So I'm RSnake and I work for a company called SecTheory out of Austin, Texas, around hackers and slackers, and this is Jabra. How's it going, DEF CON? Ridiculous numbers there. Ridiculous numbers. So I'm Jabra. I work for a company called Rapid7. I do a lot of pen testing. I write some Perl. I work with the BackTrack guys. We do, you know, the remote exploit thing. It's all good. So yeah, that's me. Cool. So we decided to do a talk on de-anonymization. We've done a lot of talks on hacking browsers and hacking websites, but we really wanted to change it up a little bit and talk about hacking individuals. So, quickly, why this all matters. I mean, we all care about our privacy at some level. We don't want everyone to know about our secret things, our passwords and that kind of thing. But people, I think, oftentimes think that they're very secure, especially in this industry: "I've done my due diligence. I'm using a proxy and therefore I'm secure." So we decided to go after kind of our own, to demonstrate that there are quite a few holes in our mantra around our own privacy. So why is privacy good? It's good because a lot of people want to drop docs on you, right? You're a security guy; you don't really want your information all over the internet. Same for political dissidents. The common example is the Chinese guy who's against the country, and his country might want to kill him for some reason, or put him in jail, or whatever. Same for people who might be subject to violent crimes; they don't want their jealous ex-boyfriend to come kill them or whatever. Same for people who have fetishes, for good or for bad. Same for whistleblowers as well.
So I think there are a lot of different reasons why privacy is good, and we all encourage ourselves to try to be private if we're doing anything sensitive. And ultimately it increases freedoms. But there are a bunch of reasons it's also bad. It's a safe haven for evildoers, and I'm not going to try to define what that is; it's up for interpretation. But it allows them to attack and retreat and exfiltrate the data all relatively quickly and without ramifications, and therefore it hurts law enforcement, whether you're pro or against; that's kind of relevant. And it prevents the social compact that we all have with one another: if you come up and say something bad to me to my face, I can do something about it, but if you say it over the internet it's a little bit harder, so it's harder to enforce that over the internet with privacy. But either way, privacy is broken, and we're here to demonstrate quite a few of those different things, because it's too complex. Ultimately, if you can find someone's IP address, I think that's the gold standard. If you know the real IP address then you can go do something about it. That's sort of the big thing that we want to find out about each other. Not that that's particularly difficult. But what about if we can do stuff that's even better? We found quite a few ways to do that. So let's start with a basic de-anonymization guide, and then we'll break that. All right, so the first thing that you do when you're looking at being anonymous is you look at, okay, what can I do to mask what I want to do on the internet? So can I use things like a proxy and just send all my traffic through this proxy? Something like Tor is really ideal, because you'll have all these proxies communicating, and you're just sending your information into the proxy, and at the end it just goes out through this end node. So that's pretty cool.
You can also do things like clearing your cookies, clearing your session, using NoScript; really doing the things diligently to protect and mask your identity. You can also use Lynx so no one knows really what you are and where you're coming from, that sort of stuff. So the next component is using things like free email systems, right? So you can set up a Gmail account if you want to log in to some new application; you have things like Lala or whatever. You can just create a free email account and then just log in with that bogus email. They won't be able to track you back to the one particular email which you use for all your data, like your corporate email; you just use this other account. So it's a pretty good way to do it, and you're basically dividing up all your user accounts so that no one can actually track you back to your corporate account. Okay, so now the client-side certificate stuff, right? So what I did was I looked at taking a client who's connecting back to a server, and they're using some sort of public key. This information is stored within your browser, and what happens if you're going in using this with Firefox is you browse to a website and you have your public key within your browser. So the browser says, okay, you want to send your public key, and there's just an OK button, and you click OK, and you think about it and you're like, wait a minute, what sort of bad thing could have actually occurred? I'm transmitting my public key to a server, and it has nothing to do with the server that I was actually supposed to be sending this information to. So it's like, well, that's kind of bad. So we go on to the next slide, and what information is actually stored within the public key? Well, there's a whole lot of information about your name, your email, the system that it's running on.
