And I want to introduce, to make the introduction to Amir Lakhani and Joey Muniz. So Joey happened to be a DJ as well too, and Amir has been, gee, it seems like forever. So the last time you were going to, the last time you were invited, apparently you had to take the early flight home to the Philippines because of some things that happened and you don't want to know. Okay, so without much ado, Joey Muniz, Amir Lakhani.

Thanks. Thanks, Ming. All right. How are you guys doing? Sunday. Woo! Yeah? All right. First off, I've been at DEF CON forever and this is actually our fourth time speaking for this event, but I've never brought my daughter. So you can see I have the earmuffs on because we do use foul language at times, but this time we may not, so hopefully... hey, oh, she can hear us. All right. She can hear us. We have to be careful with the language, but there will be an earmuff warning for this particular talk because of that. The other warning is, unfortunately, Amir and I work for big companies and our HR departments got a hold of our talks before this, and because, hi YouTube, of the recording of this, we had to cut off a little bit of the video we're going to show. It may be posted later on our blogs, but we were going to apologize up front. We got censored by our HR people because we like our jobs, and some stuff we're going to talk about now is not necessarily legal. It's not hypothetically legal, right? This is all in our minds or something. We'll be using the term magic land. So when we say something happened in magic land, we're not admitting guilt to what we're going to talk about. Basically, the subject is, if you didn't see it on the talk, it's Phishing for Phishers: Enterprise Strikes Back. And the idea is we're going to talk about phishing, which we've all hopefully heard of, phishing, even realins heard of phishing.
We're going to talk about what you can do from a legal perspective to defend against it, and then we're going to flip to the dark side and talk about, well, what else can you do? How can you actually hack back? Which is essentially not really legal. Basically, as we said, it's been four of the talks that we've done. You can check out our other talks on YouTube. We've done a ton, but let's first introduce ourselves. Amir.

All right, so first of all, I look much better in a suit, so I decided to put that picture up there. My name is Amir Lakhani. I'm actually a researcher, malware, a reverse engineer, and I do stuff in forensics. I run the Doctor Chaos blog, if any of you guys have heard of that. But yeah, it's me. I'm a hacker. That's kind of what I do and a whole bunch of other BS, I guess.

And then Joey, I work for Cisco, an architect. I have The Security Blogger. Again, on our blogs, either Doctor Chaos and/or The Security Blogger, we'll show the rest of this hopefully later. We're just told not to do it right now. Together we've written three different books and one video class, and then we've also done books independently. Our latest book is Investigating; it's basically forensics for a network engineer. And part of that book, we'll talk today about honeypots and how to create one, how to create a Cuckoo honeypot. There'll be some details that we're going to leave out because it's just a long subject, but a lot of those answers can be found also in the book. So that's who we are. And let's get into the talk.

So, phishing. We've all, I've likely seen phishing. As you probably know, it's not just email. A lot of times it's email. It could be phone calls. It could be text messages. This is the classic PayPal phish. This one I actually got over the phone. I don't know if this year, if you guys experienced this in the USA, but I had this spooky robot voice call me saying that I owe the IRS a bunch of money.
And then when you call back, basically the scam is that either I can wire them the money now and not go to court, or I'm going to be forced to go to court. But that's a very popular one. And a lot of times that's the case: the phishing attacks, they're timing it based on certain things. So at Cisco, I'll tell you now, if you want to phish us, the easiest one is the UPS fake email, because basically it's Christmas time, you don't know if your husband or wife got you something, you're like, oh, what is this? And you just click it. So that's typically the most effective one for us when we phish ourselves, the UPS one. Good news though is a lot of the vendors that provide email and communication are aware of phishing, and they have this thing called reputation security, where you'll get the flag that says, this email has been seen a bunch of times, it's probably not real. So at least the vendors themselves are offering something for you. But still it's not enough. So the 101 on phishing, and again we're going to start with what is phishing, go into legal, then illegal. The 101 is first the training. And if you see English, basically most likely somebody's using a translator. You're going to find later in our talk, I mean, there's call centers dedicated to doing this in other countries, and they don't understand the native language. They just use translators. I've personally been busted on Russian sites using translators, and they're like, you're not speaking proper Russian, you're using a translator. So broken language is one. Other things to look for: public data. This actually goes back to our talk that you didn't show up for because you had to go to the Philippines, the A-hole. But we were supposed to talk. I did it myself. But long story short, we did a social engineering attack, and it was based on a fake account, and a lot of the data we were using was all based on LinkedIn and Facebook. So rereading what's already public against you.
So know what's public against you. You know, on this one, I was just talking about using information against you. I remember when you were on Facebook and we connected with one guy, and he was like, hey, I don't really trust you. Remember that? And you're like, hey, you just looked up his common friend and saw that he was in New York, and I ran into Matt in New York in like two seconds. And the guy was like, oh cool, you know Matt, I guess I trust you now.

