Hi, I'm Jay Beale and I've been somehow speaking here for like 10 years, so thank you, DEF CON. Please don't make it the last. Anyway, I've been having a whole lot of fun and I hope you guys are too. DEF CON has really been growing and it's been changing and it's getting really cool. I'm really impressed. So anyway, I'm here to talk about client-side attacks a little bit. I did a talk yesterday that I'll reference here and there. That was on a tool that I've been writing, and finishing and debugging at this point now, called the Middler, and the Middler is basically doing some attacks on clients as they're surfing to web applications, as they're updating themselves, as they're doing anything over HTTP. So that talk very much came out of the ideas in this one and they both feed into each other; actually they use some of the same tools, some of the same code. So I'll be making references back and forth to that one, and I'm also going to talk about some of the other things that are going on at DEF CON because, wow, this has been a really great conference. We've got a whole lot of people with a whole lot of different ideas that are similar to each other in some ways and just exploring different areas of the same space, which is actually the whole purpose of a technical conference in the first place, or at least one of the major purposes. I came from an academic world where that's one of the biggest things we do. So it's really cool that we're all kind of bringing good ideas. Anyway, after this, I'll be in some breakout room, I guess probably across the hallway or something. So if anybody wants to come and hang out, we did that yesterday after the talk and I thought it was really a blast. We kept going until they kicked us out of that room too, and we had some really cool people who were from some pretty impressive places and we got into a bit of an argument.
We got into a bit of a full-on agreement, and the stuff we agreed on, none of us really liked that much. So anyway, come to the breakout room afterwards if you want and we'll do that again. If you don't, well, then come catch a beer with me. Okay, so I'm a consultant, or sometimes we call ourselves consultants, never seriously, but we do sell our time by the hour, so what the hell. And the nice thing is, as a consultant, I get to do all kinds of stuff. Sometimes it's just sitting around talking to people and saying, okay, well, how are you doing this? How are you doing this? Basically looking at the design of an application and trying to figure out whether we can make it so that it doesn't have to get hacked later on. And sometimes what I do is, well, try to break that application or try to break the network. So I get to do a heck of a lot of pen testing, and pen testing is a weird little task. It's one of those things that has multiple purposes, and one of them is, sure, to find out what's wrong, find out how I could break in. But another part of that that's always there is this question: could you break in, and if you could break in, how far could you go? You know, could you break in and all you're going to do is compromise some web server interface, our front-end website, or could you break in and get all of this, you know, patient data or credit cards or what have you? Could you go and get that kind of information? One of the things I talked about yesterday with the Middler is that I really want... I like to bring themes as often as I can. I like to bring themes, things for us to talk about. And one of my big themes lately, if I was angry about it, it would be a rant. But instead, since I'm not, it's a theme, is that we are always talking about the risks. We always think about what are the risks to a business, what are the risks to an organization, what's the risk to, well, you know, Jay's home network, whatever.
But we think of it in terms of, you know, let's see, we've got kind of the secrecy, which is kind of confidentiality. Somebody could get data they shouldn't be able to get. And then we have, like, availability. They could shut it down. But the one we constantly always forget about, anybody know what it is? Okay, integrity. Yeah, so this is CIA. We've got confidentiality, integrity, availability, and we always forget about, I swear, everybody, maybe in the security community we don't do it as much, but I think we still do. We're always saying, wow, what if a bad guy got to this data? What if a bad guy got to this data? What if a bad guy could knock this down or make this inaccessible? Right, and we never think, well, what if a bad guy could change data? And worse, what if a bad guy could change data and you never noticed? And we don't know how much that goes on. We really don't. Every so often we get a peek. Every so often we find out, we say, oh, wow, TJ Maxx has been getting hacked for a heck of a lot longer than three days. Right, it's, you know, what data's changed? Well, that's going to be hard. I mean, what do you do with an integrity attack? Suppose you're running your own little bank. Or, you know, your own little library. And you don't know who's got what book anymore, how many dollars, because, well, will you trust it? Or what if you do trust it, but your trust is not supposed to be there? Anyway, so that's part of what I'm getting into with both of these talks. And it's kind of a theme I want to keep coming back to, the question of integrity. So we'll go there. Anyway, so I do a whole bunch of pen tests, and on pen tests, the hard part is basically always getting to the internal network. The internal network's much, much harder to get to. And actually getting to the internal network from the outside's been getting harder and harder.
Now that may mean that somehow I'm getting lamer and lamer. Oh, come on, I don't get a laugh on that, okay. Tough room. Yeah, Jay's lame. Rock on. So anyway, yeah, I could be getting lamer and lamer, but I don't think that's what's happening. I think to some extent we're getting perimeters that are tighter and tighter. Does that mean the code's getting better? Well, to some extent, but I'm not sure. I think to some extent it's just that we finally got, we've all been trying to push organizations to use decent firewalls and so on, decent perimeters, for a long time. And well, we kind of won that battle most of the way. I mean, we still have stuff, but I don't see what I used to see. Ten years ago, I'd be looking at a firewall and it'd be like, okay, this thing says all the traffic's allowed in unless it's destined for port 137, 139, 135. You know, nowadays, I see default rule sets that say nothing's allowed in except for port 80, and only to this server. And even better, I often see firewall rule sets that say nothing's allowed in to this server except on this port and only from that partner network, or only from these people. We'll have SSH ports open or we'll have, you know, whatever. Even IPsec ports, IPsec will be allowed, but only from the known ISPs of our sysadmins. And things get a lot harder as an attacker. Now, things got a lot harder as an attacker over time, and really what happened was the attackers kind of found other ways to do it, and we're gonna come to that. But the cool thing is that once you get to the internal network, hey, switch slides. There we go. Once you get to the internal network, things get a heck of a lot easier. They get way easier. I mean, think about, if you haven't had this experience as a penetration tester or maybe as an evil hacker, think about it for just your own company or your own network for a little bit.
Just think, okay, well, suppose I was here and I didn't have any passwords at all, but I just had one desktop here. I didn't even have any privilege on the desktop, maybe. Maybe I wasn't even signed into the domain or anything like that. What do I get? I get a heck of a lot of access. I mean, there are just so many companies where once you're on the inside, you can go anywhere, because most companies still, I know this sounds amazingly simplistic and you're not gonna believe me, but I'm telling you, I go to way too many companies and I say, well, I'm looking at the same damn architecture. We've got, you know, kind of three legs on a firewall, right? We've got the internet, big bad internet. We've got this DMZ where we've got servers that the internet's got access to, and we know that that's where things are supposed to go. And then we've got the internal network. Okay, so we're basically deploying assets on two networks. One's the DMZ and it's got like 10 servers on it, or 500 servers on it, or 5,000, depending on your size. And then we've got the internal network, which is everything else. What do I mean by everything else? It's got all the workstations, it's got all the printers, it's got all the internal-only servers. It's got every single other asset. I swear, you know, look at multinational companies and they still end up having a fairly flat network on the back. Is it really flat? No, no, they're doing all kinds of crazy stuff for performance, but what I'm saying is from an access control perspective, they're not doing much. If I get one desktop, I'm really gonna have way too much access. I mean, I tell you, we'll do a pen test and we'll say, okay, I've got this one desktop, and I start looking at the internal network and start looking at what assets are there. I'm like, ooh, look, I found a SharePoint server. What's on that SharePoint server?
I go look at the SharePoint server and I'm like, okay, maybe I'm able to get one user's username and password, and that user's not in IT. I'm like, hey, look on the SharePoint server, which I can log into as one of the accounting users. I've got, well, all the passwords for every single device here, domain admin credentials and everything. True story. There's a tremendous amount there, and that's kind of the easy case. But even if you do want to make it hard, once I get inside, I start finding lots and lots of servers that aren't in any way filtered and aren't in any way patched, and again, lots and lots of good access to information. Recent internal pen test, I'm spending a whole lot of time on one slide, aren't I? But on a recent internal pen test, we're on site, we're at the client and we're doing our scanning. And this network is huge. We're having trouble actually just keeping track of all the targets. But we find 800 databases, and out of 800 databases, 40 of them had their username and their password set to, let's see, they were all Microsoft SQL Server databases. Can anybody guess? sa, blank, that's about all I need. Yeah, 40 of them. So you say, well, 40 out of 800, that's not too bad. But 40 databases, I only needed one half the time, right? At that point, well, let's assume that this was a really, really big credit card company. It wasn't, but let's assume it was. Well, trust me, I'm going to have enough access, I'm going to have enough data on that that I'm going to be, well, eating for free for a long time if I'm a criminal. Luckily, I'm not. I couldn't pull off this whole criminal thing. I've just got this fear of jail and hurting anybody and all kinds of stuff like that. Whoa, good thing that wasn't a beer bottle.
So anyway, my deal is that once I get inside, once I get onto the internal network, whether it's by walking on, by finding some wireless access point, or by hacking a desktop, I have a tremendous amount of access. Those first two are pretty easy if you're well located and they've been bad with their wireless, but the thing that happens far, far, far more often is the desktops get hacked, and that's part of what I'm going to go into. Okay. Somehow I'm having trouble flipping slides. Well, maybe it's the coordination from way too many parties here last night. DEF CON's kind of good for that. If you're watching this on video and you're not at the conference, wow, you missed a great night. So anyway, like I said, we're finding it a whole lot harder. We're finding it much, much harder to hack into the network from the outside, to just say, okay, well, I'm going to scan for web servers and find web servers that are vulnerable and I'm going to use exploits against them. Even if I've got access to commercial feeds of exploits, hacking servers from the outside is getting really, really difficult. So over time, what we've started doing, and what a lot of consulting companies, I think, are doing, is basically saying, wait a second, why don't we do what the attackers switched to doing, like, I don't know, five years ago? Why don't we actually go after the desktops themselves instead of the servers? Why don't we send emails or IMs or whatever? Why don't we try to get the users inside to click on links or open attachments or whatever, and those are client-side exploits. It's not like I invented client-side exploits. They've been out there in Core Impact for a long time, and Metasploit got them, and Metasploit made them a whole lot more accessible to all of us, and, gee, wow, it's just amazingly powerful what you can do with this.
If I need to convince somebody to patch their browser, if I need to convince a family member to patch their browser, now I don't have any trouble anymore. I'm like, hold on, just give me a second. Clickity, clickity, clickity, clickity. Okay, why don't you surf to this website, and they'll go and they'll surf to CNN.com. They're like, hey, you've got my screen on your screen. What's going on? You're like, it's a client-side exploit, Dad. So anyway, yeah, I kind of experiment on my family. Not meanly, it's just that I can't get them to patch or I can't get them to put their stuff behind a NAT box or whatever. My family is way too ownable and I don't like that. So, you know, I try to help them out and sometimes, you know, I have to convince them. Always legally, absolutely. So anyway, in doing penetration tests, we started saying, okay, why don't we actually start hacking client-side software? Because that's where the attackers went a long, long time ago. It's very, very easy. Here's an example. I swear, I'm not trying to sell you all pen tests. Honestly, you guys are the people who do them for the most part. So to some extent, I haven't tried to be light on mentioning that I do this for work because, well, I kind of figure that you all do too, and we're more having a conversation among our own community. Anyway, so we're on a recent pen test, or this isn't actually that recent a pen test. This is a pen test a while back. We're having trouble breaking in, and this is where we kind of come across the idea of client-side exploitation. We say to the client, hey, listen, we're having a lot of trouble breaking in. You have an amazingly small perimeter. Can we, realizing that penetration tests are a subset of what a real attacker gets to do, because a real attacker gets a whole lot more time because they can spend as long as they want.
But also, a real attacker doesn't have to stop with only these methods in these ways. A real attacker can go social engineering if they want. They can go client-side if they want. They can go physical if they want. They can buy the plane ticket or what have you. Okay, so we said, you know, hey, can we make this a little more realistic and throw in this client-side exploitation? We know it's safe. We've tested all this stuff. We'd like to give it a try. And the client said, well, I don't know if I can get even my boss to agree to get exploited, much less the rest of IT, but I'll let you try to hack me. And I said, that's great. He's like, okay, well, let me go patch. And I'm like, no, no, no, no. Let's pretend, you know, let's make this kind of realistic. Let's make it as if you came in this morning and you didn't think that I was coming after you. And he said, great. And so we fired off. We took every single client-side exploit in Core Impact and every single client-side exploit in Metasploit and gave it to him. We fired them off and so on. We set them up and gave him attachments and gave him links and all this. And he clicked on every single one. And I'm sitting there thinking, okay, we're not getting in. Gosh, this is the first time in years we haven't successfully hacked a client. I'm going to have to go and do the seppuku thing. And I don't even know where I put my samurai sword. So this is going to suck. But anyway, the very, very, very last client-side exploit worked. It was wonderful. See, the thing was, this guy had IE7, back when IE7 was still really, really new. And so first, it's already harder to hack than IE6. And then second, well, people hadn't been writing that many exploits for it, at least not ones they were publicly releasing. And so we didn't have that much for his browser.
And also he had like two different forms of antivirus and they were going to catch a whole bunch of these suckers. So we're like, ah, darn it, that would have got in. But the antivirus got it. Okay, darn, that one would have got in. Anyway, we finally get to one. It's Acrobat Reader. And we send him a PDF and he opens the PDF and boom, we've got a shell on the system. And then we have VNC on the system, and then we start exploring the client's network, and then we own it from top to bottom and, well, the rest is history. The really crazy thing is, why did he get hacked? Acrobat Reader actually updates itself. Well, it's kind of crazy, but every time Acrobat Reader popped up and said, hi, I need to update myself, I'm really old, he said, I don't have time for this. I was trying to open that PDF. How many of us have had that experience? Okay, raise your hand if you've gotten something that's popped up and said you need to update and you're thinking, as the security person, I really should, it could be a security issue, but honestly, I need to open this damn document. Right? I do this. I'm talking about this and I do this. Okay, I know, and now you're like, wow, Jay's really lame. But really, what it is is that Jay's really human in the same way all of you are. We are in very many ways the most paranoid IT users out there. We're some of the most paranoid and knowledgeable IT staff at all, because we're either in security, or we're here, so it means we're in security, or it means we're in IT and we're thinking about it. Okay, and we still sometimes say, no, don't update right now, okay, which means that we have that window of vulnerability that we go and scream at everybody else about.
Okay, so this guy was a security guy, he was really, really paranoid, but honestly, when he needs to open a PDF, he doesn't have time to wait for it to update. He needs his desktop to be updated already, whatever. We can get into why that is, but one of the critical things here was, we tried all these exploits and only one worked, and that's kind of good news, but we only needed one, right? We only needed one client-side exploit against one desktop that we attacked. We only attacked one desktop, but we could have attacked them all, and trust me, it would have found a lot more than one, right? But we only need one desktop and one client-side exploit against that desktop and we're into the company, we're inside the internal network, and now, well, things get a whole lot easier. Okay, now, what does that mean? Wow, have I gone... So, anyway, this is my point. One of my points; I have a lot of these themes that I'm kind of starting to formulate. One of the themes that I formulated a long time ago, and that a lot of us have been talking about at this conference, is it is so much easier being an attacker than a defender. Okay, I've been trying to make tools for defense for a long time and gosh, you know, they can really, really work, but even getting people to use them is kind of hard. Getting people to use defensive tools to do proactive stuff, because honestly, it's like, I don't have time for that right now. I'll harden that box later. I want to change the firewall rules to make it stronger, but I'll do that later. I want to update my Acrobat Reader, but I'll do that later. And I'm not blaming us for that. We're human and that's what happens. It's really hard for us to do proactive security. It's a whole lot easier for us to, well, set something up, maybe code something up and set it up and say, okay, you handle this for me because I don't have time, you know, what have you.
Anyway, let me switch to the other side of this, outside of the point of view of the victim for a second and outside of the point of view of the consultant pen test, and talk about the professional hackers, the criminal hackers as it were. And it's strange to say criminal hackers, because what if you're in a country where it's not a crime? What if you're in a country where it's considered a day job? We're probably all used to that. You're not all thinking, wow, that would be really strange, I've never heard of that, right? We've all heard of lots and lots of people who are up to no good. Anyway, so the deal to me is really this client-side stuff is what the attackers started doing years ago. I don't know, roughly five years ago, give or take five years. So anyway, our attackers started doing this about five years ago and it's been wildly successful. Hacking desktops has been amazingly successful for them, and it's been so successful that their problem hasn't been in creating some of the stuff that we create here and present at DEF CON and Black Hat. Okay, their problem hasn't been saying, okay, well, how do I come up with something that can get past Vista's new heap overflow protection? That's not their problem. Their problem has been, how do I manage all these systems I own? I mean, God, I own 400,000 systems. I don't even know everything I own. How do I manage it? And so they brought us the botnet, and they brought us better and better botnets, right? For a little while we had botnets, and what was the earliest way that people were controlling botnets? It was our own little friend, exactly. It was our own little friend IRC. Thanks. For a little while, I said, you know what? This seems like a simple enough thing. Why don't I just start blocking outbound IRC from my network? And you might be like, well, wait.
We've got this one guy who still uses IRC. It's like, well, fine, cool. Let's block IRC out of the network and then we'll let his IP address do IRC, or we'll have him go through a special proxy. So he's allowed. Maybe he can even authenticate to the proxy. So if any IRC is leaving, we know that it's bad unless it came from there. So I used to say, well, let's block IRC, or let's log IRC. Let's just log. No, before you think I'm logging all your conversations on our evil, evil hacker channels, or not-so-evil hacker channels, no, it's not like that. Why don't we just log all the flow data and find out where all the IRC is going? And, you know, that was what I said. And you could still do that. You could still catch some of the stuff. But honestly, the attackers switched. They said, you know, screw this. They made their own command and control that was centralized. Then they went beyond that. They made their own command and control that was centralized and encrypted. Then they went beyond that and said, let's make our own command and control that's encrypted and peer-to-peer. And gosh, wow, they're making it really, really, really hard. We talk about fast flux. We talk about fast flux DNS. We talk about all kinds of stuff. And we say, wow. But my point here is not to even go into that, but to say, realize the attackers have been so successful compromising desktops, at compromising all these workstations, that they had to create the botnet. And they don't even understand what they have. Workstation control is amazingly powerful. It's amazingly powerful, and most attackers, most of our attackers who have these botnets, they're going to scratch the surface of what they could do with them. If you had a targeted attack, I love when people talk about spear phishing, going after individual things. If we're doing a targeted attack, this is one of the biggest things that's crazy.
Unless you're in here doing the criminal attacks, and you, well, heck, you probably still have to have a pretty decent network of people you're talking to, we don't really entirely know what the really skilled criminal attackers are actually up to. Yes, some of us get to watch pieces. Some of us are able to find out, for this given set, we say, we caught these guys, but we didn't catch all these other guys, because they're not just hacking some central thing, they're not hacking just the government or just a couple of banks, they're hacking everybody, right? Anyway, I mean, remember England did this whole thing where they were, I don't know, was it MI5 or MI4 that said, assume that the Chinese own everything? And, wow, that was a little scary. But if you think about this, if you just looked at workstations, most of the time we go to companies and they don't even know all the machines they've got inside that are compromised. They suspect some of them might be, they don't know, some of them don't even believe that any of them are compromised, and you say, okay, well, throw up a sniffer and start watching your outbound traffic and look for something that's abnormal, okay? At some point, that won't work so well; the botnets will all switch to using port 80 for their command and control, and they'll not just use port 80, but they'll use true HTTP, because, well, we could do that 10 years ago. But, right now, just start watching, and most companies are really surprised, like, oh my God, we have 24 compromised systems, and that's out of 500, and we say, yeah, that's how it goes. It's not all just my parents' PC. I was about to say my parents' PC hasn't been owned, but how would I know, right? How would I know if mine had? Yeah, we catch it a lot of the time, but we don't always catch it.
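The egress check the talk describes (block outbound IRC, allow one user's address or an authenticating proxy, and otherwise treat IRC leaving the network as bad), written out as an added example over constructed flow records; this is not the speaker's tooling. The address ranges, the two allowed source addresses and the sample flows are all made up for the illustration. Because the talk also warns that command and control moves to port 80 and real HTTP, the check looks at the first client bytes as well as the port, which catches the IRC-on-port-80 case but, as the talk says, not C2 that actually speaks HTTP.

```python
import ipaddress
from dataclasses import dataclass

# Ports IRC normally runs on; early botnets took their orders over IRC on these.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Assumed internal address space and the exceptions the talk describes: one
# user who legitimately uses IRC (10.1.1.50) and an authenticating proxy
# everyone else must go through (10.1.1.5). All addresses are made up.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_IRC_SOURCES = {"10.1.1.50", "10.1.1.5"}


@dataclass(frozen=True)
class Flow:
    """One connection record: who talked to whom, on what port, and the first
    bytes the client sent (if the collector keeps a payload sample)."""
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def looks_like_irc(payload: bytes) -> bool:
    """IRC clients register with PASS/NICK/USER before anything else, so the
    first bytes of a session give the protocol away whatever port it rides on."""
    head = payload[:64].upper()
    if any(head.startswith(cmd) for cmd in (b"NICK ", b"USER ", b"PASS ")):
        return True
    return b"\r\nNICK " in head or b"\r\nUSER " in head


def find_suspect_irc(flows):
    """Return outbound flows that look like IRC and did not come from an
    allowed source, each with the reason it was flagged."""
    hits = []
    for f in flows:
        # Only internal -> external traffic matters for egress control.
        if not is_internal(f.src) or is_internal(f.dst):
            continue
        if f.src in ALLOWED_IRC_SOURCES:
            continue
        reasons = []
        if f.dport in IRC_PORTS:
            reasons.append("standard IRC port")
        if looks_like_irc(f.payload):
            reasons.append("IRC registration commands in payload")
        if reasons:
            hits.append({"src": f.src, "dst": f.dst, "dport": f.dport,
                         "reason": "; ".join(reasons)})
    return hits


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.1.1.50", "203.0.113.10", 6667, b"NICK alice\r\nUSER alice 0 * :alice\r\n"),  # allowed user
    Flow("10.1.1.5", "203.0.113.10", 6667, b"NICK bob\r\n"),                             # the proxy
    Flow("10.1.1.77", "198.51.100.7", 6667, b"NICK x1f9\r\n"),                           # bot on the standard port
    Flow("10.1.1.78", "198.51.100.9", 80, b"PASS letmein\r\nNICK x2a7\r\n"),              # bot hiding on port 80
    Flow("10.1.1.79", "198.51.100.9", 80, b"GET / HTTP/1.1\r\nHost: example\r\n"),       # ordinary web traffic
    Flow("192.168.5.9", "10.2.2.2", 6667, b"NICK carol\r\n"),                            # internal-only, not egress
    Flow("203.0.113.10", "10.1.1.3", 6667, b"NICK mallory\r\n"),                         # inbound, not egress
]

if __name__ == "__main__":
    for hit in find_suspect_irc(SAMPLE_FLOWS):
        print(hit)
```

Run against the sample set, only the two bots are reported: the one on 6667 for both reasons, and the one on port 80 only because of the NICK/PASS bytes. Strip the payload column, as many flow collectors do, and the second one disappears, which is exactly the gap the talk points at.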
If somebody were to do something, and this is one of the big things, when we look at antivirus, we look at IPS, and we look at IDS, and all that, we say, wow, if we're signature-based, the tough part is enough people have to have been attacked by this that the vendors, or the open source, free people, or whoever, that somebody's been able to create a signature. But don't get me off on a rant about signatures versus behavioral, and how you need both, and not just one, and stuff like that, right? Actually, I like the whole idea of having two antivirus solutions at the same time on every desktop, because it's like, yeah. Anyway, so, beyond that, think about what you get out of these botnets. Think about what you get out of client-side exploitation, out of compromising clients, and not doing it as part of a botnet. It's just one day you decide that you've got a grudge against your former employer, you've decided to be a criminal, I don't encourage this in any way, but you decide you're gonna go up to your former employer and you send some emails, or what have you, or you in some way get people at your former employer, on your former employer's network, to get some client-side exploits, or go to bad websites, or to click on bad attachments, or what have you. What happens? Well, you control one workstation or more. If you control one workstation inside of many, many companies, what can you do? What if it's the right workstation? What if it's the workstation that's currently logged in with all kinds of access? Could you print yourself checks? I've got friends who've done pen tests, and they found a check printer. They found a machine attached to the check printer and printed themselves a million-dollar check, and so workstation security's important. It's not just the servers. I want to bring one of those checks to a conference one day, but honestly, I'm sure that the client wouldn't let you.
But anyway, so as pen testers, we end up using this, and we find internal access amazingly powerful. Why is it amazingly powerful? I love Windows. Not that the Mac isn't, if it ever gets targeted in greater numbers, going to be massively more vulnerable, because they haven't really had to deal with the massively hostile environment there is for Microsoft software. But one of the things I like on a pen test is that once I own one workstation, I go and look for cached credentials. I find the cached credentials. I wait long enough. I find cached credentials for other users. I find cached credentials for administrators, and sooner or later, I have domain admin on it. Who in here's done pen testing for work? Like, okay. Okay, so about a tenth of the room. You all know, just raise your hand again if you've enjoyed the amazing power of cached credentials. Okay, more hands just went up beyond the ones that did it for work, so I don't know what that means. But yeah, no, cached credentials. So all of a sudden, I own the entire darn domain and wow, Microsoft hosts are awesome. I mean, AD is a beautiful thing. I am constantly, constantly embarrassed. I'm embarrassed for Unix that we don't have some of the power that AD brings, because we could do it. It's not like LDAP didn't exist already. It's not like we don't have far, far easier config files to modify than the registry, right? But we haven't had the need to. And the reason we haven't had the need to is we haven't been anywhere near as successful with open-source desktops as Microsoft has been. We've been great as far as open-source servers go, but anyway, so I'm getting all off on a tangent, which I never do, ever, ever, ever. So anyway, client-side exploitation. I'm going to get more and more technical as we go. One of the big questions we get is, listen, isn't this just social engineering? If it's social engineering, I should just have really good social engineering training.
Can't I just train my users? And I say, yeah, train your users. Do your security awareness training. Do whatever it is, you know, do what I do with my parents and say, Dad, if you get an email... God, my father is going to kill me if he ever sees this talk. Hi, Dad. So, I'm sorry. And so anyway, my dad will ever so often show me, hey, I got this thing that says that my Google AdWords account is, I'm supposed to log in, and it says, you know, whatever, adwords.google.com. So I'm going to click on it, but you told me to call you before I clicked on any link that I got in an email. I said, yeah. Okay, let's right-click on that link. You see how that end part says... that's not the real one. And he's like, oh. But honestly, I started thinking, God, how hard is it? How hard is it for me to just tell everybody in the company, everybody in the company, much less my own family, how hard is it to teach every single person how much harder, what would come out next? You know, would I just, okay, well, don't load images in your emails, because that might be server-side tracking. Security awareness is amazingly important at companies. I totally think you should all keep doing it. We should all keep teaching, but understand that some people are going to get fooled. I've watched security people get fooled. A couple years ago, I was working with, well, I'll just say somebody in the security field. And I'm talking to him, and he said, yeah, this morning, I got this thing, and it was a contest, and it was really, really cool, and so I went and I clicked on it, I started filling out the form, and I clicked next, and I went to the second page of the form, and I'm like, wait, why does it want my social security number and my birthday? And he stopped, and he said, shh, I'm being phished, and it was seven in the morning, or six in the morning, or whatever his version of six in the morning is.
Let's call it kind of three in the morning for you morning people, okay? So, you know, and he just kind of, he wasn't thinking, and he was a security guy, and he was an IT guy, he understood the line, she has not heard of this stuff before, okay? She sends me emails in all caps. I told her, grandma, stop shouting, you're hurting my ears, and she's like shouting, and it's, well okay, so, by the way, there are two grandmothers that come to these conferences sometimes, or know a whole lot, Raven Alder's grandmother, and Dan Kaminsky's grandmother, they're like the most badass grannies I've ever seen. They both like, they're just like, shit. I mean, Raven's grandmother like runs Linux, goes to LUGs, and gives talks, and she called up Raven one time, and asked her a question, and asked Raven a question, said, how do I do this? And Raven said, I don't know, I don't run that, I don't run Windows, I run Linux, and grandma said, okay, that's fine, click, and she calls up later on, says, okay, I can't get PPP to work, and Raven's like, what, you just go to, I told you, I'm doing Linux, and grandma says, yeah, yeah, I've been on Linux for a while, I did this, I've edited my /etc/hosts, I've edited this, Raven's like, oh my god, anyway. 
You don't know their tangent, but let's see, anyway, social engineering, my point to that tangent, if there could have been one, and I think there was, my point is that it's really, really hard to train all the users, and even if you've got all the corporate users who actually have IT departments, tons of people don't, and I'm going to come to that later on, but social engineering, well, you know, what people are going to get social engineered, and part of that is because social engineering is an attack on the human brainstem, it's an attack on how we all work, we all want to be helpful, or who do psychological profiling for a living, and they'll tell you that this stuff does work, and there's a reason it works, and I'll tell you that honestly every single one of us knows that if you get enough people attacked by something, if you get enough people, you ask, hey, can I have your password in exchange for a candy bar, you will find someone who says yes, if you can do that electronically, if you can make that automated, oh god, are you going to win? If I look at a 50,000 guy in the front row just said, I'd do it. Cool, I'll talk to you later. I've got some candy bars in my bag. No. But I'll need you to fill out a little form, authorizing me, and all that stuff. So if one one hundredth of one percent, or if one in 10,000 people got tricked by a social engineering attack, one in 10,000, I can send 50 million emails, how many did I get? I can't even do the math right now, it's Sunday at DEF CON, but suppose that I have a 50,000 person company, and one in 10,000 people clicks the link, trust them one in 10,000 people, we've done this, we've simulated this, one in 10,000 people, one in 10,000 people, and a 50,000 person company gets a lot, I just got five. Yes, I know, my probability is kind of bad because we got laws of large numbers and stuff, and those numbers weren't that large, but on average, with standard deviations and all that, I got five desktops, I only need one. 
So it's not enough to just say, we're going to get social engineering and the users suck. And I also think that we need to protect the users, the security people, we have to protect the users from themselves and from the attackers, and really it's not so much from themselves, it really is from the attackers, we can't blame the user. There's a lot of reasons I think we can't blame the user. One is, unless you're going to put up a driver's license for the internet, we're not actually guaranteeing that everybody who buys a computer and gets on the internet is actually in any way safe or prepared or trained. Now I know a good number of people in this room at some point or another have said there really should be a driver's license for the internet. And I'm right in the test. But we don't get to do that. They let scum like us onto the internet. None of us were supposed to be allowed on originally. Remember, it was like military and researchers and stuff. This was way before you could pay ten bucks to get a dial-up account. Now, God, what can you get for? Yes, so they didn't used to let scum like us on the internet. Now they let us on and they let us on the internet from everywhere. They're like free. Just go to a coffee house, you never even have to have heard of an ISP. It's a real beautiful thing except it's an ugly thing too. So client-side attack. Why should you give a rat's ass about other people getting exploited by client-side attack? Maybe it's not your job. And what I'd say is, you know, think about when you're applying for a mortgage. Anybody in this room ever applied for a mortgage? Okay, we have 20 people at DEF CON. Or at least in this talk we've applied for a mortgage. Nobody else, everyone else is either independently wealthy or renting. Okay, so if you apply for a mortgage, you know, you fill out all these forms and you give them information much of which you never would like to be public. And it sits in your mortgage broker's computer. 
Or it sits in the bank's computer. But let's assume you use the mortgage broker because lots of us do. If you used a mortgage broker, it sits on his computer. How long do you think it sits on his computer? Trust me, he's either in business for himself or he's with a company of 5 or 10 or 20 people. You know, it's not big. He doesn't have an IT guy. Not one. He doesn't have even one full-time IT guy. How long does that sit on his computer? Say you applied for that mortgage 10 years ago. Do you think it's still there? You think your information is still there? I'm telling you it is. I'm telling you it is. We look at big companies and find that they haven't ever gotten rid of any of their old data. They don't need it anymore. They processed those credit cards, you know, 20 years ago. But, well, maybe not 20 years ago. But, you know, 10 years ago and they still have the records. Anyway, so, but think about your mortgage broker's computer. Here's another one. My dentist. I, you know, I submitted forms to my dentist and they all get read into a computer and they're all there. And which computer is it? Well, I'm not going to tell you guys where I get my teeth cleaned, but it's on the receptionist's workstation in the main lobby. Oh, and, you know, she's not always there. So, you want to bring a hostile USB key, a hostile disk, you want to walk off with the computer itself. You want to get her to surf to some site that, you know, promises that there are free games or whatever. You know, celebrity, you know, celebrity stories that haven't hit the, whatever. You're going to get her. And then you're going to get me. And I'm not going to be able to say, well, the dentist should have hired a better, you know, IT guy that comes by once a quarter to make sure things are still working. Right. So, I think that we can't blame the users. What we have to do instead of blaming the users is try to protect the users. So, let's see. Where am I? There we go. 
So, I've been kind of, it looks like I'm jumping around the slides just a little bit and I apologize for that. But basically, as an attacker, I just have to have, I just have to find one vulnerable workstation. All I need is one. Okay. Here's the other reason client-side attacks work really well. We were protecting 150 servers. How hard was that? Could you absolutely, positively guarantee none of them got hacked? Okay. You couldn't, but, you know, you could better your odds. What if you've got to protect 10,000 or 50,000 or, you know, several hundred thousand workstations? God, that gets really, really, really hard. Patching has always been a race condition. It's always been reactive. It's really hard to beat it. One of the questions when I first, when I first floated this idea, I take most of my ideas to a bunch of other people who talk at conferences or who don't talk at conferences but who I respect and really, you know, I say, listen, is this new enough? Is this interesting? Is this something, you know, is this going to work technically? Am I totally full of crap? And they'll say, you know, and so I did this and when I was doing this kind of early vetting, somebody said, well, this is just a patch management problem, Jay. It's not really worthy of talking about. And I kind of thought about it and I'm like, wow, maybe he's right. And I said, no, wait, it's not a patch management problem. Why? First, not every organization has a patch management tool in place. Not every single one does. I mean, we'll get into that. But assume that they do. You know, assume you say, well, Jay, at least your parents have, you know, Windows Update and stuff. Right? Well, go beyond that. Patch management, you know, look at a given organization and say, there are a few things that aren't getting, there are a few things that aren't even getting patched by the patch management system. What kinds of stuff? 
Old hosts that aren't part of the domain, aren't part of the inventory. What kind of old hosts? Dedicated scanning machines. That thing runs the scanner. That thing just runs the multi-function devices wherever. That's not getting patched. That's not part of the domain. That system can't be part of the domain because of a given federal law or what have you. Hosts that, you know, computers get brought in by, get brought into the office from partner companies. They're not necessarily getting patched. You say, what the hell do I care about that? Listen, I've had, we've had companies, we have some companies we go to and they won't let us on their network. So what do you mean we can't be on your network? You can't put, they say, you can't put your host on the network. You can use ours. You can't use yours. Why? And they say, well, we are, let's see, a manufacturing company of some kind and the last three times that we've gotten hacked every single time it's been because somebody brought in some, some contractor brought in a laptop that's not one of ours. It wasn't well patched. It had gotten owned and, and then the rest of our network, you know, and then other parts of our network got owned and it shut down manufacturing. It cost so many millions of dollars. Like, okay, we'll bring our own, you know, wireless cards, our own cell cards. So anyway, there's, you know, all I got to do is compromise a host that's not only one of yours inside your network. I just got to compromise a host that's in your network and then I've got that foothold I want. Beyond that, legacy systems of any kind and sometimes I have to throw in UNIX hosts that don't own a patch. So anyway, patch management tools also and this is where my, this is where my parents still get nailed. Patch management tools don't get every third-party product. Okay, well I just talked about Acrobat Reader and that's something we're all used to. We're all used to Acrobat. 
But what about all the other software that's on my laptop? One of the ways I found, and one of the ways I thought about the man in the middle tool that I released, the Middler, is that, you know, I've got all this software on my laptop and it's all going out and updating itself. And I started looking at it and saying, wow, it's doing clear text. And wow, I'm not even always agreeing to the updates. And wow, some of it's not updating itself. Am I remembering to update it? So I'll talk about this. But anyway, even big, even lots of big companies that are pretty good at this, they don't even patch all of it consistently or frequently enough anyway. Most companies seem to patch like every three months. I think that there are lots of companies that do it every six or 12 or some systems just never get patched. And they only tend to become pre-emptive for Microsoft software. And then, even if they do that, browser plugins don't really get patched quite so well either. How many of us are used to, we started using more and more browser plugins. Our users have started using them. And the browser plugins, well, those suckers don't get updated by Microsoft for you or they don't get updated, they don't necessarily get updated for you. And I've told a whole bunch of browser plugins not to update because it took too long. And I said, let's get it later. But I don't always know when something says, I want to update, that they want to update because there's a security vulnerability in the plugin. So we're not really solving this via patching. Maybe we could solve it via vulnerability assessments. Right? A lot of the vulnerability assessment software now has, you know, can actually log into the workstations and find out what version is the software. But if they're not, they're doing a pretty bad job. And they still miss things. And we still have the false positive problem. And it's still very, very, very reactive. Okay? 
It's hard for us to do vulnerability assessments and catch all the client side software issues. Okay? The thing is, vulnerability assessment software, for better or for worse, is really targeted most at server applications. Okay? It really is. It's targeted, and even on workstations, you know, it's targeted at actually going and talking to a service. And the cool thing is you go and talk to a service and often it replies with a version number. Or you talk to a service and you're able to fingerprint what version of that given service it is. It's really nice when you're talking to server applications and it's really helpful. And I'll just give you their version number willy-nilly. Or wait, they do. This is kind of one of the places where this idea got good, which was a lot of the client side software is identifying itself all the time. Okay? My browser, if you want to, I would love to, I'm not sniffing this network. I'm not even on the DEF CON network, but I'd love to just talk to the Wall of Sheep guys and say, hey guys, you know, it's nice that you're logging all these usernames and passwords going by, but you're seeing a lot of people at DEF CON right now are surfing with vulnerable clients. Okay? How many people could I own? And I could give them some information out of a database very, very easily. They could tell me. We could find them in real time. We'd be like, okay, this person can be owned, this person can be owned, this person can be owned, this person can be owned, this person can be owned. And just so I can kind of go off on a tangent to my previous, to my other talk, you know, you're surfing with a browser. 
You're surfing with a browser and that you're using Gmail maybe, or you went to many, many sites and at those many, many sites you've got a user ID and user ID is not being encrypted, because most of the websites that we're all using for fun, whether it's Gmail or LinkedIn or Facebook or Twitter, they're all kind of, well passwords might get encrypted, the usernames keep going, you know, once the passwords have gone, actually Twitter has noticed it's been going a lot of that's going up encrypted, but we're seeing the usernames go by and we say, okay, I know that that I'm gonna knock on, I'm gonna own Jay. So the clients are identifying themselves. Not just the web browsers, mail clients too, this kind of interesting, I was on this mailing list, on this private security mailing list and I sent an email that was really, really insightful and I was waiting for the reply to come back and say, Jay, that's a really cool idea. And somebody wrote me back and said, Jay, that's a cool idea, but your mail client is like ages old and there's an active exploit at it, you could be receiving instead of this friendly shit and I realized that I don't know if my mail client updates or not, it's third party software, third party software, it ends up being a problem. 
So you say, well what if you can't sniff all the username strings, the really, really cool thing is that big organizations tend to use transparent proxies for all of their outbound web traffic, honestly most organizations do because it saves you a lot of money on bandwidth, well what if I start looking at that, nice thing, Squid, most of the other proxies out there will log user agents and you can say, wait, that's a vulnerable browser and you can do it in real time, you can do it in real time, you can kind of watch it, so you don't have to sniff, you can be reading logs, but if you can sniff, you're going to see a whole lot and what's really, really cool is I've been talking about, I've been saying you can sniff mail clients, sniff browsers, but I'm missing something big, I'm missing another bit of network client side software that has lots of vulnerabilities, what's that, I heard Java, that was kind of cool, anybody else? Okay, browser plugins, when I vetted this idea with Dan, with Dan Kaminsky, he said, you know, browser is just great, but what about browser plugins, and I said what about them, and he said they're vulnerable and they have just as much power as the browser does, why not exploit those, and I said yeah, but how am I actually going to find out which ones are in use, okay, well it turns out it's really, really cool, well let me just say, I'm finding an Acrobat Reader snapshot and all the vulnerabilities we're finding in Flash, just doing a quick search on these, and those are not all the vulnerabilities, those are the vulnerabilities that allowed takeover, so I skipped all the DoS vulnerabilities, I skipped anything that was just maybe even simple information disclosure, and so I said Dan, how would you detect plugins, and he said well, RSnake, about a year, this was when we had this conversation more than a year ago, and he said well, RSnake has this thing called Mr. 
T, master reconnaissance tool, and it'll actually tell you, hey, you can, in essence, if you can get someone to visit this site, it'll tell you all versions of their plugins, I highly recommend you go here and see this, because it's amazingly powerful, I've given you just a short little snippet, it gives you pages, and you can see that this is the version of Shockwave Flash, this is the version of plugins you don't even know you had, I still had a juiced plugin in my browser, I didn't realize I still had it, I hadn't thought about it, but it handles, and congratulations, they exploit me, so let's take this beyond this, we want to do client-side vulnerability assessment, let's go into non-network software, okay, there's Larry Pesce on the PaulDotCom podcast, we have a whole bunch of good podcasts, I love a whole bunch of them, one of the ones I like the most is PaulDotCom, and Larry Pesce highlighted this thing that this guy Christian Martorella did, and basically what it did was, it's something called Metagoofil, and you point it at a website, it goes and searches for that website in Google and it looks for docs, it looks for things with doc attachment and XLS attachment and PDF attachment and so on, and it pulls them all down, and it says here you go, and it does more than just pull them all down, it can actually give you the metadata from those docs, and the metadata can be really, really interesting, awesome, five. Okay, so the metadata can be really interesting, what kind of stuff does it tell you? 
It tells you the creator and the creation time and the version of the doc that was posted, I just had a Word doc that was posted up to the company's file server, if I look at that file server, find Word docs that were just created very, very recently, I could go and pull the metadata out of that, find out there was a vulnerable version of Word used, I see the creator, I see the IP address, and I could start saying okay, that is a system with a vulnerable version of Word, and I could do that with all different kinds of client software, because that metadata is there, okay, our client software really loves to identify itself, it loves to identify itself, it loves to say hey I'm this, and I don't know entirely why, but it's really cool, I love it, it's a wonderful security tool, okay, so I have a way of actually finding out if I can watch the wire, if I can sniff the wire, I have a way of finding out also who's got vulnerable versions of all this other non-network client software, so now you say well Jay, okay great, you know what version of Firefox everybody is running, but how do you know if you're using it? 
You know, Jake Kouns and Forrest, and now it's got a bunch of even cooler people working on it with them, Forrest is not doing it anymore, but it was an awesome idea and he deserves credit, but OSVDB is an open source vulnerability database, one of the really cool things about it is that beyond just tracking vulnerabilities, and they put a whole bunch of time into it, they also make a database export available, downloadable, every night they do another database export, so if the database is on the same system that's sniffing then you could say okay, I just saw this Firefox version string go by, I just saw this iTunes version string go by, and look it up, that version of iTunes is vulnerable to this, that version of Firefox is vulnerable to this, now I go a little bit further and I say I can do client-side IPS, I can say okay, not only can I make you a list of all the vulnerable clients, but I can actually, if I create my own proxy, did it, and I've talked to a bunch of organizations that create your own proxy, you can say hey, anybody with a version string that shows themselves to be running software that's vulnerable to a publicly known exploit, we're just going to redirect them to a patch page, we're not going to let them surf outside the company, we're going to redirect them to a patch page in the company and we're going to be automatically mirroring patches, but that way we can actually say you know what, screw it, I don't want this system to get compromised, Jay is a lazy bastard and he's not more beyond telling me he's a vulnerable browser, let's go and say you're not allowed out until you fix this, because we're not going to deal with your desktop getting hacked, and that's kind of cool, that's a configurable feature, we're making it, that's where we get some simple, simple client-side IPS, and he said Jay, how do you do the browser plugins, the way you do the browser plugins is basically once per day, right now it's hard coded, but we'll make it into a user configurable feature, once 
per day you say I'm going to redirect you, I'm going to send you to our own little host of Mr. T site and our own little host of Mr. T site will show us what version you have, we'll parse all that and now we know what plugins you have, we know whether the plugins are vulnerable, so this is kind of the client side IPS, and you can do this for other things, but there are two more things I want to add in, these are a couple new ideas I had, one is suppose that, you know I'm talking about sniffing the wire, man-in-the-middling, I'm talking about man-in-the-middling stuff I have, what if I ARP spoof the network, well now I've got like everybody going through me, I can send everybody through me and I can look at all their version strings and I can not let some people out or I can throw in an iframe that says, hey this is your coffee shop speaking, you should probably patch your browser, here's Hal, but I could do more than that, you could do more than that if you get a couple other things, if you get DNS spoofing going on, locally you do the same thing, well what if you actually start owning other domains, the given website is a phishing site or this given website is running client-side exploits trying to own browsers, well you can make a list of all those client-side exploits, client sites and only stop a browser from going to that site if it turned out that that site, you know only stop it from going to that site if the person was vulnerable and they were and that site was actually offering an exploit for them, so now you take some of Dan's stuff, you take his ability to do that to other sites why don't I start basically making sure that you don't surf to the right people when you're surfing to the bad guys, you surf to me and I tell you, oh wait you don't want to go there, or oh wait you don't want to go there unless you're patched we can go one further step from this and I've added this slide specifically because there's a great talk here at 4pm, great talk okay and 
this is what if I could start, what if I could change routing on the internet, what if I can go beyond DNS, what if I could change routing on the internet this is something that Dan and Jay are really trying to get all of us to think about okay what if I could change routing and get you to surf to me even if you didn't want to, what if I could just send all of your data that was coming back to you or back to the hospital sites through somewhere else okay I don't know if this is quite legal but if I could do that, then at that point I can, well if I go back to the Middler talk I can inject bad things in, if I go to this talk where we're doing defensively where we're doing defense, I can say oh you're vulnerable, I'm not going to let you get to the bad thing I'm going to just inform you and now you could have a kind of cool thing, you know how a lot of people have gone and scanned the whole internet, they found all the vulnerable DNS servers, the vulnerable web servers or the open mail relays and they sent an email to the people who are vulnerable and said hey you should fix this, well what if we did this with like, you know, bad guys what if we did this with people going to the bad guy sites or who were surfing with vulnerable stuff and said okay I'm just going to capture all the internet traffic on this ISP today and I'm going to send it through me and then when it goes through me I'm going to see if there are vulnerable clients and then I'm going to email those people or what have you done, anyway it's kind of a little neat. If you own DNS, if you own routing, if you own local routing like ARP, if you start watching all the user agent strings, you can actually protect people quite a bit, you could also modify the requests in flight, you can do whatever you want redirecting gets easy, this is why we go to coffee houses and end up in captive portals. 
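The "client-side IPS" decision described a little earlier (read product/version strings out of a proxy's user-agent log, look them up against a nightly vulnerability export, and redirect anyone vulnerable to an internal patch page instead of letting them out, plus the once-a-day plugin report from a Mr. T-style page), as an added Python example that is not the Middler's code. The log format, the vulnerability table entries, the client addresses and the patch-page URL are constructed placeholders, not OSVDB data or real advisories.

```python
"""Client-side IPS sketch: User-Agent version strings -> vulnerability lookup
-> allow or redirect-to-patch-page. Added example, not the Middler's own code.
Everything in VULN_TABLE and SAMPLE_* below is constructed placeholder data."""
import re
from dataclasses import dataclass, field

PATCH_PAGE = "http://patches.internal.example/"   # assumed internal patch mirror

# Stand-in for a nightly vulnerability-database export: product -> (fixed_in, label).
# A reported version strictly below fixed_in is treated as vulnerable.
VULN_TABLE = {
    "Firefox": ((3, 0, 2), "EXAMPLE-1 (constructed)"),
    "iTunes": ((7, 7, 0), "EXAMPLE-2 (constructed)"),
    "Shockwave Flash": ((10, 0, 12), "EXAMPLE-3 (constructed)"),
}

# "Product/1.2.3" tokens as they appear in User-Agent strings; parenthesised
# platform details never contain a slash, so they are skipped.
TOKEN_RE = re.compile(r"(?P<product>[A-Za-z][\w .-]*?)/(?P<version>\d+(?:\.\d+)*)")

# Assumed proxy logformat: client_ip [timestamp] "request" status "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \[[^\]]*\] "[^"]*" \d+ "(?P<ua>[^"]*)"$')


@dataclass
class Decision:
    client: str
    vulnerable: list = field(default_factory=list)   # [(product, version, label)]
    action: str = "allow"                            # "allow" or "redirect"
    location: str = ""                               # redirect target, if any


def parse_version(s):
    return tuple(int(p) for p in s.split("."))


def products_in_user_agent(ua):
    """Return [(product, version_tuple), ...] found in a User-Agent string."""
    return [(m.group("product"), parse_version(m.group("version")))
            for m in TOKEN_RE.finditer(ua)]


def check_products(found):
    """Match (product, version) pairs against VULN_TABLE; pad versions so
    7.6 compares as 7.6.0 against a three-part fixed_in value."""
    hits = []
    for product, ver in found:
        entry = VULN_TABLE.get(product)
        if entry is None:
            continue
        fixed_in, label = entry
        n = max(len(ver), len(fixed_in))
        if ver + (0,) * (n - len(ver)) < fixed_in + (0,) * (n - len(fixed_in)):
            hits.append((product, ".".join(map(str, ver)), label))
    return hits


def decide(client_ip, user_agent, plugins=None):
    """plugins: {name: version} as learned from the daily plugin-detection
    redirect (constructed input here); merged with the User-Agent products."""
    found = products_in_user_agent(user_agent)
    found += [(name, parse_version(v)) for name, v in (plugins or {}).items()]
    hits = check_products(found)
    if hits:
        return Decision(client_ip, hits, "redirect", PATCH_PAGE)
    return Decision(client_ip)


def decisions_from_log(lines, plugin_reports=None):
    """Run the policy over proxy log lines; lines that do not parse are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ip = m.group("ip")
        out.append(decide(ip, m.group("ua"), (plugin_reports or {}).get(ip)))
    return out


# Constructed sample log lines and plugin reports (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 [10/Aug/2008:11:02:13 -0700] "GET http://www.example.com/ HTTP/1.1" 200 '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"',
    '10.0.0.7 [10/Aug/2008:11:02:20 -0700] "GET http://www.example.com/news HTTP/1.1" 200 '
    '"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.2) Gecko/2008091618 Firefox/3.0.2"',
    "this line is not in the expected format and is skipped",
    '10.0.0.9 [10/Aug/2008:11:03:01 -0700] "GET http://www.example.com/ HTTP/1.1" 200 '
    '"iTunes/7.6 (Windows; N)"',
]
SAMPLE_PLUGINS = {
    "10.0.0.7": {"Shockwave Flash": "10.0.12"},   # at the fixed version: allowed
    "10.0.0.9": {"Shockwave Flash": "9.0.124"},   # below fixed_in: redirected
}

if __name__ == "__main__":
    for d in decisions_from_log(SAMPLE_LOG, SAMPLE_PLUGINS):
        print(d)
```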
One of the cool things I want to do though is basically to introduce the talk that's coming up at 4pm, if I could do that, if I can actually do, if I can get routing. Hey Jay, I got to make one correction for your typo there, it's not imagined that I could, it's I can. Ah, that's a good point. It's not even theoretical at this point. Okay, so someone can, he can. And we are. And they are. Right now. Go for it. You know what? We have to end soon so this is why I'm also up here. Okay, short version is at 4pm you get to find out that someone actually is taking a part of the internet and they're just sending all the traffic and making it go through them and you can do some really cool stuff. My imagined slide is imagine if any, imagine if Jay could, imagine if any of you could. You end up getting some really nice stuff. You could gather a whole bunch of info, you can modify everything that you want in flight, tons of non-encrypted stuff. This is what the Middler was about, but imagine if I could do the Middler, not just on my local LAN or not just with some DNS and some domains. What if I could do it with the whole internet? Okay, it could be really, really cool. And so I want to introduce basically a talk that's happening at 4pm in the same room. You just got to either stay here until then or remember how to get back here. I know many of you were drunk so just stumble your way back to here. Track 4 room, this is going to be a really, really awesome talk. It's called Stealing the Internet. Okay, so I'll see you all in Breakout Room or whatever.