A MarketPlace of Ideas

Archive for the ‘Hacking’ Category

DEF CON 24 SE Village – Chris Hadnagy – 7 Jedi Mind Tricks: Influence Your Target without a Word

Wednesday, August 9th, 2017

Good evening everybody I'm sultry Asian yeah this is great for my ego thanks very much I'm here to introduce our next speaker and I have to say that we have a fantastic team here at se Village but we wouldn't be a fantastic team without a fantastic leader this is Chris had Maggie the CEO of social engineer LLC and social engineer org he's author of three books social engineering the heart of human hacking unmasking the social engineer and fishing dark waters so he has had a lot of time in the business and a lot of experience in the business and he is here to talk to you tonight about special Jedi Mind Tricks he is a awesome when it comes to convincing people to do things that they shouldn't do so without further ado everybody Chris head naggy the best introduction of my life oh I only have five minutes left as of now okay oh actually I should probably start my own timer there we go okay so seven Jedi mind tricks to help you influence your target without a word so first of all I want to ask how many first-time deaf Conners holy mackerel really Wow Wow well I love you all that's amazing that's really crazy I never get that many hands okay so I want to start off just talking about what social engineering is before we get into actually using any kind of mind tricks right so I define social engineering as any act that influences a person to take an action that may or may not be in their best interest and I use a pretty broad definition which is way different than what you'll find online because what you'll find online a lot of times involves the word manipulation and that definitely is part of it but I think that's not always negative right now I know you're going to think I'm trying to se you but I really have a valid question how many guys in the room have daughters okay I do too as a matter of fact she's right here okay now and I swore I would never one bring her to Vegas and to bring her here to DEFCON but yet she's here how does that happen well there's all these different things we could talk about in psychology but and that's that she made a really valid argument that it was her right to come here and be with me and DEFCON supporting me and learning about the industry because this is what I want her to do with her life and how can she learn to do it if she's not here pretty valid argument right so solid reasoning mixed with all the emotions and feelings of her being my daughter and bam she's here there may or may not also be pictures on the internet of me wearing a pink scarf having my fingernails painted while drinking tea and I think any guy in the audience as a daughter can probably relate to said things things that we would never think we would do now if you study those very positive examples of social engineering and you'll learn how that works psychologically the bad are doing the same things right so I think from a security perspective and let's assume everyone in the room is here to learn how to do this for the good then we have to analyze how to use the principles of influence to become better communicators and social engineers so that way we can become better security professionals so I find this to be a very valid topic so what is influence and why is it so powerful well I like this definition of influence of trying to get someone to do something and make it their idea I thought I heard Hornsby and I was going to go nuts ok so trying to get someone to do something and make it their idea influence right different than manipulation when you get someone to do something that your idea I've heard other definitions like influence benefits both you and the target whereas manipulation only benefits you so we want to talk about influence because we want to talk about how to get people to want to do the things that you want to do and we can do a lot of talking about verbals and things like that but we're going to focus on things that you can practice everyday non-verbally that will help you become a better influencer here's the first one it's called a Duchenne smile now if you've never heard of of this guy he was a a French researcher named Duchenne the time people thought that you can't force you can't fake a real smile so Duchenne didn't think that way he thought well you can you can actually fake a real smile and he had an interesting way of proving it he drove around the French countryside and he got a prisoner out of prison and drilled a couple holes on the side of his face and suck a couple electrodes and those holes and shocked the crap out of him and the guess what the guy did he really smiled yeah that doesn't really make sense that he would really smile but he did he really smiled why well because he he triggered the ocularis orbit Alice I say that right Michele for once I did yes I win the ocularis orbital is nerve which is the the difference between a fake and a real smile fake smiles only engage the mouth real smiles engage the whole face and douche and prove that we can actually fake that right so we now call that two Duchenne smile what is the real smile now what's great is that the picture of him that you most commonly see there is no real smile on his face but he made this guy really smile just want to show you that once again there you go one more time okay now compare and contrast here's some really amazing pictures that Michelle helped me find on the Internet of the same people which side is the real smile right excellent right we could see that very clearly and what's amazing and we can't do this from this angle or I can't do it here on the screen but if you were to cover her mouth you could still tell she's smiling right based on her eyes if you were to cover her eyes you could definitely tell she's smiling whereas on the picture on the left she definitely looks happy when you see the whole face but not if you just cover let's say if you covered her mouth you would not see smiling in her eyes and vice versa so a real smile engages the whole face and you don't need the whole face to see that someone is happy so you could practice this well how do you practice this there's a couple different ways you can do that first what really helps is looking at pictures of people really smiling why does that work our brains like to mimic the things that we see we oftentimes mimic the facial expressions that we see if you ever had this experience you're walking down the street maybe you're walking past a restaurant and there's a glass being between your window and you see a group of people in the restaurant laughing and having a good time and what do you do you're doing what the majority of you are doing right now smiling thinking about it so you had that experience and it triggers an actual smile so when we see people who are laughing and smiling we tend to recreate those same facial expressions and the same emotions that go with it so one of the first things you can do is look at people that are really smile take a look at those pictures and then you can practice doing that and it's not too hard right you can practice getting your whole face involved in a smile and eventually it may not be natural few if that's not something you do but eventually after time practicing it it becomes more of a habit and you learn to do it now you have to be cautious at first when you're practicing I suggest practicing at home and a mirror with your family because if you're fake you start doing this and it looks like you're constipated and not smiling so you want to you know be cautious of your practice out in the in the wild so this real or fake real real or fake mmm very good class how about this good guys pass you know get certified in real smiles now this is an easy one but often what's interesting often times is that we we don't do it douwe we walk through our life we walk through the hallways you'll see this here at Def Con we are attached to our devices and we don't smile and why is that I don't really know the answer I'd like to know the answer but people tend to think that maybe I know in some cultures we were just my family and I were just in Russia and I learned something interesting about the culture there that smiling is considered a weakness and in some areas of Russia and if you smile they think you're up to something in your shady right so it's almost a coat in some cultures as a cultural thing we're smiling can make it seem weird so you want to be cautious with that because you don't want to be creepy right you only walk in by two you look a you know like you're just like hit some crack or something so you want to be cautious with how much you know you want to be weird-looking but you want to practice genuine smiles because as you guys just experienced looking at them even on a screen will trigger happy emotions in you and it will make people more compliant with your demands so if we can trigger happy emotions then we can trigger more compliancy here's number two the eyebrow flash I think I have a video to show you how this works oh yeah now what does that mean okay that was a little creepy see that was a no I was a creep yeah it sounded like let me tell you why I said oh yeah that sounded really maybe I should back up and redo that slide okay so these are what these are what are called conversational signals so without words if you were talking to someone and they were to do that they were to raise their eyebrows what did they just say to you okay so those are the emotions you're getting some emotions but imagine this surprised but also involve the mouth like right that would be more like surprise so very good but if someone is just talking if you're just conversing and you're saying something like oh yeah I went over to this talk and this guy was talking about emotions and it was okay you know it was not bad and they went like this what do they say what are they saying I'm sorry move I heard it I've heard so many answers okay keep talking skepticism interest okay all three of those are true right so it depending on the other parts of the face it could be yeah tell me more uninterested it can also be skepticism if it's maybe more of a downward motion with the eyebrows or it could be I'm interested in what you're saying so this is a conversational signal telling somebody that you want to hear more now think about this what does that tell the other person the talker the one who is sending out the message if you are telling them you are interested what does that say you're engaged excellent what else I heard some keep talking so I'm interested in you I'm listening active listening and I want you to tell me more how validating is that and the more you talk the less your targets are going to be compliant the more they talk the more compliant your targets will become so you can influence them by keeping them talking right and this is just a great principle of conversation whether you're doing it in social engineering or just doing it at home or just natural conversation so a really good one and Michelle did find me a male one just in case you know yeah and that's not creepy at all and oh I thought it worked better before okay now let's talk about the next one number three I was going to say this wrong you know this let's just let's reword that proxemics right anyone say that better than me okay no that's good I feel better so this is like our our space allowance what we closed in person I want to be like right now some of you are probably uncomfortable because of how close you are to each other but what determines how close people can get to you okay I heard some culture Society what else personal preference what please you stay here sir you in the white shirt gender okay let's smell that's DEFCON right there my friends interest you said context oh I like that so all of these are true statements right so also let me add some things to that the level of rapport that you feel with the person you are interacting with the relationship you have with them will determine the closeness including with culture and other things right so like in in Norway what is personal space tends to be a three foot radius that's personal space right yeah all right so but in Japan like there is no such thing as personal space if you can see light it's it's you're not you're too far away right so I mean that's it why is that well the cultures are different but rapport will also determine that for example imagine this you're standing here and a total stranger walks up to you and puts his hand on your stomach and starts to rub it yeah most you're not going to feel that way right most of you are going to feel the way you're all looking right now which is really uncomfortable that was like the awkward laugh like oh yeah it's weird and creepy okay why well you don't have a relationship with that person right there's no rapport there in trust so that's a really intimate area for someone to be able to come up and be that close to you but proxemics is learning how to use personal space right so here are some examples like a team it's okay to hug right now where's Dave Dave left he had to go of the meeting but I wanted him to hear this part is sometimes people don't want to be hugged long and awkwardly right sometimes people don't like long awkward hugs where there's heavy breathing on the neck and things like that's weird right now what allows for that well that's relationship right you can see the mom and daughter there that makes sense whereas if that same situation was on the bottom picture in the business setting it would look more like this creepy creepy yeah yeah if you ever see a on your targets if you ever see the face like that dog you know you're doing something wrong okay you're doing something wrong here so why is this important well I'll give you a personal example so I'm raised in New York City I'm raised in New York area I'm an Italian thank you New York yeah that's right so I'm raised Italian New York what does that mean about the level of touching in my family no you don't know nothing about Italians would lots of touching and slapping and pinching and hitting and hugging all sorts and my grandma walked up to me slap me in the face cursed at me and give me five bucks of it until my parents right this was the way it went you know this is the way you show the fixing your sewer from Kuhn slap you there's like God thank grandma I love you too you know there's a lot of personal touching right so because of that I don't have a problem I really don't have a problem with close proximity I don't have a problem with hugs don't have a problem with touching I don't have a problem with that but that doesn't mean that everyone else is the same so what do I have to learn if I'm going to be a good social engineer to be able to read those signs when people aren't comfortable right because it can make it can really break your chance to be influential it can break rapport if you are not aware of what your proximity is allowed and when you're in your interacting with your targets so you really have to learn these things and that takes some time so what does it mean well it's always best as err on the side of caution right when it comes to these things and not take liberties just because it's comfortable to you so when it comes to this particular one it's nice to to show that that you are aware of personal space and you're not you're not too creepy especially when it's cross-gender and I say this more so for guys to girls than girls to guys because guys right I mean if a girl gets really close was like swing you know I love it I don't care right I mean they can come up and like just be right next to you be like yes and if we do it we're creepers so you got to be aware of that okay you got to be aware of that and especially when it comes to cultural okay size is a thing too right I'm really tall so you got to be cautious because what happens to your targets if when you get close to them and they have ten act with you they're doing this this isn't comfortable is it it's intimidating exactly and it's uncomfortable to be to have to look up like this so you're going to ruin the ability to build rapport with your targets if they have to be uncomfortable while conversing with you so if you're dealing with the shorter person it's always best to stand back a little bit right to stand back so they can look at you even but not so far back that it looks odd because you don't want to be near them and some good tips there on that number four paralanguage these are things that are verbal but they're not right so something like a when you think of when you hear a sigh exasperation what else I'm sorry exhaustion good boredom okay so all of these are true and if you were standing there you hurt someone now in this room may not be the same because we're here for a purpose but if you're in public and you hear someone sigh whether you decide to ask what's wrong or not we start to think I wonder what's wrong with that person and if you're with a person who's who has empathy and compassion if you're in a public area and you sigh what will occur most times is they'll ask you what's wrong is everything okay what's wrong so a sigh is a great way to elicit a response from a person that you're looking to interact with right now you have to have a response that makes sense right so you know this is a part you got to follow up with because if you sigh and you ask people what if someone asks you what's wrong you got to have a good storyline and you can't you can't be like well you know when I was five my mom beat me that my dog died cuz people don't want to be that involved right now right they really don't I just asked you what's wrong so you want to have an answer that allows for a conversation and not like they're calling the hotline for your help you know what I mean so paralanguage can it will trigger an inquiry even if it's not right away and people will start to think I wonder what's wrong there you know if I should ask for help and if you're doing all those other parts right then it can help and also building that rapport and having people want to communicate with you oh here's a good one number five all right contact and this is super important right and now you know you got a really bounce this and this is a hard one for some people it really is especially us computer guys right we spent so much time with with technology like looking at another human is almost scary right so we really got to practice this one and we got to practice it right I've been with people like when they're practicing eye contact they stare at you and it's like like you almost feel like they want to hurt you you know they're like right yeah it's really scary don't do that yeah see so you got to be really careful with how intense your eye contact is and so you want to really practice that with people that know you and love you especially if it's a weakness of yours a great place to practice this is with your family with eye contact and learning to to look at people without being intently gazed upon them without looking psychotic or creepy it's a very powerful thing it's a very powerful form of influence if you make eye contact with people when you're communicating it says I actually care about you I'm looking at you I want to communicate with you as a person and it's very different than if I just kind of if you notice I just look over everyone's heads in the audience and I'm not really paying attention it's very different feel and how how personal this can be than making eye contact with people when you're speaking to them it really helps to build rapport am I going too fast I'm going too fast I need to slow down mom told me to slow down sorry hell no the haniss does I only have ten minutes left am I going too fast sorry guys okay well I'll slow down a little anyway because I'm probably and I'd naturally talk fast that's what happens so let me take a drink this will be a fake pause okay so back to eye contact and what's important about eye contact is also knowing when it could be outcome uncomfortable for the person you're interacting with right so if the person you're interacting with is nervous and not making eye contact you don't want to force it you want to be like hey right do you want to be really careful that you're also respecting your respecting them now from the older generation if you're dealing with older generations you always looked at people when you spoke to them right you always looked at them and my grandma would say you always look at people when they talk to you you never look away but so you have to also know culturally gender age what's acceptable and what's not probably one of the biggest ones non-sexual touch and it's important to understand what this means because human interacting and human interaction and touching is very powerful way to build rapport but only when it's done appropriately and non sexually so before we talked about proximity and how that works right and where the areas of the body that are acceptable to touch and not I mean some of them are very obvious we don't have to go into them but some of them may not be so obvious right like like the stomach or the lower back thighs anything like in this area these are unacceptable to touch on strangers right you don't just walk up to people and do that that's really weird right I wish dad was here for this because even with certain really close relationships it's inappropriate to touch areas you know in certain places because it doesn't build rapport doesn't make you feel comfortable it makes you feel uncomfortable and the shame to yourself anyhow so you got to be really careful with how you do that now why is this such a powerful thing if you can master this and and before we even talk about that let's talk about how you master it so this takes a lot of practice right knowing when it's appropriate and you'll notice too because sometimes when you're interacting with people they will tell you when it's okay because they will start doing it you ever have people you you you walk up to and you they right away put their hand on your shoulder right they're saying that's okay then for for you to reciprocate that or you ever talk with someone and they do the arm touch and do the arm touch right they touch you in the arm when they're talking to you that's that's acceptable form of non-sexual touch right because these are all okay places when it's done appropriately releases a coma called oxytocin in the brain and oxytocin is something that many people have research but one of the more current researchers is dr. Paul Zak he wrote a book called the moral molecule and it talks about oxytocin being the chemical that they've linked to the feeling of trust and we when we feel trust when we feel rapport oxytocin is released so this is a powerful thing because think about that if you can release oxytocin in your targets they feel trust and they feel it towards you and that's a really powerful thing to be able to do to two people you're trying to influence if they trust you and then you ask for something they're more likely to comply with the ask aren't they because you've built trust with them and you've done it chemically some things to know about oxytocin because I see some of you like writing it down or thinking about it if you search for oxytocin you will find that they sell oxytocin on Amazon it's not really oxytocin okay it's not it's more of like like a like an alcohol Tincher you know that's like mostly alcohol and then a little bit of something they're calling oxytocin and in the doc Paul Zak he says if you were actually trying to use that to build trust in people – I'll just buy this and put it in a girl's drink and she'll trust me but first of all you need to either inject it or they need to inhale it so unless you plan on bringing a pump and one and a half gallons to a bar and pumping it into a girl's nose it's not going to work to build trust yeah okay no you can't do it it's not not going to work you can't and I got a pump oh my god I have a liquid into a girl's nose what the bar that's not going to really build trust you can either sit here for a second funky Junction yeah just a minute more and you'll be trusting me you know so don't don't think that will work so online purchased oxytocin is not the way to go I say do it naturally by building trust through influence and and good emotions okay something else I know