Hi, welcome to track two. Yay! So I'm Vist, this is Jonathan. We're going to abuse VNC really, really badly. Do you have anything? No? Yeah? Right. So this is us, yeah, fun times. We both do terrible, terrible things on the internet. Usually on Twitter; it's very, very public and usually it's very, very amusing.

So internet stuff, it seems like it's getting nicer, but it's proliferating lots and lots of horribly broken vulnerable devices, right? So the internet's getting pretty bad. It's not really getting better. They keep adding more problems and more vulnerabilities and nobody gives a crap about security, and then you have this sort of thing happen, and then this sort of thing happen, and then basically this is just us saying, like, hey dude, you could totally see the faint outline of some cyber, cyber something legislation in there, and you can smell the "you're not allowed to hack all the routers" proposals. You can, yeah, that's right. That was the, what was it, FCC? Yeah. Yeah.

So, cameras. Yeah. So I was doing a talk back in March this year, and the screen you're seeing on the left was a house that was actually close to where I was doing the talk, and I was also talking about VNC stuff and I just popped open the window. It's like, hey, this is a house. If you look to the left, you can probably see it, and there's just a bunch of stuff. So you can go from cameras to people putting SCADA stuff on cameras. And over time, sometimes stuff gets fixed. So this company had this on VNC. You could basically go into the settings and people could mess things up. And what they did when I reported it is they removed it, and then on the same IP address, something else came back and it was a camera. It was looking at the same screen we had on VNC before. Just so people couldn't screw with the settings.
But, you know, it's okay because now you cannot mess with anything and they just want to remotely see what's going on in the factory.

This is another interesting one. So there's a company in my country, and when you ship something back because you don't want it, they unpack it and they check to see if you didn't mess with it, if you didn't unpack it. This is the camera which shows the guy who's unpacking all the stuff, because they want to have it registered in case something's up. So I could send back my own package and then see it pass by, basically.

Now, something else I've been doing, which is kind of sketchy sometimes, is look at the Middle East. They have a ton of interesting stuff. I only put this one in there because I don't want to put people off or get the wrong people looking at me, basically. But there's like a bunch of cameras and a bunch of interesting devices online in the Middle East as well. What could possibly go wrong? It's "burn your house down" as a conference.

So let's introduce some fifth-dimensional thinking. It appears as though the world at large is now, in 1999, realizing that there's more on the internet than just Facebook and Candy Crush. And this realization has terrified people enough to believe that they need to have like support groups to cope with that idea. So we see something like this, and for two guys that spend their time trolling the internet and finding ridiculous, ridiculous stuff that shouldn't be on the internet, we're just like, what the? Really? So this, yep. You can browse the internet from your fridge. What could go wrong?

Yeah, so sometimes you find the sketchiest devices. So this one wasn't connected online. This is basically, it doses the drugs you get in the hospitals. But these used to be hooked up on a hospital network locally. You could telnet to them and it could do statistics and, you know, change values.
But somebody thought, you know, we need to upgrade this. We need to rebrand this. We need to sell more of this, basically. So, you know, it's running Linux sort of as well. So let's just add Wi-Fi because that's good. They have Telnet, but nobody added authentication. So that's kind of good. But then somebody actually got a CVE for the thing not having authentication. So apparently you can now get CVEs for features you want to have, which is kind of neat. So we don't really know what's up with that. I don't even. I don't know. I'm not sure. I think this is one of the "there are no words" slides. So we're just going to show you a picture. Like, that's the greatest expression. What could possibly go wrong?

So apparently there's, I won't read the slide to you because I'm sure most of you in the room can read. Apparently there are toasters that will complain at you if you don't feed them whole wheat bread. Like, you're not allowed to eat this kind of bread. You have to eat that kind of bread. And fridges are shutting down when certain types of inconsistencies are detected. So now you have your fridge telling you, like, you can or can't eat your food. Or you can't refrigerate your food. Cause, you know, that's fine.

And then cut to more internet bedouchery and you have this. Which, when we found it on VNC, we're like, what on earth is that? And at the time, the little red arrow was moving over this grid. So have you ever played that game in the 80s, like Spectre or something? It looked like that. It was like this little arrow and it was moving over this grid. And we're like, that's really weird. It's alive. So we looked it up and it's this tool that's used by farmers to, oh, is it water? No, it's not water. Maybe it's something involving traveling over crops. And I can't remember whether it's to give them nutrients or to water them or to collect things. But there's a video.
We're trying to get, there we go. So I wonder if there's, yeah, it won't let us skip it. So like, sorry to make you wait for 30 seconds. But this is their demo video. This is their, like, reel. And you can see it at about the 45-second mark. And you can see it behind the dude's head. This guy's in a tractor and this thing is kind of like, if Tesla was wearing overalls and had a hayseed; like, it drives the tractor and it keeps track of where has been dealt with. And in a minute he pans up and, like, dude moves his head and he points at the thing. The audio was crap so he cut the audio. But, like, this thing, this device is on the internet with no authentication. And you can, like, you want to take control of a tractor over the internet? Because you can do that. Because somebody thought it was a good idea. And now we have this. Fun, fun times.

