If you've got any further questions after that, by all means grab the teams, and you can discuss that. Our two judges are Justin and Maxie. Starting with Justin, Justin is, according to the notes that I've had scrawled in front of me, an active OSINT researcher, he runs OSINT Framework and he's a CFP review mentor. I'm hoping that's all correct; if it isn't, just smile and nod. And Maxie runs ToolsWatch. Moving straight into our teams, we've got RTL recerning. They're going to be discussing an API for free SMS receiving services. I'll hand over, once I've switched this mic on.

Okay. The mic's on. Can you hear me well? Should I put it closer? That's fine? That's fine? All right. So, first time participating in any kind of contests here at DEF CON, so I'm not a real programmer either... so trying to participate for the first time in an OSINT hackathon. The idea that we come up with, where we're a team with two people. I'm Brett and there was Lyn. We both tried to code together on this project. We had the idea to provide an API as a service to other web services, in order that they can, as a countermeasure, detect fake accounts, fake news, fake followers. On a lot of platforms nowadays you have to provide a cell phone number which should be a valid one, because often they send an activation message to you in an activation code, so you should receive a text message on your phone and then type over the code on the sign-up form in order to complete the sign-up process.
Now for a person who generally wants to create a personal account, he puts in his phone number, creates a new account on the platform, it's no problem. But there are also people who want to just create an account but they don't want to provide their own phone number for specific reasons, or they want to create multiple accounts, so they need to have multiple phone numbers. And there's web services out there that allow you to read received SMS messages to their specific numbers. I'll show you a few examples of those web services, so you know what I talk about. So these, like these dodgy looking websites like receive and as a mess dot com. I mean, I'm not saying that they are performing any like illegal or really dodgy kind of stuff, but a lot of people use them for dodgy reasons, I suppose. So basically you pick one of the phone numbers. Let's go to Switzerland. And then, yeah, then you can see, for example, activation codes being sent to this specific number. That could be interesting. So what do we want to do? We wanted to create a tool which basically scrapes a predetermined list of these kind of websites. Scrape them for their phone numbers that they offer on the site that you can read the text messages from. Yeah, there's another one of those one. And put all these in a database, like a small database. And once the scraping is done, it's in the database. The idea was to provide an API. So some service who is not necessarily running the database themselves, they could, but then they have to run the scraper themselves as well, who just query the database through an HTTP GET command and then see whether a phone number is known in that specific database or not. If it's known in the database, then it's highly likely, or it is like with certainty, a person who is trying to set up an account using one of these free text messaging services.
Depending on what kind of platform you are running that you want to do fraud detection on, it's not desirable that people put in fake telephone numbers or telephone numbers that they are not the owner of. So that's why we created, in the few minutes' time between all the interesting talks here at DEF CON, a tool called Free SMS Detector. Basically, we even had a little bit of time to put some basic documentation in there. So it's based on Python 3. You can clone it. It's all on GitHub. I suppose the GitHub repo link will be available afterwards on the Recon Village website as well. Or you have to watch the video again. So there's two parts. You could run it yourself and provide an API to others. Or you could run it yourself and not use the API but just use the Python component. So we split it up. So there's actually two components. There's a crawler part, which could of course be improved if you have your own idea of places where to find these malicious telephone numbers. You could easily extend this and add your own crawling to the script. And there's the API part. So for the API part, because that's going to be probably the most interesting, because for that you don't have to run anything yourself. You just need to use the service somebody else is providing. So the idea is that you do an HTTP request to a server running this script. I'll give a small demonstration. So I'm not sure if you can read the URL. So basically you just do an HTTP GET and then you provide a phone number attached to it. So just be careful that the phone number is URL encoded, since a plus or a space or a parenthesis in the URL should be decoded. Otherwise the data is not passed on to the script. So if you just, it's pretty straightforward. First of course I have to launch the web API, which is in this case on localhost. So I'll be firing it up. All right, it will be better. So basically you just query your number that you want to query and then it returns true or false.
It's just as plain simple as that. Now for privacy issues, a service who wants to do this kind of fraud detection might not necessarily want to expose their new account creating, new accounts that being created, they don't want to expose the phone numbers of the new users. So there's a second method: you could format the phone number that the user has given as a specific format. So you remove all the spaces and the parentheses. The format is called E.164, and they have fancy names for that. And then you just make the MD5 sum of that hash and then you just throw that hash into the web API. So that way you only get a true result if that same hash is also present in the database. Just to show you for debugging purposes how the database structure looks. So there is MD5 hashes, telephone numbers, and when it was crawled and on which URL it was found at the time. So quickly show you the crawling part. So this is the SQLite database that runs in the background. There is at this moment, it's there on the bottom, 84 different phone numbers present. Now if you look at unique ones, because we don't throw away any data, there's 25 unique ones at the moment. So if we for example would launch the crawler, let's see. I'm going to take it straight from the documentation. Let's see. So to populate the database. So once you have cloned the project it's just as simple as following the instructions on the GitHub page. It doesn't require any Python knowledge but it does help. So if we launch the scraper now. So it scrapes a few sites. Some debugging output as well. So as you can see the telephone numbers have dashes, sometimes they don't. If we now go look at the database, hopefully, so we had 84, now at the bottom if I do a refresh, 107, so there's more entries in there. If you look at the unique ones, so there's no new unique ones collected because I ran it this morning. So chances of having a new number on there is quite small. Let's see if I missed something. So go over it.
So that's basically the idea to provide a very simple script that could help you detect fraudulent sign up for your web platform. What are the possibilities in the future? I mean this is very basic. It's not extremely extensive. This has all been made in a few hours during the most awesome event of the year. So bear in mind. There's casinos and drinks around it as well. So they're all working against us as a factor. But you could extend. I mean if you think it's useful you could extend it with other phone numbers. We have some version of generic regular expression that gets any kind of phone number automatically from any kind of HTML text or anything like that. It's kind of buggy at the moment but we're fixing it. I think that pretty much concludes it. So I understand. If there's any questions about this now is Q&A. Cool. No questions. Awesome. So will it work for all the carriers? Yes. I mean it's basically the input of the database is predefined web pages. So we have a list of web pages. Quickly show you. So we put like four websites in here that these are services that are for the moment hard coded in. So you could I mean they're infinite these services. A hundreds of them I think maybe 20, 50, 40. Yes. And those will be scraped and those telephone numbers put in the database. That's the idea. So will you detect all possible fraudulent phone numbers? Not at all. I mean there is ways of getting a temporary phone number if you pay a small price. But a lot of those people who make a fraudulent account they're even not willing to spend 20 cents or anything for two reasons. It costs money as little as it is. But if they make 100 bots it costs gradually more to spend the money. But also because it leaves traces as soon as you pay something it's very difficult to stay anonymous. So that's why they just want to use the free numbers. I mean most people are lazy. I mean as a scripter I'm lazy as well. That's why I script because I don't want to do this stuff manually. 
Thank you.