about oxytocin has a very short shelf life but it also stays with you the reason for it dr. Zach did a really cool study on oxytocin where they found out that once there was a relationship that the same release of oxytocin occurred even when they were interacting with the person through social media so you have a good relationship with your boyfriend/girlfriend husband/wife kids when you're when you're reacting with them on facebook Messenger or Twitter or whatever the same amount of oxytocin is getting released in your bloodstream than when you're sitting with them and person so pretty powerful so imagine this from a social engineering perspective if you could be the source of oxytocin or one of them for your targets then they'll interact they'll feel that way with you regardless if they're interacting with you in person or through email or phone and that's a really really powerful thing but one of the one of the great ways to release it is non-sexual touch I need it I need someone to come up here I need a demonstrator anyone okay you come up here I want to just show you one thing that you get some people do know yeah so first so no just get got though you do it that's not really done a horrible example but sometimes we do this when we greet people if you see people do this is a really great way to ruin rapport okay thank you give them a round of applause okay that is not a positive form of non-sexual touch okay because what you're saying is I'm in control and when a urine control doesn't build rapport so you want to build rapport with people let them be in control right so doing that if you know what I have to work on this myself that tends to be my natural habit is to kind of put a hand over the hand when I'm shaking so you really have to be aware of that how that makes some people feel very captive and it looks very captive like you're just trying to be the top guy or gal so be really cautious with that especially cross-gender we see this to be very common can I can I ask you okay come here another one that happens with between male and females when they shake hands upper arm grab you see this really do like hey I'm not letting go and told I say it's uncomfortable see hug her it's uncomfortable you see that's what she said and this was even a demonstration and it's uncomfortable so if you have the habit of doing that it's not a great form of non-sexual touch and you can see there was no intimate areas interacted with on either of our of our guests right that net that never occurred but it still makes people feel uncomfortable if you try to take control so be cautious with that if you do it but really work on the non-sexual touch which could be used good with humor so you make a joke it could be some touching or when you're just building rapport if they make a joke and you laugh sometimes it's okay to put a hand on his shoulder touch the the forearm something like that is a great area to release oxytocin and then last but not least is open ventral displays tell you Bill Clinton had this down pat he really did I mean he had this down pat he so ventral being the the open side the underside right so when you talk imagine this is commanding right so this is hey you're going to do this you're going to do this but this is inviting hey won't you come with me when you come with me and we'll go do this together so inviting or commanding which one would you rather be if you're saying commanding is going to be much harder for you to build rapport inviting works well and you can do this without any words you know so of course adding words makes more sense if you if I were to stand there for now we're going not going to really need too much any of you but when you mix it with words it says I trust you right any ventral side head tilts is another ventral display because it says I bear my neck to you so it makes it easy you're going to be careful with head tilts guys especially if you're not a natural head tilt ER and you try to tilt your head and it's too much this is the way you look and then you mix it with your psychotic eye contact and your smile and you get that okay that is not good no rapport has been built I've ruined every bounce of rapport with any of you in the room right now so you don't want to do that but you practice this okay you practice these things do you get the right it doesn't take a lot of head tilt right it's not it's not extreme it's really very slight amount of head tilt and you may have noticed I was doing it the whole time while I was up here with head tilt try to put on a really genuine smile and using open ventral and it says something about you as a person says I trust you I'm open I'm happy it's okay to be my friend and it really builds rapport very very very fast so how do you put this all together before we get the questions so this is one of the big things that comes up all the time as after you talk about these things people say well how do you practice this right what do you do with all of this so the best place to practice is that home it really is if you it with your family because you can you can be yourself with your family you can practice that you can screw up and they're still going to love you get your family right so it's okay to practice with your family and also what I find is family gatherings anytime that you have like a large gathering is a great time to start practice these practicing these things my when I started learning this my goal was to try to pick one and practice one at a time because you don't want to overdo it right if some of these may come naturally to you like it is it is more common that you'll see women be natural at head tilting women will also be better at the non-sexual touch than guys so if you're a female you're practicing these things you may have naturally be better at some of these genuine smiles you can for anyone can practice these right and see the effect notice that try to really pay attention what happens to the people you're interacting with when you try these things and you'll see your relationships are open up communications will open up and that's when you can start applying this to actual security and social engineering and this is a weird topic right for a security conference but when we do se pen testing like we actually get paid to break into places and I know a lot of people call that red teaming but I kind of think there's a difference because red teaming is like you're scaling the walls and picking locks and you know you're breaking in the dead of night our normal mo is to go into a company broad daylight right broad daylight middle a day we walk in and we have some pretext we're supposed to be there and I find that it works much better when you can use influence with your targets instead of manipulation they like you and then when you come back later on and tell them that you broke in and that you have to do education at this point you're not the bad guy that made them feel dirty and bad you know like they were scared or fear they feel good about having met you and that works so much better when you apply these principles and the side benefit as a security professionals if you can master these it just makes you have better relationships overall and it makes it easier just to be a human and then where is that guy that asked about well morality catch up with technology maybe I don't see it happening but I think that's something that we can all work on okay what do we have left good we got plenty of time for questions because that's usually what happens so sir kind of a question on the interplay between I yes as you get closer okay so the question was if you look at people are they less likely to let you get closer that another question I actually find that to be the opposite you know what's amazing is a two years ago or so we had Apollo Robbins Apollo Robbins was here him and I give a speech together and he actually taught me something really amazing about pickpocketing and and how he gets to do it and actually he uses eye contact because if you look at somebody it's very they will really rarely break the eye contact from you if you're not being creepy right and then you can direct them so if I were let's say if you were my target I were to walk up to you and I were to make eye contact with you you know I'm about to interact with you and then if I were to start off with excuse me can I ask you a quick question and I would here's my map I'm lost can you tell me where I'm at this I've just directed your focus to look at me then my map and now my hand can be anywhere right and I well that sounded really creepy but you you know what I meant and my hand is on your stomach rubbing it softly releasing oxytocin yes that's exactly what I meant I hope that answered it without too much creepiness yes ma'am yes okay so you know there's actually a research paper not and I can't say this about use I don't know you okay so I'm just going to give you some things I know because you look like you have a very friendly face and a warm face you have a wonderful smile yes thank you so she asked she said that's when she stands there like just alone people have told her she seems unapproachable so she asked if there's any advice to become more approachable here's something that often happens to many of us you hear about the study on RBF okay I don't have to say it right so resting bad face we'll just say that because there's kids in the room okay so what happens is and and where many of us may be guilty of this when you're in thought you make this face and what is this hmm oh yes but what is it what emotion yes I'm sorry not fear anger who said it raise your hand please excellent anger so you may not work you may not know everyone said something different but either way whatever people said it was a bad one so if we have that kind of thinking face people look at us and they go on approach something's bad right also certain nonverbals tend to be unapproachable and that makes me unapproachable right so I don't want to do this that makes me look like I'm now damaged but a lot of you know lowering the shoulders a little bit and and putting my hand in my pocket can say look I'm not you know got gesture so much – I've actually slap people walking by which I have I was gesturing and I'm like oh my god I'm so sorry so I've actually done that mistakingly you know so you have to be careful with body language if you making yourself like a wall think about in the animal kingdom when there's a fight about to occur what usually happens most animals make themselves bigger like gorillas put their chest out peacocks put their feathers out animals make themselves bigger before they're about to get aggressive so we make ourselves bigger we're basically saying I'm ready to be aggressive so try to make yourself a little smaller and I don't know if you do these things you know you're kind of small as it is so I don't know much much smaller you can be you'll be like a poke a ball right now I don't know you know so smiling would also work great yeah working on a genuine smile maybe a someone at the mic thank you and it's not on thanks Evan thanks really love you do you have any other examples of paralanguage in addition to psy yeah so sure you all feel bad for me now because I gotta have there are many examples well let me think about some okay because that is not something that's clear in my head and I don't want to give you a fake answer because I hate doing that any kind of audible distress signal so so what we're not talking about in paralanguage is something that will trigger an inquiry as to your well-being so people will go man right they just like kind of make noises like they're hurt sighing sniffling these things are indicators that something is not right and it could trigger a response from someone asking you what's wrong are they usually audible yes they're usually that usually they're audible so people can hear them yeah thank you you're welcome yes ma'am that works okay so the she added one hmm right right one actually has worked on me before right at the grocery store or standing in the line someone behind me goes hmm and I've turned to look that for me or was that something else right and and it does it brings a curiosity right do you want to know what was in him about yeah good one thank you excellent you're in actually asked me a question really you live with me um a lot of people have different by language like one thing for them can mean a totally different thing for another person even though maybe the exact same movement or audible noise so how can you tell the difference that's a good question and you see why I'm screwed right right you guys all see it right so but okay so well here's some good things unlike unlike micro expressions body language is not universal it is not okay there are cultural body language and hand signals and things like that like like how many of you when you were a kid this was got your nose right got your nose right has it got your nose game don't play got your nose on Turkey because this is the vulgar sign for female genitalia right so so you got a no cultural – good question because you've got to know culturally what body language means you know Michelle's from Japan and she says if you wanted if your parent was going to call a child they do it like this this is like come fight you know this is come here and this is a different story so you have to understand I think culturally what your body language is saying that's very important otherwise it can become offensive it can come off really offensive if you don't but I still think that there are certain things that tend to be and I don't want to use the word Universal because that's not the case with body language but that tend to be more standard you know things like the touching you have to understand culturally what's acceptable or not but there still are areas that are unacceptable touching in most cultures right the the private areas that you would not touch regardless of what culture and so I think it's just a matter of learning about the culture of the people that you're interacting with and then understanding what that may mean for them yes sir all the time are you kidding yeah so one of the one of the best things I've ever done in my life has learned how to read facial expressions but it's also one of the worst things I've ever done in my life because when you first start learning you feel like you have a superpower right because you see people's emotion and then you know what they're feeling but you know what but you don't know why right and it's something I've learned personally from dr. Ecklund just because I could see that you have it but let's say you showed anger I could say oh that's guys angry because he's a hat he hates my speech and he doesn't like me but maybe you have a bad back and you moved and you your back just twins a little bit that made you flash anger right or maybe you got a text message from someone you don't like and that's what made you show anger and it's really horrible to assume it's about me right so I can see the emotion but I can't I can't know why unless I do one thing and that's ask questions which it may not be appropriate to do Thank You Hannah so I think I've had it backfire often because I've misread someone's emotional content and then made assumptions and I understood why now I try to control that I've been working on that so it's but it does take some time all the way in the back yes you high sure so she asked about positive power language so audible noises that express emotion right so a laughter laughter right that tells people that you're having a good time doesn't it a gasp will tell people what says what yeah surprise or fear right one of those things so not that you would ever hear this the only like a grunting okay right yeah if you heard that you're probably just would run the other way you know because that guy's like deeming you a psychotic half-smile over a head tilt right yeah that's a bad one but the other two were good sir that's a great question it was about mirroring and mimicking body language so I actually love this this this question because in the in the late 80s early 90s we taught that not we but the psychologists salespeople they taught that mirroring was a was a really positive thing to do all the time but it can really backfire because if you mirror too much and you get caught what happens you ruined rapport and Trust right so what we say is is is notice the let's say the probably the person sitting or they relaxed are they tense and you can mimic to an extent but you don't want to mirror right so example if the person is is sitting with their arms crossed like this right maybe maybe you you cross what you know you cross one arm you know you were that or you just put your hand up like this that could be a similar expression of relaxation but you don't want to follow every movement because maybe there's a comfortable for you to so you sit like this but then you move a minute later and you do this and you scratch your head and not a scratch on my head and then you put your hand down I'll put my hand down but what happens eventually if you get caught it becomes like you're parroting and it ruins rapport so it can actually make it really bad tons of hands okay let's see yes little one so besides the generational issue that you were talking about with your grandmother and eye contact are there other aspects of age difference that come into play with nonverbal communication yes so the question was age difference though they come into play but non verbals and it certainly does doesn't it because depending on your age it will seem more or less appropriate to act or be a certain way like for example it would be highly inappropriate even if I can master non-sexual touch for me to walk up to let's say a 15 year old girl and do it right I mean imagine if that was your daughter and I'm now practicing rapport building with non-sexual touch on your 15 year old daughter I'm getting shivved right I mean it's not it's not it's not good doesn't matter if it works if it's psychology it doesn't matter I guess that it's bad don't do it right so definitely you have to be aware of all of those things your age your size your status who you are and who your target is because if you don't you can really mess up by using the wrong type of nonverbal so yes you must worry about that sir there's two let's go with the guy in the back then you know yeah so the question was how do you do this when you're not in person okay so you're right a lot of this is geared more towards in-person interaction with influence well through email and and voice chat and phone that's a whole different talk but I will give you one thing because there's a lot of steps to it that don't involve any of this but your your nonverbals do affect your voice especially when you're doing fishing right so if you smile it actually changes the tone in your voice as when you frown right if you actually play the part non-verbally so if I'm calling I'm supposed to be the IT guy and I know a lot then you sit up straight you puff your chest out there's a great social psychosocial psychologist Amy Kuti she has an amazing TED talk if you haven't seen it you should watch it she talks about power posing and how posing for two minutes and like the Wonder Woman pose before you go do something that you're nervous about doing yeah arms up in the air the different poses that that you see powerful people do doing that for just two minutes before you take part of the activity that's making you nervous will will feed your body with the proper chemicals and emotions to make you feel powerful basically you're a seeing yourself you're tricking yourself at the saying yes I am confident your brain doesn't catch up for a little while until it's over then it goes darn you Chris it really weren't confident that's what will happen I got the stage you'll be like I know you were faking and then I'll be exhausted back there on the floor dripping with sweat sir yeah dude stop oh yeah yeah so that's actually good I don't I don't have any great advice for you right now I'm going to think about it okay because I don't want to give you wrong advice but I think it's just a matter of recognizing your your target that you're speaking to and how they're interacting right like I don't feel right now that your eye contact is intense or inappropriate right I think what can be the worst is if you're making eye contact with people in your eyes wander and they're wondering if you're paying attention right so I think it's okay like you know the things to watch for our intent gazing or what do they call that like we're kind of daydreaming where you're not really looking at someone you're looking and looking through them and yeah like zoning out right so you kind of do you know really listening to you like that that could be dangerous so you want to watch out for that but like our interaction here I don't feel like you're overly intense at all well it's kind of nice actually I meant that in a good way I really did I really did yeah yeah I can't tell you why I'd have to see you standing in public and then I'll come up and talk to you you know some people have very friendly faces you ever noticed that they just their body language and their face just makes you look like I think I can trust you right and and that that's that could be good that can also be bad because you know Ted Bundy had that face so to say and be careful right so he asked the question about de-escalating if you get caught you're saying so if you get caught that's a really good question I don't have a great answer to because we rarely get caught and I know that sounds really horrible it's an arrogant answer and I don't mean it that way I'm trying to think about if I like so you're saying if someone were to say and I know your head Tilton just let me I guess I don't under maybe you can clarify it on okay okay so they're questioning your motive yeah yes yep yep a hundred percent so I think what you do with that so let's say you practice this you say I'm going to go into the building with a with a nice head tilt open ventral and a smile and the person you know doesn't fall for it right they're like wait what company you're from I don't have you on the record I think to continue doing that is going to make you seem a little weird no really I'm supposed to be here right so I think you have to change your you can't stick with it going but I'm building oxytocin and rapport right let me touch you you know so I think you I think well I can be really misconstrued but I think I think you have to I think you have to think about your proper emotion if you were the person that you're saying you are so if I'm the IT guy and I'm being stopped what would be the proper emotion well it may be anger but I obviously don't ever show anger in an engagement ever there's no place for it you're a security professional you're there to educate don't ever show anger but can you be a little irritated can you be like I don't know why I'm not in the list all I know is I got a call from Bob he told me to get my butt down here and fix this machine what do you want me to do I'm doing my job just like you right and kind of put it back on them but have the proper level of emotional response that's what I usually do you know no problem my rule on my company is you never break pretext never break it no matter what even when you get caught I got locked in a closet once I did I still never broke pretext what no no no we didn't play spin-the-bottle on the club I got locked in the closet by two security guards yeah that's a beautiful question can I have another hour there's there any way to protect yourself and being manipulated about these things to my out of time I have 31 seconds to answer your question go through the tunnel I don't I don't think so I think it's just being aware of what it feels like when this is working on you and then knowing if someone does this what their requests are and if they request the next request that comes is inappropriate to realize that you are being manipulated and not influenced right because being influenced necessarily isn't a bad thing you know it's not necessarily a bad thing if someone's trying to get you to do something that's not terribly bad but you want to know what it feels like when it's working against you in a bad way and then be able to stop it okay guys I'd love to answer more of your questions but we have another speaker thank you