Yeah, the story on that one was, ten years ago you can see the guy's job history, and ten years ago it said he worked at Hungry Howie's Pizza. So then I said, oh yeah, by the way, we were a blonde hot girl named Emily Williams, but I was like, yeah, I was Derek, I was Derek's girlfriend. And you see Derek's current location in New York City. So I was like, yeah, I ran into Derek in New York City and we were talking about you. So again, just the idea is you can look at people's public records or Facebook records. Basically read it against them, especially if it's five or ten years old. They're not going to know and remember all their friends-of-friends type people, and you just play that role. So public data is another one. A lot of times when I'm doing this kind of stuff, I want to know what the intent is. There's always a trick. There's always a scam. So figuring, they always ask, what are they trying to get from you? Is it wiring money? Is it sending data? The two hackbacks we're going to talk about: one was they wanted a document with sensitive data; the other one was to plant malware on our computer. And we're going to reverse that on them, and that's at the end of the talk. Final thing, don't be afraid to question people. If somebody does start phishing you, ask: who are you? How do I know you? It's not really that offensive unless you're a mayor that does it over and over to you. And you're like, you don't remember me, dude? We've been seeing each other at work every week.
You still don't know my name, like, other than that. That's kind of awkward. Typically questioning somebody, who are you, is okay. Phishing, just to be clear on the language: there are two types of phishing. There is the smash and grab, which is basically you don't know the target, you don't care about the target, you're just blasting out a bunch of emails, where spear phishing and whaling is more targeted. So be aware of that. A lot of the phishing is typically not targeted, so you'll get the fake email that is going to everybody. That particular email, in those cases, you can copy and paste in Google and you'll find that the same email has been sent and people are complaining about it. So usually smash and grab is really easy to find via Google, where the spear phishing and whaling is not, because now they're actually going to your Facebook, your LinkedIn and creating a special present for you. So again, ground zero, that's what phishing is and spear phishing. Now in general I've given a bunch of examples, but these would be basically some technical examples. Beyond just the phishing email, a lot of times you have to know where it's coming from, and this kind of gets down to the security stuff like DNS security, etc. A lot of times with spear phishing people are going to buy a website that's kind of like yours or a source kind of like yours, and that's how they're going to send the information, because most people don't check that Google has two O's versus two zeros.

Yeah, well, you know, we know this example is pretty stupid, right? It's pretty obvious, that's fine. Most attackers are going to be a little more creative and not make it that obvious. But the other thing I want to point out is you can actually have websites that look exactly like the source site, because what was happening is attackers were using ASCII characters or other character sets, different language character sets as well.
So it actually confused the browser, so you did have something that looked like Google.com, exactly like that. Now luckily most browsers have fixed it, right? I mean, they came up with updates, like the CR, I believe all of them did, and kind of fixed that.

All right, so the defenses. Here's the legal defenses before we get into the illegal. This is your standard blocking stuff. So if you want to know what I can do about phishing 101, the first thing is going to be reputation security. What is that? That is credit scoring where you connect to. So if somebody says they're a bank, they've been online for two hours, they're hosted from GoDaddy, they say they're a US bank, they're really out of like North Korea, obviously it's not a bank, you drop it. Most security vendors offer this. It's hard to read, but the website is ihaveabadreputation.com. I challenge you all to go back to your company, go to ihaveabadreputation.com and see what you see. If you see this Pac-Man ghost guy, that means you don't have reputation security; that means anybody can set up a site right now and send a bunch of crap to you. If you do have reputation security you'll get a block page, and what that means is, it's not 100% foolproof, but what that means is at least people have to have some credibility. So they could hack a church and then attack you, they could be online for a while, but at least there's some credibility. So at your first layer, reputation security: DNS security can be doing that, or like Fortinet, Cisco, other vendors, you can get this with the firewall technology. Second layer would be content filtering, which is basically reducing risky content, because a lot of times your pornography and those sites will have the pop-ups and stuff, and those can also include ways to basically phish you. File integrity would be analyzing what comes from the sites, and then finally training. So this is your legal stuff. If I was to consult on phishing, these would be the initial things to talk about.
Now if these fail, then you need breach detection, and that's where Amir wanted to do a little bit on his side, since he does a lot on the research side on building honeypots and some of the research he does, as well as how to catch when somebody compromises your network. So go ahead.

