My first security talk — BSides Delhi 2019 Experience
Well, last year, at the age of 18, I finally popped my security cherry and presented my research revolving around server fingerprinting in Delhi organised by the BSides.
It all started when an email made it's way into my inbox containing the good news but the moment this tweet below fleeted, that was really the moment when I started feeling both elated and frightened —
Presenting our #BSidesDelhiSpeaker !!— BSides Delhi (@bsidesdelhi) September 17, 2019
Piyush Raj ( @0x48piraj ) will be presenting a Technical Talk on "Server fingerprinting: How I broke most famous recon tools and made the script kiddies sad" at #BSidesDelhi2019#SecurityBSides #BSidesDelhi pic.twitter.com/MotFblbrmt
Finally... MY... FIRST... TALK...!!!
It was finally gonna happen. I got a few speaker opportunities in past (was invited to IIIT-A, IIT-B, etc.) as well but my family strongly repudiated these opportunities because they were sure I won't be able to utter a word in front of a crowd and had lovely questions like — "who would listen to you, huh? ...to a 17 year-old punk who knows nothing?". So yeah, those conversations made me very confident and I decided to drop all those opportunities. Clever (read dumb), I know.
This was my time.
Despite my fears of freezing on stage and beginning to drool like a moron, I think the presentation went well. Excluding of course in the start where presenter's laptop decided it would die in fire rather than show my slides. Hopefully the attendees took something from the presentation that they can use to make their systems a little more secure or at least make the lives of script kiddies a little harder. Dream of blue-teams, right?
Rough workflow I came up while travelling
- Intro — 2~3 min
- What we are gonna learn — 2 min
- About web fingerprinting — 4 min
- Types and tackling each briefly — 3 min
- OS fingerprinting; working; exisiting research i.e. nmap's beautiful blog — 5 min
- Transcend onto my wappalyser research — 7 min
- Release/Demo Wapparalyser — 3 min
- Fucking with server response codes, scanners, metasploit etc. — 7 min
- What can be done? what I'm thinking etc — 3 min
- Bye-bye, QnA — 5 min
Yep. I didn't prepared thousands times in front of the mirror, actually, I didn't practiced even once and not because I'm not big on practice makes a man perfect; it's because I'm a big procrastinator.
Cheers to the youngest speaker
Being the youngest speaker at a security conference in India is, well, a little bit daunting to be honest. How you ask, let me paint a picture, you walk up to the registration corner and the first thing you get is, "Sir, this the speaker counter, the student registration is over there" you feel shunned but after stuttering a bit you finally say, "I..I'm actually a speaker, can you check my name, it's Piyush Raj". You then get a sorry and your badge. After getting the badge, you go back to hang out but quickly realise that nobody matches your age-group and it's not within 4-5 years but by long shots, mostly 10+ years. An email comes saying this xyz club is reserved and all the speakers can hang out. You go in, see everyone drinking, talking about their security jobs, penetration fiascos and what not. It's fun, you want to contribute something to the topic but you can't just barge in because of that age issue. People kind of treat you differently and you don't like it.
Cheers to BSides Delhi Crew for sending me some shots. I'm not the selfie type and was very nervous so I didn't clicked many photos (drop the 'm'). I know. Dumb.
In 21th century, if you didn't went live on the moment, you well as didn't do shit. — Piyush Raj
Yeah. I still don't care.
The slides for the presentation are now online [pdf] [ppt] and the video will be uploaded as soon as BSides decides to fix my quote-unquote "fuck-up". Oh, you want to know what I'm talking about? Here you go —
Got an email regarding violating laws, had a friendly chat with the #BSidesDelhi2019 team, and now, I'll have to get the video removed, and they'll have to edit the whole session, that sucks.— Piyush Raj ~ Rex (@0x48piraj) October 11, 2019
I think, I forgot that, it's not @defcon or @BlackHatEvents.
Yeah. I know. That was stupid.
I released the tool 30~40 minutes after the presentation was over. As always, feedback on the talk or the idea, tool bugfixes/reporting-issues and anything else will be gratefully appreciated.
Find it over GitHub — 0x48piraj/wapparalyser.
What would I do differently today?
Building an interactive web-app rather than a dull clunky CLI.
This research shows how too much RegEx matching is bad and how heavy reliance on status code leads to the dark side. New methods are being developed some utilizing machine learning.
I'm working on a paper which describes an efficient method for performing web-server fingerprinting which doesn't uses RegEx matching but analyses the code-usage instead dramatically increasing the precision and reducing false-positives. If interested don't hesitate shooting me an e-mail or something.