
Social Forensication: A Multidisciplinary Approach to Successful SE

BSides KC · 2019 · 49:54 · 41 views · Published 2019-06 · Watch on YouTube ↗
Speaker: Joe Gray
Style: Talk
About this talk
This presentation outlines a new twist on an existing social engineering attack. In the past, we have worked on getting users to plug in USB devices to drop malicious documents and executables. While this attack sometimes proves our point, it is the tip of the iceberg of what can be done. Enter Social Forensication. This is a two-pronged attack, consisting first of collecting a memory image for offsite offensive forensic analysis, the second being a rogue Wi-Fi access point attack. During this presentation, we will walk through the steps to perform each attack. Since defense is just as (if not more) important as the attack itself, we will also discuss mitigations (technical and procedural) and relevant Windows detections for these attacks.

Joe Gray
Joe Gray joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoiler: taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading. Joe is an IBM Recognized Speaker/Presenter.
Transcript [en]

Let's grab a seat. So, you guys are local? Awesome. So you guys probably don't know this gentleman. I got to meet him a couple of years ago; I sat in hysterics watching one of his talks. Awesome. He's a Navy veteran, a submariner, and a prolific social engineer as well as red teamer. This is one of those citizens to watch. But anyway, great.

All right, so welcome to Social Forensication. This is a multidisciplinary approach to social engineering. Before I get started: the thoughts and opinions I express are not those of IBM. I say this because, though I don't admit it, I'm a Senior Security Architect at IBM. About me, from the social engineering perspective: I'm the 2017 DerbyCon Social Engineering Capture the Flag winner. I was on the third-place team last year at [unclear] in the OSINT CTF as part of the [unclear]; I'm going to be back there in about three weeks to try to win. I've got some certifications, I write for Forbes from time to time, and I started offering training through what I'm calling [unclear] Associates, so be on the lookout for that as well. I'm probably going to take the training on the road and not do as much online as I used to.

Because the Black Badge for DerbyCon was handmade and it took almost a year to make, it's very delicate; it doesn't leave the house, but there's a picture of it. So if it lights up, it's really blinking, it's really nice. And yeah, it's a shame that I'm not going to be able to black badge after this year, so if you run a conference and you want to accept this black badge, I would be more than happy to take you up on that.

This is the closing ceremony. Anyone who knows me knows I never shut up, but I was absolutely speechless today, so I figured it was worth capturing. So then, wading into this: we'll talk very briefly about the basics of social engineering, just to kind of level the playing field in terms of what social engineering is, and then we'll talk about some existing techniques; we'll see some familiar faces with regards to social engineering. And then we're going to talk about memory forensics and Wi-Fi attacks, and talk about considerations, execution, mitigations and detections as well, so I don't have to make any sacrifices to the demo gods.

So with that being said, social engineering, in essence, is human hacking. You're trying to influence, not manipulate, someone into doing something that may not be in their best interests. Those things could be performing an action: opening the email, clicking a link, executing a file. It could be giving you information: what was your mom's name before she was married, what's your password. Or, for anyone who's wondering, my Social Security number is 078-05-1120. If you Google it, you'll find out why I'm readily able to give that away: it may not be mine, it may not be anyone's anymore, and it's not the LifeLock one, I'll tell you that now. I'm sure all those cameras are onto that already, so I had to go

a little bit old-school with that. So anyway, with regards to social engineering, we've got various types. Social engineering is a very large umbrella that encompasses numerous things, so when we hear "social engineering" we have two schools of thought: one immediately thinks of phishing and vishing, the other thinks of someone wearing a black hoodie, sneaking in through the window, picking locks, dodging lasers with sharks and all that fun stuff. And this one really actually is more on the physical side, which is somewhere I'm not exactly as comfortable as I am with, let's say, phishing and vishing. It's worth noting that dumpster diving and baiting are also considered social engineering, but they're not really going to be addressed in this.

With regards to social engineering, there's a lot of complexity to it, unlike other disciplines within InfoSec like AppSec, for example, which is basically architecture, programming and security. With this, because the human element is involved, you have to take into account things like improv and acting when you're on a vishing call. And I'll go ahead and tell you: right after this talk I'm going to eat a very quick lunch, and then I'm going to come back to the stage and I'm gonna start calling scammers on speakerphone, and I'm gonna try to get some information out of them and waste their time, just because. But because we're interfacing with the human element, we're trying to influence humans to do things, we have to have a certain level of psychology associated with it. And honestly, as a professional, I would feel at fault if I didn't mention technical writing, because I don't care what role you're doing in InfoSec, whether you're a SOC analyst, red team or blue team or whatever, you're gonna have to do technical writing. You're gonna have to write reports. Someone may not read it, but you're gonna have to write it; it's the deliverable.