All right, so first of all, does anyone use honeypots in their networks out here today? Anyone? Raise your hand. All right, we got a few people. So five people. First of all, you might want to turn up the volume when I speak, for her earmuffs. No, so for those of you that don't know what a honeypot is, it's basically a fake system that lures an attacker, and the idea for that is to kind of pick up attack techniques. You know, we both use that, and I use that personally just in my research because I want to figure out what attackers are doing. What are the techniques that they're doing? What is the malware that they're hosting? Exactly what are they interested in? Now there's two types of honeypots, and most of the time if you Google honeypots you see some of the popular software, you see low interaction honeypots, and they're cool, they give you basic sh... earmuffs, earmuffs. All right, they give you basic stuff like SSH passwords, brute force, basic things. But there's also high interaction honeypots, and for most high interaction honeypots you're probably going to do a lot of customization yourself. That's how you make the system look really real. Sometimes they are real systems; they're real WordPress sites, you know, Elasticsearch engines, they're real things, and you're just setting up enough defenses to log, to figure out what it is.
Now before I can get started, like, I run a lot of honeypots on different VPS providers, different hosting providers, all over the world, and you have to kind of be careful, right? Because, first of all, I can tell you I've had my own honeypots compromised, and all of a sudden, you know, I may be researching a new malware that's being spread, and I'm like, crap, I'm the command and control server, like my server is. That's not a conversation you want to have with your boss, right? And your boss is definitely not going to give you a high five and say, was that all the stuff you expensed out? So am I liable for that? So just be careful. So a couple of things, just my personal best practices, is try and find honeypots or VPSs that will give you two public addresses, and the reason I say that is you want to run a honeypot that's doing SSH honeypotting or web honeypotting, and you need a management interface; you want two addresses out there. Now the other big thing is try to do no NAT. Now this is very, very difficult to achieve with a lot of VPS providers, because everyone does NAT. You may even look like you have a public address, but it's being NATed at some place. The reason I say that is because, you know, when you're running 20, 100, 200 honeypots and they're all coming back in, logging them all centrally, and they all have the same IP addresses, and you're usually creating them on templates, it gets pretty crappy. You're like, okay, where the hell did this come from? And you're doing a lot more digging than you need to. So just look at that. And then the other thing is don't tell your hosting provider what the hell you're doing, because they'll probably cancel your service, and just always act dumb. They're like, hey, were you hosting all this illegal software? Like, I don't know. Works out really well most of the time. Is there anyone out there? Oh yeah.

There's a term in the industry called resume generating event.
Don't just go to YouTube and type in honeypot and get a 13-year-old with acne that says here's how to do a honeypot. We've had people with that in sandboxes, basically our incident response team come out and figure out what actually happened, and in a lot of cases people will basically put a honeypot on the network and then malware gets on their network through the honeypot. And if you're responsible for the honeypot, that is a resume generating event. So please don't do that.

