
Living With Kodi And A Hole In Your Network

BSides Lisbon · 2018 · 18:17 · Published 2018-12
About this talk
Kodi's plugin architecture enables powerful media streaming but introduces serious security risks when extensions are abandoned or malicious. This talk demonstrates how to exploit Kodi plugins for remote code execution, shows real-world sinkhole data revealing over 800,000 Kodi instances across critical sectors (hospitals, government, banking), and discusses network segmentation and HTTPS enforcement as practical defenses.
Original YouTube description
This presentation will show how big a risk abandoned Kodi extensions and plugins can be, by exploiting one and showing the potential damage that could come from an attack, using sinkhole data. (No innocent Kodis were harmed in the process.) Kodi is one of the most used media players, and in large part this is due to its extensibility, the ability to install plugins, and the wide range of devices it supports. However, Kodi plugins are a bigger source of trouble than it appears. In this talk I will show how Kodi extensions are commonly abandoned and how someone could easily exploit this to gain access to a large number of networks or to build a massive botnet. To do this, I'll briefly explain what Kodi is and how it works, show how to write an exploit to execute code on any Kodi installation, and show the results of sinkholing a large number of Kodi extension-based domains. I'll also share a few ideas on why having your Kodi behind Tor/your $1 VPN provider is not that fun.
Transcript [en]

Yes, okay, hello everyone. Oh nice. So my name is Jurgen, I work at BitSight, and today I'll be talking about Kodi and really cool sinkholing. Without further ado, let's start.

So what's Kodi? Kodi is, from a high-level point of view, just a media player, but a very interesting one, because it works everywhere: it works on PCs, on Linux, on Windows, it works on mobiles, and it's great because you can watch movies, you can watch series, without any issues. One thing that's different about it is that it allows using plugins. Those plugins allow more features, so for example if you want to watch Netflix or YouTube or Twitch or some other channel that you like to see after midnight, you can use it without any issues, but you need add-ons for that.

The thing is, add-ons are stuff that is being done by other developers. So there are developers who made Kodi, and who actually did a great job of doing it, and now you have other guys developing more code in Python that does the other stuff, that works for Netflix, YouTube and other things. And as I was saying, it runs everywhere, so if you've ever seen some mobile or a car, you can find Kodi in there. But the thing is, if we have developers developing plugins, and anyone can develop a plugin, well, they might be unsafe, and the official Kodi guys said, well, it's on your side, so just be sure, because it can be unsafe running unattended code on your network, because it can be anything. So the official documentation says: be careful, add-ons are bad.

And now let's see the first demo. I will show, where we have the thing, okay, so here. And here I'm showing how to install a Kodi plugin. As you can see, the interface is very simple. Sorry, no, this is not, this one, never mind, nothing happened.

Okay, this one. So as you see, the process is really simple. We have a security alert saying be careful, you need to be sure to install add-ons, and we have two settings, one is "update add-ons automatically", which I will turn off just for the presentation. Once again, another warning saying that it can damage your computer, so be careful installing add-ons, and after that, after two warnings, I finally go and install the add-on, and it's installed. So as you can see, the process is really, well, long. In theory you should have just a few moments to install something, but here you have confirmation that it may be bad for your computer.

Let's see, not this one, let's see the actual code. Oh, sorry. So the key points: you have a few warnings that add-ons are bad, so be careful with them. And the thing is, Kodi likes to live on the edge, so it auto-installs updates; I had to disable the feature for this presentation, but when there is an update for some Kodi plugin it is automatically installed. Okay, so let's see the actual code. It's really hard, because it's in XML, and it actually just wants one file, called addon.xml, and you just need to zip that file and name it with the name of the plugin, dash, the version, and .zip. As you can see, the code is really simple: just the XML version, the name, the ID of the plugin, the actual name, the version and the provider name. In this case I'm using a repository.

So what is a repository? A repository is something where you can download more add-ons. So in Kodi: add-on repository, video add-on, it's all add-ons, so you can have anything being here. In this case I have a few different things, and a few interesting ones. In this case I'm using HTTP, so all the add-ons and updates for them will be passed through HTTP. This could sound strange, because in most cases people would think, might they use HTTPS? Not really: in most of the other ones you see out there, people use HTTP and don't have any problem with that. So a bit further, you need to have the file with the md5; it's just the code that has the md5 of the file addons.xml, and where you can download the actual add-ons. We have the description metadata, with the summary, the description, and what platform you can run it on. As I was saying in the beginning, you can run it everywhere, starting from your phone to any computer on the Internet, so Linux, Windows, Mac, whatever.

Okay, let's imagine a different case. Let's be the bad guys and make some very malicious code that will do some malicious stuff. The thing is, to update something we will need a bit more. So as I was saying, you need to have a few different things: you need to have the addons XML file and the zip folder with the actual add-ons. And in here we have addons.xml, addons.xml.md5, well, it's just the md5 of this file, and in this directory the zip of the actual add-on, yes, here, and the description of the add-on. In the zip we have two files, addon.xml and service.py, the Python code. Well, for me it's just some basic code. So let's see the actual code. The difference here is in addon.xml I'll be adding some Python code, so I'll be importing the Python module and I'll be starting a service called service.py when the application, when my plugin is run. So it's just these two lines that make the difference. So some malicious guy who found the code, he'll get the first one, add these lines, and he can be executing Python code.

Well, let's see the rest of it. In my service.py I have some really simple code; it's the basic stuff that waits for an object every 7 seconds and executes it. Well, as you can see, the code is really, really difficult and really sophisticated, I'm sure all the hackers use it, because it creates a file on the desktop and opens it with Notepad. So yeah, it's really sophisticated. Here we have another file called addons.xml. This file is the one that contains all the add-ons, so for example if I would like to update multiple add-ons or install different ones, I would have more than one of those, but in this case I only want to update one to version 0.2, and that's what I'm going to do. The md5 is the md5 of the file.

Okay, so let's just imagine the scenario of being man-in-the-middle. So we have a very sophisticated process using HTTP to update the add-ons, and well, I think everybody knows that we can MITM that connection. So we can be in the middle of those connections in different places, like public Wi-Fi. It may sound strange, but there are Kodis on public Wi-Fi, so you can access that, you can be on the same network as them. Public proxies, and Tor and VPN providers, are a bit different, but who says, if you put up a public proxy saying, oh look, I have a proxy that unlocks Netflix for you, so you just configure the proxy and everything works. So you obviously will use the proxy, because you want to watch Netflix without any problems, and you will use it because Netflix has some restrictions on countries, and for example the US has more shows than Europe. So saying this is a US proxy that has more shows, you just need to use it, you obviously will jump for that. Same thing for Tor and some VPN providers. So yeah, people saying the same thing as proxies: this service is very secure, it's using really high-grade encryption, just pass the traffic through us.

So let's see the second demo. In this demo I'll be presenting the actual attack. So, not this one, this one. So what I'm doing is I'm checking for updates for my plugin, and I find there is an update available. Once again, I changed the settings to update manually, so I have to force the update. Now let's wait: the add-on is updated, it's already installed my version of it, so the hacked one, and it received once again a very sophisticated hack. I'm sure everybody does stuff like that. And that's that: so the process of updating an add-on that might not even be yours is really simple, you just have to be on the receiving end. So you receive a request for update, you say, oh, I have updates for you, so just install it.

Okay, let's see some numbers and some results. Oh sorry guys, this is not another presentation about cloud and security and GDPR. So let's see the actual data. Here we have an IP count. What is this count? We have at BitSight an infrastructure that sees interesting events happening in the wild. In this case we are seeing seven days of data, so there are eight hundred and two thousand unique IPs of Kodis, so eight hundred, sorry, eight hundred thousand instances of Kodis running in there and communicating with us in seven days. Well, that might not sound much, but the thing is, WannaCry just needed three hundred thousand computers around the world to make so much noise. Why am I comparing these numbers? Well, because the thing is, the size really matters, but in this case we are talking about Kodis that can be run anywhere, so that's software running on your phone or even in some other places.

So what are the other places? This number here, 2,117, is the number of unique companies that have Kodis installed, and we have 85 different industries that are running them. At BitSight we have entity mapping, and we know what company has what IP, so we know what company, where it stays, what is its IP range, what's its company name, what's its location, stuff like that. So yeah, well, two thousand unique entities, it's also not much, but let's look at the countries first. So yeah, obviously the US has the biggest number of IPs. Once again, this is information about seven days of unique IPs talking to our server, so if you are the bad guys, we can do, well, some interesting things. In Portugal we have only 4,000 unique entities, sorry, unique IPs, so well, that doesn't sound much, but let's see the actual interesting part.

So as I was saying, it's entity mapping, and one part of the entity mapping is understanding the sector. So well, we have a few different entities in different sectors, like hospitals, like government, like gambling and casinos, banking and insurance. Yeah, the rest of them are also interesting, but I think these ones are the most interesting ones at once. So what could this mean? This means we have access to some device on the network of some random casino, random government administration entity. So yeah, the thing is, this is not much, it's just a Kodi, it's just a simple device running some code, someone just wanted to watch some movies in some company, but well, that company might be an interesting one.

Okay, the thing is, it was really nice, it's a really sophisticated attack, and how can we protect? Well, the thing is, Kodis are devices that don't need much network, they need just access to some specific stuff, so we can segregate them, we can have them run independently of the other devices. So you can put it somewhere far from ATMs, from POS and stuff like that, in the case of banks, and far from the servers in the case of other companies. Well, the second thing is check your add-on sources. It's really important, because if you have a domain that runs updates through HTTP, it's really something. So be sure to see what you're installing. The thing with Kodi is, it's just like Windows: you can install anything, but you can make it safe, so be careful with those. Well, this one is a hard one: just use HTTPS. So if we have access to the network communication between the Kodi and the network, in the case of HTTPS we will have some issues installing our add-ons, our updates. And well, just test updates before adding them to production. It also works for other things, not just for Kodis. So yeah, that's just a bit there. Okay, that was really fast, so thanks. Any questions?

So how did you actually detect the number of IPs that are running a Kodi device? Do they have some servers exposed that you can connect to, or is this something else?

At BitSight we have a magical thing using machine learning and blockchain technology, and yeah, it's just, whoa. So we do sinkholing. So we find the details of how some stuff works and we just start doing more research to understand how the network works, and well, it's a really complex process, it's a really complex partial process, you know, we just need to do a lot of data analysis and that kind of stuff to get something like this. So we do sinkholing of some different domains in different networks, and there we get the data. So yeah, anymore?

Well, looks like nope. Thanks once again, guys.
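The repository layout the talk walks through (a repository add-on whose addon.xml points at addons.xml, an addons.xml.md5 companion file and a zip directory, all over plain HTTP, plus an add-on zip whose addon.xml declares a service script that Kodi starts on its own) can be audited from the defender's side before a repository is trusted. The script below is an added example, not code from the talk or from the Kodi project. The two XML documents are constructed samples with a placeholder host; the xbmc.addon.repository and xbmc.service extension points and their child elements are taken from Kodi's add-on XML format as this editor knows it. It flags update endpoints that are not HTTPS, lists add-ons that start a background service, and shows that the .md5 file only catches corruption, not tampering, when it travels over the same unauthenticated channel as the index.

```python
"""Audit a Kodi repository definition and its addons.xml index for the two
weaknesses the talk relies on: update channels over plain HTTP and add-ons
that start a background Python service. Added example, not the talk's code."""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the addon.xml of a repository add-on. Element names follow
# Kodi's xbmc.addon.repository extension point; the host is a placeholder.
REPO_ADDON_XML = """<addon id="repository.sample" name="Sample Repo" version="1.0.0" provider-name="sample">
  <extension point="xbmc.addon.repository" name="Sample Repo">
    <info compressed="false">http://updates.example.invalid/addons.xml</info>
    <checksum>http://updates.example.invalid/addons.xml.md5</checksum>
    <datadir zip="true">http://updates.example.invalid/zips/</datadir>
  </extension>
  <extension point="xbmc.addon.metadata">
    <summary>Constructed sample repository</summary>
  </extension>
</addon>"""

# Constructed sample: the addons.xml index such a repository serves. The first
# entry declares an xbmc.service extension, i.e. a script Kodi starts by itself.
ADDONS_XML = """<addons>
  <addon id="plugin.video.sample" name="Sample Video" version="0.2" provider-name="sample">
    <requires><import addon="xbmc.python" version="2.25.0"/></requires>
    <extension point="xbmc.python.pluginsource" library="addon.py"><provides>video</provides></extension>
    <extension point="xbmc.service" library="service.py" start="login"/>
  </addon>
  <addon id="plugin.video.quiet" name="Quiet Plugin" version="1.0" provider-name="someone">
    <extension point="xbmc.python.pluginsource" library="addon.py"><provides>video</provides></extension>
  </addon>
</addons>"""

# Constructed: what a correct addons.xml.md5 companion file would contain.
ADDONS_XML_MD5 = hashlib.md5(ADDONS_XML.encode("utf-8")).hexdigest() + "\n"


def insecure_repo_urls(repo_xml):
    """Return (element, url) pairs for repository endpoints not served over HTTPS."""
    findings = []
    for ext in ET.fromstring(repo_xml).iter("extension"):
        if ext.get("point") != "xbmc.addon.repository":
            continue
        for tag in ("info", "checksum", "datadir"):
            for el in ext.findall(tag):
                url = (el.text or "").strip()
                if urlparse(url).scheme != "https":
                    findings.append((tag, url))
    return findings


def service_addons(addons_xml):
    """Return (id, version, library) for every add-on that runs a background service."""
    found = []
    for addon in ET.fromstring(addons_xml).findall("addon"):
        for ext in addon.findall("extension"):
            if ext.get("point") == "xbmc.service":
                found.append((addon.get("id"), addon.get("version"), ext.get("library")))
    return found


def checksum_matches(addons_xml, md5_file_contents):
    """Check addons.xml against its .md5 companion. This only detects corruption:
    whoever can rewrite addons.xml on a plain-HTTP channel can rewrite the .md5
    file too, so a match says nothing about who published the index."""
    parts = md5_file_contents.split()
    expected = parts[0].lower() if parts else ""
    return hashlib.md5(addons_xml.encode("utf-8")).hexdigest() == expected


def audit(repo_xml, addons_xml, md5_file_contents):
    """Combine the checks into a list of human-readable findings."""
    report = []
    for tag, url in insecure_repo_urls(repo_xml):
        report.append(f"repository <{tag}> is not HTTPS: {url}")
    for addon_id, version, library in service_addons(addons_xml):
        report.append(f"{addon_id} {version} starts a service script: {library}")
    if not checksum_matches(addons_xml, md5_file_contents):
        report.append("addons.xml does not match addons.xml.md5")
    return report


if __name__ == "__main__":
    for line in audit(REPO_ADDON_XML, ADDONS_XML, ADDONS_XML_MD5):
        print(line)
```

Run against the constructed samples it reports three non-HTTPS endpoints and one service add-on; pointing the same functions at the addon.xml of each repository installed on a Kodi box, and at the addons.xml it last fetched, gives a quick inventory of which update channels a man-in-the-middle on the local network or on an upstream proxy could rewrite.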