So, getting into the psychology of social engineering: this is all based on Dr. Robert Cialdini's six principles of persuasion that he outlined in his book Influence: The Psychology of Persuasion, I think it's 2006, and I'm going to go

through these very quickly through the lens of a car salesman. Those who took my class yesterday, you know exactly where I'm going with this, but I mean it's the easiest way to kind of explain it, because most people have dealt with car salespeople at some point.

So, reciprocity, sometimes referred to as quid pro quo: "You pay an extra five hundred dollars for this car, I'm going to take you for a steak dinner." "Sure, that sounds like a good idea. Where do you have in mind?" "I'm thinking like Morton's or Fleming's." When the car salesman actually tried that on me, he agreed to, I don't know if anybody here is familiar with Ryan's Steakhouse, which is [unclear]. I was like, "I'm not paying five hundred extra dollars for this. We're gonna go to Fleming's and I'm gonna get some of that expensive whiskey, even though I don't like whiskey. I'm probably gonna spit it out, but I'm gonna spend your money. I don't like caviar, but I'll probably try it; I'll probably spit it out too. I'll probably order a bottle of Dom Pérignon with a side of orange juice and just make my own mimosas." But anyway.

Commitment and consistency: we don't necessarily see this in car salespeople too often, because they are only focused on the right now; they're not focused on the long-term game. So if they were to do it, it would be someone that you've repeatedly bought a car from, and they're gonna say something like, "I've always done right by you, I consistently look out for you, I've even taken negative commission for you," or something to that effect. But where we really see it is in the long-term tech salespeople. And I mean, I'm not hating on CDW when I say this, it's just the only company that comes to mind right now, but somebody will work there, you move jobs, they see it on LinkedIn, they move to another company, and they're going to hit you up and offer you everything that they're selling there, whether it be the same or different. And that's the long-term sales game: if they stay committed and consistent to someone, it's expected that that person will continue to buy from them.

Social proof: a good case of this is you walk into a car dealership and you're trying to buy a Ford Taurus, and they say, "Successful people at your age are driving Mustangs or Z4 roadsters." It's like, no. When I ran into that, it was four days after I had flipped my RX-8. I walked away from it, so it was all good, but when they pushed me towards that Z4, I was like, "Here are pictures of my RX-8 from Monday that I flipped and walked away from. I don't want a convertible.

I'm traumatized." It made me feel like that Taurus was just beautiful; I don't normally go that route.

Scarcity, skipping authority for right now. But scarcity is the age-old "Hey, somebody just came in here, looked at this car, then went down the street to the bank to get financing, but if you can get financed before then, it's yours." Same thing, except they tried to put me in a Z4, or tried that. It was a Sunday; what kind of bank is this person going to?

Authority: let's say, for example, "Kim Kardashian drives this car." Okay, sure. Or "Donald Trump endorses this car." Not even gonna go there. The dealership that pulled this stupid stuff on me, they tried it too. I was looking at a Volkswagen CC. They come out, they've got the paper, they're trying to get me to sign the offer. I'm like, okay, cool, look at it; the number doesn't add up. It's like $2,500 off, not in my favor. And I was like, "Why is this higher than that?" "Oh, there's a problem with the internet pricing; the pricing on the internet is incorrect." Okay, so you're trying a bait and switch? Sure. "I need to see this itemized." "We can't do that." "Why?" "We just can't. We don't really do that." "Well, if you wanna make this sale, [unclear]." So I get up and I go to walk out. "Okay, well, we'll itemize it." So here comes the itemized list. GAP is on there; it had just saved my skin with the RX-8, so I kept cool. And then I see "warranty." I didn't ask for a warranty. "But this is a certified car; you have to buy a warranty." No, I don't. Number one, this is a Ford dealership; you cannot certify a Volkswagen. Number two, there's nothing requiring me to buy a warranty. "Oh, yes there is, it's a state law." I lived in Georgia at the time; I didn't know anything about buying cars in Georgia, except for the hustle itself. I don't know if there is a state law about it or [unclear]. "I'm genuinely curious, I'm going to find out about this. So what's the statute? What's the code for this?" "Oh, it's not published." I don't think this is how that works. Needless to say, I rage-quit. I walked out the door, and I may have created quite a few accounts to write some really scathing reviews about them, and I may have even been known, upon occasion, if I saw the specific salesperson that I was dealing with as I drove by, I may have shown him that he was number one. Anyway.