Now with all best practices, I mean, we're pretty much already standing on the shoulders of giants. I mean, a lot of this is kind of best practice that's been out there, it's been documented, and with our experience as well. But there's a lot of different types of honeypots, and all these I'm showing are low interaction types of honeypots, but they all run on different ports. Now I'll tell you, a lot of people think, okay, well, what do I need to have a honeypot? I need to get this awesome server. No, my servers are basically two gigs, or a lot of times one gig, around 20 gig hard drives, pretty shitty boxes. Earmuffs. Oh, okay, cool. I'm supposed to say earmuffs before I cuss, right? Okay, all right. So, and then you can run multiple honeypots, so like these ones that are on port 80, they're all port 80, so don't run all of them; you can pick one of them and you can pick another one and pick another one, so this you can kind of use as a map if you want. And there's a lot of different options out there, there's different things. These are just some of the common ones that I use. Now other things that I do with my honeypots is I actually just set up servers, regular servers like FTP servers, and sometimes my FTP servers have pretty easily guessable passwords, you know, like admin and password, just to see what happens, and I just set them up just to see the type of stuff that I'm going to get, and first of all, I will tell you, this is the best way to get free form, by far.
Just set up an FTP server on the internet and you're good to go. Now besides that, the coolest thing that I got was I actually got every episode of ThunderCats, and I don't know what happened, but someone actually, yeah, someone just logged into my honeypot, and I remember, and I go, man, I set up an open FTP server, and... you did what? I go, no, no, it's awesome, I got every episode of ThunderCats. I don't know what people were doing, and I did realize pretty fast, because I was a fan of ThunderCats when I was a kid. Man, I had this weird obsession with Cheetara, man, I don't know what's happening. All right, so go ahead and do that. One of the other things that I do with my honeypots, and this is, I've actually discovered zero days with this that I've done responsible disclosures for, but I actually have an XP machine that I have fully patched, so 100% patched, and I do this with multiple operating systems as well, Windows 10 and Windows 8, and so these are fully patched and I'm running non-admin modes. I'm not running as an admin user, and then I have scripts that are just downloading a whole bunch of URLs. I'm getting them from VirusTotal, malware sites, open intelligence sites, plus just a lot of other sources. I'm just downloading, you know, hundreds of thousands of URLs through the system, and then what I do is I actually just compare the registry at the end of each day: has the registry changed? And if I find a change, right, that means that box is probably being compromised in some way. Now if I'm running a fully patched system and if I'm running non-admin, most likely I've found a zero day, and that has happened to me before, so that was kind of cool.

Yeah, to be clear on that, that's how a lot of researchers find zero days. You just basically create your honeypot, put the system up there, it's fully patched, if it gets popped, that's what you got there, Tom.
Let me just finish this up. Well, the other way we find a lot of zero days is just, oh shit, we found something, this is pretty cool, right? And who's the first one to publish this, right? That's a lot of times what happens as well. The last thing that I'll say is that I use PCAPs. I always capture PCAPs, and we'll talk about this a little later on, but the nice thing about this is sometimes it's just so hard to capture all this traffic, analyze all this traffic, yes, but with PCAPs I can actually run it against known signatures. I know signatures is an awful word, but at least it gives me the type of attacks that are going on. So if I know I'm setting up something in the Ukraine and also I see a whole bunch of, you know, VPNFilter, as Cisco Talos discovered, or some other ransomware, at least I can say, hey, this is happening in this region, or something like that. I can analyze those PCAPs and just get a little flexible later on. Pretty much what I do, and I'll let Joey kind of go into more details, but I have a lot of logging tools. One of the easiest ways to set up honeypots is to use Modern Honey Network for low interaction honeypots; they have a built-in logging interface. I use Splunk or Elasticsearch, and you know, when you have just good files, you know, you set up a little bit of time, you can set up all your nice pretty graphs and make it look really nice and good as well.
So again, this is all the breach detection stuff. We spent a little extra time on the honeypots; if you want to learn more, check out our next book. Snort would be another one, so if your defenses fail, ideally you can have an IPS/IDS. Hopefully you'll order Snort, but Snort you have to deploy, you have to tap and know where you're looking. If you want to have something where you don't really care where you're looking, then maybe NetFlow would be another option. There's some security vendors out there that do this, Plixer, Cisco, a few others, that do the idea of behavior analysis: why do I see port scanning, why do I see weird behavior? So those are your defenses. So this is basically the end of the legal stuff, but basically if we were to say, help me with phishing, we would set up the defenses, perimeter defenses, we would then look at breach, so if the perimeters fail, your honeypot or your IPS or your NetFlow tool would alarm. Now what happens when you want to actually strike back? That's the big question. Well, technically speaking, it's not necessarily legal, as well as there's some things to think about. First off, think about what we just talked about. In a lot of cases the attackers know there's reputation security, so they have to get around that. What are they going to do? They're going to hack a church, a school, something like that. So if you hack back, what are you hacking back at? You're hacking back at a church, school or something. So don't necessarily see phishing and think, oh, I need to strike back right away. You may be hitting somebody who's basically a victim as well, and that's the first thing that we kind of discovered as we started researching this: we're not necessarily popping attackers' boxes, we're popping other boxes that have already been popped that are used as pivot points to attack people. So be aware of that. Second thing is there are interesting laws, which we'll talk about here in a minute, and you need to be aware of what country you're in if you're traveling, what
are the current laws of where you're at when you do this, because again, the laws are really iffy in this area of cyber, not to mention this idea of actually striking back. So everything from this point on, because again of legal purposes, hi YouTube, is all in magic land, so this hypothetically happened in a dream kind of thing, and we'll show you a video that we pulled out of our dream as well.