Okay, now to introduce the next speaker. My servant who's going to be introducing a Recon-ng module for automatic extraction of information from webpages.

Okay. So I don't know if anybody's played around with the tool Recon-ng before. Anybody seen that? It's one of my favorites. It works really good. What I like about it is it puts information in a database so that the other tools, they're like modules that can be added, and they can use that same information. So what I have here is not something new. It's like a spider, but the concept is that it just helps add more data into the database. I'll show you that in a minute. So what it does is you basically type in the website that you want to scan. I'm just going to basically open up the web page, go through there and parse out all the hyperlinks. So I'll just try ebay.com for example. Oh wait, hold on. I have to select. There's an option, like if you were using Recon-ng you would import all of your previous data if you wanted to. So I'm going to go up to the top here to show you what was going on. The following unique host names were grabbed from the web page, but we don't know which one of those domains are ours. So the way that I'm doing it right now is to search the base of the domain ebay.com. All of these fall within the base domain that you added. So you know that those are your domains. And so then it gives you an option of the remaining domains. It gives you the option: do you want to search each one of those for host names. So that's kind of what all that is. So your options here are if we want to continue the next scan. So this next website is eBay Classifieds Group. That looks like it's eBay, so you would hit three to continue my next scan. So then it's going to scan that web page and pull back more hosts and stuff. So right here you can see where it started scanning. 56 hosts have been identified so far and then 25 of those belong to your organization.
So this next one, stubhub.com, was probably a link to another web page, so you don't want to scan that one. So you hit four to skip to the next one. eBay Inc, yeah, that looks like it's ours. So you continue your next scan at number three. And so you see it's like it's found some additional hosts and stuff. And this process goes on for a while. The thing is, the nice thing is that you could save it in the database. So once you do this it takes a little bit of knowledge about your domains. But chances are, like once you see the domain, you're like, oh okay, yeah, that makes sense. But what I would like to do eventually is to not only like say this is Facebook, everybody knows what Facebook is. But let's say it's some other domain, it would be cool to be able to pull information from, you know, WHOIS, to see who the domain owner and stuff like that is. And if you're doing a pen test on somebody else it would give you the additional information. And then you can also use this if you're a company and you're wanting it, we're pretty, I would work at a large company. And people are creating websites that we don't even know about sometimes. It's not supposed to work that way but it does. And so if you have this whole database of all your host names out there and somehow somebody adds a new one, you'll be able to find it with this. Recon-ng also has like some DNS brute forcing, a lot of other things. But this just augments that data. And so the other features that I'd like to add, I didn't get a chance, and there was a lot going on. But once we get all these web pages that we know are ours, Recon-ng also has an option to add domains. So this would automatically add it into the domains. It would automatically add all the hosts, obviously host names. But I'd also have like an option for scanning all of those same pages for the email address. Which I think there might be a module in there already that does something like that.
But this one helps you make sure that you get all the domains if you don't know about them. And then add some Google hacking and stuff. And then search for file extensions. I mean, like I said, a lot of this stuff has been done 100 times over. But this was just a tool to embellish the data inside of a tool that already exists. What is cool about that is that other people who write modules can then use that same data. And that's our project. This is my co-worker from Costa Rica over here, Sylvia. All right, thank you. Any questions? All right. You know, so I'm not actually using any kind of Nmap type of stuff. It's purely going at the web page and scrubbing the web page for information. But the thing is, inside of Recon-ng you can run those Nmap scans and figure out what ports are open. So that's why I like it as a module. So yeah. Thank you. All right, thanks. And there's the libraries, by the way, that I'm using. How do you have it? About two. There you go. Awesome.

Okay, whenever the judges are ready I will ask them to come up to announce in a break. Okay, they're going to go away and discuss things for a few minutes and then they'll be back to announce the winner in a short time.