So, moving into the attack stage of things. I'm sure most of the people in here may recognize this upstanding gentleman. He was on a show on the Discovery Channel. He's known

to break into banks, sometimes the wrong banks; sometimes he drinks a lot of Diet Pepsi and has to pee really bad, and that sometimes leads to the wrong banks. But anyway, with him, with Jayson Street, he's been known to sneak into places and plug things in, typically a Rubber Ducky, not the one that Ernie brings with him, the one that Darren Kitchen is friends with. So with that, there's a lot of things you could do with it, okay, but typically Jayson stops right there at the point of the proof of concept, saying, "Hey, I've plugged this in; you are not secure." And it may send an email, and they send a shell back or something just for further proof, but it's nothing sinister.

So I love to take other people's research and build upon it and twist things a different way, just because, I mean, that's how we grow, that's how we learn, that's how we build defenses. It goes back to that whole thing where people say there's like three original lines of code and everything else is just plagiarism; I figure it's the same concept.

So for what I'm going to talk about, these are the things you need. We've got the external hard drive and a regular thumb drive on the top left and bottom right. On the bottom left and top right we have Hak5 products, one being the Bash Bunny, the other being a Rubber Ducky. They are very similar in nature: basically they inject keystrokes. That's how they bypass any endpoint protection, data loss prevention tools that a computer may have. So basically it connects to the computer and tells the computer, "Hey, I'm a keyboard," and it just types the things in. You script it in Ducky Script, and then you can put it on there, and it works like a champ. Other things you'll need for this vector: of course you'll need some sort of computer. You'll need Volatility; you could use Rekall if you so choose, no right or wrong answer there. And if you're going the free route, I would say FTK Imager Lite. There are a couple

of considerations with that: FTK Imager Lite supports only Windows; I'll address the other platforms later.

So for this attack process, basically we're going to gain access, and when I say gain access I'm referring to physical access. We're gonna roll in with a badge like this. It may say FireEye, CrowdStrike, Carbon Black; the company I used for all of this is called Legitimate Forensics Company, so it's abbreviated like [unclear]. So with this, you're a digital forensics consultant, and using these principles of persuasion, compounded with a little bit of fear, you can probably get someone to let you be on their computer. The key is, though, you don't want to do anything that's going to let them set off any alarms.

So the spiel I cooked up was: "I'm a forensics consultant with the Legitimate Forensics Company. We've been contracted by the company because malicious activity has been observed coming out of your network, and it's been observed going into your network. Your computer itself is not infected; you've done nothing wrong. I just need to check the system out and get a memory image, because one of the infected machines was observed communicating with this one, and we want to make sure it didn't move on." Now, is there really malware on their network? There could be. I mean, there are some sophisticated actors out there; there are a lot of people who lack basic security principles. There's a good chance there may be. But in this case, if you don't have anything specific, here you are saying things to the victim in a way that (a) you're not going to make them feel like they've done something wrong and get scared, and (b) you don't want them to raise any alarms and question you and ask anyone, "Is this legit?" I mean, I work for Legit Forensics Company; of course it's legit.

But anyway, you're gonna build the rapport. You're going to use the spiel. You might give them some compliments, talk about the weather. If you're around this area, you might be able to talk about the Royals, the Chiefs, barbecue, craft beer. If you're in Louisville, they're all about the bourbon, the craft beer, and there's a lot of foodies there; you can run with that. Something to build rapport, make them feel at ease, because here's the thing: you have to coexist and get along with these people for however long it takes you to gather your memory image. So if you're targeting someone with a very small computer, you're talking four to eight minutes; if you're talking someone with 12 gigs plus, you're talking close to half an hour or more. So you've got to break out of the whole antisocial, built-down-like-a-hacker-with-the-black-hoodie-and-the-sunglasses and all that fun stuff. You actually have to play along

with someone who can communicate. So if it's not your strong suit, you're probably going to want to rehearse that before you go in, and there's gonna be some improv involved with that.

So you convince them to take the image. That's in line with building rapport; those middle three pretty much should be stacked on top of each other, but that didn't make a pretty picture, so I left it that way. We acquire the memory image and then we jet out the door. So with this we don't want to be like the underpants gnomes. You never want to be like the underpants gnomes: you know your starting point, you know your end point, you've got to find out the middle ground, and that's what the whole building rapport, talking to the victim, gathering the image and moving on is all about.