Posted in Computing, Hacking, Social-Engineering | No Comments »

Installing Kali NetHunter on Nexus 7 Tablet

Saturday, July 8th, 2017

Making notes here regarding Kali NetHunter installed on a Nexus 7 tablet. I noticed this was possible when looking on ebay for a Nexus 7 for a car computer installation.

Research Links

Google: kali linux on nexus 7
Kali Linux → How to root your Nexus 7 and install Net Hunter – this is a step by step overview of the process
Ebay: Nexus 7
Ebay: Phone OnePlus

YouTube: How To Install Kali On Nexus 7 [2016] High Quality

Show Transcript…

Alright guys so let's go ahead and jump right into it I want to apologize ahead of time for those of you who thought there would be some type of dubstep music in the background unfortunately not that type of tutorial but what further ado guys let's go ahead and get right into it so kali linux and if you're not familiar with it kali linux is a linux distro that's kind of driven towards security has a lot of security applications on it now what Kali net hunter Edition does it allows you to have those same features on a mobile device giving you a portable penetration testing device now these are this Kali the hunter editions exclusively available for these following devices so it's primarily the Nexus devices you see here and a blue do believe they have it available for the oneplus one device now there are some prerequisites that we got to take care of in order to get that Kali Linux 900 ish installed on the on the tablet or phone itself now you must be running either lollipop or marshmallow device needs to be rooted and the bootloader needs to be unlocked now that's what we'll be doing in this tutorial and we'll be taking care of that and in this tutorial we'll be using a nexus 7 2013 tablet edition this is the one I have right here and just a full disclosure the one I'm using right now it has a cracked screen and digitizer so the struggle is real people and if you're actually if you do not have all these devices you can actually find one of these on Amazon for a relatively good price um here's one for 109 bucks the newer one is 149 bucks LTE yms around or you can get the phone on amazon.com 169 so that's neither here nor there guys let's go ahead and get right into it so we want to download a couple things before we start one of those things being the Nexus route toolkit now I'll have that link available for you in the download or in the comment section and then we also want to download something called oh we want to download the Kelly net hunter ISO so if you scroll down to the bottom and you see your device here and how I'm running Nexus 7 2013 lollipop so that's what I'm going to go ahead and download now and we'll wait for that to finish up and then we'll go there now I wanted to quickly add real quick and I know a lot of you might be familiar with the process but if you want to verify the version of Android you're running simply put all you're doing is you're going to go to your settings and then you're going to go to about system or about tablet and it should tell you what version of Android you are running here and if you click on it it'll give you the whole you know the little icon that tells you hey you're running lollipop so that being said our next step that we want to do is we want to enable developer mode on this device now this is condemned bet can be done very easily all you got to do is click on build number and in my situation it's already enabled but if you click on clicking it it'll tell you once that mode has been enabled I think it's six times or I think it's eight times I'm not 100% sure but if you keep on clicking it'll get it for you so once that's done you're going to see the option for developer options and you want to make sure that's enabled now our next step is we want to go to we like to call our storage settings so we're going to go back up and scroll and we see our storage settings here and what we want to do is we want to enable what we like to call MTP mode so USB computer connection and we want to make sure that MIDI device is enabled as MTP all right so we have one last step we have to do let's go ahead and plug in our device one more time oh if you haven't go if you unplugged it you know plug it back in if it's our plug then don't worry and then what we want to do is we want to go back to developer options again and so we're going to settings go developer options and we're going to go ahead and enable USB debugging mode onto this not your head okay now some of you might get an alert that actually states that hey it's from RSA to allow the bugging from this computer something similar to that click always allow from this computer and then you hit OK that's basically allowing allowing your computer or Android authorizing your computer to access the information on your and your device without no problems which is going to be necessary for us to unroot the device and unlock the bootloader alright so our next step is going to be we want to go to the nexus rule to a nexus root toolkit now like I said I have the link for that below if you guys want to download it to available from this website as well that's the source so once we've downloaded that we're going to go back to our desktop where I saved mine and we're going to go ahead and launch that application and hit install and let that thing do its thing now apparently the version that I have available is a little bit older but for the for the sake of this actual tutorial we're going to cancel on it and now it's asking us what version of Android we are running so we're going to go ahead and select that we're running the Wi-Fi tablet Nexus 27 Nexus 7 2013 edition and it's going to ask us to verify the version of Android that we are running so simply put just to double-check to be on the safe side we're going to go ahead and go back to our our Nexus device and let's go ahead and just verify what version of Android we're running so just go back and we're going to about tablet and we were running version 5.0 too so again we're just going to go ahead and select version 5:02 and hit apply now this is something we already went through already so we've already enabled USB debugging okay we also have enabled MTP for USB connection settings and we go ahead okay and again it's asking us to upgrade to newer version in this instance you said cancel and there's going to ask us to download some files and dependencies now this might take some time depending on your internet connection so I'm going to go ahead and pause here and let this thing do its thing and they will come back once it's all wrapped up so once the process has been completed you should have a screen that looks similar to what I'm looking at right here now if you download the latest version this might be a little bit different but that being said we want to do the most important part which is the initial setup for driver installation guide so let's go ahead and click on that so now it's asking us to plug in your device in with a USB debugging mode enabled and that's again that's within our developer options so let's double check and make sure we have that enabled so let's go ahead and go to developer options as you can see USB debugging mode is enabled on this device so that's one thing we can check off the list launch device manager using the buttons below and select uninstall Veni select uninstall check the but the boxes for any devices that are um any drivers tied down to the Nexus device so launch device manager and we're going to scroll down and I guess we can just kind of look for okay so we have anything here nope system devices no I'm not seeing anything there hope there's an Android device right there so we're going to hit it uninstall and it's asking us to delete driver software as well for this device or we still check and make sure it stays that so let's make it short so I can stop making that it's verifying us or telling us to make sure we delete the drivers and software's for this device I'll hit OK in the hit okay and it's asking us to unplug your device and launch the USB review using the button below so we've unplugged the device and we're clicking on this right here and again it's asking us to delete anything related to Android in essence so I'm seeing one here for Google USB drivers so we're going to hide a hit I'll install hit okay now we see anything for Nexus seven so we've seen a couple things here for Nexus 7 so we're going to go ahead hit hit uninstall selected drivers hit yes yes on this table selected drivers yes what else anything related to samsung here okay now say anything related to Samsung Google ADB drivers alright I'm not seeing anything related to that or anything else that resembles your Nexus device a particular look for any devices with the vendor ID 18 d1 so let's look for vendor vendor devices and here we have one from Google right here as well so we're going to hit install boom and zero for see if we see and think without one as well and we are not seeing anything for that one so again like I said this is kind of the more tedious process because it has to be pretty much meticulous as far as what it wants you to uninstall from your computer so that being said I verified and made sure that everything is good I'm just going to do a double check to make sure everything is all set and then once we've done that we're going to go ahead and close this out and I'm gonna hit no on this one right here and then once we've done that where it's asking us to reboot the computer so we're gonna go ahead and reboot the computer and it will start it back up all right so we have rebooted the computer and so we're going to go ahead and click on the full driver installation guide again and we're going to go ahead and click on step two so now it's asking us to disable USB debugging so we're going to go ahead and start doing that all right so let's go ahead and go to our developer options or if you're not already there go into settings developer options and then we're going to go to USB debugging we're going to turn that off boom alright so let's go back to our computer and then so let's say say is go to Settings table USB debugging and then plug in your device so we're going to go ahead and plug in the device boom and it's going to see it and wait a few minutes you see your computer Auto configure MTP which I already has right here so under setting storage from the computer off in the store settings within Android you want it to sit or uncheck MTP so let's go ahead and do that now so let's go ahead and go to our Nexus device again and there we go to storage USB computer connection and then we want to disable that we got a little error here alright boom and then we want to go ahead and rename MTP settings so boom and then we want to go ahead and re enable USB debugging mode so we're going back to developer options and we're enable USB debugging hit OK boom and now our last step needs to be and actually we're seeing that your next device is ready to use in next so our next step now is going to be the launch Explorer and we want to make sure that we can actually see our Nexus device so we're going to go to computer and as you can see our portable nexus 7 device internal storage it is accessible everything is good so once that's completed they're asking us to go to step 3 and so basically saying choose a driver solution if recommended one doesn't work try number four so we're going to go ahead and click on the Google drivers so I'll go ahead and click on those boom and just to read it for you guys it says this will fully automatically automate the installation of the official Google ADB slash fastboot drivers these are the latest version available taken directly from the SDK except the driver installation when prompted so we're gonna hit okay hit next and we're going to hit go ahead and hit select always trusts software from Google Inc hit install and this may take some time guys do apologize and we're going to hit finish and of course asking us to reboot the computer so we're going to go ahead and do that and we'll start back up once it's completed all right so the computer has been rebooted so we're going to go ahead and launch the nexus fruit toolkit again and as you can see it's starting up some of the services and we're gonna get that message again to update to the latest version it canceled all right so once you have opened the nexus rule 2 root toolkit application we're going to go ahead and back to the we're going to go ahead go right back to the initial setup again full driver installation guide and we're going to help go ahead and click on step 4 now this is kind of the moment of truth it's going to tell you basically it's going to test and make sure that the drivers are working properly on your computer and your computer is able to communicate with the next device properly in order for us to be able to route it and unlock the bootloader so let's go ahead and start that process up we're going to go ahead and click the full driver test and we want to make sure that your Nexus device is actually fully unlocks I'm going to make sure mine is fully unlocked and we're going to go ahead and hit the full driver test now this might take some time anywhere from anywhere from 2 or 3 minutes let's go ahead and let this run now at this point your Nexus device should be rebooting you should see a little Android guy with stomach open so it's doing its thing right now and it's checking the fastboot connectivity and now it's should be rebooting your device now and it's going to be waiting for your devices we see here apologize I had to get ahead of time guys I'm planning a cold someone I might sound a little sniffily when I'm recording this but really wanted to get this out for you guys so I am a soldier so now the device is rebooting so it's still waiting for your device and again this could vary from device to device how long it's going to take and now you can see we're able to access the file storage system at this point your device should be up and running so as you can see my device is back up and running and let me see my mouse can enable I can connect to it like I said before guys I have a cracked screen so I have a wireless keyboard and wireless mouse hooked up to my Nexus device who's better than me alright so we go back to our computer we can see that it was a success and that the drivers are working properly all right so our next step now is going to be to route the device so we can install two additional applications so we can actually load the callee net hunter addition onto the device now I know initially in the tutorial we had said we're going to unlock the bootloader now this process is pretty straightforward mine is already unlocked on my device if yours is not unlocked you can actually do it through this button right here this will unlock the bootloader but it will wipe your entire device so that is something you could use at your discretion um a lot of the instructions that I've run it on the internet do not require that you unlock the bootloader but I am not a hundred percent sure if anybody has a quote that anybody has the handset for that leaving in the comments below but what we're going to go ahead and do now is we're gonna go ahead and route the device so let's go ahead and get started on that so let's go ahead and turn on our device and we're just going to go ahead and unlock it my mouth is acting up alright cool so we're going to go ahead and click root and basically again it's a kind of a discretion as telling you the script is designed to help you read your device and also flash a custom recovery to it rooting your device will give you photo measure of access to it kind of just read through the whole device guys but we're gonna go ahead and hit okay so hit okay boom and now at this point your device should be rebooting now it's rebooting your device into bootloader mode now this process might take some time guys so just bear with me on this one you all right so once we have this screen open up here we want to verify that we actually have root access on our Nexus device so simply put go back to our Nexus device and it's verify that we have Super User permissions on the computer or on the Nexus device so we're going to the menu and you should see to the right supersu click on that and it should show that you have basically root access in essence so right now I have my application for stream for screen streaming so I'm able to display my screen on my computer for this tutorial so once that's done guys we want to download a couple additional applications for this device so first device our first application we want to download it's going to be something called busybox so baby I'll simply put go to the Google Play Store and type in busybox and I'm going to go ahead and install that and let that do this day and once that's installed we're going to open and we're going to go ahead and hit grant access for Super User permissions so hope hit grant and we're gonna hit install and that's good to go and then we want to download one more additional application so let's go back to our Play Store and it's going to be T WRP so let's go ahead and or boot manager application so let's go ahead and click on that and hit install and accept and we'll wait for that to install on the system and then we're going to hit open on it and make sure it's actually functioning properly and they should be asking for Super User permissions and we're just gonna hit grants and then we should be good to go now now our next step that we want to do is we want to go back to our computer and then we want to make sure that we want that we have downloaded or successfully downloaded our Kali Linux image so as you can see I have mine right here then that hunter and what we're going to go ahead and do is we're going to go ahead and transfer that over to our Nexus device so we have our Nexus device right here and we're going to go ahead and click on that device hit internal storage and we're going to go ahead and drop it right in the root folder now if you did experience some issues initially when you're trying to put on there no there was like a little clip there or a little cut I had some issues with it but simply unplug and replug the device and that should allow you to view the files on the device again so we're going to our nexus kali image again and here we go copy and we're going to go ahead and drop that smackdown in the middle let that transfer over to the system it will pause now and wait till it's finish all right so the files have fully transferred over to the actual device itself as you can see everything is good to go there so our next step that we want to do is we want to go back into our main device we're going to open up to wrp manager and then we want to do a couple things here what we want to do is we actually want to make sure that we have a recovery install recovery installed onto this computer or installed onto the Nexus device so what we're going to do is when I click on a device name and then we make sure we select our Nexus device and so once we do that hit recovery version to install and we'll just click 3.0 and it's going to install recovery and it's going to go ahead and do its thing you now at this point it's asking us to a basic thing it was assessed flashing cover II was successful would you like to attempt rebooting to recovery now so we're going to go ahead hit YES on this and while we're doing this we're going to go ahead and actually flash the device with the Kali Linux image and so we're going to go ahead yes on this and so the device should be rebooting now you so at this point our the the initial setup menu is going to come up and we've kind of sped up the video just for the sake of the sake of the time of the other tutorial but now since you're selecting it uh the language is English and then so I had a little issue with actually getting this to work so I connected my mouse but you're selecting English and then you're actually going to go ahead and load a recovery onto the device itself and then once you see that menu there what you're going to do is you're going to scroll down to the actual zip file that we had which is the kali linux one scroll and it's going to load it up at this point the instructions in essence are going to ask you hit agree to you agree with the Terms of Use etc and at this point it's actually loading up the Kali Linux image onto the device alright guys so if the process was successful and when you do boot your device you should be seeing that Kali net hunter wallpaper in the back and when you unlock the device very similar to how your Android device was but once you start looking around you can actually see some of the applications that are available for you and we will for sure be going more in-depth on this channel with some of those capabilities of this device and of course guys if you have any questions for me feel free to leave them below in the comments box I do apologize again I got again for the some of the video quality when we were capturing the device offline you know I wanted to do this this tutorial kind of on the fly so if any errors that I got you guys could see and maybe you guys got the same errors as well and I can help you fix them as well but if you ran some of theirs guys feel free to leave comments below I'll try to get back to you subscribe to the channel if you guys like the videos I appreciate your time guys take care peace.

YouTube: My Experiences With Kali Nethunter On The Oneplus One

Show Transcript…

Hello everyone and I want to show you today my new cell phone which is a 1+1 phone running collie nut hunter and I want to show you how I've set it up how I've used it since installing it there are several videos online showing you how to install net hunter on on a phone and yes it's complicated and it's irritating and I'm not going through it with you if you there are other videos you can watch but basically I will tell you a little bit about but basically I wanted to show you how I've used it since I have installed it and most importantly I've been using this as my main operating system that's right I've been using it as my phone phone functions everything all the Android apps everything functions normally on this as if it's just an Android phone well it is an Android phone but it's got Linux built onto it or into it somehow I don't know how that works fairy dust is probably involved so first thing about this phone it is huge the oneplus one is a great phone if you are going to install calling that hunter onto a phone first of all there's only a couple of phones out there that this works on and the oneplus one is the one that the developers of kali nut hunter recommend this is the devs favorite and that's why I bought this one but a couple of things about this phone I do not really like one is its size it is freaking huge it's six inches tall exactly six inches and three inches wide now that's bordering on tablet or phablet at this point but that's really cool some people might like that but it doesn't fit in your pocket at all there are no pouches out there on the market that will strap it to your belt very well I ordered a pouch from Maxpedition the minutes accompany the max pouches and they are going to shoot me this pouch that hopefully will fit it I haven't got it yet but I don't need to do a video about that the the other bad thing about this phone is the GPS does not work as well as I would hope I have my mapping software here my navigation software well I have several navigation software here but this is Locust and you see the big circle there that is basically there because it is not wanting to find us it is not wanting to to hone in on us because the satellites are not getting a good signal because we're in the house now if we're outside I'm sure it will get a signal pretty quick and it works great but if you're in a car or if you're in the house takes a long time to get a signal and we'll eventually do it though and sometimes we're going to in a car with a metal roof yeah it loses the signal periodically thankfully I Drive a car with the fabric top so for me it's not as big of an issue those the only couple of things about this film that I really don't care for this phone is excellent otherwise I've had no problems with it now with regards to using Kali there is my little terminal sorry this is a little hard to do with a camera I'm kind of talking over the camera shoulder here but there we go there we have a Kali shell and I've reduced the font alright you're not going to be able to see this very well but the font is very tiny because it makes it easier for me to see I also downloaded a keyboard called hackers keyboard and adjusted the settings so I've got a full keyboard with controls so I can push ctrl C really easily when I want program or whatever in the arrows so if I want to push up arrow to to easily enter what I laugh the command that I last typed before on there then I can do that I'm sorry about the reflection you can see me very easily sort of yeah I'm in kind of a brightly lit room now let's talk about Wi-Fi cards the phone's internal Wi-Fi card does not support packet injection so if you want to do the cool you know Wi-Fi hacking thing not really happening without an external card so for that here's one set up this is the first thing I ever did this is a alpha Wi-Fi card and this is a AWS 0 3 6 H I think is the model number it's on the older ones yeah it has aluminum foil tape on it long story doesn't matter here's a little adapter that mex it down from USB mini 2 or micro I forget which ones which to one of these retractable dealies now you still need a USB OTG adapter and I found a really nifty one which is very tiny on the Internet's I think this was on Amazon and I believe it was around five dollars or no no this was an Amazon I got it from somewhere else and sorry I cannot remember where I got it from but it was about five bucks it was super cheap and this will plug into there now a couple of caveats about this let's say you want to use the Alpha with your phone now I got this nifty little clip on the back of mine so I can hook it on to my phone's case and then it looks something like this check out this antenna sticking up here it's a little wonky I mean if you now one thing about this is this is this does make it easy to carry it's not hard to carry it like this and you can open up a terminal and use this pretty easily like this but the problem is it's not discreet it's certainly not discreet what if you want to what if you want to use a Wi-Fi card with packet injection but you want to do it right in front of a bunch of people and you don't want people going well what does that guy trying to do be Egon Spengler from the ghostbusters carrying around this funky looking handheld contraption well that's where this comes in here is a Wi-Fi radio it is in edimax edimax and it's um where's the box sorry about this to bring out the box so I can show you the box the box shows here it's a n 150 and it says this is what caught my attention ideal for Raspberry Pi the Raspberry Pi er is a Linux tiny Linux computer and it's running an ARM architecture CPU well so our phones so this can run on an ARM architecture out of the box and Linux out of the box so I thought hey I'll give this a try so I took my tiny adaptor plug my tiny radio into the tiny OTG adapter and that's what you have there folks so you take this little thing and plug it into here and look at that you have a nice sleek compact solution for Wi-Fi hacking and this is this stays in there really well so it doesn't fall out and it's so small you can carry it around like this stuffed into your shirt pocket or something and not worry about it you can get it to start cracking Internet or whatever it is you're trying to do and walk around with it in your pocket and no one notices or cares and as far as packet injection let's give that a test really quick I'm just going to do something easy so I don't have to bore you with me typing this out I'm going to go with Wi-Fi twitch is an automatic Wi-Fi hacking thing there we go now you'll notice when you do this on a phone running net hunter there you go yet why fight you'll see there are three adapters there's one two and three and the first one says p2p 0 and then W land 0 and then W land 1 well you notice that the first two says has this kind of description over here saying not PCI USB or SD IO on the top two but the bottom one says edimax so obvious which one is out of max now if you try and put either the first two into monitor mode does not work it just sort of kills the program after that but I push three and enter and it's going into monitor mode and now it's going to start scanning I believe yeah there we go so there are a couple of routers pretty close by now one thing about the edimax radio is that for some strange reason it does not show the power very well in decibels it tends to get confused about its power about the power that it's seeing rather and it just sort of spits out the same numbers for everything so in this case is everything is 66 decibels but that doesn't affect its ability to work it does do pack an injection just fine and so I haven't had a problem with it let me try and kill this okay there we go that's it um I'm not going to do a demonstration of hacking Wi-Fi or something I there's plenty of videos out there for that but I just wanted to show you really quickly my setup and how you can do this very sleek and and discreet now the Alpha card is very good if you guys are looking for high power something that's going to really reach out and touch someone and let you get into routers far far away like safe in a parking lot from the inside of a vehicle where you don't care about what your phone looks like while you're doing it this is the way to go but if you want to be able to walk into around inside of a building full of people without them really noticing and the routers in the same building is you this is the way to go so just a couple of options there for you and other than that this has been a great phone for the last couple of months the signal on the cell towers has been great everything's worked fine I really don't notice that I'm using Kali net hunter Linux when I'm just using my phone from day to day it just feels like any other Android but because it is Kelly it's always there for me if I need it and I can just carry this sucker in my pocket and so it'll be ready to go and because the radio is only ten bucks and the adapter was I think five or ten bucks I was worried about losing this but you know even if you do you're only out twenty bucks you can get another one it's not too expensive well that's it those are my two that's my two cents on how to set up this phone I hope that gives you guys some inspiration and if you want to know more about installing that hunter onto this phone check out some other videos on YouTube by some other people you can just google around and find it or search around YouTube rather whatever and find it but I'll tell you really quickly basic principle is that you're going to be installing multi ROM this program here and multi Rama is going to allow you to essentially have multiple roms you're going to be able to now this isn't going to show you the interface that you see at the beginning but this when you start up your film but multi ROM basically works like a dual boot when you start up your phone you'll get this little menu that says do you want to boot into Colleen that Hunter or do you want to boot into regular Android just click whichever one you want ah knowing now what I know that this that Colleen Hunter works as an everyday operating system for my phone flawlessly with no problems and I have absolutely no need for the stock rom I kind of wish I hadn't done this I'm I'm not a hundred percent sure but I'm almost sure that you don't need that that I could in fact probably just replace the stock rom with Kelly nut hunter I'm not sure a hundred percent but I think I probably could and if I was doing this all over again I would probably attempt that because really that dual boot thing at the beginning when I fire my phone up now is just a minor annoyance that I have to click through just to get into my phone so not a big deal if you don't turn your phone off all the time but that's it hope you got something out of this and thanks for watching goodbye

Posted in Android, ARM Processor, Computing, Hacking, Linux | No Comments »

RansomWare Attack in Europe based on Petya

Tuesday, June 27th, 2017

Was notified by a friend in the USA that their company is under ransom ware attack and the miscreants are asking 300 USD equivalent in BitCoins to free each device. They mentioned Petya. With all this being so wide spread I did a cursory check to see what is going on. It is notable to me that I keep hearing about hospitals being affected. Perhaps some of those cheap Indian I.T. workers that hospitals are using are moonlighting?

