My name is Alberto. Like he told you, I'm from Spain. My accent is not the best. I'm here to speak about how to hack all the transport network of a country, how to make black hacking, how to hack critical infrastructures. So let's begin. This is the index of the main topics I'm going to speak about in this speech. First of all, I want to introduce myself. This is me when I was three, and this thing's handsome, handsome for men. I'm from Valladolid. Valladolid is a city 200 kilometers north of Madrid. I'm 24 years old. I'm single. If anyone wants to, okay? No, I only like girls. Sorry. Okay, I study maths and IT systems. I don't know how to say it in English. Maybe it's the same, the career, IT systems. In Salamanca. Salamanca is another beautiful city in Spain. It's near Madrid, two hours. This is Salamanca. It's so cute. And I want to introduce myself by telling you how I learned English, because this is very important to me. I was in a university city. Salamanca is a university city. In Salamanca there are a lot of young people, but not only Spanish people. There are a lot of parties. This is the main square in Salamanca at Christmas. All the students go to the main square and drink a little bit. In these parties I met a lot of foreign girls, foreign people. So I want to appreciate you, appreciate the American girls. I want to appreciate the Irish girls. I want to appreciate the visa people who were going there to learn English with me. I want to say thank you to all of you, all of you girls, because they really helped me to improve my English. Okay, so where did I get this material? I'm going to talk about some material, and I want to be clear on this. I did not do it. No, it's not a joke. Really. Okay, I just downloaded a torrent that I found around. I don't have the knowledge to do those things. I was looking for porn. That's all. Perfect. Clear. This thing must be clear. Okay.
Who do I think are the real guys who did it, who did this research? I imagine something like that, someone like this guy. I got some pictures in the torrent and this picture was around, and I thought these were the real guys who did all this stuff. Okay. Related research. There was a similar talk about the same topic that I'm going to talk about this evening. This is Anatomy of a Subway Hack, at DEF CON 16. It was a special talk because there were so many conflicts. You can see here. Can I read? "Court blocks MIT students from showing subway hack." "Judge orders halt to DEF CON speech on subway card hacking." And so on. So this is the related research. I'm going to talk about something like that that I found in the torrent. Oops. Wait. First of all, the first target is a kind of machine that is in the subway stations. I'm going to talk a little bit about that. They're just informative machines, only to see the best route to go from this station to this other station. The best route, anyway. Information stuff. Only information. Politics information. This kind of shit. So these machines, I call them finger machines. They say "try me". This is not the real machine; this is just another machine that says "try me". All of you, if you see a machine that says "try me", you try, of course. So, the finger machine. There were a lot of informative machines in the subway stations, like I told you before. Okay.
The machine has an informative function: to search the fastest route or to receive info. That's all. This is a stupid machine, at first. But then, okay, there are many, many ways to touch it. It's a touch screen machine. You touch the screen, and there are so many ways to get some free internet time, to surf on the internet, to check your Facebook, to check your emails. It's very easy. So you have to touch this icon. Then you have to touch this hyperlink. Then you have to touch this thing. And then you have Google for you. This is so easy. This is not important here. And there are some protections, because they try to download an executable, an .exe file. But there are so many restrictions. Can I? Okay, this stuff. But is there anything better than a shell? This machine has a print option. Just say print to a file. Then you go to system32 and you drag and drop to the cmd executable. That's all. Trivial, trivial. Then, when the guys, the pretty guys that I showed you before, have a command shell, a cmd, they connect to the FTP and download the server of a RAT, a remote application tool. That was all. And here you have the black screens of the RAT, the remote application tool, to look at the files and all the stuff. Perfect. But I want to be clear: this is a stupid machine, at first. It's just for an informative function. The boys who did all this stuff thought that it's not important. There are no juicy files, no juicy applications in these machines. But looking for juicy files... The machine just sees the router. First of all, the typical network scan, to see if there are a lot of other hosts in the same network and this stuff. But there is only the router. The router was the only one we can see. But the router does not have the default password. But it's okay.
But they looked at the applications that were installed in this machine. And they found this application. They called it pingeador. It's like pinger, to make a ping, an ICMP ping. Pingeador, pinger machine. I don't know what's that. So they looked around. There was an interesting application called pingeador. There was a config file with the SQL Server connection string. Perfect. The IP was a public IP, not an internal IP. Perfect. But anyway, I said, what was that? This is a stupid machine in the middle of the station. I'm pretty sure that this application is not bad. It's harmless, a harmless application. How it works is: it makes a ping to the IP of the server and so on, the three-way handshake to connect, and this stuff. But here you have all the tables. I run strings; there is strings to get the strings of the application. And I get the tables, the columns. I get some info about the people who developed this application. And finally I realized that this application is used to control all the stats of all the trains of all the country. It was the stats of the time of arrival, the history and the shit. This is a stupid machine, a machine just to look for the faster road to go somewhere. But this kind of application is installed there. Why? Why? Stupid, really stupid. I had the connection string. They had the connection string: user, password and all of this. Whoa. Ah, okay, I don't see it here. I'm going to stay here. Possible bugs. Some parameters are sent to the application, but one of them, called ID terminal, is extracted from a text file, a .txt file. So, okay. Just remember this is a SQL Server.
If we have enough privilege, we are able to drop a database, exec xp_cmdshell, net user, to add a user and connect remotely to the system. Or just select all the statistics of the subway, or just get some juicy info about the frequency status, history, all this stuff. I have a funny story, because someday all these machines disappeared. So these guys went to some station to ask a security man why this machine was not in its place, the place where the machine used to be. And this guy said to me... said to them... okay, okay. I want to be clear: if I say "me", this is because it's so personal for me. I found this story. Yeah. Oh, it's true, my English is the worst. I'm sorry. I was saying. Okay, let's go. So I go there and the man told me, okay, this machine was removed like two weeks ago. But do you know, I am a hacker. Oh yeah? You look like... your job is security man. You don't look like a hacker. You don't have this cool hairdress. And he says, yeah, I know a way to check my email. I say, oh, your password is mine. He was more or less this guy. Okay, let's continue. Getting cheaper tickets. This is the kind of tickets used in this city that I don't want to say the name of. They tried to read it raw: the tickets, the magnetic strip. They tried to read it in this thing, the credit card reader. But it doesn't work, because if you swipe faster or not faster, it's different; the dump is different. So it doesn't work. These are the sectors and prices. This is very important. In these cities there are a lot of sectors. You can see A, B1, B2. You can see it down on the left, on the right. If you want to travel further, you have to pay more. It's typical. Okay.
Those are the prices to travel. If you go to the A zone, you just pay like 51 euros, I thought. 51, yeah. If you go further, you pay 123. There are a lot of prices and sectors. But you can read "tercera edad". It's like retired people, old people. The old people, the people who are older than 65 years old, just pay 11 euros in all sectors. Cool, for them. This is the monthly pass. There are two important things in this pass. This is the important thing: this number. Well, it's not a number; these letters and numbers, Q, this thing. And the barcode. Do you see the barcode? The barcode on this pass. There are two important things. And another thing that's important too: do you see B2, in the middle, in the head of Lisa Simpson? B2 is the sector. Three things: the sector, this number, this string, and the barcode. The barcode in the pass is used to renew the monthly ticket. So I have the barcode. I introduce the barcode into the machines, and then I pay and I get the new ticket for this month. The barcode has this format. But they realized that the barcode is a character and the pass number I showed you before. This is the barcode. So if we change this character, we can get the older people ticket. So cheap. We can travel with the older people ticket, and we can generate it in the machines; it's not cloning. They were paying for the tickets. But they are not 65 years old. So everybody knows that we do fuzzing with a fuzzing tool, a web application tool, Burp Intruder or, I don't know, Hydra, to make fuzzing things. But the new fuzzing technique for them was the fuzzing man: a guy with barcodes at the machines, trying every barcode, to get what was the real character that he has to use to get the older ticket.
So finally, after trying a lot of barcodes, introducing the barcodes in the machines, finally we got this ticket. This is a 65-years-old ticket that they generated in the machines. They can generate any number. This is the pass. It says "hacker". Oh, nice, I did not realize until now. So... thank you. They can travel in all the sectors only paying the 11 euros. Nice. Careful with this: the ticket is yellow. Do you see it? Yellow ticket. The usual ticket is orange or white. So if someone of the staff looks at you when you are introducing the ticket in the machine to enter the subway... and this ticket works with the subway, with the buses, with the local trains, with all this stuff. So if someone of the staff is looking at you when you are introducing your ticket in the machines to go to the subway, they say, hey, come here. So our friends, I told you before, had some casualties: 93 euros, because this guy looked at him when he was introducing the tickets. But our friends, who were so smart, made some improvements in the tickets. They just took the magnetic strip and pasted it in a usual ticket. So finally, RFID, next target. There is a new RFID system in the subway. It works with a zone only, a sector, in the middle of the town only. But RFID is used by the staff. The staff hold the RFID on the neck, like you with the badges. So it's easy to get close to them to ask a question. They are so kind. They are so kind. Yep. So if we mix an ultrabook or any other computer and a Touchatag, this is a reader of RFID tags, just a reader, and you go for a visit. This, I think, I don't know because I'm not the guy, but I think that this is the cigarette box.
And you can put the Touchatag inside the cigarette box and go with the cigarette box asking a question. Oh, sorry, where is the faster way to go to...? Bye. And then you have the dump of the RFID, and you just... it's RFID hacking. To process the information, to get the password of it, and clone it. And finally you have an RFID keychain and you can access all the sectors with this shit. I love the word "shit". In English, so: "sheet". Thank you. Security cameras. Next target. There is a big camera circuit in all the transport network. All the transport network is recorded all the time. There are several control centers like this. You can see what was the operating system used by the staff: XP. And there is a wireless network. So many APs in all the transport network. What? Nice. But wait, the SSIDs are hidden. Okay, let's go. There are a lot of antennas. So many antennas: planar, omnidirectional. That's okay. And there are APs that are accessible by everyone. Why? Man in the middle. So easy. But our guys were nice guys, the guys I showed you before. So they did not do anything with these things. They used another AP. Once inside, there was no DHCP. Oh. But Wireshark is our friend. ARP too, of course. So the guys just had to wait to get an ARP packet to know what's the range of the IPs, to manually give themselves this IP, this subnet. First of all, ARP scan. They found three hosts. There was our friend, our AP friend, the router, and some other host. Port scan of the hosts. Typical network pentesting. Typical. I'm not a magician; they were not magicians. So, a router. The router was... I don't know if you see. Do you see the open ports? Yeah? No? Okay, wait.
21, 23, 80, and... 1998. Nice. This is the router. But this is the other host. This is my favorite: 23, 443. Oh, nice. And 50,000. Strange. They saw 443, so they accessed this host through HTTPS. And that's what they found. Oh, invalid certificate. A self-signed certificate. This is there. Wait. SPC, SPC, what's that? I continue, and I arrive here. They arrive here: SPC 5300. I have no idea; they had no idea what that was. I just looked in the torrent and I found this information. Wait, wait. And I found out about this hardware, because it's hardware, and I looked at what it is used for. And there is a web server. This is the web server, the slide before. And you can see, okay, you can control through the internet: GSM, wireless detectors, fire warnings, IP cameras, audio gate pad, door control. So, like in a pentesting... I have no knowledge to do that, but some friend told me that pentesting is done like this. Man in the middle. An invalid certificate was used, so it's too easy to use our self-signed certificate in the middle of the client, and we have the credentials in the clear. And this is cool, because there is an invalid certificate, so the admin is used to accepting the invalid certificate. Who looks at the fingerprint of the certificate? I know you are so great, so maybe you do it. But we can go deeper. More funny. Do you remember the port 5000? No, 50,000. Do you remember in the port scan? There is an IP from another netmask. So we can take our range and we can start another pentesting on this network. And this network is okay. But, oh, wait, there is another IP that is sending the same UDP, the same length, all the same, from another IP. I don't know. Maybe my friends know, but they didn't write anything in the torrent, so I don't know. But we can go deeper.
We can use an invalid certificate sent by us, and so on. And finally, our last target: train machines. Used to print tickets for a paid trip, change tickets, upgrade tickets, cancel tickets, buy tickets with credit cards. Nice. Recently there was an update. Before that, anyone was able to get a login panel. I want to clear this. The machines were touch screen machines, like our first friend. So there was a place on the screen to press, in this zone, and get a login panel. Four digits, four numbers only, to get into the admin panel. Social engineering, do you know about that? So we say, oh, what happened with my ticket? I don't know, I introduced my credit card and it's stuck inside the machine. What happened? Oh, wait, wait, wait. Four numbers. Okay. But not now. Just a couple of weeks ago this function disappeared. But we can get full access to all of these machines. These machines are present in all the country, all the stations of all the country. I have a video here. This is the way to access the cmd, in a video. Going, going. Select the destination. Next. Change the date of the travel. What's that? Internet Explorer. Thanks, Microsoft. And do you know this stuff? Who knows these things? Look. Add-ons administration: an Internet Explorer function. That's all. Add-ons administration. Internet Explorer has this option. You can click here, down. It's a little geeky only here. But to get these windows, then you push, you press a lot of times there. Not responding. So thank you, Microsoft. Do you know this is small? The keyboard on the screen is small. And this is a touch screen. This is a shit. You want to press A and you press S. You want to press W and you press M. But we have our shell, our cmd. Do you see applications?
We are there. There's an internal application that has several functions: accept any credit card, turn the alarm on or off, temperature of the machine. You can control the temperature of the machine. What? You can open the door, the machine door. So many stats and parameters of the machine. This is the application. Here there are so many options. You can do a lot of things with the machines. Remote control. All the time we were in front of the machine, with the security cameras here, with the security walking around there. So this is important. The guys that did all of it wanted remote control, like every one of you. So there is an application for the remote control, but it can only be used if you are in the internal network. So this is not useful. So they wanted to remote control the machine, of course. They tried to install a trojan, downloading the server of the trojan through HTTP or HTTPS. But all the requests were forbidden; only internal web pages were allowed. Tried to use FTP. It didn't work. Oh shit. Losing hope. The machine resolves DNS requests. Nice. So they thought UDP traffic was allowed. Easy. They tried using FTP through UDP: TFTP. Do you know old-fashioned TFTP? TFTP is installed in all Windows versions. The machines run, like, it's very traditional. So there was a TFTP client installed in this machine. Perfect. But timeout. It didn't work. But they still thought UDP traffic was allowed, but only using port 53, DNS. TFTP uses 69 by default. So they changed the TFTP client settings to change the TFTP destination port to 53. And then in his house they made a NAT to redirect. Do you know that? But timeout. But finally they realized that this is the network map: the machines, router, DNS, a firewall, and the lovely internet. All the traffic sent from the router to the internet is dropped. It's not allowed.
But the DNS has a rule in the firewall that allows all the traffic, only if the traffic comes from this DNS. If you make an nslookup directly to Google, it doesn't work. You have to use this DNS, and use the implementation of the DNS protocol: if I have no information, I ask another DNS. And these things. So this is the same I told you. To remotely control the machine, they had to use a RAT, a remote application tool, through DNS. Right? There is an interesting project called dnscat that does something like that. But our friends were a bunch of geeks. You know, this friend, I think it's maybe more than the first one, the real guy. I think so. So these guys developed a modular RAT using Python. Yeah, Python. It's heavy, because you have to use py2exe to convert, to load all the libraries. It's heavy, but it's so easy to develop. It's too easy. The RAT server, the server that was installed in the machine, in the hacked machine, just asks a DNS server for an A record. The DNS responds, and if the response has some pattern, the infected system does some action. If you resolve my domain and it's 1.2.3.52, the DNS tool takes the 52 and says 52 is a directory listing, maybe, or whatever. It did not establish a connection. Nice. Finally, the executable file was downloaded using TXT records of a controlled DNS server. We have to install the server, the server of this Python tool. Perfect. They used that to make the DNS requests. The machine was remotely under their control. Perfect. Pivoting. The operating system used in the machine was XP Service Pack 2. Somebody knows NetAPI? NetAPI, or "netapi" in Spanish. And this is the final slide, you can hold on. Once the machine and all the other NetAPI machines were under control, it's time to look for juicy applications and files. All the machines stored, without encryption, the CC dumps of the clients.
The credit card of all the clients. It's not necessary to make a hooking of the application. It's not necessary. Is there? Okay. It means that the bad guys, if those guys I told you before, if they were bad guys, they are able to get all the CC dumps of all the customers of the entire transport network of the country. Of all the country. Okay. So. Epic fail. Okay. That's all. I want to thank you for listening here today. I want to, wait, I want to appreciate the real guys that did all I have told you to all of you for listening to me today, of course. This is, I'm so proud to be here to be with you. To my family, a friend. This is, yeah, I appreciate that. All those who want to understand how and why things work. Okay. Continues in this way. Thank you. We can do it here because I've also got to take it down here. Okay. Okay. We are going to be doing Q&A in Q&A room one, if you want to follow us. And, yeah. That's it for this room. I have a talk because there was so many conflicts. You can see here. Can I read? Court looks MIT students from sewing subway hack. Do charters help to deaf con speech on subway car hacking? So on. Okay. So this is the related research. I'm going to speak about something like that that I found in the torrent. Oops. Wait. First of all, the first target is a kind of machine who is in the subway stations. Okay. It's just informative machines. Only to see the best route to going from this station to this other station. The best route to anyway. The information. Information stuff. Only information. Politics information. This kind of shit. Okay. So this machine, I call them finger machines. They say try me. This is not a real machine. Okay. This is just another machine that say try me. All of you, if you see a machine that say try me. You try, of course. So the information. There were a lot of information machines in the subway station, like I told you before. Okay. 
The machine has informative function to search the fastest route or to receive info. That's all. That's all. This is a stupid machine at first. But then, okay, there are many, many ways to touch in. It's a touch screen machine. Okay. You touch the screen and there are so many ways to go to get some free internet time to surf on the internet, to check your Facebook, to check your emails. It's very easy. This is, so you have to touch this, this, this icon. Then you have to touch in this hyperbankle. Then you have to to check, to touch this, this thing. And then you have the Google for you. Okay. This is so easy. This is not important here. And there are some protections because they try to download executable x file. Okay. But there are so many restrictions. Can I? Okay. This stuff. But is there anything better than a cell? Okay. This, this, this web, this, this machine has a print option. Just, just say print to a file. Then you go to system, system 32 and do drag and drop to the CMD execution. That's all. Trivial, trivial. Okay. Then when the guys, this pretty guys that I saw you before, has a common cell, a CMD. They connect to the FTP and download on a server of a rat, remote application tool. Okay. That was all. And here you have the black states or the rat, remote application tool with the, to look the files and all the stuff. This. Perfect. But I want to be clear. This is a stupid machine. Okay. At first. It's just for informative function. The, the boys who did all this stuff thought that it's not important. There is no juicy files. There is no juicy application into these machines. But looking for juicy files. Okay. The machine just see the router. Okay. First of all the typical network, network scan to see if there are a lot of, a lot of, a lot of other hosts in the same, in the same network and this stuff. But there's only the router. The router was the only one who we can see. But the router has not the, the file, the file password. But it's okay. 
But we, they, look at the, at the application who was installed, installed in, in this machine. And they found this application. They said pingeador. Okay. It's like pinger. Ping. To make a ping. ICMP. Ping. Okay. Pingeador. Pinger machine. I don't know what's that. So I look around. They look around. There was, there was an interesting application called pingeador. There was a config file with the sql server connection stream. Perfect. The IP. There was a public IP. Not internal IP. Perfect. Okay. But anyway, I say what, what was that? This is, this is a stupid machine in the middle of the station. I'm pretty sure that this application is not, is not bad. Okay. It's, it's harmless, a harmless application. But I am, how it works is he makes a ping to, to the, to the IP of the server and so on. The three-way handset to connect and this stuff. But here you have all the connect, all the tables. I make a string. There are strings to get the strings of the, of the, of the application. And I get the tables, the columns. I get some info about the people who develop this application. And finally, I realize that this application is used to control all the stats of all the country, of all the trains of all the country. Okay. It was the, the stats of the time of arrive, the history and the shit. This is a, this is a stupid machine. A machine just to, to, to look the faster road to go some, somewhere. But there is installed this kind of application. Why? Why? Stupid, really stupid. I have the connection stream. Use, they have the connection stream. User password and all of this. Okay. Whoa, whoa. Ah, okay. I don't see here. I'm going to stay here. Okay. Possible bugs. Possible bugs. Some parameters are sent to the application. But one of them, called ID terminal, is extracted from a text file, txt file. Okay. So, okay. Just to remember, this is a SQL server. 
If we have the, enough privilege, we have, we, we are able to draw a, draw a database, exec, xp, cmd, sale, net user to add a user and connect remotely to the system. Just select all the statics of the, of the subway or just to get some info, some juicy info about the frequency status, historial, all this stuff. Okay. I have a funny story because some day, all these machines disappear. So these guys went to the, to some station to ask to a security man why this machine was not in his place, in his place that the machine used to be. And this guy said to me, say to them, okay, okay, okay. Okay. I want to be clear. If I say me, this is because it's so personal for me. I found this story. Okay. Yeah. Oh, it's too, my English is the worst. I'm sorry. I was to say. Okay. Let's go. So I go there and the man told to me, okay, this machine was removed like two weeks ago. But do you know, I am a hacker. Oh, yeah. Your job is security, security man. You don't like, you don't look like a hacker. You don't have this cool hair dress. And he says, yeah, I know a way to go to check my email. And I say, oh, your password is mine. Okay. He's more or less, he was this guy. Okay. Okay. Let's, let's continue. Getting cheapest way tickets. This is the kind of tickets using this city that I don't want to say the name. They try to read a row. Okay. The tickets, the magnetic strip, they try to read it in this thing, the credit card reader. Okay. But it doesn't work because if you strip faster or not faster, the dump is different. Okay. It doesn't work. This is the sectors and prices. This is very important. Okay. In these cities there are a lot of sectors. You can see A, B1, B2. You can see it. Down in the left, in the right. Okay. If you want to travel further, you have to pay more. Typical. Okay. This is the, those are the prices to travel. Okay. If you go to the A zone, you just pay like 51 euros, I thought. 51, yeah. If you go further, you pay 123. 
There are a lot of prices and sectors, but you can read "Tercera Edad": it's for retired people, old people. People older than 65 just pay 11 euros in all sectors. Cool for them. This is the monthly pass. There are two important things on this pass. This is the important thing: this number. Well, it's not a number, it's letters and numbers, Q, this thing. And the barcode. Do you see the barcode on this pass? Another thing is important too: do you see B2 in the middle, on the head of Lisa Simpson? B2 is the sector. So, three things: the sector, this string and the barcode. The barcode on the pass is used to renew the monthly ticket: I have the barcode, I introduce the barcode into the machine, then I pay and I get the new ticket for this month. The barcode has this format. But they realized that the barcode is a character plus the pass number I showed you before. This is the barcode. So if we change this character we can get other people's tickets. So cheap: we can travel with other people's tickets, and we can generate them in the machines. This is not cloning. They were paying for the tickets, but they were not 65 years old. Everybody knows how we do fuzzing: fuzzing tools, web application tools, or, I don't know, Hydra, to do fuzzing things. But the new fuzzing technique for them was a fuzzing man: a guy with barcodes, trying every barcode in the machines, to find the real character he had to use to get the older people's tickets. So finally, after trying a lot of barcodes in the machines, we got this ticket. This is an over-65 ticket that they generated in the machines.
They can generate any number. This is the pass. It's "hacker", oh nice, I did not realize until now. So, thank you, they can travel in all the sectors paying only the 11 euros. Nice. Look at this: the ticket is yellow, do you see it? Yellow ticket. The usual ticket is orange or white. This ticket works with the subway, with the buses, with the local trains, with all this stuff. So if someone from the staff is looking at you when you are introducing your ticket into the machine to go into the subway, they say, "Hey, no. Come here." So our friends I told you about before had some casualties, 93 euros, because this guy looked at him when he was introducing the ticket. But our friends, who were so smart, made some improvements to the tickets: they just took the magnetic stripe and pasted it onto a usual ticket. So finally, RFID, next target. There is a new RFID system in the subway. It works in only one sector, in the middle of the town only, and RFID is used by the staff. The staff wear their RFID around the neck, like you with the badges. So it's easy to get close to them to ask a question; they are so kind. So if you combine an ultrabook or any other computer and a Touchatag, which is a reader of RFID tags, just a reader, you go for a visit. I think, I don't know because I'm not the guy, but I think this is a cigarette box; you can put the Touchatag inside the cigarette box and go with the cigarette box to ask a question: "Oh, sorry, what's the fastest way to go to...? Bye." And then you have the dump of the RFID and you have the ID.
To process the information, to get the password of it and clone it. And finally you have an RFID key chain and you can access all the sectors with this shit. I love the word "shit" in English. Thank you. Security cameras. There is a big camera circuit in all the transport network; all the transport network is recorded all the time. There are several control centers like this. You can see what operating system is used by the staff: XP. And there is a wireless network, so many APs in all the transport network. What? Nice. Bad. Wait, the SSIDs are hidden. Okay, let's go. There are so many antennas: planar, omnidirectional. And there are APs that are accessible to everyone. Why? Because they are not available in the middle. So easy. But our guys were nice guys, the guys I showed you before, so they did not do anything with these. They used another AP. Once inside, there was no DHCP. Bad. Wireshark is our friend. So the guys had to wait to get an ARP packet to know the range of the IPs and manually give themselves an IP in this subnet. First of all, ARP scan. They found three hosts: one was our AP friend, the router, and some other host. Port scan of the hosts. Typical network pentesting; I'm not a magician, they were not magicians. So, the router. Do you see the open ports? 23, 80 and 1998. Nice. This is the router, but this is the other host, and this is my favorite: 23, 443, oh nice, and 50000. Strange. They saw 443 as HTTPS, so they accessed this host by HTTPS, and that's what they found: invalid certificate. Self-signed certificate.
Wait: SPC, SPC, what's that? I continued and arrived here. They arrived here: SPC 5300. I had no idea, they had no idea what that was. I just looked at the torrent and found this information. Then I found out about this hardware, because it is a hardware device, and I looked at what it is used for. There is a web server; this is the web server on the slide before. And you can see: you can control through the internet GSM, wireless detectors, fire warnings, IP cameras, audio gate pad, door control. So, like in a pentest. I have no knowledge to do that, but some friend told me that a pentest is done like this: man in the middle. And an invalid certificate was used, so it's too easy to put our own certificate in the middle, in front of the client, and we have the credentials in the clear. And this is cool because there is already an invalid certificate, so the admin is used to accepting the invalid certificate. Who looks at the fingerprint of the certificate? I know, maybe you do. Do it. But we can go deeper, more funny. Do you remember the port 50000 in the port scan? There is an IP from another netmask. So we can change our IP and start another pentest on this network. And on this network there is, oh wait, another IP that is sending the same UDP, the same length, all the same, from another IP. So we can go deeper; we can use an invalid certificate and so on. And finally, our last target: train machines used to print tickets for a paid trip, change tickets, upgrade tickets, cancel tickets, buy tickets with credit cards. Nice. There was an update. Before that, anyone was able to get a login panel. I want to make this clear: the machines were touchscreen machines, like our first friend. So, there was an update.
You press on the screen, in this zone, and you get a login panel. Four digits, four numbers only, to get into the admin panel. Social engineering, do you know about that? "Oh, what happened with my ticket? I don't know, I introduced my credit card, my friend." Not now; just a couple of weeks ago this function disappeared. But we can get full access to all of these machines. These machines are present in all the country, in all the stations of all the country. I have a video of getting access to the CMD. Going. Select the destination. Next. Change the date of the trip. What's that? Internet Explorer. Thanks, Microsoft. Do you know this stuff? Look: Internet Explorer function. That's all, Internet Explorer has this option. You can click here, down; it's a little geek, but you get these windows. And then you press a lot of times, and "not responding". So, thank you, Microsoft. Close. You know, the keyboard on the screen is small, and this is a touchscreen, so this is shit: you press A and you get S; you want to press W and you get M. Okay, but we have our CMD. GCE applications, we are there. There's an internal application that has several functions: accept any credit card, turn off the alarm, temperature of the machine; you can control the temperature of the machine. This is the application. Here there are so many options; you can do a lot of things with the machines. Remote control. All the time they were in front of the machine. So this is important: the guys that did all of it wanted remote control. There is an application for remote control, but it can only be used if you are in the internal network, so this is not useful. So they wanted to remote-control the machine, of course.
They tried to install a remote control through HTTP or HTTPS, but all the requests were forbidden: only internal web pages were allowed. They tried to use FTP; it didn't work. Oh, shit: the machine resolves DNS requests. Nice. So they thought UDP traffic was allowed. Easy: using FTP through UDP, TFTP. Do you know old-fashioned TFTP? TFTP is installed in all Windows versions. The machines run something like XP Professional, so there was a TFTP client installed on this machine. Perfect. But timeout, it didn't work. But they still thought UDP traffic was allowed, only using port 53, DNS. TFTP uses 69 by default, so they changed the TFTP client settings to change the destination port to 53, and at home they made a NAT to redirect it. But timeout. Finally they realized that this is the network map: the machines, router, DNS, a firewall, and the lovely internet. All the traffic sent from the router to the internet is dropped, but the DNS has a rule in the firewall that allows all the traffic, only if the traffic comes from this DNS. If you make an nslookup directly to Google, it doesn't work; you have to use this DNS and rely on how the DNS protocol works: if I have no information, I ask another DNS. So, this is the same I told you. To remotely control the machine, they had to use a RAT, a remote administration tool, through DNS. There is an interesting project called dnscat that does something like that. But our friends are a bunch of geeks, you know. This friend, I think maybe more than the first one, is the real guy. I think so. So these guys developed a modular RAT using Python. Yeah, Python. It's heavy because you have to use py2exe to convert it and load all the libraries. It's heavy, but it's so easy to load. The RAT server, the part that was installed on the machine, just asks a DNS server for a record. The DNS responds, and if some of the response has some pattern, the infected system does some action.
If you resolve my domain, it's 502; the tool takes the 52 and says 52 is directory listing, or whatever. It did not establish a connection. Nice. Finally, the executable file was downloaded using TXT records of a controlled DNS server. You have to install the server of this Python tool. So, perfect: they used that to make the DNS requests, and the machine was remotely under their control. Pivoting. The operating system used on the machines was XP Service Pack 2. Somebody knows what that is: NetAPI. Netapi in Spanish. And this is the final slide, you can hold. Once the machine and all the other machines were under control, it's time to look for applications and files. All the machines stored, without encryption, the CC dumps of the clients: the credit cards of all the clients. It's not necessary to hook the application. It means that if those guys I told you about before were bad guys, they would be able to get all the CC dumps of all the customers of the entire transport network of the country. So, epic fail. Okay, that's all. I want to thank you for listening here today. I want to thank the real guys that did everything I have told you, and all of you for listening today, of course. I'm so proud to be here with you. To my family and friends, I appreciate that. And to all those who want to understand how and why things work: continue this way. Thank you.
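The DNS-only egress described in the talk, where the firewall lets the internal resolver forward anything and the RAT fetches commands and its payload through TXT records, is also what makes that traffic stand out in resolver logs. As an added example (not code from the talk or from the people it describes), this Python script scores resolver query logs per client and domain for TXT-heavy polling and long, high-entropy labels; the log format and every hostname and address are constructed.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log (not from the talk): the ticket machine at 10.0.5.21
# polls one domain with long random-looking labels and TXT lookups, the shape
# of traffic a DNS-carried RAT like the one described produces.
SAMPLE_LOG = """\
10.0.5.21 TXT a9f3c0d1e7b24f8a1c6d.u.example-c2.test
10.0.5.21 TXT 7b2e9d4c01f5a8e3b6c7.u.example-c2.test
10.0.5.21 TXT c41d8e2f9a0b7c6d5e3f.u.example-c2.test
10.0.5.21 TXT 0e5a7c9b3d1f2e4a6b8c.u.example-c2.test
10.0.5.21 A   5d2f8a1b9c3e7f0a4d6b.u.example-c2.test
10.0.5.22 A   www.intranet.example-transit.test
10.0.5.22 A   update.example-vendor.test
10.0.5.22 TXT _dmarc.example-vendor.test
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # client qtype qname

def shannon_entropy(label):
    """Bits per character; hex or base32 payload labels sit near 4."""
    probs = (label.count(c) / len(label) for c in set(label))
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(qname):  # crude eTLD+1: last two labels (fine for this data)
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_tunnels(log_text, min_queries=4, txt_ratio=0.5, entropy_bits=3.5):
    """Map (client, domain) -> reasons for pairs whose queries look like a tunnel."""
    stats = defaultdict(lambda: {"n": 0, "txt": 0, "hi_entropy": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, qtype, qname = m.group(1), m.group(2).upper(), m.group(3).lower()
        s = stats[(client, registered_domain(qname))]
        first = qname.split(".")[0]
        s["n"] += 1
        s["txt"] += qtype == "TXT"
        s["hi_entropy"] += len(first) >= 16 and shannon_entropy(first) >= entropy_bits
    flagged = {}
    for key, s in stats.items():
        reasons = []
        if s["n"] >= min_queries and s["txt"] / s["n"] >= txt_ratio:
            reasons.append("txt-heavy polling")
        if s["n"] >= min_queries and s["hi_entropy"] / s["n"] >= 0.8:
            reasons.append("long high-entropy labels")
        if reasons:
            flagged[key] = reasons
    return flagged
```

On the constructed log only the 10.0.5.21 traffic to example-c2.test is flagged; the thresholds are starting points to tune against a site's own baseline, since legitimate CDN and anti-spam lookups also use long labels and TXT records.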