Okay, the line has trickled to a slow speed, so we're gonna get started. One quick announcement to remind you all of: photographs of the speakers are with their permission; photographs of the audience are not allowed. If we find you doing it, you will be removed. And with that, SensePost and Roelof.

Hello, hello. Okay, let's see. Just a couple of things before we start. I'm gonna try and speak into the mic the whole time, but it's kind of, you know, maybe do it like this, like that. Okay, let's see. Before we begin, most of the stuff you can find at that URL over there. That's just in case we don't get through all of this; I think we will, because we've got a double session, so there shouldn't be a problem, but if you want to write that down, that's where you can find the tool that we'll be showing today. Also, at Black Hat Amsterdam we actually made a promise that we would release a web application scanner, and that is also available for download at the URL on the screen.

In terms of time considerations, there's a lot that we must cover. We're basically gonna go through the presentation, and then afterwards we're gonna do a bit of a live demo. We're having issues with the wireless at the moment, but hopefully by that time it should be sorted out, so then we can go through a bit of a live demo on this thing. Just something to start off with: there's a lot of shows that you can go see here in Vegas. I've heard that, you know, Zumanity is quite good, and Elton John, and Celine Dion, and Dan Kaminsky. So this is a presentation; there won't be any drinking on the stage, and it's not a show.

So basically, let me give you an introduction. Let me just quickly, briefly tell you about SensePost. We're a company of about 15 people in South Africa. We do external and internal assessments, call it penetration testing. We've done it for the last five years.
We've been talking at Black Hat and DEF CON for the last four years. And in our work, what we basically do, amongst other things, is we break into networks. We train as well; we do training at Black Hat. We've trained a record number of people this year at Black Hat. And we train them using, basically we tell them about, a methodology that we use to break into networks from the internet. This is not for internal; it's from over the internet. And so we're pretty sure that our methodology kind of works. It seems to be working. We've seen the insides of more internal networks than we kind of care to see.

So what we've done is, we've basically said: this methodology that we have, let's see how much of this can be automated. So the idea was to basically take every step of the way and check if that step can be automated, and to what level of accuracy it can be automated, so that by the end of the day, hopefully, most of the stuff that we have to do manually we can now do automatically. So the talk is really about the methodology itself: which parts of the methodology can be automated, where it really works well, and where it really breaks down badly. And when it breaks down badly, why it actually breaks down badly. And at the end, we're going to quickly talk about some implications that this tool will have for, you know, the more mediocre pen testers out there, because I guess there's a couple of those.

Okay, so in order to automate something, you need to code it, right? You need to be able to write it down and code it. And to code it, you need to have some kind of algorithm. And in order to have an algorithm, you need to really, really understand what it is that you're trying to do. I find a lot of people start writing code for something that they don't understand yet. So the idea is never really that the coding should take a lot of the time.
The idea would be that understanding the process that you're trying to do is what takes the time. And having done hundreds and hundreds of assessments, we kind of know what it is that we want to do, so it's just a question of coding it. With anything that you automate, if you can write it down on a piece of paper as a kind of flow chart, and you know exactly what it is that you're writing down, and the flow chart works, then you can code it, right? Then it's just a question of saying we have to take this stuff and write it in code.

The problem with automation comes in when there are exceptions. So the situation might be: we can do this in this case, but one out of a thousand times the result is going to look a little bit different. And if you still want to automate it, you need to make sure that you're catching that exception. So, and you will see this during the talk, as soon as there are exceptions, and as soon as there's something that we don't really understand how it's working, or we have to see how many different exceptions there are and write a piece of code or a code path for each of those different exceptions, it becomes very, very difficult to do. Now the trade-off there is that if you have something that works 99.9% of the time and it doesn't take you a year to code the code path for the exception, then you kind of live with it and you say it's okay, we can live with this exception, we know that it occurs, and it's not necessarily a bad thing; we can maybe fix it manually afterwards.

So there's a couple of weird perceptions in the industry today, and you will find them at this conference; it would be the best place to find that kind of weird perception. If you talk to just about anyone at this conference, they would tell you that Unix is good and Windows is bad.
And then afterwards you should make a kind of sheep noise, because if everybody says Unix is good and Windows is bad, then it must be. You will also see that a lot of people say that the problem with Windows is that we have these GUI apps running on Windows, and with GUI apps you can't really do a thing, because it's kind of a black box and you don't have the flexibility that you have with Unix tools. What I'm saying is it really depends on who's writing that GUI application, because you can still have a GUI application and still have flexibility, the same kind of flexibility that you would have under Unix. I don't want to go into this too much, because I'm thinking people are going to assault me after this. I can see angry faces in the crowd.

But there's really a perception out there that says if something is a GUI application, and I guess that's the fault of a lot of people that write applications, as soon as we stick a GUI on top of this thing, we need to dumb the application down, because we think that people using GUI tools are stupid. Because we're now catering for a crowd of people that's stupid, we need to have our GUI really point-and-click-and-go, and it's really not the case. You can still build a GUI that is very flexible and that has lots of potential to play with, if you assume that your users are not stupid. It's something that we've done in the tool that I'm going to show you. We've basically written the tool in such a way that everything that's input and output goes into a text box. So at any time what you can do is select the whole text box, copy it onto a Unix system and do your whole grep and sed and awk and all the nice things that we like about Unix. You don't have to export it in some kind of weird format and try to convert it into text before you can work with it.
The other thing is that the text boxes are hot, which means if you make a change in that text box, that's a change that you've made to your data set, right? You don't have to write some kind of SQL statement in order to update the stuff somewhere within a database. It's totally database-less. Right.

Now the tool's name is BiDiBLAH, right? Yeah, BiDiBLAH, as in blah, blah, blah: BiDiBLAH. And the tool that we've written is really used for doing large-scale assessments. Now just a quick note on assessment. If you're putting your domain in this tool, then this tool is doing an assessment. If you're putting someone else's domain in this tool, then you're doing an attack. So an attack and an assessment are kind of, you know, it really... When I'm doing this at Black Hat, I'm saying this is an assessment tool. And when I'm doing it at DEF CON, I can tell you that you can also use it as an attack tool, right?

Now it's built to do assessments on very large networks. The problem with demoing this thing at a conference like this is that SensePost does not have a very large network. Our clients, they have large networks, but they won't appreciate it if we start showing their data on the screen at DEF CON, right? So what we're doing here is we're going to do some passive work, which is totally passive. We're not sending any packets to the network. Well, not a lot. It's not an attack at all. No, no, generally it's not a... You will see. It's not like we're attacking anything. But we're going to do some passive work against just the IBM DNS space, and we're going to do some passive work against Playboy, just because I thought, you know, if we get any results it might be interesting to verify them. And then when we go active, we're going to look at the SensePost network. Even if it's small, keep in mind that, you know, it's a small network; you can do the same thing on a large network.
And when we really go into attacking boxes and owning them, we'll be having a VMware server that we look at. Now, the problem with this stuff is there's a lot of risk in doing this live, okay? Because networks change all the time, and there might just be a situation where when we did the scan yesterday everything was cool, but today there's a vulnerability on the machine. So we're not going to do it. Well, we might afterwards do some stuff live; we'll see how it goes in terms of time as well. But when we do stuff live, you will know that we either have permission of the owners of that network or it's on our own network, right? So if there's any press in this room, I don't know if there's any press, please, after this talk, please don't write an article that says on stage SensePost attacked IBM and owned the network, because that is not the case, okay? We're not going to even try to do that.

Okay, so what we've done, in the pieces of demo that we have here, is we've basically taken some screen captures and put them into a video. All of it is exactly the way that it works, and there's no trickery involved. However, sometimes we've paused the actual screen capture because, you know, when you're doing a reverse scan on a class B, that's going to take a while, and I don't want you to sit here and just look at the screen for half an hour watching us do a reverse scan on a class B, okay? So for that stuff we've paused it, and it's kind of time-lapse. But the rest of the stuff is absolutely real. There's no image manipulation done anywhere, right?

So with that out of the way, let's have a look and see what our external methodology looks like. Now, can I just see in the class here who's been on any of our bootcamp classes at Black Hat? Some hands, okay? Okay, great stuff. Now if you were on the bootcamp class at Black Hat, you will know this methodology quite well.
I'm not going to go into it too much because, you know, that's what the classes are there for. But basically it boils down to this. We start by doing a footprint. From the footprint, we go on to a fingerprint. From there we do targeting of systems that we would like to attack. We then do vulnerability discovery. And the last step is we actually exploit those vulnerabilities to do penetration testing on the network itself. Now all of these little blocks break down into a whole lot of other sets of blocks.

So we're going to start with the footprinting. The footprinting can be broken down into six blocks, okay? The first block is: we find the domains. Now it seems very silly, because you might think that if you, let's say, attack IBM, then the place to start is ibm.com, right? And it's as easy as that. What you might not know is that large organizations can have up to 2,000 or 3,000 different domains. And those domains all carry DNS information that's pointing to IP addresses. And those IP addresses sit within net blocks. And those net blocks might contain machines that are vulnerable and that have access to the internal network or, you know, are connected via VPN into the internal network. So the idea is that we find as many domains as we can.

And then we go to the next step, which is to find subdomains within those domains. And again, finding subdomains in a domain might seem at this stage very kind of silly, but you'll see that it's actually quite interesting. We then do forward DNS entries. So we basically look for anything we can find within the forward zone. We get net blocks. We start trimming those net blocks down to size. We might add other net blocks to those net blocks. Once we're done with our net blocks, the first round of definition of our net blocks, we do a DNS reverse scan of that particular block. And that might lead to two things. The first is we might find new domains coming out that we didn't know about. It almost always happens.
And we find that maybe our net blocks weren't defined so nicely, so we can redefine our net blocks at that stage if they need to be redefined, right? And once we have our net blocks nicely tied down, we can go to the next step, which is vitality testing, vitality scanning. The idea is, imagine you're sitting with a class B. You're going to run a Nessus scan against a class B? I don't think so, right? The idea there is to find machines that are alive within a big network space, so that we can do targeting on it in the next step and decide which of those machines within that big piece of space are interesting to attack.

Now, this footprinting methodology, these six blocks that are here, can now be broken down into more blocks, okay? It's like, you know, those, what is it, Russian dolls? You keep taking out the dolls; it's the same thing over here. Okay, so just to give you an overview of how this whole thing sits together, I've made this movie, okay? I've made this movie using Visio and Word, so it's a little bit sucky, I know. So we start with a main domain. From that domain, we get subdomains. From the subdomains, we start doing forward lookups. Those are pointing to IP addresses, right? Those are the little arrows at the end. From that, we start our first round of net block definitions. It might be one IP big; it might be, you know, a class C; it might be a class B, which we actually don't know. We do reverse entries, reverse DNS entries. I'm just going to pause it over here. Those are the red lines. And from the reverse, we can get new domains, right? Which might be related, or could be totally unrelated. This will help us to define our net blocks even more nicely, make the net block definition even tighter. As you can see here, we've now broken those net blocks into smaller blocks. Once we're done with that, we're going to go on and do vitality scanning. Those are the little dots. You see over there the X's for closed ports.
Once we have those machines within those networks defined, we can do a port scan on those machines to find out exactly what ports are open on each of those IP addresses. And once we have that, we can basically start doing vulnerability finding. So there, for instance, we have the Apache 1.3.2 chunked encoding problem that sits on one port, on one IP, within one network that was given to us by one domain. So in this case, we're using one domain. You can use as many domains as you wish. Like I said, some big corporations have up to, you know, thousands of domains. So this is the picture, the whole picture of the thing. Let's see how it actually works.

So within the footprint, remember we went into this. This is now the first block, finding the domains. I'm going to go into that. We haven't implemented this within this tool, and I'll tell you later on why we haven't implemented this. It's one of those things where there are lots of exceptions and it's not that easy to implement. We started doing it, but it's not there yet. So you won't see it within this tool.

For the subdomain mining, what we basically do is we start off with the domain itself. Now let me ask you this. If you Google for IBM, let's take IBM as an example, and please, again, I've got nothing against them. Yeah, I'm using an IBM notebook. I mean, come on. If you Google IBM, you're going to find a whole lot of hits that point to machines that are sitting in the domain ibm.com. So for instance, one of the links that you might get is something coming off a site called www.chess.ibm.com. And what do we know from that? We know there's a subdomain called chess.ibm.com, right? And as we go along, we can Google for different kinds of common words and look whether it's related, whether it is within the ibm.com domain. And using Google, we can basically pull out a whole list of subdomains.
We can also pull out a whole lot of DNS names themselves, because if something resides on www.chess.ibm.com, then we know that www.chess.ibm.com exists, which gives us one forward entry in our table of maybe lots of forward entries that we're going to pick up later. Everybody's cool with that, right? So let's see how it is actually done. Also, if you want to have more information about that, you should attend Johnny Long's talk. He's doing a whole section on subdomain mining. He's right there.

Okay, so let's see how it works. We've got five minutes per domain to get subdomains, and this is at the moment set to only look at the first three pages that Google returns, right? We can set it to return as many pages as we want, but the 80/20 principle is at work here: we find 80% of the hits within 20% of the time, okay? So doing three pages is just about okay. And we've got a couple of keywords that we can combine the search with. So I don't know if you can see there at the back. What we're going to do is I'm going to start playing this video. So we enter, oops, we enter ibm.com in there and we hit the start button. And now the tool is basically, through the Google API, querying Google. We also get email addresses. So for instance, there you have "no one" at us.ibm.com, and from that we obviously know that there's a subdomain called us.ibm.com. When this tool is done, and this is obviously time-lapsed, you'll see on the right-hand side we have a whole list of subdomains: uk.ibm.com, us, watson.ibm.com, chess, and so forth and so on, okay? And while this might not look so interesting on ibm.com, we might afterwards show you an example that is more interesting.

So basically what we have now is we have the subdomains, right? We have the domains and we have the subdomains. And what we want to do is find all the forward entries that we can possibly find, right? So hang on a bit.
What do you think would be the first step to check for when we're finding forward DNS entries? What would be the first thing that we would see if this is possible on the domain? Anyone? Anyone? Okay, hang on a bit. Where are our T-shirts? Do we have T-shirts? Let's see again. What would be the first thing that you do when you have a domain and you want to find all the forward entries in the domain? Yes, sir. Sorry? No. Who said zone transfer? There you go.

Okay, so the first thing that we're going to do is attempt a zone transfer, right? Why? Because if we can transfer the zone, we get all the information in the zone in one go. We don't have to mine for any DNS data; we get the entire zone. So the first thing we're going to do is basically check for MX records and NS records, and then we're going to see if a zone transfer is possible. Where's my handy laser pointer? If a zone transfer is possible, we immediately have all the forwards within that list. The next thing we want to do, if a zone transfer is not possible, which is most likely the case, is basically go through a hit list. Okay, and I'll explain that just now. And from the hit list, we're going to perform the forward lookups, and that's going to drop us into this container over there.

Now, the hit list works like this, right? If you see that a machine exists with the name gandalf.ibm.com, what are the chances that there will be a machine called frodo.ibm.com? Okay, pretty good, right? So the idea of what we're doing there is we're building a whole lot of lists, right? Of things like colors, animals, characters out of Lord of the Rings, characters from Hitchhiker's Guide to the Galaxy, Terry Pratchett books, names out of the Bible, and so forth and so on. And basically we test for four entries, it's configurable, but we test for four entries within that list, and that list is sorted with the more popular names at the beginning.
And we basically check if one of those names exists, and if they do exist, we check the whole list, okay? So it gives us a way of finding out what kind of naming scheme these people are using, using only four DNS queries, right? Because they're not going to have some kind of weird name out of Lord of the Rings and not have Gandalf, right? They would have Gandalf or Frodo, okay?

So let's see how this works. Now for this, we've done it on Playboy, okay? And we've just now started with doing the subdomains. In the case of Playboy, we only find two subdomains, called casino.playboy.com and playboynet.playboy.com. And what we're going to do is go on to the forwards, okay? When we click there, we can basically import the stuff from the previous section, okay? What you see there, sorry, I missed this. Let's just pause it here. Can you see there at the back at all? Probably not, right? Can you see, people at the back? Can you see the actual lettering there? No? Dude, I'm sorry. No, I can't make it any larger. Okay, I can, but that means rewriting the app for another font in that window there. So basically what you see over there, just trust me on this, okay? I'm not lying, and the people in front can verify. What you're seeing there, at that part of the screen over there, is entries that we've already found with the Google search, right? Those are already forward entries that we found with the Google search. So they exist. So now we're going to add to it. Let's just see if I can, okay? And I'm going to click on import, right? And we get our list over there of things that we have: fruit, e-commerce, Discworld, colors, names, music, all of that. And immediately when we do that we start getting results. Now those results there, I know you can't see it even if you're sitting in the front, those are the MX records and the NS records, okay; it's just in a different color.
But basically, here at the bottom you'll see that we're starting to check forward entries, right? And we already got ftp, we got content.playboy.com, that could be interesting. And at this stage I basically stopped the capture and let it run through. So you see there the end of the entire capture. You get machines like secure2.playboy.com, pics.playboy.com. It's all kind of interesting. The other thing that we can do is we can add at the end of a forward, we basically add some fuzzing strings, okay? So when we test for instance ftp, we also test for ftp1 and ftp2 and ftp-1 and ftp-2, and you can have as many of those in there as you want, right? At the moment we were just testing -1, -2, 1 and 2, okay? But it's basically kind of fuzzing the DNS out. Okay, so what we have after this is we can collect all of the DNS entries that we can possibly get from a domain. We collect them in that text field on the right-hand side. Shit.

Okay, so the next step we want to do is look at net blocks, okay? Now the idea is, the first thing we can do is take all of those IP addresses that we had, right? And we can slice off the last digits from them and assume they're all class Cs and start off with a class C definition, right? Okay, we're going to start doing that. Shaking your head, sir. Absolutely, you're absolutely correct. So we're going to start with that. We've got to start somewhere. You're absolutely correct. So you'll see. Okay, and what we're going to do is add to that; we see what the whois definition is of that block, to see if we can get the net block out of there. We're going to look at additional blocks from ARIN and RIPE and APNIC and LACNIC and AFRINIC and all of those wonderful places. But you'll see how that is also difficult to do. We're going to look at reverse DNS entries to find out if the blocks are at the correct boundaries.
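The hit-list forward lookups described above (probe four names from a sorted list, walk the whole list only if one of them resolves, then fuzz the labels that hit with -1/-2/1/2) as an added example from the editor; it is not BiDiBLAH code and not the speaker's. The resolver is a constructed in-memory table so it runs offline; every name and address in it is made up (RFC 2606 / RFC 5737 ranges), the hit lists are short stand-ins, and the choice to fuzz only labels that resolved is an assumption. To run it against real DNS, pass a wrapper around socket.gethostbyname() as the resolver.

```python
"""Hit-list forward DNS discovery: probe a few names per naming scheme, walk the
whole list only on a hit, then suffix-fuzz the labels that exist.
Editor's added example, not BiDiBLAH code. Offline: uses a constructed zone."""
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Resolver = Callable[[str], Optional[str]]

# Constructed fake zone standing in for a target's forward DNS (made-up data).
FAKE_ZONE: Dict[str, str] = {
    "www.example.test": "192.0.2.10",
    "ftp.example.test": "192.0.2.11",
    "ftp2.example.test": "192.0.2.12",
    "mail.example.test": "192.0.2.13",
    "gandalf.example.test": "192.0.2.20",
    "frodo.example.test": "192.0.2.21",
    "bilbo.example.test": "192.0.2.22",
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for socket.gethostbyname(); None means NXDOMAIN."""
    return FAKE_ZONE.get(name.lower())


# Hit lists, each sorted with the most popular names first (assumed ordering).
HIT_LISTS: Dict[str, List[str]] = {
    "common": ["www", "mail", "ftp", "ns", "smtp", "web", "dns"],
    "lotr": ["gandalf", "frodo", "aragorn", "sam", "bilbo", "legolas"],
    "colors": ["red", "blue", "green", "black", "white"],
}
# Fuzzing suffixes appended to a label that resolved (ftp -> ftp1, ftp2, ...).
FUZZ_SUFFIXES: Sequence[str] = ("1", "2", "-1", "-2")


def probe_hit_list(domain: str, names: Sequence[str], resolve: Resolver,
                   probes: int = 4) -> Tuple[Dict[str, str], int]:
    """Resolve the first `probes` names; only if at least one exists is the
    rest of the list tried. Returns ({fqdn: ip}, queries spent), so a naming
    scheme the target does not use costs only `probes` lookups."""
    found: Dict[str, str] = {}
    queries = 0
    for n in names[:probes]:
        queries += 1
        ip = resolve(f"{n}.{domain}")
        if ip:
            found[f"{n}.{domain}"] = ip
    if not found:
        return found, queries          # scheme not in use, stop early
    for n in names[probes:]:
        queries += 1
        ip = resolve(f"{n}.{domain}")
        if ip:
            found[f"{n}.{domain}"] = ip
    return found, queries


def fuzz_labels(domain: str, labels: Sequence[str], resolve: Resolver,
                suffixes: Sequence[str] = FUZZ_SUFFIXES) -> Tuple[Dict[str, str], int]:
    """Try label+suffix for every label that resolved (ftp -> ftp1, ftp-2 ...)."""
    found: Dict[str, str] = {}
    queries = 0
    for label in labels:
        for s in suffixes:
            queries += 1
            fqdn = f"{label}{s}.{domain}"
            ip = resolve(fqdn)
            if ip:
                found[fqdn] = ip
    return found, queries


def forward_hitlist_scan(domain: str, hit_lists: Dict[str, List[str]],
                         resolve: Resolver = fake_resolve,
                         probes: int = 4) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Run every hit list against `domain` and fuzz the labels that hit.
    Returns ({fqdn: ip}, {list_name: queries_spent})."""
    forwards: Dict[str, str] = {}
    spent: Dict[str, int] = {}
    for list_name, names in hit_lists.items():
        found, q = probe_hit_list(domain, names, resolve, probes)
        labels = [f[: -len(domain) - 1] for f in found]   # strip ".domain"
        fuzzed, fq = fuzz_labels(domain, labels, resolve)
        forwards.update(found)
        forwards.update(fuzzed)
        spent[list_name] = q + fq
    return forwards, spent


if __name__ == "__main__":
    fwd, cost = forward_hitlist_scan("example.test", HIT_LISTS)
    for name, ip in sorted(fwd.items()):
        print(f"{name:28} {ip}")
    print("queries per list:", cost)
```

On the constructed zone the "colors" scheme is rejected after four queries, while "common" and "lotr" are walked fully and the fuzzing turns up ftp2, which no list contains. Against a live resolver, add a small delay or a bounded thread pool; the early-exit is what keeps a few hundred lists affordable.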
And another technique that we were looking at is to basically find the AS number of the route connected to that particular IP address, then put that AS number back in and see what other routes are within the same AS. Okay? And we'll talk about what the challenges are in that.

So let's just look at what happened to Playboy. I'm going to start playing this thing again. All right. So we go to the next step. We do import, right? And at this stage, the tool will tell you this will import from the forwards and assume class C blocks; it might be a dangerous assumption. Okay? Okay, so that's a start. See all of those 206s in there? They kind of look as if they belong together. When you click on it, you basically get all the forwards that sit within that block. Okay? Let's see. Okay, so there's a lot of the Playboy stuff coming: ftp, help. And we can click on the whois button and basically get the whois information for that block. And we see that, okay? That is actually not a class C; it's a couple of them. I think it's about 16 class Cs. And then we can simply change our block definition over there and say, okay, it's not from 1, it's not from 36, it's from 128, all the way up to 143. As soon as we do that, the other blocks that were there got kind of sucked into that list, because they're, you know, inside of that network now. Okay? In this case, you will see this machine, and we can have our blocks even one IP big. You know, we can have one IP, we can have a class B, we can have a class A. We just change it to say that that thing is now only one IP large. Okay.

What's interesting here is, we did the forwards on, I just want to check if it's the case, we did the forwards on IBM as well. So you can have a look and see what their net blocks look like. You know, they've got some crazy class Bs out there. Look at the size of that block. There's a couple of class Bs in there. Okay.
So the next thing we're going to do is reverse DNS scans. And the reverse DNS scan looks kind of intimidating, but it's actually quite easy. We're going to start with the net blocks that we have at this stage. We're going to do a reverse DNS lookup on each of them. And then we're going to apply some filters and say, if this thing is contained within that filter, okay, we say it's a matched entry. We can extract the domain from there, right? See if the domain is already in our list of domains that we supplied. If it's not, we can add the domain. And if it doesn't match the filter, we say, hang on a bit, here's a domain within that block; maybe it's interesting to have a look and see what else is on that domain. Okay.

So let's see how this works. Okay. There are the forwards. It's now IP sorted. You go to the net blocks. Those are the net blocks that we defined. When we start the reverse, you'll see that it automatically puts in the filters a list of the domains, because that's probably what you want to filter on. In our case, we change it so that it only says Playboy, so the filter can pick that up as well. When we start the reverse now, you can see these are all the entries that we get back. These are domains. There's PlayboyEnterprise.com, for instance, that matched the filter. But we don't have PlayboyEnterprise as a domain. So it's an additional domain, a matched domain, that we want to put back into the system. Right. This is not the speed at which it ran; I kind of paused it a couple of times. But what you see there is something called... What is it? No, go down. SpiceTV.com. Right. If we do a whois on SpiceTV.com, you will see that it is sitting at Spice Entertainment Inc. and it's sitting somewhere in Chicago. Note the address: Lake Shore Drive, Chicago, and there's a phone number there. So let's just have a look and see what it is on Playboy.com, what the contact information would be for them. And what do you know?
It is the same address. So SpiceTV and Playboy are clearly related, right? They are the same company. So in terms of putting new domains into your system to start scanning for more interesting domains, and to start finding more IP addresses and more net blocks, you should be looking at SpiceTV.com as well. So we can take that stuff, take out the subs in there, make it all unique, basically cut all of that stuff out. You'll see there's a bug in the program at this stage, fixed in the release that we have now, whereby it didn't check for uppercase and lowercase. So Playboy.com in uppercase was still in the list of unmatched. You know, that's just a tolower. And we can take all of that stuff and basically paste it back in here with the rest of our domains. See that, take it out nicely, make it all unique, and we can start over again. And that's why we have this kind of cyclical thing between the reverse and the forwards, until those blocks that we scan come out completely clean at the other end. Okay.

Now the next step we want to do, when we're happy with our net block definitions, is to find what machines are in those blocks that we can attack. Correct? Now again, imagine that you're doing this on a very large organization and you've got, let's say, IBM with lots of class Bs. Well, yeah, they've got multiple class Bs. You need something that's really fast, right? It ain't going to work if you're not scanning it really quickly. Now there are three ways that we can find out if a machine is alive. We can do your normal ICMP scan, of course. We can scan it here. And we can do TCP scans. And then we go for kind of a small list of ports, and we only check for those. And sure, we're going to miss stuff, okay? But the more ports you test for, the more it becomes a port scan on the entire range and the longer it's going to take.
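The reverse-scan step described in the last two segments (PTR lookup per address, filter match, domain extraction, matched entries that reveal new related domains, unmatched entries that say the block may be too wide, and the case-folding the speaker mentions as a fixed bug) as an added example from the editor; it is not BiDiBLAH code and not the speaker's. The PTR table is constructed so the example runs offline; names and addresses are made up (RFC 5737 / RFC 2606), the "last two labels" rule for extracting a domain is an assumption that ignores public suffixes such as co.uk, and the 50% "block looks wrong" threshold is an arbitrary choice. For real lookups, pass a wrapper around socket.gethostbyaddr(ip)[0] as the resolver.

```python
"""Reverse DNS scan of a net block with filter matching and domain extraction.
Editor's added example, not BiDiBLAH code. Offline: uses constructed PTRs."""
import ipaddress
from collections import Counter
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

ReverseResolver = Callable[[str], Optional[str]]

# Constructed PTR records for a small /29 (made-up data). Host .2 is
# deliberately mixed-case to exercise the case-folding.
FAKE_PTR: Dict[str, str] = {
    "198.51.100.1": "ftp.target.test",
    "198.51.100.2": "www.Target.test",
    "198.51.100.3": "mail.target-enterprises.test",
    "198.51.100.4": "host4.spicy-tv.test",
    "198.51.100.5": "dsl-5.isp.test",
    "198.51.100.6": "dsl-6.isp.test",
}


def fake_reverse(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(ip)[0]; None means no PTR record."""
    return FAKE_PTR.get(ip)


def registrable_domain(fqdn: str) -> str:
    """Assumed rule: the domain is the last two labels. No public-suffix list,
    so names under co.uk-style suffixes would need extra handling."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def reverse_scan(block: str, filters: Iterable[str], known_domains: Iterable[str],
                 reverse: ReverseResolver = fake_reverse
                 ) -> Tuple[Dict[str, str], Dict[str, str], Set[str], Counter]:
    """Walk every host in `block`, look up its PTR and sort it by the filters.
    Returns (matched {ip: name}, unmatched {ip: name}, new related domains,
    Counter of domains seen in the unmatched entries)."""
    net = ipaddress.ip_network(block, strict=False)
    filt = [f.lower() for f in filters]
    known: Set[str] = {d.lower() for d in known_domains}
    matched: Dict[str, str] = {}
    unmatched: Dict[str, str] = {}
    new_domains: Set[str] = set()
    foreign: Counter = Counter()
    for host in net.hosts():
        name = reverse(str(host))
        if not name:
            continue
        name = name.lower()                    # fold case before comparing
        domain = registrable_domain(name)
        if any(f in name for f in filt):
            matched[str(host)] = name
            if domain not in known:            # a related domain we did not have
                new_domains.add(domain)
        else:
            unmatched[str(host)] = name
            foreign[domain] += 1
    return matched, unmatched, new_domains, foreign


def block_looks_wrong(matched: Dict[str, str], unmatched: Dict[str, str],
                      threshold: float = 0.5) -> bool:
    """Heuristic for the 'redefine the net block' step: if more than
    `threshold` of the PTRs belong to someone else, the class C assumption
    was probably too wide (or the block is the ISP's, not the target's)."""
    total = len(matched) + len(unmatched)
    return total > 0 and len(unmatched) / total > threshold


if __name__ == "__main__":
    m, u, new, foreign = reverse_scan("198.51.100.0/29", ["target"], ["target.test"])
    print("matched:", m)
    print("new related domains to feed back into the forwards step:", sorted(new))
    print("unmatched domains:", foreign.most_common())
    print("block too wide?", block_looks_wrong(m, u))
```

The new-domain set is what gets pasted back in with the rest of the domains for the next forwards round; the unmatched tally is what tells you whether to shrink the block or to go and whois the unmatched domain, as with SpiceTV.com in the demo.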
So depending on your time, you can either scan all the ports or you can scan for a very small subset and only find the machines that are alive on those ports. The port scanning basically implements an asynchronous port scanner, and you've all seen this; it's been used now in many kinds of tools. It basically works like this. We send out a SYN, right? We have a sniffer on the other end. We check for the source port coming back. If it's a SYN/ACK, the port is open. If it's a reset, the port is closed. It's as easy as that. So let's see how it works. This thing, and I know some of the other scanners, I mean, check out the Unicornscan thing as well; I think they were speaking yesterday morning, right? They're doing the same thing, but they're doing it distributed, so it's even faster that way. But we can probably do one port in a class B in two minutes. So if you're only scanning for one port, it's going to take you about two minutes. We limit this thing so that at the quickest it only sends out packets every two milliseconds. Obviously, you can do it faster than that if you implement it yourself. Oops.

Okay, so let's just look at the whole process for sensepost.com, because it's really quick. We go there, we find the forward entries. It's going really quick. Okay. We're almost done. Right. We take it into the net blocks. What you will find is there's a 10.15.10 in there, which, I mean, it's not internal, but we use it for the training. So I'm taking that out, because I'm not going to scan 10.15.10, right? That's a little bit silly. And the other thing that's interesting to note here, let me just pause this, is that with Service Pack 2, XP Service Pack 2, Microsoft actually disabled the use of raw socket sending, right? Because they went through all the tools that use raw socket sending and they were like, bad, bad, bad, bad. No, let's not check the rest, they're all bad. Okay. So they disabled it, which is a pity.
So for us to be able to do this on this level, we need to drop a level down and send those packets out on the Ethernet layer. And so there's a driver that we use. And you've got to bind the driver and send the packets out that way. It's a little bit more tricky, but it's not that much more tricky. Okay. So basically these net blocks now come in from the previous step. We select what ports we want to scan. It's all configurable, of course. In this case, we go with 22, 23, 25, and 443. And we basically just start it up over here. The ports that it found open, this list on that side, it's showing an O for open port, it shows you the IP, it shows you the port, and it also shows you the TTL. This gives you a kind of idea of how far the machine is away from you. Although, you know, some stacks send their packets out with a TTL of 128, others with other values. So it's not that useful, but you know, we put it in anyway. You'll see as soon as we go into the 72 network, things start to go a little bit quicker in there, or we get more results. The ports are coming back. There we go. Okay. Because there's lots of machines that are open on those ports. And you'll see we paused it there, so it's going to jump. Okay. And that's basically doing the port scan, right? Basically doing the port scan on the net blocks and on the ports that we specified in the previous section. Okay. So it looks like this. And you're not supposed to be able to read anything that's on the screen. It's just to give you some idea of all the different steps and the complexity involved with this whole thing. Okay. We start off with a domain over there. We end up with a whole long list of IP numbers on that side. We're doing a whole lot of tricks in between to make it work. Okay. So footprinting, it's over. I know people don't like it. The steps are really difficult to automate. The domain finding stuff is really difficult to automate. Okay.
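As an added illustration of the asynchronous SYN scanner described above (example code written for this page, not BiDiBLAH's own source), here is the bookkeeping in Python: a sender that crafts one SYN per probe with a fixed gap between packets and remembers the source port it used, and a sniffer side that classifies a reply as open or closed purely from the flags of the returning segment, keyed on that source port. The TCP header and its checksum are built with struct so the logic runs offline on constructed segments; the addresses, the 2 ms gap and the starting source port are assumptions, and on a real network the segments would leave through a raw or Ethernet-level socket and the replies would come from a capture.

```python
"""Added example: bookkeeping for an asynchronous SYN scanner (not BiDiBLAH code).
Addresses, ports and timings below are constructed for the example."""
import socket
import struct
import time

IP_PROTO_TCP = 6
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_ACK = 0x01, 0x02, 0x04, 0x10


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 one's-complement checksum over the IPv4 pseudo-header + segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """A 20-byte TCP header (no options, window 8192) with the checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp(segment):
    """Pull the fields the sniffer needs out of a captured TCP segment."""
    sport, dport, seq, ack, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


class SynScanner:
    def __init__(self, src_ip, base_sport=40000, gap_seconds=0.002):
        self.src_ip = src_ip
        self.next_sport = base_sport      # a fresh source port per probe is the lookup key
        self.gap = gap_seconds            # the talk's 2 ms throttle between packets
        self.probes = {}                  # sport -> (target_ip, target_port, sent_at)
        self.results = {}                 # (target_ip, target_port) -> open/closed/filtered
        self.last_send = float("-inf")

    def probe(self, target_ip, target_port, now=None):
        """Craft one SYN and record it. Returns the raw segment to put on the wire."""
        if now is None:                   # real clock: enforce the inter-packet gap
            now = time.monotonic()
            wait = self.last_send + self.gap - now
            if wait > 0:
                time.sleep(wait)
                now += wait
        sport = self.next_sport
        self.next_sport += 1
        self.probes[sport] = (target_ip, target_port, now)
        self.last_send = now
        return build_tcp(self.src_ip, target_ip, sport, target_port,
                         seq=0x1000, ack=0, flags=FLAG_SYN)

    def on_reply(self, reply_src_ip, segment):
        """Sniffer side: classify a reply by the source port we chose. None if not ours."""
        t = parse_tcp(segment)
        probe = self.probes.get(t["dport"])
        if probe is None or probe[0] != reply_src_ip or probe[1] != t["sport"]:
            return None                   # stray or spoofed segment, ignore it
        if t["flags"] & FLAG_SYN and t["flags"] & FLAG_ACK:
            state = "open"
        elif t["flags"] & FLAG_RST:
            state = "closed"
        else:
            return None
        self.results[(probe[0], probe[1])] = state
        del self.probes[t["dport"]]
        return state

    def expire(self, now, timeout=2.0):
        """Probes nobody answered age out as filtered (dropped by a firewall)."""
        for sport, (ip, port, sent) in list(self.probes.items()):
            if now - sent > timeout:
                self.results[(ip, port)] = "filtered"
                del self.probes[sport]
```

The classification is the whole trick: a SYN/ACK to a source port we remember means open, a RST means closed, and a probe that is never answered ages out as filtered. The kernel takes no part in any of this, which is why a scan like this needs either raw sockets or, after XP SP2, a driver that writes at the Ethernet layer.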
We wrote a paper on this two years ago for Black Hat Singapore. You can get it off the Black Hat site. You can see the methods that we use there. I know John is going to talk about some of those methods in his talk as well. But it's difficult. It's not nice. It's not a fun thing to do. And at the moment, we don't do it. You can learn a lot from the reverses of SpiceTV.com. But we don't do this. The sub-domain finding, we got it. It's cool. Forwards, no problem. The net blocks, it's difficult. The AS expansion technique that we have there doesn't always work on small networks. So, for instance, SensePost has one class C. But if you look at the AS that's basically attached to our net block, you would find that it belongs to the ISP. If you look at the other routes within that AS, you're going to get the net blocks for the ISP, which is not necessarily what you want, right? The other problem is that these registrars like LACNIC and APNIC and, you know, those guys, RIPE and ARIN, don't have a way to search with a wildcard for names and get back net blocks. I mean, you can do it on ARIN and you can kind of do it on RIPE with a bit of trouble. But you can't do it on LACNIC and you can't do it on AFRINIC and you can't do it on any of the others. You just can't do it. So you can't get more net block definitions from those guys. The reverse scans, oh, and the other thing is the whois information is worthless on these small little networks, right? Because they don't have the actual person, the company that has that net block. They only have the ISP or, you know, something like that in there. The reverse scans, that's easy. We can do it. It's a no-brainer. The vitality stuff, easy. At the moment, we only got the TCP stuff, but doing the rest is really just an extension on that. So why do you care about footprinting? You know, because there's a difference between finding one vulnerability on one machine versus finding one machine with one vulnerability.
And I think actually Dan Kaminsky said it in his talk last night as well. It's easier finding one vulnerability on a whole lot of machines than finding one vulnerability on one machine. Okay, so we're done with that, right? We're done with that first block. We're going to move on to fingerprinting. Now fingerprinting, we actually want to do OS detection, right? We want to be able to say that is a Windows machine running Windows 2000 Service Pack 3, whatever. It's really difficult to do this on the internet on a machine that is tightly firewalled. Why? It's not only technically difficult, but it's conceptually difficult as well. So if you have an Apache machine, all right, that's protected with a FireWall-1, running on Microsoft Windows, with one-to-one NAT back to that Apache box, that thing is going to report itself on a network level as a Windows machine, right? Because you're talking to the Windows stack, but on application level, it's going to return itself as an Apache machine. So not just is it difficult to find that stuff, it's also difficult to kind of decide which one it will be. So with BiDiBLAH, we don't try to do OS detection. We don't even try to. What we do is we do banner scanning, and I know everybody tells me you can change the banner, but how many people actually change the banner, right? So we're saying, okay, that's fine. Let's just do banner scanning, let's see what we get, and we do it asynchronously again, and the asynchronous banner scanning stuff is quite cool. You can do asynchronous banner scanning for any kind of banner, but the more complex it becomes in terms of negotiation, like SSL for instance, the more tricky it becomes to do it asynchronously. So we've done it for the SSL stuff, and with the rest of the stuff, the other ports, we've done it asynchronously. How does it work?
Basically the same way that we had an asynchronous port scanner, it works in the same way. So we got a sniffer, we're sending SYNs on this side. We have a sniffer that checks the source port, right? Normally if the port is open, you send a SYN, it's going to come back with a SYN/ACK. We've got to ACK that packet back. So we send an ACK, right? We check if it's port 80 that we're testing. It could be other ports as well. 10880, 8080, 3128. And if it is, we send back a GET / HTTP/1.0. Now we're going to get an ACK back, right? Into this tree. If it's not port 80, we simply extract the banner, if it's a 25 or a 21 or any of those, right? And we have to close the session, because otherwise our web servers are going to keep on sending this stuff back. And so we have to send a FIN, right? If there's a FIN, we have to FIN/ACK that. Now who can tell me, for a t-shirt, what is the thing that's going to bite us in this? This works, but we have to do something else to make this work. Who can tell me what the problem is here? Yes sir? We haven't seen, I think you're right, but we haven't seen a lot of that. No, no, no, no, no, no, that's not the problem either. Look, I mean think about this. This stuff happens, right, on user level. It doesn't happen through the kernel. It doesn't happen through the stack. The stack doesn't know about this happening. So we're sending out a SYN, right? No problem, our stack can send it out. Okay? So we get back a SYN/ACK, right? And now what's my stack going to do? In comes a SYN/ACK packet. Who said reset? Thank you sir. So that's exactly the problem. Now our SYN/ACK packet is coming back into our stack. Our stack says, hey, I don't know what you took. So the stack says, hey, this is sent to me, but I never sent out the SYN. It doesn't know about that. So it's going to reply with a reset.
So we have to cut those resets off somewhere. In this case, you can do it in an upstream firewall. What we usually do is we, you know, we have a personal firewall on the machine. We cut the resets off there. So there's no reset that your machine can send out. It's not resets going back, it's resets going out. Okay? This thing, this asynchronous banner scanner, it can really work very fast. So we can grab about 2000 banners in three minutes. What I want to show you is how it actually works. When we start out, we first do multithreaded work on the HTTPS to get that, because we can do it asynchronously, but hey, it's a lot of work. So let's go on and see. So those are the port scans. You go to the banners. You basically import that stuff in there. Okay? Select the interface. Right? It's starting there at the bottom. You can see it's starting on the SSL. It's doing 15 threads at the same time to find the banners for the SSL stuff. So that's not really fast. Right? And you will see there's a delay in there. At the moment we're sending it out with a 302 millisecond delay between packets, but you can actually drop it off as, hang on, hang on, hang on, hang on. Okay? You can drop it off as low as you want to. Right? You'll see there's an additional wait in there. That's basically, you know, those SMTP servers, when you connect to them, they don't do anything and they wait and wait and wait and wait. And then finally, you get the banner coming back. That's the time that we've got to wait for that stuff coming back. Now what you will see here is I'm going to drop that delay down to 2 milliseconds. And what's interesting is, note the scroll bar on the right-hand side as I drop it. Okay? Okay, and those are all the banners that we could get there. So it's kind of fast. Okay, and now we're just waiting for other banners to come in if there's anything. Okay, cool. I'm going to go on. Right, so this is what we do for banner scanning.
What's the next step? We want to be able to do targeting. Now the thing there is, if you have lots and lots and lots of potential targets, you want something that can easily say, oh well, I want to identify everything that's running on port 22 and I want to only test against those. Or I want to have only machines that have open ports within a certain net block and I want to test those. Or, you get the idea, right? So this is what the targeting stuff looks like. We basically have the banners now for everything. And we can click on targeting and we basically get our net block definitions in there. We can drop down into those, see the machines that are in there. The machines in there have either a DNS name, reverse or forward, or it's the MX record or it's the NS record for a domain, or it has an open port. Once it's got an open port, that's something that we would want to see in there, right? A machine that's totally dead with no forward or reverse entries is kind of boring to us. Machines with DNS information or open ports are interesting to us. And we can get the banners in there as well. What's interesting about the banner scanning is if you get a reset coming from the host, what do you know? You know that it's wrapped, right? It's a TCP-wrapped port. So it actually accepted the entire conversation and then it sent back a reset to close the connection afterwards. So we can do a scan, we can do a search for instance for OpenSSL and we're going to get all the machines that have a banner that contains the word OpenSSL. And then we can just simply say, okay, make those targets. I want to attack those machines with OpenSSL and immediately it goes off to the target section. Okay, cool. Then we're doing a search for machines on TCP 22, anything that's open on 22. So you see all the banners coming back there and I can again just say make those machines targets. I want to attack them in the next stage. Okay, I think we get the idea.
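The user-space conversation the banner scanner has to drive, as an added example written for this page (it is not BiDiBLAH's code): a small state machine that covers the three outcomes the talk distinguishes, a banner that simply arrives, a web port that has to be asked first with GET / HTTP/1.0, and a TCP-wrapped port that completes the handshake and then resets. Segments are abstracted as (flags, payload) pairs and the target is a scripted stand-in, so it runs offline; the set of ports treated as web ports and the sample replies are constructed.

```python
"""Added example: user-space banner-grab state machine (not BiDiBLAH code).
Segments are (flags, payload) pairs; the scripted peer replies are constructed."""
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
HTTP_PORTS = {80, 8080, 3128, 8000}          # ports where we must speak first (assumption)


class BannerSession:
    """One target port, driven entirely from user space: the sniffer hands us
    what the target sent and on_segment() returns what we must craft in reply.
    The kernel never sees a connection, which is why the host's own stack must be
    stopped from answering the target's SYN/ACK with a RST."""

    def __init__(self, host, port, http_ports=HTTP_PORTS):
        self.host, self.port = host, port
        self.speak_first = port in http_ports
        self.state = "SYN_SENT"
        self.banner = b""
        self.outcome = None                  # open | wrapped | closed | None (no answer yet)

    def start(self):
        return [(SYN, b"")]

    def on_segment(self, flags, payload=b""):
        out = []
        if self.state == "SYN_SENT":
            if flags & RST:                  # nobody listening
                self.outcome, self.state = "closed", "DONE"
            elif (flags & SYN) and (flags & ACK):
                self.state = "ESTABLISHED"
                out.append((ACK, b""))       # finish the handshake ourselves
                if self.speak_first:         # web servers say nothing until asked
                    out.append((PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"))
        elif self.state == "ESTABLISHED":
            if flags & RST:
                # handshake completed, then torn down with no data: a tcp_wrappers-style
                # reject, which is not the same thing as a closed port
                self.outcome = "wrapped" if not self.banner else "open"
                self.state = "DONE"
            elif payload:
                self.banner += payload
                self.outcome = "open"
                out.append((FIN | ACK, b""))  # got it; close, or the server keeps streaming
                self.state = "FIN_SENT"
            elif flags & FIN:                # server closed without saying anything
                out.append((FIN | ACK, b""))
                self.outcome = self.outcome or "open"
                self.state = "DONE"
        elif self.state == "FIN_SENT":
            if flags & FIN:
                out.append((ACK, b""))       # their FIN, our final ACK
                self.state = "DONE"
            elif payload:
                out.append((ACK, b""))       # late data: acknowledge, keep waiting for FIN
        return out

    def first_line(self):
        """The part of the banner worth putting in a report or searching on."""
        return self.banner.split(b"\r\n", 1)[0].decode("latin-1")


def run_session(host, port, scripted_replies):
    """Drive one session against a constructed, scripted peer (offline stand-in for the wire).
    Returns the session and every segment the scanner would have sent, in order."""
    session = BannerSession(host, port)
    sent = session.start()
    for flags, payload in scripted_replies:
        sent.extend(session.on_segment(flags, payload))
        if session.state == "DONE":
            break
    return session, sent
```

Because the local stack never sent the SYN, it answers every incoming SYN/ACK with a RST of its own and kills the session before the banner arrives, so outbound resets from the scanner's address have to be dropped, in an upstream firewall or on the host itself (on Linux, for instance, `iptables -A OUTPUT -p tcp --tcp-flags RST RST -s <scanner address> -j DROP`). The "wrapped" outcome is the detail the targeting stage uses: a port that accepted the whole handshake and then reset is worth listing separately from one that was plainly closed.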
Right, so now we have our targets defined. Okay, remember we went through the whole thing. At this stage, we have the machines that we're going to attack. We went through the targeting, all of that, we have the machines that we want to attack. Right, so what's the next step? We want to do vulnerability discovery. We want to find what vulnerabilities are on these machines. So we're not going to write a vulnerability scanner, because there's a lot of people that wrote vulnerability scanners. We're going to use something that's really solid, we hope, and widely used, and that is Nessus. So what we need to do is we need to write a Nessus client. Okay, we need to write a Nessus client, and what we want to do is we want to give the user the ability to select the plugins that he wants to use, just as in a normal Nessus client, and say, well, I want to test this particular bug. Okay, remember what I said previously? It's easier to find a single bug on a whole lot of machines than finding the one bug on one machine. So for instance, if we want to check which machines on an entire class B have SNMP community strings enabled, you know, we put one plugin into Nessus and we scan it across the whole class A and we find this stuff really quickly. Okay, so this is basically what we use for plugin selection. That's really easy. You can decide which plugins you want to use. You can move them from one end to the other end and you can save that information afterwards. It actually just saves the plugin ID, so you can have your list of plugin IDs wherever you want to have it. You can put it in a text file and you can use whatever kind of selector you want to basically select these plugins. It's just a list of Nessus plugin IDs, right? Okay, and afterwards we're going to save that and I can give it a name. Those are the plugin IDs on the left-hand side and I can call that thing whatever I want. Okay, I'm going to call it blackhatdemo.plg.
It says, no, that's a plugin set, and you're going to see how I'm going to use it later on. So, in the next step, we actually want to run vulnerability scans, right? We're going to run the Nessus scan against our targets on a particular plugin set. Okay, so there's the same stuff. There's the net blocks. There's all the reverse entries. Click. Yeah. There's the port scan. The banners. And what we want to do now is we want to run the Nessus scan against those machines, but we have to target them first. So, I'm going to click on targeting and I'm going to say that first, you see that first class C over there? Okay, there's a couple of machines in there. It's in our lab situation that we want to scan. Right? I can right-click on any of those and say it's selected as a target. Or what I can do is I can simply say anything that's in that block that's got an open port, make it a target. Okay, so immediately I get a list of machines there. Those machines are now my targets. Because they're live, right? They responded to any of those scans. And I go to the Nessus tab over there and I basically import those by just clicking on the import button. Okay, I select the set that I want to use and I click on start. Right, now with NTP, the Nessus Transfer Protocol, you have to get all the plugins. You have to load the plugins before you can actually run the scan. It's kind of weird. Even if you know exactly what plugins you want to use, you have to get all the plugin information coming back. Now there you can see the scan is running. It started with the port scan as per normal on all those IP addresses. You can set your Nessus server up as you want to scan more machines at a time or more threads at a time or any of that stuff. It really depends on your Nessus server how fast that scan is going to happen. At any time, we can just click on the update tree button and we can see how far the scan has gone and what we've done there and get the output back.
It's the same old, same old. We've all seen this before. It's just a different flavor, a different interface, but it's not doing anything else. And it will tell you when the scan is done. You can see there's still a bug there at the bottom as well. We sorted that out as well. But I thought, let me rather have the bug in there so you can see that it's really running and not a video recording somewhere. It also now shows you the actual issues. Right. So, let's move on. We've done the vulnerability discovery. The only thing that's left to do is basically exploit those vulnerabilities. Now, again, we don't want to reinvent the wheel here. So we have this thing talk to a nice exploitation framework, which is Metasploit. There's a couple of others as well, but Metasploit is quite neat. So what do we have to do? We write a Metasploit client. The problem with Metasploit, it's actually not a problem with Metasploit, it's a problem with us, is that it's very operating system-specific, which says this exploit will work against, you know, Windows 2K Service Pack 2. We don't have that information, right? We don't have that level of information about our targets. If we were internal to the network, we could do funky stuff, but we're not. We're external, so we don't have the information. So what we do is we select target number zero and we hope for the best, because a lot of the Metasploit exploits actually do a brute force, and so we don't have to supply it. What else is it that we have to supply to Metasploit? We have to supply the remote port, right? But the remote port we can pick up from the Nessus scan. Because let's say your web server was running on port 27, right? Nessus would pick it up as on port 27, and we have that port there, right? We know when stuff is SSL as well. So we can specify in Metasploit if it's got to use SSL or not. And we have the local IP address as well.
If we're doing, for instance, a reverse shell, because that's our IP address. So most of the stuff we have. The only thing that we don't have is a way to tie up a Metasploit exploit with the Nessus ID, right? So basically we're saying we use Nessus to identify the weakness, and we use Metasploit to exploit it. But how do you tie the two together? So what we've done, where's Gareth? What Gareth has done there, Gareth Phillips, SensePost guy, right in front of the camera. He spent a week basically, you know, tying these two things up, saying, here's a Metasploit exploit, okay? Is there a Nessus plugin that will identify this particular problem? And if he can find it, he basically writes it down in a little list, says this exploit, that plugin. And if there's multiple plugins for a specific exploit, he's got them listed there. And if there's no Nessus plugin for the Metasploit exploit, that's, A, scary, right? And so, B, he would write some of them. So how many did we write? We wrote about four, five. And I think at the moment, in terms of tying this stuff together, we need another 13 of the 70, how many? 70? 78, 78 exploits, that was, you know, they're adding to it the whole time. The rest of the stuff is pretty much mapped, okay? And what we're hoping to do, and I'll beg HD for this, is to see if we can get it so that when they write new exploits for Metasploit, they include a Nessus ID in there. And if there's no Nessus ID, then they basically write a Nessus check for it. Because then we can just query, you know, the framework and get the IDs out of it dynamically, and we don't have to keep this list. And we're not going to keep this list current, okay? That's not what we do. Okay, so let's see how it works. Okay, so for this instance, we're looking at a VMware server, right? This is just a VMware server. Now, what's interesting here is, when we now do our Nessus scan, right, why do we have to check for all the Nessus IDs?
We only check for the ones that have related Metasploit exploits, right? We check for those 72 minus 13 Nessus IDs that we already got. So what I'm doing here is I'm basically running a Nessus scan against an IP address, and I'm only using the list of Nessus IDs with related Metasploit exploits. And you can see it can do it rather quickly. So there it's done, and we found three issues. You click on it, you'll basically see, it should be all red, right? The last one, I don't know, it's a bug. Basically it tells you these are the three heavy issues that we found on this machine. You can look at them. And when you go to Metasploit, what you do is you click on that little button over there, and that loads the definitions in. Hang on. That basically loads the definitions in, that say this is the Nessus ID that matches with this Metasploit ID. Once we have that, we can simply click on a thing that says find the matching targets. So now it will go through the entire Nessus scan, right, of all the machines that we scanned, and it's going to pick out the ones that have related Metasploit IDs and say these are potential targets. If you run the Metasploit exploit against this, you have a good chance that it's going to work. And that's obviously the same machine, right? It's all the same machine, and it identified four problems, four possible exploits that we can run against that machine. We now have to configure our exploits. So we're going to go for, which one is the DCOM, the DCOM one, no? Yes, it will tell you what the exploit is all about. Now you've got to select what you want to do with that thing. So you configure the exploit, click, right? And it basically dynamically queries the framework and tells you, for that exploit, these are the different payloads that you can have, right? That's the reverse. And the stuff that you have to fill out, you can fill out, right?
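The Nessus-to-Metasploit tie-up described above, as an added example written for this page rather than SensePost's own list or code: a hand-maintained map of exploit name to plugin IDs, the reduced plugin set derived from it (the "only the IDs with related exploits" scan), the list of exploits nothing in Nessus can surface, and the join that turns scan findings into exploit jobs with the options the earlier stages already supply (remote host and port, whether the port spoke SSL, the local address for a reverse payload, and target 0). It also skips findings marked as false positives, which the reporting part of the talk comes back to. Every plugin ID, exploit name and address here is a constructed placeholder, not a real Nessus or Metasploit identifier.

```python
"""Added example: joining Nessus findings to a Metasploit exploit map (not BiDiBLAH code).
All exploit names, plugin IDs and addresses are constructed placeholders."""
from dataclasses import dataclass

# Hand-maintained: exploit name -> Nessus plugin IDs that detect the same weakness.
EXPLOIT_MAP = {
    "example/rpc_overflow":  [90001, 90002],   # two plugins flag the same bug
    "example/web_overflow":  [90010],
    "example/mail_overflow": [90020],
    "example/no_check_yet":  [],               # the scary case: no plugin finds it
}


@dataclass(frozen=True)
class Finding:
    """One line out of a Nessus result: which host, on which port, tripped which plugin."""
    host: str
    port: int
    plugin_id: int
    ssl: bool = False                          # known from the banner stage


def plugin_set_for_exploits(exploit_map):
    """The reduced plugin set: only IDs that have an exploit behind them."""
    return sorted({pid for pids in exploit_map.values() for pid in pids})


def unmapped_exploits(exploit_map):
    """Exploits the scan can never surface because no plugin is mapped to them."""
    return sorted(name for name, pids in exploit_map.items() if not pids)


def dump_plg(ids):
    """Plugin-set file: one numeric plugin ID per line (format assumed for the example)."""
    return "".join(f"{pid}\n" for pid in ids)


def load_plg(text):
    return [int(line) for line in text.splitlines() if line.strip().isdigit()]


def matching_targets(findings, exploit_map, lhost, false_positives=frozenset()):
    """Join findings with the map; one job per (exploit, host, port).

    false_positives holds (host, plugin_id) pairs the analyst marked as noise.
    TARGET is 0 because an external scan gives no OS or service-pack detail."""
    by_plugin = {pid: name for name, pids in exploit_map.items() for pid in pids}
    jobs, seen = [], set()
    for f in findings:
        if (f.host, f.plugin_id) in false_positives:
            continue
        name = by_plugin.get(f.plugin_id)
        if name is None or (name, f.host, f.port) in seen:
            continue                           # unmapped plugin, or same bug seen twice
        seen.add((name, f.host, f.port))
        jobs.append((name, {"RHOST": f.host, "RPORT": f.port, "SSL": f.ssl,
                            "LHOST": lhost, "TARGET": 0}))
    return jobs
```

Two plugins that detect the same bug collapse into one job per host and port, which is what stops the matching-targets list from double-counting a machine, and anything left in unmapped_exploits() is a check somebody still has to write.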
The rest of the stuff is automatically populated with all the information that we know at this stage. So I'm going to bring up the VMware machine. There we go. I've configured the rest of the exploits as well, but I didn't want to go through that. You can save it as well. And I start the Metasploit framework on this side. It could be sitting on any box, right? At this stage it's just sitting on your local machine. But you can have it speak to a Metasploit framework on a remote machine as well. And that's it. We click on Start. And now it's basically running those exploits against the machines. Remember that those machines could be a whole lot of machines if you're scanning a large organization again, you know, through the whole thing. Okay, and when it's done, what we expect is that in the framework we're going to have those shells. And, lo and behold, if you click on Sessions, hey, there you go. There's your shells. Okay, and, you know, I think you all know what this looks like, right? If you don't know, we're going to click on a session there just so that you also see it's not bullshit. Okay, you can do it. Right, that's Metasploit. Okay, now think about a large network, okay? Let's say you're even sitting internal on a network. Let me show you something. This was done on an internal network. Okay, I can't tell you whose network though. I'm going to just load that dataset in. That's the one that says can'tsaywho.txt. It's all text files. It saves it in text files. Okay, this is the net blocks. You check all the 10.somethings in there. And if we go to Nessus, you'll find that there's lots of issues with these machines. A lot of them have the same issue, right? But some have some interesting issues in there, like doc printer and those kinds of overflows. In Metasploit, look at this, okay? If you click on matching targets, kind of funny. That's worm territory, man. Okay, so... So in a perfect world... Sorry, yes. Can we take this offline afterwards?
Okay, so... But I will speak to you. So are we done? In a perfect world, we're done, right? In a perfect world, we're done, and we've done our assessment in this. But if you're doing assessments, can I just see in this room here who actually has to write reports? Aha, and you see? I thought as much. In a perfect world, you don't have to write reports. There's no false positives. No way. Nessus never makes a mistake. Well, guess what? It does, right? And sometimes the stuff that it gives you is just not relevant. So what we've done is, we have this thing. To start off with, you know, within the Nessus scan, you can mark something as a false positive, right? If you really want to. And you can basically say, mark this as a false positive across the entire range of scans that you've done. And you can comment on the stuff. And what's nice about this is that when you go back to your targeting section, you can basically then go and say, well, let's find wherever I put that comment in. Or you can basically say, let's search all the machines that Nessus croaked about on, I don't know, the same server for instance, right? And I want to find those machines because those are the machines I need to attack or defend. I need to patch these machines or I need to attack these machines, right? So you can very easily do that kind of advanced targeting. It's supposed to be one, okay? And what's nice about this thing as well is the last tab on this thing actually does a lot of the reporting work for you, okay? So you have to write these things out for your boss. You have to give it out to your client. It would go a long, long way to basically help you not to have to write that report. And the reason why we do this and the reason why we use this tool and developed this tool is that we use it internally, right? And we want to spend our time doing interesting stuff. We want to do the more interesting work of an assessment.
We don't want to spend time writing reports and basically having to copy and paste from a Nessus report into a real report. You know, that stuff... we want to play with the interesting stuff. And that's why we have this particular... it's just going on there about stuff. I can't forward the video actually. There we go, there's the reporting. I'm just doing the host tables now. So basically we have all the information, right? We have the forwards, we have the reverses. We have the domains, we have the banners, we have the open ports, we have the issues. We have the severity of the issues. We have all of these things. So we can basically take one host and build up a kind of host table that says, this is the entire machine. This is what the machine looks like, right? It's an MX record for sensepost.com. It has this IP address. It has these ports open. It has these banners. Okay? And it has these Nessus IDs with whatever impact. And that all happens automatically, because we don't want to do it. All the comments that we put in there, if there's a comment that we wanted to put in there, then that comment is also retained. So you can see there it says analyst comment. That's a comment that we put in there in the past. It's really nice for banners as well. So if you do banner scanning, and then you sort by banner, you can see immediately, these are all my IIS 5 machines, or these are the target's IIS 5 machines. This is the target's this. And all of those things come out quite neatly. Okay, so what's the bottom line? The bottom line is this tool is basically doing 80% of the work in 20% of the time that it takes us to do, which leaves us with 80% of the time that we can play with more interesting things. Okay? Some of the steps of the methodology are really hard to automate. And it's usually where there are exceptions. You know, there's an exception to the rule. That makes it very hard to automate.
Hopefully it will also raise the bar on people that do penetration, I'm-a-penetration-testing-specialist kind of dudes. Because these things, I mean the report that you get out of this is just about the same report as these people are doing in a long, long, long time and charging a lot of money for it. So that's hopefully what we're going to get out of it. In terms of release of this tool, there's always a problem here, right? We've got the gentleman in front that's going to tell me, you're not going to release this, right? I mean, this is point and click, you know, weapons of mass destruction. You're not going to release it, right? And then we've got the other side, which I guess is the rest of the class, that's saying, okay, where do we download it? So we built this version, which is a crippleware version. It's only crippled in two ways, okay? It runs for 20 minutes and you can't save your data. The rest of the stuff is exactly the same, okay? I just want to see, Haroon, do we have time left? How much time do we have left? 30 minutes? Okay, what we're going to do now is we're going to play with it a bit and see how it works in real life, okay? Keep in mind, we're doing it via the wireless and the wireless is kind of, you know, flaky because of the fact that we're right next door to the Wi-Fi shootout room. So if it's not handling itself well, then you know why, okay? So this is what the tool looks like, right? The new release is a little bit friendlier and so forth and so on. Okay, so are we good? Okay, let's see if I can get out to the net. Okay, as you can see, it's kind of, ooh, you know? Yeah, okay. Okay, so, but let's give it a go. Okay, so for subdomains, remember I told you subdomains, subdomains, shmubdomains, but it actually gets really interesting, so I'm going to put a domain in there. If you're from this organization, keep in mind that we're only mining subdomains. We're not attacking your network.
We're not going to go further than subdomains, okay? Okay, so I'm going to put in there a domain, right? I don't know if you can see that. If you can't remember, it's only subdomain mining, okay, it's not anything else. We're not attacking the network. We're not sending a single packet to that network, okay? And you can see that it's basically pulling down a whole lot of subdomains there, okay? Right, we got some interesting things in there, and email addresses that we can mine as well if we want to use them for later use. Okay, I want to stop this now. So let me just find the stop button, and then of course you can go to the forwards and you can simply input that and start doing all the forwards on that, which I'm not going to do, right? We actually have permission to look at some other network. Good friends at Electronic Arts, is Frank here? Frank? Frank? Your lawyer? Okay, Frank is not here, but he said to us it's okay if we show some of the stuff that we've done on there, so I'm going to put in EA, you know EA, EA Sports, it's in the game. Okay, we're going to quickly go through there, see how that works. It actually works quite nicely. Okay, so there you can see some burnout3.ea.com and earthandbeyond.ea.com and freedomfighters.ea.com. Those are all sub-domains that actually belong to them and it's just adding to the list as we go along. There's actually a UEFA Champions League game .ea.com sub-domain. Now once we have this stuff, I'm not going to go through all of this, right? It's going to take a while to finish this up. It takes about five minutes to run through one of these domains. Okay, we can go to the forwards and basically just do, this mouse is not working on this base, coming back here to input, right? And then we're going to start looking at the DNS information, the forwards, right? So those are the, what you see there, you can't see them, right?
Let me just, those are the MX records and the NS records, and as we go through there, we basically find, the TRIPW, obviously, FTP1, FTP, mail. No, no, no, no, no, no, no. Okay, next one we find, I'm going to move over to the next tab. Let's just see, testing for Cisco e-commerce. There we go, corporate.ea.com and it's actually got two IP addresses. Okay, right, so I'm going to stop it over there. I'm going to go to the net blocks, input the net blocks there. I'm not going to spend a whole lot of time on the net block definitions. You can see they've got a class B network, right? If I get the whois information on this, it will tell me so. And of course, you can do this for any domain, right? There we go, Electronic Arts. You can see that it's a class B. I'm not going to make it a class B now. I'm just going to keep it there, imported there. Here's our matching filters that we got, right? I want to change all of those matching filters here. There we go, corporate.ea.com and we're doing multi-threaded, 25 threads at a time. Reverse scan. There we got smtp.eu1.ea.com, which is, I think, the European SMTP gateway. Okay, you get the idea, right? With them, it's really interesting when you start looking at the reverses, because in the reverses of some of these blocks, you'll find that they have a whole lot of domains. For just about every game that they make they have a domain for it, and they have reverse DNS entries from those IP addresses that point outwards to those domains. So you can get a whole lot of domains. I collected all of the information earlier. I'll show you the full, you know, what the complete thing looks like. Okay, so let's just stop this here. We go to the port scanner, basically import that stuff straight in there. So the blocks, I promise you there's more blocks, but you know, let's keep it sweet and short for now. I'm going to bind my driver.
I'm going to say use that interface and let's see what ports do you want to scan. Okay, I'm going to scan a whole lot of ports. Let's just do 44380 and 25. See how it works. Hopefully it will be good. Okay, you can see there at the bottom, the speed at which this thing is scanning. It's quite fast. And those are the machines that's basically coming back to it. You'll see there's some duplicates in there. What happens is the machine, that fin that I'm sending out, I was just kidding. I'm not sending the fin. So the machines respond a couple of times. It's just something I still need to sort out. Okay, so there's a couple of 25s in there. There's a 44380. And we're almost a third of the way in the port scan. I'm not going to take your time looking at a progress bar. So let's move on to the next one. You get the idea, right? You can go through all of these machines. There's a couple of nice ones. Okay, there we go. Okay, that starts looking better and better. Okay, let's just keep it running for a little bit longer. Okay, and I'm going to stop it over there. So let's pull it in from the banners. Basically do this. We bind our driver again. And we go to this one. And let's do a scan. And there you can see the banners coming back in. Kind of quick, right? Okay, we've already sent out the packets. These are just packets coming back at this stage. We've got a 25-second wait for this thing. And there's not a lot more coming back at this stage, right? So already at this stage, what I can do is I can go to the targeting. I can update the tree. I can say, well, I want to find Apache boxes. Okay, search the tree and make those targets. Those are the Apache boxes in that range that we scanned, right? Not a lot. I wonder if there's any Microsoft boxes in there. Clear the selection. Well, it says Microsoft IS in the banner, right? I think so. Clear the selection search. We got some. Making targets. There we got those other Microsoft boxes in that network. 
How long did it take me to get that information? Right, three minutes. Okay, we can go into the NASA scan. You know, maybe not. Maybe, you know, maybe some other day. No, no, no, no. It's not all in the game. Okay, I thank you very much. And you still got 20 minutes to catch the next door. Thanks.
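The demo above walks through the later steps of the footprinting chain: a multi-threaded reverse-DNS sweep of a netblock with "matching filters" to judge whether the block belongs to the target, harvesting the extra domains that show up in the PTR names, a port scan whose responses contain duplicates, and finally picking targets by searching the grabbed banners for strings like "Apache" or "Microsoft-IIS". The following Python is an added example that reproduces those steps on constructed data; it is not the tool's own code and sends no traffic. The PTR table, the banners, the 192.0.2.0/24 documentation range, the invented hostnames, and the helper names (`reverse_sweep`, `block_matches`, `harvest_domains`, `dedupe_scan`, `select_targets`) are all assumptions made for illustration. Only `live_ptr_lookup` touches the network, and the demo does not call it.

```python
"""Added example (not the tool's code): reverse sweep, domain harvest,
port-scan dedup and banner-based targeting on constructed sample data."""
import ipaddress
import re
import socket
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample PTR records for an (assumed) netblock. The addresses are
# from the 192.0.2.0/24 documentation range and the names are invented.
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "corporate.example.com",
    "192.0.2.11": "smtp.eu1.example.com",
    "192.0.2.12": "www.burnout-game.example",
    "192.0.2.13": "www.burnout-game.example",
    "192.0.2.14": "ftp.other-game.example",
    "192.0.2.20": "host-20.hosting-provider.example",  # not the target's name
}

# Constructed sample banners keyed by (ip, port), as a banner grab would return.
SAMPLE_BANNERS: Dict[Tuple[str, int], str] = {
    ("192.0.2.10", 80): "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n",
    ("192.0.2.12", 80): "HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Unix)\r\n",
    ("192.0.2.12", 443): "HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Unix)\r\n",
    ("192.0.2.11", 25): "220 smtp.eu1.example.com ESMTP ready\r\n",
}


def live_ptr_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup for use outside this offline demo (sends DNS queries)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def apex(hostname: str) -> str:
    """Crude registrable-domain guess: the last two labels. Assumption for
    illustration only; production code should consult the public suffix list."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def reverse_sweep(network: str, lookup: Callable[[str], Optional[str]],
                  workers: int = 25) -> Dict[str, str]:
    """PTR-resolve every host in `network` with a thread pool (the demo used
    25 threads). `lookup` returns the PTR name or None; hosts without a PTR
    are dropped. Order of results is preserved by pool.map."""
    hosts = [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        names = list(pool.map(lookup, hosts))
    return {ip: name for ip, name in zip(hosts, names) if name}


def block_matches(ptr_map: Dict[str, str], filters: Iterable[str]) -> float:
    """Fraction of PTR names containing any of the matching filters. This is
    the signal the demo uses to decide whether a block belongs to the target;
    PTR names are set by whoever controls the reverse zone, so treat it as a
    hint, not proof of ownership."""
    if not ptr_map:
        return 0.0
    flt = [f.lower() for f in filters]
    hits = sum(any(f in name.lower() for f in flt) for name in ptr_map.values())
    return hits / len(ptr_map)


def harvest_domains(ptr_map: Dict[str, str], known: Iterable[str]) -> Set[str]:
    """Apex domains seen in reverse entries that were not already known. These
    become new inputs for the subdomain-mining and forwards steps."""
    return {apex(name) for name in ptr_map.values()} - {k.lower() for k in known}


def dedupe_scan(responses: Iterable[Tuple[str, int]]) -> Dict[str, List[int]]:
    """Collapse repeated (ip, port) responses, as seen in the demo's scan
    output, into one sorted port list per host."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for ip, port in responses:
        seen[ip].add(port)
    return {ip: sorted(ports) for ip, ports in seen.items()}


def select_targets(banners: Dict[Tuple[str, int], str],
                   pattern: str) -> List[Tuple[str, int]]:
    """Case-insensitive regex search over banners, like 'search the tree and
    make those targets' for Apache or Microsoft-IIS boxes."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(key for key, banner in banners.items() if rx.search(banner))


if __name__ == "__main__":
    ptrs = reverse_sweep("192.0.2.8/29", SAMPLE_PTR.get)
    print("reverse:", ptrs)
    print("ownership signal:", block_matches(SAMPLE_PTR, ["example.com"]))
    print("new domains:", harvest_domains(SAMPLE_PTR, {"example.com"}))
    print("apache:", select_targets(SAMPLE_BANNERS, r"Apache"))
    print("iis:", select_targets(SAMPLE_BANNERS, r"Microsoft-IIS"))
```

To run it against a real block you have permission to test, pass `live_ptr_lookup` instead of `SAMPLE_PTR.get` to `reverse_sweep`. Keep in mind the caveat the speaker's own output illustrates: a reverse entry naming a game-branded domain tells you the zone owner chose that name, nothing more, so harvested domains still need the forwards and whois steps before they are treated as in scope.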