Research Links

ZeroHedge: "Massive Cyberattack – Spreads Across Europe, Hits Ukraine, Russia, UK, Denmark
Google: Petya
Petya ransomware running rampant: how to turn off SMBv1 in Windows to make sure you’re safe – this arty suggests that turning off smb1 saying it is antiquated and vulnerable. Versions SMB2 & 3 exist.
Wikipedia: SMB – Server Message Block
How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
No SMB entries in Windows 7 Registry – Is it normal?

News

NSA-Linked Hackers Raise Price Of Monthly Subscription to $61,000 After Tuesday's Cyberattack

In windows 7 there are no hooks in Control Panel to turn smb1 on and off. They suggest editing the following registry key. To enable or disable SMBv1 on the SMB server, configure the following registry key: When I attempted this there was no entry for SMB1. I created it and set it equal to zero. Not sure if that will help me.

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

Posted in BitCoin, Computing, CryptoCurrency, Fraud, Hacking | No Comments »

Every router in America has been compromised’ – McAfee on CIA exploits

Saturday, June 24th, 2017

Show Transcript…

WikiLeaks has released damaging new information that ACA a project called cherry blossom has been hacking into home Wi-Fi routers since 2007 that's not all the CIA reportedly used that hack as a listening device and for more on this developing story were joined by cyber security expert and CEO of MGT Capital John McAfee welcome John thank you very much and so first I want to go back to Alexa's report I mean we just heard about a massive information being put out there roughly 25 terabytes worth of information being accessed without a password I mean just to be clear this information was not stolen by hackers it was actually there and without a password and I mean with so many of us having passwords on our phone how is this even possible well the hacking happens all the time the thing that concerns me is not so much the fact that the information was available all of this information you can buy from Google what concerns me is how did they get this information my phone number my address my age my marital status my preferences whether or not I believe in Obama care what do I feel about immigration what do I feel about our national policy every single political attitude is in that database for virtually every adult in America now should we be asking the question how did this data company even acquire that information that's what concerns me because once you get the information into a database it will be hacked it will be let loose this is just a fact of life these days and something we should be concerned about but far more concerning to me is how did it happen it happened because companies like Google and Facebook acquired data on every one of us what blogs we are visiting even our messages that we pass on Facebook or instant messages on Twitter are accessible and these things are collected so that we have no privacy what concerns me about this is if you look at the data in this 25 terabytes it's almost every political attitude a person could have and my phone number and the jobs that I've had and my health records please a lot of people's room I'm sorry go ahead yeah a lot of people don't want that information public especially their political stances I mean it causes so much friction nowadays I mean maybe your clothes daily members can know how you feel but you know publicly out there again a lot of people just don't want people to know but moving on now to WikiLeaks you know they just release those secret documents revealing that home routers from 10 different manufacturers can be turned into listening posts that the CIA can monitor I mean this sounds similar to you know those other devices like some televisions that are being used and listening devices so were you personally shocked at these findings well no I mean myself and every other security professional have known about this and I have been warning about this it's not just the CIA all of these routers and that's virtually every router that's in use in the American home I are accessible to hackers to the CIA that they can take over the control of the router they can monitor all of the traffic and worse they can download malware into any device that is connected to that router so I personally never connect to any Wi-Fi system I use the LTE on my phone I know that sounds crazy but that's the only way that I can be secure because every router in America has been compromised we have all known this and we've been worrying about it for years nobody pays attention until something like WikiLeaks comes up and says look this is what's happening then or goes oh but we've been saying it for years and and it is devastating in terms of the impact on American privacy our individual privacy because once the router is compromised and it infects the cell phones that are attached your your laptop your desktop computer your tablet then they become compromised and not only can you watch the data you can start listening to conversations you can start watching to the cameras on these devices so you're saying even when we go to something like say Starbucks and get on the free Wi-Fi that our information can be compromised Wow incredible in fact if you actually go to Starbucks and get on free Wi-Fi you're being very foolish because not only is the router compromised at Starbucks but there are people in Starbucks that have devices pretending to be Wi-Fi and you're connecting to them sometimes and they're monitoring all of your traffic reading your emails listen and your text messages here comes so this is the problem the fundamental issues we are completely blind as to our circumstances in regards to security I mean that's one and then you kind of laid it out for us but can you kind of recap what are your thoughts ethically with the CA using technology this way and do you think they have the right without the American people's consent of course not of course not there's nothing in the American Constitution which gives the government the right to invade the privacy of my home or any place that I am where I am I have the presumption of privacy of course it's not ethical if it's unconscionable and we have very few means of combating this my own company mg T is a product coming out soon called Sentinel which will prevent this from happening in corporations but nothing for the home yet and we're working on that but it will be six months to year before that comes out so we're totally helpless we are we are in a situation with our government where they know everything about us and we know nothing about what the government is doing Wow they have the right to privacy and secrecy but the individual does not anymore well good to know and it will certainly be careful on where we go online nowadays thank you so much John McAfee CEO of MGT thank you

Posted in Computing, Deep State, Government, Hacking | No Comments »

WordPress Website Hacking Using n00py’s WPForce

Saturday, May 20th, 2017

Show Transcript…

what's up internet on here from Don does 30.com bringing you a hacking tutorial today on hacking WordPress websites using an updated method from prior examples that I gave and this is going to be a really good tutorial using a new tool by I guess new P called WP force it's a wordpress attack suite that not only helps you crack a password using a kind of dictionary attack group for scenario type thing but it also allows you to upload get this shells PHP shells are shells that you could use to kind of really get into the website and mess things up or you know because we're responsible hackers let the site owner know so the two previous wordpress tutorials thought i gave we have brute-forcing wordpress passwords and in an ever increasing security world people are using a lot of plugins so this new tool according to the author uses the API instead of the login form so it allows you to bypass a lot of the methods protection methods that these websites might have and also finding vulnerabilities to hack WordPress sites so these are the two previous ones that we showed you but this is the new tool that we're going to be using it's exciting so first we have to download the tool I haven't downloaded it yet this way it just kind of doing a fresh start for you guys or all on the same page and generally what I like to do I'm going to make a directory first called newbie and go into that directory oops of course if I could spell newbie all right and to get the to download it we're going to download it from github so get clone HTTPS and see github com and new P is actually spelled n 00 py so those aren't capital o's that's those are zeros and WP Force dot get and this will download all the files that we need now I set up a wordpress site on my test server so that way we could test this against that and it looks like it's downloading already or finished downloading already I should say so let's check it out so created a directory called WP force will go into that and it's just a couple of files not very many at all so the wp force is what we're going to be using to crack the password I guess this is your ttle Yertle is going to allow us to upload a shell using the hacked credentials so that way we get a shell back to our computer or watch we use an interactive shell for this example and 3d file read media files are always good to look at so you have an understanding of what's going on so this is what it's going to look like and let's see where the steps were the steps here we go I'll actually let's take a look at some of the features right so brute force via API which is what when I mentioned earlier so it can bypass some form protection login form protection automatically upload an interactive shell which is really cool can be used to spawn a full-featured reverse shell which is even better because this particular thing this tool will go ahead and utilize metasploit as kind of a extra extra options for you it's going to dump the wordpress password hashes if you tell it to backdoor authentication function for plaintext password collection which is pretty cool it's a keylogger inject beef hooks into all the pages which is really fun if you noticed on one of my other tutorials that there's an introduction to beef and how the beef hooks will go ahead and allow you to use the beef the browser exploitation commands and functions to do some cool stuff as well and then again pivot to an interpreter session if needed so we already went and installed everything and this is our usage for the wp force so as you can see it's a Python script it does require a user name list and a password list so if you have a word list of mine for your passwords that's awesome if you use maybe one of the other methods such as brute forcing the word for WordPress passwords or finding vulnerabilities if you go back to those tutorials you may be able to go ahead and enumerate some of the user names that you could use and then just the website the website name so let's get hacking but first of all like I said we're going to have to create some word lists and all that junk so some kind of ones or WordPress this is the admin so do administrate or WP admin admin super user I don't know web master site admin so these are usually some very common user names for an administrator sometimes they don't use their names they use just the general account so I'm just going to use these as an example I'm going to head we'll save that yes I do want to save it user dot txt and we'll do the same thing with passwords will do some common passwords will say password let's not use that one I'll show you why in a minute so we'll do a pass 123 let me in wordpress password password password 123 no no that's probably good right I mean you could do as many passwords as you want and the more passwords you have in your password list probably the higher or you know your chances are going to be higher I'm cracking it so I'm just going to leave it to that will just use just a for this example because I already know what the username is password are so let's do it let's do Python and WP force not pie and see I already forgot this is why these files or readme files are so helpful so I and W and you so I user text IW past texts i wonder what the reason behind these naming conventions work alright so don test server com WP big easy because it's going to be a big easy hack alright so we just run the script will let it run it looks like I've got about a pretty decent combination of username and passwords again you could have millions of passwords millions of usernames it's going to go through and try each one so again because I knew the credentials I purposely put them into the username and password file it found valid credentials and the account is admin so this is perfect because this is a very shitty username and password easily crackable obviously but this is great for our example so we're going to use these credentials right here to upload that interactive shell so now we have to go back to that help file we'll take a look at your toll just like saying that you for username p for password t4 I guess target and this will use that ready ready ready ready alright so Python ear it'll would we say user name was admin password was password target use the target again Don test server calm and WordPress Big Easy i almost put big easy hack all right now there's to let me do this so there's two options you can either do a reverse shell which i'm not going to get into because i'll get a million questions about for forwarding and shit like that i just don't have the time for those questions right now so we'll just do a interactive shell which is really cool because there's really not anything else to set up so well type all that credential stuff in again we'll do interactive to take a second and hopefully we get a positive response from Yertle and we have a shell set up fingers crossed all right perfect so the back door was uploaded yeah I guess here's a temporary upload directory to where it uploads and we have our shell so first thing I like to do is either type in help or ? to find out what we could do so in this case its technical ? and enter and here the command so ? is our help menu the beef command injects a beef hook into the website exit exit the session hash dump dumps all the word wordpress password hashes help was again the help menu the keylogger again now this will log any type of plaintext credentials that might come through so if you see a wordpress site that doesn't have encryption which there are many out there to where the username and login form screen doesn't have encryption it gives you basically the option of logging those passwords and that goes for site users as well and then you check the key log you could tap an interpreter session to connect back to metasploit quit again terminates the session you can set up a shell the that'll send a tcp reverse shell to a net cat listener and i'm not getting into reverse shells right now for obvious reasons but let's just for shits and gigs will set up a keylogger this modifies the core sure let's modify the core whatever alright so the sign-in function is patched do not run this more than once apparently and use key log to check the log file so as people are logging in with their plaintext passwords we'll go ahead and lock that so we have other users just besides the admin that we could come back and get into as well so anyway cool tool by new p thumbs up for me awesome way to get around some of the login protections that WordPress is now implementing and yeah test it out try it download it from github try a couple things if there's anything that you like specifically about it put it down in the comments anything that you hate about it put it down the comments and I'll talk to you guys later

Posted in Computing, Hacking, WordPress | No Comments »

How to find website vulnerabilities with Uniscan

Saturday, May 20th, 2017

Show Transcript…

. Kix that your book hunting career with book crowd book crowd is the largest security research community in the world and it helps companies such as Tesla simple Western Union Spotify and many more with cybersecurity paying anywhere from a simple thank you to 15,000 begin your book hunting career at bugcrowd comm slash track tutorials hey guys welcome back to a new video tutorial today we're going to be taking a look at the tool built into color linux 2.0 called eunice can now eunice can is a web vulnerability scanner some of you may have heard of it some of it some of you may not have but that's okay because either way you're going to learn something today now like said um comes built into color i'm using color next 2016 point one it has one of a terminal version and a GUI version so you can use whichever one you're more comfortable with and yeah it's a very powerful tool is very simple to use which makes it so good you know it's easy to use and is also very rewarding so let's just open up a terminal here and if you type in uni scam you can see that we get the help file now the help file contains all the different parameters you can use all the options we are running version 6.3 and you can download you scan if you don't have it from sourceforge.net and it is written in perl so we are going to be looking at some of these options today so i'll just go through quickly what you can do with eunice cancer you can enable Derrick's checks you can enable file tricks you can enable robots dot txt and sitemap.xml checks you can enable dynamic checks and static checks and stress tests you also have the ability to do Bing and Google searches for dogs however the Google one doesn't seem to be working very well because Google blocks a lot of automated search queries however being does not we also have web fingerprint and server fingerprinting and down here you've got a couple of examples on how you can use uni scan so I'm going to be basically doing these today showing you what and you can do so I'll also show you what the GUI looks like you just do unit scan – GUI for that and you'll get this very simplistic and GUI but if you want to use that you can do is you know perfectly as personal preference I will use both and just because well I'll use both just for one specific check just so you guys can see what it looks like so let's just go ahead and do unit scan again and so what we need to do is we need to first of all whenever you're going to prepare a unit scan a scan you need to do – you and then you just want to put in the URL of the website so let's just do check tutorials comm I'm pretty sure there's nothing too bad that's going to come up here so you can see that we just did a quick scan of it and you get the server so you can see we're running CloudFlare you also get the IP address so now you can add a bunch of parameters to this and you can actually you know you might want to run a direct check and a file check you can just easily do that you can see here under usage – you can string together parameters into one parameter themselves so if I'm just going to copy this out pure laziness but basically this is going to run it's going to enable units going to go back into the background so we will just leave that blank and for now so we're just going to be using QW EDS so we are going to be doing a direct Rick a file check the robots dot txt and sitemap.xml check that looks we're also going to do in a dynamic check and a static check so let's just go ahead and run that so what we'll do is do units can ever jet tutorials and we'll paste in this and still is basic see what's going on and hit enter and you can see that it's going to run through it also has some built-in plugins such as upload form detection email detection PHP info disclosure and many more like that so I'm going to leave that running for a little bit just because it might take a while to return and some of the information so I'll be back in just a second so you can see the report has been saved in this location here now it doesn't actually take long to complete it all you can see we've got some stuff here most of stuff has come up as you know no because and I guess jet tutorials is pretty secure so call me another if you do find a bug feel free to report it to me so if it may come your way anyway let's go ahead and look at that report file so it seems a report files in HTML files it's a very nice a very professional looking reports oh you can use this file I don't know real-life pen tested if you were to do such a thing so just go ahead and click on other locations and then go to computer and then just type in user and then go to share and inside of share there should be a folder called Eunice camp and in here there will be a folder called report and you will have let's just delete these because you don't need them and I don't need that one either and also delete this one these are all the old ones and we will do need to delete this one Mabel it down and mmm yeah we can do that one as well okay so just open up the go the jet tutorials comm HTML report and this is what you're going to get you shows everything in its own section so you've got scan time the target crawling so that includes your things like emails and stuff like that that it finds dynamic tests static tests and scan time so that gives you a basic understanding on how in you know scan looks at websites now I've mentioned that you can do multiple parameters at once so that's always good like said using this at the end of it is multiple parameters so you can add as many as you want onto there alternatively you can just do do the ego I mean you can do that but it's just easier to tie them all up into one single parameter so let's just do that same scan again but we'll use the units can GUI so I'll show you what that looks like let's do you scan GUI and we will paste in well we will try and paste in HTTP do it up check tutorials calm and we can just check what we want to do so let's just check everything and press stat scam so you can see that you just get terminal here and I'm just going to leave that running as well so that's going to take a little bit too long then what I wanted it to take so you get the idea it will save the same report in this HTML file it'll look exactly the same apart from using GUI mode with a nice little turnbull in it so just imagine this this is what it is in a fashion anyway let's move on so let's talk about being in Google dogs so this is two units getting it now I can said and the Google one doesn't work because it can detect automatic queries so for example if I do you lease camp – oh and then do I'll explain what this is in the military right in URL index dot PHP ID equals it's going to return to your websites and if it doesn't then I get surprise for me see what it returns it should be zero if not then there's a reason for that and I can explain it as well so yeah will be an idea if actually like put in quotes and so you can see that it returns zero sites and the reason why is because Google can filter automated search requests now if I change this to Bing is going to work fine so let's just talk about what dog is and so doc is a specific search term so if we just go actually we'll just do this in color why do I always need to go to my Windows machine let's stay in color so I just got iceweasel here and I'll head over to Google so you just work and go but basically this is a search term so I can put in in URLs so that means to look inside of the URL for index dot PHP ID equals HC that's returned to a bunch of websites but these websites and return because of their content you know the title or the header text or all like that is returned specifically based on their URL now we've obviously I've done a SQL injection video and you can see that this link here these are the kind of things you are looking for if you're going to be doing a post based or a get based SQL injection these are commonly the get missing SQL injection so I can obviously go on this website and I can go ahead and I don't know I've just come onto here but I can just do this and we can see if the website is SQL vulnerable or not which hopefully is not so yeah you can see that it seems to be okay so that is what the docs are now you can you know these returns pages and pages of results or you can just use unit scan which will generate generate them fires so let's just do Eunice camp and we are going to have to use Bing because Google doesn't work so – I and we'll just put open speech right here piston that thing that we did before hit enter X it's going to do a Bing search for in URL index dot PHP ID equals now there is a little bit of a downside to this and I'll show you all those in a minute and you can see that we've returned 477 sites and let's save insights dot txt which is inside that bar folder so let's just go head up one folder to the eunice gun folder and it's going to be insights dot txt so you can see we've got 477 sites here now the issue is that it doesn't return it you know with the index dot PHP ID equals it doesn't return that it just returns the actual URL but that's fine there's nothing to really worry about but then and that's kind of ironic hacking skills anyway then you can actually load this file into into units can and you can roam ability scan all these different websites so I can go ahead into units can dash F size dot txt and then put a bunch of parameters on the end of it so let's just do a simple directory check on all of these websites dash Q hit enter and is going to work its way through all of them sites that were in size dot txt so this is going to take a while to do you can see this actually found an admin folder on this first web site and so yeah that's going to take a while to do so we'll just leave that for now ctrl C so you can see that's basically it will have to work its way through 477 website starting from the very top so that was book server and then it's going to go to this one this one this one and that'll save it in their individual reports inside of the reports folder so the final thing I want to show you today ladies and gentlemen I'll probably Millie gentlemen but if you are related that that is awesome and we're going to do you can basically search IP addresses this is using the same google doc method but you can search for IP addresses and they return a list of websites that are also associated with that IP address so for example I'm going to choose one on one you care because it's one-on-one calm because we know that that is a web hosting company so there is a good chance they will have different IP addresses a different websites associated with that same IP address so let's just search one on one and what we want to do is just get the IP address of this which is nice and easy because I can just go ahead in two units can do – you piss in that and I can get the IP address so what we can do them is copy the IP address and we can do units cam – I for blog not blog be easy I I believe it's I Stella look – oh no – I yes – i you can do units can – I I P : and then pierced in the IP address and that's going to return the number of sites that are associated with that site next to it because I returned one website and let's just go ahead and rerun that again so actually doesn't append it it just changes it you can see that the only website associated at HTTP which is interesting I did not expect that result let's just make sure I've got the string right let's go up here and yeah it looks like it's right to me so yeah that's a bad example that's just it's a bad example let's get all the web sites associated with a different IP address so decide to use the IP address that jet tutorials came up once let's have a look at what we've got in there and see we've got lots of different web sites here and then I was like we can go ahead and do Eunice can on that so that is a basic guide on how to use units can hopefully you'll have some fun with it you can do all kinds of stuff in it and you basically can generate some nice reports and also it can be used for finding potential memorable websites so remember to report your findings if you do find anything to the respected every respect – that's not the right word alright good bye we put your findings to the person the webmaster basically so they can fix it so that is the end of this video tutorial please like comment and subscribe if you enjoyed it if you have not already and feel free to follow me on Twitter days at Jack 157 also follow me on Twitch days at check one three three seven as well and also like me on Facebook those track tutorials and don't forget to tune in for next video and I said that this video was going through the veil evasion one but veil evasion and Callanetics above plane up and they're not working properly but hopefully the Creator will have that fixed soon for me to do that video but for now I haven't got really much else to say so Figaro much for watching like I said before and I'll see you again in the next one

