What’s in my (Hacking Con) bag?

A number of people have asked about what I carry at a typical hacking con. In the blog below, I provide a brief overview. This article isn’t meant to be an endorsement and was in no way sponsored. Use what works for you, but I have included links for things when I can remember where I got them.

First, let me show you my bag, itself:


My bag is a Grunt Style tactical messenger bag. I like it because of the small form factor, the many interior and external pockets, and the variety of attachment points – carabiners, MOLLE webbing, ties, and Velcro. It also happens to be configured for CCW, if that’s your cup of tea.

I’ve used various styles of backpacks, but I found myself with a tired back by the end of the day, and I prefer the security of a cross-body bag I can keep an eye on. This one fits my 13″ MBP in a clamshell. I believe that’s the biggest notebook one could fit in it (but I highly advise against carrying a 15 pound desktop replacement to a con, if you must carry a laptop at all).

There are lots of vendors that carry similar bags, and each manufacturer has dogmatic followers who will regale you with the merits of their choice. Try them out and see what works for your computer and body.

Now to the important part – the contents of my bag:

The “Must Haves”

  • Printed Ticket – Because your phone will die or not scan at a really inopportune time.
  • Phone & Fob-Sized Faraday Bag – An alternative option is carrying a burner phone, but for the most part I see people with their personal or work phones at cons. Sometimes you’re in a situation where you want to stop transmitting everything, that minute. Usually it’s because an antenna is pointed at you and somebody is grinning. It’s a cheap and important thing to have.
  • Wallet with ID, and Adequate Cash – The RFID wallet fad is pretty irrelevant. Just avoid bringing credit cards if possible, and don’t bring a debit card within several miles of the con. Cash whenever possible, and don’t use an ATM once you’re there!
  • Phone and Charger – Self-explanatory.
  • Earplugs – Because con parties, shared lodging, and airplanes can be too loud for the most die-hard rocker.
  • Wet Wipes or Hand Sanitizer – Con plague is real.
  • Insulated Water Bottle – It’s really important to stay hydrated at *any* big event. Alcohol, coffee, and energy drinks don’t count – bring a refillable bottle to drink lots of water, and have some juice with vitamin C daily. There are two types of bottles I like for cons – insulated bottles that keep water cool or coffee warm, and filtered bottles when the water there is less palatable.
  • Pens, Pencils, Sharpie – Self-explanatory.
  • SyncStop – A must-have if you would even consider charging a device off any USB port that does not belong to you.
  • Power Bank – Outlets are in high demand.
  • Mini First Aid Kit & Prescriptions – I have rarely gotten through a con without myself or a friend needing an OTC painkiller or a band-aid. I would recommend having those, at a minimum.
  • Mini Toiletry Bag – On your person, for long days – not the one in your hotel room. I “militantly encourage” deodorant, and recommend a disposable toothbrush, as well as contact lens stuff and hair ties (as applicable).

The “Nice To Haves”

  • Business Card Case – Not only will you want to give out cards, but you will likely be handed cards you do not want to lose.
  • Bag of Holding (with cables, adapters, dongles, USB drives, assorted antennae) – Lots of vendors make cable organizers for travel that have spots for cables and USB devices. In mine, I carry video adapters for my laptop, presentation remote, charging cables, wifi and bluetooth antennas, hacktools, and USB drives. It really beats them tangled about in the bottom of the bag.
  • Properly-Imaged Laptop – If you decide to bring a laptop, do not bring one with personal or work data on it. Swap the drive, or reimage. It is very possible you do not need a laptop.
  • Multi-Tool – Don’t leave home without one. (Except through airport security.)
  • Pelican 1010 With Essential Lockpicks – I have bigger Pelican cases with my practice locks and full set of physical intrusion tools that I can pack in my suitcase. On my person, I carry a few favorites to use in Lockpick Village, lobby con, or at vendor challenges. Mine are pretty assorted (see the image above), but Toool sells a good beginner set. Check out Deviant’s blog and Red Team Tools regarding other useful locksport tools (which he can properly name much better than I).
  • Warcollar DopeScope – For CTFs, challenges, and just finding weird wireless stuff around the con to impress drunk people.
  • Hak5 Rubber Ducky – Too small not to, and can come in handy in assorted challenge land. (No, I don’t have a Bash Bunny, yet.)
  • Small Screwdriver – I almost put this in the “must have” list. You should never travel with electronics without an appropriate screwdriver. Most multitools don’t have a tiny one, either.
  • Snacks – Always a good idea to throw a few granola or protein bars in your bag. Schedules can get packed, and lines at local eateries and coffee shops can get very long.
  • Sweatshirt – Conference rooms get miserably cold.
  • RTFM – The pen testing book you are most likely to loudly scoff at now and sing praises of when Google isn’t available and man isn’t relevant.

I hope you found this list and explanation helpful.

Ask Lesley InfoSec Advice Column: 2017-04-26

I was sent some very challenging scenarios this week, from entry level remote work to anonymity. As always, submit your problems here!


Hi Lesley,

I’ll add a little background before my question. I’ve always wanted to break into the infosec industry as I love tinkering and figuring out how things work. I managed to get my first IT job on a helpdesk, which has taught me loads, and continues to every day; however, I’m not content with sticking to support. I’ve been very lucky in being accepted onto the Cisco CCNA CyberOps scholarship. My question is, do the course objectives look to be industry relevant?

First exam objectives – https://learningnetwork.cisco.com/community/certifications/ccna-cyber-ops/secfnd/exam-topics
Second exam objectives – https://learningnetwork.cisco.com/community/certifications/ccna-cyber-ops/secops/exam-topics

I’m going to sit the course and try to pass it regardless; I’m just interested in how it is viewed by an infosec professional.

– A keen n00b 🙂

Hi Keen,

Congratulations on your scholarship. The CCNA SECOPS and SECFND objectives are good, and cover many fundamentals every security professional should be able to describe and define at a minimum. Think of the program as your ten thousand foot view of many different niches and professions in security. Use the opportunity to pick out things that interest you personally, and dig into a couple further. This might be indicative of the field you want to eventually work towards. Conversely, if you find at that high level you’re weak in any specific areas, then it’s definitely a sign you need to study up on that subject.

Dear Lesley,

I’m a programmer. Last year I quit my job and started to study infosec and systems programming at home, and around December I reached the conclusion that I wouldn’t be able to turn this hobby into anything profitable (“pay-the-rent” profitable, not Zuckerberg profitable). I don’t live in the US, UK or any other major country, so these positions just don’t exist locally; information security is a non-issue here.

The only way out of this that I could see is bug bounties, but even then, bounties don’t seem like a reliable source of income. Surely I could make some good money in some months, but I can’t pay the rent only “in some months”, you know?

So that’s my question, how would you go about making infosec your main source of income if you can’t work for local companies nor relocate?

-Nasher Alagondar

Hi Nasher,

It’s really commendable that you want to get into security despite there not being much of a field, community, or market where you live.

You’re in a tough situation. If you were able to move I would definitely recommend going abroad with an internship or entry level position to get your foot in the door for a while before working remotely. The independent bug bounty market is a tough one, and it’s a mess of very skilled to totally unskilled people trying to make a living. Lots of companies don’t pay out bounties, and some even pursue legal action against people who submit them. If you could build up credibility with a dedicated bounty firm like Bugcrowd, that would probably be the best case scenario, but it’s still a cutthroat industry filled with many people in similar situations to you. If you go this route, you will really need to rise to the top in responsiveness and skill to be successful.

There are some remote low-level blue team cybersecurity jobs, particularly at big managed security providers. Their nationality requirements are going to vary, and it’s very likely they will require you to go to their office for a period of time for training. Perhaps some commenters on my blog have specific suggestions of firms. This seems the most ideal option for stable work.

A third option is making it an issue in your area. Cybersecurity is in the news more and more lately, and malware like ransomware really has a visible impact on even very small businesses. I’m not sure where you live, but if there are businesses, hospitals, or schools that use computers, you can probably sell them general IT service consulting with a side of basic security configuration and response. That’s going to take a lot of initiative and entrepreneurship on your part, and requires enough of a market to make a living.

Either way, please reach out digitally and do all the networking you can with other security professionals. It can’t hurt to have friends who can hire!

Dear Lesley,

I’ve been in IT for over 10 years, with a focus on security the last 4. I want to continue in the security field and am really interested in the defensive side of things.

The problem I have is that most certifications, books and resources online seem to be aimed at Red Team folks. I know the best way to defend against attacks is to learn how the attackers work, so I do see the value in learning things like pen-testing etc. My question is what else can I do to strengthen my Blue Team skills and also grow my career?


– I Want to Be Blue Like A Smurf

Hi Smurf,

Yes, red team skills are directly translatable to the blue team, as are general systems administration skills. There are plenty of defensive courses and certifications, but they are not as broad as red team certs like OSCP or CEH.

  • For instance, if you’re interested in reversing, you should be looking at books like Practical Malware Analysis, conferences like REcon, courses like SANS 610 or Applied Reverse Engineering with IDA Pro, and certs like GREM.
  • If you’re interested in forensics, you should be looking at books by Harlan Carvey and Brian Carrier, courses like those from Volatility Labs or SANS 408, 508, 526, and certifications like EnCE, GCFA, GCFE.

And so on and so forth. There are many defensive niches and they each have specific training, tools, and certifications. The broadest defensive certifications are Security+ and CISSP, and those are pretty high level for a reason. With your years of experience, I would suggest specializing a bit.

Dear Lesley,

In today’s world guarding our personal information has become more important than ever, and maintaining our privacy has become more difficult and exhausting whether we like it or not. My first question is, what do you think we can do to protect our privacy while we are looking for a job or socializing with other people, etc.? And second, do you think it’s worth creating a pseudo-name (pseudo-identity) and giving it to the people we meet inside and outside of our field instead of our real name, as a layer of privacy and maybe protection? Thank you for your time.

– cautious paranoid

Hi Paranoid,

I can’t tell you whether it’s better for you personally to use a real name or a pseudonym online. This requires a series of judgement calls you have to make yourself, and you will have to weigh costs and benefits. I can tell you that I use my real name because the exposure I get is tremendously beneficial to my credibility and ability to speak and train people. This comes at a cost. I have friends who use pseudonyms which can be traced back to them with effort, and others who have decided to be as anonymous as possible so they can discuss subject matter their employers disapprove of. If you use your real name, you should carefully craft your online persona and avoid posting offensive or sensitive personal information. If you use a pseudonym, you must be cognizant that it could be traced back to you tomorrow, or in ten years.

Unfortunately, this is one of those situations where you must weigh convenience and ability to function in society versus personal privacy, and try to maintain a balance between the two that works for your individual situation.

Dear Lesley,

First of all, thank you for this question series and for the Infosec Megamix. It really helps self-doubting me to get back on my feet and continue my path in the infosec world. Now, I recently obtained an infosec certification and it turned out to be an eye-opening experience which played well along my broad-and-shallow approach to learning. But ultimately I want to specialize in some sphere, and my interests are (in no particular order) threat intelligence, forensics and research/exploit development. Which are the topics I should get familiar with that are essential to all these spheres? (Or maybe 2 out of 3?) I’m currently picking up some low-level knowledge (reversing, OS insides etc.) and there is so much to be learned, so some guidance will be very helpful. Thanks again and keep up the good work!

– The Inkmaster

Hi Inkmaster,

Congrats on your hard work and certification. I’m really glad it inspired you.

The three areas you mentioned are pretty functionally disparate. The two you are most likely to see overlap in a role are forensics and threat intel, but that’s not super common.

Threat Intel requires a lot of soft skills, OSINT research, and geopolitical understanding. Forensics requires a lot of disk, memory, and operating system knowledge. Exploit research is entirely a different can of reverse engineering worms on the red team side of things. However, I like your question because it brings up a point I rail on a lot – system and network fundamentals are critical for every red team or blue team person.

Off the top of my head, some things that will overlap between those fields:

  • OS architecture, system function, and file systems – Forensics and Exploit Research
  • TCP/IP, ports and protocols, and internet architecture – All Three
  • Scripting with Python – All Three
  • Exploit methodology and the ‘kill chain’ – All Three

Dear Lesley,

I would like to know, when performing various things over the internet like hacking/scanning someone’s network and other stuff that can alert the authorities, how can I perform those tasks without them knowing who I really am (like my IP and stuff; most use proxies, but I have a gut feeling it’s not only that)? I would like to know how professionals cover themselves up over the Internet, of course 🙂


Hi QuesT-Ion,

First, the caveat – I don’t recommend or condone illegal hacking and you should only exploit systems that belong to you or you have clear written permission to test.

No, it’s not only about proxies. Sure, many a hacker has screwed up and forgotten to tunnel one piece of traffic, and many an ISP and VPN provider has been successfully subpoenaed, but IPs alone are not the end-all way to catch a hacker. Not only can attackers use proxies, but they can also use another compromised system as an attack platform, so the whole fields of DFIR and Threat Intelligence are pretty much dedicated to associated detective work.

There are lots of hard and soft indicators that can give away the nationality, location, or even identity of a hacker. Hard indicators include solid evidence like IP, MAC, system fingerprinting, metadata on files that shows a creator or source device, or geolocation data. Many an attacker has screwed up and left an internal hostname, handle, or local SSID behind in commands or code. Soft indicators, when put together, can also paint a great picture of an attacker. They are things like the time zone the attacker worked in, the language their tools and keyboard were set to, the specific malware variants or tools they selected to use, when they took breaks or made errors, and their methodology.
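The working-hours soft indicator mentioned above, as an added example that is not from the original post: given UTC timestamps of observed intruder activity, it ranks the UTC offsets under which that activity best fits a 09:00 to 17:59 working day. The sample timestamps, the working-hour window and the function names are all assumptions made for this illustration.

```python
"""Score the 'working hours' soft indicator used in attribution work.
Added example, not from the original post. Given the UTC times at which an
intruder was seen acting, rank the UTC offsets under which that activity
best fits an assumed 09:00-17:59 local working day."""
from collections import Counter
from datetime import datetime

# Constructed sample: UTC timestamps of interactive commands seen on a host.
SAMPLE_EVENTS_UTC = [
    "2017-04-20T01:12:00Z", "2017-04-20T02:05:00Z", "2017-04-20T02:48:00Z",
    "2017-04-20T03:15:00Z", "2017-04-20T03:59:00Z", "2017-04-20T04:20:00Z",
    "2017-04-20T04:51:00Z", "2017-04-20T05:30:00Z", "2017-04-21T06:02:00Z",
    "2017-04-21T06:44:00Z", "2017-04-21T07:11:00Z", "2017-04-21T07:58:00Z",
    "2017-04-21T08:09:00Z", "2017-04-21T08:37:00Z", "2017-04-21T09:14:00Z",
    "2017-04-22T22:40:00Z",  # one late-night outlier
]

WORK_HOURS = set(range(9, 18))   # assumed local working day, 09:00-17:59
UTC_OFFSETS = range(-12, 15)     # whole-hour offsets in use worldwide

def hour_histogram(timestamps):
    """Count events per UTC hour of day."""
    hist = Counter()
    for ts in timestamps:
        hist[datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour] += 1
    return hist

def work_hour_fraction(hist, offset):
    """Fraction of events landing in WORK_HOURS if the actor sits at UTC+offset."""
    total = sum(hist.values())
    in_work = sum(n for h, n in hist.items() if (h + offset) % 24 in WORK_HOURS)
    return in_work / total if total else 0.0

def rank_utc_offsets(timestamps, top_n=3):
    """Return the top_n (offset, fraction) pairs, best fit first.

    Ties go to the smaller offset so the result is deterministic; a near-tie
    between neighbouring offsets is normal and means the data cannot separate
    them. One indicator like this is weak on its own and is combined with others.
    """
    hist = hour_histogram(timestamps)
    scored = [(off, work_hour_fraction(hist, off)) for off in UTC_OFFSETS]
    scored.sort(key=lambda p: (-p[1], p[0]))
    return scored[:top_n]

if __name__ == "__main__":
    for offset, frac in rank_utc_offsets(SAMPLE_EVENTS_UTC):
        print(f"UTC{offset:+d}: {frac:.0%} of activity within working hours")
```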

Of course, many an attacker has just been caught by much more embarrassing means, like bragging about their attack without enough caution, or getting caught in a sting operation.

Real life attackers try to eliminate all of those mistakes and soft and hard indicators, but as threat intelligence reports will show, that’s very hard to do completely.