So how's it going DEF CON? Well Nick and I appreciate coming out and hearing us talk. This talk is called The Dirty South Getting Justified with Technology and we'll be getting into that in just a minute here. But really appreciate coming out and always honored to speak here year after year again. Just a quick introduction. I'm the author of the Social-Engineer Toolkit. I'm also founder of TrustedSec and it's a consulting company and co-author of the Metasploit: The Penetration Tester's Guide book and also I've been presenting at Black Hat and DEF CON for a number of years and one of the co-founders of DerbyCon. So I appreciate again coming up on stage and talking. I am Nick and I can see that the slide has been modified slightly. Thank you Dave. I also work for TrustedSec, senior security consultant with Dave, been awesome, worked with him. Pen tester, breaker of things and yes, I am wearing one right now. DerbyCon co-organizer, head of security there. I'm also a team member of social-engineer.org. We're doing the SECTF down in Palma, come down and visit at some point, not now because you're here besides LV and Delaware Slave and I haven't written a book but I've read some. So the intro to this talk is literally we, you know, if you look at kind of the evolution of security and where we're at today and why we're all here today, it's changed a lot. So what we're going to do is go through the evolution of security and where we're at today and from there we're going to break some stuff and get a whole bunch of shells and do a bunch of other things. So we're going to do some three major demos. I have one big surprise for everybody here which will be, you know, I'm always full of surprises so every time you come to my talk you should expect something new. But Nick and I are basically going through the evolution of security and really where we're at today.
If you look at where we're at today, we continue to get new technology that's trying to strengthen and protect against hackers, right? So, you know, advanced persistent threats and all these other things that we hear out there to try to protect against which is funny, right? But this technology is, you know, becoming more and more complex and introducing more and more complexity and we're spending millions and millions of dollars on this type of stuff to try to protect us and so today we're going to try to break it all. Sound good? All right. So the way that we structured this was an AA meeting. So first we need to realize that we all have a problem, right? So hi, I'm Dave. Hi, I'm Nick. And welcome. We've been sober from technology, from buying technology for about two years now, but believe me, we get tempted every single time and when we see that big, blinky ass box that does some cool stuff that we have no idea what it does behind the scenes, we want to buy and spend a million dollars on it, trust me. So the way that we structured this is really trying to break you down into a reality that what this stuff really does, what it really stops us against and then really start to build us up and really what we need to do to fix all this stuff because I see security either going this way or going this way and you know what? Either way is going to be interesting and fun and exciting, but we need to break you down first to realize where we're kind of at and so if anybody's drinking a beer, please drink one right now for me because it's not really AA, it's first technology. So just a warning, we're going to try to walk through every single technology that we know of that most corporations implement. But before we do that, we're going to get kind of into the history of security and why we're kind of in this vicious cycle of continually investing in different types of technology and then from there we'll start to actually go and attack them all. Sound good? 
All right, awesome. Nick? All right, so basically history of security in brief. So we have technology for about a century, so some type of technology. First question is why? Why do we need security for this? Well, someone breaks something and it's like, oh, okay, I see why we need security. And then they say, oh, here you go. This will fix it. And then it breaks again. Five minutes, five years, whatever, breaks. Oh, wait, my bad. I can fix that. No problem. Rinse, repeat. It's an endless loop of an endless cycle. So I thought there was a really interesting story about this, the inventor, Marconi. In 1903, his so called secure wireless telegraph system was being tested. And it was tested as the most secure communication at the time. So a magician by the name of Nevil Maskelyne decided, you know what? I'm going to prove him wrong. So what he did was he hijacked the presentation and sent his own little message through. And if you know Morse code, that's actually Lulls in Morse code. And he proves this point. Did-da, did-da, did-da. Sorry. Did-da, did-da. So he proves this point that this is not a secure technology. So then we get to the age of an actual programmable computer. This is the Zuse Z3, where you can actually start to store some information on this. But what's, what's really needed to secure that at that point? Well, you got a, next slide. Sorry. You got to lock that crap up. I forgot I had this. Can I have that? Here you go. Sorry. Sorry. You got to lock it up. Easy, easy enough, right? Lots of locks in the doors. But then, I think I can't do anything. Technology's hard. So then it, then it happened. Al Gore came along. He invented the internet. It's amazing. Can we get a round of applause for Al Gore please? Thank you. We are all here today because of him. So, so now we have the tubes. The tubes are here. They're invented. This opens us up for a whole mess of different things.
We've got anywhere from just your standard virus and malware, we have phishing, we have just normal malicious stuff that's out there. So, okay, oh, you need some security. All right, well here's some security. This will protect you. Everything under the sun. AV, you know, everything to protect clients, organizations. Then they start to realize, oh, we need some type of protection on the perimeter. Let's put up a firewall. Let's deny all these ports. Let's only allow what we need through. But something is not working with the state of technology. So Verizon, Verizon, they did this nine year study. Now, over nine, a nine year period, they found that there was around 2,500 data disclosures and 1.1 billion compromised records. So what happens is, there's some confusion. We're putting all this money and all these things to protect ourselves, but 1.1 billion personal records are being breached or being taken. So why? So, you know, we continue to see this, and so a whole new industry is born, an industry where products can solve the problems of people. And so, you know, you look at these different products that are out there and the different things that are happening. There are technologies that are specifically designed and made to social engineer us, basically, and trying to buy it to solve a specific problem. So the first one I'm going to pick on is next generation firewalls. So next generation firewalls are being touted as the way to prevent APTs, which if you go to any of the sites, it's all over there. That's a giggle. You look at all the things they're trying to do. They're trying to consolidate everything into one type of infrastructure. So you have spam filtering and whitelisting and content filtering, all the stuff that's kind of built into this to try to protect the perimeter and move everything more towards the perimeter. And so you're seeing this, and companies are buying this so that they can try to stop against the latest and greatest attacks of today.
All right? So the first demo we're going to do, and it's going to be included in the social engineer toolkit, is we're calling it silent but deadly. Thank you, Valerie. Yeah, there she is. That was her idea. But I'm definitely not silent, but I'm definitely deadly when it comes to that stuff. So as my roommate can tell me. So what this is going to do, I'm just going to show you demonstration using the social engineer toolkit here, okay? And this is a Windows 8 machine, fully patched and like this stuff. We're not going to take advantage of an actual exploit yet. That's right. That's right. By the way, the chicken has no relevancy at all to this talk. We just wanted to put something random in here and then talk about let's pop a box. That's all we need here, right? So I'm going to use the social engineer toolkit. I'm just going to show you an example of what this does. And I'll be releasing the code hopefully today or tomorrow. And basically this is the new version, version 5.3. Now I haven't fully integrated the payload which is why I'll be releasing it later today or tomorrow. But here's what we're going to do first. We're going to clone a website and again we're going to coax somebody into clicking on something via social engineering. Now, oh my God. What's that? No screen. What happened to the screen? Hey, I can see the screen. Can everybody see the screen now? I'm not going to be able to do full screen in this for some reason, but that's cool. We'll deal with it. Hang on, I'm going to minimize this one too. All right, is everybody see this? All right, everybody got that? Can you see my screen? The logo, ah, it's not mirrored. That would be why. So what we're going to discuss today is how to mirror displays on OSX. Look at the chicken, everyone. Nothing to see here. Can you see that? Yeah. Whoa. Thank you for coming. Bye. All right, so we're going to launch the social engineer toolkit. What I'm going to do is I'm going to clone a website really quick, okay? 
Now, this is a new payload that I developed. I don't know if you know this or not, but a lot of the new next-gen firewalls are actually doing behavioral analysis on the network side, which means that they're protocol aware. So they can see protocols that are going back and forth, all that good stuff, and they can flag on things that aren't necessarily protocol specific, okay? So, me, loving my exploits and Meterpreter and everything else, I wanted to figure out a way to develop something that would never, ever, ever in any way, shape or form be detected again, okay? So that's usually what I go for. So, I'm going to grab my IP address really quick to clone it. I'm actually going to change it real quick. All right. There we go. And I'm just going to clone TrustedSec so I don't get in trouble anymore. All right. That's not supposed to happen. We are connected. We're connected. Don't you worry. Don't you worry. Sorry. Stop it. There we go. We're good. That's right. Even hits the best of us, man. All right. So we're going to clone TrustedSec.com. Now, what I'm going to do is import my own payload, all right? And this is the code that's going to be released here. And the code itself is going to be public, but it's basically Python and then it's wrapped in an executable, okay? All right. Importing my own EXE. You see it here? See that? All right. We're ready to go. Now, what I need to do is create a quick listener. Go to DEF CON. Now, what this is going to do is we're going to do a social engineering guide, but this is anything from a post-exploitation standpoint, right? So we're going to hack a company and you're actually going to see that live here in a minute. We're going to hack a company and it's going to come back to us. And what's going to happen is we're going to shoot Meterpreter in memory in an AES 256 encrypted bubble. We're going to wrap that around SSH and then we're going to create a polymorphic tunnel over HTTP. Okay? Sounds pretty cool. RFC compliant HTTP.
So right now it's waiting. We launched the website and this is just the Java Applet attack that's built into SET. So we go ahead and hit run. By the way, please don't report that I have a valid certificate. That's verified to publisher. I forgot about that. So we should see here in a second, we get a response back. Everything went properly. There it goes. Notice encrypted tunnel identified, sending challenge to verify, making sure it's the right session. What it's going to do is it's going to create a SSH tunnel over HTTP for us. It's going to then send the Meterpreter shell via second stage over our local host over to the victim machine and then we have a full shell running through the network over native HTTP. Yeah. It's pop a box. Now notice here we're tunneling over localhost. So it's actually running through our localhost environments over SSH, over HTTP. And then what it does is it actually chunks it up every single time it does any type of GET or POST request. So it's a little slow. But it actually chunks it up different every time and changes the behavior and patterns every single time. So every single packet that you send is going to be completely different over HTTP. All right. Forgot to stop it. Nick? I think I'm up now. Yep, good. Good. So types of next gen. So welcome to the era of Marty McFly. Simply put, we're dealing with static. We saw the same slide, right? Yeah. Okay. Sorry. Static signatures, anomaly detection. So basically, hello, antivirus on a different level. Yeah. And if you look at this, what we started doing an analysis on a lot of the next gen firewalls is their behavioral analysis really dealt with a lot of signature-based detection with some minor modifications or changes based on what type of payload. Like, for example, you know, a lot of the next gen firewalls will flag on a second stage Meterpreter.
But if you change that and modify it in any way shape or form, just a little tiny bit allows you to get around and still exfiltrate out over those protocols, whether it's HTTP or anything else. So basically it's just static-based signature again. And we're basically going back to the mid-80s, early 90s, just on the network behavioral side of the house, okay? One of the next gen firewall claims is stop APT. It's obviously ridiculous. Move to the perimeter. So to me, this is kind of crazy. All right. So security, we started like really doing a little bit of a decent job when we started having firewalls, DMZs, network segmentation, things like that. And we actually had layers of defense, right? Instead we're like moving to the cloud and mobile devices and laptops and just everything is completely decentralized and no longer at the perimeter. So it's all the way out and out and about. And so that actually creates a pretty large exposure for us and something that these things aren't going to come close to touching. Now next demo. Oh, that's awesome. All right, all right, all right. Yes. Thank you, sir. Thank you, sir. We ran through a customer recently where they were basically, I don't know how you manage this, but basically they were doing whitelisting of only websites that they actually legitimately allowed. And so a lot of them still use social media and allow exceptions. But regardless, this is just anything that you can use that allows you to put information to something that's whitelisted. Now what we're going to be releasing is a new tool that allows a framework for that. That allows you to just basically insert a website that may be whitelisted that's public, that's used all the time. And then you can use it as an intermediary for encrypted protocol traffic over HTTP as a thing in the middle. So what we're going to do here is just to show you an example. That's not an example. We're going to run this listener.
Now what's going to happen is I'm going to launch a payload on my Windows machine. Windows machine is going to connect out to Facebook with things that I've already predefined. I'm going to direct intermediary over HTTP encrypted traffic to allow us to do more of a command and control all through Facebook. Again, it's not just a Facebook issue. It's just anything that you have any type of public access to. So it's going to inject into there. We get our shell. Now it's really quick. It's fast because we're continuously monitoring any major modifications based off of the notification system, which is nice. Now as soon as I type in something like ipconfig, it takes a second because I have to post it, then read it back in, execute the command, post it back up with the data. So it's a little bit of a lag. It usually takes about four seconds, but I gave it eight just in case, especially for demo purposes. And then we're able to use Facebook as essentially a man in the middle to communicate. And it can be any website. Any website that you have the ability to put any type of information on. And that's the new one we're releasing for a framework. All right. So the next one is my favorite. This is the best demo. This is kind of the pinnacle, okay? So we're going to go through a bunch of different technologies, everything that we use for corporations, and then from there we're going to kind of expand on it and see what we can actually do, okay? So behavior analysis. The best, let's say, we can liken this to the FBI and their behavioral analysis unit. They base their profiles on behavior, and that's exactly what behavior analysis does. But the problem is people can change their behavior. And so can the attacks, the malware, everything that the attacks actually base on can be changed. So we estimate about 30 seconds for this to be bypassed. And we're going to demo how that's going to be done. Application whitelisting.
Really a pain in the butt for managers, especially in large corporations, but a lot of companies are moving towards that because you get to more of a trusted model where you only allow whitelisted applications. That's all fine and dandy, but all the whitelisted applications we use as an exploit playing field. So it doesn't really do much good. So we're going to use that as well, okay? And I actually really don't need a slide on that, but I just kind of put it in there. Filler. Just like do anything, and it's good. So here we go. Monitoring and detection could be a good concept, right, because you want to detect these attacks. Most companies outsource them to MSSPs, right, who have no idea what their network is, anything about their data, and they're looking for port scans. Sounds good. That's our monitoring and detection. Content filtering works awesome. No, it does not. It does not work at all because why? We can change the content. Exactly. That's all I got to say about that. So is everybody ready for one of the most epic demos ever? This is one of the most epic demos ever. You don't hear that a lot in talks. Bring out your chicken. All right. So what we're going to do here, and this could go horribly wrong or go horribly right, okay? I've actually got a customer who said that he would let a social engineer or somebody on stage real time. And I can't think of anybody else better to do it than one of my good friends Kevin Mitnick up here. So what I'm going to do first is I'm going to give Sam a call just to make sure that he's still good and hasn't chickened out yet. So we give Sam a call. Make sure he's all good with it. And then as soon as we're good with it, we've actually got five numbers. So this could go horribly wrong where we are. So either way, we'll figure it out. So hopefully you don't see this right now, so that's fine. Let's see what you're seeing on the screen right now. Just blank. Okay, cool. I don't want to give the phone numbers out.
Because you guys are crazy sons of bitches. Not going to lie. So just one second here to set this up. All right, you ready? All right, mirror display. Yes, I have live shell windows up. So can we see the screen with the shells up? Yep, good. All right, let's do this. That sounded like it hurt. See, Paul, that's how you roll a T-shirt. You got to put a rock inside of it. The Browns are recruiting. We still have them. Hey, Sam, it's Dave. Kenny, how you doing? Good, good. Hey, I just wanted to verify that we're still good to do our little thing that we agreed upon. You're actually talking in front of everybody at that. That's perfect. All right, listen, we're going to try to keep the company amount as much as possible. I'm going to expect the audience to be very tame and not start tweeting about the company. In fact, if they accidentally say their name on the phone or something like that, is that okay? Is that good with everybody? Yes, that's perfect. Just a couple questions real quick. And again, we're not going to use any of this for our attack. We just want to see what type of technologies you have in place, okay? All right, are you using any type of whitelisting technology? Yes, we are. Do you do egress filtering? Yes. All right, and then as far as anything else, do you have any type of like virtualization, sandboxing technology at your SMTP gateways? Absolutely, we do. All right, thanks, Sam. I'll give you a call back after this is done. All right, I'll let you know how it goes. Okay, I'll report it. Get the hell away. We got three more to go, so bear with this, all right? That's right, we're going to try and through until we get it. What are we paying you for? Yes, may I speak to James, please? Hello? Hello? Yeah, James. Hello, James. James, can you hear me? Oh, great, great. This is Tom Baudet over with the HR department specifically benefits. How's it going today? Hello? Okay, I'm sorry. I'm having issues with my phone. Is this James? Oh, great, great, great. 