Posted in Computing, Hacking | No Comments »

Tech Scammer sets Syskey and BIOS Password on his own Computer and Cries!

Friday, May 19th, 2017

Research Links

Wikipedia: Syskey

Show Transcript…

I explore no I explore no no no no I need you to tape the letter right I need but I need you to type the letter I okay okay you got it okay I need to put a space and then w-w-w dot remote tongue somebody's at three two one dot-com um yes one second wait wait sir sir no no I need you I need your nine digit code yes yes and you're doing fine yes I need your code I cannot give you my code I need your code United States we are located in Washington DC oh now D do you have do you have code okay hello yes can you hear me sorry what am I using Skype no I will I need you do you know I need you to use TeamViewer am i no no I I I'm using TeamViewer I am using TeamViewer No so so do you have nine digit code now oh no I'm I'm I have said I am using TeamViewer so let's just just give me the nine digit code and I can help you ah ha ha ha ha ha ha ha ah ha ha ha so do you already have change your installed on your computer so it would appear that you already have um so I need you to do one thing yeah yes do one thing for me now I did ah-ha-ha-ha I'm listening to you you said you need to tell me one thing go ahead oh yes yes but let me tell you one thing ah going ahead and I need you to open up do you still have that Internet window open okay um it is Kim you're open okay so I it would appear you um is this a company laptop or desktop a desktop so what is your name it is what your name is ty okay okay ty I need you to do one thing do you see down in the corner do you see the windows button and the letter R okay I need to I need you to push and hold those now do you get a little box okay now I need you to type do you do you see the words that are in there oh um okay go ahead and hit enter aha now I need you to go ahead and click but yes yes do that do that aha now do you do on wait you you click encryption enabled Oh click on update okay okay yes aha okay and then I put that yeah let me put that in the other box again hold on what was it again oh okay click OK here okay click on okay and tell me what it says account database startup key was check click on ok ok ok can you tell me the password is just that no one can you please back me the password um I I do not remember could you tell me again ok it's 1 2 3 4 5 6 7 8 9 ok go ahead and click on start and then click on restart would would this connect me to you I know it should connect you because that's my ID I just gave you oh ok ok oh this is odd I I am still new here so I'm actually using my supervisors using what you did today using what I'm using my supervisors computer today so this is different than mine though I am not sure you sound like you know a little bit ok I'm actually quality control at malwarebytes um did you restart the computer here's the three whoops hold on um oh I need your password ok the password is 1 2 3 4 5 6 7 8 9 2 3 pull them oh so I don't believe that correct okay so don't work your computer is infected with the spyware virus so what we need to go ahead and do is take your computer into the local technician and it needs to be repair for the registry corruptions and all your banking and financial details are at risk ok sir oh no oh no bad joke oh not good not good no no but good no this is not good not for it Lockwood first day on the job this is not my computer this this is my supervisor computer it's not called our code awkward no no not good girl sir Sir sir Sir sir what have you done so you need to take control whatever you think so what have you done take your computer to Best Buy codes are in the United States sir all right what have you done all I do exactly what your company does to other people do what well are you Microsoft technical support yeah then you can fix it yourself yes we are like the top technical support you can fix it yourself what you can sick no I have not no you can fix it yourself make yourself oh do me one thing what is your password password okay do you want it yeah okay are you ready for it yeah okay five three two okay eight six nine uh-huh five three uh-huh do that did did you get that yeah hold on Oh oh no oh no it is restarting if you tell me which one on screen um hold on I'm having issue here my computer is restarting okay tell me what you see on did you see manufacturer logo what brand is it um yes this is a Dell okay Dell so I'm go ahead and hold down the power button for five seconds and turn it off okay so if there's not good this is my clothes go so I feel so I compute okay um turn on the computer and on your keyboard on key pressing f12 do you see the f12 key gonna keep doing that okay okay oh okay III have a menu okay what does it say with uh gives me options okay what are your boots ah Network hard drives okay do you see something called file setup oh yeah yeah okay click on fire set up ok ok now tell me what you see well it is main security advanced exit okay you need to go to on boot sequence you see boot sequence oh no I see main security advance and exit ok hold on do you see boots um let me go to advanced yes yes I see boot ok DC authentication um hydride password or by a password um both should work okay on we need to give the hard drive password okay okay hold on let me go there okay pop okay and what is it what is the passed away so I can give you the password only once okay or twice uh-huh okay uh-huh and press enter and just ring um it died confirm okay type in same number okay aha and press enter okay and tell me what you see it says completed click Okay on was that the old hard drive password right that was the hard drive yeah okay so the hard drive has been unlocked now we need to unlock the BIOS so click on administrative supervisor password yeah yeah and the R is asking you for a password yeah yeah okay all you need to type in okay okay okay okay press enter AHA and confirm it do you remember it no okay I'll give it you again all right okay okay okay and press Enter and tell me what you see procedure it it successfully added it successfully what but it it did successfully added it it changed it okay can you look on the very top center of the screen and tell me juicy this is a BIOS setup utility or inside h20 setup utility ah no it it did not okay Dee is it is it um the is there a top light blue bar yeah it's light blue yet the whole screen is blue okay hold on and that black matters all right um do you see a column on the left side system onboard devices video security do you do you see that okay can you find the model number of your computer yes hold on okay pretty much sputtered with you need model the model yes why do you need model so I can generate a password for you oh ok ok 1 1 1 1 1 all right yes yeah it it it is it is ok it is a Dell Precision G as in Tom five eight one zero okay do you have the serial number or express service code um I do not feed ok might be called service tag and yet either the service tag or the Express service code uh I do not I do not know that okay hold on okay it should be on the top of the computer there should be a sticker black sticker on top of the desktop on the top of the death deck stuff I do not see if you can look at what it is not like I cannot I cannot access it it's locked yeah okay um so right now do you see on yours look on your screen look on the upper left corner aha and do you see something I'll do see it it's say the model number oh I do not see it that I just know how asses on front of it okay so on can you reach me what it said on the left side there should be a list on the left side the Dell Precision no only one I heard it on your screen you Dell okay what else does say on the screen wait sir sir sir wait wait wait wait no III am helping you I I am supposed to be helping you no this is Dell technical support department we are Beijing and Washington DC today it is well it's based in Washington DC okay press f10 press f10 on your keyboard Hong and tell me what it says uh-huh take the detector okay click on yes okay and press Enter this is restarting okay ah not good look good no good no good no no no this no no this no good it's not good sir sir yes does that do want to do one it's a dub BIOS is locked okay so I need you to provide me a nine digit code or a six digit code for a session key but I died okay so right now your computer is locked local ipsilon to me listen to me let me tell you one to your computers right now is locked by all the hackers and they're stealing your financial details and you need to pay know importantly not good 100 99 rupees is it nope it's 100 99 rupees oh no no no only 199 yes that does not better in manual open so you can send it to your PayPal you want 199 rupees yep that's what it says here after collected donation but do you know how much that is yes rupees on you you are you are in u.s. well correct we are based in Washington DC you want you want hold on I have charge here hold on let me look at chart I have chart on wall three US dollar yes two three US dollar yes all night do your thoughts okay that's that didn't but 199 movie is not done much money I can I can afford that I have I have I have lots of money I'm very rich man how much do you have whoopee yep how many rupees yep hey Vivian how much 1 billion over ok the price has gone up what the price is going up why because you're rich okay hey hey sir hold on let me look at it will cost 19 thousand 999 rupee how many 19 thousand 999 rupee 20 thousand so so so like a 300 u.s. dollar right so that's for the two years of work plan with getting premium tech support from a fake Microsoft Tech Support so so what have you done to my computer ok so right now this is what right now ladies not my computer ok not my committee open ends my 25 you were net stud you can use a fucking kill me he will fucking kill me ok that chase can you pass it on to your manager so he is in the other room he will fucking kill me okay so it is a scam what is this a scam it's what the damn is this skin you are scamming me no I'm not scaring you yes you are you're scaring me ok but you were working from safe tech support Microsoft we are from Microsoft we are Microsoft with we're not fucking Microsoft whatever fuck you fuck you you fucking fucker you're not mad at us what the heart no we're not fucking Microsoft what the fuck have you fucking done you fucking idiot let it should know this is not good not good not good at all ok so immature are you mocking me hmm do you have any idea who you are fucking with oh yeah take tech support I will fucking destroy your fucking computer okay do it fix I support you without a computer oh no oh no oh no I think oh this not oh ok so what you listen to me what you have to do okay listen ok this was server this was server this not computed this was server is it listen if it was a circle you would done if it would be server done listen to me if it was a server you wouldn't be using it to give tech supports people no no do you know he'll run okay with it no no no no now no computers work okay look remove three two one oh no it's still online I gotta take that offline first now no computers work no no computers work are you on a domain no no no what well are you on a domain good I think so okay so what you need to do reinstall windows on all the computers okay okay what's the company work for do the comp is that I just want to feed my family I want to provide for my family I do not want them be armed and to anyone I just want to provide for my family okay so we're working for Microsoft no but we all say that okay here supervisor rahid rakish you know low heat okay can I talk to him

Posted in Computing, Funny, Social-Engineering | No Comments »

Defcon 2010 – Your ISP and the Government Best Friends Forever – Christopher Soghoian

Wednesday, May 17th, 2017

Show Transcript…

hello everyone so um is that my audio is that yours alright so I'm my name is Krista goin I'm a PhD candidate at Indiana University and I'm gonna be talking about government surveillance today my day job I guess is two things so first I'm a researcher and activists that work on privacy and security issues I also work half time at the Federal Trade Commission where I assist the team of lawyers and going after companies that violate your privacy unfortunately in the United States there's actually no federal agency that's tasked with protecting your privacy from the government the FTC has no official position on the department of justice or NSA's abuse of your civil liberties and so for those reasons I'm not speaking on behalf of the FTC here this is this is definitely my student research so my dissertation relates or is focused on the the relationship between ISPs in the government and so this is this is basically a collection of some of the research I've put together over the last year or two so you might remember me a few years ago I made a website that made fake boarding passes that led to the FBI writing my house at two in the morning shortly after that they finally got around to fixing the ease with which you could manipulate boarding passes now there are cryptographic hashes on the boarding passes whether you could consider that a good thing or not you know that's that's up to you alright so this talk is going to be focused on on a few things so first how often the companies provide our our costs the people's data to law enforcement intelligence agencies what data that can they be forced the club disclose how much money do they make by selling your data to the government and which engineering and legal practices can actually impact the degree to which your information is disclosed Sokka some companies actually fight both through legal means and through engineering means and I'm going to be shedding some light on those because it's for the most part they're just not really known right so part one how often does the government get our data alright so you might remember from the movies you know the old days of wiretapping was someone climbing up a telephone pole and and and listening in on headphones that's not how wiretaps work anymore right this is how wiretaps work someone sitting in an air-conditioned data center typing away at a keyboard pulling down a trunk full of data right when you store your data in the cloud Google doesn't get a visit at 2am by from armed police they don't seize Google's hard drives right Google just sends them a DVD with your data you know there's a reason that this shift from hosting data on our personal computers to hosting it in the cloud is important and impacts that the way the way the government gets information so there are bottlenecks with regard to government resources they only have so many agents and so many officials and so many lawyers right and so consider the marginal increase in work five more searches of homes that means five more teams that have to go out and raid the house and take all your data versus asking Google for five more accounts you're just adding a few names to an existing subpoena or existing search warrant and so it's really really easy for the government to benefit from sort of other network effect with ISPs they can ask for 20 more users information at very little cost all right so well what do we know about the extent of surveillance today so there are surveillance statistics that are published according to to some federal statutes for certain kinds of surveillance but a lot of the information that I have and I'm presenting here I've gone through the Freedom of Information Act through friends that I've made in Washington DC and a really effective strategy is getting company's lawyers drunk they they like to talk and when you promise them that you want name you won't name them they're actually willing to give up the goods it's important to note that the stats that I have by and large don't cover intelligence and the reason for that is that intelligence requests are shrouded in secrecy we have some stats regarding the number of pfizer orders which is a foreign intelligence surveillance court but they list the number of requests or the number of court orders not the number of individuals and so one court order can get 10,000 people's information right so we know nothing about the intelligence industry but we do know plenty about law enforcement so the first sort of a method of surveillance a bit talking about his wiretaps this is real-time interception of communications content includes voice communications text instant messaging and network traffic dumps like think TCP dump to get one you need what's called a super warrant this is a really really high legal standard it's a pain in the ass to get and then it takes a little bit of time and the police have to show probable cause they have to show there's probable cause to believe that you've broken the law they also have to show that they've gone through the all these other steps to try and get data and it failed all right so let's look into the wiretap stats and see what we can figure out so the first thing is this the use of surveillance intercepts grows every year so this is a 1987 through 2009 you can see a clear increase the blue is total intercepts and the red is federal intercepts so take home lesson here is that the federal usage isn't really going up that much but States is skyrocketing also important to note that look at between 1999 and 2001 2003 you would assume that after nine eleven there would be a massive increase in the number of wiretaps it's not there and the reason is because the the massive buildup of surveillance that happened after nine eleven wasn't law enforcement it was intelligence all right next take home lesson drugs are bad if you value your privacy all right so these are the major offences specifies an inner specified in intercept orders narcotics versus other crimes you can see that your chance of getting wire topped if you're engaged in drugs is pretty high and if you're engaged into anything else it's pretty low take-home lesson here is if you're going to break the law and don't want any wires out to stick with something safer like murder bribery or extortion you can see this from the numbers here right so we have two thousand intercepts a year for narcotics and nine for robbery these numbers speak for themselves right so the police are focused on drugs this is this is the this is the impact of the war on drugs in this country and most of the requests are coming from New York and California which have specialized Drug Task Forces these are agents who are trained in the process of getting these these pan the asks court orders um you're not seeing a police officer in podunk Minnesota who is going to go through all the efforts to do a wire that these are special units in LA and New York San Francisco all right next trend foreign surveillance interest increases each year while other forms decline and this isn't due to increases from the feds but this is due to the states so I don't know if you can see this graph but the take-home lesson here the blue thing is total phone intercepts with those have skyrocketed again due to use of the states the little things on that start on the left and the orange and a few other colors those are electronic surveillance so basically electronic surveillance is zero at this point so in in 2009 so actually one of the two thousand nine ninety-five percent of intercept borders were for portable devices so this is your cell phone being surveilled if you are using a phone in your house the chance of them are tapping is also very very slim so again you can see here from from the stats portal devices which are green are the lion's share just massive massive numbers here electronic intercept orders so that that's computers and other things used to be significant in number right so if we look through 1997a you know in 1999 there are nearly 700 electronic intercepts a year and if you go to 2 2009 you can see that you can't even see it on the graph and they've punched to less than five a year all right so we used to have hundreds of electronic intercepts and now we have five or 10 a year combined for federal and state so what happens this is electronic intercept so that category used to include pagers faxes and computers and when people stopped using pagers the number of electronic intercepts went down so why are there no network wiretaps the reason is because they're expensive law enforcement has to maintain a leased line back to their back from the ISPs data center back to theirs it's expensive it requires all this fancy gear they don't have the training to do it so law enforcement agencies just really are not doing network level wiretaps the instead they're going after the fact to your ISP and getting your store data that's your store to email your search queries and this other stuff like why tap your ISP in real time when you can go out for the fat and get it at much much cheaper prices so another interesting data point we used to hear for years that encryption was going to be the scourge of law enforcement how can they keep us safe when criminals are going to be using PGP and so a few years ago the Senate initiated a bill that got reporting of encryption added to the stats so every year law enforcement have to reveal how many cases of encryption they found when they were doing wiretaps so the take-home lesson here first is it they're not encountering it and when they are encountering it doesn't stop them from getting what they're after now again I have to clarify that this is not intelligence collection of data right so NSA is seeing encryption because they're monitoring skype but again you're podunk police officer in the south is not playing with encryption and they're not seeing it because the criminals that they're going after they don't know how to use encryption all right another category of data pen registers so this is the real time capture of non-content communications data we're thinking IP headers to and from information on emails the phone numbers dialed the URLs viewed in some cases and also geolocation data when combined with another kind of order the standard for getting these is ridiculously low it's called relevance to an ongoing investigation this is so so easy to get and as you'll see from the numbers you know they're a lot more of them all right so we have in 2008 14,000 pen registers a year at the federal level this doesn't include States um these reports are not public I had to FOIA these and then get some other stuff leaked to me but we're seeing massive massive numbers like five or six times the number of wiretaps and the reason is one it's really really easy to get there's no there's no evidentiary threshold that they really have to surpass and to the data is not as difficult to parse right they get a list of the phone numbers that are dialed in real time as opposed to having to deal with gigabytes of network transfers all right this is where the mother lode is stored communications and other data oops I move that all right well I'll get to that into them all right so before that location location requests have become a massive massive problem or massive massive tool if you take the perspective of law enforcement it is routine now if there is a murder and the police don't know who did it they call up the phone companies and they say tell us everyone that was within 200 feet of the corner of first and main street at seven p.m. on friday night they can get hundreds of people's information with this the legal threshold to get this historic and historical information super super low the historical information is usually usually cell tower data that is not super accurate but real-time data is based on gps pings or tower triangulation data which is really accurate in some parts of the country it requires a warrant but in often in other areas it can be gotten with a far lower legal process in fact the the standard varies by magistrate in a district so two judges down down the hall from each other can can have different standards this is a big problem because there's no federal guidance as to what the standard should be so it's caught this this is a quote from a house judiciary hearing a few weeks or a few months ago this is a lawyer representing tmobile and a few other companies it's common in hybrid location orders for the government to seek the location of the community of interest that is the location of persons with whom the target communicates so that means if you're under investigation not only is the government getting your location information but they're also getting a location information of everyone that you've called and that everyone who's called you with one order this is really really scary the extent to which they're getting this data and then putting it in a database and keeping it forever so this is a slide that I acquired that was presented at an intelligence conference a few years ago this is a British software solutions company that created a plugin for google earth this shows real-time geographic information geographic sell information on 60 million indonesian cellphone users in google earth so an analyst can sit at a desk top and in real time zoom from the city level down to the street level and see a little dot for every phone this is really really scary and if these companies are so these are Western companies that are selling it around the world you can bet that they're selling it to governments that are slightly closer to our hearts all right so this is something I'm particularly proud of last fall there was a conference in washington DC called ISS world it's some it's nicknamed the wire toppers ball to closed-door conference where surveillance software vendors get together and show off their products to intelligence and law enforcement officials from around the world and a nice lock in it's fun as first time i shaved in six years put on a suit anyway so so i went there and collected some information I rather than explaining it myself I'll let my friend Steven do it for me it was recently revealed that sprint gives the government their customers GPS coordinates sprints electronic surveillance manager Paul Taylor describes the program's success their GPS well we turn it on for law enforcement about one year ago last month and we just had a million requests that conversation was recorded without mr. Taylor's consent which is a terrible violation of sprint's violation of your privacy all right i mean it's funny right but what the fuck are these guys doing eight million pings in one year so what sprint did is they set up a special website where law enforcement can log in and view real-time coordinates for any individual under surveillance now sprint used to charge per paying two hundred and fifty dollars per ping back in the old days when they had an analyst sit down and type the command themselves they removed that that step and now law enforcement is logs in on respect their own special web interface sprint also has created a system they called El site which is an API that law enforcement agencies can can program to and then access the information they want with their own systems so the DEA the Drug Enforcement Administration is the first test pilot user of the system and every DA office has a terminal in it where an agent can sit down and type up there the subpoena or the order or whatever it gets sent electronically cryptographically signed to sprint systems it gets put in a bug tracker spin Sprint's people like monitor it get put the data back in and then I get sent back to the analyst it's cut the response time from days two hours so a sprint employee or the DEA folks put it in the evening before the next morning the date is waiting for them I mean it's cutting through red tape but I would argue that the red tape is actually a feature not a bug but this this stuff is really scary Sprint is not the only company that is providing this GPS information but they are at least right now as far as I know the only one that has provided it in such an easy and friendly to use manner all right so stored Communications I'm to my slides before alright so this includes your email inbox your google documents your spreadsheets your search queries your password protected private blogs your instant messaging communications if saved by a service writer and archived cellular text messages so this is all the data we store with Google and Yahoo and Microsoft and Flickr and all these other companies and the legal standard to get this information is ridiculously low and so obscure and weird right so if your emails are 180 days old it requires one threshold but once it 181 days it's a much lower threshold the minute you've opened up through emails it's easier for the government to get they can get your sent mail and your drafts with a single sip with a simple subpoena that the standards are just really really weird but the take-home messages it's very easy for them to get your information so most most isp's don't talk about the number of requests they get google is actually the first and they release this really handy tool in april this year and they show on a country-by-country basis how many requests they get take-home lesson here message really is that they're not getting that many requests so 3500 requests a year in the US but again that doesn't say how many individuals communications were disclosed just how many requests and one request can be for 10,000 individuals it also notes that this doesn't include intelligence orders because it's illegal for Google to disclose the existence of those but no other isp has created anything like this and google has pledged that every six months they'll be updating this so this actually pretty cool even if it isn't actually particular useful all right a few other data points in May of 2009 an unknown facebook employee gave an interview with Newsweek saying that they were getting between 10 and 20 requests per day that was when they had like 200 million users now they have a 500 million so maybe it's twice as much as that in 2006 AOL was getting a thousand requests a month but that was when a wall had customers so I don't know how many they're kidding now Time Warner revealed just recently that they got about 560 requests a month this is because they don't want to provide people's IP addresses to copyright lawsuits that they reveal dust at this data point they said that nearly all of those requests they get right now come from law enforcement verizon gets a shitload of requests they get the thousand requests a year and approximately 35,000 hours from federal officials and fifty-four thousand from state and local officials we don't have any numbers for AT&T or sprint or t-mobile but it's reasonable to assume the vast majority the requests are going to phone companies right now this is because they have the longest relationship with the government like all the police know how to submit a request to to AT&T or as they don't know how to submit a request the Twitter alright so this awesome document landed in my lap a few weeks back so this is you'll see that the details in a minute this is there's a really nice DOJ agency that can't disclose the identity of them yet that keeps a database of every request they submit to every ISP and they list the recipient of the request and the reason for it so this is information from 2006 you can see that Yahoo and Microsoft hotmail sure that the big winners here the recipient the major recipients 2010 oh look myspace now the number one recipient but by a huge margin myspace is just receiving massive amounts of requests well a few years ago a researcher Berkman named Anna voyage hypothesize that the basically poor people use myspace and rich people use facebook there's been a white flight from from myspace and that the only people who are left behind or those not likely to go to college well you know what unsurprisingly if there are people if there are people who are more poor and more minorities on myspace then they're going to get more requests because they're unfortunately on the receiving end of most government investigations in the real world so why not in cyberspace to what these users don't know is that myspace actually goes out of their way to help the government myspace is by far the best friend forever of the government and I'll get into that later but myspace is chief security officer told me at a conference that he takes it's a matter of pride that the company doesn't charge for the tens of thousands of requests they get per year they they see it as a service to their customers their customers being of course the government alright so those are the stats that we have now let's look into something a little bit more interesting so in which ways in which technical ways can companies actually differ on privacy and protect their customers all right first email headers this is a lovely technical audience I can speak about these things we all know that there is infant interesting information and email headers what you may not know is that webmail providers voluntarily put in some special headers so Microsoft and Yahoo put in their customers current IP address in the headers of the outgoing emails what that means is that if you're sitting in an internet cafe at your house and using Microsoft hotmail or yahoo your computer's IP address is going in the outbound email header not Microsoft or Yahoo's servers IP address um this is not required by technical standard this is something that they've chosen to do to help the government or to cut down on them of requests they receive from the government but Google doesn't do this in several other webmail providers are not doing this so it's important to note that these two companies are voluntarily providing their customers information and actually not telling their customers that they're doing this they're not the only one though so between 2006 and 2009 Facebook was adding users IP addresses to every automated message that was sent so if you commented on someone's wall or you poke them or did something stupid like that your IP address would get sent in the in the notice that was was sent to them I think it's slightly interesting but suck male the email server and named after Zuckerberg was leaking your personal information so in 2009 they changed they they started including the information in an encoded form this is base64 so it doesn't take rocket science to reverse it once people figured out what was going on the company quickly removed it but you know the impact of including this information is that when this information is in a header these companies are not in the loop when they get a request from law enforcement so if i send a threatening email to someone with a yahoo account they can look in the header and know exactly which dial-up or broadband is p i use okay well you know I yahoo or Microsoft we're going to have to give that information up anyway but what if the request comes from the government of Burma or Pakistan or Zimbabwe where those ISPs actually will tell the government's to get lost in those instances you know people in those countries would have had more privacy have been information not been provided all right so another really interesting data point mobile phone and broadband IP addresses so at that same conference I went to Oregon where I was lucky enough to record the executive from sprint talking and he revealed that sprint statically assigns all of their broadband customers IP addresses and they keep the logs of who has which IP address for 24 months they also have the URL history of every web page you view using their web gateway and they keep those for two years but they note that they don't store it for law enforcement purposes they start because when they originally launched their service in 2001 they thought they were going to build by the megabyte but then they decide not to do that but the reason they keep it is because marketing wants to rifle through the data how nice of sprint so if you're using sprint they know which IP address you use which means if you leave a nasty comment and someone's blog and then that person tries to unmask you Sprint is in a position to reveal who you are and which websites you were going to at that time contrast this to cricket which is a prepaid service aimed at the the poor in inner cities they use level 3 communications which is a upstream provider they use that they have no idea which users are using which connections everyone in the same city comes from a single IP address and so in this so this is the this is cricket surveillance manager at the same conference and they're apologizing they're saying look we're really sorry we're not able to help you law enforcement well you know we'd like to but our infrastructures doesn't provide us with that data so if you're a cricket user and you leave a nasty comment on someone's blog that person isn't gonna be able to unmask you you know that's a cool feature but cricket is apologetic they are not advertising this as a privacy feature also at the same conference t-mobile's person said yep we're in the same boat as cricket we don't have the ability to determine IP addresses everyone comes from the same address in the city so if you were a tmobile user you can have far more confidence in your ability to leave the framing comments or download bit torrent files over their network then if you're using sprint I'm not advising that you do that but I would definitely consider that issue when you're deciding who to renew your mobile contract with all right this is an issue that's near and dear to my heart https for webmail so many of you have seen the wall of sheep in previous years i think it's running this year as well all right so when we use wireless networks and we're not using encryption our usernames and passwords go over the network in the clear which means that anyone running a packet sniffer can hijack your information get it break into your account steal your data the solution for this is not rocket science right like it's HTTPS it's used been used by banks for the last 15 years in 2008 google said HTTPS can make your mail slower your computer has to do extra work to decrypt all that data encrypted data doesn't travel across the internet as efficiently as an unencrypted data that's why we leave the choice up to you now in all fairness Google at least offered its customers a choice every other web mail provider at the time didn't even offer HTTPS so Google was at least ahead of the pack and offering it but the choice that they were offering was an option in their inner settings the last of 13 options after Unicode keyboard shortcuts and vacation responders so it wasn't exactly a high priority setting in their eyes well in 2010 Google said you know over the last few months we've been researching the security and latency trade-offs who decided that turning HTTPS on for everyone is the right thing to do and then just this week in testimony before Congress Alma Witten Google's lead privacy engineers said you know we hope other companies will join us soon follow our lead were the first and only provider to do this blah blah blah well why did Google do this what caused him to change your tune well last May or last June I wrote an open letter to Eric Schmidt and it was signed by 38 other experts including some some folks who speak at this conference and some folks in the community and they said we said look this is the responsible thing turn the shit on encrypt your users data it's totally irresponsible to let this stuff go out and make it over the wire Google turn around said yeah we're going to we're going to look into this and then six months later they did it all right so who's still doesn't offer HTTPS by default Twitter Facebook Google's other services so Google Docs Google Calendar Google search they just started offering encrypted search a month or two ago but it's not on by default all right who doesn't use HTTPS at all even as a configurable option to Yahoo Hotmail Bing search myspace these providers don't offer any encryption at all after your username and password goes out over the wire all right well maybe it's expensive right like buying all those crypto accelerators it's really really expensive it's about this gear put in data centers configure these servers how many thousands of servers does it require to support ssl none at this point it's free so this is Google's SSL engineer Adam Langley on a blog post just last month revealing that they had 0 new machines deploy that ssl accounts for less than 1% of the cpu load less than 10k per memory per connection and less than 2% network overhead so encryption is free for these companies this means there is no longer any reason not to protect your customer data with ssl right ssl is awesome it protects your people your users from passive network monitoring it protects them from from many hijack attacks and it protects them from passive Network surveillance by you know folks at NSA who have convinced AT&T to give them access to their backbone this is a good thing and many isps should be doing it all right bet it network encryption isn't enough we also need storage encryption so when you upload your data into the cloud the file should be encrypted so that you know no one can get the information a few companies have been leading the way here so I don't know how many of you using the Firefox web browser they have an add-on that's I think and we come part of the browser at some point called Firefox Sync is synchronized as your cookies and bookmarks and stuff across multiple computers across your wireless or your your hands handheld and the data stored on Mozilla servers but it's encrypted with a key that Mozilla doesn't have Mozilla cannot be compelled to reveal your bookmarks this is a really awesome thing and probably the reason that they've designed it this way is because they're not profiting from it right whereas your webmail provider pays for their costs by scanning your email and showing you ads it's unlikely that they're ever going to be able to offer you encrypted storage of your data right they need to be able to access the plain text of your communications to pay their their hosting costs to other awesome services SpiderOak is a secure backup service and tar Snap is a similar service that has no graphical user interface both offer encrypted backups really really cool really fun and subpoena proof what about data retention so through through collecting some information I've been able to get the data retention periods for a bunch of service providers some of this stuff has been leaked I've gotten other information other ways take-home lesson is that your IP address connection information is retained across the board at companies Microsoft keeps it for 60 days AOL keeps it for 90 days myspace for a year Time Warner for six months companies all have these policies they all have established policies for how long they keep data and when they delete it but they don't tell their customers about these policies the one area where they do tell their customers is in the search engine in space so over the last couple years european regulators have been beating up the search engines and pushing them to start deleting IP address data in response all have moved right so Microsoft now deletes the entire IP address from their logs after six months Yahoo anonymize is some of their logs after three months they keep a second set for security purposes that only a few engineers have access to but it can still be subpoenaed up until six months and then Google does a really shitty job of anonymizing their data they delete the last octet of the IP address and nine months so like one in 255 Google is not doing a good job in the space but but they're all anonymizing their logs after a certain number of months well does this matter no so Google's head privacy lawyers spoke to Wired in 2007 and basically said that when law enforcement comes for data they come a couple days after the searchers we're done right so deleting the data six months at nine months at one month it doesn't really matter because when law enforcement is coming the companies have the full data in there what about Microsoft well they were asked by the New York Times a couple years ago why they wouldn't adopt zero data retention and microsoft said too much privacy is actually dangerous anonymize search can become a haven for child predators and we want to make sure that users have control and choices but at the same time we want to provide a security balance well you know I don't really want my service provider to be striking that balance I wanted to be deleting the data on day one or two not keep it in the first place but you should think about this when companies say we protect your privacy we care about your privacy we put your privacy first then they're making these statements and cutting these deals behind closed doors right so when companies talk about putting your privacy first what they're talking about is putting your commercial privacy first we want to share your data with third parties we want to sell your data none of them consider their relationship with the government to be part of that aspect of privacy so one interesting thing is that when companies have these data retention policies and they don't talk about the data retention policies when they change the number of months after which they keep the data no one knows alright so this is these are screenshots from myspaces law enforcement handbook which they published and compile and pretend give to any law enforcement official in the country you can see it in 2006 they kept 90 days worth of logs and in 2007 they kept to one year of logs so they massively multiply the length in which they keep data and they never told their customers the reason is their privacy policy doesn't include this stuff the privacy policy says we will provide your data you know in certain circumstances we protect your privacy we value privacy blah blah blah but they don't actually include the important details the place those details are listed are in the law enforcement handbooks they don't share with their customers all right so there are also these non technical methods by which companies can protect your privacy and companies do differ in these ways right so not every company is the same and in the way that they respond to requests emergency requests all right so we have requests that come with court orders we have requests that come with subpoenas that has come with some legal process and we have these emergency requests what this means is the law says if a provider in good faith believes that an emergency involving danger of death or serious physical injury to any person requires disclosure or delay of communications relating to the emergency so what this means is that the feds or local police can go to an ISP and say someone's going to die we need this person's data it sounds reasonable right you don't want to stop the investigation its tracks well when you have two paths one with high work and one with low work everything shifts to the low work track and so suddenly there are lots and lots of emergencies so how many are there a huge fucking amount so of the approximately ninety thousand requests that Verizon received from government agencies each year twenty five thousand or emergency requests these are requests that have no court order no subpoena no search warrant no oversight at all this is a police officer calling them up or writing a fax saying someone's going to die and the ISPs don't even have to learn about the circumstances they can take the police on their word so the important thing is here that the feds are not actually submitting loads of emergency requests to verizon they're all from state and local law enforcement so like missing person in the woods or you know a murder or something I don't know what what you know what the cases are because unfortunately because there's no court order there's also no paper trail to follow up so we have no idea what these emergencies are it's important to note that a voluntary disclosure means a voluntary disclosure right so according to the internet service providers Association which represents all the big ISPs there is never an emergency obligation on a nice we disclose the ISP has the right to tell the government to get lost and to come back with a warrant they can and in some cases the ISPs do there is a process by which you know the police can wake up at two in the morning and get him to sign a court order I know because they did one and use it to break into my house they can call a pope magistrate over the phone and and he'll issue the order by fax it can take half an hour so this isn't a serious issue but very few ISPs actually say no alright so a company's policy on emergency requests is one of the most important indicators regarding its overall commitment to privacy because this is an area where they can actually say no when they get a court order or they get a search warrant there's nothing they can really do the warrant is if it's valid they have to disclose the data but when it's a voluntary request isp can put their foot down but we don't know how many say no because they don't talk about it this is like an area of uber uber secrecy because the ISPs think that if customers find out that they're doing this that they will not entrust them with their data may be for a good reason all right well what about the cost rights nothing is free in this world companies are legally permitted to pass along the cost of surveillance to the government this includes labor capital costs including associated with hardware and software the development of the of the wiretapping systems as an example sprint has a hundred employees doing nothing but wiretapping their customers and providing their customers call records and location and other stuff that isn't free right those those folks all have salaries what what's interesting is that you know these companies charge you know on a regular basis and actually right now several I big ISPs are under investigation by the Department of Justice for overcharging the government again because we don't know how much they're charging all right so this is some information that came out of report a couple years ago this details the prices for different ISPs it's tough to read but yet basically you can see that the average cost of intercept is between one and a half and two and a half thousand dollars they're charging big bucks for these intercepts not everyone charges them so myspace Facebook and Microsoft don't charge at all they've decided that they would like to help the government in any way they can so they just give the information for free well you know is it good or bad that these companies are charging well so they're actually some benefits the public when is P is charged this is again a telecommunications lawyer godari speaking when records are free law enforcement over consumes with abandon but when service providers charge for extracting data law enforcement requests are more tailored also when they when you charge there's an invoice there's a there's a paper trail and so over the last couple of years I've been filing FOIA requests to get the invoices so you can see here the google charges $25 for your email account it's pretty interesting to know also yahoo charges twenty dollars and thirty-nine cents or twenty dollars and 41 cents what's the difference between those two numbers the increase in the cost of a stamp Yahoo is passing on the cost of a stamp to the government for every time they hand over your data I think this is pretty cool actually alright so as I said before all of these ISPs have surveillance manuals in which they detail their policies that costs everything else they provide sample subpoenas so that the police don't have to spend as much time writing up the requests many of these these surveillance manuals have leaked onto the internet recently I've got copies and they're really interesting you can see them all at crypto morgue that's where they're all hosted this is my favorite this is sprint surveillance manual you can check out the awesome clip art thankfully folks other companies are pitching in like Yahoo who is currently facing a Freedom of Information suit that seeks to learn how much money they made selling their customers private information to the feds they are fighting this suit because according to their lawyer the information if disclosed would be used to shame yahoo and other companies and to shock their customers I for one am shocked does yahoo still have customers so you know there's always this talk about bloggers ripping off the mainstream media and I don't know if Stephen Colbert accounts as the mainstream media but both that sprint recording and this foil request that he's citing are mine and he didn't mention my name on the air so I think it's totally appropriate that I then make it use a clip of his without paying for it all right so we know the ISPs differ on privacy we know that some fight more requests and others we know that the some go out of their way to help the government I think it's interesting to note that so Yahoo's surveillance manual showed up on a crypt home which is a website yahoo sent a cease-and-desist then a few weeks later in Microsoft surveillance manual setup in crypto and Microsoft's like really went hardcore after crypto man had the site shut down like their upstream ISP pulled the connection for a little while these companies don't want their surveillance manuals getting out because it makes them look bad right like there's they're spilling all the goods and describing all the ways in which the government can get your data and the prices they charge like this is damning stuff but i really recommend that you look through these because it's really interesting all right so from this information though maybe we can take it do a little bit of analysis and say well which is peas sucked the least which is P is not going to totally violate your privacy all right so let's start with sprint sprint retains the IP address logs and the URLs viewed for two years and they provided eight million GPS pings to law enforcement in one year another thing these guys are really good so I wouldn't recommend using sprint verizon when sued by eff for assisting in the warrantless wiretapping program actually went to court and an argue that they had a First Amendment right to disclose their customers communications to the government they believe they have a free speech right to have to share your information so so screw verizon what about AT&T one word alright so sort of by process of a process of elimination t-mobile is the largest reasonable communications carrier they use nap they have no IP logs to keep they don't retain the URLs that you view and at least I haven't found any public materials that indicate they went along with the NSA warrantless wiretapping program they very well may have but they didn't get caught doing it which is more than I can say for the author too big service writers also it's important to know that prepaid phones or your friends there's a bill in Congress right now to try and ban the use of prepaid SIM cards hasn't gone through yet so I recommend that you buy several SIM cards and share them with your friends um so you know it is important to know the companies do differ on privacy and they don't want to talk about why they differ in many cases they're apologetic for the ways they differ but you know you can significantly impact and protect your own privacy by intelligently picking your service provider your email provider by using an encrypted cloud service rather than one that data minds your information and serves you ads I would like that when you that you get to walk into best buy and in addition to comparing who has the sexiest new phone or who has the cheapest prices that you could actually compare you know who fights law enforcement requests the most or who keeps the least amount of data we don't have that yet but hopefully we will in the near future thank you

Posted in Computing, Hacking | No Comments »

Blackhat – 2010 How to Hack Millions of Routers

Monday, May 15th, 2017

This video is part of the Infosec Video Collection at SecurityTube.net: http://www.securitytube.net

This talk will demonstrate how many consumer routers can be exploited via DNS rebinding to gain interactive access to the router's internal-facing administrative interface. Unlike other DNS rebinding techniques, this attack does not require prior knowledge of the target router or the router's configuration settings such as make, model, internal IP address, host name, etc, and does not rely on any anti-DNS pinning techniques, thus circumventing existing DNS rebinding protections.

A tool release will accompany the presentation that completely automates the described attack and allows an external attacker to browse the Web-based interface of a victim's router in real time, just as if the attacker were sitting on the victim's LAN. This can be used to exploit vulnerabilities in the router, or to simply log in with the router's default credentials. A live demonstration will show how to pop a remote root shell on Verizon FIOS routers (ActionTec MI424-WR).

Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense.
All Videos Are Listed At :- http://archive.org/details/blackhat20…

Research Links

https://code.google.com/archive/p/rebind/

Show Transcript…

uh so my name is Craig Hafner um yay um and obviously I'm going to be talking about hacking routers today specifically what I'm going to be discussing is how an external attacker can gain access to the internal administrative web interface of your common residential gateway router before I start though oh this is the wrong slide set damn it oh well before I start though my my my work did asked me to make a couple statements first of all I'm not doing this on behalf of them I didn't do any research on behalf of them I'm not here as part of my works if you know who I work for stop calling them and emailing them but I decided to focus on router security because there's very little security in home routers I couldn't fit very many screenshots into this slide I had about 17 more and all of these all these vulnerabilities typically are only exploitable from the land because most of them you know end up being in the web interface which typically most people don't have remote administration enabled so the question for an attacker is not how do I attack these devices and hack them the question is how do I get access to the device if I'm not on the land so the answer to that is typically either cross-site request forgery or DNS rebinding and request forgery is really popular because it's very very easy to do but it has a lot of limitations especially when you're going after routers so first of all you can't rely on there being a trust relationship between the internal clients browser and the router because no one ever logs into their routers so you can't exploit that you can't Forge basic authentication logins anymore with cross-site request forgery used to be able to do you know user : password app and then the URL it doesn't work anymore ie doesn't even recognize that as a valid URL and Firefox will actually throw a warning to the user so you can't rely on that either there's also some anti cross-site request forgery mechanisms in some routers this action tech router is one actually that I'll be demoing later and ultimately cross-site request forgery is limited by the same-origin policy in the browser and it always has been so if you're not familiar with the same-origin policy basically what it says is okay if I browse out to attacker comm I load up some JavaScript from attacker comm that JavaScript can interact with any page on attacker comm but it can't interact with Google calm or 192.168.1.1 and that's good because you don't want some random person's JavaScript talking to your router so that's where DNS rebinding comes in the premise behind DNS rebinding is basically okay well if the browser is going to implement security based on the domain name that's fine just tell it that attacker com has switched IP addresses to one ninety two dot one sixty eight dot one dot one so now when the attack is JavaScript connects back to attacker com the request actually goes to your router but DNS rebinding has been around for a long long time you know it's like 1996 cold and wants this exploit back it's been around forever and so people have put in Prevention's to stop it or try to stop it anyway and so browsers have put in patches and you know third-party plugins and put in patches and you also have services and tools like Open DNS no script DNS wall DNS mask also has some anti rebinding stuff in it and these these all attempt to stop people from using DNS rebinding to attack your internal network and the way they do that is they say well no external domain should resolve to an internal RFC 1918 non-routable IP address because if it does you're probably not gonna be able to connect to it anyway and if they're doing something malicious then we want to block it so that's basically how these tools work so I'm going to focus on using the multiple a record attack which is one variation of DNS rebinding and if you're not familiar with it really all it is is DNS load balancing that's it you return multiple IP addresses for a DNS lookup and so pretty much any major site does this you know you do a DNS lookup on Google you get five or six IPS back so what happens is the browser's this okay you have three IP addresses fine and it just rides and connect to each IP address in order and if one of those IP addresses goes down that's fine I've got more IP addresses it switches over to the next IP address in the list this attack is limited though and that you cannot target internal IP addresses with us you can target any public IP you want but you can't go after internal IPs so let's take a look at it using this attack to go after a public server so you've got your attacker out there with an IP address of one four one four and he wants to send some malicious content to the web server on two three five eight now he doesn't want his IP address showing up in the logs for whatever reason so he's going to proxy his requests through this client who's you know feeling very safe sitting behind his router so the attackers registered the domain name of attacker comm and he convinces this client to browse out to attacker comm so the first thing the browser does is a DNS lookup says what's the IP address for attacker comm see attackers DNS server then says oh I actually have two IP addresses 1 4 1 4 and 2 3 5 8 now 2 3 5 8 is obviously not the attackers IP address but the browser has no way of verifying that so this is oK you've got two IP addresses I trust you so it's going to try the first IP address first which is 1 4 1 4 does it's get request to the attacker server and the attacker sends back some JavaScript code now that JavaScript code then initiates a request back to attacker comm and the browser says well you came from attacker com you're going back to attacker comm fine that's allowed but when the browser makes this connection to initiate the request the attacker server sends back a TCP reset packet so now the browser says well crap that server is down I better switch over to the second IP address and so now the attackers JavaScript is interacting with the 2 3 5 8 server you can send get requests and get the response back parse the data and even send it back to the attacker if you wants so this is this works this has always worked there's never been anything to stop this from happening and there's certainly you know security issues that arise from this but the real threat has always been attacking the internal lamp so I don't want to go after some public web server I want to go after are the clients router I want to get access to the routers internal interface so this is the same scenario but instead of attacking a public IP the attacker is going to try and rebind to one ninety two dot one sixty eight dot one dot one so again client does a DNS lookup and again the attacker server sends back to IP addresses now the browser says oh we've got two IP addresses oh but one of them is an internal non-routable IP address and the browser will always try internal non-routable IP addresses first regardless of the order in the DNS packet so he's just going to go and send the request to the router and load up the routers web interface in the clients browser this does the attacker no good because the client never got went out to the attackers web server to get his JavaScript so attacker has no presence in the browser he's accomplished nothing um so the problem here is that everyone's focused on protecting internal IP addresses okay routers are kind of unique they have both an internal and an external IP address and so we can actually attack the external IP address using this method and gain access to the internal interface and the reason that works is actually kind of interesting so if you take a look at a netstat on a router and this is actually from an open wrt router take a look at how its binding services these services are bound to every interface on the router so port 80 yeah that's found on your way an interface it's listening on the LAN now what prevents just anyone from on the internet from connecting into the router or your firewall rules now anyone who's looked at open wrt firewall rules notice this is extremely simplified but basically says okay each zero is my way in interface I don't want people connecting in from the web so anything that comes in on each zero drop it everything else will except because that's our internal interfaces that's fine and there's nothing really inherently wrong with this but like the same origin policy this attempts to enforce security based on a name computers don't work on names they work on IP addresses and where this comes back to bite is when you look at how the underlying operating system handles IP packets RFC 1122 defines two different models for implementing an IP stack once called the strong end system model and once called the weak end system model now if you know nothing about these two models other than the names which one do you think is better right but interestingly enough the weak model is actually the more prevalent model of the two it's implemented by Linux BSD I believe Solaris and even previous Windows so let's take a look at how this works this is verbatim from the RFC you can read it if you want RCS are very boring but all this says is okay if if I have if I'm a router or any computer and I receive a packet I'm going to look at the destination IP of that packet and if the destination IP matches any of my IP addresses on any of my interfaces I look set that packet and process it now it could come in on technically the wrong interface so it could come in on a zero and it matches the IP address on the eve one doesn't matter I'll accept it and process it because obviously this is one of my IP addresses and this packets intended for me so let's take a look at how this works in the context of the router okay again we have an internal client a router and the Internet so the router has two interfaces each zero is its public way and interface and eath one is the internal interface now each zero has an IP address of two three five eight that's the routers public IP so what happens when an internal client tries to browse to two three five eight I'm just going to send it TCP syn packet and the routers going to look at this and say ah well the destination IP is two three five eight that's one of my IP addresses awesome and it goes okay the destination port is port 80 well hey guess what I have a service bound to port 80 because remember those services bind to every interface so he says yeah I have a service listening on two three five eight port 80 and two three five eight is my IP address so I'll accept this complete the three-way handshake and so now the client can actually access the routers internal web interface via the public IP so oh wait a minute what happened to that firewall rule where we had a firewall rule that says block everything on each zero right well if you take a look at the traffic the top window is e0 and the bottom window is each one no traffic ever went over each zero the week and system model logic happens pre routing so everything gets accepted and processed on the internal interface so that firewall rule that we have that says block everything on a zero does nothing because there's no traffic on the zero so ultimately an internal client can punch in the public IP and get the web interface now again this by itself is really not a problem it's not a vulnerability per se but as an external attacker can rebind any internal client to any public IP I want including the routers public IP so now if I can do that I can completely bypass all of these protections that are trying to stop me from rebinding to internal IP addresses because I'm not rebinding to an internal IP so let's take another look at our rebinding attack again same scenario as before but this time it's every binding to 192 168 dot one dot one attack is going to rebind to two three five eight so internal client does the DNS lookup and again the attackers DNS sends back to IP addresses the browser looks that says hey you've got two IPS both public IP s that's fine I'll try them in order goes out to one four one four gets the attackers JavaScript JavaScript initiates connection back to attacker comm so the browser goes back to one four one four because that's what worked before but this time he gets a TCP reset packet back and so now he immediately switches over to two three five eight and now the attackers JavaScript has full interactive access to the routers internal web interface so this is a really really nice attack for DNS rebinding because unlike some other DNS rebinding attacks there's there's no delay or waiting period before you can rebind it's pretty much instant we also don't need to know the routers internal IP address that's always kind of a problem because you know routers can have different internal Eyed Peas and people can change the IPS and we don't care because we're rebinding to the public IP another nice thing is this works in all major browsers because this is just how browsers work it's how they handle DNS redundancy the downsides are we have some very specific requirements on the router okay we basically have three specific requirements okay the router has to bind its services to the win interface the firewall rules on the router have to block based on interface name and not destination IP or some similar configuration and the router also has to implement the week end system model so obviously not all routers are going to be vulnerable to this so the question is which routers are so I tested 30 different routers and out of those 17 rivana below includes routers from Asus Belkin Dell which I didn't even know they made routers but apparently they did Thompson these are actually pretty popular over in the UK pre popular DSL routers and one thing I wanted a test I didn't get a chance is the BT home hub which is really popular in the UK and it's basically a rebranded Thompson so those may be vulnerable as well lots of Linksys lots and lots of Linksys devices and I really like this line because the bottom two routers they're the 54 GL and the 160 are on Amazon's top five most popular selling routers list so awesome of course a lot of people put third-party firmware on there Linksys routers and it works against them too now hopefully you have some other security stuff put in place which we'll talk about later if you're running these but not everyone does my favorite though are the action tech router x' and a lot of people might not have heard of action tech because it's not really a big router name but these are the routers at Verizon FiOS and Verizon DSL customers get so these are everywhere let's see the action tech 701 704 and then two versions of the mi 424 WR all of those I tested and it worked against all of them now what's really interesting about these the one on the far right there that and and on the bottom they're both the same router just different hardware versions what's really interesting is the firmware running on these isn't manufactured by action Tech action tech actually uses a commercial third-party firmware called open RG which is made by a company called jungle and jungle claims that this same firmware is deployed in over 23 million households worldwide so awesome I like that so this attack definitely works but we need to make it practical okay you can't just say oh my JavaScript can see your router's internal interface people go yeah okay whatever I don't care um so we have to make it really a practical drive-by attack really to demonstrate what can be done with this okay so we have to get the targets public IP address automatically because we don't want to have to know that before beforehand we want to be able to get that automatically and it seems kind of simple at first but we have to know this before they ever do a DNS lookup on us so we basically have to know their IP before they come to us and that it actually is a simple fix for that the more difficult part is we have to coordinate all our services so the DNS server the web server and the firewall all have to be coordinated they all have to know what state each client is in they often know when to block a client when to allow a client what IP is returned to each client so that requires custom code and so that's a little bit more difficult and finally like I said we have to make it do something useful so that end I wrote the cleverly named tool rebind so it basically does everything for you except registered domain name it's pretty much slash run and you're done it implements a DNS server web server it interfaces with the IP tables firewall it's got an HTTP proxy for the attacker to use a series of JavaScript code which basically acts as a client-side proxy to proxy requests from the attacker to the router and back I tried to make the the JavaScript as quiet as possible so it supports across domain XML HTTP requests for exfiltrating data if that's supported in the browser um ie8 and firefox 3 5 and later support those and i've tested in all major browsers and it works it's quite nice so here's how rebind works I love the robot devil he's the best so you've got an attacker here and he's sitting behind the 1 4 1 4 server and he's running rebind on that server and he wants to target this clients router again appliance routers public IPS 2 3 5 8 and the attackers domain is attacker com so the attacker gets the client to browse to attack or calm slash in it I NIT so again before he does this he has to have the name server setup and rebind has to basically handle all of your DNS queries because rebonds handling the DNS portion of the attack so the attacker before he gets the client to browse he has to go into his registrar wherever he registered his domain name and register a name server just name it NS wanna tacker calm and put in the attackers IP address and then once that's registered as a name server guys to go into his domains configuration and say hey and that's one down attacker comm is the primary name server for my domain that's all the configuration you have to do so once once the client browse is out to attacker comm of course it has to do a DNS lookup rebind is only going to send back one IP address because again remember at this point we don't know the clients public IP we have no idea what it is so he's just gonna say yeah I'm at 1 4 1 4 so the browser grows out to 1 4 1 4 and request /a met now we have the clients public IP because he's made a direct TCP connection to the web server running on rebind so rebind says ah ok I've got your public IP of 2 3 5 8 he then sends back a randomly generated sub domain redirection so randomly generates whack me the attacker comm slash exec and he redirects the client to that now he logs this so the DNS server knows as well and so now the browser says ok this is a 302 HTTP redirect that's fine but this is a new domain so I have to do a new DNS lookup so it's okay whereas wacky attacker.com and so now the DNS server says aha the web server just redirected an IP address of two three five eight to whack my attacker com so if you're requesting whack mean attacker com you must be two three five eight so at this point it sends back the two IP addresses one four one four and two three five eight so again the browser is going to try 1 4 1 4 first request the slash exact page gets the JavaScript and now once rebind does this is going to tell I P tables hey reject any connection on port 80 from 2 3 5 8 with a TCP reset packet so when that JavaScript attempts to connect back to attacker comm he gets a TCP reset from IP tables so now he switches over to 2 3 5 8 and we've rebound attacker com2 the routers public IP successfully now once this happens the JavaScript start going is going to start sending it to request pull requests back to attacker comm on port 81 because remember he's blocked on port 80 so it gets sent to port 81 and basically this pull request is the JavaScript saying what do you want me to do well at this point rebind doesn't have anything for him to do so it sends back nothing but once these pull requests start coming in the attackers web interface has that clients IP address in there yes I know that's not the same IP address but that's ok so all the attacker has to do is click on that IP address and when he does he has his browser configured to use the rebind HTTP proxy so his request actually goes off to the rebind server and repine says ok you want me to do a get request on the index page of 2 3 5 8 no problem so he holds that connection open to the attackers browser and the next time this pull request comes in from the JavaScript he says yeah I got something for you to do do a get request on the index page so the JavaScript that's all right no problem since the get request to whack my attacker comm which is the subdomain that we rebound gets the response sends the response back to rebind and then rebind forwards that back to the attackers browser and so now the attacker is browsing around in side the routers web interface as if he's on the land and you can click on links and submit forums and do everyone's so this is much more fun when you do it as a demo than sitting down and explaining everything so see if I can get a demo going here I will smack you will Shh all right so rebind running and yeah that's it you just run it there's there's no configuration beyond that it does support a bunch of command line options if you want them so my breath this is my browser as the attacker and I've already configured it to use rebind as my proxy so if I type in rebind I should get the web interface for repine and let me fullscreen this so it fits a little better there we go so now I got an attacker over here who's connected to the internal land of this router so I'm going to have him browse to attacker comm slash in it and he should pop up here there we go so now as an attacker I just click and I'm in so this is the login page for Verizon FiOS routers default login is admin password one and no one ever changes it oh that's not good I knew my damn it would fail yeah apparently my client stopped calling back or something terrible happened I swear this works yeah so he caught stopped calling back and I have no idea what let's try it again wouldn't doubt try again right all right so he's back yay okay so we logged in so what I'm going to do now is I'm going to go ahead and just enable remote administration oh yes I do want to proceed thank you let's go down here to remote administration yes I want to proceed Kenton's user interface is so annoying okay so I'm going to enable remote telnet okay okay we're done we've been able to tell that on this guy now you will notice here that the images don't get displayed that's because rebind blocks image requests because I don't give a crap about images and they eat up a lot of bandwidth so now we should be able to if my terminal comes up here telnet to three five eight log in same as before admin password one and you get this weird wireless broadband router thing just type in shell and you get a root shell so yeah so a lot of people say well I get into your router I'll change your DNS settings yet that I hate that that's stupid I don't want to do that I want to own your router so yeah I've got a root shell now I can do you know ARP like oh there's an internal client now I know his IP the downside to these these thing is of course they're running Linux um but it's really stripped-down you don't have netcat you don't have double you get you don't have all these fun things but you do have TFTP so i've cross-compiled a scanning tool to run on the I XP 425 processor this inside this router so I should be able to TFTP it down here and to start attacking the internal land ok so there I got it let me trim on it real quick ok so again this is kind of a real quick thing I threw together a poor-man's netcat that runs on the ARM processor because I had trouble cross compiling netcat for some reason but let's just go ahead and scan that internal IP address we got from the ARP 192 168 1.3 yeah if I type in the right IP it would probably help wouldn't it and let's scan ports 21 22 23 80 and 443 oh that was quick for date is open so we can now do a quick get request to port 80 on this internal server and yeah we get the secret web server page fun so one time into your router I can now go ahead and put whatever tools I want on this thing and run them against your internal network I mean I'm on your internal network at this point which is the great thing about routers they're connected to the Internet and your land fun so really I can turn this into an attack platform to go after your entire internal network at this point and of course routers don't have any kind of and I virus or anything on there so I'm pretty much do whatever the hell I want but we're not we're not limited to attacking the main web interface of the router so again you notice okay I had to login and yeah most people are going to leave the default login so that's a big problem but I can also go after soap services what about you PNP UPnP lets me open up ports on your router to any internal client without any authentication at all I can interface with you PNP using JavaScript it's awesome there's also H snap which I'm not going to go into but HF is the home network administration protocol which some routers implement it does require authentication but I found some issues with certain implementations that allow me to get around that we can also rebind to any public IP we're not restricted to the routers public IP so the repined tool allows you to say hey I don't want to rebind to this guy's router I don't really care about his router I just want to use him as an on-demand botnet to attack this other server over here so here's a list of IP addresses I want you to rebind clients to and then the attacker just has a script that goes through and attacks that service through someone else's web browser so how do we stop this forcefields would be awesome unfortunately I don't have those working yet the luckily is it's fairly easy to stop and to identify so you know first of all if you can punch in the public IP of your router as an internal client and you get the web interface yeah this will work there we go the next line now once you identify that this works the best way to stop it is to break any one of those three requirements we have on the router okay so you can stop the way stuff binds to interfaces you can change firewall rules containes routing rules of course just disabling the HTTP interface is probably the best thing to do anyway we can also do that and then we can also reduce the impact of the attack which is basic security precautions so if you want to block the attack of the router you can potentially tell the router services to bind to specific interfaces not all routers let you do this and most people will not have the technical skill or the access to the router in order to do this so is probably not the best option but if you can do it that's really the best way to do it you can also reconfigure the firewall rules and these are again iptables rules basically says okay my internal interface is 'if one if someone on eath one tries to go to my public IP drop it now the downside just new notice I put in actually slash 16 here the downside of putting in your specific public IP is that as soon as it changes this rule breaks and you have to update it so instead what you should do is do a whois lookup on your public IP for your ISP see what the range is but they're handing out for DHCP and just block that entire range because unless internal clients are trying to like hack your neighbors which hopefully they shouldn't be doing then this won't really affect any kind of internet connectivity that you have you're just blocking all everything in the DCP range that comes from your ISP and then you don't have to update the rule yet don't use HTTP use HTTP at least because if I try and rebind to http you're going to get at least a cert error and that's going to break the attack now if you're administrating a router it's best to use SSH even telnet is better than the web interface most people can't do that though so best suggestion is just disable HTTP and enable HTTPS also disable UPnP while you're at it yeah I noted I know you need for your Xbox you need it for your Skype and all that other crap it's bad don't use it however there are some problems don't just enable HTTPS and leave HTTP enabled because then I can still get to http some routers actually don't let you disable HTTP I've seen routers where there's a checkbox to enable HTTPS and you can't disable HTTP at all so that's a problem some routers have HTTP services listing on alternate ports this router for example listens on both port 80 and port 8080 so if you're if you're disabling this make sure that all of those ports get disabled again I'm bringing up a chap it's a home network administration protocol it uses HTTP not HTTP and in some routers you cannot change that and you cannot disable it so I can still go after that if you have a weak password blocking attacks on the host let's say you don't have access to your router to do this you just don't have sufficient access to make these changes or you don't want to make the changes for whatever reason you can go around to all of your internal hosts and basically put in the same rule say don't allow this host to browse out to the routers public IP because again I need an internal client in order to do this attack so if the internal client can access the router then it breaks the attack the downside of this is you have to do this on every single device that connects to your network and will ever connect to your network that includes your iPad's and your iTouches so that that can certainly be a management nightmare if you have you know more than two or three computers you can also configure dummy routes as well to say hey route everything is going to my public IP me to boot back and of course the connection will never succeed um basic security precautions for God's sakes change your routers default password no one does this hopefully everyone in this room does this but many people don't keep your firmware up-to-date there are a lot of vulnerabilities in this routers if you go online and you have routing like oh there's no vulnerabilities in it that means someone hasn't looked at it close enough yet I'm serious these things are full of security holes so make sure you keep your firmware up-to-date because there's probably a vulnerability out there and if something gets published you want to make sure you have a patch for it assuming your offender actually patches it and don't trust untrusted content and yes everything on the internet is untrusted you cannot trust stuff on the internet especially something called attacker comm yet I would suggest disabling JavaScript or using no script but to be honest that's completely impractical for the average user I can't even I get so annoyed browsing around the internet without JavaScript it's like god damn and I just enable it anyway because it's so annoying everything uses JavaScript and stuff will just break epically if you don't have JavaScript enabled so if you want to do that knock yourself out but again it's not really a good suggestion for the average user because they're not going to do it so vendor and industry solutions so fix the same origin policy in the browser's please this attack has been around for almost 15 years so I know you notice that I don't have fixed DNS up here I know a lot of people say oh we need to fix the NS you know fix ENS this is not a DNS problem I think it's completely unfair to put the burden on the DNS hey DNS was around long before the same-origin policy was DNS was never intended to be used for security but whoever decided in their infinite wisdom to create the same-origin policy set up riku's a DNS which is a completely unauthentic ated unverifiable unsecure protocol and based a security model on it so the problem is with the same origin policy in the browser and that's what needs to be fixed it for if you're if you're a router vendor implement the strong end system model in your router and users will not know or care it will not break anything for them and it will keep them secure from this particular attack you can also build DNS rebinding mitigations into routers the only router that I know of that does this is PF sense because when they saw this post it up on the blackhat site when the talk got accepted and they contacted me I said yeah just check your HTTP host setters make sure the HTTP host header has your host name in it or IP address and not someone else's and so their their actual their beta release for the 2.0 release of pfSense has that check in it so kudos to them but no one else does this to my knowledge and that's a very very simple way to stop any DNS rebinding attack in its tracks so how am i doing on time by the way how many 20 Wow no hope you guys have a lot of questions I went through that a lot faster than I expected so DNS rebinding still poses a threat to the land even with all the security protections out there and things that people have put in because ultimately what they put in doesn't work there is it's like going to the doctor and saying hey I've diarrhea and he gives you a cork it's not a real fix we have tools available to exploit DNS rebinding okay they work well they work the second time at least and really you are ultimately responsible for the security of your network you need to be aware of this stuff I know a lot of people just I talked are talking about DNS rebinding like what the hell are you talking about seriously well I'm gonna smack you yet so make sure that you have this you know about this stuff and you take the proper precautions because I mean you really can't rely on vendors to fix patches in their routers I mean if you have a router this like you know they drop support for it a month ago they're like oh well you just had to buy a new router darn so make sure you're aware the stuff there is stuff that you can do to stop this make sure you do it so with that said the rebind code is going to be posted up on rebind code comm um it's I don't have the code checked in yet but it'll be up there sometime today if you want to contact again do not contact my work contact me and do we have questions yeah yes my question was the JavaScript that you said you had on the client that she put on the client that feeds the routers web interface to your attacker machine yeah it proxies request from the attacker to the router and back so it does that pull request back to rebind and the rebind tells it what to get it gets from the router and then sends it back okay one question yeah no more oh there we go so files is the problem with file says they use mocha for their for their cable connection so you have to have a mocha enabled router and those are not very prevalent so most people just use the action tech supposedly you can get them into bridging mode where they just pass through but everyone I've talked to has tried that it's like it's a big pain in the ass and it never worked so pretty much everyone on FiOS is using these routers with very few exceptions okay yeah so if you if you have let's say you have the action tech okay the action tech router is your border gateway and you put another router behind that doesn't matter I'm still attacking the public IP of the action tech so I can still access the action tech router yeah it'll protect your it'll help protect your internal IP once I get on the router but it won't stop me from getting to the router right yeah what are the manufacturers you list was links us we knew who the parent company of that is I'm kind of surprised that they haven't contacted you um my work told me that they contacted them about something and then I never heard anything back from it so I don't know if they just gave up or what happened with that again simply because my work was listed on on the on the presentation everyone contacted them instead of me but yeah I haven't heard anything from them specifically and again but again this isn't really a prop I guess it's kind of a problem with the routers but there's no real vulnerability in the routers it really needs to be fixed in the browser ultimately if the attacker knows the internal IP address of your router can they mount the same attack despite the strong in system model or filters that based on IP address they can't do it with this because remember when you try and do the pub the private IP it'll fail with it with this particular attack if they know the internal IP address you can try and do anti DNS rebinding the downside to that is you have to wait like an exorbitant amount of time at least in Firefox it's like two minutes or three minutes before you can do the rebind so so so the realm of practicality starts decreasing there but yeah you can also do cross-site request forgery attacks too but like I said they're limited good I can't hear what you're saying can't you mount this attack without relying on back same origin policy in the browser course you can still do cross sight post so you can still do one post request to log in another post request should we figure the yeah but not if they're using okay so first of all that will work on this because it has anti cross-site request forgery there's a JavaScript token in there that you have to get so you can't do that type of attack here you also can't like I mentioned you can't do that against stuff that uses basic authentication that won't work anymore so yes you can you can use cross-site request forgery certainly on a lot of routers to do that the other nice thing about this is because I can see the responses this also open up opens up multiple other vulnerability types that are not exploitable cross-site request forgery like information disclosure so for example dd-wrt by default when you go to dd-wrt routers paid you know splash page it doesn't require you to log in but it gives me a nice list of all your internal IP addresses and your MAC addresses and the exact build version of DD WT you're running and so I can't exploit that with cross-site request forgery but I can with this so I don't even have to log in in order to get a decent amount of information about your network and granted that doesn't give me necessarily a definite exploit but it's certainly not information you want to be sharing with everyone on the internet known as a domain name so yeah you I'm not trying to disparage cross-site request forgery and there's certainly a lot of really awesome things you can do with it and it's definitely an easier attack but this has several advantages over it which is kind of the point of doing DNS rebinding no more questions go back to what yeah what's that oh you just wanted to see the show okay and now we got one question back there getting a microphone do we have it a quick one while he's doing that all right hi I'm curious about you with the same origin policy you mentioned this bill it's built on DNS which is an untrusted platform with the changes motion toward getting DNS SEC more widely a probe feasible have you would would that same statement be true or could you still do certain attacks be in it because I legitimately own attacker.com I've registered it I own it so I can set up a legitimate DNS SEC enabled DNS server for it yeah it DNS SEC does nothing to stop this I can't see anything good hands yeah and back there so you said that you tried it on hold on hold on two routers and I think you said about 17 of them worked and the rest didn't did you have time to investigate the ones that didn't work and figure out why they didn't work and what they're doing there that time we prevented it on most of them I suspect they're not using the week-end system model some of them actually were fairly smart about how they rebound services so they weren't listening on the LAN port I didn't get a chance to look at all of them but it from what I've tested if you're running a Linux or BSD based system you're at a much higher risk for attack because they implement the week-end system model in the OS now that doesn't necessarily mean it will work because there are some Linux based routers this didn't work against again because of the way they bind interfaces and set up their firewall rules but but I mean if you're running Linux you already a third of the way there and the other two configuration options are actually fairly prevalent so if you're not if you're running some kind of custom OS on the underlying router it's probably less like because interestingly the week-end system model is more difficult to implement and strong because you have to go through and look at all your IP addresses and see if they match rather than just checking the 1 1 IP said it so yes there is the question is if you didn't hear it is there anything an ISP can do to help stop this attack say notice I'm returning to IP addresses I have seen one really weird ISP that actually would filter out the the extra IP addresses so if I did a DNS lookup on Google it would only give me one IP address back and that will break this attack but it also breaks redundancy for Google as well so it's a pro and a con that it I have no idea why they chose that I really don't and I suspect it's one of those things they chose before you know javascript is real big and you had cross you know you had XML HTTP requests and that kind of thing but yeah I mean ultimately you're trying to enforce security based on domain name but the domain name can point anywhere so it is really just a fundamentally flawed policy but I have no idea why they chose to do that other than it's probably pretty difficult to do it based on IP especially if you want to allow DNS redundancy because then you have to have to allow to switch IPs no I haven't got anything for action tech interestingly though two days ago buddy of my mind forwarded me an email he got from Verizon saying we're very secured about our customer security and here's a link to a website that says you had to change your default password and all this other stuff but yeah I haven't been contact the only router company this contacted me as pfsense they're not really a company there's the open source project anything else all right awesome thanks very much

A MarketPlace of Ideas

Archive for the ‘Hacking’ Category

DEF CON 24 SE Village – Chris Hadnagy – 7 Jedi Mind Tricks: Influence Your Target without a Word

Installing Kali NetHunter on Nexus 7 Tablet

RansomWare Attack in Europe based on Petya

Every router in America has been compromised’ – McAfee on CIA exploits

WordPress Website Hacking Using n00py’s WPForce

How to find website vulnerabilities with Uniscan

Tech Scammer sets Syskey and BIOS Password on his own Computer and Cries!

Defcon 2010 – Your ISP and the Government Best Friends Forever – Christopher Soghoian

Blackhat – 2010 How to Hack Millions of Routers

HP Laptop Keylogger Shipped with Product

Meta

Tags

Categories