So hypothetically you can tie this back to: okay, I know it's running, in this example, Fedora Core 4 on some .edu or whatever; it's just an example, right? But if you look at gathering information about the actual target, all you need to do is really grab this public key. So you can use something like tcpdump, and you can just sniff that traffic and grab the public key. I have a screenshot we can show later; it's just using Wireshark to actually grab this public key, and then you can see the information in clear text right there in Wireshark. So it's kind of good to be able to gather this information, and then if we go to the next slide, what we'll see is, okay, so if you have this information about the client (we have their email address or their name or some piece of information), a lot of companies will use a common email schema to determine how they're going to create this email address. So it's really helpful as an attacker to be able to say, okay, in traditional phishing what I would do would be to grab a list of employees and just create my email list. Well, this is sort of the reverse of that: all I need to do is just grab the email address and then just reverse it back to the full name of the individual. So now I know their name; hypothetically I know their handle; and now I can start trying to get into that server, because based on the public key I know when it expires. So all I need to do is sort of do a brute-force attack, and you're much more likely to actually grab a shell because you're doing it with all the basis of this knowledge. That's sort of how it follows. So I think a lot of people here have heard of Tor? Yeah, a few of you have heard of it. So it's a pretty common way to anonymize yourself; you just bounce through a bunch of proxies.
There were a couple of guys, minimum a couple of guys, who compromised some Tor exit nodes and were logging information as it went out of their network, including a hundred embassy passwords. The reason why a hundred is an interesting number is because it's exactly a hundred. It wasn't a hundred and five, it wasn't ninety-six, it was exactly a hundred, which means that there's probably a lot of other information that they didn't give out. In fact, I know there's a lot more. But there were such amazingly good passwords as "temp" and "123456" and "Egypt" with an I instead of a Y. Very, very clever. So Breach actually has a project where they have a bunch of different honeypots set up, so bad guys will route their traffic through it, and they're tracking all this stuff and saying, okay, well, here's what bad-guy traffic looks like, and sort of monitoring that kind of information. So ultimately you've got to find a proxy that you trust, which is very difficult because it's not your machine; remember, it's somebody else's machine, and hopefully it's not linked back to you, so you can't really have any prior knowledge of it, which makes that very difficult. So Jabra worked on some way to create a hacked version of Tor that would actually do all the same stuff that the guys who did the Tor exit node hacking did, and would basically make that whole process a lot easier for everybody, but we just sort of ran out of time. So this little image tag here is a very quick way for you to de-anonymize, or at least detect, that someone is coming through a Tor node, because onion routing has its own protocol, or its own TLD rather. If you have a server set up inside the Tor network, you can actually detect them coming through and pinging it, and it's your machine because you put it there, or you can use this piece of JavaScript to say yes, you are or aren't on Tor.
So if you're running JavaScript, it's a very easy way to detect that you're coming from JavaScript space. So yeah, probably a year and a half or two years ago I created this thing called Mr. T. It was based off of Ronald's project, Black Dragon I think it was called, but basically it's a way to enumerate a bunch of plugins, history, screen resolution, and a bunch of the basic components that give you information about your target and allow you to go after them. Not great for de-anonymization, but great for potential for exploitation: you might be able to say, well, if you've got this specific plugin, I know that you're going to be vulnerable to this particular thing, because lots and lots of plugins have major, major issues with them.

So I was looking at utilizing this browser exploitation framework. You guys know about this browser exploitation framework? Yes? No? Yes, all right, cool. So it's a really awesome piece of software, and what it does is it says, okay, anyone who goes to a malicious website that I've actually modified with something like cross-site scripting, or my website, I can attach it to this framework, and I can do a lot of cool things once you're attached to this framework. So what I can do is basically detect what types of things are in the browser: I can detect all the plugins, I can detect what you're doing, all your cookies, all that sort of stuff. I can do keystroke logging, a bunch of cool stuff. So for this talk, what I did was I said, okay, it's really important to be able to improve the quality of this browser exploitation framework, because what we really want to do is we really just want to get a shell, but we're going to build upon all this detection information to do that. So what I did was I said, okay, what do we have for detecting various types of operating systems? Okay, that's pretty good. Okay, what other things can we look at? So I said, okay, there's VMware, which there was currently, there was a module in there that used ActiveX. I said, okay, this is not as good as the ideal, where I could use something that is going to work everywhere. We'll write it in Java; it'll work pretty much anywhere, and then you can use it in Linux, you can use it in Windows, whatever, it doesn't matter. So that's what I did for this talk, and I've incorporated that in the new version of BeEF, which should be out in a couple of weeks. Incidentally, a lot of this stuff we have demos for, but we need to race through the slides to make sure we get to the end; then we'll show the demos. Yeah, all the demos are going to be online; there are URLs at the end of the talk, so everyone will be able to go and see the demos. Awesome. Next slide.

