So this is Kinectasploit version 2. Thank you guys for coming out so early on a Sunday. I actually survived the con and made it to the end of the thing. So this is version 2. I did version 1 last year. Anybody here for that talk? Show of hands? Cool. Excellent. Thank you guys for coming back. So version 1 was just the Kinect plus one security tool, and what we're doing this year is the Kinect plus 20 security tools, or 20 tools in general, to run a scenario. So our scenario is going to be: we're using a real-time 3D first-person shooter game environment to collect the contents of a garbage file off of a server. So that should sound familiar to some of you, to most of you. So let me cover just a little bit about the architecture. We're going to run right into it because there are no slides. It's all demo. So everyone needs to, while I'm doing this, say a quick little prayer to whatever demo god you believe in to make sure that this thing actually functions. I've been testing it all week. That's the bad part about doing a talk on Sunday: you spend the entire time practicing and working on your talk and making brand new mistakes, so that you're nervous as hell when you actually get a chance to do it. So that's my state right now. Architecture-wise, everything's on this laptop. The big difference from version 1 is that version 1 was Blender using Metasploit's RPC server to talk to Metasploit, only Metasploit. But, you know, when you want to talk to Snort and Nessus and Ettercap and nmap and all those other guys, there's no RPC server for that. So I wrote an asynchronous, multi-threaded XML-RPC server that Blender talks to, which then talks to all the external tools. And again, everything's on this laptop. There are a couple of VMs that we're going to use as our victim systems. And there's one external function to go out to the Internet, and you'll see that later on. So let's run right into it here. Give me just a second to get this. Okay.
We've got the Kinect. Let me get myself all calibrated. And you should be seeing, and you are seeing, the Blender screen interface. It's just taking a little bit to start up because it's got some large, large sound files. And there's the process: connected, exploit initiated. Okay. Let's run it. Actually, let me just leave it like that for now. It's showing the debug stuff up in the top, but we'll deal with that for now. I could restart it, but we'll lose some output in some later scenes. So this is the default room where you start off. And the main gestures are the same as last year for you guys who saw this. So you lean forward, you move forward in the room; you lean to the right, you move to the right; you lean to the left, you go that way. And if you rotate your hips, you'll turn around in the room. So this was meant to be patterned after the room in The Matrix, you know, like the training room, big white room kind of thing, where the big cabinets full of guns came shooting in. So that's the first gesture that we're going to do, to bring in the way that we get to the other rooms and actually start our attack scenario looking for this garbage file. The other big difference from last year: last year, when I made a gesture, it fired right away, there was no delay. So you run the risk, when you're hooked up to 20 different things, of causing some serious chaos. So this year there's a little bit of delay before the gestures happen, and there's an indication that you're actually causing something. So if you continue to do it, you will cause something to happen. So I'm going to raise my hand in like a help gesture, and I want you to notice the lights that show up on there to indicate that you're about to do something.
So I put my hand in the thing, the lights light up, they're going to turn green when the gesture fires, and in comes our cabinet full of ammo, essentially. So we're going to start off our attack against this fictitious company by going into the wireless room. You go into a room just by putting your hand into the cabinet. Now we're in the wireless room. In the wireless room, of course, the first thing to do is scan for access points. So we're going to run iwlist scan just by doing the scanning gesture, which is like scanning the horizon. Scanning initiated. So this will take a little bit here. And let me just cop to something. There's obviously no access point here on stage. When I was really thinking about this, I was like, oh, you know, I'll bring a real live access point to DEF CON. It'll be real, man, and I'll hack it live on stage. And I thought twice about that. And I thought, well, if I did that, I'm sure you guys would hack it before I ever got a chance to. So these are real live access points. They're just not real live access points here on stage. So this is real live output. Just sort of think of it as a cooking show, you know, where they always have a lasagna in the oven that's already been cooked. That's exactly this scenario. It's just the same real live output. And I should explain what these things are. So when I thought about how to represent an access point: when I was a kid, we had this little toy that was like a plastic bubble on a little wood platform with wheels on it and a stick. And you push it around, and there are little balls in it that would pop up and down. I'm sure some of you guys have played with or have seen the same thing. And to me, that's what an access point is. It's like a little thing that's trying to self-contain its packets, but they fly all over the place. So these are kind of purposely messy, and they're dropping packets all over the place.
So the way you target things in Kinectasploit, of course, is with a fireball. So we're going to shoot a fireball at this Qwest 1824 access point. And the other construct here is that we use the walls in the various rooms to help interface with stuff, because you can't just do gestures for everything. I mean, hacking tools are text-oriented at some point in time. You've got to deal with text. So the leftmost part is always a context. The rightmost part is menu options. They're always context-sensitive menus. So in this case, we've selected an access point, so I can choose to dump the packets of that, which of course is the first stage of the attack. So if you've noticed, now the packets out of that Qwest 1824 are coming to me rather than going wherever they were going prior to that. And again, obviously we're not really pulling packets down off an access point, but we are going to use a pcap file that was the result of this exact process. And so when it's done, it shows you some pcap files that you've got to choose from. And we're going to choose this top one up here. And we're going to run aircrack against it and see if we can crack the WEP key out of this 1824. So it knows we've chosen a pcap file. It doesn't know which access point we want to crack, so there's no option to do it. So we're going to target it again, just shoot another fireball, and it gives us the option to crack WEP with the pcap. So that's what we're going to do. Choose that menu option. It doesn't do much, because it doesn't take very long to get it. But if it works, it's going to show the key as part of the access point itself. Refreshing access points. Oops. So hopefully you can see there's now a little key icon on that particular access point, denoting that we've got access to that particular network. So we're done in this room.
That's all we need to do for wireless hacking, to get access to the network that we're going to use. And let me set something up here. Well, first I want to see if this works. Of course, there's Twitter, because you can't be a security person without having some sort of access to Twitter. And the reason I want to go in here is that later on we're going to come back here and actually get some hashtags for Kinectasploit. So if you want to tweet something about Kinectasploit, now's the time to do it. And we'll come back later and see what you guys said, or what there is to see. Gathering tweets. So these are just some tweets out of my timeline. So what this has done is gone and grabbed 20, or, let's see, 10, I guess, tweets just out of my timeline. And of course the way you see things: it tried to replace the icons in real time with whoever happens to be out there. And you can see the first one it missed. But let's see who that is. You shoot a fireball to see what they said, and it shows up on the outside of that. Oops, I've got a bug where sometimes you can go through walls. Let's see one more and then we'll get out of here. Oh yeah, the good old Daily Show. Okay, let's go back to the home, but we'll come back to Twitter in a little bit. So if you want to show up there, tweet something about Kinectasploit. And one more thing I wanted to show you before we kind of move on. There's a perch, what I'm calling a perch anyway, that gets you kind of an overview of the entire world. So this is the world of Kinectasploit version 2. You can see all the rooms at once, and you kind of lord over top of them, if you will. And so you can see that first room over there was the room we started in. We've got the wireless access room. We've got the Twitter room. And then the reason I want to show you this, this room over here, just in the far right-hand corner, is the Snort room.
So Snort's role in this whole thing is to kind of be our visibility monitor, right? Usually Snort is what the defensive guys use. In this case, the attacking guy is going to use it to let us know: are we tripping anything? Based on what we've done, are we showing up on someone's radar? And we'll go in the Snort room a little later, after there's some more stuff. But you can see there's kind of a rotating barrel that refreshes itself every 30 seconds. There's a barrel per category of alerts. So of the four alert categories in Snort, we're only going to worry about the top three. So if you see a red, really fast rotating barrel in Snort, you know you've done something that's going to trip somebody's IDS signatures. So that's the idea behind that. So let's get out of the perch and back into the home. And we're going to go into nmap and take a look at this network that we just got access to from the wireless access point. So we have a list of networks to get an idea of what we can see. And so we've got a couple of different points here. I'm obviously not going to attack myself. This middle one is DEF CON. I don't want to attack that. I'm going to attack 100.0, which is our victim VMs here. Let me do it again. I should get the little tick sound every time you select something, just to let you know that you picked it. And again, it's kind of purposefully slow there. I mean, I'm delaying gestures on purpose just to make sure that you're not accidentally picking a menu option without meaning it. So that's why it's changing color and delaying and all that stuff. So this is running an nmap scan against that network. Collecting nmap data. And it didn't take long at all, because nmap's quick, especially on a local box, which is good for us.
So what this did was go out and run nmap against that CIDR mask and pull back all the data in an XML file, parse the XML file, spit out some representations of computers, run it through Graphviz, and then make a graph for us of the traceroute of that network. Obviously, it's not a very large network. It's only got three boxes, but you get the idea, right? So you get a graphical view of the network that you're dealing with, and you get some hosts out in the room. They're scrolling their ports that are open; that's the construct here. So 101 is us. It's our scanner. 100.7 looks like a Windows box: 139, 445. And then 100.8 looks like it's doing some web services, and 2222. So it's probably a Linux box. Target acquired. So we're going to target that guy, of course, by shooting fireballs, because fireballs are fun. And the best thing I know to get a handle on those Windows boxes is attacking with Nessus. So we're going to go to Nessus. Nessus is a hospital room. So that's the construct here, because, you know, we're going to dig into this guy and see what secret he's got, what he wants to give up. So if I can get over here, come on. There are two switches on the end of the operating table for Nessus. This one brings our victim into the room. And this other one: Nessus scanning initiated. Nessus scan, like it says. Like the nice lady says. Nessus scan completed. So, if you've ever run Nessus, you know it doesn't complete that fast. So I will cop to another cooking show portion of this thing. Actually, I don't have Nessus loaded on here. But there is an integration with Nessus, and that is a real live Nessus scan from that box. It's just the XML file, kind of replaying, because if you're running Nessus, you know, it takes like five or ten minutes per host, and I don't want you guys staring at me for five or ten minutes.
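The nmap step described above (run the scan with XML output, parse the hosts and open ports, feed the traceroute into Graphviz) is the same pipeline a defender uses to turn scan output into an asset map. The following is an added example, not code from the talk or from the Kinectasploit project: it parses a constructed nmap `-oX` document with `xml.etree`, keeps only hosts that are up, and emits a Graphviz DOT graph of the hop paths. The addresses, services and the `guess_os_family` heuristic (the same eyeballing of 139/445 versus 80/443/2222 the speaker does on stage, not nmap OS detection) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output standing in for the talk's real scan. Addresses
# and services are made up; the numbering just mirrors the .101 scanner and
# the .7 / .8 hosts mentioned on stage. One host is down to show filtering.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV --traceroute -oX - 192.168.100.0/24" version="6.01">
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.100.5" addrtype="ipv4"/></host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.100.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed" reason="reset"/></port>
    </ports>
    <trace port="445" proto="tcp"><hop ttl="1" ipaddr="192.168.100.7" rtt="0.41"/></trace>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.100.8" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="2222"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
    </ports>
    <trace port="80" proto="tcp"><hop ttl="1" ipaddr="192.168.100.8" rtt="0.39"/></trace>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: IPv4 address, open ports, traceroute hops."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no ports worth drawing
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        ports = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not shown on the room walls
            service = port.find("service")
            ports.append((int(port.get("portid")), port.get("protocol"),
                          service.get("name") if service is not None else ""))
        hops = [hop.get("ipaddr") for hop in host.findall("./trace/hop")]
        hosts.append({"addr": addr, "ports": sorted(ports), "hops": hops})
    return hosts


def guess_os_family(ports):
    """Eyeball heuristic (assumption, not nmap OS detection): SMB => Windows, SSH => Linux."""
    numbers = {number for number, _, _ in ports}
    if numbers & {139, 445}:
        return "windows?"
    if numbers & {22, 2222}:
        return "linux?"
    return "unknown"


def to_dot(hosts, scanner):
    """Render scanner -> hop -> host paths as a Graphviz DOT digraph."""
    lines = ["digraph traceroute {", f'  "{scanner}" [shape=box];']
    edges = set()
    for host in hosts:
        path = [scanner] + host["hops"]
        if path[-1] != host["addr"]:
            path.append(host["addr"])  # make sure the path ends at the host itself
        edges.update((a, b) for a, b in zip(path, path[1:]) if a != b)
        label = "\\n".join([host["addr"], guess_os_family(host["ports"])]
                           + [f"{n}/{proto} {svc}" for n, proto, svc in host["ports"]])
        lines.append(f'  "{host["addr"]}" [label="{label}"];')
    lines.extend(f'  "{a}" -> "{b}";' for a, b in sorted(edges))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(parse_nmap_xml(SAMPLE_NMAP_XML), "192.168.100.101"))
```

Piping the output through `dot -Tpng` gives the same kind of trace graph the talk projects on the wall; the per-host label carries the open ports so the picture doubles as a quick exposure inventory.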
I like you and all, but... So I need to warn you, just so you're ready for this, because it's a weird thing how you can't hear it until somebody tells you to listen to it. So what's going to happen here is I'm going to select one of these vulnerabilities that we're going to dig into. We want to be stealthy. So we're not going after the MS-1s. We're not just going to pop a shell on a Windows box using, you know, Meterpreter or a Metasploit exploit. We're going to go after this: Shares Unprivileged Access, which is Nessus-speak for an open share. But when I select it, it's going to read you the output of the Nessus vulnerability, or the Nessus description. So if you're not ready, you won't hear it. So, listen. "The following shares can be accessed as BBIWMGM. Files, readable, plus content of this share: test.txt, troubleshooting.pcap." Okay, so we've got two files accessible on an open share, if you heard it. And one of them is a pcap file. So I don't know about you guys, but whenever I find a pcap file in a pen test, the first thing I want to do is run it past Ettercap to see if there's anything in there I can use. So that's what we're going to do. We're going to package this up. And this puts it in a little ammo box that's going to follow us around, kind of like Thor's hammer. Right, so it attaches to our hand. And the fun thing is you can kind of outrun it. You can go faster, and then it will catch up to you. So it's going to follow us around to the rest of the rooms here. Well, until we get rid of it, which we're going to do. And it's trying to find me, and it's running through walls and all that stuff right now. And it's going to catch up to us in the Ettercap room. You can... There's no reason why you couldn't, in this particular thing so far. Sorry, I should repeat the question. The question was, can you carry multiple containers? And yeah, you can. There's absolutely nothing stopping you from doing that.
In this case, one at a time is really all I need for this particular scenario. And that took a long time to get that to happen. I don't have more than one. But when I came into the Ettercap room, it knew, because this container exists in the scene, that I had a target, that I had a vulnerability, and so it gave me a menu option to target that guy. So Ettercap, for me... The hard part of this thing is how do you represent all these various tools that don't have a physical manifestation? Ettercap is a big swirling death. So that's what it is. So we're going to send this to Ettercap. Well, another thing to listen to. Listen to the sad tone in her voice. I didn't tell her to do this, but she sounds so sad when she says this. "Target sent to Ettercap. Ettercap exploiting phone. Ettercap finished." So it sounds so sad. Doesn't it sound like... "target sent to Ettercap." Okay, so what happened just then? We knew we had an open SMB share, right? So there's a script attached to that that knows, if there's an open SMB share, to run smbclient, pull down files, and if there's a file, send it to Ettercap. Ettercap parses it and spits out any credentials that it happens to find. So now we've got creds that we can go use. So let's go back. "Root." Sounds like a Linux box. So let's go to our nmap area, which is where we pick targets that we're interested in. We've got the Windows guy targeted; let's untarget him. Target acquired. Target acquired. I've gone crazy. Let's untarget this guy. Come on. Okay. And let's be accurate and target this guy. Target acquired. Targeting is important in games, and it's also important in this game. So we had a guy with 80 and 443 open, and we have some credentials. Let's go to the web room and see what we can do with those. So here's our target; it came with us into the web room. Let's scan him for URLs. This is just going to run wget against him and see what we can find. "Gathering URLs completed." It announces when it does something.
Something announces when it's done. So if they happen almost simultaneously, it sounds like that, where it kind of came over top of itself. So you can see we didn't really get much, right? So let's use our credentials that we just got from Ettercap. It gives us this option because it notices that; it just ticks on "I'm going to use credentials," kind of a boolean flag. And let's scan again. Gathering URLs. Gathering URLs completed. So now we got quite a bit more. So that's just wget using those credentials that we had. And there's a whole list of URLs; we can scan through them. The gesture for that is you just put your left hand behind you a little bit, and then you do kind of like a "give me more data" movement. So we've got a bunch of URLs we can pick from. We're going to pick this challenge three guy, just because I know that it works. And now that we've got a URL selected, it gives us an option to launch sqlmap. So that's what we're going to do. We're going to launch sqlmap and try to get some more credentials and see if we can kind of stealth our way... sqlmap initiated. ...to retrieving our garbage file. So when sqlmap finishes, it's going to display whatever it gets. "sqlmap completed. If your results include hash values, you may wish to visit John the Ripper for assistance." A little foreshadowing, maybe. A little obvious foreshadowing. So obviously we've got a username, administrator, and a hash out of the back-end database. So that was sqlmap just running in a password, "give me a password" mode. And just like we did before, we're going to package these up in a little module, because they're not quite complete. We need more data out of them. So we're going to package it off to John. "Packaging your creds. Say hi to John for me." Okay. He's got a sense of humor. Okay, so let's go to John. John. John. There's a little red box in the corner, because I don't know what else to do with John. The cool thing in Blender... I'm not spending much time on Blender.
I have questions about the game engine. They came out, creds. One cool thing is it's got distance-sensitive sound, so the closer I am, the louder the sound, and the farther away, the quieter the sound as well. So it's got some... I guess those are standard game engine features now, but they're new to Blender. So we're going to crack these credentials by sending them off to John. "Credentials sent to John." And when he works, he's going to display them on the wall. "Completed." So John did this work that fast because... that was a real-time John crack, by the way; it wasn't a cooking show type thing, but that password obviously is in John's default password database. So it just took that, it was a MySQL hash, cracked it against that, and so now we've got administrator creds with an oddly familiar password. So let's select those, because we're going to make use of those, and... "Credentials selected." So I left this kind of raw. I could have done the same ammo box thing, but I wanted just an opportunity to talk about one of the coolest things in Blender, which is the Python scripting engine in there. And so for example this object, me right here, I'm just called the player in the scene, and you can attach Python dictionaries to anything, any object inside Blender. So when I selected those credentials, all that really happened was it took this string, and if you're a Python guy you'll recognize that it's just field, value, field, value, right? So username, administrator; password, Gibson hash; and attached that as a cred to the player. So anything else inside Blender can make use of that same thing. So it kind of has its own internal data transfer mechanism, and we're going to use these creds next. So we've got a real administrator cred, and let's see what's... Let me check my cheat sheet here, sorry. All right, let's go back and select our Windows box, since we've got an administrator account. Okay, let's unselect that dude, and we're going to select that guy. Yes, we are going to select that guy.
Target acquired. Target acquired. Fireballs bounce. Target acquired. Screw you. Okay, one target acquired. One at a time. We'll work on the mass module; maybe that's next year. Target a hundred things or something. And we're going to go to, obviously, the last two rooms here in our scenario. So what we're after here is, like I mentioned, the contents of the garbage file. So the final goal is to get some forensic work done. The thing that's going to help us get onto the box, however, is Metasploit. Metasploit. Let's see, maybe we have a console. Yeah, we do, okay. So we have console output from Metasploit. It's complaining and bitching about not being updated, but I didn't want to break anything. So it's not updated recently. Let's go up here. So what this is going to do is run psexec to get a Meterpreter session loading on the box. And it's going to run... I don't know if you guys were here last year for Wes McGrew's talk, but he released a module that gets you a forensic interface, just an NBD server, network block device server, on a box. So through Meterpreter you can then run any forensic tool that you want. So that's what we're running against that. So it's just psexec using those credentials that I just showed you, and it's attempting to run this module, and as you can see, it failed dramatically. So sometimes that happens, and you just run it again, and we can do it using gestures. So we're loading. It's going to try again; if it works, it'll serve up the C drive as a network block device. And there it is. Serving up a C drive, and the entire C drive is now available to us as a network block device. So that's awesome. And we're going to use that in the final stretch here. Whatever you guys said to the demo gods, keep saying it, because we're doing pretty good. We're going to go to the forensic room, where we've got raw access to it. So we're going to connect using NBD, just nbd-client, the regular Linux client.
And it's made the connection, giving us another option to search the garbage, aka the Recycler bin in Windows. Searching. So this kicks off a job that's going to take just a little bit, so let me explain kind of what it's doing while we're waiting for the output, and then we'll go to some other rooms while we're waiting for the output also. Searching through. So it's got a raw image on there, much like a dd image. It's going to run fls out of the Sleuth Kit and just look for anything with the word "recycler" in it, and then display it up on the wall. So in the meantime, let's go out to the perch and see if we have some Snort that we can take a look at. And it looks like we do. We've got a couple of barrels, so let's get out of the perch and see if we can go see what alerts we've triggered. Here we go, Snort. Snort. So I'll only do one, and then we'll move on to something else here, but all you do is just touch the barrel and get close to it, or something interfering here, and it coughs out just a little summary of what alerts are there for that particular barrel. So you can see these are like priority two alerts in Snort. So we've got some port sweeps that obviously are from our nmap scan, and then some other stuff, probably from the sqlmap that we did.
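The Snort barrels described above (one per priority, refreshed every 30 seconds, spinning faster the more alerts land in it, and a per-barrel summary when you touch one) boil down to: parse the alert log, keep the alerts inside the refresh window, and bucket them by priority and message. The following is an added example, not code from the talk or the Kinectasploit project: it parses Snort's `alert_fast` line format with a regular expression and produces the per-barrel counts. The sample alert lines are constructed for the example (the sids in the 1000000+ local range and their messages are made up), and the 30-second window is the refresh interval the speaker mentions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed lines in Snort's alert_fast format, not a capture from the talk.
# Sids >= 1000000 are the local-rule range; messages are invented for the demo.
SAMPLE_ALERTS = """
08/05-10:14:50.000001  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 2] {PROTO:255} 192.168.100.101 -> 192.168.100.7
08/05-10:15:05.000002  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 2] {PROTO:255} 192.168.100.101 -> 192.168.100.8
08/05-10:15:10.000003  [**] [1:1000001:1] LOCAL web app SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.101:51000 -> 192.168.100.8:80
08/05-10:15:12.000004  [**] [1:1000001:1] LOCAL web app SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.101:51002 -> 192.168.100.8:80
08/05-10:15:20.000005  [**] [1:1000002:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.101 -> 192.168.100.8
this line is not an alert and must be skipped
""".strip().splitlines()

# alert_fast: "<timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {proto} src -> dst"
# The Classification block is absent on preprocessor alerts such as sfPortscan.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d)\]\s+"
    r"(?:\{(?P<proto>[^}]*)\}\s+)?"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_timestamp(ts):
    """alert_fast timestamps carry no year; strptime pins them to 1900, which is
    fine for comparisons inside one refresh window."""
    return datetime.strptime(ts, "%m/%d-%H:%M:%S.%f")


def parse_fast_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    return {
        "ts": parse_timestamp(m["ts"]),
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"], "prio": int(m["prio"]),
        "proto": m["proto"], "src": m["src"], "dst": m["dst"],
    }


def summarize(lines, now, window=timedelta(seconds=30)):
    """One 'barrel' per priority: {priority: Counter(message)} for alerts in (now - window, now]."""
    barrels = defaultdict(Counter)
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None or alert["ts"] <= now - window or alert["ts"] > now:
            continue  # unparseable, or outside the refresh window
        barrels[alert["prio"]][alert["msg"]] += 1
    return dict(barrels)


def loudest_priority(barrels):
    """Priority 1 is the most severe in Snort; None when nothing fired in the window."""
    return min(barrels) if barrels else None


if __name__ == "__main__":
    now = parse_timestamp("08/05-10:15:30.000000")
    for prio, counts in sorted(summarize(SAMPLE_ALERTS, now).items()):
        print(f"priority {prio}: {sum(counts.values())} alert(s)")
        for msg, n in counts.most_common():
            print(f"    {n:3d}  {msg}")
```

Only the barrel count is needed to drive the spin speed; the `Counter` behind it is what the barrel coughs out when touched. The first port sweep in the sample is deliberately older than the window, so it drops out of the summary, which is exactly what the 30-second refresh does on the wall.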
So that's the Snort integration. And while we're waiting for our forensic output, it will announce it to us when we get it; we don't have to go back to the room to check, it'll say "forensic output received." Let's go to Twitter and see if I ran into stuff. Let's see if there's any Kinectasploit stuff besides my one sorry tweet early this morning. Gathering tweets. All right, let's see. I'll try to knock some of these down, because the fun thing about these is they don't have much weight to them, much like tweets don't, so you can kind of knock them over if you hit them enough times with fireballs. Oh, come on, fall over, please. Of course now it's not gonna. Haha. Let's see what was there. Yeah, "hack the Gibson," exactly. Yeah, that's what we're doing. Let's see what else we've got. Haha, cool. Come on, forensic output. You see this a lot, people with default icons. And by the way, I should have said, all the code for this is gonna be available on my site. So you saw it in the initial intro there. It's just ponlabs.com slash defcon20. And everything that's here will be available there. You're going to have to give me just a little bit to clean it up, because there's a lot of bad code still left in here. But it will all be open on there. And Blender as well is open source; if you go to blender.org, it runs on Linux, Mac, Windows, and any Blender file that you create like this can run on any platform, of course, assuming that you've got all the rest of the stuff on there. I mean, obviously, if you're going to use the nmap thing, you have to have nmap as well. So we're going to have all that stuff loaded. So again, everything out of here will be all... "Forensic output received." Cool. So we got our forensic output. So let's go back home. And let's go back to the forensic room. Let's go around. So it did an fls against that. And if you've ever done fls and mactime, all that stuff in forensics... So what we've got is the inode number on the far left and then the name of the file.
So this is just everything that has "recycler" on that particular Windows box. If you have ever done forensics on the Recycle Bin, all that kind of stuff, you'll know that the INFO2 file, which I'm trying to select down here at the very bottom, is kind of the index for everything in the Recycle Bin. So we're going to choose that. There we go. INFO2. And Kinectasploit knows that the INFO2 file can be parsed with rifiuti, and it gives us the option to do that. So I'm going to choose rifiuti, and it's going to pull down that file. "Retrieving." "Forensic output received." So what I did just there was run icat against that network block device with that inode number, pull down INFO2, run it through rifiuti, and give us a bunch of what looks like crazy output. But we can go back to the beginning of this output. I think we can. Okay. So it just tells you where the file was, and then the important thing to pay attention to: the index number is the number that gets added to "Dc". So Dc1 will be this file up here. And if you notice, the file's name is "C slash numbers root slash period workspace slash garbage dot text," which sure sounds like the file that we're interested in. So let's go get our previous output here; search garbage again. "Searching." And this is going to... "Forensic output received." So I ran that same exact thing that took a couple of minutes last time, but it caches it, so it takes a lot less time the second time through. So we're going to pick Dc1, which we got from our index on there. And then it just works. It's the grand finale. So let's hope it works. So we're going to go ahead and type that file out and see what it's got. "Retrieving." Let me go over here. It's displayed the output on the back wall. So let me just go here and turn around. And hopefully this will work. And that'll be the end of Kinectasploit version 2. There we go. There's the output of that file.
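The INFO2 step above (pull the file with `icat`, feed it to rifiuti, read off the index that becomes the `Dc<index>` name and the original path) is standard Recycle Bin forensics, and the format is simple enough to parse directly. The following is an added example, not code from the talk or from rifiuti: it builds a constructed INFO2 blob for the Windows 2000/XP Recycler layout (20-byte header, fixed 800-byte records carrying the ANSI path, index, drive number, FILETIME deletion time, size and UTF-16LE path) and parses it back into records with the `Dc` name. The deleted paths, sizes and timestamp are placeholders made up for the example; the path shown on stage is not reproduced.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

# INFO2 (Recycler, format version 5): 20-byte header, then 800-byte records.
# The two header fields after the version are documented inconsistently and
# are left as zero here.
HEADER = struct.Struct("<IIIII")          # version, ?, ?, record size, total logical size
RECORD = struct.Struct("<260siiQI520s")   # ANSI path, index, drive no., FILETIME, size, UTF-16LE path
assert RECORD.size == 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer arithmetic: the tick count exceeds float precision.
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def build_info2(entries):
    """Constructed INFO2 blob from (original_path, index, drive_number, deleted_at, size) tuples."""
    body = b"".join(
        RECORD.pack(path.encode("cp1252"), index, drive,
                    datetime_to_filetime(deleted_at), size, path.encode("utf-16-le"))
        for path, index, drive, deleted_at, size in entries)
    return HEADER.pack(5, 0, 0, RECORD.size, HEADER.size + len(body)) + body


def parse_info2(blob):
    """Return one dict per INFO2 record, including the Dc<index><ext> name the file carries in the bin."""
    version, _, _, record_size, _ = HEADER.unpack_from(blob, 0)
    if record_size != RECORD.size:
        raise ValueError(f"unexpected INFO2 record size {record_size} (version {version})")
    records = []
    for offset in range(HEADER.size, len(blob) - RECORD.size + 1, record_size):
        ansi, index, drive, ft, size, wide = RECORD.unpack_from(blob, offset)
        # Prefer the Unicode path; fall back to the ANSI copy if it is empty.
        path = (wide.decode("utf-16-le").split("\x00", 1)[0]
                or ansi.split(b"\x00", 1)[0].decode("cp1252", "replace"))
        letter = chr(ord("A") + drive)  # drive number 0 = A:, 2 = C:
        records.append({
            "index": index,
            "drive": letter,
            "original_path": path,
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            "recycled_name": f"D{letter.lower()}{index}{ntpath.splitext(path)[1]}",
        })
    return records


# Constructed sample: two files deleted from C: (drive number 2). Paths and
# the timestamp are placeholders, not data from the talk's victim machine.
DELETED_AT = datetime(2012, 7, 29, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_INFO2 = build_info2([
    (r"C:\Documents and Settings\user\.workspace\garbage.txt", 1, 2, DELETED_AT, 4096),
    (r"C:\Documents and Settings\user\notes.doc", 2, 2, DELETED_AT + timedelta(minutes=5), 20480),
])

if __name__ == "__main__":
    for rec in parse_info2(SAMPLE_INFO2):
        print(f'{rec["recycled_name"]:10} {rec["deleted_at"]:%Y-%m-%d %H:%M:%S} '
              f'{rec["size"]:8d}  {rec["original_path"]}')
```

On a real image the blob would come from `icat` on the Recycler directory's INFO2 inode, as in the talk; the `recycled_name` field is the `Dc1`-style name you then pull to recover the content.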
It's in that place where I put that thing that time, which, if you've seen Hackers recently, you will recognize. So that's Kinectasploit.