Okay, if everyone's ready we'll get started with the first live demo of the day. I'm going to hand over very, very shortly to Dave, who's going to be introducing his presentation, "Winning a SANS 504 CTF without winning a SANS 504." Without further ado: he's just done his shots, so now he can take over. Thanks.

Thank you very much. Good morning. Welcome. So I am Big Dave. I'm not the biggest Dave, but I am one of the many Big Daves that exist within this world. Everyone knows a Dave, right? So, w. First thing you should do when you log on to a Linux terminal: w. Who else is on with me? So this is me, Big Dave. That's my personal account everywhere. If you want to reach out to me, ask me questions after this, that's the place to do it. It is personal, so you will just see random bullshit, random sketches I do, and other stuff.

I'm a security researcher. I work for a company in San Jose. My job is to look at attackers, how they're doing stuff inside the network. So not the traditional IOCs, like how have they popped a box; more behavioural than that. I worked for an engineering support company in the UK, working with the MoD, nuclear power, that sort of thing. Very big company; got to work with a lot of interesting adversaries. It was through working with those guys that I uncovered some of the techniques and some of the stuff I'm gonna talk about today. I also worked as a network engineer before that, so it's pretty standard, but the weirdest part is I have a BA in drama. So that's relevant for this field, right?

So, background to this talk. I spent a long time, when I was working with my previous company, in the trenches of the spam reporting folder. People just send us emails every day, and I was doing this day in, day out, just ridiculous volumes of email, saying this is spam, this is malicious, this is advertising, this is fine, you can click on these links and you can't click on these ones. Through that we had to think of novel ways to also beat the enterprise filters.
So how can we get past the anti-spoofing? How can we send emails that look like other people? How can we get files through these devices as well? Worked obviously as part of the blue team, in that I was a SOC analyst. So we went up against everyone from Nigerian scammers, who would say "do you want your share of eighty-five thousand Nigerian dollars?", but we also ran investigations which deal with a more serious side, and it's the one that people know a lot about and they hear a lot about now: the sort of CFO phishing. Somebody pretends to be your CFO, they send it to your financial controllers. It usually looks really bad. There are a couple of cases, though, where that isn't the case.

Let's give you a background of what I'm talking about today. The SANS 504. SANS 504 is run by SANS. It's the Hacker Tools, Techniques, Exploits and Incident Handling course. So it's the sort of basic stuff for the SOC. Five-day course, covers the basics of the incident response process, incident response good practice, and pen testing as well. It's a lot heavier on the pen testing actually than incident response, which is a bit weird given that it is more of an incident response course. Fair enough. On the Saturday they run a CTF. The CTF is a small network of pwnable machines that you have to get two flags from, put them together and come out with the phrase that pays. And then you win the CTF and you get a coin; you get your 504 challenge coin. I didn't win the CTF, but I have a 504 challenge coin, and I'll come on to that.

So my SANS was in London, 2015, spring. It was taught by Kevin Fiscus. Please feel free to @ him on Twitter; I asked him before the talk, it's fine. It was two days of me being very serious and five days of me being very devious. So on the first couple of days Kevin said that at the end of the week we're going to be doing the CTF, and he said in front of the class:
"Hey, yeah, I encourage social engineering, because I've never been socially engineered to give up the phrase that pays." So whilst the rest of the class went off and went "I'm gonna produce a letter that says I have a share of twenty million dollars if you give me a hint to the CTF", or someone went and got a picture of his Jeep from Facebook and said "are we gonna craft something from the DMV? It's gonna say he's been caught speeding, and then if he gives us a hint to the CTF then we'll let him off his fine", I took it way too seriously.

So, the challenge. The CTF was set up, encouraged us to socially engineer to get the phrase that pays. He showed us bad examples of previous phishing and said he found them hilarious. I definitely took it too seriously. I was advised not to do this by my peers, who said "you shouldn't fuck with your SANS instructor, they will kick you off the course."

So, the target. He said they've never been socially engineered by a student. He's a security professional, he works in incident response, he's incredibly smart, and he was aware that he was opening himself up for incoming attacks.

So, the patsy. There was another SANS instructor that week giving a presentation where, importantly, there was free beer at the back, where I stood for the entire talk getting beautifully rat-arsed. They gave a presentation; the presentation was on memory forensics. It was great. They were showing off a new tool. The tool worked really well. It did some new, interesting stuff with not messing around with memory space when grabbing the memory dump. It's fantastic. It's better than other things I'd used to do this before, but it gave me an idea. Because, more importantly, in the memory dump was an example of the SANS 504 CTF that they run on the Sunday, just showing the Meterpreter shell from the network list. So, "oh look, here's an open TCP on 4444." That gave me an idea.

The plan. Well, what did I know? I knew the instructors knew each other.
They worked for SANS. I'd seen them talking. I knew that they were going to give a presentation, so I thought I'd go along to that; sounded interesting, there was free beer. And I knew about some interesting email tricks. Now, I guarantee almost everyone in this room, when they were 10 or 11, maybe even younger, older, in the 90s let's say, found an open mail relay on the internet and sent an email to their friends as Bill Gates at microsoft.com: "Hey, there's a new update to Windows. Please click on this link. We're not gonna Sub7 your machine at all."

So, the execution. From a high level, I crafted an email in the style of the patsy and I sent it from the patsy. I found a hosting provider with open SMTP. That's about it. There's a touch more to it.

A Study in Pink. I love this site, alwaysdata.com. The best thing about this site is that you can start for free. There is no sign-up fee, there's no like 30-day trial; they will give you a really basic account for absolutely nothing. You also don't have to fill in any correct information. So that's... it's a Guerrilla Mail. I think my name is Jimmy Riddle. I live at 1 France 77 in the city of Spain. The only thing that has to be correct is the country has to match where you're signing up from, so it looks at your geo-IP. That's the only thing that needs to be correct in that form. Takes no credit card details, nothing else; you can lie through your back teeth, and it has a handy Roundcube webmail interface. If you don't want to type out those bothersome SMTP commands on the shell, you can just go and do it from their Roundcube interface.

So there's my email address, "but snatch it" at alwaysdata.com, and I can edit that identity and I can put in anything I want. So here I've just changed it to say the email is actually from recon at DEF CON. Reply-to: send it back here. I want to get my email right. And here's the rub. It's a really old trick.
We call this envelope spoofing. So when you send the email, at the very top you have your SMTP headers, and you have the from address, you have the to address, the RCPT TO. But a lot of that actually gets stripped these days by the edge email systems, so you can rarely, unless you're intercepting the traffic from the edge to the Exchange server, you won't ever see the original from address, because it gets cut. You will, however, see the envelope. Now the envelope is actually part of the data of the email, so this is all outside of the protocol, and the data of the email is the important bit to the application. So when the application receives the email, it doesn't look at the original sender, because it's usually been stripped; it looks to the envelope to give you the sender and to make the email look like it came from that person.

So there's some other interesting things that happen when that goes ahead inside most of the applications. If you can nail the email address to somebody within someone else's address book, Outlook, Gmail, Mail for Mac, any modern email application will pull in contact details, presence information, signatures, everything that makes that email look legitimately as if it has come from that person. So what you've got to do is nail their email address, and possibly how they talk and how they act as well. If it's done, when it works, is it really done?

So this is a bit of a case study. Facebook and Google both lost about a hundred million dollars to a scammer, and the guy's been arrested since, and it was absolutely huge. "Two tech giants succumbed to a well-known type of scam in which the attacker tricks the victim by innocent-looking emails." So there's not been many details given out on how this was done. They said it was financial fraud, it's a well-known technique, etc., etc.
So I want to shed some light on what happened. During the time of this attack, the common method to do this type of CFO fraud was to pretend to be the CFO, to say "please authorize this payment to this company because they are a supplier." It failed 99% of the time. There are some big cases, like 70,000 pounds was given to some company in Taiwan through this sort of fraud. But in this case they went for the supplier. Classic target: supply chain, right? They targeted the supply chain. They infected them with an old-school Java RAT. From that they then sat on that supplier's email and they watched outbound email. Not only did they scrape email addresses to send to, email addresses to send from, they also scraped headed paper, physical signatures that were transmitted across email, because they were on the wire. So the email came out of the supplier, it got sniffed by the attacker, and then it got sent on to the target. Now this was interesting, because they then waited for a very large invoice to go across to the attacker, at which point they would then send a follow-up email: "Oh, by the way, sorry to interrupt. We are currently under audit. All our bank accounts have been frozen. Can you please change the bank accounts to these new ones, because they're not under audit, and we can take the payment and it'll be sorted out afterwards." If you know much about financial auditing, that wouldn't happen. That's just insanity. But the reply in due diligence says "hey, can you send us this with headed paper with the signature of your financial controllers?" And of course the attacker has already stolen all that. So they send another one and the payment gets authorized to some Swiss bank account, and they walk out the door from Facebook and Google with a hundred million dollars. These are smart people working in big tech companies, and these guys can get duped. Why? I always say to people, when they say "oh, well, we bought the best firewalls,
we bought the best email routing, we bought the best AV." It's like, I don't care. If someone wants to get you, they will get you. Doesn't matter if you are Facebook, Google or a SANS instructor. If somebody is really out to target you and to send you malicious content, they will do it every single time, and I have a nice heavy coin in my pocket that proves that.

My SANS instructor. So what do you need to know? Well, you need to know their email address. How did I get this from a security professional? They were a very private person at the time; all they gave out on their talk was their Twitter handle, and this was before Twitter let you embed the link to your website.

The hook. I mean, this was pretty easy based on the content being presented. I've already said they were showing off the SANS 504 memory dumps in the capture the flag in the presentation. I needed something to make it a little more believable. I need a handle, man. I'm not anything if I don't have a handle.

So, context. The recon was carried out a few years ago. Like I say, it was before putting your website on Twitter was actually kind of common. The security professional didn't advertise their email address, just their Twitter handle. There is a lovely piece of SANS 504 advice, and I've spoken to a couple of instructors around here this week, that at the beginning of the week they say: if you own a website, put your own email address in the admin field, because if it ever gets hacked you want to be emailed, right? You want to be notified. Was great advice for notification of breach. It's actually brilliant for finding out people's personal email addresses, because sometimes they don't scrub it. They don't put something odd in there, they don't put a Guerrilla address, they just put something that is very personal to them. So I took a shot in the dark. I knew the professional's Twitter handle.
So I started going through all of the common TLDs to see if that was registered to them as a TLD. And I got the hit. This is from a couple of years back, before it was all scrubbed by Domains By Proxy, but basically it was, I believe it was a dot... this one was a dot-com. It was really easy to get this one, and it had their personal email address, their Gmail address, which wasn't anywhere else in there. I mean, it's easy recon. It's WHOIS data. Coming soon to a WHOIS near you: a lot of this data is gonna go because of GDPR, so have fun with that when that happens. We're gonna be in an interesting place of finding out this sort of information. We're gonna have to revert to older social engineering techniques to try and get this stuff as well.

Like Bill Murray at Wendy's: no one's gonna believe you unless you have proof. The reason I say this is I could send an email to Kevin from his colleague and I could make up any cock-and-bull story about "hey, you dropped your USB key and it's got the phrase that pays", or "I need to know it because I'm gonna be teaching the course next week and I need to make sure I'm pre-warned." But I've got a degree in drama. I'm good at making stuff up. I'm good at playing pretend. I spent three years studying playing pretend. I actually spent six months of that building a puppet, which is great. I ruined a hoodie like that, because the head was made of foam and I had to shave it down with a Dremel, and it just sticks into any fabric. It's awful stuff. But it's great: little Japanese man sat on the floor telling a story, trying to play a shamisen, terrible.

So I sat in on the presentation given by the SANS instructor, and not only did I watch the presentation and enjoy the content and go "hey, that's a cool tool, I'm gonna go and add it to my tool chain",
I took note of how they spoke. I took note of the phrases they used. I took note of the way they would leave gaps or go on non sequiturs. And so when I sat in the gym that evening on a bike, I sat there crafting an email in my head, and when I got back to my hotel I wrote an email that looked like it was from his colleague. And as I said earlier, what makes an accurate email? Well, modern email programs do the heavy lifting for me. All these applications here add contact information to spoofed emails. So if you want to spoof the envelope, these applications will make it look much more legitimate for you. Like I say, they read it from the envelope, not the original SMTP MAIL FROM.

Yeah, worth noting actually, a lot of these mail applications make it really difficult to view the source now. Well, not really difficult; they just hide it behind a few menus. Exchange, for example... well, Outlook and Exchange hide it behind a couple of menus, and lots of people now ask where it is. Gmail, it's reasonably easy: you can do View Original. Office.com Outlook is actually quite difficult to find the menu item to give you the source. So it's hard to start, for normal people it's hard to start looking at this information, especially if you're viewing it on a mobile as well. I mean, forget it.

So when I crafted the email, I made it look like it was from his colleague. I wrote it to look like it was from his colleague. I spoofed the email address that I was nearly sure was their email address, and it turns out I was right. Not all was as it seems: there's a third player in the room. So, yeah, I forgot that was the last slide, my bad. But yeah, the next day. So I sent him this email. I sent it to him at, I think it's about half past 12 at night. We're in London. I know the pubs close at 11. It's fine.
I know that they're instructors and they're friends; they're gonna be out drinking. So unless there's something else going on between them that I don't know about, I know they're probably not gonna be together, and he might have had a couple of beers in him. So send him an email at half past 12 at night, and I wake up the next day, check my account, open up, my heart's racing, butterflies in my stomach, and there it is: the phrase that pays. And I'm not gonna tell you the phrase that pays, because I spoke to other people who won the CTF and it hasn't changed.

But then, so I had that, and I was, well, I mean, I guess that could be right. He could be tricking me. He might know. So I basically ran all the way to my SANS course. I was like skipping like a giddy schoolgirl, I was so excited. This was Wednesday; the CTF's on Saturday. I walked in and he was talking to one of the SANS adjudicators. Now these guys are taking the course, but they don't pay; they're there to field questions, help people, to be a tea boy. They wear a little apron, I think that's really cute. So I went in, he was talking to the SANS adjudicator, saying: "So last night my colleague sent me an email, and apparently one of my students is trying to socially engineer them for the phrase that pays." And I had him. I knew I had him, because he was so bought into this idea that they had sent him the email; it looked perfect. But he was so bought in that he was telling a story of how one of his students had the balls to go and target another SANS instructor for the phrase that pays. So I just sidled up to him: "Here's the phrase that pays." Oh. And that was it. I confirmed knowledge.

So the end of the week, at the Saturday CTF, unfortunately my team didn't win. We were about a minute behind the winners.
We had both halves of the flag. We'd popped the vulnerable kernel on the Linux machine to get the second half, which is one of the more tricky bits. So there you go. We had both parts of the string; all we had to do was put them together and decode it. As we were getting to that point, be like "hey, what about that tool we learned about at the beginning of the week? That'd be great, let's use that. Yeah, but put them together, we'll make it one file." And there's some guy that went "we got it." Shit, because I'd like to win, right? I was still in the same competition. I knew the winning answer, but we were all in the same competition. So Kevin's like "congratulations, how did you do it? Let's go through it," and they gave all their details. I'm like, "yeah, we did that. We did that. Yeah. Oh yeah, we found that. Yeah, that's great, well done." "Okay, okay, I'm not gonna ask you for the phrase that pays. I'm gonna ask you, maybe, to stand up in front of everyone and explain yourself and how you got the phrase that pays." And that is how you walk away from a SANS 504 CTF, capture the flag, with a coin, without winning the SANS 504 CTF. Don't know if I've got any questions.
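The trick the talk describes works because the mail client displays the From: address inside the message data rather than the sender the SMTP session actually used, which a receiving server normally records in a Return-Path header. As an added defender-side example, not part of the talk, here is a Python check a mail gateway or SOC triage script can run over raw messages to flag that mismatch and any failing SPF or DMARC verdict; both sample messages and all domains in them are constructed.

```python
# Flag messages whose displayed From: domain does not line up with the
# SMTP-level sender recorded as Return-Path, or whose SPF/DMARC checks failed.
import email
import re
from email.utils import parseaddr

# Constructed sample: the From: the client will show names one domain, but
# the receiving server accepted the message from a sender at another domain.
SPOOFED = """\
Return-Path: <throwaway@free-hosting.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=free-hosting.example; dmarc=fail header.from=instructors.example
From: Colleague <colleague@instructors.example>
To: target@example.org
Subject: Re: that CTF
"""

# Constructed sample: envelope sender and From: agree and all checks pass.
LEGIT = """\
Return-Path: <colleague@instructors.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=instructors.example; dkim=pass header.d=instructors.example; dmarc=pass header.from=instructors.example
From: Colleague <colleague@instructors.example>
To: target@example.org
Subject: slides
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def aligned(from_dom, rp_dom):
    """Relaxed alignment: same domain, or one is a subdomain of the other."""
    if not from_dom or not rp_dom:
        return False
    return (from_dom == rp_dom or from_dom.endswith("." + rp_dom)
            or rp_dom.endswith("." + from_dom))

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts

def check_message(raw):
    """Parse a raw message and report whether it looks like sender spoofing."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    verdicts = auth_results(msg)
    reasons = []
    if not rp_dom:
        reasons.append("no Return-Path recorded by receiving server")
    elif not aligned(from_dom, rp_dom):
        reasons.append(f"From domain {from_dom} != envelope sender domain {rp_dom}")
    for method in ("spf", "dmarc"):
        if verdicts.get(method) == "fail":
            reasons.append(f"{method} failed")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "auth": verdicts, "suspicious": bool(reasons), "reasons": reasons}
```

Run `check_message()` on each message in a mailbox export; anything with `suspicious` set is a candidate for the address-book, presence and signature decoration the talk describes, so it deserves a look at the full headers rather than the client's rendering.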