Okay, so the cool thing is that cloud computing is where all the businesses are going, that's where everything's going; everyone's putting all their data in the cloud, right? So to be able to detect if you're running within something like VMware or QEMU (QEMU is an open-source virtualization mechanism) or VirtualBox or Amazon EC2, all we really need to do is be able to get the user to run a piece of Java within their browser. So just a simple Java applet that would detect the MAC address and then do a simple regular expression check to say, okay, are you within this range? You look at the first three octets, you compare that, and then just determine what we're looking at. So that's already incorporated, pretty good. And for Amazon EC2 it's even better: we can say, okay, I know you're in this particular region, like US East or Europe West. That's pretty nice. So this pretty much works everywhere again: IE, Firefox, Linux, Windows. Had a couple of issues with Mac, but talk to the Apple guys and they say, yeah, that's awful. Work. So, awesome. So what we're going to be able to do is we're going to be able to leverage this sort of information in our attacks. So we don't really have any attacks against the virtualization mechanisms, but that stuff will come in time. So the next component that I looked at was actually taking this to the next level and actually getting shells based on this sort of information. So if we can detect that the user has Java within their browser, just like java.enabled and such, all we need to do is just create a self-signed Java applet, self-signed by something like "the Microsoft Corporation," and they just run the applet and we get a shell. That's pretty cool. And we'll just customize another one for Linux, the same thing for Mac, and it's pretty nice. So if they're running in Linux with sudo cached root privs, great, now we get a root shell. Pretty nice. And if they don't have Java enabled, we'll just redirect them to Browser Autopwn, which is the Metasploit exploitation framework. So in summary, I did a ton of work on BeEF. We have Tor detection; we have the Java ping sweeper that RSnake wrote, and what it is, it's basically determining, based on some really cool Ajax, which you can talk about if you want, what the internal IP addresses are for this organization, for this person who went to my page. We'll just do an internal ping sweep on their network to determine, okay, what else can we see? Wouldn't it be great to go to a page and get a complete pen test? That's what we're going for. So the next component is just looking at increasing and integrating all this stuff into BeEF, so it's really just a full detection engine for your pen test, and then getting all that information to be transmitted between modules is what we're going to work on next. We also incorporated some of the cool stuff to be able to determine, okay, give me the Alexa top 500 of where this person has been. So now I know, okay, they've been to Google, they've been to Twitter, all that stuff; cross-site request forgery, all that stuff comes into play. So a new version coming out.

So there are a bunch of different ways to get the internal IP address range, or the IP address of the actual box you're on; I'm not going to spend much time on this stuff. A really good one, I thought, was SCP: SCP used to have a vulnerability where you could actually get people to upload files to you, which was interesting. Word, PDF bugs; you'll find this stuff on decloak.net. Interestingly, I went through about:config, kind of hoping I could short-circuit a lot of this research and just jump right to the protocol handlers and look at them. Turns out that most protocol handlers that are really interesting don't actually reside in about:config, at least not for protocol handlers. You'd think it would, but it doesn't, including ITMS. ITMS is what iTunes uses to communicate. In fact, I've talked a lot with Apple over the last couple of weeks, and Firefox and the IE guys, all about this issue, because who owns this bug? So you come to my web page, I spawn the ITMS protocol. There's a bug in ITMS that allows me to make it visit any page; forget that for a second, just assume it worked that way naturally. So I get you to visit my page, but instead of going through the proxy that you set up, you're instead following the proxy settings of Firefox, which are different than that of the base operating system. It doesn't matter what operating system we're talking about, but let's say it's Windows, and then you connect directly to me. So now I've got your real IP address as well as the proxy IP address, as long as I submit some sort of payload in the DNS request. And this is already on decloak.net; it's been there for a couple of months, I just never posted about it, but if you go check it out, it's already there. So we spent a lot of time talking with the guys, like, whose bug is this, where does it belong? I don't think we ever came to a real conclusion, but I'm more and more thinking that it actually is Firefox's bug, except that if they ever fix it, it'll make a lot of people's lives a lot worse, because they won't be able to have a proxy inside Firefox as well as using everything else. So the conclusion to that is, if you want to be anonymous and you're using Firefox, you have to use something like Torbutton, not Tor Browser. Torbutton, Tor Browser: they're very different; one is totally insecure and the other one is very good. So just FYI.