So once you have it, you simply, I use the word "mount," which is probably an incorrect term, you plug in the drive that has the image. You can use Kali or you can use SIFT, the SANS Investigative Forensics Toolkit. You can use the Volatility modules; both platforms have Volatility natively built in. For my demos I use SIFT, because they have a more robust library of modules to use. I could have added them to Kali, but I'm kind of lazy sometimes, so I was lazy there. From there, to carry on like the underpants gnomes: pwnage. And we'll talk more about that later; I've got some recorded demos that'll show that aspect.

But in terms of gaining access, you might need business cards. You can use Vistaprint, you can go to Office Depot. To my knowledge, Vistaprint will not validate that you're an employee of anything; you can upload whatever you want and they will print it. I know for a fact Office Depot will not validate anything. Okay, cool, you go get business cards. Maybe they say you're Leslie Carter and the Orchid Drinkers, if you like. I had to do it. If you want an ID card, you've got two choices: running this guy down at a conference, like I've done, or a site like [unclear] ID card dot com. Again, I don't think they vet that you work where you say you work. The common running joke within the social engineering community is you can get into anywhere if you have a clipboard, so it's a good idea to carry a clipboard. Take a laptop. You're going to need the laptop anyway, especially if you're going to do what I'm going to talk about later. Or maybe a briefcase or a backpack to look more official. If you could pick up a company's briefcase swag at a conference like Black Hat or RSA, that's even better. Or better, you could say you worked at RSA if you had an RSA backpack. I mean, just thinking. But

anyway, you have that because, like, especially if you're using a Mac, you're gonna have to have like seventy-four point nine dongles to be able to do most anything. And then you need a solid pretext. You might not want to roll in with one like this; depending on how much knowledge and how mature the organization you're attacking is, this may go over well, it may not. People might just give you access to the computer, [unclear], I don't know, but this is here more as a joke.

But anyway, some considerations. The main consideration for gathering the image is whether or not the target uses DLP software, data loss prevention. And with that, DLP software typically will prevent any external storage device from effectively mounting, so you cannot write to it; sometimes you can't read from it either, depending on the platform. You can configure either or both. Then with that, if you're going to get the memory image, the person who's logged in, that you're using, either needs to be a local admin, and that's the major thing that I learned through this, I got a very harsh lesson in privilege escalation, or you need to be able to use some sort of PowerShell script like PowerUp or PowerSploit to be able to escalate your privileges. That's going to take a little bit more time, and the reason you have to have the privilege escalation is because to get the memory image you have to be admin. I thought there may have been a way around it whenever I originally cooked up this idea; thus far I've not found anything. I'm continuing to research that. But anyway, you need to prompt the user, or you get the privilege escalation. If you don't succeed at either of those, I've got another thing you can do here in a little bit that also involves a Rubber Ducky, that is almost as sinister. Then you get the image and you walk out the door.

If they have a DLP, you can't just use a regular thumb drive; you pretty much have got to use a Ducky or a Bunny. You follow the same thing. You have to write this stuff in Ducky Script, which is a little bit challenging to learn, but once you get it down it's not too bad. There's actually a really good repository of existing Ducky Scripts out there that do a lot of fun things, so I created one. It's on my GitHub, but it's kind of similar to some of the others that are out there. For this you'll also need to flash the firmware with a thing called Twin Duck, which will actually allow you to use it as a storage device. DLP may stop that, depending on how it's configured, but in all, it probably will not. And then the other steps: privilege escalation, gather the image, walk out the door. So with doing

this we need some OSINT, because better OSINT makes better social engineering, right? So we need to look at Layer 8, not the conference next month, but when you do look at the human element, we need to look at how the culture of the organization is. We need to find out: do they have a culture of security, or do they have what I call chronic Number 17s? There's a Discord group, or Slack group, I'm a member of, and we've categorized several personality types, and Number 17 is the oversharer. Doing OSINT, I like Number 17s; they're always good for that. They tell you everything. You can find out where they eat every day of the week, at what time, all that fun stuff, and then they will typically vent about work on social media, and quite frankly, more often than not, they don't have privacy controls in place on anything.