I'm sure that the EFF is going to be wanting to talk to us here. You know, first of all, even if you're authorized to hack back, and hopefully me and him are going to do a talk about something that happened, interesting, where I was authorized by a DA to do hack back, and we did it and we got the information and we caught someone that was not a good guy, and he got off scot-free, because I had to go to the judge and explain what I did, and I was like, well, I hacked him, and you know, don't tell a judge you hacked someone even if you got authorization and a warrant to do that. But mostly we failed because we didn't have a wiretapping warrant, it was filled out wrong, so that really sucked. But I will tell you there are laws that are changing and being proposed, like the ACDC, and for those of you guys that don't follow the MalwareTech blog, great, great Twitter feed, great site as well, but it's pretty much, you know, no one has really thought about this law and just said, hey, hack back is going to be okay. It's a really, really shitty law that's out there, really shitty proposal. It just takes into no account how computer security really works or what's going on today. Unfortunately, most of the stuff kind of falls under the Computer Fraud and Abuse Act, and things that shouldn't even fall there. In fact, you know, at this conference we probably have known people that have been accused of breaking this law. It's being abused like any other law. So right now hacking or hacking back is not a strategy. It's
going to get you in more trouble than anything else, I guess, unless you're hacking a country that we don't officially authorize as a country, right?

All right, so again, here's the strategy of most phishers. They're going to basically try to trick you in some form or fashion. A lot of times it's email or phone call. Their goal is to get you to do something; in a lot of cases it's to install something, or it's to have you provide some information, and then once you are duped, they do something bad. So our strategy in magic land is, well, what if we flip the script? Which means what if we basically then try to get them to do something and try to get them to basically be duped? So it's almost reverse duping. So there's two stories to tell. The first story will actually be at the end, which would be the second story, and the reason why is we weren't recording the first time, and then after we made this happen it was kind of awesome, we're like, all right, let's actually prepare for this, and then the second time we'll actually record something. So this is the second story up first, and the idea here is there was a phisher that was trying to get us to fill out some forms. So the story is this is Dell security support. I've seen this also with Microsoft security support, but they call you and they say your computer is full of malware. You're like, really? Holy shit, really? Who are you? It's Microsoft. While running a Mac. Well, yeah, that's okay too. It's like, what? But seriously, so with Dell it's the same thing, like we're running Macs and it's like, yeah, we're a contractor and we're just seeing malware, so we can really come in and fix your box. What we found initially when we just interact and not hack back, either there would be a want to get access to our box and then show, oh look, we're inside your box, but that's the bad guys inside your box, pay us now, like an analyst service, and we'll fix your computer. So we've had them try to sell us fake services, which really you're selling
services against them. We've seen it where they just ask for data, or they've planted malware and they can view your box. In the two stories, this story here, they try to get us to fill out a document, so the idea is, well, why don't we trick them and basically plant malware in the document and send it back, and then when we open the document we pop their box. So that's the story we're going to tell now. And the other story, the idea was we played stupid and said, well, hey, I'm trying to do what you're doing, this is frustrating me, and like I've seen the Matrix movie, the Blackhat movie, this should be... I have this thing called WebEx, I can share my screen, why don't I share my screen, I'll give you full controls. So I gave them the WebEx agent, but I weaponized the WebEx agent so that I pop their box with the WebEx agent, and then I took over their computer. So they had control of my sandbox while I had control of their computer. So those are the two stories. So what we'll do now is we're going to walk you through story one, which is the one we recorded, which is the Dell story. So the story is, basically you have to set up, in this case, you need a sandbox, because you want them to actually have something to have access to. In this case we got them to get the agreement letter; you need to weaponize it. We're going to talk about different weaponization, whether it's droppers or RATs, but you need to weaponize something and then trick them to either open that file, open that program, the exact same thing they're doing to us, making us install things or click things, but just do it to them. So we'll go ahead and we'll walk through building a sandbox.