So David Byrne came up with something, probably a year and a half ago or so, called res timing, so he could basically check how fast something was coming up by instantiating it like a thousand times. If you instantiate it a thousand times and it's not there, it's a different time than if it is there, which is great: you can enumerate anything on the file system, but it just takes a long time, so not particularly useful as it stands by itself. I made it less useful by porting it to a non-JavaScript version, but, hey, now you don't have to have JavaScript turned on. So then I came up with something called SMBEnum, and I didn't publish it, but here I'll tell you all about it right now. So I told Rich Mogull about this: I'm able to enumerate your hard drive when you visit my website, and here you go, and I gave him a link, and it was telling what he had installed, and he's like, what the fuck? And that's right. I mean, it's kind of like, you don't expect that to happen. That is definitely a cross-zone-boundary thing that's vulnerable in IE in multiple ways, both with res timing and SMB. Also included in BeEF; also included in BeEF, sorry, and I'll show you what that looks like in a second. But usernames and computer names are really what we're after. IP address is great, but what if I can get... I want to know who you are. Maybe there are like 20 users on that box; I want to know who you are. But more importantly, it's easier to track you down. If your name is Bob Smith it's a little harder, but, I mean, how many Robert Hansens are there in the security world? Like two or three. It makes it a lot easier. So one example in IE: if you can get someone to cut and paste this URL, it'll actually drop the username and the full path of where their user directory is, or the computer name and the full path of where their user directory is. I often get it a little bit uppercase/lowercase kind of thing. So basically you send them a broken link in an email; you say, hey, can you please click on this or whatever, and they can't click on it because it's a broken link, but they'll cut and paste it into IE, and boom, you've got all that information. Works pretty well. SMB again, a different way to do SMB: inside of an iframe, you have something as simple as file:/// and then some IP address, which is the location of where your SMB server is sitting on the other side, as long as you've got Windows networking working. I was told that about 50% of networks don't have the ability to have outbound SMB through, outside the corporate firewall or whatever, but 50% is still pretty good, which means I can actually get all of your information, and when I say all, I mean all: computer name, your name, what service pack you have, all kinds of crazy stuff. So as long as you've got something sitting there watching the wire, you can actually get all kinds of crazy information from that payload. So SMBEnum is great, and it's pretty fast. I mean, you can probably enumerate, I don't know, probably several hundred things in a second or a couple of seconds; it's pretty fast. So how it works is it basically does a file://// for the local drive and tries to pick out files. In JavaScript space you're only allowed to pull out certain things like images, CSS, JavaScript. I'm not allowed to pull .exes or .log or anything else that would be very interesting; I just can't do it. But with this information I can actually narrow down what you do have, and then, combining this with res:, now I can actually pull out this very specific granular thing you've got, and not just the big picture of what your drive looks like. So use SMB first, res timing for the granularity, and then you start owning them based off what you actually know. This is pretty accurate, with the exception of once you've uninstalled something; a lot of times in the uninstall process it leaves images in place. But other than that, it is pretty accurate. I talked to the IE guys about it; they know about it. I don't know if there's a patch forthcoming; I think it would be kind of difficult to fix. This is an unauthenticated state, but it doesn't matter because you're local to the drive.

