Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
[Checklist] Prepare a pentest camp (challenge)

6 Technical Things To Do Before Security Camp (Challenge)

First I would say thank you to Jerry Gamblin for allowing me to reuse its work.

This checklist is based on Jerry Gamblin works:

Let's go!

  • Delete All The Saved SSID’s On Your Devices

A common attack that hackers like to do is spoof common SSIDs so that your device will connect automatically and start using their AP so they can capture all your information.
I actually wrote a script called mana-common that spoofs the most common to demo this problem.

You should delete all the saved SSIDS on your devices to stop from falling victim to this attack.


  • Get A Hot Spot

Connecting to a hotel network at a Hilton in Little Rock is dangerous. Connecting to a hotel network in Las Vegas is reckless. Connecting to a hotel network in Las Vegas during Security Summer Camp is stupid. You can pick up a mobile hotspot for about $25 a month.


  • Get A VPN

You could easily get a commercial VPN but if you want to go to the next step build your own streisand server or an openvpn server and delete it when you are done with it.
It will help protect your data from anyone who may be snooping on you.


  • Change All Your Passwords (Before and After)

You should run your passwords managers auto-change feature before you leave for Vegas and when you get back just incase someone gets a hold of your account.
You do use a password manager right?


  • Turn on 2FA On All Your Accounts.

You should at a minimum enable 2FA on all your social media and financial accounts before you head out. Twofactorauth.org has great information on how to configure your accounts to use 2FA.


  • PCAP All Your Traffic

This is the most paranoid of my tips but when I am at a conference I always PCAP all my data incase I do get breached I can hopefully figure out how or write a good blog post about it.

I wrote a blog post on doing this with docker earlier this summer so I now can run this to save the pcaps to my dropbox:

docker run -v ~/Dropbox/pcap:/pcap --net=host -d jgamblin/tcpdump

The truth is these rules should be followed all the time if you want to have a decent operational security posture. OK, you might not need to PCAP everything, I am just paranoid…follow the first and you will be ok.


  • Get Some Personal Cards

It is 2016 and we should all be able to NFC our contact info securely to the person next to us in 10 seconds, but we cant.

You should invest in some personal networking cards that you can hand to someone when you want to take that conversation about that amazing project they are working on from the Rapid7 party offline so you can really understand the technical details.

These just need your name, email and social media contact information (Moo.com is where I get mine).


Have Fun !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment