I'm from the United Kingdom. If you don't know where that is, it's near France, where you guys won the World Cup. Well, the women's World Cup. Go US. I am a biker. I am a hacker. Like I said, I'm not a pentester or anything like that, so I view myself as a hacker. I am a family man with a wonderful family, so I don't get a lot of spare time to do my security research. I am a co-founder of DEFCON Gloucester in the UK. I'm also dyslexic. Why do I bring that up? It's the first time I've brought it up in public. If you don't know what dyslexia is, it means I have a learning disability; I can't read or write very well. When you look at other people's talks and presentations, they talk about how they've read an RFC, or they've written a book, or they've done something similar to that. When you look at some of the call for papers submissions, they're like an essay. I can't read 100 words, let alone write 100 words, so I'd like to thank the Recon Village for allowing me to speak here, and if I can inspire anybody with similar disabilities to come up and talk, that's an achievement unlocked for myself. I'm going to talk about three tools that I've written to view people's tweets, search their timeline, and show who they're communicating with most.
I know you can do that with Twitter, with the GUI, so I'm going to explain a bit more about it and what the difference is between my tools and doing it online. Before I go on to that, I want to talk about the Lockheed Martin cyber kill chain. It'll all make sense in a minute. If you don't know what this is, it's what Lockheed Martin says: as a bad guy, we have to take each of those steps and be successful in each one, and a defender only has to be right once. They just have to block us at either delivery or exploitation, and then it's game over for us. Which is true, but in my head I said it doesn't quite work very well; this is how I view it. If you're colour blind, the red is the up and down arrows and the blue is the left and right arrows. The reason I'm bringing this up is because recon is where we can spend most of our time and effort, and the blue team has zero visibility of what we're doing, so we can actually hide there. The more information, the more recon we get, and I know I'm preaching to the choir here, but the more recon we do, the more successful our jobs are. When it gets to weaponization, this is where the blue team starts to build up. If they're only running Windows operating systems, they don't care about Linux exploits, so they only concentrate on that, which means we've now got to focus our efforts on Windows exploits, because all the Linux ones no longer matter. When it moves down to delivery, it's 50-50. The blue team can't just shut off the internet, they can't just block all emails, so we now have to hide in that information. We need to hide and make sure the emails that go through the system look legitimate and any packets we send get through. When it gets down to exploitation, this is our hardest bit as the attacker.
The reason is that we have to make sure we break that system, and it's the easiest job for the blue team, because all they have to do is have good patch management in place, good user training, good user awareness, and it's going to be very hard for us to exploit it. So we have to make sure that the recon funnels down to that point so we can be successful. But once we get past exploitation, this is when we have the blue team on the back foot. We can then use installation so we can actually start pivoting and go further into the network, and they're going to try to get rid of us. Once we get control of other boxes, we can laterally move and pivot, so if they take out one host, we still hopefully have persistence somewhere else. Then we get to actions on objectives, when we actually have full control of the network; the blue team are struggling, they're in the mess of a firefight, and we'll pretty much have the network. The reason I brought this up is because, as I said, recon is the most important phase in my understanding of this. This is why I've written this tool, all my tools. I'm going to look at a friend of mine, Chris John Riley. I've asked his permission to do this, so it's okay. The reason I picked on him is because he's a prolific tweeter. He's done loads of tweets, he's got loads of people following him, and it's going to be really hard to get intel on him. First we can view the tweets. What this tool does is it actually just shows the tweets and replies. It doesn't show the retweets. I don't really care what other people say when Chris John Riley retweets them. I want to know how to get inside his head, which is a very scary place at the best of times, but I want to get inside. I need to understand him if I want to be exploiting him. If it's a retweet, I'm not interested. I want to know what he's tweeting, what he's talking about, what he's thinking. I need to understand his communication.
I also want to search his timeline. The thing is, with the GUI it puts it in just random order. Here it actually puts it in chronological order. It makes it really easy to actually get the information out. If I need to extract, say, a search on a conference he's attending and he's hashtagging it, that means I'm going to get all that information there and then, so I'd be able to find his movements, understand how he's moving, what he's talking about, instead of going through all the search results to try to find the information. This is the bit I find most useful. It actually counts the top 100 mentions that he's using. I can't do this on the GUI front end itself. So we see here we've got SPLIP, the top one, with 231, the next with 130, DigiNinja 100 times. So these are the people he's actually talking to, communicating with. So now we've got a circle of trust. This is where we actually believe he's communicating more, who he's actually talking to. So if we can exploit that trust, we can then hopefully exploit him. It also gives us more information about his hobbies and interests and stuff like that. So let's put it together and see if we can actually make this work. Come on, screen. This is going to pop up. Thank you. Okay, so I'm in the wrong place to start off with. All right, so if we search his tweets, let's hope he hasn't put anything dodgy on it. So now we see all his tweets, but it also puts it in a form that's easier to see. And if we actually look at his tweets here, it's pretty hard to actually see what's going on. We see he's got a retweet there, he's got a few other tweets, but if we look here, we can actually see his tweets, and you can see it's first to view and it makes it a bit easier to consume the information. If you want to search, now let's do a search for his users.
So it's now going to retrieve the mentions of the people he talks about. It takes a few seconds to come back. And as you see here, we've got SBVLX here, 220, Belgan, 143, D102. But we also now understand his interests. We've got DJ Dracula there. We have Duoco Music here. So we now understand his music taste as well. So by using this information we hope to be able to get a more successful payload by doing the recon. How many of us, when somebody sends you a link from a trusted source, are more likely to click the link, open it, or do something else than if it came from somebody you don't know? So this is the reason why we do this. We also look at his search. I mean, search for Chris John Riley. I'm going to search for DigiNinja, because he's been speaking a lot to him. So we can now see the conversation going here. But now we do the same thing again, but this time flip it around. So this time we do the search, but this time on DigiNinja. This is the first time I've done a demo live; normally I do a video, because I talk too fast and it slows me down. So now when it comes back, let's go up here, go up to the top, and go to the top here again. So now we can see the conversation that's happening between the two. So for example here it says, maybe, let's go down a bit: is there an equivalent ram of a sushi boat? A ram to a boat with liquid inside, should it not sink? Maybe float the sushi boat on the ram. Now that's a nice pipe. So now we're seeing conversation between him and other people. So we can actually look at how he's talking to people and how people are interacting with him. This gives us a much higher chance of success if we're doing a phishing attack.
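The mention counting and chronological search the demo walks through, as an added example that is not the speaker's tool: it models its input on the Twitter v1.1 user_timeline JSON fields (created_at, text, retweeted_status, entities.user_mentions), runs over a constructed sample timeline, and is the same pass a defender would run on a brand or executive account to see which contacts it exposes.

```python
"""Added example: who does an account talk to, and what does a keyword
search on its own tweets look like in date order?  Retweets are dropped,
as in the talk, because they say nothing about the account's own contacts.
The field names follow the Twitter v1.1 user_timeline response; the
SAMPLE_TIMELINE records below are constructed, not real tweets."""
from collections import Counter
from datetime import datetime

# Twitter v1.1 created_at layout, e.g. "Mon Jul 01 10:00:00 +0000 2019".
TWITTER_TS = "%a %b %d %H:%M:%S %z %Y"

# Constructed sample timeline (assumed shape, hypothetical handles).
SAMPLE_TIMELINE = [
    {"created_at": "Mon Jul 01 10:00:00 +0000 2019",
     "text": "@alice heading to #recon village",
     "entities": {"user_mentions": [{"screen_name": "alice"}]}},
    {"created_at": "Tue Jul 02 09:00:00 +0000 2019",
     "text": "RT @bob: great talk at #recon",
     "retweeted_status": {"id": 1},          # marks a retweet
     "entities": {"user_mentions": [{"screen_name": "bob"}]}},
    {"created_at": "Sun Jun 30 18:00:00 +0000 2019",
     "text": "@alice @carol see you at #recon",
     "entities": {"user_mentions": [{"screen_name": "alice"},
                                    {"screen_name": "carol"}]}},
    {"created_at": "Wed Jul 03 12:00:00 +0000 2019",
     "text": "@carol thanks!",
     "entities": {"user_mentions": [{"screen_name": "carol"}]}},
]


def own_tweets(timeline):
    """Tweets and replies only: a retweet carries a retweeted_status object."""
    return [t for t in timeline if "retweeted_status" not in t]


def top_mentions(timeline, n=100):
    """Rank the handles the account mentions in its own tweets (its 'circle of trust')."""
    counts = Counter(m["screen_name"].lower()
                     for t in own_tweets(timeline)
                     for m in t.get("entities", {}).get("user_mentions", []))
    return counts.most_common(n)


def search_timeline(timeline, term):
    """Keyword or hashtag search over the account's own tweets, oldest first,
    rather than the relevance order the web UI returns."""
    hits = [t for t in own_tweets(timeline) if term.lower() in t["text"].lower()]
    return sorted(hits, key=lambda t: datetime.strptime(t["created_at"], TWITTER_TS))
```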
So if we actually try to look at that now on Twitter, when we try to see the same conversations by doing the search, we can see now it's all dotted all over the place. We have here this year, last year, this year, this year, last year, this year, last year. So when we do the search, it's not in chronological order, so it's hard to actually find the information that we need to be able to exploit him. So we're seeing there how we look at a person having conversations, talking with people, and how we'd be able to use that information to understand what's going on, but what about companies and organisations that are just broadcasting? Someone like Donald Trump, he just broadcasts information; he doesn't actually have conversations with people on Twitter. Companies just broadcast information on Twitter. So since we mentioned Lockheed Martin, we'll add Lockheed Martin's Twitter feed. So we see here, we do the same, do the search, and we see Ram Emberlowe's, space, 156, F35, F33. So we're also seeing there that we now have high confidence that this is an official Lockheed Martin Twitter feed, because we're actually seeing mentions that we would expect Lockheed Martin to have. We're not seeing Bieber there, or somebody else, Spice Girls or something, so we actually know that this is not somebody spoofing Lockheed Martin, this is actually Lockheed Martin's website. So we look at Ram Emberlowe's, you see this, that's Rick Emberlowe, leader of space. So we can actually have a human interaction target; we can do supply chain targeting. We might not be able to get into Lockheed Martin, but we might be able to exploit him to actually pivot into it. Remember we have the F35 there, so we look at the F35 Twitter feed. Again we can see Lockheed Martin, Luke Air Force Base, Royal Air Force. So we now know that this is again an official Twitter feed from Lockheed Martin.
We have very high confidence of that. But you also see there someone called Billy Flynn. We look at Billy Flynn; he's the F35 test pilot. So this is now giving us information on somebody else. I'm not going to be able to hack the F35, I can't stop the F35 from flying, but if I can take down the F35 pilot, the F35 doesn't fly. It's a very clever plane, but I believe it still needs a pilot to actually take off. So yes, quickly, that's the end of it. You do need to register with Twitter to get yourself, what's the word, a developer licence code to actually be able to communicate with it. You are also limited to 3000 tweets per search, which I don't think is a restriction. Someone like Chris John Riley is constantly tweeting all the time, and I want to see the latest tweets, the latest information, the latest people he's talking to, because if I try to spoof somebody he spoke to three or four years ago, he'll think their email has been compromised and he's not going to believe who he's talking to. So I need to have that up-to-date information for him to actually believe it's genuine. So yeah, that's it. Thank you very much. I'll tell you quick, get this back in time. So yeah, that's the information. Yeah, there you go. Thank you very much.