So the other thing that we tried to do, and I actually threw away the code (I built it and then I threw it away; I was so frustrated, I'm like, I hate this), but I was able to do username detection. The problem with actually enumerating usernames, the problem is the key space for usernames is absolutely ginormous, and I have to go through and pull images for every single one of these different things. So let's take one of these for example: if I had Flash, and Flash had an image that was based inside my user directory, I could look for... okay, I know you have Flash, but now I've got to look for your user directory. So you can actually use them in combination to figure out where usernames are on the drive. The problem with that is that it takes a very long time to enumerate; in fact, I never got it to work unless it was only like 20 usernames. So if you know it's one of 20 things, it's pretty fast, but if you know it's one of 20,000 things, the user will be sitting there for a very long time; it might even crash the computer. So all that stuff's great, it's fantastic, except that it all relies on me having a trap. So I have to convince you to do something, or I have to sort of know that you want to come and attack me, and I have to kind of lay this trap out, which is, I mean, that's
fantastic and everything, but it's not all that practical in a lot of cases. Or I'd have to do some of the Jabra stuff and actually automatically own every single one of my users, and then go back and say, okay, who were all those users that I compromised? It's too wide a range; it's like a thermonuclear weapon when I just want to take out one person. So I was thinking about other ways: you kind of go backwards in time and try to do stuff, or have such a passive-looking listening device that you'd be able to grab all this information. So the first thing I was thinking is malware. That's the obvious thing: if you can get malware on people's boxes, it would be great, but again, noisy, and you'd have to do it to everybody, and it's kind of OS-specific, that kind of stuff. Second is stuff like spyware: come on, give me some spyware. I'm talking about like Alexa or something that's phoning home all the time saying where you are, trying to give information out. But that relies on you being Alexa, or having all your users have Alexa, and it's just not that common of a plugin or toolbar or whatever.

So what about Google? What about Safe Browsing? So I went back and I started really thinking about it, and it turns out that there are some things going on under the hood of Safe Browsing. So Safe Browsing is designed to protect you. Let's say you go to a phishing site or a malware site; the browser will pop up alerts and say you're not supposed to go there, you're going to get compromised or whatever. So it's great for consumers; it's actually great for security, except for the fact that it's phoning home all the time. So I left it running for a day and I got somewhere in the neighborhood of, if you average it all out, around 30 requests per hour out to Google, which is quite a bit. It's not like perfect; sometimes it's a little bit more, sometimes it's a little less. It goes in bursts; sometimes it's like 15 at once and then 12 and then 18, so it's not all very consistent. And I talked to the Mozilla guys about that and they said, well, it really shouldn't be phoning home that much; there might have been a bug there, and there could easily be. So that was just my test; feel free to test yourself. But the important part here is that it's phoning home and actually setting a cookie. So we all know cookies can be used for user tracking. This might actually be a unique identifier; it might be a hash, an algorithm that they use to say, when we deliver this encrypted payload you can decrypt it with the key that you just sent us, that kind of thing, so a public/private key sort of thing. But that's irrelevant; I actually don't care what that key consists of. All I care about is that it's unique. You can clear your cookies all the time, and people are pretty good about that. Let's say you wake up in the morning and you're going to go hack somebody. So you log in, you turn on your browser, you go get a cup of coffee; it's phoning home, setting cookies, right? And then you turn on your proxy and you decide you're going to go hack somebody. Well, the nice thing about this is that it actually does follow the proxy. Normally you want to go outside the proxy and you want to try to identify who someone is directly, but in this case it follows the proxy; it's very polite and does exactly what it's supposed to do. The problem with that is, let's say I'm on the other side and I'm China and I want to kill that dissident or whatever. It's great to be able to say, okay, well, I know I'm getting hacked from this proxy; maybe someone else has some information about it, maybe I can go try to break into that proxy. But maybe it's outside the country, maybe there are all other things that get in the way, or maybe they rm -rf on the way out or whatever. But it's been phoning home the whole time, so I can go to Google and I can say, hey Google, can you give me the IP address and all associated IP addresses with this cookie over this timestamp? So this cookie came in at this timestamp; tell me everything else outside of that. And as a result they can actually get everything that's correlated to that, so they can get your home IP address, they can get the Starbucks down the street, they can get whatever, right? It just depends on wherever you've connected from. And it doesn't matter if you clear cookies as you're booting up; you have to do it on the way out as well as when you're shutting down. So you clean your cookies before you start, because you don't want to leak information out that might be going to the client that you want to hack or whatever, so you want to tear down your session after it's over. But now you still set that cookie; it was still phoning home that whole time; it's a new cookie, and now you're using the new cookie when you tear down your session, and you're using it from your own personal IP address. So it really doesn't matter whether you turn it off in one place or the other; you have to do it in both places. To be consistent, you have to always do it, and not that many people clean their cookies that religiously where they're never going to get caught by that. The dangerous part about this is now you're thinking, well, I'm going to go and turn that off. Well, it doesn't matter; this is all backwards in time. This is all in the logs. So if you've ever done anything illegal when you're using Firefox or Chrome for the last probably year and a half or so, actually maybe longer than that, they have the potential of having those logs. So now whether they do have the logs or not is in question. They say that they keep all logs for two weeks, then after that they keep them in aggregate. So there are two ways to keep things in aggregate: you can keep global statistics, like the amount of people who visit the site or something; that's an aggregate. Another aggregate is IP address, cookie and timestamps. That is easily enough information in aggregate to de-anonymize anyone who uses your browser.