Cool. And, you know, first of all, I would say, you know, Cuckoo is complicated. Don't go to YouTube and put, like, how do I install Cuckoo, because you're probably going to get hacked. Okay, not saying there's not a lot of good guides out there, just be careful, because a lot of sophisticated
you know, red actors will look for things like Cuckoo, and of course everyone looks for VM tools. No one's stupid enough to VM tools; that's not what all attackers are looking for. You know, they'll look at certain DLLs, like the SbieDll and other things that it's kind of hard to get rid of on these boxes. Now when we're talking about sandboxes, we're not just talking about something that you run and it gives you a report; these are kind of honeypot sandboxes as well, so they're full interaction sandboxes that we can stop, we can play, we can re-image. I can't tell you how many times that I've seen people put in sandboxes and they've just gone and hacked themselves, right? I mean, they just compromise their entire network. So if you don't know what the hell you're doing, just buy a professional sandbox, right? That's easier. One thing I just started playing around with a couple of weeks ago, and a good friend of mine, I don't know if he's in the audience, Fred, is there a Fred, is anyone named Fred in the audience? Okay, you can be my friend. Clonezilla. I mean, actually using it, it's super awesome for just ghosting stuff and putting things in, so if you're like a malware author doing any type of malware testing, look at Clonezilla. It's actually kind of saved my ass a couple of times.

Yeah, actually, honestly, I had a customer buddy a year and a half ago that built a sandbox, and they were playing with walkie ransomware, and they got themselves infected with walkie, and when we did the investigation we had to say, well, your sandbox... event. So again, don't be that guy or girl. When it comes to weaponization, there's two different options in those cases that you can use. One is establishing a full tunnel, which means you can interact, you can actually pivot from that box, and the other is a dropper, which, to be clear, a dropper you don't get full interaction. I
talk to my dropper, give me this information, and it comes back. So show me the ls, and a few minutes later I get back what's basically running in that folder. So in this use case we're looking at RATs, which means we want full access to the person's computer, but there's different options, like Empire, you can put droppers out there easily and be more stealthy, where a RAT, it's typically more chatty because it's a full tunnel. So it depends on what you're looking to do. In our case you're going to find, especially our first one, it was amateur hour. There's a lot of things that we could have done better, but we did it anyway. So again, full tunnel or dropper you can use. You're going to find also in the second story that I talk about here is wrapping, and wrapping is the idea of actually taking a legit software and then wrapping it with malware. True story with the challenge: you guys know the Packet Capture Village challenge? One of the challenges was finding a hash. That hash was my sock book that some A-hole on the internet wrapped with malware, and literally we're in our sandbox, our Talos sandbox, and I found... I was just trying to find a way to wrap... that hash is my book wrapped with malware. So you can wrap anything, and here's literally a freeware where I can take a book or take a software or a music file or, in this case, the WebEx installation client, and wrap it with a backdoor. So literally you take like a Meterpreter in Metasploit, you have that as your rootkit, you create your whatever you want, in this case your WebEx... actually, we're being recorded... your VPN client or shareware client, you wrap that, and if somebody runs it, boom, you're good. Now the other thing though, and this is obviously the antivirus will catch it, you do want to do your modification to it, your encoding, basically to make sure that it doesn't get detected. Also, by the way, too, if you are going to do this, you probably want to have, you know, like TrID or PEiD, but you're also going to want to have some kind of file detection piece and actually truly identify what the file is, especially when they send stuff to you. So in this use case, when they sent us the Dell file, it actually did not have malware, but a lot of times a phisher is sending us something, usually it does have malware, and the way to see it is you put it in a sandbox and you first analyze and make sure what it is, because it may be a zip file or it may be some other file even though the file type is different. So not only should you build a sandbox, we highly recommend for you to download some freeware and actually identify what the file is, and then we start analyzing it.