Furthermore, you're going to scour career pages, LinkedIn, other platforms as appropriate, to ascertain which operating system they're using, because with that you're going to need connectors and dongles, and certain software will work with certain platforms. Find out if they're using DLP. You can find that via the career pages, LinkedIn. You may even be able to find it using something like DNSDumpster, HackerTarget, Censys, Shodan, Netcraft, something like that. If they've got something that's public facing, in some cases it'll be in their DNS records. I don't consider Proofpoint to be DLP, but you can identify when someone's using Proofpoint solely from their DNS records. Furthermore, can you find out about any antivirus or EDR solutions that they're using? Because if you're going the privilege escalation route, you're gonna have to bypass that, and if you can find out what it is, you can test it and eventually find a way to get past it.

User: you want to try to target someone who's a local admin. You don't want to go for IT, because they're gonna know if something's happening. You probably don't want to go with someone in purchasing, because they're going to have knowledge of the contract. Sales might be a good one. But you also don't want to go for someone that has too much memory, like if you're targeting video editors, or someone that's got 64 gigs of RAM; you probably don't want to target that, factoring in the time to collect.

So your limitations: again, it will be the user and the user's permissions. Their vulnerability management posture will certainly be a factor as well, from the privilege escalation perspective, if they don't have local admin. And then the time. I had quoted that as hours; I meant to update that on the slide, but I didn't. So it's two and a quarter minutes for each gig of RAM. I tested it on a VM with two gigs; it took me four and a half minutes. I tested it on a physical machine with twelve gigs; that took me right at 26. So at this point we've come up on a demo, so let me mirror my displays.

So this right here is a clip running PowerUp on a clean VM. Nothing's installed, no services are running. It's going to fall flat on its face because it's as vanilla as can be. It's a short demo. So in this case I'm using PowerSploit. So you see, there's the default username; it's looking for some things; it's not having much luck. So that was pretty much that; there's nothing there. So that just goes to prove that there has to be something to use. For whatever reason I shifted off of the mirrored displays; here we go.

So this is PowerUp on a dirtier machine that I just had sitting in my house, that I've neglected for some period of time. So as we see here, we're finding all sorts of things, like unquoted service paths where you can do injection. With that, there are a few opportunities for that type of stuff. And with that, know that this process takes a lot longer than this demo did; I actually cut a couple of things out that were just waiting and stalling, and I sped it up just in the spirit of timeliness. So with regards to that, you've got that from that perspective. One of these days I'm going to swipe the right direction.

So, to actually get the memory image, this is just showing, if I can find my cursor, wherever it may be... there it was. Any other day... let me go back here and... in the drop again. Okay.

Alright, so this is just showing running FTK Imager. There is the admin prompt. There it goes, running for this specific host; this is the one that took about four and a half minutes. You can get it to collect an AD1 file, a MEM file and the pagefile; there are all different ways that you could analyze it forensically. So basically what we're doing, this is more [unclear] than forensics, and in doing so you can do it in various formats, AD1 being a proprietary format from the company that actually makes FTK Imager. So we go back to the PowerPoint on my end. Alright, here we go with that.

So, Volatility. Volatility is an open-source memory forensics tool. It's developed by a bunch of nice people down in the Louisiana area. There's also Rekall, which is now maintained by, I believe, Google. It was originally a fork of Volatility, so it started with the same source code; it's now built into Google Rapid Response. So if we were talking about a blue team type subject, you could have GRR installed with agents and collect live memory on the fly. But for this we're using Volatility. It's native to SIFT and Kali. I like to use these environment variables; it makes my life easier, just so I don't have to define them every single time I run it. So: export VOLATILITY_LOCATION=file:///path/and/filename, and yes, that is three slashes, it's meant to be that way; and VOLATILITY_PROFILE. And the syntax has actually changed for the Windows 10 thing, so whenever you're actually collecting the memory image you need to open System and find out which version of Windows 10, because it's going to be Win10 underscore version number; they cut out that x64 part.

So regarding that, there are a lot of useful modules in Volatility. So the second one on the left, I think most of the people in this room may have heard of that: Mimikatz. You can actually execute Mimikatz from Volatility on a memory image and extract the passwords. There's an

asterisk: with the version of Windows 10 that I tested it against, it did not work. It does work against Windows 7, though. But as things always go with Mimikatz and with several other tools: they find a way, they publish their research, the attackers eat it up, it runs wild [unclear], and then Microsoft fixes it, and then they have to find a new way. So it's like the constant battle of good and evil, although is anyone truly evil with this?

