
Plunder, Pillage and Print

BSides Boston · 2013 · 45:19 · Published 2013-06
About this talk
Deral Heiland demonstrates how embedded devices, particularly multi-function printers, leak sensitive credentials on corporate networks. Through pentesting case studies he shows default passwords, LDAP pass-back attacks and SNMP community-string extraction, then presents Praeda, a tool that automates discovery of networked devices and credential harvesting from them.
Original YouTube description:

"Plunder, Pillage and Print" with Deral Heiland at Security BSides Boston 2013 in Cambridge, MA. All video links are available at http://www.bsidesboston.org and http://bit.ly/BSidesBOS. Twitter: https://twitter.com/bsidesboston. Website, biographies & agenda: http://www.bsidesboston.org, http://www.securitybsides.com/w/page/12194141/BSidesBoston, http://bit.ly/BSidesBOS. Don't forget to follow us on Twitter at @bsidesboston or tweet to us about the event using #bsidesbos. Video created and edited by Peter Larson (c) 2013, http://vimeo.com/user4206417. Posted by Roy of the Security BSides Boston 2013 Team.
Transcript (en):

Deral Heiland, and the name of this is "Plunder, Pillage and Print." Thank you very much.

So I guess we'll get moving along real quick. Not sure if everyone was expecting to be in my presentation; it kind of collapsed into this, I guess. This is a really interesting topic, and we've been doing this for a number of years, leveraging this information during pentesting and educating customers in what not to do when it comes to embedded devices on their network. A little bit about myself: I'm a senior security consultant for CDW Corporation. I travel around the country doing pentesting assessments, evaluating corporate security. I live in Ohio. I've been doing IT for over 20 years, 10 years in security, five-plus as a consultant. I'm also a member of the Foofus.net team; if you're a pentester you may be familiar with tools like Medusa and fgdump. Those come out of the Foofus.net team.

So, embedded devices. This whole talk is generally about embedded devices. We're going to pay a little more attention to printers, but when I talk about embedded devices it's literally all embedded devices, everything from multi-function printers to wireless controllers, routers, switches, storage management devices. Generally what we're looking for is any device we can get usable data out of. The most common factors of failure when we're dealing with embedded devices, and I see this on every corporate network: default password still enabled, a common problem, followed by poor product design, and then we all finish it up by never actually patching the devices if the vendor comes around and actually comes up with a solution to fix some of the stupid stuff that I point out.

As we're going through the presentation, I think we probably have the time, so don't hesitate to ask me some questions. If you have some input, go ahead and stop me. Let's make this kind of an education training session here so we can all get something out of this.

So what we're going to cover today, or what we're after, is typically Active Directory credentials. Anytime I'm doing an assessment I like grabbing that stuff. Windows local credentials, the local administrator account, things like that. Unix/Linux host credentials, or SNMP community string information. All this data is available from a plethora of embedded devices that exist on your corporate networks.

In today's agenda we're going to go through a couple of examples of pentests, kind of pentest stories, where we're going to point out examples, and in some of the examples we're going to drill down into certain product lines so you can get more of a look and feel of how that data is actually pulled out of those devices and the methods that we use to do this. We're going to discuss processes, and we'll also talk about automating a lot of this. We have a tool called Praeda that we've tried to automate a lot of this functionality of extracting data from your corporate network embedded devices with, and of course we'll finish up with questions.

So, pentest story number one. I hope you don't mind me walking around; I really hate standing in one place, it's kind of boring. In this one here we're dealing with trying to gain Windows Active Directory creds from a device. A little bit of information about this particular customer: most of their systems were well patched, so there were none of the common vulnerabilities that we could leverage to gain a foothold on any of the devices. We didn't have that. Every Windows server in that environment had a different password. Most users had complex passwords, nine or more characters, alphanumeric, things that you typically aren't going to be able to brute force. Also, they were a full Windows 2008 / Windows 7 environment. So as you're seeing, here's a customer who's actually taking a real proactive approach to building their internal security a little closer to the correct way of doing it, and users do not have administrative access to their systems.

So the first day on this assessment I didn't gain access to anything other than a few systems I was able to compromise; I was never getting that global foothold in the corporate environment. Now, talking about embedded devices: up to this particular engagement, most of the time the work that I did looking at embedded devices was saved to the end of the assessment. Most assessments I go in, I hook up to their network, and within the first 60 minutes to an hour and a half I'm usually a domain admin. But in this case I'm on day two of the assessment and I've gained access to a few devices, but like I said, nothing global. So after this assessment we moved the whole process I'm talking about here to the beginning of the engagement, using that tool Praeda, which we're going to talk about at the end.

So we did find a number of embedded devices in this environment that had default creds, and most of what we found was that the Canon imageRUNNER multi-function printers on this site actually had default creds. So that comes with one question. How many people in here, and everyone pay attention to the hands that go up, how many people here, at your location, have the requirement for all printers that they must have their default passwords changed prior to being put into service? Do we have anyone? So the numbers are going up, but as you see we had five people raise their hands. You guys work for government-related entities? Okay, that's interesting. Usually I see that at some government-related entities, but I don't see it in corporate America. But as you see, with all the people in here we only had a few hands go up, and this is the common thing. I've only one time in five years of pentesting found an organization that actually had changed the default passwords on all their printers. Once in five years. So that's a key failure in our environments.

So let's look at this. Our initial foothold happened to be in a Canon printer, and it turns out that with the Canon printers there are several problems when we're dealing with the older iR types. They have a newer one, the iR-ADV, the advanced Canon printers, and we're going to go into a little detail on those. But in this case they had the typical iR. There are 11 address books on an iR printer that you can extract off of those devices, and the cool thing on these older devices, at least 90 percent of them, if they haven't been patched to the latest firmware, is that there's a problem where you can do forceful browsing. So even if you set a password, I can get past it, and the way you get past it is: one, you hit the home page on the site, which assigns you a cookie. You have to have the cookie, but once the cookie's assigned, then all you have to do is directly request the address books, and that's done with this URL right here. We can actually increment the aid up, one, two, three, four, to get through all the address books.

If you go online and just look at the address books you will not see user information. If you export the address books, you're going to see the detailed information, in this case including the path, the username, the user ID and the password, which will be exported in plain text in the address books. In this case here, this turned out to be a domain admin cred. So we have an IT manager, literally the director of IT, who was hacked. He was mad. He had put all this effort, all this time, years of hardening down his environment, and it all came to naught because of a Canon printer.

We've used this hack on literally dozens and dozens of companies. Most of the time they don't put a domain admin cred in there. The functionality on the Canons that you typically see in there is associated with scan-to-file functions, so the user comes up, he authenticates himself to the printer, he does a scan, and it stores it somewhere. In this case it was a global scan, so it would save it anywhere they want, using the domain admin creds. A lot of times you'll see those set up for individual users, where it'll actually save the scan file to their workstation, and a lot of times that'll be the local administrator account on the local workstation, or it may be their individual user's account. So those are the types of information you get out of that.

So I want to look at the Canon MFP a little closer. As I mentioned on the Canon... well, I didn't mention this on the iR, but there's no default password set on the iR devices. You force-browse to gain access to the address book, so if there's a password you can force-browse to get access to the address books, and by default the address book exports the passwords in plain text. Pretty straightforward. Move forward a few years to the Canon iR-ADV devices. It's new stuff. After I published all this crap they came back and started fixing stuff. In this case here you can't force-browse on the new ADV devices. They've set a default credential, so the administrative access is 7654321 with a password of 7654321, which, as you've seen with the hands that went up earlier, 90 percent of the people in this room will not change. Passwords are not exported by default in the address books; that's another change. And if they are exported, and you're able to export them, they export them encrypted by default. They'll ask you for a password during the export and it'll encrypt those passwords. Yes, sir? [inaudible question] That I don't know, but as you see it really doesn't matter. I'll show you in a second.

So here we are, we've got a Canon iR-ADV device, this is a 6055. Password is 7654321. Okay, now we're into the device. At this point we click on Settings/Registration, which takes us to this page here. If we go ahead and click on Set Destination, Address Book Export Settings, this is where you enable exporting the password in the file. You check the box, you save that data out, then you come over here and you come down to Data Management at the bottom here. You click on Data Management and you can do an import/export of the file. So here is the actual POST job going out, and as you can see nothing really changes here. Okay, it looks similar to what I showed earlier. We go ahead and click on it, and now we get the password, and it's encrypted, and of course they base64 it because it's binary, unprintable, and it goes out that way, and that's how it stores it. So there you have that.

We'll step back a little bit. We look at this whole POST process, and if we look down here it says "encode mode." The other one said encode mode 2. You change it to encode mode 0 and now we get the password in plain text. Okay, so we're still able to do this, and we've used this like three or four times in probably the last month, because everyone's buying all the new printers.

[Audience]: These are IDs and passwords, period? Why is it not just going out to AD, passing the hash and then getting the response back?

Well, yeah, a lot of them do do that; they have Samba capability. I'm not sure why Canon decided to do this. I don't know their business model around doing this. I've tried contacting them; they don't always like talking to me, so nor are they going to give me their business processes around their mindset on that.

[Audience]: ...is a reason for avoiding it altogether?

Correct, correct. The fact is, if you do not change the default password on your printer and you integrate your multi-function printer with anything in your business environment, I don't care what the model of the printer is, I can steal your data off of it and get those passwords. Every model of printer. If we have time I'll show the method that we use for that at the end. Sorry I couldn't answer your question.

So we move on to pentest story two, kind of stepping off and getting away from the multi-function printer. In this one I wanted to gain access to the Cisco infrastructure of a corporate environment. This happened to turn out to be a bank, so I'm like robbing the bank, okay? It turns out that their Cisco was the only thing we didn't easily get access to on this typical pentest. We had domain admin in 60 minutes once we plugged into their network, a really crappy network, and they're like keeping somebody's money safe.

So here are some methods you typically use, at least I use, during a pentest to gain access to Cisco devices. One way, if they're actually using AAA and they've tied it into their Active Directory, is you just steal their network administrator's ID, because you're already domain admin, and you use that to log on to the devices. That's one method. In this case they weren't using AAA, so the accounts were all local to the device. Another method you can typically use is you look through the file system and you find their stupid backups of all their config files. You pull those out, then you look in them and you find password 7, you reverse it, and now you're into the device. We couldn't find those for some reason; apparently they weren't keeping backups, ha ha. So the next thing is just the SNMP private community string. If you have a community string for a Cisco device, you can pull a running config off the device remotely. There are many tools out there to do that. So that's the method we're going to use here. So how are we going to get that?
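Added editorial example, not code from the talk or from Praeda: the "password 7, you reverse it" step above, applied to a running config of the kind the community string lets you pull. IOS type 7 is reversible because every byte is XORed with a fixed, well-known key; the decoder below takes a config, tracks which section each `password 7` line sits in, and also reports `enable secret` hashes (which are not reversible) and any `snmp-server community` lines, since those are the same strings the next story turns on. The sample config, its hostname, MD5 hash and community names are constructed.

```python
"""Reverse Cisco IOS type-7 passwords out of a running config.

Editorial example added to the talk page, not code from the talk or from
Praeda. It walks a config the way the bank story describes: running-configs
pulled with the SNMP private community string, then every 'password 7'
line reversed. The XOR key below is the fixed one IOS uses for type 7; the
sample config, its hostname, hash and community names are constructed.
"""
import re

# The fixed key behind "service password-encryption" (type 7). Type 7 is
# obfuscation, not encryption: each byte is XORed with key[(seed + i) % len].
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """'060506324F41' -> 'cisco'. First two digits are the key offset, rest is hex."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type-7 string: {encoded!r}")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode("ascii")


def encode_type7(plain: str, seed: int = 0) -> str:
    """Inverse of decode_type7, useful for building test vectors."""
    data = plain.encode("ascii")
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


PW7 = re.compile(r"^\s*(?P<ctx>.*?)\bpassword 7 (?P<enc>[0-9A-Fa-f]+)\s*$")
SECRET = re.compile(r"^\s*enable secret (?P<type>\d+) (?P<hash>\S+)")
COMMUNITY = re.compile(r"^\s*snmp-server community (?P<name>\S+)(?:\s+(?P<perm>RO|RW))?")


def harvest(config_text: str) -> dict:
    """Collect reversible passwords, non-reversible secrets and community strings."""
    found = {"type7": [], "not_reversible": [], "communities": []}
    section = "global"
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():          # a top-level statement starts a new section
            section = line.strip()
        m = PW7.match(line)
        if m:
            where = section if line[0].isspace() else (m["ctx"].strip() or "global")
            found["type7"].append((where, decode_type7(m["enc"])))
            continue
        m = SECRET.match(line)
        if m:                              # type 5 (MD5) and newer: crack offline, no shortcut
            found["not_reversible"].append((m["type"], m["hash"]))
            continue
        m = COMMUNITY.match(line)
        if m:
            found["communities"].append((m["name"], m["perm"] or "RO"))
    return found


# Constructed running-config excerpt (hostname, hash and values are invented).
SAMPLE_CONFIG = """\
!
hostname core-sw1
!
enable secret 5 $1$abcd$ThisHashIsMadeUpForTheExample0
enable password 7 060506324F41
username admin privilege 15 password 7 097F4B0A0B000343584D
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 password 7 140106121C053938
 login
!
"""

if __name__ == "__main__":
    for where, pw in harvest(SAMPLE_CONFIG)["type7"]:
        print(f"{where}: {pw}")
```

The `enable secret` line is listed separately on purpose: a type 5 hash has to be cracked, while every type 7 value in the same file falls out instantly, which is why the talk calls type 7 deprecated.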

Well, it turns out that this organization liked using SNMP, so they integrated most of their embedded devices with SNMP capabilities so they could monitor them. So they're at least trying to do something vaguely right, for whatever reason, I don't know. But it turns out, here, this happens to be an APC PDU. What's the username for an APC PDU? What's the password? There you go: apc, apc. So now we're into this device here. We come over, we click on Network, we come down here to SNMP strings, we take a look at it, and wow, look what we got. We got the public and private SNMP strings for this device. Guess where they use that? On everything, because it's simple. So now we took a lowly, stupid APC device and it gave us access to everything in their environment. We were able to pull the running configs off all their major Cisco devices, and it turns out that they were also using password 7. If anyone's familiar with configuring a device, that's deprecated; you don't want to use it. It's a fixed key, so you can revert it right back to the password. So now we had administrative access; we also had enable mode access just by extracting these running configs. So you can see how the progression goes: these devices are used to get a foothold to move through the environment to compromise critical systems. Game over again.

[Audience comment, inaudible]

Yeah, that's the ultimate fix, and this applies across the board for any kind of embedded device, whether it's a password or whether it's a community string: you don't want to use the same strings for things of different security levels. My firewall is a different security level than my network camera or an APC PDU device or an APC UPS device. They're different security levels, so you don't want to use the same password. That's like the guy you hire to sit at the front desk and answer the phones. He has network access, but you don't give him the domain admin password and have him set his to the same as the domain admin password. He's a nobody. Somebody compromises his account, they could use that password and eventually get to a domain administrator just by replaying the password. It works the same way with all your embedded devices.

[Audience]: Just a point for everyone in the room, though, on APC and its competitors. I've built out rooms within a room for data centers, you know, the hot aisle containment solutions and stuff like that, and I've done them from multiple vendors, APC being one of the go-tos. This is your weakest link. This is one that you can find on every single audit, because APC and these other competitor vendors like Liebert and all haven't addressed it yet. APC, Liebert, yeah, Tripp Lite, all the same. Exactly. We think about it as a stupid PDU, and guess what, you can have all the security in the world, and the ultimate denial of service is just like what happened in Louisville, over in Australia, a couple of weeks ago. If I've got the ability to get into your BMS, or more importantly into your PDU management system, with read/write strings that are less secure, I can literally shut down your entire data center or your critical components. It doesn't matter, whether it's a firewall or whatever, I just shut them off.

Yeah, that's a good point. I usually don't do that when I'm on assessments; people have a tendency to get all hacked off. But yeah, denial of service, and all APC, all these vendors, majorly have default creds on all these devices. I walked into a room that had an APC device that was eight feet by four feet by six feet tall, powered the entire data center, and the password's not apc on these high-end ones; they use something different. But at that customer site it was still the default, so literally I could shut down the entire data center completely. So yeah, these little devices need to be paid attention to, and this is something I've been preaching for three or four years. And you know what the amazing thing is? When I started talking about this at conferences, about two and a half years ago, when I went on an engagement we leveraged this type of data to gain a foothold about 25 percent of the time. Since I've been preaching about it, I gain access now probably 60 to 70 percent of the time. So it's actually getting worse. People are actually starting to figure out that, you know, "I paid twelve thousand dollars for this printer; I can do more than print with it," so they start integrating them into the environment. Which is another complaint I had: why pay twelve thousand dollars just to print?

So we move on to pentest story three. In this one we wanted to gain access; we don't get domain admin, but the goal is to get some kind of foothold. Again, most systems were well patched, the network was well segmented, which was a good process in place, all users had complex passwords, literally they were forced to like 12 characters at this company, full Windows 2008 / Windows 7, and users did not have admin rights to their machines other than IT department people.

Okay, so then we move on to an interesting thing. We're dealing with devices, a lot of multi-function devices; literally all of the newer multi-function printer devices have the ability to do LDAP authentication. So when you go to one of these printers, it communicates to the LDAP server and the LDAP server sends back the results. So what do we like to do, and this is the attack that works on every system, every one of them, 100 percent: we come in as the evil attacker and we log on to the printer with the same default password, and we just change the IP address for the LDAP server, so instead of it pointing to the actual LDAP server it points back to us. Then we go ahead and trigger an LDAP lookup, and it passes the password to us in plain text. We've used this on, I lost count, every large printer that I found LDAP configurations on; we've been able to use this.

This was kind of interesting. Years ago, when you would go into the configuration page for an LDAP server, you could just look at the source of the page and actually see the password. So their goal to fix that was not to put it in the source. Brilliant. But what they did was they let you change every other setting on the page without changing the password stored on the device. If they would force you, every time you change the IP on the device, to change the password, they would delete this problem, make it go away. But they don't do that.

So, things you can do with this, and we refer to this as a pass-back attack. If you go to the Foofus.net website there's an entire paper written on carrying out pass-back attacks that we released about two years ago. So you can do pass-back attacks against Samba; we can set up a Samba server and capture the handshakes, and if it's an LM handshake it's game over, because you can reverse that with a rainbow table. SMTP, POP3 settings will work for pass-back attacks, FTP, and LDAP. LDAP seems to be the most common one that I actually come across for being able to carry this out.

During this pentest we happened to find a number of Sharp multi-function printers. In this case here, if we look at this, this is a Sharp printer device. It's fairly straightforward. As you can see down here there's a checkbox called "change password," so you have to check that box to change the password. Other than that, you can alter everything on this page. We can literally change the authentication type. The screenshot here happens to be anonymous, but this can be changed. I believe a lot of them have NTLM, so they'll do those types, Kerberos; they also have plain text. So even though you configure it to use NTLM or whatever, all I do is change it back to plain text before I run my attack and it's going to give it to me in plain text.

So again, like I said, we change the IP address. We can change the port. I always like the idea of changing the port, because I don't like always running something like netcat with superuser privileges on my Unix box, so I run it at like 1389, and that way I don't have to run this as root. Change the authentication type to be plain text, easy enough to do. Set up netcat as a listener, select Test, save that, and trigger the printer, and this is what you get. Your netcat connects up, and if you break this all down you can see we get, in this case, the domain, the username and the password. The question mark breaks up the domain and the username, and the username from the password, and the password ends with the 0B. That happens to be on a Sharp; it varies from device to device. It's not always 0B. I know on the Sharp it does, but I can't validate it on the other ones because I can't remember.

[Audience]: Why aren't they enforcing use of Kerberos? I mean, literally...

If we go in and force the printer to only do one thing, the people that want to use it aren't going to use it, okay? So we have these features, so not every environment's the same. Not everyone has configured Kerberos; not everyone's configured the same way. So these printers need to be configurable. But remember, in my opinion it's not the vendor's responsibility to take care of your stupidity, okay?

[Audience]: And where the stupidity is gaining access to these devices, the vendors' field service reps are coming out and configuring the devices...

Oh, I agree. I don't disagree. I mean, if you're paying somebody to configure something, they should configure it correctly. And then we get into the same thing when you buy a printer from a vendor, a local one. You're in Boston; you call whoever sells printers around here and you say, "Hey, I want to lease 50 printers for 50 offices," and they're going to maintain it. They're going to come in and maintain those, and they're going to change the password, and they're going to change the password to something that everyone in their office knows, and it's the same for every one of their customers throughout the entire city. So if you ever compromise any one of those... and we had that in an engagement where we went in and we noticed the printer was owned by a certain company that they leased it from. We went back to previous historical research that we had done from a previous job, where we kept notes of stuff like that, and then we used that to log into all their printers. And it's used everywhere, so all their employees know what it is, and that's all the employees that have quit, all the ones that have been fired; it's never going to change.

[Audience]: If they're really, really tricky, they'll still integrate something like the business name into the password.

Oh yeah, that's always a good one, putting the name in there. So typically when I'm on an engagement, if I hit a complex password and it's something like that, I usually don't waste my time. I move on; there are 50 million other ways to hack somebody.

[Audience]: So anything's better than nothing.

Exactly, anything's better than nothing when you're actually trying to secure these devices.

so in this case uh the game was not over the user creds that we got there were limited access so we typically weren't able to get domain ad privileges so we got to go from there so this is what we did uh what you what you can get with a user with no rights you can at least pull a list of users out of the domain you can enumerate the domain control and get a list of all the users and identify all the domain admin users in the environment to carry out tax against that's approved to users uh normal users and we can gain access to the file system where files where everyone has rights you create a user he's given the

rights of all users on the network so if you have share folders and stuff like that uh I now have access to that before we move on to this that created interest well let's let's go ahead and move on here so with this one here we had domain user rice we searched the file server discovered uh for password the word password into share folders We actually found a number of files containing the word password one of them happened to be sysprep okay well there's two ways to assist perhaps apparently used for rolling out uh window product type stuff uh and there's two ways to configure it you can configure syspreps so the password is actually encrypted or you cannot they

did not so we had the actual local administrator password for all the systems in the environment from there so from there what we did was we went back to our domain list of all the domain users identified everyone was domain admin one of the other things they did was they named the individual workstations after the user so now all they have to do is go okay John Smith is the domain admin so we go to this machine called John Smith we log on with this cred here we download WCE I don't know if anyone's familiar with WCE windows what I always get wrong when yeah when does credential editor and they got some new changes he used to be able to pull

the tokens with it that the token hashes so you can replay the hashes well they fixed that so with the dash W switch on a new version you can actually pull the password in plain text so here we're able to pull that domain admin user's password plain text on the device now uh game over so we're able to gain that access on another customer I was dealing with I had used this same attack against a printer that was in the payroll department and the user did not have any rights to anything it was used for the the the the the ldap cred stuff we we pulled gave us access to a folder in the payroll department

and it turns out that that same folder uh guess what a payroll department like puts in folders uh in this case they actually put the entire payroll database back up in the same folder so I was able to pull a large corporation with a thousand employees entire payroll system backup off on the my machine and strip all kinds of fun data out of it just because of a printer's ldap settings to any questions up to this point here so then we get to a tool called Prada I started working on this about three years ago and this is a slow process and the reason why it's a slow process is when I find a certain printer

device and I find that I can pull information off of it the right automation to pull that information off takes time and a lot of times when we're doing assessments I don't have time so I don't always get a chance to create modules so it's a slow process and we're going to look at some a little more detail that so Preta stands for plunder booty spoils Awards Latin the original name I came up with I won't say what it was it's pretty bad I can't even remember what the name was but it was kind of weird I I found this name well we I can't read that far 10 minutes okay so so I the original name I

came up with in Latin I turn around and searched on the internet to see what it was the name fit real Well the description in Latin but it turned out to also be a tool used by proctologist and everyone goes but that's like totally cool and I'm like nah I'm not even going there so we stuck with Prada uh the current version is and I consider this product beta even though it's been out for several years it's uh and we'll explain some of the shortcomings with it uh we're version 2.1 and the last part 72 is basically 72 devices that we can numerate data from uh we fingerprint the data uh using several things the title page on the web

because we do this all through the web mainly through the web interface part of it of the embedded device title page server type and S and P string you can pull Preta from GitHub right there it can actually describe it real quick it's made up of several pieces we have a dispatcher what the dispatcher does is it takes some kind of input IP input GM map input and it Compares it as it's touching each one of the devices against a flat file and if it has a match it runs the associated module for that device and pulls the data parses the data these are the switches and you can get this from the readme file easy enough so

let's kind of move on and we have the ability to take put IP input list so you can just take a list of IP addresses and say hey check these Port 80 or 443 or you can do a GN map input so I thought the GM map would be really cool and it works really good 75 percent of the time but I have noticed on a couple engagements of devices on the network that nmap will actually set them say that they are some form of HTTP when in fact they're not so when this thing hits those instead of just timing out it holds the connection so I'm trying to work out that bug right now

but I found out if you just Purge all the windows boxes out of the list that problem about 99 goes away but I need to work out those details I haven't had any problems with the IP address and ports so you can just parse a a nmap scan and grab everything it's 80 and 443 and 8080 that you know is actually a device and feed that in it'll work fine so the output of this is a log file a web host data the log file contains all the discovered data the web host contains all the fingerprint information which is really cool because then you can go back and look for other devices on the network and we'll show this to

you so let's kind of move over here real quick okay

Okay, so if we look at the actual output data, let's go ahead and vi this. This was a real engagement that we extracted data out of, and you can see it goes through. In this case it was a Sharp printer; it pulled the actual passwords. Here are some SNMP strings that were pulled from a device. I think if we come down here too,

there's a device that happens to be an Integrated Remote Access Controller. It actually checks for default creds, so we have a lot of embedded devices where we just validate default creds, and we have some that'll validate default creds and then pull in SNMP data. I think a lot of devices have the SNMP data, but if I haven't found one with it enabled, I'm really not much for reconfiguring a customer's devices just so I can write my own code, so a lot of it's still a growth process in building this tool. As you can see, it goes through and shows the ones that failed, showing that they actually... and it's

usable data: you want to know which ones are actually possibly configured right and which ones are not. And the SNMP strings: this last engagement, I was in town working this week, and we ran this tool and were able to pull SNMP strings which gave us access to all their Cisco devices. We were actually able to pull passwords from a number of devices that gave us access to Active Directory also. So probably in the last four or five months, on internal engagements, I've been hitting a 100 percent success rate with foothold data gathered from this tool here.

And the other one, let's kind of look at this real quick, the web host file. This is the one that just shows all the fingerprint data that's taking place, so you can see all the different devices I've touched on the network, and you can easily look through this and look for data of interest where you can manually do some of the stuff I'm talking about even if there isn't a module. You can quickly spot devices that you can carry out attacks against, and then I encourage you to write modules. Look at some of the Perl modules we have here: if you find a device that does basic auth and then basically has SNMP stuff, if you look at the module ma0016 you could literally change the basic auth creds and the input creds for the SNMP string, like four fields in there, and get that running first time every time. So a lot of those can be rewritten or modified and used that way. So you can see we can identify a lot of usable data on the network.

Looking at Praeda itself, you see the structure here. We have the data file that I mentioned, which is basically the information that's validated or fingerprinted against. So it checks your device, and it comes back with three possible pieces of information: the title page, the server page (that's one that's used for the fingerprint), and the other one is just the SNMP string. So we're doing both of those, and it compares these to the first field. Like if we come down here, the HP LaserJet right here, look at that: it'll look at the server type, and if it gets a match on those it'll actually run this job, mp0001, and then write the data out to the log file. So you can see we have tons of devices, a total of 73 new devices. The Canon that I just described to you earlier, we wrote modules to actually pull all that, and all these different versions of the Canon devices, so we've been getting a little more fancy. And then down toward the end we see the ones that start with the A; these are actually embedded devices, so we can see that we're pulling the power check. I think this is a Tripp Lite, this one is the Emerson Liebert device, and then we've got various other devices, and we're pulling SNMP strings on a lot of these.

So we're almost done here. Any questions? Any questions at all, any positive or negative feedback, anyone find this useful? Okay, good. Yes sir? (Question: have you been able to pull interesting data off some of the storage on these printers?) Yeah, that's an interesting take. I have not done that yet. There are a lot of printers that actually can be used to store data, and I've talked to a couple of people about possibly adding to Praeda an option where you enable that option, because I don't want you just dumping, you know, 20 gig of storage on someone's device, but if you want to do that. The only thing I do here that's kind of weird and similar to that is, you know, these small HP OfficeJet printers, the cheap 200-dollar crappy things you use in your house. I'm finding those throughout corporate America now: people are buying them and putting them in their office because they're too lazy to walk 10 feet out of their office to get the print job. These things have a scan bed on them. It's really nice: you can throw interesting stuff on there and scan it, and since it's a little personal printer, what do you do? You leave that crap sitting on the scan bed. So there is a module in here: if it identifies those, it'll trigger the scan bed remotely and send you a JPEG of whatever is sitting on the scan bed. That's probably the only information-style gathering like that.

We also just released a paper not too long ago on attacking Xerox WorkCentre devices; check that out. This is basically where the paper will give you entire instructions on where to go to get the firmware packages, how to extract the DLM build software out of their firmware packages, and how to build your own firmware that won't change anything on the device but the run or trigger mechanism. It leverages that to create a bash reverse shell back to you, so you get full root-level privileges to the printer devices, and from there you have access to everything. And their default PINs, passwords, are 1111 for most of the WorkCentres; there are some that are 2222, and then some that had an extra one or whatever. But this attack I'm talking about, I've actually written my own job so if you change your password, and this covers probably over 50 percent of the brands of Xerox printers out there, I wrote my own firmware package that all I do is send it to port 9100, and it creates a new URL on the web interface called, whatever the root is called, praeda.txt, that'll actually output the administrator password in a file for me. So even if you change your password, all it is, I send the print job to it, it creates a file at the root of the server, I pull your password, now I have the full password to the device, and then I send another print job and it gets rid of it for me. So yeah, the whole firmware upgrade thing is a print job. I literally use port 9100, which isn't protected, and I can do anything I want on the device with root-level privileges. Yes sir?

Oh gosh, you see some bizarre stuff out there. Energy management systems that control temperature control systems and stuff are kind of interesting. Cameras are kind of interesting, getting useful data off cameras: people just plug them in and never really change anything on them, so I think I've seen SNMP strings on those a few times. That would be fairly interesting: if an organization is really proactive in SNMP-managing stuff that's on their devices, then, you know, game over most of the time, because they're never proactive about actually changing the default passwords. But yeah, cameras are kind of interesting. So the one list, the web host list, where you can just look through and go, hey, what's out there, we've had all kinds of fun. I remember going through there and going, what's this device here? The guy went out to it and it turned out it was a camera system at a bus stop, okay, but it had microphones tied to it too, so we started talking to the guy who was at the bus stop, and he's freaking out trying to figure out what's going on. So yeah, there are a lot of interesting devices out there, and I expect to see, as you mentioned that device, more and more strange devices become apparent on the network that are accessible to do strange things with, so that ought to be interesting in the near future. And of course, this is all based on the fact that everything that's ever made anymore has a web interface on it and a web server. Everything: if it plugs into the network, it has a web server on it, and that's what this whole attack is based on.

Yes sir? (Question: is it maintained by an individual or a group?) It's basically, like I said, a slow process. I maintain it; I will continue to maintain it until I drop dead or quit doing this. I wrote it, so yeah. It's our team; our team maintains it. I'm the only one that seems to be creating modules; there are a couple of modules in there that have been created by other people. So if you have devices on your network and you can write a quick Perl script, Python, I don't care what you write it in, I'll convert it over to fit this. If you can write a script that will actually pull usable data off any kind of embedded device, send it to me, I'll rewrite it and put it in here, or write me one in Perl. I've had a couple of people generate modules, so it's a project where everything's filtered through our team before it goes into the thing, because I want to check and make sure it's okay, but everyone's encouraged to get involved, especially if you do assessments and pen tests and stuff. It's a tool that actually speeds things up for most pen testers. How many people do we have here that do pen testing type work? Okay, so we've got a number of people, so I encourage you to give it a try. If you don't like it, tell me why, let's fix it, help me fix it, because it's a tool for all of us.

Yes sir? I do a lot of hospitals, but I have not added any of those devices to this. I have seen them, but unfortunately I found out there's never any useful data on those, so they never integrate them; they just plug them in. The only devices that intrigued me were the ones that were wireless, that I could actually pull wireless data off of, the wireless codes, the keys, things like that. That intrigues me because typically, if the thing was actually put together by the networking department, it's probably going to match other keys and other key systems, which is the ongoing issue. So I think I've kind of overrun my time. I'll be here the rest of the day; feel free to hunt me down. Thank you very much.
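As an added illustration of the fingerprint-then-match flow the talk describes (title and Server header compared against a data file of signatures), here is a small Python triage script that is not Praeda's code: the rule patterns, IPs and HTTP responses are constructed, and the point is the defender's use, inventorying embedded web interfaces on your own network so they can be checked for default credentials before an assessor does.

```python
import re
from typing import Dict, NamedTuple, Optional

class Fingerprint(NamedTuple):
    ip: str
    title: str   # text of the HTML <title> on the device's landing page
    server: str  # value of the HTTP Server header, "" if the device sends none

# Constructed rule table in the spirit of the data file the talk describes: the
# fingerprint field to check, a regex, and the device class it identifies.
# These patterns are illustrative assumptions, not Praeda's real signatures.
RULES = [
    ("title",  r"\bHP LaserJet\b",                     "HP LaserJet printer"),
    ("title",  r"\bXerox WorkCentre\b",                "Xerox WorkCentre MFP"),
    ("title",  r"Integrated Remote Access Controller", "server remote-access controller"),
    ("server", r"^Liebert",                            "Emerson Liebert environmental unit"),
]

def fingerprint_response(ip: str, raw: str) -> Fingerprint:
    """Extract the title and Server header from one raw HTTP response (CRLF framed)."""
    head, _, body = raw.partition("\r\n\r\n")
    server = ""
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    title = re.sub(r"\s+", " ", m.group(1)).strip() if m else ""
    return Fingerprint(ip, title, server)

def classify(fp: Fingerprint) -> Optional[str]:
    """First matching rule wins; None means the host is not a known embedded device."""
    for field, pattern, device in RULES:
        if re.search(pattern, getattr(fp, field), re.I):
            return device
    return None
def triage(responses: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each host to its device class (or None) so unmanaged embedded gear stands out."""
    return {ip: classify(fingerprint_response(ip, raw)) for ip, raw in responses.items()}
# Constructed sample responses; the IPs, headers and titles are made up.
SAMPLES = {
    "10.0.0.5":  "HTTP/1.1 200 OK\r\nServer: EmbeddedHTTPd/1.0\r\n\r\n"
                 "<html><head><title>  HP LaserJet\n 4250 </title></head></html>",
    "10.0.0.9":  "HTTP/1.1 200 OK\r\nServer: Liebert-Web/2.1\r\n\r\n<html><title>Monitor</title></html>",
    "10.0.0.20": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n\r\n<html><title>Intranet</title></html>",
}
if __name__ == "__main__":
    for ip, device in triage(SAMPLES).items():
        print(ip, device or "unclassified")
```

Hosts that come back as None are ordinary web servers; the classified ones are the embedded devices whose default credentials and SNMP community strings deserve a review.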