loader image
TROPICON
img not found!

Speaker: Paulino Calderón


Biography


Paulino has experience in developing cybersecurity tools, and his contributions are used by millions of professionals in the industry. As an official Nmap contributor and NSE (Nmap Scripting Engine) developer, he has authored several well-known books, including “Nmap 6: Network Exploration and Security Auditing,” “Nmap Scripting Engine Development,” and “Nmap: Network Exploration and Security Auditing Cookbook, 2nd Edition,” where he thoroughly reviews the process of network exploration, security auditing tasks, and the development of scripts for the NSE engine.

In 2011, he participated as a student in the Google Summer of Code program, later returning as a student mentor focused on vulnerability exploitation during the 2015 and 2017 editions with the Nmap project, and in 2019 with the OWASP IoT Goat project. Paulino actively collaborates with the OWASP organization through the OWASP IoT Goat project—where he is a project co-lead—and the OWASP Mobile Application Security Verification Standard. He is also the leader of the Riviera Maya chapter and organizer of the OWASP LATAM Tour event in Mexico.

He has participated as a speaker and workshop instructor in more than 45 cybersecurity events in China, Germany, Canada, the United States, Mexico, Colombia, Honduras, El Salvador, Bolivia, Peru, Chile, and Curaçao.


Public exploits and vulnerabilities

  • http-adobe-coldfusion-apsa1301 – Exploits ColdFusion servers
  • http-shellshock – Exploits the vulnerability known as Shellshock
  • SQL injections on Android systems
  • MSF module: lansweeper_collector
  • Debugging shell with root privileges on TP-LINK WDR740
  • Unauthorized access to configuration files on TP-LINK WDR740 routers
  • PHP Self Cross-Site Scripting in MantisBT 1.2.x
  • lansweeper_collector – Extracts and decrypts credentials stored in Lansweeper
  • apache_tomcat_transfer_encoding – Exploits a vulnerability exposing application source code on vulnerable Apache Tomcat servers
  • http_form_fuzzer – Exploits web applications vulnerable to malformed input
  • http-vuln-cve2015-1635 – Exploits Windows systems vulnerable to MS15-034
  • http-coldfusion-subzero – Exploits ColdFusion servers