Yeah, so it's also interesting, like all these devices are on like 3G, 4G uplinks. So if you just scan certain Verizon and AT&T networks, you'll get different stuff pop up every time. So this one, you couldn't find it back if you scanned the next day. It would be somewhere else, whenever they turned it on and whatever IP they got. So yeah, we got this ancient industrial stuff we've been probably tweeting about mostly, like any dam or water irrigation system, we'll find it. But there's a lot of new toys basically, just like the infusion thing at the hospital.

There's also this, which is an exercise bike. This was in Hawaii. And we could get the exercise bike and remotely see, like, the screen where you had to press start and then pick whatever you wanted. And then we actually found one that was live. So you could see, like, the guy, or you couldn't see the guy cycling, but at least you could see him, you know, progressing. How to embarrass yourself over the internet, live. And there's also this kind of stuff. So this is like a solar cell power thing you can have at home.
These were all open in Germany. So the manufacturer didn't do anything. And again, they were on like 3G sections of the network. And then it was reported and then they said they fixed it. So what they did is they added a new GUI and then they said it's fixed. They're still there, basically. Yeah.

And you found your boat. Why is there a yacht on the internet? Who thought this was a good idea? It lets you control the engine. There isn't enough booze in this conference. Anyway, yeah, so there's a lot of that, but it happens on Twitter. Why, I don't even, like you find, what do you do? You find a yacht on the internet and then what? You just go, uh, you make a meme. That's, you download Instagiffer and you make some GIFs. But it gets worse. It gets much worse. Fun times.

Yeah, so sometimes you find really weird, sketchy stuff. So this is a guy who was cashing out PayPal accounts, and he was on VNC. So we could basically see him, like, pull out accounts, like the right side. First column is all the email addresses, then it says if it has any balance, if it's connected to a Mastercard or Visa, and then if he pulled anything off, like if it had a positive balance. And this guy was just cashing out PayPal and we could just watch him booze on VNC. Just kind of interesting.

Yeah, then you found your aquarium. Yeah. I thought this was an aquarium and I was really excited, like, wow, somebody spent a lot of money on the saltwater aquarium. It was the ocean. The, the Otheon. This was a camera that was in a place that I didn't know existed at the time: the Maldives, which is apparently a really, really fancy island chain. This is a camera in a hotel that's shaped like an octagon that's below the ocean. It's like submerged. And one side of the restaurant, it's a, yeah, the restaurant is submerged. And one side of it, like the whole thing, is this big octagon of plexiglass.
So you go and you have dinner under the ocean and one side of it has coral reef. And the camera that's on their website that sort of advertises the hotel is pointing out the window. So when you see it, I mean, this is what you see. You're like, whoa, that's kind of interesting. And it's RTSP and it's live, and if you know the address and you know how to plug it into VNC you can just hit play and just full screen it on one of your displays and you have this huge, like, fish tank, right? So it's really neat. Like this is the view from dinner. Like if you can afford the $16,000 a night hotel room. But you can also do what I did, which was leave it full screen and be like, oh, this is really neat, I'll just leave this up while I'm working, whatever. And then you go out for like dinner or whatever and you come back and you see this and you go, what the, what, why are there people? There were divers on the other side that had gone in and were cleaning the glass. But yeah, when you think you found everything, you find this and you go, no, there's no more. But yeah, and yet there is still much more. It doesn't end, it never ends.

Yeah, and it goes from funny to really bad. So this is a cardiac imaging device which was online. You could just reach VNC, open, nothing. Same kind of stuff, 3G network, so one day you would find it, other day you won't. Just depends if it's actually turned on.

So you have this thing, which is in some kind of company and it's like to scan badges or to register badges. They put up their finger for the fingerprint screen and it pops up all their information. So would you want to, I don't know, steal identities? You just sit there, you have a fingerprint, you have all their information, you just wait, you just go print screen, print screen, print screen. It's, yeah.

And then we found this, which is kind of interesting. So let's say you want to swat somebody; you usually do a call and then at the end you'll just end up in jail or fined.
You can now do it over VNC. So this is some station somewhere and this is the software used to manage, like, which patrols are out where. And we could just call one up, basically. So let's say you want to swat somebody, you just enter the address, you send like, I don't know, 10 squads there and you hit go. And they all get an update and they go there. So yeah. A little bit less traceable.

And then there's this. So originally I thought this was a device that was controlling like an X-ray machine. Turns out you actually need to press a button on the hardware to make an X-ray image. And this is stored on a data store and then you have a machine that interacts with the data store. So what I was looking at was actually some doctor, I guess, who was working with the data on the data store and he was just making notes and annotations in the documents, basically. So yeah, my guess was first that he was actually controlling it, but he wasn't, but close enough, right?