So they also say... let's see, they say, in their terms of service, "we have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to satisfy any applicable law" (so any legal entity that comes down and says we want this information theoretically has it), "regulation, legal process or enforceable government request; enforce applicable terms of service, including investigation of potential violations thereof; detect, prevent, or otherwise address fraud, security or technical issues; or protect against harm to the rights, property or safety of Google, its users or the public." So basically they pretty much have carte blanche. Now let's say that they were totally benign and they had no intentions of ever using this for anything bad. It kind of doesn't matter. So let's say the FBI comes down within that first two-week period, and let's say they are getting rid of everything, let's say they're really trying to do a good job. The FBI can still come down and say you need to hold on to this information for an additional, I think it's like 60 days or something. Can anyone fact-check me on that? 60? No one knows that? Wow, it's bad. So I think they can keep it for like 60 days or something after that fact and say, well, I don't have the subpoena or warrant... What's that? 90 days. All right. And then they can force you to hold it indefinitely after that if they do have the subpoena or whatever. And they also say we don't correlate this to your username. Well, again, they don't do that, but that is irrelevant: the government can still force them to do that correlation on their behalf. So it almost just doesn't matter what their intentions are in this; it still can be used. So, I'm sorry, I was sort of in my head thinking you're all going to be very close and could read what's on the screen, but basically this is just the transmission of the cookie back and forth, and the SHA and some of the payloads going back and forth. But this information will be posted online if you want to take a look at it, or just open up a proxy and just watch the information go by; it's pretty simple.

Chrome, however, has an interesting thing. So the hypothesis that they're doing all this totally benign and they're not meaning to track anybody, and that stuff, kind of goes out the window when you're talking about Chrome. Chrome has an additional two pieces that are going across the wire when it does updates. Updates don't happen 30 times an hour; they happen once every five hours, so a significantly smaller amount of time. But they do send two additional pieces of information which I think are pretty interesting: machine ID and user ID. So why do you need to know my user ID to give me an update, right? It doesn't make sense to me. I mean, I can figure, maybe it's plausible that it's important to know what my machine information is, so you can track it and know, hey, maybe we should have more updates for Windows through, you know, server blah blah blah, this very specific variant. But user ID? I think it's a little unusual to pass that information out to the web. That's certainly a huge privacy concern, and it certainly can be tracked back to your user over time, because that information doesn't change.

So with that, I think we should just get to the demos. So this first one is being able to identify all the different websites that the user has been to. All they're doing is they're connecting to BeEF and we just detect all that information. So this is the new version of BeEF, and it's just the visited URLs. As you'll see here, we have the Alexa top 500, and all we need to do is just click send, and then you get the information. Now the new version of BeEF is really awesome because it has this new, improved logging functionality. So the older versions didn't really have this, and now all the information is just right there, and all you get is the information: these are the pages they've been to. You don't get any junk where, you know, they haven't been to this website; you just get the good stuff. So that was using the CSS history hack that you're all probably familiar with: if the color of a link is changed based off of whether you've been there or not, you can detect that in JavaScript space. You don't have to use JavaScript, but BeEF heavily uses JavaScript. So this one is just detecting the plugins within the browser. As you can see, you have tons of information with all their plugins; they have a vulnerable plugin, and all we need to do is just go about actually exploiting it. So you guys can see where we're going with this, right? You're getting information about the client; you're going after them based on that specific piece of information, instead of just dumping a bunch of stuff, which is going to cause a lot of pop-ups. The problem with hacking browsers is there are a lot of warnings through every single one of those steps, so the more you can reduce that, the more likely it is that you're going to get a shell on the box, or compromise their network, or whatever you're trying to do, without causing that user to be aware of that happening. And that's what we're all about; we're all about getting shells. So this is the virtualization detection mechanism. The older version had the detection of VMware, but this actual version detects QEMU, VirtualBox, Amazon EC2. So this demonstration is just Amazon, or, this is actually VMware, and this will be released in the next couple of weeks. This is interesting for a couple of different reasons: a lot of security dudes happen to use some sort of virtualization, so if you don't want to pop your shell inside of a security guy's window, it's kind of nice to know that you're inside of a VM. It could also be interesting to know where geographically they are, or maybe they're using a virtual host but it's a bad one, or maybe the network isn't well secured, so once you're on a virtual box it's essentially shared hosting and you can start attacking the network, all kinds of stuff.

