
HackingWorkshop

BSides Calgary · 44:43 · Published 2024-03
Transcript [en]

All right. In my other life I actually do sound, and I'm just really glad there's no monitors in here; we would have, the minute I turned that on. So, all good, and apologies to those at home who might have got that in the headphones.

So, Hacking 101. Back to where we started: the whole point was that there's a lot of people in the security industry that never work with tools. Now, there's some of my peers here who grew up with that, and they still log on and do stuff now and then, but there's lots of us who don't. And even when we're doing a cloud thing, we're just clicking, you know, a couple of buttons in a web page, and we're not really attached to the computer and the networking and the software and the stuff that's going on. So as things get... stuff is still defeatable; you just have to answer, right?

So, there is an interactive thing. Everybody, I see people with laptops, and people are out, but is there anybody here that doesn't actually have a phone? No hands go up anywhere. At home you can play along, absolutely the same thing. So instead of slides we're going to do this fully interactive; I love working without a script or a net.

So, CTF players: what's the name of the domain, what's the name of the company that we're hacking right now? Sorry? Yeah, Your Mileage May Vary Industrial. We may, we may not; we're not the integrator of choice, we're the integrator of last resort, because your budget sucks, whatever, right? It's a small little mom-and-pop company that grew up, and, you know, they started this little business and they're making a go of it. Who's the CEO of this? I don't know. So how would we first start this? So if you're doing a red team, like a hacking, somebody hired you to be a hacker (I have done this on multiple occasions), you're given, "go find it." So what's the website? YMMV Industrial... that would be kind of like your first question, right? Why is that? Because every business that's actually a business now has a website, right? So what's the website? It's already in there, but what is it? It's not the BSides Calgary one. What is it? I... I think they pay me. There we are, okay.

So the one guy I know is a ham in this room can answer this question. Yeah, exactly. So these guys do stuff over radio, kind of cool, right? I got my... I decided I should do this because the alternative is to get busy and stuff, get on the air. The only time I've ever broadcast in my whole life is here at BSides when we had some... but we did it all; that was last year's stuff, and that stuff will be back here.

But when you're going to a company website, where are you going to look for information? So remember, yesterday we talked about identity is the new perimeter. This is that whole conversation, and our job now is to figure out who we're going to target. So in the CTF there's a series of questions called Spies Like Us. Has anybody got to those? Yeah. And it was things like, who is this person, and what are they doing, or what do they do at your company? So in the real world, where are you normally going to start looking for this stuff? LinkedIn, right. Okay.

We did get monitors, did you? Oh yeah, okay. Bring them down just a bit. Is that good for everybody? Yeah, okay.

All right, so, LinkedIn. We go searching around, we try and find stuff. For some reason Jake Fox is currently banned from LinkedIn, and they want real ID and stuff, so, you know, I moved some of the target intel that you would normally do on LinkedIn up here. Okay, sometimes you're not going to find this much chattiness about the people on the website, but we're trying to simulate what you would do. But seriously, if you look it up on LinkedIn or look it up on their corporate website, what's the difference? You're going to a web page and you're finding out what is going on in that organization. So where would I look for information about what's new in this company? Corporate updates. All right, bright bunch we got here, this is good. No, for sure, right, and this is one that a lot of people miss with hacking: companies really like to talk about what they're doing that's new and awesome. Why is that? To try and stand out from the competition, and they will often hide these things in press releases. So you'd be amazed at the number of places where you go and sometimes the press release isn't ready for release yet, but if you put /release at the end of that URL you might just find something. You're not going to this time, but that whole thought process of where would they hide something, because they're going to send an email to their ten people they know at Postmedia and the radio stations and all the rest; it's like, "hey, here's a link, go get our latest press release on X," so they can talk about it on the news or whatever, right? Well, if you could get that a couple of days early, might that be an advantage to you? Yeah. If you're trading stock, that's actually against the law. Great stuff to know in advance, though, just saying.

But so, go look around. So on the corporate website, what are we seeing? Is there anything that would be compelling here that seems interesting? Okay, so the CEO is doing what? She's saying, "hey, we really value testing." We do; it's right downstairs, you can go test it. Can you break in, can you crash it? And we take it seriously, and we're engaging cyber professionals to validate our security. How about that? It's almost like they knew what we were up to. It's crazy. And who are they doing the job for right now? Who are they working for? Lego City, yeah, yeah, yeah. Even if you hadn't seen the model, you could say, okay, it's Lego City, right? Okay, great. Now who's talking about the Lego City? Like, what are they doing? So Raven, that's the CEO, but who's the person that is talking about Lego City? Andy. Who's Andy? And we're after a technical target, right? Who's the right guy to try and phish right now, Andy or Raven? Andy, yeah. Like, that's the thought process, right? What's the target I'm after? If I'm after the money, if I want to know the stock release, I talk to Raven. If I want to know how to break into the train, or I want Andy's creds, because I bet you he's got good creds if he's the director of something, because if he has to fire somebody off the job he has to go lock them out. So even if he doesn't normally log in, he has an account that might get him there. So he's a good target, right?

So now, how do I know where Andy's... what's Andy's email? Yeah, we do, but Andy's not there, is he? Ah, she was here yesterday. You could make it up. I bet you it starts with Andy-dot-something, right? Right, for sure. So what's his email address? Right, but what is that? andy.lyons at YMMV, yeah, right, exactly. Like, that's the process. Okay, so you're already hacking this company, because you can send him an email right now and he's going to get it. In fact, there's a bunch of things about "send an email," and I answered a lot of email in the last 24 hours, people looking for games and all kinds of stuff, so that email is very much alive. But there's other stuff we can do here.

So Andy also likes to talk about stuff, right? So we're going to go check out a couple of blog posts. So if we go to "Hidden Cost of First to Market," it's something about don't rush to market and make crappy stuff, and it turns out that's not actually written by our guy; it's written by our communications director, Rishi, right? But she's kind enough to leave her email in there. So if Andy's written anything... if we looked in the profile we confirmed that. Let's see what Andy might have written. Oh, I love this one, the beer kiosk. That was Andy, wasn't it? Yeah, that was last year's. It's out of... stuck, because Jake Fox used to play for the Dogs. It's like, yeah, weird. I don't know where my mind goes.

But, yeah, so here we are. There's Andy, right, and if you look at his profile, I think it is one of these, it says... oh, there we are. Wait, it's somewhere in here. I got his email, right? Okay, yes, perfect. So we got his email, we've confirmed that's the one, so that's good. And I hope nobody actually tried putting the at signs in with the email and thinking that was going to get you the flag. It does have to be a real formatted email, but again, sometimes people obscure that so a bot crawling it will miss that email and he doesn't get as much spam, things like that. So these are all normal things that go on in a website; there's nothing here that looks out of the ordinary.

But now, if we look at all his posts, is there anything here we can use? So here's one about winter drains everyone, even robots, right? It comes down to... one of the flags is you're supposed to find out a phone number to reach Andy, because they've got email gateways now that prevent a lot of the phishing stuff, but nobody has gateway protection on their phones. How many people get junk email or junk invites on their phones? All of us. It's like incessant, and one of the reasons is it's, up until very recently, very easy to set up an SMS gateway. The good news is here in Canada and the US they've now got some real laws and the better providers are blocking that. I know that because we had to set one up for this thing, okay, so it was rather convoluted; you actually have to have a real business licence and all the rest now. While I was looking around for this, I found places in Nigeria that were happy to send that. I didn't really want to give them my credit card, but, you know, so there's lots of places where SMS could come in that are not going to be as rigorous as, you know, North American providers that, you know, are traded on the stock exchange and stuff like that. But, you know, telcos are pretty liberal, they're very interested in money, so you can convince them to hook you up to the PSTN. You can probably make your own bad-actor gateway. So SMS: great vehicle right now. That's why we're seeing more and more of the SMS stuff. The only problem is you need to know their phone number, right? Texting somebody other than Andy isn't really going to work, is it? So where's Andy's phone number? ZoomInfo, exactly. A lot of open-source or low-cost search-engine-type things will tell you way more about people commercially than is always convenient. And why would he have his stuff on ZoomInfo? He's the director of projects; he actually wants people to call him because he can sell them things. So for sure, a lot of people in an organization are going to make themselves very public and available because they need those contacts to try and generate business. We can exploit that weakness as an attacker to get into their personal space, to try and take advantage of that. Now, Andy isn't a real person and he's not actually on ZoomInfo, but I am going to try and see what I can do for next year to, you know, increase the sock puppet quality. I discussed this with a guy from the government earlier. There's no official version of this, but this is all for educational purposes; no fraud will be implied or intended, but, you know, if they really ask us to take it down we would. But here it's totally legal.

Now, the issue here is that we don't have his phone number. Or do we? Where's his phone number? Yeah, exactly. If you kept reading, he actually makes a commitment to say, "I take robot train safety seriously," and you can send a message; anybody from the general public can send a message to our support number. So somebody got a phone? Try it. Text that number, say hi. What comes back? Did you try it? Yeah, last night. Still working now? I just changed something, go check. People getting answers?

How about at home, anybody on the chat, are they testing? So folks on the internet, I told them in advance, if you have a question just let us know. Okay, did it come back? We got answers, okay, so it's working, so the change I made didn't break anything. Yay, welcome to IT, right? Isn't that great? I hope this works, I got three minutes, okay. So yeah, don't make a change before you go to a talk and then test it out live; that's another pro tip. But this time it worked out good, so we won't tempt the demo gods too much further. It's like, don't all try it, but yeah, you go; seriously, this is Twilio in the back end, so you can hammer the heck out of it from what I can see. I didn't script it, but it's pretty tough.

So you got an answer back and it says, "Hey, where's your support number?" But if we read this closely, it actually says send it to the support number, but what else does he say? Exactly, he'll monitor for himself. Yes, "support contract" is spelled "Dr," and that was actually going to be a reading-test flag, but you kind of ruined it for everyone, thanks. That's okay, no, no, I'm a terrible typist, as we can see. Yeah, there was one came up yesterday and the reply name was wrong and they got upset about that; we got it sorted out anyway. And yes, if you do have an issue with a flag, this is a friendly competition, we're happy to help and coach; like, that's not a thing.

But it says, "I need to know it's for me before this." So let's think about the phishing emails we used to get. How am I going to translate that into a smishing email? There's a vishing thing too, I think, now, where you can send somebody a video of you telling them to do something stupid. I don't know; like, whatever the next vehicle is, it'll just have an "-ishing" on the end of it and it'll mean scam. But so smishing is scamming over SMS. It's super fast, but also, is there anybody here that doesn't have a phone? No. And when it goes off, even if you're in a meeting, you're sneaking a look to see who it is, right? Like, we're watching this thing all the time. From an attacker's point of view, I got your eyeballs all the time. Is that not awesome, or is that not awesome? No? Okay, I think that's awesome. I think that's awesome if I'm attacking somebody and trying to get into their space. If I can get their phone number and I can start a text dialogue with them, they don't know who I am; I can pretend to be anybody. And last night, has anybody done the... somebody's probably done the flags where you're reversing and you're looking for the licence. So you got to go on here, you got to find the licence address, and then you got to reach out and say, "hey, I need a licence," and people just sending X's and "test," and other people, big long story, nice signature and everything else. Obviously we're responding to the ones that are nice, signatures and stuff, first. So it's all about pretext. Well, we can't install signatures here, but we can use things that make it look like a real message, because how many of these do we get, like, "your package may wait at blah blah blah, click here for refund"? Yeah, I'm not doing that. But if it's actually written in conversational language, am I likely to engage more? Right.

Okay, so we're doing this live and you'll get points and you can put them in the CTF, so this is worth your time. Okay, how am I going to engage Andy? What's the first thing I should probably do? See, exactly, you know his name; pretend you know him. "Hey Andy," "Hi Andy," "Hello Andrew." Like, something starting with the person's name and a cordial greeting, versus "your package," more likely to engage. Now, the next thing that's going to happen is you have to get them to care. What does Andy apparently care about right now? Safety, yeah. If we go back up, is there anything specific that he's mentioning? Frostbite. That's kind of a weird term, isn't it? Well, not here in Alberta, but that's actually the problem with the robot trains: the batteries are cold, they're not going as fast. Frostbite, interesting; he's apparently concerned about it. "Hi Andy, I have something about frostbite." I don't know, is he more likely to engage or not? Probably. So send him a text, say hi, mention frostbite. Try it, let's see what happens.

Is anybody trying this online? Is there anybody actually watching, or are we just recording? No? On the chat, do we see anybody? Oh, okay, all right, that's fine, I'm not offended. They knew it was me; I don't blame them for not coming. I saw Rock smile; I didn't know the other guy. Or they must have cancelled your talk, is that what it was? Okay. What? Oh, darn, they're not biting yet. Okay, all right, but yes, so it's working as planned. Like, "Doug, you're such a cruel man." No, not really, this is a learning experience. So we're phishing them, we're trying to convince them that there's something important, but what are we missing from the adversary's perspective? Actually, the question is almost spelled out for you on the CTF. If anybody's logged in, go check the "smish me" question, because there's one more thing we're missing with this attacker. What am I after? What you're after is his credentials, right? So you mentioned clicking, but when he clicks, what's he going to do? We got to convince him to log into something, because if he's running in a modern operating system, his browser isn't going to fall over the minute he visits your website and you push something evil to it. It's going to be patched for that kind of thing. We have to convince him to add his credentials. Now, modern ways: there's things like DocuSign and different kinds of contract software where they send you a link and you're supposed to log in and click a button, and that says, "yes, I'll pay you, follow through on the contract." So what are we missing in our phishing thing right now? Yeah, we got no link to this guy. So let's retry the phishing thing with our politeness and maybe something he might find interesting, like safety or frostbite or robots or something, and add a link, and pretend you're a hacker and you've got a website that you control. You can make up anything, but it's actually got to be a real website; not like real real, but look like a real website. What would a normal website have to contain if I gave you a URL? No, it's got to start with the protocol, right? Yeah, we're secure, of course we're going to use HTTPS; it's a hacker site, after all. Okay, try it. What do we get? And then just add, pretend you own some... give it the domain you ever wanted.

And those typing with their thumbs are going, "this is a drag, I need a script to do this." Totally, you would definitely want that, but this should work, and we've given you three-quarters of the path through already. But if you were just enumerating and trying to smash half the organization, you'd probably want to script that. Did it work? Did we get something? Really? Oh, so we have our first successful phisherman right here, because he tricked him by giving him a location to go get that, and the convincing pretext of "this is about frostbite," and you used his name, and we're assuming, for the sake of simplicity, that some of the other words in there made sense, right? Welcome to machine learning; you got to narrow it down. But those three things combined convinced this person to engage. For those who've done incident response, is that reasonable? Have we seen people fall for that? Okay, anybody recently seen that? Not looking your way, no. Like, for sure it happens, so it's not far-fetched. So yes, we didn't stand it up, but it did give you a website to go to, right? What happens when you go to that website? So it should be in your link, like, it should give you a link, right? You got a 404? Yeah, yeah, yeah, the page you're looking for isn't found. That sucks, this game sucks, who wrote this? Okay, I know that guy.

Yeah, it tells you a few things. It tells you that really is the website, because if there was no website there, what would you get? Yeah, either a domain error, like, "I don't even know where that is," or it just times out. And so this is part of what I'm getting at with, we're getting so detached by doing things and just assuming it's always working. You want to mess somebody up? Let them plug into your network and don't leave DHCP on. Ninety-some percent of the people will not know how to set a static IP on their machine. That's a real thing, okay, because we're just used to it.

So the good side is that you can sometimes think you're being secure by doing stuff like this. So if I was an investigator right now... do you do investigations, like IRs? You put your hand up, said you just had a phishing one. No? Besides Charlotte, yeah, okay, all right. So anybody ever done an investigation into a phishing thing? Yeah, okay. And sometimes in those investigations you get a link to a website, right? What do you normally do? "I go to that, see what's there." Yeah, I go for it, I go see. So what have I done? I've actually told the attacker, "hey, your attack worked," because somebody's now looking. But you don't actually know what's on there, do you? Did you get the link? You just go there and you get the 404, right? "There's nothing, right? Those attacker guys, they're just, like, bad." So he left the message in there; is it unlike an attacker to leave bad information in something they think an incident responder is going to read? Okay, who's controlling that website right now? How do you know it's really a 404? How do you know it's not a page with me measuring who connects and at what time and keeping a log of all that crap? Yeah, like, lots of games the minute the attacker controls that website and you're going into their turf. There's the thing.

All right, but the good news is, did anybody do their threat intel? Who's our threat actor that we're chasing, right? And what did you do to beat that, right, but what did you use to do that? No, besides your brain, I mean, like, that was obvious. That was a really good call, by the way. You went to it, you went to d42.ca, right? Okay, all [Applause] right. Oh, it'll help if you hang on here; move this to a new window.

I went to d42.ca and I didn't get that. Can you check that again? Can somebody else check d42? Yeah, what's the difference? Yeah, but no, it's really... no, no, think lower down, lower level. What's the difference between me going to d42.ca and you going to d42? Nope. Yeah, top of the class, exactly: different machines. What do incident responders use when they're investigating? What do my victims use when they're surfing the internet? The phone. Which one do I want to present to the incident responder, and which one do I want to present to my victims? And I wrote this at two o'clock in the morning in vi because I forgot. The guys that laugh at vi, like, "you still use..." yeah, I use that. I write the odd website in vi, and you can tell by the quality; see, you know, style sheets, and, yeah, exactly. You can view source on that; it's pretty Spartan, right, but it proves the point. And that's the thing: when you're going there, the attacker has the advantage. Now, part of the Hacking 101 concept is understanding what's going on, but when I keep saying identity is the new perimeter, that 404 that you're going through, I could be logging that. So if I've sent this out to 27 different companies, they're giving me the addresses that their users are potentially leaving from, or the phone provider that they're using, because if the company standard is Bell iPhones, Bell's going to have a certain set of ranges. I can look at the IPs that are coming in, and what's my next possible pretext against this company?

Huh? Left a message? No... the rest of the... no, I want to get inside their company, keyword being company, and I know it's Bell. Whose Bell phone? The one the company's paying for or the one they're paying for? No, the company one. And who doesn't want a phone upgrade? What if I put together a website that looks like the company IT portal to say, "hey, log in and make an appointment with us for your phone upgrade; please use your Active Directory credentials"? How many are going to do that? Too many, too many, exactly. But it keeps us blue teamers in work, I guess; I don't know, there's something there. But see, now I create the pretext, right? But if I saw this stuff coming through from this organization and most of them were using Androids, sending them a lure to say "get your iPhone upgrade" is going to kind of fall on deaf ears. So they're profiling us, and they're doing the intelligence against us before we do that. And so you actually got a couple of answers; you can try that account, it's not going to work, it will when I get back and add it, but the cred you got is actually a valid key, so you just got some points for your CTF.

And I think that's really the takeaway here, is that we've got so many ways that people are coming at us now, and our users are being, I don't even want to say tricked, they're being targeted. Like, if somebody that's really out to mess with your organization makes it their day job to figure out how to work against you, they're going to get some of your people; there's no way around it. But understanding how some of these technologies work, and the challenge with this... I mean, when was the last time anybody talked about mobile security, other than putting a container on it to make sure it's not jailbroken? Like, I think all of us got that, and you got to have the six-digit PIN thing, right? But we have no controls over the messages going in, who's in their contacts, any other apps that are running. So, you know, it's not an exaggeration in this part of the world to say that there are military agents that are out to get into our businesses. Why is that? Why are people interested in Alberta, of all places? Yeah, 45% of all the natural gas in North America flows between two pipeline companies. Like, we're number five or six globally for barrels per day out. Some of the people that don't like us right now are also in that business, so if we're out of business, that's good for them. Like, you can kind of see how the governments might be willing to do these kinds of things.

So we've put together a fairly basic but trickier example. Like, if you hadn't had some coaching, how many of you would have got how to phish Andy? Get there, but it would have taken a while. Okay. That's the difference, right, is that the whole hacking concept originally came from people just trying to take what was already there and use it in new and inventive ways. I've attached a mobile phone to a web page; not exactly rocket science. The hardest part was actually getting legal. But it's there, and the adversaries, they will have teams of people doing these kinds of things, and the web pages will look great, they'll look just like your website, because they have people; that's their only job, as the web developer for a crime syndicate. They're really good, because the crime syndicate's making a lot of money, so they can pay these people. This is not hoodies and basements, okay?

So I think that's kind of where I want to leave this, as far as this is kind of the state of the nation, and we always got to be on the watch for emerging threats and stuff like that. But I'm curious if there's questions about, or comments on, what you might be doing already to kind of nip this in the bud with your people.

Right. And whoever thought that holding your phone up to a computer screen would be a way into an organization? But we've trained a whole legion of people to do that, and that's scary as hell. It's like, you don't even know what's in there. And the email systems are not capable of pulling those down and reading them at the speed that the mail comes in. You know, you used to be a mail guy; what's a big company bring in every day for message volume?

All right, so 25 times... let's say you got 10,000 employees; that's a quarter million messages a day coming in. There's probably a bad one or two in there, just going out on a limb here, right? So, but now how many messages are going to your users' phones? We have no way of knowing. We can't log, we don't see that. The only people that know are the phone company, and they don't care, because they're getting an eighteenth of a cent every time it goes out; they don't care. So that's a blind spot for us right now. I have no idea what my users are seeing in their SMS, and it could be this kind of thing, right? So... go ahead.

I don't really know what the stats are. I know that it definitely will perk their interest, because you catch the right person on the right day, you know, you just had a fight with your significant other and an old girlfriend calls, I'm going to look, I'm sorry. You know, it's a numbers game. That's the other thing that we need to think through, is that even at the prosumer rates, once I got everything set up, I think it is costing, like, I'm not kidding, like an eighteenth of a cent or something to receive a text. If everybody that was playing the CTF sent a hundred messages, I think I might be out 15 bucks. Like, it's not a big price jump, and that's entry level. There's prices... well, are you sending 10,000 messages a day? It's like, who sends 10,000 messages a day? Marketing companies. And so all of these things are built out for these marketing companies, and the spam companies, or spam people, come in, and because everything's a service now you can probably just say, "here's the message and here's the people I want you to send it to," and out it'll go, right? The threat intel in the CTF, we've actually mapped out some of the concepts of ransomware as a service. So you get this Nerell Social Engineering Group; nobody did give their name, but they're in the threat intel, it says this is the threat intel group, and suddenly they're doing cyber espionage. What happened? They hired some people. So it's totally possible they can use their social engineering contacts, this company's technology, and they split the money: criminals getting together to solve a problem. I think that's kind of a recurring theme, right? You do this part, I do this part. Think of it like Ocean's Eleven, right, kind of an okay-ish movie, but "I need a grease man." What's that? Oh, somebody who's really small and skinny and used to crawling through ductwork. That's a job. It is if you're breaking into a casino, okay. Like, no, no, go ahead.

Imagine that. Right, absolutely, they're asking for it, they're selling it back. But the way you can confirm that is you go to their company's website and you look for their privacy policy. Oh, no, I get that part, but the good news about the breach is that they will then give you free credit monitoring for two years, so if you line it up right you should pretty much get through the rest of your life without ever having to pay for Equifax to tell you it's all good.

All right, now, this was, again, I had a completely different thing planned, but this wasn't the right vehicle for it. We were going to build fake Rubber Duckies today, but we'll have to make that into a workshop for next time: you bring your PC and you'll actually build Rubber Duckies for 10 bucks instead of 50, and build your own code and all the rest. That was going to be this; that's not this, obviously. I have one real talk today, and that's at three, and it's on log de-identification. Really weird, narrow, niche subject, but anybody that's doing blue team work, anybody that's doing tool development, anybody that's doing AI, this might be something you could use. I get paid no more or less whoever's in the room, but I'll be there, and I actually have real slides, and I've really done the work on that one. But I hope you guys are having a great time, and I'm glad... glad to see everyone today. Thank you.
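The cloaked 404 the speaker describes (a bland "not found" for whoever arrives from an investigator's workstation, the lure for whoever arrives from a phone, and a log of every hit so the attacker can see which networks the phones came from) as an added, self-contained example. This is not the speaker's d42.ca page or any code from the talk; the User-Agent markers, the sample requests, the placeholder page bodies and the /24 roll-up that stands in for a carrier-range lookup are all assumptions constructed for this illustration.

```python
"""Attacker-side request profiling behind a fake 404, as described in the talk.
Added illustration, not the talk's own code; UA markers, page bodies and the
sample traffic below are constructed for the example."""
from __future__ import annotations

import ipaddress
import time
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: a short, deliberately incomplete list is enough to split
# "phone browser" from "analyst laptop" for this demonstration.
MOBILE_MARKERS = ("iPhone", "iPad", "Android", "Mobile", "Windows Phone")

NOT_FOUND_PAGE = "<html><body><h1>404</h1>The page you're looking for isn't found.</body></html>"
LURE_PAGE = "<html><body><h1>Phone upgrade booking</h1>Sign in to book your appointment.</body></html>"

HIT_LOG: list[dict] = []  # every request is recorded, whatever we answered


def is_mobile_user_agent(user_agent: str) -> bool:
    """True when the UA looks like a phone; an investigator on a laptop won't match."""
    return any(marker in user_agent for marker in MOBILE_MARKERS)


def choose_response(client_ip: str, user_agent: str, path: str,
                    log: list | None = None) -> tuple[int, str]:
    """Decide what this visitor sees and record the visit.

    Returns (HTTP status, body). The record keeps what the talk says a
    fake 404 can capture: who connected, from where, with what, and when.
    """
    mobile = is_mobile_user_agent(user_agent)
    record = {
        "ts": time.time(),
        "ip": client_ip,
        "ua": user_agent,
        "path": path,
        "class": "victim" if mobile else "investigator",
    }
    (HIT_LOG if log is None else log).append(record)
    return (200, LURE_PAGE) if mobile else (404, NOT_FOUND_PAGE)


def profile_hits(log: list) -> dict:
    """Roll the log up: phone vs desktop counts, and which /24 networks the
    phones came from. The /24 grouping is a stand-in for looking the IPs up
    against carrier ranges; no real carrier ranges are assumed here."""
    classes = Counter(r["class"] for r in log)
    networks = Counter(
        str(ipaddress.ip_network(f"{r['ip']}/24", strict=False))
        for r in log if r["class"] == "victim"
    )
    return {"classes": dict(classes), "victim_networks": dict(networks)}


class CloakingHandler(BaseHTTPRequestHandler):
    """Tiny HTTP front end around choose_response (only started under __main__)."""

    def do_GET(self):
        status, body = choose_response(
            self.client_address[0], self.headers.get("User-Agent", ""), self.path)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep stdout quiet; HIT_LOG is the record
        pass


# Constructed sample traffic: two phones on one network, one analyst workstation.
SAMPLE_REQUESTS = [
    ("198.51.100.23", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148", "/frostbite"),
    ("198.51.100.71", "Mozilla/5.0 (Linux; Android 14; Pixel 8) Mobile Safari/537.36", "/frostbite"),
    ("203.0.113.9", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120 Safari/537.36", "/frostbite"),
]


def run_sample() -> dict:
    """Replay the constructed traffic offline and return the roll-up."""
    log: list[dict] = []
    for ip, ua, path in SAMPLE_REQUESTS:
        choose_response(ip, ua, path, log)
    return profile_hits(log)


if __name__ == "__main__":
    print(run_sample())
    HTTPServer(("127.0.0.1", 8080), CloakingHandler).serve_forever()
```

Run stand-alone it prints the roll-up of the constructed traffic and then listens on 127.0.0.1:8080, where a browser with a desktop User-Agent gets the 404 and one with a phone User-Agent gets the placeholder lure; the point for a responder is that the 404 is a decision the attacker's server made about you, and that the visit was logged either way.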