All right, so, you know, some of the things that we started doing just to play around with, you know, how to get this malware on, is we have to figure out that, you know, we don't want to really... you know, we both work for security companies, we really know a little bit about how to bypass security devices, and like everyone will tell you, the way you bypass security signatures and attacks is to use things that are already on the system, right? Use PowerShell, use Python, like put a full wrap. Excel is just a really easy RAT that I came across that works on Mac machines as well, and then from there, I mean, it's pretty much like Metasploit or any of these tools, you can write your own RATs and your own deployment pretty easily as well, and that's most of the time, like, when we're testing things, that's what we do. There's no signatures on something that I write on the fly, right? And also, you know, have a public server ready to go that's hosting stuff. I think a lot of times when we came across this research, and you'll notice when we talk about the video and exactly what we did, is, you know, when we got the call, you know, really I walked into the house and my mom's like, I don't understand this call, it's like someone saying Dell tech support, and you know, I'm listening to this guy, I'm like, all right, it's Christmas time
Christmas is coming early right and I'm texting him I go dude some guys calling me claiming he's Deltec support right and he's like dude I already got a call you box it up in the cloud like we're going to have some fun with this guy so like be ready to go you want to talk about encoding? yeah yeah yeah so as we mentioned in a lot of cases what you don't want to have happen is same thing with them if we're going to hack back we're going to fish them we don't want to trick them have them install the file and then like their antivirus blocks it like that's a complete fail so make sure you encode basically set up on the fly and then we were just basically trying out the files against the known security vendors and you're never going to get like a hundred percent like bypass but long as you get like a high enough number in our case like seventy percent we're like this is good enough this is like a Dell workshop they probably have like a crappy computer anyways so yeah I mean pretty much make sure that you do test it before you send it and then finally there was a location piece you want to talk to this one? 
we started talking about is we started playing around a lot with like macros word macros and if a word macro is actually not sending information back it really doesn't trigger like any AV type you know triggers so you can you put a macro in just to like basically record the IP address and like save that on like a hidden document or a hidden sheet or you know like start putting in like basic location tracking so it was kind of cool one of the things people always talk about is when we're writing the local IP address and then like picking your local gateway and doing a trace route which we can all do in a macro and we'll have a little more detail on our sites on exactly how we accomplished that as well so you can see the code it's just VB code you know we know exactly what the attribution was and I'll describe it a little bit but at the end of the video I mean I saw the guy so I exactly knew exactly where he was from it was a little obvious at least so alright so let me kind of set up this video just a little bit before we get going as I as I said you know this really started off with like me walking to my house my mom's like I don't understand what's going on here and I talked to the guy he's like I'm Dell tech support I go cool I have a Mac right or you know BSD whatever I mean I fucking don't use a Dell and and then you know I'm just talking to him and he's like you know of course he's a contractor and he wants me to get on TeamViewer he's like download TeamViewer and I'm like yeah no way I'm not downloading TeamViewer and he's like trying to scare me he's like well first of all you know you have all this malware going on and he's really putting it on like that he's like you're going to get arrested because you know you may not know what you're doing but now you're responsible for this malware and you're destroying people's lives and like paying me right and I'm like alright what do I do I don't understand and I was getting really frustrated you know I was you 
know I was you know pretending like I didn't know much and he's like alright you know what here's the document and send me this document like it's Christmas man it's beautiful I go you're sending me a document so of course he sends me a document put in the sandbox I was like so excited at this point I'm not even just like running this I'm like fuck it I'll re-image my box this is and that's how I always get infected you know like you know you start off like like fine I don't need to put in my VM and the document was clean it was it was completely clean right so so I did the most basic thing I set up the most basic encoder in MS Venom and why doesn't every AV just freaking cash this is script kitty stuff right that's all we're doing is I'm setting up a local you know a local exploit and this is a payload and the macro that we put in now you're not going to put in the payload like visible in the document you'll see that I just have it like in the document here at the very least just make it white just let him make the color of the font white they're not going to see it but you can put it on a transparent sheet there's other things you can do as well and yeah you know he's going to like depending on the version of word he has he's going to get some error out here it doesn't matter I mean as security always say like no one's going to click on a macro everyone clicks on it they click on something even if he clicks end it doesn't matter and that's why I got the shellcode here anyway so it's going to bypass a lot of stuff anyways it's going to run automatically so I save it of course I told him my name he wanted to know my name my name is eason hunt so that's what I told him and he's like oh that's good you know that's great so of course I'm waiting for him to like open the document I'm waiting and I'm texting Joey he's going to open it and of course it takes like five minutes to open it and finally bingo I mean I get my reverse shell back now what's funny is I actually 