Okay, so the next one is using Browser Autopwn. I couldn't actually get the newest version of Browser Autopwn to work, because I didn't have a VM or a system to actually exploit, so I just used netcat on BackTrack 4. So it's pretty good; all we're going to do is we're just going to inject an iframe and just redirect them to this page. So what we'll see here is just modifying the configuration information. I've already included the RC file, as you guys will see up there, but this is just redirecting them to a netcat session that's just listening. So obviously, if you're going to do browser exploitation, all you would do would be to have your Metasploit system listening and then just send your exploits. So there we can see the client connected; they sent their information in netcat; game over. Now the Java applet. This is really, really cool, and what we would do if we actually had a client on Linux or Mac, we would detect what operating system they're running and then present them with the corresponding VM, or Java applet in this case, to actually exploit their system, just get a shell, do something a little bit different. This particular actual exploitation is downloading an .exe, an MSF payload, and then just running it, and this is self-signed by "the Microsoft Corporation." Obviously for Apple you would just do Apple, and it must be secure. Yeah, must be. So I just called it "update, Microsoft Corporation." Switch over to the Linux box, zoom in, and there's our shell. Did you all catch that? You can compromise people by going to a web page: single click, one click, pretty easy, I get a shell, done. Come on, there's no patch for this; there's no patch for this; this works as by design. Okay, now the SMB
enum stuff thank you alright I can actually see you guys now supposed to picture you naked that's a SMB enum I think I'm good on picturing them yeah I know I know I was gonna say I'm good new so bingo we got we got all the software that's installed in this box so this is a I put this list together in like literally 20 minutes or something so that could be greatly greatly improved it's just a matter of time how much time you really want to spend making it go through and making those SMB requests it's local so it's pretty damn fast you could probably do it up to maybe a thousand or two thousand within just a few seconds but beyond that you probably want to find some other way to enumerate patches accepted yeah come on guys so this demo is actually disabling safe browsing so you know you can send this to your mom or your dad just disable safe browsing okay let's give them a quick how-to and full screens on there we go so this is one way to do it you can also do it through tools security and then click the two buttons but if about config is your is your sweet spot you can also do it there simple enough of course you know the Mozilla guys were in the audience when we did this at Black Hat and they said well we really don't recommend that people turn safe browsing and you know safe you know safe browsing off all right I'm sure you all appreciate bright lights after a hangover all right but anyway yeah we talked to them they're like yeah we we we really appreciate people to keep it on you know it's it's better for their pride better for their security and all that stuff and that's true but it's just a matter of understanding the trade-offs if you happen to be a security guy and don't happen to be vulnerable to a lot of that stuff or happen to know that your target isn't going to try to exploit you back then it probably is a good idea that you turn it off so yeah that's pretty much all the demos I had one more component the client side stuff this is just an example of 
sniffing a client side certificate so as you can see you get like common name and all this information about your organization or whatever and that's just an you know just using wire shark and you know public certificate so this is just a quick example of how to set it up I'll put this stuff on my blog and you know you guys can take a look it's pretty easy all I did was I just used open SSL and created my own certificate and then I just had it listen and correspondingly accept client-side certs pretty easy so more and more banks are starting to use client-side certs not so much the United States but definitely a lot more internationally a few banks here have started doing it as well trading platforms that kind of stuff it's kind of more common like for smaller companies who want to protect themselves without kind of a lot of the hassles of a lot like tokens like actual hardware tokens that kind of stuff so we we actually are going to be in room 106 for Q&A if you guys have any questions but I appreciate you all coming out let's just show them where they can get like the slides and such okay so he's going to put the slides up if you want to write it down otherwise just meet us in room 106 right here all the slides are going to be here thank you very much guys thank you