
BSides Delaware 2016

BSides Delaware · 2016 · 6:25:12 · 339 views · Published 2016-10 · Watch on YouTube

...servers. I also started getting online a little bit. Anybody get online? Yeah, I see some nods. These are not just coasters, for those of you that are too young to remember them. I always liked how the higher the version you got, the more minutes you got, hours free. Yes. But yeah, talking to other people, this was an amazing part of our experience: you could connect to the Internet and get stuff for free, which was great. Expanding horizons.

The next thing I want to talk to you about is taking control of your self-learning. And I say self-learning because a lot of people, if you're coming from an academic environment, you'll expect that learning comes to you, right? "Oh, my boss will sign me up for that," or "my curriculum will allow me to learn these things, or will teach me how to program or how to infosec." To some degree that may be the case, but I'll tell you this: that class that your boss wants you to go to may not be what you want to do in infosec, and there's a lot of resources out there in the world now. There's this thing called YouTube, anybody? Yeah, okay. CTFs: how many people are doing the CTF downstairs? How many people have heard that there is a CTF downstairs? Okay, some hands go up. Good, but you're choosing not to do it, and that's your option. And that brings up a great point: the things I've talked about here, you don't have to do all of them to feel better connected to the environment, better connected to the community, but choose one, choose two, participate. Your experience will be a lot richer.

The other thing that you can do is read wikis and blogs and forums. The neat thing about what is being published to the internet is that there's so many niche areas. "Hey, I have this one vulnerability," or "oh, I want to research this one thing," or "I wonder if that..." If you think it, it's already on the internet, and there's probably a video about it, which is maybe not safe at work. So as far as self-learning, take control over your education, take control over what you're learning. Some of you already do this: you go to work, you work 9 to 5, or you work 9 to 9 or whatever it is, and then you go home and you continue your learning. "Let me go ahead and code up that thing for myself to understand what's going on." Do that; you'll feel much more connected.

I myself chose to go the route of SANS. I took a SANS Institute class. I thought, this is cool, this is a company that will give me learning; they will force-feed me, literally. It's like drinking from a... anybody taking a SANS class? Yeah, it's like drinking from a fire hose, right? I mean, they just pour information into you, and the people are so nice, and afterwards your brain is kind of overflowing. And I was like, I could do some of these things back on my home network. So I was a sysadmin, and I went to one of these SANS classes and I learned how to do stuff, I learned how to use certain tools. I went back to my environment, I'm like, "Hey boss, I bet I could hack into our super secret system that we've got going on here." He's like, "No, you're not going to do it in production." It's like, "All right, I will make..." Because I had that foundation, I would make a replica of our system, we'll call it dev, test, exploit, whatever, and I'll hack on that. I took the skills that I had learned in this class and I applied it, and within like 20 minutes I had domain admin, I had creds, it was awesome. And my boss's jaw dropped. He's like, "Well, we need to start doing this security thing." I said, "Yes, you do, and I know the man for it."

With this experience and with this information that I just gained, and my ability to apply it, which many times is something that can be challenging, right? We may all know somebody that's a tremendous bookworm; they know and read so many different things, but when it comes to typing on a keyboard or applying that knowledge, there's a disconnect. But since I was able to apply this, I started looking for pentest jobs, because you know what, I had skills. I'm like, awesome, cool. I became an information security professional. It was, yeah, no, really, it doesn't say "cyber" up there, sir, it's okay. But yeah, I became an information security professional, and as an information security professional I could see... this was the first Google image for "information security professional." It's like, I don't know what that is, but it looks cyber, right? Locks floating in midair, keyboard. That was me; I could see the locks. And of course, as an information security professional, what do you have to do? You got to get your CISSP, or at least I did. And I got that and I was so happy. I was like, yeah, got my CISSP, now how the heck do I apply this stuff? I wasn't around any 10-foot-tall chain-link fences to protect any top secret information. I didn't have to Bell-LaPadula anything, but I knew of this information, I knew it was out there.

So my boss, he said, "Hey Micah, you're getting pretty infosec-y there. I hear there's this Black Hat thing out in Las Vegas. You ever been to Vegas?" "No." "Would you like to go to Black Hat?" I'm like, "Yeah, free trip to Vegas, sure." So that's me in 2006 at Caesars Palace. It was awesome and I got some learning on, and I found out I had skills. I found out I had mad skills, because you know what happens: you go to one of these conferences, there's vendors there, and the vendors give you stuff. I had a skill for getting things for free. It was awesome, it was great. I actually got so much stuff that I had to buy another suitcase. So if you're in the industry, plan ahead: bring two suitcases to all security events.

So I'm out there at Black Hat and I'm learning stuff. Black Hat's more of a corporate conference, I think we'd agree. And my boss said, "Hey, are you up for staying there a little bit longer?" Like, "Yeah, I can stay in Vegas longer, that's cool." He said, "Well, there's this thing called DEF CON. Would you want to go to that?" I'm like, "Sure, I'm out here, why not? It's only like a hundred bucks, I could do that, cool." So I went online and I'm looking up DEF CON, where is it, what's up, and I saw that there were hackers there. I saw that there were hackers. Now, I'm an information security professional, I got a CISSP, I can't be around hackers. These are people with mohawks. If you remember my picture, I got no hair; how am I going to fit in? I'm not a hacker, I got no ski mask, I got no gloves, what am I supposed to do? So I panicked a little bit. I was like, all right, deep breaths, I can do this. That was a little sad, but I got through it. I went there to that DEF CON and I was overwhelmed. Anybody been to DEF CON? Yeah, it's an information security circus, right? I mean, it's amazing, the talented people that are there; it's amazing the things that they're doing, and how you have to buy a new phone when you leave there. But it's really a cool place, and in 2006, when I was just getting in, it totally overwhelmed me, and it made me question my worth. Like, well, these guys are hacking GSM things and doing all this stuff with long-range Bluetooth snarfing; I don't even know any of that stuff. But it's okay, and that's one of the tips I give people when I mentor them: it's okay to realize that you know a small amount of stuff and there's other people that know more than you. You will get to a place where people think that you know more than they do. You will get to a place where you know a sufficient amount of information and you're still looking up at the people that are doing even more elite stuff, that you forget about where you came from. You forget about all those junior people that still don't even know what TCP/IP stands for. So it's okay to feel inadequate.

And so I was playing volleyball. I play volleyball in a league, and I was playing volleyball with a young man, and he said to me, "You know, Micah, you're an information security professional now, you're CISSP, you've been to DEF CON. Why don't you come to this group I belong to? It's called NoVA Hackers." I was like, "Whoa, hackers? Bob, I don't know if I can do that. I've got the CISSP; it says I have to be ethical. We know what hackers do." But he was relentless, and I thank you for that, Bob. He's right over here in the audience; I'm going to call him out. So Bob was relentless. He was like, "You got to come, you just got to meet these people. They're nice people, they're not all strange." So my community tip number three: join a group. Now, in my area, NoVA Hackers was what Bob got me into, and I found it was really neat. We would go to these meetings and there would be people of a wide variety of skill levels in there, and they were presenting on anything from kernel-level rootkits to how to do really simple stuff. But they were participating, and it was neat to meet them and talk with them and grow my network of people. Because you know what? This is one of the things that people don't realize: even though you might not know what I know, you still know stuff that I don't know, and I can learn from you, and you can teach me, and I can teach you. This is what our community is truly about; it's about learning from each other. Yeah, I might have this uber blog post with a pretty picture in there, but you could do the same thing, and you could teach people as well.

So in these meetings, what we do is we sit down. Now, if you don't have a NoVA Hackers where you are (this is for the Northern Virginia, DC, Maryland area), there's ISSA chapters, there's OWASP chapters, there's a lot of other hacker organizations, like Colorado, the 303s, right? There's a lot of other groups out there that can help you make connections to other people in the industry and in the community. So some of the talks that we've actually done: there's people that are exploiting kernel-level stuff I don't get; there's people that were talking about programming and how to start out programming, even how to program in languages that I don't even think exist, Google. There are also people that help you do whatever this guy's doing to that computer, which just does not look right. I love the images. Anybody seen that soldering iron picture where the lady's grabbing the hot end of the soldering iron, and she's like, man? So there's a lot of people out there.

And so as you start to make these connections, set some goals for yourself. You know, where do you want to be? Do you want to learn a language? Okay. Do you want to just attend more conferences? Okay. Do you want to speak somewhere? There's lots of opportunities to speak, or just to learn and share your information. Set some goals for yourself, because as Yogi Berra said, if you don't know where you're going, you don't know when you get there. Yeah, you don't know when you get there, and that's very true. You know, some of you probably do five-year plans, ten-year plans, career plans: I want to be CISO, I want to be the tech lead of this, I want to write a book. Cool, well, do that also in infosec, do that in your community life as well. I want to participate in the group, I want to do two of the things that Micah talks about on this slide, or these slides.

One of the other things that you can do to feel that connection to other people, to get that mentorship, is contribute to open source projects. Now, I know it seems simple, right? I bet over half of you have used an open source project at one time in your life, whether it's Metasploit or some other tool. Yeah, these things are easy. I myself, I learned Python and I started coding very, very poorly, but I started coding in the Recon-ng framework. I started writing these modules, because it was about scraping information off of websites and then writing a module to do that more efficiently and put it within this framework. It was pretty cool, and it mixed my work life with what my information security community life was becoming. So I had motivation, I had knowledge, and I could do these things and learn new skills, which was good for me. So this was fun and it was neat. The owner of the project, Tim Tomes, lanmaster53, great guy down in South Carolina, I remember my first module submission. I'm like, "Hey, I just git something'd it to you. I think I git pushed it to you, or git pulled this to you." And he's like, "Yeah, you did that right, Mike." I'm like, "All right, cool, you know, put it in the framework, buddy, I did it, it works." He said, "Yeah, this kind of sucks. Let's see if we can make this a little better." And I give Tim a lot of credit, because what he did is, instead of fixing my code, he taught me how to fix the code. He taught me how to make it better, and you'll find over and over and over again people are willing to help you learn and grow if you try.

I find this to be the response from many of the people that I mentor: "Hey, I don't program, I don't script, I'm not to that place in my university experience, I just haven't been required to. What do I do?" Well, okay, if you want to contribute to an open source project, there are many projects out there that, if you can Notepad or Notepad++ or Sublime or TextPad or something like that, you can contribute there. These things right here, whether it's my Offensive Interview, sorry that it's so wide, but my Offensive Interview project up there. That project is about open-sourcing questions that people can use to find out the level of technical ability that a candidate has when they come to interview. So there's some knowledge-based questions, there's some technical questions, and you ask the candidate this. Now, "Oh, if it's out there, people will just read that and then they'll figure out the answers, and then those questions won't be good anymore." Yeah, absolutely, but you'll also have somebody that, you know, does their homework, does research on their own, and is a quality... wants to learn. So that's okay if somebody goes in and does that. But I'm always looking for people to contribute; send your questions in, contribute.

FuzzDB: this is just a list of words, a list of places and directories for websites. This is not hard to add stuff to. Justin Nordine does something with the OSINT Framework. If you go to osintframework.com, there's an amazing open source project, and what it does is it organizes and categorizes open source intelligence gathering tools. Okay, we call them stalking tools, but in information security there are open source intelligence gathering tools. But all it is, is you go out and you find a site that you can look up somebody's phone number on, you go to the project, you download it, you say, "I could get somebody's phone number here," and you put the information in, and you've contributed. You've made it so somebody else can do things faster, better and more efficiently, and that's contributing, that's giving back.

Next thing is participating at conferences. Now, when I was an information security professional, I went to DEF CON, I went to Black Hat, and aside from scraping all of the swag from all the different vendors and sticking it in my luggage, I didn't participate at all. I went to the talks. I didn't do anything that was... I went to the talks. I didn't do the lockpicking, because lockpicking, isn't that illegal, isn't that, you know, against the law? It isn't, but back then I was thinking these things, like these are bad things. I didn't CTF, because, oh my God, putting my laptop on that hostile network, won't they attack me? Sometimes yes, sometimes no. But you know what, here, I don't know if TOOOL is down here. Who's doing it? It's not TOOOL, right? It's somebody else. So the Open Organisation Of Lockpickers, toool.us. Some firewalls will block this if you're in a corporate environment; they call this a hacking site and you'll get put on a watch list. But toool.us has a PowerPoint presentation on how to lockpick. If you've ever been to one of the infosec conferences and they have that PowerPoint with all the animated locks going in and keys and how to pick, that's where you can get it. You can download it, you can teach yourself how to lockpick with a paper clip and a pair of scissors. No, seriously, I did it one time at work. We were doing wireless assessments and we're looking for rogue wireless access points, and one time we were walking through a building, like, wow, it was up in the ceiling, and there was a box in the ceiling with a lock on it, and there were two antennas coming down from it. Like, oh, that's probably one of the corporate ones, that's okay. And we called the corporate people to say, "Hey, this one's misconfigured." They said, "Well, we don't have anything in that room." I'm like, "Yeah, you do, it's right there, it's in the comm box, you know." He's like, "No, we don't have that." Really? Okay. So now I was up there, I was like, I know how to lock pick, I went to a conference once and I did this, but I had none of my tools on me. I'm like, think about MacGyver, like, get me a paperclip, a pair of scissors and a pen knife for some reason. And I'm sitting up there picking the lock up in the ceiling, and my buddy's like, "You'll never get it," and just then it opened, and there was a Cisco access point. I'm like, that is absolutely our corporate access point, and the guy's like, "No, we don't have it in our database." I'm like, "Huh, well, it's mine now." So you can win fabulous prizes with this.

But one of the other things that I decided is, one year I went to DerbyCon. Anybody DerbyCon, over in Louisville? Yeah, really nice, kind of family-feeling conference, nice group of people. And one year I kept going there, and I walk into the CTF room. If you walk into a capture the flag room, not the one down here, but like at a conference if it's a dedicated room, do it on day one, because on day two you're not going to want to go into that room; it will smell kind of hacker-ish. So I walked in the room, I'm like, wow, all these people, and I'm looking at people's screens, I'm like, I could probably do that, I could probably do that. Huh, I don't want to put my laptop on that network, that's too scary for me. And I wasn't at a place where I could do that. That's okay; that was where I was at at that time. But you know what, the next year I made a goal, and my goal was to sit down and just do it for a little bit until I stopped getting bored. You know, I was like, I'll plug in. I wiped my box, you know, flashed the BIOS, because you got to be careful about that, did everything clean, Kali Linux install, and I hopped on the network, and I sat there from Friday at noon until Sunday at noon and I just hacked all the things. My team came in third that year. It was awesome, and I learned so much, because I worked with a bunch of other people, and those people became my friends, and those friends knew more about Windows exploitation than I could ever know. But you know what, I knew a little bit more about web, so when they got to a hard website or something like that, they're like, "Hey Micah, can you help me out?" I'm like, "Yeah, but you got to help me with this, because I don't..." And we worked together towards a common goal, and we learned. So my challenge to you is, if you want to go down to the CTF downstairs, try one of them. Try to lockpick, which you don't have to plug in a computer to do, I get that. But try something downstairs that you haven't done in the past to broaden your horizons. You might find that you've got some skills that you didn't know about. So we did the CTF and that was cool.

My tip number seven is to publish your information. You know, blogging nowadays is super, super simple: wordpress.com, whatever, you can go there and set up a site in minutes, and it's easy. Now, people say to me, "Well, hey, I don't have anything to say," or "well, other people have probably already said this." carnal0wnage, Chris Gates, he said one time, you know, "When I blog, blogging is not necessarily for you to read what I've done. I don't care if you find that helpful or not. It's for me to take public notes, so that when I go and I have this exact same problem in a week, a month, two years, I'd be like, damn, I did that once, right?" And he goes back to his blog and goes, "Oh, that's how I exploited it, that's what the response should be," and he can move forward. Yeah, it's great that it helps other people; it's great that it moves the field of infosec forward, but it doesn't have to be for other people. It can just be so that you have a voice. I actually started a blog right after my DerbyCon thing. I was like, I got something to talk about. I was a CTF virgin, and I went in there and my team got third place, and I talked about it. I talked about the feelings of inadequacy when I started out on the network and I didn't know what the heck to do, and I talked about how not sharing information really hurt us. And it wasn't necessarily technical, but it was things that could help other people, and it was things that made me feel better about my experiences there.

Next thing is volunteer, and when I say volunteer, I mean volunteer at places like this. There are lots of these BSides conferences and other conferences that need help, whether you're helping out at the Hackers for Charity booth or you're helping out running the conference. This is a conference that's coming up, BSides DC, later on in this month down in the DC area, and there's constantly these pleas for "help us out, contribute, come, we give you free access to the conference, we just need you to help out, register people at the front door, or we need you to help with security," or whatever. They're not hard jobs, but you make a difference and you help other people kind of have a good experience as well. So consider participating, pitching in.

Now, this is something that's really hard for people: asking for and taking feedback. If you want to participate in the information security community, you can be one of those people that's really closed off, one of those people that won't take input, isn't open to other ideas. We have those in the industry; we have those on Reddit. But if you want to be successful, being open to other people's ideas, other people's techniques for doing whatever, that's going to be helpful, and you will learn and grow by that conversation if you allow yourself to. And I say that because I actually gave a talk up at BSides Boston, loved it, great place, great town. I went up there and I gave this talk. It's a stalking talk that I give called Running Away From Security. It's on the YouTubes, and it's about finding people on the internet and showing, you know, where they live and other things. It's kind of fun. And afterward, this lady raised her hand. I'm like, "Are there any questions?" and she raised her hand. She said, "Yeah, so why were all of your examples about women? You had three examples and all of them were about women. Why don't you like women, Micah?" Like, I love my wife, I have a daughter, I love my mom, I like women. But it got me thinking. I mean, her point was more that she had an agenda; she had a feminist blog and she was, you know, talking about all of the indignities. If I had three men up there as examples, the same question would have come out of her mouth. But I took the essence of what she said: that my examples, even though they were easy and they fit, were skewed. And I opened up myself. I said, well, could I make one of them about a man? And you know what, I went back home and my daughter helped me out with that talk, and she and I went scouring the internet for places where men were disclosing too much information, which is a lot of places, and we actually found a better example for my talk than that woman example. So it was good. So taking that feedback and being open to it allowed me to actually make a better presentation. That was pretty cool, and actually then I blogged about that, thanking her for doing that. I think she wrote a blog criticizing my blog about her blog, so it's one of these Inception things.

The next thing is share your knowledge. Now, when I talk to junior people about this, people just breaking into security, I say share your knowledge. They're like, "Oh no, no, no, I'm not there, I'm just getting in." I say, you know what, there's things that you know that I don't know, because I haven't looked into DNSSEC, or I haven't tried to figure out how to use IPv6, but you had to do this in class, or you had to do something else with object-oriented programming, I don't know. So even though you're junior, you have other skills that you can bring to bear to further the conversation and share your knowledge. Now, for me, I set a goal of becoming a SANS instructor. I teach for SANS now, but it took me years to actually work up to that. But that was a goal; that's how I share information. You might not want to do this; standing in front of groups like this might terrify you, and that's okay. We have other ways that you can contribute, whether it's at work in a brown bag, or doing an after-hours talk at a college class or after a college class or something. You can mentor other people, help them, bring them along into your journey: "Hey, you know, this is what I'm choosing to do. I went to this talk, there were 13 tips, not 14, not 12, 13 tips, and I'm choosing these three. Which are you going to do?" And you kind of learn from each other.

This is another one that I find is one that sounds simple, but it eludes us, because we don't think about our journey; we think about the destination. You set a goal, you're like, I want to have my master's degree in two years, or I want to get that job. All right, cool. Track your progress. Back in the early 1990s, these things were how we kept track of our calendars. There was no Google, there was nothing to keep track of it on the computer, so we used these books. And you know what, these are ones that are in my basement. I stored them away, and I started flipping through them, looking at, hey, this was my first TCP/IP class, that's pretty cool. And it shows you where you've been, and it allows you to see that growth, because what we don't recognize as people is those small gradual steps that we make towards our goal. We recognize a goal: I got married, I got promoted, I got this. But you don't recognize all the steps that you had to do to get to that event. And by doing that, sometimes when you're feeling down, you're feeling inadequate, you're feeling like an impostor, you can go back and go, you know what, I do know a lot, and here's where I learned that, and here's where I participated. So keep track of it. You don't have to use one of these things; you can use the internet now, that's fine.

Here's another thing, here's one of Micah's tips to track your progress. A lot of you have these badges on, right? Yeah. So my wife is a runner, and one year for her birthday I got her one of these running things. It says, "Success isn't how far you got, but the distance you traveled from where you started." And I started thinking, I'm like, I have been collecting all the badges from all of the trainings I've gone to, from all the conferences I've gone to, and they're just hanging in my closet. Well, heck, that's a lot of money and a lot of time and a lot of effort that normally people don't see that I've put in to get where I am. And so what I did was I bought one of these things off of Running on the Wall or Amazon, wherever, and I hung my stuff on it, and I put it on my wall at work. And when junior people come in, they're like, "Well, how do I...?" I'm like, "You see that? You try, you attend, you participate," and it helps further the conversation. Also, I can look at this and go, yeah, you know what, I've done a bunch of things, and that makes me feel good on days when, you know, maybe I'm feeling like things aren't going really well.

Here's another thing, and I'll tell you this: social media is bad, all right? But social media is also helpful, in my opinion. We as people make risk-based decisions at a personal level all the time. Do I post this to Facebook? Do I geolocate myself? Do I apply for this job or that job? Do I attend this talk or not? You make these decisions and then we move on with our lives, just like we do at work making risk-based decisions. Joining Twitter is a risk-based decision, but I would tell you that joining Twitter is one of those things that has a much bigger reward than a risk. There are people on Twitter, and you know who you are, that don't tweet a bit; they just lurk, they read other things that other people are tweeting, they might retweet things, and that's okay. Twitter's a great way to reach out directly to people, to again further that conversation. "Hey, you know what, BSides Delaware, you guys are having a great time there, I'm wondering if you could do this," or just keeping track of what events are happening here, or #infosec, or #PokemonGo, no, don't do that one. But you can reach out to people. If I told you that you could get in contact with anybody that you wanted and spark up a conversation just by finding their handle, would that make you feel powerful? "Hey, I'm working on this Social-Engineer Toolkit, God, I wish I could get in touch with TrustedSec or Dave Kennedy." He's got Twitter: "Hey Dave, this thing," and he'll respond. Or Raphael Mudge, or some of these other big names in the industry. They want to help people, so get involved in the conversation, even if it's just listening; you don't have to do anything. Also, on Twitter, this is where we find a lot of things before they hit mainstream media. I don't know if you've seen it recently, I'm watching the TV and I'm looking, and they've got somebody's Twitter feed up there going hash, you know, storm in Miami or whatever. I'm like, you guys are using Twitter as a primary source for... that's crazy. But if you're on Twitter, you've already seen that maybe 6 hours, 12 hours ago, and that happens very frequently in infosec. Twitter is like a phone book for us: reaching out, having the conversations, and really making a lot of connections. Also, for all of the infosec conferences you go to, a lot of things are discussed on Twitter: new events, parties, other things, "hey, you left your phone in the lobby" type of things, on Twitter.

And then here's my last tip, and this is kind of an obvious one, but it's one that many people don't think about. If you're always the smartest person in the room, you're probably not growing and learning as much as possible, right? And many of you probably are the smartest people in your room at your companies, at your organizations, at your schools, at home. How many at home are the smartest people? I know. Sorry, dear. Yeah, so you're the smartest ones in the room, that's great. But do you ever find yourself wanting a mentor, wanting somebody that knows more about this than you? That's cool, and that happens to a lot of us. What you can do is you can reach out to Twitter, use your blog, go ahead and talk to the people that you volunteered with, talk about all these different things that we've done, participating at conferences. You grow those networks, so that when you get here and you get to that mid-level or senior position, or you're the only person in your organization that does infosec, you have friends that you can reach out to. That's one of the best things about the NoVA Hackers group, or if you're in SANS, one of the SANS advisory boards. They're mailing lists, and these are mailing lists that you could say, "Hey, I don't know what the heck I'm doing here, my boss just asked me to do this, can anybody help me?" And people will help you, because you are part of the community.

So this is the recap, all of these different things. Now again, for those of you that came late, you don't have to do all of these to be connected to the infosec community, but the more of these things you do, you'll find that, you know, when you come to these conferences, it won't be about "yeah, I'm going to go lockpick," it'll be about "man, I can't wait to see my buddies, I can't wait to see my friends, I can't wait to meet new friends." I was just out at DerbyCon. It was a great conference. I went to a couple talks, did a couple of other things, but what I found most was it was more of like a reunion. I went there, I saw my old friends, and then each one of my old friends, they brought a new friend with them. They're like, "Hey, have you met Bob? Bob, this is his first infosec..." "Oh, hey Bob." Growing my network and growing his too, and reaching out to him. So that is my talk. Are there any questions for me? Yes sir.

[Audience question, partly inaudible.] Okay, so the question, or the comment, is that this gentleman runs a blue team podcast, and the question is where do blue teamers hang out? Is it mostly... where do the newbies hang out? Okay, so I will turn this to you all, because I'm guessing that this might be out of your comfort zone, and that's okay; this is a safe environment. That's right, that's right, we're on the fringe. So anybody that responds here, I'll give you a hug outside, it'll be okay. But so for you people that are just breaking into security, where do you go for information? Is it Reddit, or a Facebook group, or Twitter, or your local university website? Where do you go? What? You lurk on Twitter? All right, cool. Some Twitters. Sir? Reddit, /r/netsec. Right, okay. [Inaudible.] Okay. Yes sir? YouTube. So you're watching videos on how to do things. So if you changed your podcast, maybe, to one of those podcast vlogs, maybe you reach some people. Yeah. What is the podcast? Sysadministrivia. That's pretty cool, and that's one of the neat things that you find, is, you know, there are people that love blue teaming or defense, there's people that love offense, penetration testing, vulnerability stuff, and there's people that love every other part of the community. So thank you for... so there's places out there. Talk to... what's your name, sir? Brent. Brent. Talk to Brent if you want to give him some more places to find you, which sounds odd when I say it out loud, but you know what I meant. That's right, see my other talk. What other questions do you have? All right, cool. Well, thank you very much for starting off BSides Delaware with me.

Are you good? All right, I'll start. Everybody hearing me in the back? Hello? Good, good, all right, cool beans. Oh no, you fail. So welcome, this is WCTF Magic As Told by a Clumsy Magician. I'm going to take you on a fantastic adventure. All right, so I was told we're on a live stream, so I have to do my absolute best to behave myself, but I can't, no promises. I may say some stuff that may offend you; I'm not really that sorry.

So who am I? In 2001 I decided to join the Navy, did Navy IT for 11 years. The coolest things I did were Mobile Comms Team 1 with SEAL Team 1; I did other jungle comms when we deployed to the Philippines, I ran the entire network suite and comm suite. I worked at NIOC Maryland; they made me go to shore duty finally, and then Fleet Cyber Command, I helped stand up the Navy's cyber command. I worked for Admiral Rogers and then Admiral Mulla, and it was Rogers, really, was a three-star before he went and became a cool guy four-star over at NSA. So I was a principal security engineer; I was the HBSS me that sent out all the cool messages that said you had to do what things on HBSS. I worked at Ron on a NATO network, the Combined Federated Battle Laboratories Network, and then I'm currently doing a Navy network ISSO; I do SCA, I do very boring paperwork junkie stuff, search, because they made me have to do the 8570 compliance stuff. And then I also recently joined the American Fireworks team, and I blow up... the most recent shoot we did was Fourth of July for Seacrets in Ocean City. We set off 6,000 shells, and some shells I held in my hand were bigger than your head, and they let me hold those and wire them up. How many fingers you got? Enough.

All right, so now that we're done with that... Jerry, who is Wasabi? So I finally started real infosec in 2010 after doing Navy IT for a while. I do wireless hacking, since that's kind of what I'm here to talk about. I'm on the Crimson Agent CTF team; as an individual and as a part of a team we have won the last five WCTFs we have competed in. We're not cool enough to go to DEF CON and compete, so I don't count that one. Security enthusiast: I enjoy security, and I know that the world's going towards the Internet of Things, or it's going to be a lot of fun with Wi-Fi and wireless in the future. So as I said in my bio, I'm looking forward to filling your kitchen with ice cubes after I take over your fridge.

All right, the objective of this talk. They do a much better job at explaining how to do a WCTF from the other side, with the intro to the WCTF. I'm going to give all these things from my point of view, from the first time I ever tried to WCTF and failed miserably to putting points on the board and having tons of fun. So I have fought with my computer, I have stuck myself for six hours trying to figure out the same WEP thing and went down the rabbit hole and Googled, and things weren't working right, and it's not fun. And I'm hoping that you will learn from my mistakes and don't incur the same wrath I received from the team at the front of the room. Oh come on, we love you, we... it's all love, Wraith.

So as a matter of fact, forgotten here, the first time I ever went to a security conference and the first time I ever tried to compete in a WCTF was the very first BSides DC. I just happened to go to the hackerspace on the Friday night, and he's like "I got an extra ticket and I want to split a room." I said "I ain't got any plans this weekend, let's go." So literally on the car ride down I'm installing Kali Linux, thinking I'm gonna... oh yeah, on the ride down, on battery power, I'm installing Kali Linux thinking I'm going to take over this, because I ran Reaver once and got a password and thought I was cool, and I followed the Lifehacker article on how to break a WEP key and did it once, so I'm obviously ready. So here's the funny part. So I had just installed Kali over Windows on this Asus that never had Kali on it, or any Linux on it before. I sit down, receive the brief, I'm hiding in the corner because I don't know anybody. This is my first con ever, it's all a bunch of scary hacker folks. My wireless stopped working, like all of it. I couldn't get any networking working, like at all, and I'm thinking "well, I've been owned, like that didn't take long, I'm a freaking noob, like it happened immediately." So I'm in the corner fighting with my network card because all I brought was my laptop and my charming personality. No extra Wi-Fi cards, no Bluetooth, nothing. Like I was convinced I had everything I needed for the competition. So come to find out, after three days of reinstalls, after chasing forums, after running through blog posts, my Asus laptop, no hold on, my Asus laptop, when you boot it up for the first time, the network manager has a bug and it doesn't start networking; it thinks it's hardware disabled. So all I have to do is close the lid, wait till there's just one light, the standby light, open the laptop back up, and boom, I'm connected to Wi-Fi. It thinks it's hardware disabled, none of that works, like it thinks it's hardware disabled. So I was looking through the BIOS, I'm looking for switches that I didn't even know existed on this laptop. I was convinced I had to find a button that was not on my laptop. So that is what you do not do for your very first WCTF.

So look, the only way that I'm even here right now is because I failed. I failed some more, I failed three more times, and then finally, through pure brute force, I started learning this stuff. Through a little bit of mentorship and guidance from the WCTF team I actually was able to put in a flag and get at least a couple of points.

So from the competitive point of view, we're going to go over the game, the challenges, some methodologies, the team and solo strategy, offense and defense, and then some gear stuff. So it's a wireless CTF, but it's kind of set up standard like other CTFs are: you've got rules, points, prizes, and opponents, and sometimes in this one you can't even see your opponent, because they can be further away, because it's wireless. Not everyone's going to get a trophy: you're not first, you're last. It's Jeopardy style in the sense that when you go to their website you submit your flag, but it's not like there's a scoreboard, or, just like, there's not necessarily a flow; like you can go at any rate that you want and try any challenge that you need to, based on what you're able to accomplish. So if you don't know, then ask. So unlike my first WCTF, where I didn't talk to anybody, I was hiding in the corner, I probably could have got a little help. It's just a game; like, everybody's there to compete, but I have never met anybody that truly did not want to help somebody. So go up and, like, don't be shy, go up and ask; they're more than willing. I'll even help you. If you show up today down there and you're having a problem, ask me and I will help you. Wasabi, Wasabi, Wasabi. So don't nuke it, a little spicy.

So it's just a game, we're here to have fun. So Delaware is two days, like right now people are scoring points and I'm not down there competing in the WCTF like I should. Yeah, we actually brought it up, we ran up here at the last... thanks. So if you get stuck on something, move on and maybe come back to it. Don't corner yourself into one thing or one problem. They have so many different challenges that you can try, whether it's SDR, they just introduced SCADA, they've got some Bluetooth stuff, there's a bunch of Wi-Fi, there's different kinds of Wi-Fi. So if one is a problem for you, try another one and come back to it. So don't give up, but don't stay on the one challenge like I did for six hours trying to figure out why WEP doesn't work.

So it's wireless: you cannot see what's not there, but that's the thing, you can decide. You know it's Wi-Fi, you know it's Bluetooth, you know that those things are out there. Start your scans, know what you want to look for, know what you want to start looking for, and go from there. The challenges, of course: I believe with DEF CON they just introduced a little bit more Bluetooth stuff, especially with the release of Blue Hydra. Really cool tool; if you've not downloaded it, go to GitHub and get it. I've run it at a couple of different places and it is really cool, the things that are running Bluetooth that you didn't know are running Bluetooth. My neighbor has a Bluetooth bulb now. I walked the entire DerbyCon and saw really, really interesting things. So there's Wi-Fi, there's SDR. All this stuff is low entry on equipment; you can come in and participate. Think outside the box: they may very well start introducing things like toasters that we have to take over and burn toast to get points. Like, that would be cool. I'm taking credit if you do it.

All right, so what do I do now? Like, when you show up, it's just assumed sometimes that you know exactly what you're supposed to already do, like with other red team events where you plug in and you start scanning. So pick the device that you want to look for, pick the thing that you want to do: pick Wi-Fi, pick whatever else you want to do. Like if it's Bluetooth, you want to go after the speakers and play your own music because they've picked some kind of weird esoteric freaking EDM from goth days or something. Yeah, yeah, I know, I'm about to start off with negative points just like

ShmooCon. So take notes as you go. I can't emphasize this enough, because there were times that I had assigned wlan1 to do one thing and I assigned wlan2 to do another, and then I came back and I decided I was going to do something else and I assigned wlan1 to do that, so everything I was doing on the other pane, like, it failed, because I wasn't collecting anymore or doing anything. So take notes: write what you see, write what you don't see. If you overhear people talking about something, steal from them. So from my perspective: get in, get logged in, get their word list downloaded, look at their past freaking presentations of what they did at other places, because you can do a lot of homework ahead of time and see all the things that you want to do. Settle in, put all your stuff up. Do not over-multitask, do not over-multitask; your computer may not be able to handle it unless you brought your gaming rig from home. Know what you're good at, give it a good shot, and then try and have fun with the rest. They just brought up a bunch of SCADA stuff; I have no idea about SCADA, but I'm about to hit it today and I'm about to just hurt my brain as hard as I can, or tomorrow. Take it in chunks. If you go to their scoreboard, at the bottom you can see what all the flags are; you can see the different styles of different things, like you can see that they're possibly going to have this and that. It's kind of like looking ahead. Do lots of Googling, lots of Googling. There's wireless stuff all over the place from different years, but there's lots of help on the internet. So what if you get stuck? Ask others, ask your team, walk up and look at what's displayed on the table, but do not go behind the table without permission, you won't get... and try another challenge. Just do not, I keep pegging on it, because I literally spent almost two days at a CTF just trying to figure out why I couldn't break the first WEP challenge. Like, I wanted to figure it out, I wanted to figure it out so bad.

All right, so I scored. The Wi-Fi fox was released and so is the SDR fox, and I had my SDR gear and I'm walking all over BSides Charm. Don't be shy, because you're going to have to ask people if they are the fox or not. Just being dumb, I decided to ask somebody, because I walked down the escalators, I looked up, and there's just a group of guys just staring at me, guys I knew, and I was like "are you the fox?" The guy's like "yeah, yeah I am, you walked right by me and I thought you were going to catch me." So I get up there, I've got SDR gear in my hand, and he hands me the Wi-Fi fox. So when I got back into the WCTF room, Rick looked at me and goes "no, I don't even want to give you points for this." I was like "it's not against the rules, like I should get extra points because I found something with the wrong gear, but the rule is all I have to do is bring it back to the room." But no, I mean, you're going to have to walk up to people if you're searching for the fox. Do not be overly shy, and ask people, just random people, because you never know what they have in their pocket either. Yep. So speaking of: they named the fox at freaking ShmooCon "Foxy," and I'm walking around with a shirt that says "bearded for her pleasure." I am walking up to grown men, I am walking up to women, because I'm seeing this signal and I have to go talk to this girl and I have to ask her if she's Foxy. The looks on people's faces when you ask if they're Foxy, and I'm spelt and bearded, it's like "are you Foxy?" No, it's a good time. We have since changed how that rule works; it's now a code word, because some of the people were uncomfortable being asked if they were Foxy. Oh okay, that may be my fault.

So team and solo strategy: join a team. No, I mean, don't go sit in the corner and get stuck like I did. Like, if I had two other people that I was there with, they probably could have steered me in another direction, helped me, even let me borrow a laptop, let me borrow a dongle. Like, if we don't join together and come together and work together and share information, none of this cyber security stuff will work anyway. So join the team, have some fun, but if you're not on a team, go there, have fun, ask questions, but it's not a delimit edor. All right, look, share with your team, but if you're not whispering, I swear I will steal your flags. Break stuff up: if you've got a guy that's your strong Wi-Fi guy and you're the strongest SDR guy, start knocking it out at the same time so you can start scoring fast and often. All right, it helps. What I did at Charm was, when I did find the Wi-Fi fox, I actually didn't turn the Wi-Fi fox in; I turned it off and left it in my pocket, because while that was going on everybody else was still looking for the fox and I was in the room scoring points on other challenges. So to actually combat that we do have flag... damn it. Yeah, they're still not scoring points either. So communicate with your team, figure out a way. We actually tried to follow Zero at ShmooCon because I saw him leave with the bag that I knew the SDR fox was in, and we're communicating through Slack. Found out that's not a good idea, because there's a delay, so he went out the door and my teammates finally got to the door and he's already gone, gone. So we were actually going to follow him to the actual fox and then just take it.

All right, so, BSides Charm. Sandwiches were en route from Jimmy John's, it was the second day, we'd already had the con party, I'm hungry. As I'm walking out the door to find the SDR fox or Wi-Fi hide-and-seek, I went over to the booth, like the actual registration table for the conference, and I started pulling apart t-shirts. I was lifting up the skirt for the table, I actually got on my hands and knees and was rolling around on the floor, in and out between people, because I was looking for the hide-and-seek object. I finally found it in a paper cup hidden underneath, like behind a table leg. So do not be afraid to get down and dirty to look for the hide-and-seek; they will stick it anywhere they think is... I think one time they put it behind a painting at the hotel for DC. One was actually in their hotel room, and you had to give the hotel or the room number to say that you were even close to it.

So offense and defense is in play. Josh and General actually pulled off a really good event where he was replaying their website and posting old information so that nobody could get current information for the WCTF. You can bring your Wi-Fi Pineapple and you can run Karma and you can be a jerk, but they will shut you down. They know how to use this stuff better than you do; they know how to do it better than I do. And you're at a hacker conference: everybody knows what the Wi-Fi Pineapple is. You can get away with it at some other place, but you're going to get shut down here. But red teaming is allowed. You cannot jam frequencies, you cannot do anything that will get the FCC in trouble with you, but you can attack protocols and you can do other things. So at Charm I was searching for the Wi-Fi fox and I noticed every time one of the competitors walked by me I got a stronger signal, and as he walked away the signal went down. He was replaying the fox as a part of red teaming so that nobody knew what was going on. And that's why, when I finally found the fox, I had to pay attention: if I actually got a good signal, I had to make sure he wasn't anywhere around, so that I knew it was the actual real fox. So that's why I turned the fox off and put it in my pocket, because he was still replaying it the whole time, so people were still seeing that MAC address and that SSID, they were still seeing Foxy, so everybody still thought the fox was out, but it wasn't. He was actually trolling himself, because he actually still kept going out looking for the fox too.

All right, gear. None of my stuff is like commercial grade hardcore anything. I've got TP-Link, Sena UD100s, I've got anything that's, you know, like $50 and below. I have a HackRF just because I wanted one for doing SDR, but I got the PortaPack and I did all kinds of stuff. But there's nothing that... you don't have to come in with $10,000 worth of gear to get flags, unless you're Cryptos. As a matter of fact, my current setup is based on what his setup was when he won a competition for the bicycle race thing, like the way that he had the USB hub. I stole ideas off of other people, so why reinvent the wheel? Know your gear and test your gear. I still fail at this, I still don't test my... I'm telling you to test it because you'll be in a position like me, and he'll tell you: this morning the Pentoo load that I installed crashes and does a kernel panic when you put your Wi-Fi into monitor mode. So now I have two laptops that are going to kernel panic on me for the game because I didn't test my gear before I showed up. So now I might have to try and download a different Pentoo over hotel Wi-Fi. No, it's on the... oh it is? All right, sweet. But seriously, test your gear wisely.

So a cool and interesting thing I learned: I was walking around with the SDR, little gray SDR, and I had the little base and I had like the giant telescoping antenna. They told me "you're not going to find the thing that's right in front of your face with this antenna that's over your head." So they actually sent me packing and looking for a freaking paperclip that I then stuck into the end of my SDR, and now, because I have a terrible antenna, I'm not getting the freaking signal from somebody's blender making a smoothie two blocks away; I'm actually getting what the actual SDR fox is right in front of my face. So I actually, no crap, as soon as I stuck that in I went straight out, found the fox, and came right back. I mean it was that quick, because it was so fine-tuned into just what was in front of me that as soon as I actually had the signal, that was the actual fox.

So I went from "I brought literally nothing" to "I brought too much." I went on Amazon and did like a buying spree: I'm buying USB hubs, I'm buying Wi-Fi antennas, I'm buying AC cards that don't even work on freaking Linux yet. Like, I was so mad at myself for the very first WCTF that I decided that I wasn't going to let that happen to me again, so I decided to go on a purchasing spree, and I got single-people money. So I bought a few Wi-Fi dongles. Most of the gear that you need to participate in this is anywhere from $20 to $100, and it's $100 because you bought one Wi-Fi dongle, one Bluetooth dongle, and one SDR; they are at about $20 and below. So you can participate relatively easily and out of the box. Random bits and bobs: when you go out looking for the fox, make sure you've got one of these really cool external batteries for your devices, because when you're out there for two hours looking, you're going to start running out of juice, and you may get really close to that fox and all of a sudden you're at 2%, 1%, and you're not finding the fox. USB hub: I recommend this because when you start putting in the Wi-Fi dongle and the SDR dongle on the side of your computer, the USB ports are right up next to each other and they're not going to fit at the same time. The dongle's too big, I hate when that happens. All right, so different styles of antennas, directional, omnidirectional: know what your antennas can do, know what they can do for you. Or a tablet: the most successful I've been is with WiFi Analyzer to find the fox. I'm trying to fix that, it's not the only tool that you can use; I'm actually developing something right now. And homemade stuff: because of the paperclip incident I actually got an SMA to BNC connector, I've hot-glued a paperclip into it, so now I have a homemade permanent paperclip antenna so that I'm not just sticking it in the end of my freaking, like, the actual dongle that I have. No, don't, I do what I want, I'm grown.

All right, so after I copied somebody and I had this giant USB hub with 19 dongles in it, because I did my single-people money thing, I still couldn't crack anything, and come to find out I was oversaturating the USB bus. When you are pulling in that much information from five different cards, doing airodump, Kismet, doing everything else, it is not going to work for you, and then if you try to do SDR at the same time you were just pulling too much information through that one area. Focus on a few things at a time, because your computer is not going to be able to take it; if you want to do 18 things at once you're going to have to bring in hardcore hardware.

So this is my most fun story. I got cut loose with Corey's HackRF that wasn't in a case, with a PortaPack and a floppy whip antenna, because I had it on good... they told me that the SDR fox was actually going to be at the party, so I believed them. So I'm walking around drinking my White Russians and my ciders, and about 10 drinks later I was finally told "have you not been looking at Twitter?" "No, I'm freaking looking for the fox." So the fox left and

went home, so I was looking for nothing for an hour, but by this time I was thoroughly beveraged. Dessert? Huh? "Visa," and then just walk away. "Hey, what's going on?" There was also one gentleman that was really, really drunk too, and walked up to me and was like "hey man, I've seen like a couple of those, like what is that?" And I was like, because I'm an ass, a not nice guy, I said "well, it's a small penis detector and it's going off, so you've probably seen several." So his entire group of friends, all of a sudden it was "ohhh." But no, the credit card thing was the best. But so this is what that setup looks like. Like, at a hacker conference you're holding this weird contraption, and you know not everybody does wireless. You've got your red teamer guys that are hardcore into this, you've got database guys that are into that; not everybody knows what this weird gizmo with this antenna is. So you have to be prepared when you walk up to somebody and say "I just got your Visa information," you might take one to the... so don't. I'm prepared for that. I was also thoroughly beveraged, so it was not going to be a problem.

So thank you, thank you to everybody who's contributed, thanks to the Wi-Fi Village, it's been freaking fun. I'm not retiring or anything, you've not banned me yet, but thank you BSides, and thank you to everyone else. Is there any questions? No, actually I probably could... I had to take a bunch out. So is there any questions? Do what? When you found... maybe? There wasn't really like a whole... Yeah, so I mean the battery is generally just for your devices. Like I've got the Community Edition Pwn Pad; those, they're okay. So with an OTG cable, because you're rooted, you can actually hook your SDR up to the Pwn Pad, and there's a 99 cent app on the app store that is amazing at doing an SDR waterfall, so you just punch in the freq and you can go straight to it, and if you get it for the phone you can do the same thing. I do not have RF Analyzer. As you mentioned at the beginning, the Wi-Fi Capture the Flag intro brief has a lot of this stuff, tool list... yeah, I did not, I was not trying to recreate their intro brief, because it is great, but I mean these are just small things that I've learned along the way. Anybody else? Bueller, Bueller? All right then, I'm done. What? No, bring it. Ninja? No. So depending on where you live there's a lot of great resources. Like I'm from Maryland and we're kind of a Baltimore hackerspace, Unallocated, and we're actually doing an SDR class right now, and we just did three weeks of training, and we're having our own little wireless CTF with just SDR on Tuesday. Their website, the WCTF US site, is just littered with links and everything that you need to find out, and if you go downstairs, if you're a new person, I will help you. All right, anybody else? Bueller? Let's go. Oh, right by BWI, like there's a prison right here, a prison right here, and then there's us. No, no, I'm kidding. Which website? Absolutely, yes, unallocatedspace.org. One more, all right, final call. Yes sir? [inaudible] Yes I do. The website is Grave Before Shave, Grave Before Shave. Say again? How do magnets work? So, you listen to Insane Clown Posse and they've got a really great write-up on that; they put out a white paper. Bring it on, what else, what you got? How big's my gut? Well, it depends on whether I ate recently or not. I love you too, I will see you afterwards. So if that's it, I'm done, I'll let y'all cut loose, because it's lunchtime and I'm hungry, I got up at 6:00 a.m. How dare you, sir.

an advance for the ICP theme uh as I said um it amused me great L at the time um and then I realized that there's a problem cuz it's clowns and as we all know clowns are truly the biggest the biggest threat facing America nowadays so who am I and the disclaimer I'm a security professional by day expen tester disassembler of things evaluator of risk now I seem to be in that management consulting role where I try to convince people that security might not be a bad thing but not in a beat them up kind of way I'm no longer saying No I say let's figure out a better way or as my boss likes to call it

solutioning your problem space I say that with a straight face because I am this far from getting a consultant as neck tattoo uh I am not speaking for my employer especially if I still have one after at the end of this talk I'm also a lawyer uh I advise my fellow Security Professionals I see a lot of contracts um generally people send me employment contracts statements of work Master service agreements and whatnot it could be their entry-level pentesters trying to go are is my company trying to screw me they can be veterans who are hey I've been doing this for a while and I want to license some technology to somebody are they trying to screw me and I get to

get a really good like mirror I get to have a really good visibility into our industry by doing that and there is nothing as creepy as me saying to somebody at a conference where they're like the chief C they're Council for large shop like man you like like firey and it's like oh yeah read a bunch of your contracts and like how did you see them like um cuz I'm the guy who does doesn't say no I write a lot of contracts even though my day job is doing security I get the job of writing statements of work a lot because well I'm a lawyer I am not a jug um as I said this joke was

funny at some point I think we've hit that point so what are contracts they're formal promises they clarify terms that we're agreeing to they Define satisfaction of promises and I know that sounds strange but I promise to do this thing well how do we know when we're done right simple contract I will sell you my car for $5,000 well how do I know that we're done you have my car I have $5,000 were there other promises entailed in this in this conversation did I promise something else did that go away during our negotiations cuz if you've ever sold especially if you sell Consulting Services you know how you talk about a lot of things and then you

send them that you send them a proposal and they go I really like the proposal except for one thing it's too expensive can we can we can we do something different and the next thing you know you've cut a bunch of stuff and they still think they're getting what you originally proposed and that doesn't work so you the point of the contract is to lock it down and formalize it and say yeah at one point we talked about that you know at one point we talked about a five course dinner you're getting half of a Big Mac because we're pay you're paying one tenth of what we originally what we originally talked about so the purpose of a contract is to

is to Bas is to lay all that out in such a way that it's formal so that way at the end no one's going but I think you owe me this it's how you assign risks of unknowns who here has ever knocked over a system during a pentest I'm the only person who puts up their hand and admits that like oh yeah did you need DNS of that shop yeah um who's responsible like who's responsible that actually causes business damage hopefully in your country you've got some like while we'll attempt to not break everything we touch um if we do we're not responsible for it like we're responsible that we're going to help you fix it maybe but if we cause

you business losses, it's not on us. That should be in your contract. It's the intent to be bound; it's a promise that is enforceable. So, kinds of contracts. There is unilateral, which is a promise for performance: the first person who gives me 10 bucks will get this roll of tape. It's one promise and performance, so the first person who hands me 10 bucks gets the tape. Then there's bilateral, which is a promise for a promise. If Rogue just says, "hey, I've got 10 bucks, I'll give it to you for that tape," well, now he's not offering 10 bucks, he's offering a promise to give me 10 bucks, and for some people that's the

same as 10 bucks; for other people it's dramatically different, it's substantially less valuable. And then there's quasi-contract: there are things that aren't contracts that still kind of bind people. We have promissory estoppel, which is a fancy way of saying I relied on your promise, and then there's detrimental reliance, which is I relied stupidly on something you said. Like, I relied on your validation that this company was handling PCI data correctly, and therefore I, as a bank, am suing even though I have no contract with a certain QSA; I'm suing them anyway. So the basic requirements of a contract, or the questions of a contract, are: was there a promise? Did someone actually promise to do a

thing? Exactly what was promised? And then, was there consideration? Consideration is value. I promise you a thing for a thing; both of those promises may have some value, but there has to be something of value, and something of at least minimal value. Often times contract textbooks will talk about one single peppercorn, or a penny, or a dollar. It doesn't have to have significant value, it just has to have some value. A promise itself is consideration; in a bilateral contract, a promise to do something or not do something is consideration. However, what isn't consideration is promising to do something you already owe. You know, when I said I'll give someone this roll of tape, and they give me 10 bucks and I

don't give them the tape, and I say, "well, for another contract, an extra two bucks, I'll give you the tape." No, I already owed you the tape, so that isn't consideration for that second contract. And then the questions are: was the performance actually done? We promised something; did you get that? So breach of contract is when you didn't get what you expected to get; I failed to perform as agreed. And there are two kinds of breaches. There's material, which is when the thing that I haven't done is so core to the agreement. Like, I'm going to pay you for a penetration test; well, the penetration test is probably material to the contract, and the payment is probably

material to the contract. Something like "it will get delivered on a certain day" may or may not be material, right? A late pentest report may be as good as a not-late pentest report, but not getting paid is material. And the importance of material breach versus immaterial breach is what it allows you to do. If it's a material breach, the other side, the innocent side, gets to say, "nope, I'm out, I don't care what the contract said, I am withdrawing, I'm going to do other things now." A non-material breach: say for example I promise in my contract that I'll provide a pentest and give you a report, and the report will be

competently written, and instead I subcontract that out to someone who's, like, half literate. So it's a pentest, there's a report, and it's just badly written. If you want to make that into your customer-facing letter, you may say, "I have to rewrite this; it cost me an extra $500 or $1,000 to rewrite your bad performance." So while it's not a material breach, I can likely get some compensation for that screw-up. So, damages. When there's a breach of contract there's expectation: if you had done what you said you were going to do, I was going to expect this, and I can be made whole. Say for example I was going to

resell this product on, so I buy it from you for $5,000, I have a buyer who's going to pay seven, you don't deliver it to me so I can't deliver it on to my buyer. I was expecting $2,000 profit; I can sue you for the $2,000 I was expecting. That two grand: had everything gone as planned, I would be two grand richer. That's expectation. Sometimes we might not know what that value is, so we put it in the contract and say liquidated damages: if this goes wrong, you owe me a thousand bucks, because we can't calculate what I'm out, really, so we'll just write it now as a thousand bucks. And then another concept with

breach of contract is mitigation. If I know that you're not going to uphold your end of the bargain, or you don't uphold your end of the bargain, I have a duty to attempt to minimize my damages. This is often done in employment contracts: I hire you to do a thing, we don't start because reasons, and you go, "well, I was contracted to go do this work for you for two weeks, but nothing happened and I didn't find any other work, so I pretty much spent two weeks on Reddit eating nothing but Cheetos." No. To minimize your losses you should have done things like go out and find other work; you should have

mitigated your damages as opposed to the job that didn't materialize. And then there's anticipatory breach, which allows me to say: you have made no attempts to perform under this, and because of your ineffective or non-existent attempts to perform under this, I think you cannot finish, you cannot actually perform. Usually this is brought up in things like contracting: you said you're going to paint my house and it was going to be done by the end of October; it's halfway through October and you haven't shown up, you haven't even asked me what color paint to use. You can't possibly complete it in time, I'm backing out, because I am anticipating that

you're going to breach; I'm out. And then there are two other concepts called waiver and laches, which is, in the performance of the contract there are certain ways that one side does not fulfill all the needs and the other side doesn't care enough to call it out. We call that waiver. Where, say for example, you promised something to be done on a certain date, and it shows up two days later. If I don't call that out, if I don't say, "wait, that was two days late, that's a problem," and we keep on doing it where it's always two days late, eventually I'm not able to say, "oh yeah, six weeks ago that

was two days late, I'm not paying," because we've waived it; I haven't called it out, I haven't said anything. So before I start talking about actual kinds of contracts, I want to point out that getting clever with contracts is not always a good idea. A lot of people ask me to write really just nasty contracts with ugly penalty clauses and the like, and I try to school them not to, because unfair, one-sided contracts don't help anybody, for this reason, and I'm going to give an example. Like hiding terms under other headers: a contract usually has a header for each section, so we're going to talk, like, non-disclosure: you may not disclose

anything you learn under this because it's important to us, thank you. If you hide another clause under that header, like non-disclosure and assignment of intellectual property, because you're going to breeze through and go, "oh yeah, non-disclosure, non-disclosure is non-disclosure, don't care," but if you hide something else, you're being a dick. And it means that if you're willing to do that in the contract, the first thing you see when we're actually talking about going from a sales pitch (and remember, in a sales pitch everything is wonderful, right, everyone is on their best behavior; it's like dating, but you want to have one hint about what this person is like when things are more settled, are they going to be a horrible,

horrible person) the contract is the first time you can see what these people are actually going to be like when things get a little itsy. Overbroad signing of unrelated rights: I've seen this in a bunch of contracts, like "all intellectual property you've ever developed is ours." Like, no, I probably walked in with a couple of inventions that were made on my time or a previous employer's time, not yours. Cannot has. But you look for that, and you're like, "wait a minute, if you want that, you're going to be a pain in the ass to work with." And the takeaway I have is that this is the first time you get to see how the

working relationship's going to work. If they're going to be a pain in the ass now, four weeks into this they're going to be horrible. And sometimes you take a look at their contract and you go, "this tells me bad things about you; you're going to be a pain in the ass, you're going to try to screw me." And I'm thinking of a few friends who are dealing with this, where someone brought them in to do some work, and everything was cool, they did the work, and then it was like, "yes, we'd like to be paid, we'd like to be paid our expenses for this," and the person who brought them in is like, "um, yeah,

about that." And some people require the threat of a lawsuit to pay up; some people won't pay even after the suit's been settled. You know, the Donald Trump argument: like, yeah, screw you, you may provide the services, I'm not paying you until you make me. And the problem is that if you know going in, when you see the contract is being very one-sided, it means they're planning on screwing you, and it makes sense to say maybe I should hold off, maybe I should renegotiate the contract, or, if you are, thankfully, in our industry, where there might be another contract waiting to happen, you go, "nope, not doing business

with you; maybe you should try to find someone more desperate." So, getting clever with contracts, continued. These are ways of being clever with contracts that are actually helpful, and I call this acceptable cleverness. The brown M&M clause: for those of you who are under the age of 35, there was once a band called Van Halen, and what makes them important is that they were one of the first big arena rock shows. Prior to them, even for big shows, all their equipment might fit in two or three 18-wheel trucks; Van Halen's show was like 15 18-wheel trucks, and they required certain engineering capabilities for the building, as in it has to hold this much weight,

we need this much power, we need this much crew. And concert promoters, sleazy creatures that they are, would just sign whatever contract, and there's a case where the Van Halen stage show actually damaged the property because it wasn't built to hold the weight. So David Lee Roth, the lead singer, comes up with the idea: in this contract (and the contract rider is like 85 pages because it's also all the specs, like here's where the power has to be, here's how the lights have to get set up, here's this, this, this and this) they put a clause in that said there will be a bowl of M&M's in the dressing room; there will be no brown

M&M's in that bowl. And many people, when first seeing this, go, "oh God, it's just, like, rockstar pretentiousness." Instead, it's a very, very quick way of determining whether or not you actually read the requirements and are producing something I can work with, right? David Lee Roth can't have his own crew go and check power, he can't check the engineering specs on the building, but it's really easy to go, "no brown M&M's, they read the contract." I'm a fan of the tech version of that: the RFC 1149 requirement for any network gear. Some of you laugh; some of you should look it up. It's IP over avian

carrier, and there is nothing like putting that in a requirement to see what happens. Because you get a sales guy who's like, "oh, of course it's RFC 1149 compliant," and there's a sales engineer going, "he's an..." You know, the guy we're trying to sell this to is clearly an... he's smiling and I don't like it, I don't know why. And you watch the sales engineer go, like, "I'll get back to you on that." I actually did that for a, it was a tape, a robot tape library, and it's like, "is it RFC 1149?" and the sales guy was like, "of course it is," and the partner's like, "shut up,

no, we'll just get back," because he's asking us. We had some other requirements we wanted as well; they would go, "of course it's FireWire compatible." It's SCSI, it's not FireWire. So make sure everybody's actually read the... if you have specific weird requirements, like you have a union requirement for your prevailing wage, or you've got a nationality requirement, you can't have any non-Americans on the contract or something like that, you want to make sure that they've read that weirdo requirement now, instead of going three weeks in, "oh, did you mean that?" Yeah, yeah, you did. So quickly do something that should make them

laugh. "HR, you read this contract?" "Yeah." "I said no." "Read it." "Yeah, I... what we're doing..."

That's common; it's very common to see recycled contract language, especially in this industry. My favorite is one that I got from someone in the community who's like, "I'm trying to sell services to a midsize company in the space," and I read the contract and I'm like, "are these guys hooked up with Yahoo?" Because sometimes the contract specifies the name of the company, other times it specifies Yahoo. I'm like, "are they a Yahoo subsidiary?" And we were like, "I don't know why Yahoo has a subsidiary in Allentown, I don't know." And then we finally asked the opposing counsel and he's like, "oh yeah, we just took the

boilerplate from Yahoo's terms of service." I'm like, have you heard of find and replace? I would just recommend that. I found he billed his client some like $28,000 to write that contract; I'm like, I'm in the wrong business. So other things you do with contracts is hedging risk. Indemnification: in the case of, say for example, you're operating as a QSA or you're operating as an auditor, and you audit a system, you audit a company, you audit an application, they may ask you to say, "if you certify it as good, or you identify the flaws and we fix all those flaws, and it still gets breached and it

causes us damage, we want you to cover our costs." That's indemnification. This can be dangerous, especially if you're a small shop. Hold harmless is a slightly less painful version of this, which just says you won't sue me for this. Often times I try to put this in pentest contracts that I write, where it's "you will hold us harmless for our activities in scope." If we knock over a system that you told us to test, and instead of us getting shell we just dropped it, you can't sue us for it. We'll make every attempt; you usually want to have language that says something like, "we will do everything we can to

not break it, but if we do, you can't go after us for it." Liquidated damages: I don't know what my losses may be, but let's set them now; if this happens, you pay me X, instead of us having to have later discussions about it. A limitation on damages: even if I break everything, let's limit it at $500 or $10,000, or whatever the two sides are willing to agree to. But it's a hedging of the risk: I don't know what the damages may be, so let's set them; we can just fix them with liquidated damages, we can cap them with a limitation clause. And this snags so many shops: somewhere in that contract you

agree to follow NIST 800-53 or 171, or you attest to being ISO 27002 or HIPAA or some other requirement, and it's always hidden there. The number of ones I've read that have crazy requirements, like you meet both FedRAMP and PCI requirements, for a shop that writes software that doesn't touch payment card or federally mandated data, but they'll put that requirement in there. It's a way of, if I'm writing the contract, hedging that you may lose my data: you'll fit at least these requirements. Usually we'll also pen in an audit clause that allows me to check to make sure you're doing that. This is more common in a something-as-a-service

market, but it's something there. Other clauses you'll see in contracts are how do we handle an eventual dispute. We may have a choice of law: any dispute under this happens under the laws of Delaware or some other state; you just pick one where you think you know how it's going to go, so that way there's no surprises. You can do a choice of venue to prevent, say for example, I'm a Pennsylvania corporation, a Colorado company hires me, I say choice of venue is Pennsylvania so that I don't have to go to Colorado if this goes sour. Arbitration and mediation clauses: often times you'll see these in there to essentially require some step before

actual court litigation. Often times, though, these are one-sided: one side will require arbitration but not bind themselves to arbitration if they choose to initiate it. Other things like control of information, and these are just concepts you'll see there: the non-disclosure agreement, all information you gain under this stays with you, you don't publish it, you don't use it. Non-disparagement: no matter what happens during this engagement, you will not talk about us, ever. Restrictions on internal use: how you will be holding our sensitive information; it only stays within your practice area, it only stays within named employees. I've seen this a lot when you're talking, like, large consulting companies, where, say, like Deloitte, you

may say, "well, I only want the following practice group to be able to see any of the information that we're giving you; we don't want this to go to everyone at Deloitte." Restrictions on reuse and marketing: I should be seeing more of this, where you grant rights about your marketing persona. Say for example, and I've seen this in the field, where, like, a network manufacturer says, "we've just sold you a million dollars of equipment to solve a problem; we would like to be able to use your name and your logo for our next pitch, or for our marketing materials." The problem is that, how many people have ever done really good

open source intelligence using marketing white papers? I know I have. There's nothing like showing someone the network map of their SCADA environment by showing a vendor presentation on it. Like, "that's secret information!" Like, no, Google gave me that, because the vendor did that: here's a picture of your network map in a vendor presentation. So it's a way of controlling information you're giving. Assignment of intellectual property: if you develop any intellectual property under this contract, whose is it? So you have, like, work for hire, where any intellectual property you create while you're working for us is ours; we paid you, it's ours.

So, how to interpret contracts. There's ambiguity: I don't know what that term means. Do you look for defined terms in the related contracts, if you have multiple contracts? If you've defined the term, you can use the customary definition in the trade or business. I have seen some shops that will try to bend this, as in a certain large information security vendor that believes that a Qualys scan plus manual verification is a penetration test. That is in their language; if you actually want someone to get shell on your system or to pivot, that is the "advanced penetration test." But that's in their contracts, and they're like 60-page contracts, so

the only people reading them are lawyers, who might not immediately sneer at that. So if we don't have defined terms in the contract, if we're not clear on the customary definition, the court will often just say whatever is the commercially reasonable interpretation of what that term is. So that's sort of a background on contracts: a half hour on contracts, for a course that's usually a whole year in law school. So, contracts that affect us. Employment: we all like being employed. Usually employment contracts will have a non-disclosure clause or non-disclosure agreement: I will not reveal what I have learned here, usually limited to things like sensitive business information, the plans, proposed technology, trade secrets,

and other sensitive information you have obtained during your employment. A non-compete: after working here, you will not attempt to hire people for a certain amount of time; you will not go to the people you supported, if you were in a consulting field, and go try to get them; you will not work for one of our competitors for a certain amount of time. And the relative enforceability of this depends on what state you're in. For example, California restricts non-competes in ways that we don't on the East Coast; non-competes have teeth on the East Coast, they don't have as much teeth in California. So that's why you go for the

choice of law, choice of venue question in the original contract, to go, "should I worry about this non-compete?" Work for hire and invention assignments: I've seen some ugly ones of these, where an invention you come up with six months after you've left is ours unless you can show that you never thought about it. And, like, how do you show that? I am not so anal retentive that I take shower notes. You know, you have that realization as you're washing yourself, like, "wait a minute, that might work," but how would I prove to my employer that I didn't come up with that

on their time? So often times when you're negotiating a new job there'll be a declarations page: these are my inventions, I walk in with them, I'm walking out with them. At-will employment means they can fire you for any reason or no reason; even though this is an employment contract with them, can we end it? Yeah, either side can end it at any time if it says at will. Most contracts usually are. So the second kind of employment contract I'll go through is the termination or exit agreement. You've decided to leave; it may be a mutual decision, it may be unilateral, maybe your employer is really

tired of looking at you, and as such, well, they will ask you to leave. And usually, especially in this field, they'll ask you, like, "look, we would like you to sign another contract," so that by doing so you give up any rights you had to an employment discrimination lawsuit, any question that we still owe you money, any question about anything else we owe you. In exchange we'll give you severance, we will extend your health insurance, we'll give you a thing. The last job I left, oddly enough, one of the promises they gave was two monitors. I mean, they're nice, they're like 22-inch Dells; like, hey, that's cool, that was a part of my exit agreement. But this is a

final attempt to renegotiate things. However, they can add things into the exit agreement that weren't in your employment contract. So even though you may have walked in with your invention assignment, the exit agreement may rescind that, because it's essentially a renegotiation, so be careful. Often times you'll have non-disparagement: you can't talk about us, we can't talk about you. Assistance: this is a fairly common one; I'm seeing this getting actually used. Where, if you haven't fully documented your code, or you have some chunk of information about a client situation or our environment, there will often be an assistance clause that says they can essentially rehire you as a contractor; you agree to this to get them

over that hump. I've seen it threatened more often, because you get the, "hey, how does this work?" "Screw you, I left three months ago." "But you remember there's a trick to it; tell me what it is." And, you know, they can threaten with "we can just rehire you, we can force you to come back and do the thing." So often times you'll just divulge, like, "oh yeah, it's up, down, up, down, A, B, A, B." So, business contracts. You've gone from being an employee to maybe you're negotiating on behalf of your company, or you're running a company. Non-disclosure agreements: usually the first; what I think of as the flirting part of the

relationship. All you're doing is saying I'm going to divulge some information; we have no business relationship past this; it is merely that I want to be able to talk freely about what I'm trying to do. So, non-disclosure. The second one, and this is for a contracting or consulting role: the master service agreement. This establishes all the rules by which we're going to do business, right? It doesn't say what we're going to do, but this is things like how are you going to get paid; if we do something, are you going to get paid on invoice, is it going to be net 30, net 90, based on a retainer? So all the

rules about every subsequent contract go through the MSA, so it's essentially how we are going to do business. If you want to think of this as, like, a network thing, it's the handshake. This establishes all the rules by which future business will happen, but it doesn't describe what we're doing; it just says if we do a thing, this is the master. So terms of payment, assigning risks. The actual performance is in another contract: the statement of work. Those of you consultants, if you have not learned this yet, this is the first thing you read when you're told, "oh yeah, you've got a thing to do." I don't talk to the sales rep who

sold it, I don't talk to any of the engineers who are currently working on it, I read the statement of work, because I want to know what did we actually promise to do. And by read it I mean print it out and circle things where you're like, "what does this mean?" One shop I worked for, the person writing the contracts and selling them would put in phrases that had no meaning. One of our deliverables was always a "possibilities matrix." What's a possibilities matrix? I didn't know either. So every one of my deliverables had section whatever, "possibilities matrix," and it was like a 4x4 matrix about possibilities, and I realized it was like

a way of saying we're going to sell you all these things. You're like, but this is actually of no value, but we promised you a bunch of things. But that's the statement of work: it's all the things you're actually promising to do and all the things they're promising to do for you, as in payment or anything else you might be getting from them. The SLA, the service level agreement: how quickly will you respond, what is your uptime. So this is less about contracting and more like if you're bringing on something as a service; this is essentially your... These two, though, are essentially, if you have a conflict with the person you've

contracted with, the first thing you read, and you reread it to figure out who's out of line. So those of you who work in healthcare, this is a scary, scary thing: the business associate agreement. It is not merely a contract. By signing a business associate agreement you are certifying that you comply with HIPAA, and the number of times I see BAAs get signed by consulting companies who are doing work that should not make them business associates under HIPAA, but they sign it anyway because you want the sale. All of a sudden now you are promising that your own internal processes are best practice. Who here thinks their own internal processes are best

practice? Right, not you. Like, I remember this: clear desk, clear screen as a requirement, and I'm like, well, there is a desk and a screen under these piles of paper and equipment. Because I remember doing this, like, I wouldn't pass this, you know, and I'm telling a company, "oh yeah, you should do that." "Do you do it?" "No." All the official business locations of our company in Seattle may do this; I don't know, I'm not there right now. My own office? No. So this is kind of scary, because it essentially says I'm agreeing to follow HIPAA and HITECH security and privacy rules, and you're like, "yeah, but I'm a

consulting firm, I'm a freewheeling, you know, white hat hacker, rules, schools, I'm leet, all your stuff is going to be on a thumb drive on my desk, at least I think it's on the desk, it may have fallen off." So you're now ascribing to all those things that you expect someone else to do; you're like, "uh, oh yeah." Or it'll often be, and I've seen this especially when doing work with really, really large healthcare organizations, like hospital chains or health insurers, that not only do you say that you're going to follow HIPAA, they're going to also publish their own more rigorous security rules, and you're filling out the vendor

assessments that you often send out. You're like, "wait a minute, I have to follow this? I have to do these things, like a peasant? No." So those contracts are dangerous. You have to encrypt your email: yep. The best one was, like, you have to use those, and I hate those; it sends you the link that you come back to, and then you're like, "why doesn't this work on my browser?" Because reasons. You're like, "do you have one you recommend?" I'm like, "yes, none of them." So these are dangerous; be careful. I find, even though, and I've done this, where I try to explain to a client, an information

security client, like, "I'm not signing this because I'm not touching any of your healthcare data." Even for things like a HIPAA assessment, I'm like, I'm not actually looking at your PHI; if I see PHI, I'm not going to look at it, because I don't want to know what you're doing. I will just call it out and say I could see PHI, but I'm not handling PHI, I'm not a subcontractor in that space, I'm not that kind of girl. Audit clauses: these are threats, less so, like the amount of time. If they're going to bother to do an audit beyond a questionnaire, a follow-up phone call and maybe a site visit, if they're

going to do, like, a full-on audit, they're thinking of dropping you, because there's got to be a competitor to you somewhere that isn't screwing it up. So you want to be a pentester. You've got an MSA you sign with; you sign the agreement, which is: how am I going to get paid, when am I going to get paid, what else do I agree to? Things that are dangerous: indemnification. I've seen this stuck into a bunch of master services agreements, where the client expects you to indemnify them for any damages you may cause or you fail to find, and it's caused, as in, you do a pentest, give a clean bill of health, four months later

they get owned, they want you to step in and cover their costs. You can, I mean, if you've got $20 million in the bank to indemnify, as an indemnification fund, go for it; otherwise you're going to an insurance company, who may now require that they view your stuff to make sure that you are a worthy risk for them. So be careful about those. Hold harmless: you won't sue me if this happens. I often try to get those into master services agreements for in-scope stuff. Statement of work: you include the scope of action in the statement of work, the following systems, applications, locations, however you're defining the work; you want it to be very, very specific. If

you're doing a scan and pentest, the following IP addresses are in scope; you want to make it very clear this is what I'm hitting. If that doesn't happen, or it gets changed, right, "oh yeah, we put in these new systems and we tore these out, because we wrote the statement of work four months ago and we couldn't get it approved; we've changed our infrastructure between then and now and we didn't want to change it." So there might be some kind of kickoff meeting you have, where you essentially renegotiate the scope. Get them to sign it, if only to say send it from their email, like, "we agree this is the new scope," or "this modifies

the scope in the statement of work," because, and I keep beating this up, you want the scope of what work you're doing to be clear. Oftentimes the meeting notes will also say things like when may I pentest your systems, and why is it always, like, midnight to 4:00 a.m.? Why is that always the rule? Yeah, and then we'll have a status call at 9. That was me for six weeks, like, on the phone, like, snoring. Alerts if we knock something over: "Yeah, we did this test on it and it doesn't ping anymore." "It was listed as something like 'Master A'; is that important?" "Oops." "Yeah, we should let you

know. The get-out-of-jail letter, for those of you who do physical pentests or social engineering that gets a little aggressive: the get-out-of-jail letter is essentially a shortened version of the scope of work, signed by either client legal counsel, the client CEO or president, saying the person standing in front of you is a pentester, they're allowed to do whatever stupid thing they may have just done between this date and this date, no need to call the cops, if you've hit them please apologize, you can put the gun down. Yeah, it explains what you're doing. The idea is this: in every

physical pentest there's always that moment like, I'm going to do something stupid, and next thing you know you're like, yep, someone's called me on it, and it's not just like, oh, I'm sorry, I'm leaving now. No, you need to be able to show the letter that says trust me. Sometimes you're showing that to the police. This is something now that everyone's going to the cloud: identify the ownership of the stuff you're testing. If your client has put a bunch of stuff into AWS you may not be able to pentest it, because, you know what, Amazon really doesn't like you pentesting their stuff. They react badly to

this. Amazon actually requires you to go to them with a request for authorization, because otherwise it's an attack. Sometimes a redirect takes you over the line. I found this during a test: something that was in scope was actually hosted elsewhere. I went to its root directory by doing that, you know, go up the web server to hopefully find the Apache admin page, and instead I found someone else's box, which I owned. Looked at the IP and went, that's not ours, that was Rackspace's. I should go explain to Rackspace what I just did. Sorry. Yeah, I got shell in, oh, I got shell on someone else's box, oops.

So that's the story I have for that. So what you want to do is, if you have identified colocated, cloud, whatever-as-a-service stuff, get them to, well, you don't want to do this, because, I mean, think of it this way, think of how Amazon or Rackspace is going to deal with, like, "oh, I'm a pentester, I'm going to be pentesting this box." "No you're not, you're a customer of ours, go away." Get them to get all that stuff in place or come up with another solution. But that's why scope is so important, because breaking a system that is in scope is just a bad day for them. If you've written this correctly, you're

indemnified. If I break into a system that is out of scope, I have now committed a felony, and a felony does not look good on your permanent record. It prevents criminal and civil liability if your scope is good. So, say for example, now going back to contracts, what happens when there's a conflict? They believe you haven't performed, they don't like what you're saying, and it goes from argument to, all of a sudden, people aren't accepting meeting invites. That's when my blood runs cold, like, uh oh, no one's on the status call, no response to my "thank you" for my status spreadsheet about what I've done. So you know there's a problem. What can you do?

You might be able to renegotiate: you talk to the principals involved and say this project has somehow gone off the rails, how do we keep this going? Do we extend scope, do we extend time, do we change the amount of money involved, do we do something, how do we keep the business relationship? Fine, you might have to offer something new on both sides; essentially it's a whole new contract. You want to identify the breach, and the breach is the breach in contract: what did you promise to do that you didn't do, what did they promise to do that they didn't do, because you're fighting about that. You want to figure out how you can fix that, how

you can cure that problem. This is now getting uglier: you've assumed, like, they've breached their side, so you can say I believe that you won't continue performing, we are out. Anticipatory breach: you will not do what you're supposed to do in a material fact, you're not going to pay us, you're not going to get the project done on time, you haven't done core things to it, we're out. Like, the extreme one of these is all of a sudden your badges no longer work at the job site, because they have basically told you leave, all y'all get out. Threatened lawsuit: this is now, things have spiraled into stupid, actually they're spiraling into stupid, because you've gone

from we were making them happy, we're making them relatively happy; at this point no one on the technical teams on either side is talking. This is maybe the, if you're the principal of your shop, you're talking, and you're now not talking to the technical people, you're likely talking to people in business management, or maybe legal. You're now fighting over whether or not you're going to continue it at all. Like, this might be the end of the business relationship. And then you've gone from threatening a lawsuit, you've written a couple letters or your attorneys have written some letters, to you actually file a lawsuit, someone files a suit about this. All of a sudden now you're no

longer really worrying about getting paid, you're worrying about escaping. So, any questions on

contracts? Okay. So, third parties: if I say "hold harmless," it means we're not going to sue each other under this. Indemnification means that if someone else sues me, you're stepping in, right? You promised to do a thing for me, like you're going to test my system and you certify that it's good. If it's a mere hold harmless, it means that if you break it, or I cause you damage, no. Now you're standing in and saying, customer, yeah, customer sues you, you're defending me. Yeah.

Right, especially if it's not yet done. If you're, like, working on a project that has not yet made it to GitHub or isn't really there yet, you would probably want to name it in your inventions disclosure, because it's like, I'm working on, and come up with, that's why I often tell my clients, like, come up with a name. Just name the thing, so that way instead of some, read it, it's like a patent declaration like "a thing that does awesomeness," wow, that's useless. No, it's a library that does this thing, and now it's a thing, and you can basically claim it as, I'm walking into this place with this. Now, in a lot of cases, thinking

about inventions, if they are closely related to what you're doing in your day job, you want to be careful lest you recycle code one way or the other. Now it becomes where the company can rightfully say, well, wait a minute, which of this code did you write for us, which of this code is now in this open source project, this smells like what we paid you to do. So that's a

concern open anywhere very rarely as a leader in open a lot of know contct way

allely very broad terms anything do

Yeah, so the difficulty now is, how do you protect the project if these guys can come in and say all the code that this person, and you're like, but then you're like taking out, like, individual lines, like you're going back to commits and going show me, show me on this what's yours. I'm less concerned about that for open source, because most of the time, unless that open source package becomes incredibly valuable, like the Linux kernel or something like that, odds are it's going to be like, yeah, it's a wash, we don't think there's anything of enough value to fight you on

it. Yeah, it's one of those, like, I identified this as a risk the same way I identified that there is, you know, meteor or clown risk involved. Cool, I think we're done. Thank you so

much.

So who am I? I'm Digital Flame, a penetration tester and digital forensics analyst for a company called Essex Tech. I'm a programmer, a security researcher in my part time, and I'm a Raspberry Pi enthusiast, and I love popping boxes, hacking video games and sending phishing emails, especially those, they're really, really, really fun to do. And Python is life, best programming language ever. So, going over what we're going to cover today: the need to bypass antivirus, why we want to do it, the ways antivirus does catch malware; we're just going to go over how antivirus does what it does so we can get an understanding of how we actually bypass antivirus. We're going to go

into current bypass processes and Windows memory injection, also some of the API methods Windows uses for that, AV trust, and then finally the AV bypass, how you detect it, how you remediate it, and I'm going to release the source code to this exploit once I finish this talk. So, antivirus: you might have seen it, you might have used it a lot of times on many of the three operating system platforms, such as Windows, and if you're a Windows user you kind of grunt, you're like, oh, it's, you know, a necessity of life, I need antivirus or else, you know, I'm screwed. Not always. But then if you use Linux you're like, uh, what's

antivirus? I don't need this. But the even better thing is if you're on a Mac you're like, antivirus? My operating system is super secure. But then this happens, and your super secure operating system does need antivirus. So, and also, with antivirus being so effective, how come this happens? You know, we have ransomware on the rise and we have computers getting affected by many different types of malware, not just zero-days but different types of ransomware; we would have ransomware that encrypts hard drives themselves, and people still get affected by the little things that antivirus apparently does not catch. So why do we need to bypass antivirus? Well, penetration testers need it, red teamers need it, and the bad guys

need it. Now, if you ask Google Images what a bad hacker is, apparently he looks like that. I mean, I was going to dress like that, but then I realized I could just cover my webcam, I don't need the face mask. But you don't need gloves? I might need gloves, that's a good point, I should have brought those. So why do we want to bypass antivirus? Well, one, it saves us frustration. You know, if we're running, you know, Mimikatz, which is a very popular penetration testing app, you know, it's detected by antivirus. So, I mean, I've personally, myself, on an engagement, turned off antivirus on a client's computer just so I can run Mimikatz. So

you know, to be able to evade that completely and not have to worry about, like, editing something in a client's environment, you know, I don't have to do that anymore. And also, successfully deliver payloads. You know, the last thing I need is an IDS, or even just a HIDS, a host intrusion detection system, to be blocking anything I'm trying to run, or if I'm trying to compile code that, you know, for some reason is flagged, you know, because it's shellcode or, you know, some of it's, I don't know, like a process hijacker or anything like that. And like I said before, it's better than turning off antivirus. Now granted, you could easily do these three simple steps: one, click

the taskbar; two, just click the little Symantec icon, or whatever AV, I didn't say Symantec, whatever AV, and click this "disable antivirus protection." But as you can see, you know, that causes a lot of problems, and I myself personally have gotten kicked out of boxes because it has created a log event that an admin has seen, and they're like, that's not right, and I've gotten shut out of boxes before. So that's something I don't want to do, and that a lot of penetration testers don't want to do either. So, getting caught by antivirus: how does antivirus really catch viruses? So it works on signature detection, and you think about a signature, it's like a fingerprint for antivirus. Just how people

have fingerprints that identify who they are, antivirus, or malware really, has signatures of each individual variant, and that's cool and all. It's based on the file content, or it could be based on the hash of the file, and how it works is very simple. So say we have a file here and we want to determine if it's malicious or not. Our antivirus engine will compute a signature of it and it'll compare it against the current internal virus signature database, and if it meets a signature, or matches, all right, it's malicious, let's get rid of it. However, if it doesn't, it's not malicious, or at least we think so. And one of

the issues I had, especially with this PowerPoint really, but it also proves the file-content power of antivirus, is I'm going to put this PowerPoint up on my website to download; try to send this in an email to anybody, the reason you cannot send this, and I've actually tried to do this, it gets blocked because of this string right here. And if anybody doesn't know, it's on the board really, this is the EICAR standard antivirus test file. Basically, if you put this in right now in Notepad, I mean, it's kind of, like, impossible to type, but if you put

this in Notepad and saved it, it would actually come up as a virus. I mean, it's not really, like, a malicious virus, but this is what vendors use to test to make sure their AV system is working. But like I said, because this is in this PowerPoint, you can't send it, it thinks it's that virus. So, other ways antivirus will catch you: it does current scheduled scanning for malware, and it also does real-time scanning. And real-time scanning is basically when you try to access a file, you try to open up a Word document, whatever, or you try to run a process, it says hey, before you give that person access, let me look at this first,

and it goes and it scans it, and then if it's bad it says no, you can't open this. As you've ever seen before, trying to open up, like, any malware, you know, for testing, or something that you might not think is malicious, and it blocks it, it says hey, you can't do that. But if it's not malicious, it just lets you open it, you don't even notice it happening. It's not as reliable as you think it is. The problem is, if there's not a signature for that antivirus, or that malware, I'm sorry, then it won't get detected. So basically, if there's a new piece of malware that just came out yesterday and your antivirus vendor has not updated your

signatures, or you just didn't update your signatures because you didn't feel like it, you're going to get infected really quickly. There's also a feature that's very old in antivirus but it's really had not much use until now; it's called heuristic detection, and basically it detects the actions of processes. So depending on, like, what it opens, what it does, it tries to see if the process is acting malicious, and it's kind of useful because you don't need a signature to detect if that's a malicious process. If this process is, you know, I don't know, opening like 30 files at once, all right, that seems kind of weird, when does a process ever do that normally? Now there

are some cases, but it's a better detection method, and it is a fast response to emerging threats. So if a piece of malware comes out today and it does something that's commonly known as malicious, heuristic detection will at least say hey, you know, that's malicious, let's stop that, even though I don't have a signature for it. And, you know, like I said, it also detects non-signature-based malware, or non-listed, as well, and this can be seen in a couple of products that have been out recently. Malwarebytes has a new anti-ransomware program, and this is kind of what I was getting to with the 30 files open, is

that this program doesn't have any signatures for ransomware; all it does is say hey, is process A opening a buttload of files? If it is, it's got to be ransomware, let's at least stop it or kill it. And the same thing, Patrick Wardle, an OS X security researcher, also released a program called RansomWhere, and it really does the same thing: it doesn't look at the signature of each process and say hey, is this malware, is it not; it says hey, is this process acting fishy, there's something weird about it, and in the case of ransomware, is it opening a buttload of files. So now that we kind of know how antivirus works, there are some ways

currently, right now, to bypass antivirus. One is encoding and encryption. If you ever used Metasploit, one of the options when you generate a payload in Metasploit is you can say hey, what encoder should I use? There's a couple ones, like XOR, polymorphic, and basically what they do is they change what the underlying machine code looks like, but your code that you want to run is exactly the same. So if you have, I don't know, shellcode that shuts down the system, really simple shellcode, it will look different if you use a different encoder, but it does the same thing always. And that used

to work really, really well, but the problem is signatures have caught up with them, so any piece of shellcode really, even, you know, the basic bind shell, if you upload it to VirusTotal it will come back with, like, 30 hits automatically. You also have loaders; they're commonly used in ransomware, where a non-malicious or non-detected file will be downloaded to your system and it'll run and it'll download the malware, so basically it avoids being detected by real-time scanning, because you're not opening the file yourself, a program is downloading it for you and running it. Now, it can get picked up, so it's not super successful, but in cases

of new malware like ransomware, you know, it's a little bit easier for them. Yes, thank you. Also, custom-written malware, so your zero-days, you know, from, like, any other country, or even the United States, the NSA for example; anything that's not mainstream will also fall into this category. It's not a real protection, but it's one way to get around it, by coding your own malware and then sending it out as quick, excuse me, as quickly as possible. Lastly, the popular Veil framework. The Veil framework actually has a lot of payloads, including ones in Python, C, Go and PowerShell, and you can actually do memory injection with it as well, which we'll get into soon.
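The encoder point made just above (an XOR or polymorphic encoder changes the bytes but not the behaviour, and signatures caught up with the encoders) is worth seeing concretely. What follows is an added example written for this page, not code from the talk, from Metasploit or from Veil: a single-byte XOR encoder with a hand-assembled 32-bit x86 JMP/CALL/POP decoder stub, plus a toy byte-pattern scanner. The payload bytes are constructed filler that execute nothing; the raw-payload signature, the wildcarded stub signature, the stub layout and the key-selection rule are all assumptions of the example.

```python
"""Added example (not from the talk, Metasploit or Veil): single-byte XOR
encoding of a payload behind a constant decoder stub, and why a signature
on the stub still catches every encoded variant."""
import os
from typing import List, Optional

# Constructed stand-in for shellcode: filler bytes that execute nothing.
PAYLOAD = b"\x90\x90CONSTRUCTED-PAYLOAD\x00"

STUB_LEN = 21  # size of decoder_stub(); the encoded payload follows it


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (the same call decodes)."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return bytes(b ^ key for b in data)


def pick_key(data: bytes) -> int:
    """Random key whose output has no NUL byte (the classic bad character
    when a payload travels through a C string). Keys vary per build, so the
    encoded bytes differ each time even though the payload does not."""
    while True:
        key = os.urandom(1)[0]
        if key and 0 not in xor_encode(data, key):
            return key


def decoder_stub(length: int, key: int) -> bytes:
    """Classic x86-32 JMP/CALL/POP decoder: finds its own address, XORs the
    `length` bytes that follow it with `key`, then falls through into them.
    Offsets are hand-assembled for this exact layout (an assumption of the
    example); only the length and key bytes differ between builds."""
    if not 1 <= length <= 255:
        raise ValueError("decoder handles 1..255 bytes")
    return bytes([
        0xEB, 0x0E,                    # jmp short call_decoder
        0x5E,                          # decoder: pop esi (esi -> payload)
        0x31, 0xC9,                    # xor ecx, ecx
        0xB1, length,                  # mov cl, length
        0x80, 0x74, 0x0E, 0xFF, key,   # decode: xor byte [esi+ecx-1], key
        0xE2, 0xF9,                    # loop decode
        0xEB, 0x05,                    # jmp short payload
        0xE8, 0xED, 0xFF, 0xFF, 0xFF,  # call_decoder: call decoder
    ])


def build_sample(payload: bytes, key: Optional[int] = None) -> bytes:
    """Stub followed by the encoded payload, as an encoder would emit it."""
    key = pick_key(payload) if key is None else key
    return decoder_stub(len(payload), key) + xor_encode(payload, key)


def decode_sample(sample: bytes) -> bytes:
    """What the stub does at run time, done in Python: the key is byte 11."""
    return xor_encode(sample[STUB_LEN:], sample[11])


def matches(signature: List[Optional[int]], data: bytes) -> bool:
    """Byte-pattern scan; None in the signature is a wildcard byte."""
    n = len(signature)
    return any(
        all(s is None or s == data[i + j] for j, s in enumerate(signature))
        for i in range(len(data) - n + 1)
    )


# Signature 1: the first bytes of the raw payload (what an AV entry keyed on
# file content would hold).
RAW_SIG: List[Optional[int]] = list(PAYLOAD[:8])
# Signature 2: the decoder stub with its two variable bytes wildcarded.
STUB_SIG: List[Optional[int]] = [
    0xEB, 0x0E, 0x5E, 0x31, 0xC9, 0xB1, None,
    0x80, 0x74, 0x0E, 0xFF, None,
    0xE2, 0xF9, 0xEB, 0x05, 0xE8, 0xED, 0xFF, 0xFF, 0xFF,
]


def scan(data: bytes) -> dict:
    """Run both signatures over a blob and report which one hit."""
    return {
        "raw_payload_sig": matches(RAW_SIG, data),
        "decoder_stub_sig": matches(STUB_SIG, data),
    }


if __name__ == "__main__":
    sample = build_sample(PAYLOAD)
    print("plain payload :", scan(PAYLOAD))   # raw hit, no stub hit
    print("encoded sample:", scan(sample))    # no raw hit, stub hit
    print("round trip ok :", decode_sample(sample) == PAYLOAD)
```

The scanner makes the speaker's point: a signature taken from the raw payload misses every encoded copy, but the decoder prologue is byte-for-byte identical across keys, so one signature with two wildcard bytes catches all of them. That is why a fixed decoder stops working once vendors have it, and why polymorphic encoders vary the decoder as well as the key.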

But it does allow you to create undetectable executables, so if you do have a piece of malware that's detectable, you can use the Veil framework to encode it in a payload that will at least render it somewhat undetectable. So we're going to go into what memory injection is. So like I said, the Veil framework does use memory injection. So memory injection is the procedure of adding your own code to a currently running process. It's not always malicious, as you might think; it's actually used in a lot of PC modding programs, debuggers, Windows system processes do use it, and other extensions to Windows programs do use this as well. It also allows your

custom code to run in the same context as the process that it injects into, meaning if a process is PID 1000 and you inject code into PID 1000, you are now PID 1000. So you're now that process, even though you're not that process's code, you're your own custom code. And basically this is how memory injection works. So I chose calc.exe because, besides, Las Vegas this year was actually, their motto was "popping calc.exe since 2008," so I thought it was, you know, kind of good to choose calc.exe. So say we have our process, proc.exe, and we have calc.exe. Now you'll notice that, included in the instruction code, you have a block of

free space, and every Windows process, at least on 32-bit systems, is given up to at least four gigs of virtually allocated space. Not that you have that much space in RAM, but it can virtually allocate that much. So what'll first happen is our process will call a Windows API call, OpenProcess, to try to attempt to get a handle to that process, and if we have access rights we will get one back, and we will get a handle to calc.exe, and it's basically a pointer into memory where calc.exe is. Next we're going to call VirtualAllocEx. What this does is it allows us to allocate a space in memory of whatever size we decide, so if we'd like, you know, a

thousand bytes in memory, if we have a handle, we have access rights, we can do that. So we call VirtualAllocEx and we create some space in the process. So now we've got this new free space and we've got the handle to the memory block given to us, and then we call WriteProcessMemory, and like the method's name says, it allows us to write our own code into this free space of the process. So now our own code's residing in somebody else's process, and then we call CreateRemoteThread. Now here's really where it all happens. CreateRemoteThread now allows us to trigger our own code at the instruction pointer of our new code, in a

new thread under that process. Basically what it means is now we can start our own code under whatever the process calc.exe is running as. So once that happens, calc.exe is now pwned; we now are running our own code under calc.exe, and unless you're looking at it really closely you're not going to notice that calc.exe is now doing something malicious. Now, one important thing in memory injection is that you need to have rights to that process. I can't just go and inject into svchost.exe because I feel like I'm really cool; it doesn't work that way. If I don't have access rights to that, can't do it. Also, since it's used by malware, antivirus does pick this

up. It's called a process hijacker; a lot of common antivirus products will immediately red-flag this and be like, hey, that's not possible. The one benefit of it: it does evade real-time and file scanning, as there's nothing written to the disk. All this is happening in memory, so we're not making any changes to anything physically on the disk that can be accessed forensically, except for memory, and we'll get to that. So one of the ways you can practice memory injection is with Python. These two great books, Black Hat Python and Gray Hat Python, cover this in detail, and it's really awesome. The only downside to this is Python has to be installed on

the computer you're targeting, and Python 3 has a lot of issues with it. I've tried Python 3 personally and it does not work; Python 2.7 is the best one that works with this. You can compile it for compatibility, however. One of my favorite Twitter statuses: "the worst part about compiling Python into a Windows binary is the part where you get repeatedly punched in the throat," and I feel like that is really true. Compiling a Python executable is kind of difficult. I mean, it works, but it doesn't really work super well. You don't get just a single .exe and you're like, okay, cool, I'm just going to email this and pop

somebody's box. Doesn't work. You get, like, nine files in a zip file, so you have to email nine files to your target, like, hey, can you download these, put them in the same directory for me and then just execute that one that's right there, thanks. But, like, you can do it in a self-extracting archive, so if you have, like, a 7-Zip SFX, or use AutoIt, which is another program that allows you to do something like this. It does look a little bit suspicious when you download, extract a bunch of files to Temp and then, you know, start executing a bunch of stuff from there. So one way to kind of combat this is called process-local memory

injection. What this does is inject malicious code into our own running process, so we're not targeting somebody else, we're targeting ourselves, and it sounds kind of weird at first. It's not detected as a process hijacker due to the context, meaning that since we're affecting our own process, antivirus is like, hey, you're not messing with anybody else, I'll just leave you alone. It's also a payload type in the Veil framework, and actually this is one of the main process, or shellcode, injection vectors in the Veil framework itself. So this is kind of a little representation of how local memory injection works. So you have your own stack here, of your own process, and you

basically call the same functions that we called in our previous example, you know, OpenProcess, VirtualAllocEx, WriteProcessMemory, and, you know, we can write our new code to here, and then bang, our process is now running malicious code. And you think, well, wait a minute, why would I want to run malicious code in my own process? Well, one thing it does: it does evade AV, and I'll show you. So this, for example, is just me running Meterpreter. So I created a box that had a bunch of antivirus programs on it, as many as I could possibly put on there without them failing or crashing the box. So first of all I try

to do Meterpreter, which is highly picked up by antivirus, every single antivirus program there is. So this is just an encoded Meterpreter shell, and you can see as soon as I run it, it's picked up immediately; I get denied the ability to run it. So now, oh, and this is the virus scan of that file that I just ran, just for kind of context, this is how badly it is being detected. So this is local injection. So this code I'm going to upload to GitHub as well; this is a Python file that has shellcode for a Meterpreter shell inside of it, and it's the same box, running the same antivirus programs. So I'm going to go ahead, and I ran it, so

I'm injecting code into my own process, and I go over to my Kali box and I get a Meterpreter shell. My antivirus did not pick that up at all, so I'm now running a Meterpreter session freely. Now, the one caveat to that is, I will say Symantec, which is one of the antivirus products that we did test, does have a very good firewall that does pick up Meterpreter no matter what. So even if you use HTTPS, or you use a bind shell, reverse shell, anything, it will pick it up. That's the one caveat, the only one that was able to pick it up, but once we disabled the Symantec firewall we were able to get past

that. So why does local injection work? Well, like I said before, we're not touching any other process in memory at all, so antivirus is like, hey, cool, you're not messing with anybody, you're messing with yourself. And also, this does happen; processes do do this themselves, it does happen naturally. And also, antivirus doesn't actually scan the memory of many processes at all; there's only a couple that do scan it, and a lot of this isn't picked up. Now, why local injection sucks: the reason it kind of sucks is you're still running your own process. So if you download a file that's stupidfile.exe and it does this, stupidfile.exe is still running on your system, and that might

be doing malicious stuff. So as soon as you do something malicious, like you migrate Meterpreter, or, I don't know, you try to do an lsadump and dump, like, hashes from Windows, or dump credentials, or anything like that, it's going to pick it up and it's going to say hey, wait a minute, that doesn't seem right, and your file is going to get deleted and your shell's gone. So basically it works really well, but the execution is not really there. So this is basically because of AV heuristic detection, and I kind of went over it a little bit, but it really looks at what the process is doing. So, is it a

known process, is it a system process, is it explorer.exe, is it regedit.exe, is it notepad.exe? Who's the user running it: is it SYSTEM running it, is it NETWORK SERVICE running it, is it Bob running it, you know, is it Joe running it? Also the execution path: so, you know, where's explorer running from, where is svchost running from, where's notepad running from? And it also looks at the network connections made. I mean, you know, if you have notepad.exe having a network connection out to, I don't know, China, that does kind of look suspicious. I mean, notepad doesn't even connect to anything on the network, so that already does look suspicious. And it's really labeled with

threat intelligence as well. So, for example, I have a bunch of processes on this board, and there's a couple processes on here that are completely not good, they're malicious. Just by looking at the information I gave you, do you think you could spot any processes that are

malicious? So if you got these two, you got them right. Notepad never runs as SYSTEM, and the funny thing is a lot of pentesters will actually start notepad from Meterpreter and migrate into it, and that's where you'll see this from as well. This one looks really suspicious; I mean, a lot of malware does do that, where it drops a file that has the same name as a common Windows process, such as svchost, and then when you go into Task Manager and you don't see the executable path, you're like, oh, that's fine, you know, I've got svchost running, not a big deal, but it's running from the Temp directory. So basically, going back over

it, you know, as you can see, process path: svchost is never located in Temp, it's always in C:\Windows\System32, and you have notepad running as SYSTEM, which never happens. So Windows APIs are also checked by antivirus as well. So antivirus does look at API calls that you make and it checks the context to see if that looks malicious, and what I mean by context is this. So if you have winword.exe, which is the process name for Microsoft Word, and it tries to open a handle to winword, Microsoft Word, so it's opening a handle to itself, you think antivirus is gonna let that happen? It is; it's opening a handle to

itself, it's like, okay, whatever, you can do that. So now we have our process called mpr.exe, and it tries to open up a handle to winword again. Think antivirus is going to let that happen? That would be nope, it's not going to happen; that's a process hijacker right there. They're saying, okay, you want to inject memory into winword, we're not going to let you do that. Now we have rundll32, and it wants to open up a handle to winword.exe. You think this will be allowed? If you said yes, you are right. The reason being is this is a system process; it's like, hey, this is SYSTEM, this obviously does this, so why would I disallow it from doing what it's

supposed to do? So, and going over really quickly before we get into the exploit, the API calls: these are some of the API calls that are actually monitored, by malware itself, and these are the ones that actually can do the most damage. So we have CreateRemoteThread, which I used in my earlier examples, and that, like I said, allows you to create a thread in another process that is not yours, I mean, or it can be your process if you want it to be. NtCreateThreadEx: this is the beauty of Microsoft right here, people, this method is not documented anywhere in any of Microsoft's documentation. It's not, and

it's actually the most effective, the best working method for doing memory injection and thread calling, and NtCreateThreadEx does the same thing as CreateRemoteThread, except, for some reason, NtCreateThreadEx works on 64-bit systems and CreateRemoteThread does not. But it's also undocumented, so I have no idea why Microsoft did that. WriteProcessMemory, which I also used in my previous example, like I said, allows you to write the contents of process memory. And I have OpenProcess, which I've also used before, opens a handle. This one's a little bit of a new one; this was used in Meterpreter a little bit, it's LoadLibraryA, and

you can also have LoadLibraryW, but I used A in this example, and basically when you call that, you call it with a DLL path and it allows you to load any DLL into your current process, and we're going to use that in one of our examples. So back to our one example where we talked about context: we noticed that rundll32 was allowed to open a handle to winword, and that's because of AV trust. So AV inherently trusts system files, and the reason being, in 2008, I can't mention the vendor, but if you go to the link you can look it up, this vendor had a signature that detected a Windows native program as malware, and

you're like okay what's the big deal in that we detected it deleted a critical system file and everybody that was like oh I'm cleaning Mal in my system could no longer boot their operating system anymore so to prevent that AV does prevent you prevent system processes and AV data files especially cuz it's got to save itself from being malware so it's like hey if you know Explorer is trying to do something malicious but it's just opening a handle or it's writing memory okay that's fine whatever I don't care so or if an AB program file is doing it as well so that really leads us to our exploit so you know right now as you can

see, we have a couple things that in combination could kind of work together. So we have memory injection that could High m code; currently we can only do it in our current process. We're thinking, okay, whatever, that's cool. But also AV has an inherent trust in system processes, and actions by a system process are trusted. All right, so really all we need is a system process that can run our malicious code for us while at the same time looking like a system process and acting like a system process. So our answer, as before, is rundll32.exe. And just to note, on our next exploit I had to use bind TCP just because Meterpreter was having issues in my example.

The one good thing is, I tried to generate a bind TCP exe to show you how, if AV would pick it up. I couldn't even copy it over to my VM, that's how bad it picked it up. As soon as I copied it or even touched it, it was like, nope, you can't do that. So that's how easily the code we're about to run is being picked up by antivirus. And I have Sysinternals open in the background; I know you can't see it very well, but I have Sysinternals open in the background that's going to show my connection. So right now, oh, why is that quality so bad? Let me fix

that, sorry about that guys, I don't know why it looks really crappy. That looks a little better. So we got our compiled exe over here. So now we notice we clicked it and it ran, nothing happened, our process closed. So I'm sitting here waiting, I get over to my box, my Kali box, and look at that, I got a bind, or I got a reverse shell open completely, even though antivirus was on the system it did not pick it up at all. So, the greatest thing, I look at where I'm running as, and I don't know if you can see it, but I infected the antivirus process. So my code infected antivirus. So not only am I running a shell undetected

in the system, I actually infected the antivirus product. And honestly I did not deliberately attack the antivirus process, but I thought it was kind of ironic that antivirus was now doing my

bidding. No, it won't, because of the fact I'm, well, because I'm housed in the AV process. It would now if I was housed in, like, I don't know, the Java Update Scheduler, yeah, it would do that. So once my video comes up, once this comes up... so what happened? What, no, oh there it goes. It doesn't... I think I infected the projector, I might have done that by accident. So what happened, what did we do that allowed us to get to where we are now? So our main process takes itself and dumps it into a DLL in the temp directory, and that DLL contains our shellcode and instructions to do its next job, which, what it does is

it gets launched by rundll32. So my main process calls rundll32 with our dropped DLL, and now our process is running as rundll32. So our DLL now enumerates all running processes and it's like, okay, I want that one. So we pick a process that's not going to make the system crash, which I have done, I blue-screened a box a couple times in testing this. But once we pick our process that meets our recommendations, we're going to inject shellcode into it, and because we are running as rundll32, the antivirus doesn't pick it up. It says, okay, you want to do that? Cool, go ahead. And then the

shellcode runs. So in a little graph to kind of step by step this: we create a DLL file, we call rundll32 to execute that file, our file then enumerates all processes and it picks out a specific process, and then we inject code into it and then start our malicious thread, and then we now have malware on your machine without being detected. And as a bonus video, I'm not, I don't, I'm not supposed to call out specific antivirus vendors, but have any of you guys heard of Microsoft EMET, the Enhanced Mitigation Experience Toolkit? It's supposed to protect from buffer overflows and injections and a lot of things for Windows, and it's constantly updated.

Problem is, I tested it this morning and we were able to bypass it. And so our little bonus video: we have EMET here running and we have our code again. So let's run our code this time again with EMET running in the background, well, in the foreground really, and you'll notice, once it takes a couple seconds to

look, there it goes. So you notice we infected PowerShell. So the PowerShell process that was running, we now infected that, and now I have another reverse shell in the system, completely bypassing all technical controls put in place to prevent something like this from happening.

So on compatibility: I did test this on numerous versions of Windows. I kind of said screw Windows 8, because who really uses Windows 8. My main test bed was Windows 7, it worked fine, and I also tested on Windows 10, even though I don't know if anybody really likes Windows 10 either. It worked on Windows 10 as well. So now we get to detection and prevention. So how can we detect this? It's actually very hard. No AV caught it? Nope. So detection: one of the ways we can detect it is I use a program called Redline. Redline does analysis of memory currently running; it has to dump

it first and then you can use it to analyze memory. Redline did see it in there. So if you do have Redline installed on your machines, it will pick it up, not directly in real time, but you will be able to at least detect something like this going on. Volatility: now Volatility is an after-action kind of process, so if I happen to be dumping memory of the host as I was doing this exploit, then Volatility would definitely work. I would have to tell it to look for injects in Volatility, but I can definitely see that. And any memory dump really that you take would be able

to see this, because this is really a memory-only thing. Prevention: how can we prevent something like this from happening, how can we prevent somebody from getting infected like this? One thing we can do, we can flag the DLL itself or the loader as infected. Now this isn't a permanent solution, as one little code change, one little byte, immediately will change the signature of these two files, and you know, we're just doing it all over again, it's like cat and mouse. One thing we could do with Windows to bolster security in itself: we could force DLLs to be signed to have to run, so I couldn't run a DLL or inject a DLL into a process unless it was signed by an

appropriate signing vendor, and this would prevent, you know, a lot of these attacks from happening. Now state-sponsored, you know, would maybe have the money to buy a CA to do this, but you know, Joe Blow that wants to infect you with ransomware won't have the money to do that. We can also disable loading DLLs from non-program directories. I think that's the most important one. I loaded this DLL from temp; I don't see a real reason to load DLLs from temp, ever. There's no real reason to do that, and if you do, it's kind of bad programming. DLLs should only be loaded from C:\Windows\System32 or C:\SysWOW64 or Windows\SysWOW64 or the Program Files directories, that's it. It shouldn't be loading from your temp file, from your AppData\Roaming; it should just be loaded from those directories, and it prevents something like this, because we'd also, we don't need admin access to run this exploit. In order for us to be able to drop a DLL into Windows\System32, you need admin rights, so at least it would, you know, control our surface area just a little bit that way, unless we happen to find an administrator. Now granted, that's even worse, but it would lower the normal users from being able to be exploited by this. Second, or the last one really, is a big

one as well: rundll32 specifying the DLL as the running application. This one is kind of big. If you ever open up Windows 7 and you open up a photo, Windows Photo Viewer, it says rundll32, it doesn't actually say Windows Photo Viewer, because Windows Photo Viewer is a DLL, it's not an actual program. And that's kind of one of the problems, is that when you run a DLL you only see rundll32, you don't see the program that's behind it, or the DLL that's behind it really controlling the show. So if we had it, rundll32, so that way it says, I don't know, temp.dll or dll1579.dll is

running, and you'd be like, okay, that's kind of weird, that's a weird name for a DLL, that shouldn't be running. Or if you have, like, shell32.dll is running, then maybe, you know, you can see kind of what's running on your computer instead of just five processes of rundll32 running and you not knowing what's actually there. Lastly, once I finish this, I'm going to post the code to GitHub. It says currently, but I haven't had the chance right this moment to post it, but once I do, I'll post the Python code and I'll post the C code. I'm removing the shellcode on it just to prevent myself from liability, but feel free to put your

own shellcode in it, I don't care. You can also get more information, a couple of my links, at the link right there, id.me iym. It'll take you to a page that has a link to GitHub and the links that I put in previously in the other slides. And actually I ran a little bit fast, so does anybody have any questions? I know it's kind of a lot.

Good. No, I'm using py2exe. I mean, I don't know what that person was using, I mean, I thought it was really funny. So, but expen... yeah, oh, you can do that? That's a good idea, okay, I didn't know that, thank you. I have to talk to you after and write that down. Any other questions? Go. Yeah, I mean I could, but I don't want to, you know. Yeah, I mean basically a great number of AV products that I've tested have not picked this up, so you know, I mean there's antivirus products that I don't even know, there's probably ones, like, not even in English, just like there's like 50,000 browsers. So there, I

mean, there may be one that picks it up, but everything I've tested, the average, nothing. So any other questions? Is Redline Windows only? Yeah, it's a Windows-only tool. It's, I think it's made by FireEye. FireEye, yeah. Any other questions? Cool, I appreciate you guys for listening, thank you very much.

...back the red... yeah, I'll get back on the red team... that
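The speaker's prevention points (DLLs should only load from System32, SysWOW64 or Program Files, and rundll32 hides which DLL it is actually running) can be turned into a triage check over process-creation logs. The following is an added example for defenders, not the speaker's code; the `Image=...|CommandLine=...` record layout, the sample records, the regex helper and the allowed-directory list are all constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Directories the talk says DLLs should legitimately load from (constructed list).
ALLOWED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                    r"c:\program files", r"c:\program files (x86)")

# Optionally quoted, optionally path-qualified rundll32[.exe], then its arguments.
RUNDLL32_RE = re.compile(r'\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.*)', re.I)

def extract_dll_path(cmdline):
    """DLL path from a rundll32 command line, or None if it is not a rundll32 launch.
    The DLL argument has the form "path,EntryPoint" and is quoted if the path has spaces."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        dll = rest[1:].split('"', 1)[0]        # quoted: take up to the closing quote
    else:
        dll = rest.split()[0] if rest.split() else ""
    return dll.split(",", 1)[0] or None        # drop ",EntryPoint"

def dll_in_allowed_dir(dll_path):
    """True only if the DLL's directory is (under) an allowed directory. '..' segments
    and drive-less names are rejected: they could escape System32 or use the search order."""
    p = PureWindowsPath(dll_path)
    if ".." in p.parts or not p.drive:
        return False
    parent = str(p.parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in ALLOWED_DLL_DIRS)

# Constructed Sysmon-style process-creation records, not real captures.
SAMPLE_LOG = [
    r'Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe "C:\Users\bob\AppData\Local\Temp\dll1579.dll",Run',
    r'Image=C:\Windows\System32\rundll32.exe|CommandLine="C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'Image=C:\Windows\explorer.exe|CommandLine=C:\Windows\Explorer.EXE',
    r'Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32 C:\Windows\System32\..\Temp\x.dll,Go',
]

def triage(log_lines):
    """(image, dll) pairs for rundll32 launches whose DLL sits outside the allowed
    directories; these are the launches worth investigating."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split("|"))
        dll = extract_dll_path(fields.get("CommandLine", ""))
        if dll is not None and not dll_in_allowed_dir(dll):
            hits.append((fields.get("Image", "?"), dll))
    return hits
```

Running `triage(SAMPLE_LOG)` flags the Temp-resident DLL and the `..` path that tries to look like System32, while the legitimate shell32.dll launch and the Explorer record pass.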