring your laptop booted with Windows, Linux, or BSD. I suggest you install Backbox Linux or Kali Linux as your penetration testing distribution or toolkit if you want to have pre-compiled penetration testing tools like Aircrack-ng suite, Sqlmap, Wireshark, Netcat, Metasploit, Reaver, Nmap, Ettercap, Dsniff, John the Ripper, Kismet, Sqlninja, Hydra, Nessus, Nikto, etc. Burp Suite Professional may also come in very handy for challenges that involve web app hacking.
You need wireless hardware too, because the Aircrack-ng suite needs a wireless card that is capable of packet injection; the Alfa AWUS036 card from Alfa Networks should be good enough. If you want to bring your Prodelin satellite dish then go because no one will stop you! (LOL just kidding but half meant). Hackers love signal boosters and antennas!
For reverse engineering, file analysis, forensics and exploit development, don’t forget to install Ollydbg, IDA Pro, Exeinfo PE, or Immunity Debugger plus its plugins like Mona.py and Pvefindaddr.py.
Aside from offensive security, reverse engineering and analysis tools, make sure you have extra protection: an updated antivirus that is working well, a decent firewall, sandboxes, an IDS (intrusion detection system), and other detection tools that I forgot to mention.
All of these tools that I suggested are essential (some are not but it depends) for participating in the games, but there are still more tools and gears out there that make your life easier, so don’t forget to research more fun stuff. If it is the best tool for you then go!
Pwn that Hacker Badge like a Boss
A CON or hacker badge is your pass and your souvenir item for a hacker conference or an information security gathering. Without it you are not authorized to pass the entrance of the event, which is guarded by security goons or bouncers, unless you can hack your way into the event.
Nowadays, electronic and microcontroller badges are mainstream in prestigious hacker conferences, especially DEFCON, so unleash your hardware hacking skills and pwn the badge till the fourth of dawn. In most cases, challenges are embedded into its firmware, so plugging the badge into your laptop should be the first thing you do, and then install its IDE (Integrated Development Environment).
The Hardware Hacking Village is a special area in a conference where you can learn hardware hacking, basic electronics, robotics, and circuit designing. If you are new to electronic badges then drop by this village.
Listen to Talks and Tracks
Every year, new zero days and research are disclosed and shared in conferences, ranging across topics like Exploit Development, Reverse Engineering, Tools 101, Wireless Attacks, Cloud Security, IPv6 Hacks, Kernel Exploitation, Cryptography, Exploitation Techniques, Mobile Security and many more, so be sure to attend and listen to talks handled by celebrity or talented speakers. Take out your program guide and make sure to mark out the talks you are planning to attend.
Take Everything Especially Pictures
No… Don’t steal stuff but it’s up to you! Take a selfie, a groupie or whatever! As a hacker, you don’t want to leave your logs and footprints but hey this is a hacker conference! Take pictures of your precious moments during the CON because this is your chance. After the CON, you should be able to reminisce about your escapades. Be sure you are not caught when taking pictures of FEDs and hot chicks.
Don’t forget to bring your GoPros and you might want to optimize it by using a number of handy scripts like Autoexec.ash on chernowee.com.
Party Harder and Drink till You Drop it Like it’s Hot
Take courage and be a hacker! Hackers are human beings too and we just want to have some fun. Don’t worry because there will be a lot of alcoholic drinks during Post-CON parties, so prepare yourselves for unexpected things like plates being thrown into the pool, hacker clashes, dance showdowns, hot ch1xors wearing hot bikinis, and many more. Live DJs spinning their own turntables will be present at the party; my tip is to try scratching their equipment, but be sure to ask their permission in order to avoid some trouble.
Make sure you capture those hot moments just like the guy from the picture below.
Peace brother! I hope you enjoyed that moment. Thou shall not be sober! Hahahaha!
Visit Some Villages and Booths
Special areas in a hacker conference like Hardware Hacking Village, Lock Picking Village, Packet Hacking Village, Crypto and Privacy Village, Tamper Evident Village, ICS Village, and Social Engineering Village are places where you want to be.
In these villages you can learn a lot of things and socialize with other information security enthusiasts. Take note that hacker villages are in an open-forum format so just hang out and relax.
Participate and Socialize
Be friendly but be partially paranoid. It’s time to increase your network and show your skills without exposing yourself too much. Make some new friends, ask questions, socialize, and have fun.
Participating and winning in hacker games could earn you some privileges like a free pass for next year’s convention. Don’t be a lurker just like what you always do in your favorite IRC (Internet Relay Chat) #channel or else someone will whack you with a big trout; it’s time to /exit, log off and face the real world. Big hacker conventions only happen once a year so enjoy!
A hacker conference has the most hostile networks and communications, so do not just connect to various untrusted access points provided by the attendees or the conference staff (goons / crew). There may be a lot of users sniffing on that network, and there is also the very famous Wall of Sheep, which is a demonstration of who just got pwned or caught logging into email, web sites, or other network services insecurely. It is a never ending war out there!
Don’t be a sheep! If ever you are connected to an access point, use a VPN server for tunneling or do SSH tunneling. Disable some of the services or processes in your system which are not needed, like your Apache and MySQL server.
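One way to check which services still need disabling before you join the conference network, shown as an added example that is not part of the original post. It assumes a Linux laptop with `ss` from iproute2; the function names and the sample lines are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners reachable from the network you are
# about to join. Function names and the sample lines are hypothetical.

# Reads `ss -H -tlnp` style lines on stdin and prints "port address process"
# for every listener that is NOT bound to loopback only.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        n = match($4, /:[0-9]+$/)          # start of the trailing ":port"
        if (n == 0) next
        addr = substr($4, 1, n - 1)
        port = substr($4, n + 1)
        # 127.0.0.0/8 and [::1] are only reachable from this machine
        if (addr ~ /^127\./ || addr == "[::1]") next
        proc = "-"                         # ss hides names without root
        if (match($0, /\(\("[^"]+"/))
            proc = substr($0, RSTART + 3, RLENGTH - 4)
        print port, addr, proc
    }'
}

# Constructed sample input in the format printed by `ss -H -tlnp`.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 511  *:80             *:*       users:(("apache2",pid=812,fd=4))
LISTEN 0 151  127.0.0.1:3306   0.0.0.0:* users:(("mysqld",pid=640,fd=21))
LISTEN 0 128  0.0.0.0:22       0.0.0.0:* users:(("sshd",pid=590,fd=3))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=402,fd=14))
LISTEN 0 128  [::1]:631        [::]:*    users:(("cupsd",pid=701,fd=6))
EOF
}

# Live check on the laptop itself (run as root to see process names).
check_laptop() {
    ss -H -tlnp | exposed_listeners
}

sample_ss_output | exposed_listeners
```

Anything `check_laptop` prints is visible to everyone on the access point; stop that service or rebind it to 127.0.0.1 before connecting.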
I also found a good resource on how to survive a hacker convention entitled ‘How to Survive’ which talks about physical security, BIOS passwords, mobile security, Bootloader configuration, and many more.
And lastly, just be yourself
Act normal, act stupid, or do whatever you want! You are free to do so but please don’t cause too much trouble.
Additional Reading and Reference:
Surviving a Hacker Conference – http://hackaday.com/2008/12/25/surviving-a-hacker-conference/
Black Hat USA 2013 Survival Guide – http://blog.coresecurity.com/2013/07/22/black-hat-usa-2013-survival-guide/
DEFCON – http://defcon.org/
Unofficial Defcon FAQv3 – http://defcon.stotan.org/faq/rules.htm
ROOTCON – https://www.rootcon.org/