So yeah, we do a lot of scans, as in literally we are probably one of the five people that constantly bash VNC on the globe. Is Errata Rob in the room? No? Okay. Is John Matherly in the room? No? Alright. There's basically six of us that scan the whole world routinely for VNC, and like four or five of us are at con. So just fun times.

Yeah, so we do scans and we get back results. Basically, I usually scan for the RFB header, so connect on anything on known ports, expect RFB headers back and just store them, store the IP addresses, and you get about three hundred and thirty-five thousand that will respond to you. Eight thousand of those will not have authentication. You can connect and do whatever you want. Now what's interesting is if you look at, like, the versioning, so you get back all these banners and they have like a major and minor version and you can just graph these.
But if you look at, like, the official versioning, or the official documents that were brought out saying okay this is first and three point something, there's three point three, three point seven and three point eight. Those are the official versions, basically. Now if you look in this graph, these should not exist, right? These are numbers that make no sense. There's a bunch more that should probably not exist. If you actually look at them you can sort of figure out what it is. So you got Apple Remote Desktop, which basically, what they did is they changed authentication to use Apple ID kind of stuff. So the rest of the VNC part, it's pretty normal. It's standard VNC, just different authentication. You got the RealVNC Personal. So the guys who originally built the RFB protocol, they actually made a company and now they're also selling products. So you got RealVNC Personal which is on 400. Alright, so then you got RealVNC Enterprise which is 501. You got something unknown and you have a guy who's been messing with us. He's basically running a honeypot. Gives back whatever number depending on the port you connect to. But there was something else with no version, saying 0000. 3.5 thousand, actually.

So yeah, we found a bug. I'll just kind of skip through this because we're sort of slowly running out of time. Basically we got a discussion on Twitter and we ended up finding a really nasty bug in this thing. So, too much talk. Let's see. So what it ended up with is this. So we can use these VNC devices to reflect back on the internet or reflect back into the internal network. So these are 3.5 thousand devices which allow us to use them as anonymous proxies, or we can go back into their network. Which are just open. No authentication, nothing. Full port control through some bugs we had. We actually got a CVE for this. Because he fixed, we did port wrapping and they fixed it. Hey! But it actually gets worse. So he did a fix.
There was a CVE. He made an update. And like four days ago, just when I was making these slides or sort of finishing them, he got back to me and he said, hey, why are you using this bug? There's also like a feature that can do this. You don't need to abuse this bug to do port wrapping and connect anywhere. You really don't. You can just do it anyway. So this means you can connect to any host on any port on any protocol inside or outside the network through these devices. And even more interesting, these devices have blacklisting, whitelisting. This is locally hosted, so if you connect to one and you connect to localhost through these things, you can get on the interface and you can just turn off filtering. So literally if you do a curl through these things you set allow connection and refuse connection to nothing. All the filtering is gone. You can go anywhere you like. That's kind of neat. Yeah, the fix was whitelisting, but you just proxy to localhost and turn off the whitelisting. Okay, good job.

Yeah, so we call this Stargate because, you know, people get the reference: you go in somewhere, you don't know where you end up. Sometimes you end up from the same IP address, sometimes you go through somebody's network out to the internet on the other side. We don't know where. So basically it's an open proxy and you can pivot into it and go through anything inside. We made Python scripts, so if anybody wants to look at this and use it, it's up there. If somebody actually manages to use this in like some kind of red teaming or pentest, please tell us, because we haven't found anything interesting on the inside yet. It's pretty difficult: you go into a network and then you sort of have to guess what's always going to be there, except the web interface. So we have some demos, so let's see if we can actually do this in time. Okay, yeah, we'll do the most interesting one, actually. Let's see.
I already have the, yeah, so what I did: I'm running a Stargate proxy locally on my host and I have a VM which is proxying towards my host through the Stargate proxy, through the Stargate, back on the internet. So we can, let's do the most interesting one then, if we don't have enough time. So there's a bunch of them online, but this is one we found which is kind of interesting. So let's see, we can probably go to Google if it works. So just to show you can go into Google and it works: proxy through the Stargate back onto Google, depending how fast it is. There you go. So what language is that? Well, there you go. So this thing is apparently in France. So let's see what happens if we actually go to the server it's hosted on. Oh, there's one thing: this thing does not support concurrent connections. So this, you're doing localhost, you get by Google for a force, is because it's badly caching. So yeah. So now, all right, so now we get something internal in this network. We get an Apache server which is inside the network which we cannot reach from the outside, and then we can actually, with this one, go service status. All right, so internal service page, a page from an internal service, through a proxy, through the Stargate. This should only be available to localhost, but because we're proxying through the box that's hosting the thing, we are localhost, so fun times. Are we done? So