But anyway, you can do things like hashdump, if only one could pass the hash. imageinfo, that's going to give you details about the system; it's going to tell you the version and all that, if you weren't able to get it from looking at the System menu in Control Panel. You can get it here, but it's a very time-consuming process; I recommend running it and going to bed. So you can do that, and it takes like... connscan, that's going to show you the connections, basically the equivalent of netstat. You can look at history from Internet Explorer, Chrome, Firefox. netscan will do something similar to connscan; I believe connscan is for XP and older, netscan is the newer one. You can see what's in Notepad, it can take screenshots, you can dump it into a timeline, that's more of a forensics thing if you're trying to do an analysis. You can look at the services, and you can see what was input into the command line via cmdscan.

So there's a lot of things you could do here, maybe not necessarily to get maximum pwnage, if you will, but you may be able to get some creds, you may be able to understand some architecture, you may be able to enumerate the services that are running and understand the user behavior. You could, for example, if you understand their browsing history and maybe what's typed into the command line, you could probably construct a good phish that they may fall for, that would actually work. If you know that someone

in accounting spends a majority of their day looking at elegant ladies' handbags, not that I've ever seen anyone's browser history say that, you might be able to send them a coupon to Macy's for some elegant women's handbags. You never know; you have to find out what their definition of elegant is, but that's another conversation for another day.

But anyway, back to the limitations. FTK Imager Lite, as I said, only works with Windows. You can use Rekall with Mac, and for Linux there's a thing called LiME, all of which are free and open source. The operating system: Windows 7 is a cakewalk, XP and before, basically Windows 7 and older are cakewalks. 10 is a lot more difficult. There are plugins for Mac and Linux, but they're not as robust, and I don't have much experience playing with them, so I didn't want to include them in this. But then the other thing is, if you're doing this in the sense of consulting, as with everything: time. How many billable hours can you afford for this? How much time is the adequate amount of time to analyze this before you move on and just [unclear]? Because, I mean, to be honest, given an infinite amount of time anyone can break into anything. Given the time, there's always a way.

So we're coming up on the next demo, which will involve Volatility. So this is Volatility on Windows 7. I've got [unclear]; I lost my cursor again. One of these days I will actually have a cursor I can find. So this is just about a one-minute run. It's even showing how terrible I am at typing sometimes, but basically this is just showing how easy it would be to actually run with one of these systems. So, showing Mimikatz: there's some passwords, somebody had a password, "um, done." There's some network connections. There's some stuff that's been put in on the command line. Processes, here's the process list. Now we're going to look at some DLLs, so if you want to try some further, like OSCE-level exploitation, process hollowing, here you go for that. This gets a list of the loaded DLLs. So now we're going to dump some certs, so you might be able to misuse one of those potentially. Lots of that, and that's it for that one.

Now on the flip side, here's Windows 10; here's what we're pretty much not able to get. So, same thing. This one's a little bit longer, but we get a lot less out of it. So this was against 10586; that's the Windows 10 version. Mimikatz: nothing. hashdump: nothing. netscan: we get a little bit out of that, so that's something that we can work with. And keep in mind the system was incredibly vanilla, nothing installed,

so therefore that's why it's not showing very many processes, but this is even showing more information about those processes,

and now we're going to look at the SIDs, so we can see what users are there. Again, I apologize that I move so fast, but I didn't want to absorb too much time, because the focus isn't necessarily the Volatility piece; it's part of the Volatility piece, but it's also the gaining access and everything around it, with the considerations as well. So that's why I kind of sped things up. And this process, to do it correctly, took me about four hours per post, just because it's a very tedious process. Okay, so that's done.

So from here, moving away from the forensics perspective into, like, rogue Wi-Fi: why would we do Wi-Fi? Well, it's simple. You're already carrying a backpack so that you can gather this memory image, or you're carrying a backpack because you're going to attempt to collect a memory image and you may fail, so in doing so this is adding a second layer to it. And honestly, I'm not saying social engineers don't look at other disciplines like forensics and wireless hacking, but it's something you don't see as often. So I'm trying to, nonetheless, encourage people interested in social engineering and existing social engineers to broaden your horizons and look at building further attack vectors.