didn't put anything in it so he called me up he's like the document's empty he's like did you not know what you were doing what's going on he called me wrong document in fact you can see I'm like so excited because I'm like what can I do here what can I do here I even put in the wrong commands here and so once he opened up the document I could see his desktop running he's still staring at the empty document um I'll be it's going to be there the information is going to like this is the actual document that he sent right so you can see that he didn't write it now at that point what I ended up doing was just like turning on first of all like snapshots like on the webcam so that way the light wouldn't go on on the webcam and so just to see how he looked like but at the end I was like let's just turn on the webcam right and so this is the part like you know we're kind of a little afraid of just because there was a lot of people here it wasn't just one guy I mean it was like two or three people next to him there was people behind it it was a call center type type thing and so I didn't put that on there and then I'm talking to him I'm like oh yeah that's a really nice red shirt and uh you know like uh you know your your your turban's a little messed up here I'm not going to tell you what country I think it's attributed from right but uh uh so like he's like what he's like not understanding me and I was like you know at that point I go hey bro so I start talking to him in Hindi right now and I go tell him exactly I go you know I go yeah this is really nice and these are the files oh you got a chat he had aim we I think we have a picture of his desktop we took but we he had a we oh yeah so yeah yeah yeah but uh but uh you know every chat message like uh like uh known to the world so the video that I actually had um that hopefully we'll be able to put up is basically him running towards the camera and pulling it out before it freezes uh so uh so uh that was uh that was 
awesome and of course this is all hypothetical pretty sure a wink is a defensible uh uh you know please so yeah again we can't we couldn't show the because the language on the desktop and uh the country of origin all this stuff our HR department's like don't show it but we hope to show it because again it's magic land but we had to help to show this dream scenario that really didn't happen or did happen on our blogs at some point in your future that's scenario two scenario one was the other one just to mention so this one we didn't have a recording we started actually first hacking back but this is my scenario where again I had somebody call me they were trying to tell me that I have malware on my computer so they're trying to walk me through commands to install stuff so all I was doing was just acting really slow and saying I don't get it or I'm fat fingering it like and just kept saying I don't get it and that's when I offered well I have this shareware software made by uh I guess I can't use the word WebEx WebEx um and basically said I could share my screen and I can interact so I'll give you full control and you can do it for me and I can hear in his voice the excitement because he thinks he's one he's like I'm gonna full control this guy's computer this is awesome so I'm like sure just run this app so I send him a link exact same tricky distance to me but I basically weaponized my WebEx and popped his box that way and same thing we started interacting with his computer and uh turn on his camera I basically just screwed with his computer to the point where his computer started acting funny and then killed the connection so again same idea so the whole point of this here to summarize what we've did is really if you think about it phishing in general is the idea of tricking people they're trying to trick you they're trying to make it do something uh we talked about today first the the legal defenses so hopefully again I have a bad reputation dot com try that 
website out think about reputation security think about content filtering firewalls that kind of stuff and then half breach if you don't have breach you're an idiot you don't know if those defenses are working or not if you're not validating those you don't know if something's getting through we talked about honeypots today which you can learn more on our book we talked about uh IPS and NetFlow as legitimate tools but if you do want to hack back we did talk about how to build a sandbox you want to do this obviously on the net we talked about some of the legalities of it we talked about if you do hack back you're probably we got lucky in these two cases some of the other cases when we do hack back it's a pivot point so you don't necessarily are going to like hack back and always get the bad guy or girl you may get some some pivot points but if you do it lucky enough like we got where you're actually talking to the person on the phone in a lot of cases now you're actually talking to the victim or the uh the attacker so they can become the victim which basically is what we talked about which is think about tricking them using the exact same tactics you can use rats you can use droppers however in it we show two and then the ideas if you do you know get them back post it somewhere and uh embarrass them because hopefully they'll stop doing it. Yeah the one thing I would like to add is once if this ever happens to you and you start laughing uncontrollably at them hit the mute button because it does make them a little suspicious but uh you can also just tell them you are crying because you're so scared or something like that work too. So again we do appreciate it we hope to publish more information about this as we continue to do this in Magicland uh and if you guys end up doing some of this as well uh again I'm Joseph Unies this is the mayor reach out let us know we'd like to hear about your uh phishing back or attack back adventures. 
Thanks for your time enjoy the recipe.com