So, in doing so with a rogue Wi-Fi access point, you can do it very easily. You can buy an Alfa network card off Amazon for 30 bucks; you can get a really nice one that covers both the 2.4 and the 5 gigahertz for 59 bucks. For a lot more, you can also get a Wi-Fi Pineapple from Hak5 that does the same thing. But basically, if you want to do it without the Wi-Fi Pineapple, you can put it with a Raspberry Pi, the easiest council's storm kids, like the touchscreen Raspberry Pis that they have for their ethical hacking class, like yesterday; you can connect it to that as well, put a battery pack in, and you're virtually undetected as long as

you're not like Dark Matter and the Wi-Fi Cactus. I know when you've seen that picture; those who have seen the Cactus live and in the flesh know exactly what I'm talking about. It basically just comes all the way up, it's nothing bad, Sam. So with that you can do it, you can walk around. You can even get some preliminary information from a website called WiGLE, wigle.net I think it is; you can go there, put in the geographic location, and look at what wireless networks have been mapped there already. If you want to go further, you can actually get a GPS antenna, connect it to your device, and collect information to upload to WiGLE if you so choose. GPS antenna, I think $39

on Amazon, if I recall correctly; I don't remember what I paid. But anyway, you can do it. You could do it off your regular computer as well, but for remaining undetected you can do it with something that's so small it'll fit in a briefcase, a backpack, or if you want to really get what I would call simplistically sophisticated: some cardboard, tape it halfway across a box of doughnuts, and get like doughnuts on the other half. People will break their neck to talk to you to get the doughnuts, and you can just waltz right in. You don't have to lie about who you are, they'll just let you in to get the doughnut, and you can just get the

wireless right there, run the fake Wi-Fi access point, get people to connect. That's one perspective. Then, once you get them to connect, you can run your own proxy, you sniff out all their traffic, game over. Alternatively, if you could get into, like, a bathroom, like, I mean I don't really have, but like a breastfeeding room somewhere that you could sit for 15-20 minutes, you don't even really need that much time, you can throw up the antenna and run the full aircrack, aircrack-ng suite against it and gain access to the wireless network, and then just be able to sniff, scan, and do whatever. So it's really not that sophisticated, and the

suite, it's really easy. So I've got the final demo here that is of the wireless persuasion. I'll start out with this: this is the Ducky script that I wrote called Wi-Fi Stealer. So I'm gonna plug it into a Windows host, it's going to execute, and this was the best result of figuring out that I didn't have an administrator account in the simulated environment that I could collect memory from, so this is totally from a user account, and I mean it's pretty sinister. So it's just going to pop up, now we're going to see things start, there we go, there's the one-liner. So it's getting all the information, it's writing it into a text file, there's the text file, and

there's the text file. So it's saved it to the Ducky and it also saved it to the desktop, and right there we see the wireless SSID, "let's talk about hex baby", and it has open authentication, which does not mean that it doesn't require a password; it just means that you don't have to have any shared-key authentication with it, and then in the hex, that just tells FAC beep. So that's the one-liner you can get; it's on my GitHub, I've got a link to it at the end of the presentation. This is just too much fun today.

So, go back, that's the slide I was looking for. I spoke too soon about the demo gods; let's go this route, I'll show you. So what was the memory analysis, here we go. So this is Wi-Fi cracking, memory analysis, I think, I'll make sure that's on the right.

So this one's just showing how to find out a Wi-Fi Pineapple, once I find my cursor. So basically, when we're looking, you could just snip it out, and right there it is: Pineapple_B181. That's actually part of the MAC address of the Wi-Fi Pineapple by default. So this is just more of a cautionary tale: if you're going to use a Pineapple, make sure you change your SSID so that people can't see it. So now that one, to be honest, that Pineapple broadcasts its SSID as "not a pineapple" anymore, so if someone catches on to me I might change it to something like "pina colada", because no one would ever suspect that, right?

So this is, like, running through the process of cracking a wireless network. So first we use airmon-ng, which is just going to put our Alfa card into monitor mode, basically promiscuous mode. Here we see the wireless networks around: there's "tell my wife I love her", there's "white jitsu", there's "let's talk about hex baby", all sorts of fun stuff. So for this one we're targeting "white jitsu". So we see that it's on channel 1; we're targeting the SSID, which is the name, and the BSSID is the MAC address of that. So we've got that going on, so we're just going to play with some airodump and aireplay tools, airodump-ng being basically the

pcap platform for this; it's going to let you gather in the packets necessary to do things. airbase-ng is the tool that's going to be the fake access point, and then we can use aireplay-ng to do things like fake authentication and deauthentication attacks against the wireless network, so that the hosts that are connected to it will have to re-authenticate, so that we can capture those initialization vectors and those packets so that we can crack them at a later time. So it's running through right now doing a few different things; fragmentation attacks are fun as well. A lot of this I picked up working on the OSWP. So here, the -0 and "-0 0" here,

that's an infinite-loop deauthentication attack; in a sense it's kind of like a wireless denial of service, if you want to mess with your neighbors. I don't know, I don't encourage that. But as we can see, this is also a WPA2 network, so you know, this is the strongest encryption that we can use in a wireless setting until WPA3 comes out on the wide scale. So here's the cracking of it: we've got enough packets, so we see it's running, running, running, there's the password. That password is included in rockyou.txt, and it took 29 minutes and 12 seconds. And the thing is, because it's a 9-character password, it contains three typefaces, this

actually meets a lot of organizations' complexity requirements. So the moral of that story is: lock your authentication down, use strong passwords, choose passphrases, you know, with every opportunity you have, and if you can use some sort of PKI, by all means do so. So, shifting gears to the hacking class, the mentorship platform that Brian and I co-founded: there was another group of people around DEF CON 2017 that were claiming to be mentors and were out and out frauds. Brian and I were rather irritated at that, so we decided that we were going to do something about it, and this is the byproduct. Basically, we understand that academia does what academia does, certifications do what certifications do, but that doesn't

necessarily give you the 13 years of experience with Ethereum that you need to get that entry-level SOC analyst job. Keep in mind Ethereum has not been around for 13 years; slight dig at the companies looking for unicorns. But anyway, basically we are looking at pairing people with experts, or people who are more knowledgeable, maybe not necessarily experts, since some people are afraid to use that term, but either way, to help you go through the process and learn a discipline. We're looking at paths including hardening, monitoring, attacking, forensicating and analysis. Basically, when you go through this you'll be paired with somebody, they'll give you some learning exercises, you'll probably be expected to write some

blog posts, which could be published to whatever platform you choose, or the platform Peerlyst if you'd like, or an introduction with Kate Brew at AlienVault; she's always looking for people and they will treat you very well. But either way, you do that, and then when you're appropriate, and when we actually have that fully built out, there's a range where everybody will converge. Someone will have a set amount of time to harden a system or systems, depending on which complexity level they're on. Once the hardening is complete, we're going to pass it off to someone to monitor and someone to attack simultaneously. Once that phase is done, it'll be passed off to someone to

basically conduct incident response, taking the notes from the person doing the monitoring, and then at the end, once everything is put together, we'll analyze it for threat intelligence, all that fun stuff, and then all parties will sit down on WebEx or something comparable and discuss everything. So the pen tester, the person in that role, can tell the person who hardened the system, "hey, you forgot to change this one setting, it allowed me access," or "hey, I really appreciate that you did this, it made my life miserable, thank you," and everybody can hear everything. So in a sense it's kind of like a purple team thing, but not really; I'm kind of apprehensive about the term purple

team. But anyway, there's the information if you're interested; if you look at the Twitter or the Facebook page, basically enrollment is handled via the mailing list. Right now we're in the process of pairing the mentors and mentees; we have an extremely disproportionate ratio of people seeking to be mentees as opposed to mentors, and we could use both. So if you feel that you can mentor someone in one discipline and learn another one, sign up, please. Here's my upcoming speaking engagements. The next few weeks can be pretty hellacious: BSides Knoxville and Atlanta, then New Orleans, training in Columbia, and then all that fun stuff. Hacker Halted, if you want to come to Hacker Halted, actually the CFP is still

open until the 30th, so get your submissions in. But if you don't want to talk and you just want to come, right here's a coupon code that you can get free admission with; share it with all your friends, I don't mind at all, the more the merrier. I know some people are hesitant to click bit.ly links given to them by a social engineer, so there's the full URL, but if you want to go do it yourself, for fear of me poisoning them, right, you can go ahead and go there yourself and use the coupon code. If you want 15% off training, that's good for Certified Ethical Hacker, VCS al PTC C, so

whatever, you could use the coupon code there at the bottom as well. So there's that, and in the meantime, before I share links, any questions? Okay, so here's the links to the stuff I used if you want to play with it yourself. So, as we can tell, it's what's up on GitHub.

Wait, is more thanks, oh I went too fast. So if you want the Wi-Fi Stealer script, that's there. Whenever I find the time, if I ever find the time, I'm gonna write some more scripts and put them into that specific directory, but that's pretty much all I have in that directory. Again, before I put the final two slides up, I'm gonna grab lunch really quick and then I'm gonna come back up here and start calling scammers and wasting their time. So for this talk, that's all, folks, and there's QR codes. [Applause]