This is Tom Baudet. I'm over with HR. I work specifically in benefits. And we sent you over a form about a week ago on our benefits privacy form. Did you actually receive it? I don't understand. You don't? Well, unfortunately, I'm calling several people. You're the eighth person I'm talking to today. We must have had an issue getting them out. And we have to send you this form because legal is requiring that you accept a new policy. It's part of a legal requirement to continue receiving benefits. So it's kind of important and we need to get this done today. It's Friday. And do you have a moment? Do you have a fax machine? Or do you have a computer handy? Or better yet, are you new to your PC? I'm at my computer. Do you have a moment? Okay, okay, great. If you could open up a browser. Do you use Internet Explorer or Firefox? Yeah, we have Internet Explorer. Okay, if you could go ahead and open it up for me. And what we're going to do is I'm just going to have you accept a new policy over your computer so you don't have to go ahead and fax it to us. It makes it easier and quick so you don't have to fill out a form. Okay, tell me when you're ready. Okay, if you can go to www.health h-e-a-l-t-h health benefits. And this is all one word. No spaces. portal.com www.health benefits.portal.com And tell me when you get there. Correct. And you should, when you get there, you should like see a pop-up. When the site loads, you should see a pop-up come up. Repeat that. Yeah, click okay, that's right. Okay, now go ahead. Well, since you clicked okay on the pop-up, we went ahead and just automatically accepted the policy. So if you receive that, if you find that email or you find that in spam that we sent you earlier, just go ahead and ignore it because everything is fine. No, okay. Well, unfortunately, I have to call six more people that didn't fill out the form either, so it's kind of my Friday work. All right. Well, have a great weekend and talk to you soon. All right. 
All right, take care. Bye-bye. Oh, snap. Oh, my nerves are like, holy shit. Yeah. Can we just stop there? Yeah. Well, so you might be wondering why I got multiple shells. Now, the way that this attack works is I love that Windows is end-of-lifing XP. Like, that is the best thing that could have ever happened to us since like ever. So what we can do with PowerShell is Matt Graeber came out with an awesome attack a while back that allows you to basically inject shellcode straight into memory, all right, through PowerShell natively. Now, I did a talk a couple years back with an individual named Josh Kelley and myself, where he presented how to basically take your malicious code, cast it to Unicode, base64 encode it, and then you can get around and execute it. And then, you know, base64 encoded, and then you can get around execution restriction policies. So we don't have to worry about execution restriction policies. That's still the same case. So in Windows 7, Windows 8, et cetera, et cetera, we have the ability to directly access memory without ever touching disk on a whitelisted process. Sounds pretty awesome, right? So I recently released what's called a native x86 downgrade attack through PowerShell, which allows you to natively, so if you're on a 64-bit platform or an x86 platform, it doesn't matter. It's an x86 process to allow you to inject native 32-bit shellcode into memory to actually execute. So basically, we have full execution on all systems through PowerShell no matter what. And as you saw here, again, we were able to basically circumvent a lot of the different types of technologies out there. And this one was special custom shellcode that basically encrypts the first stage, puts it back, and then you use the shikata ga nai stage encoding and it works out well. By the way, it's all default in SET right now. So you can use this right now in SET.
So the truth is, since hacking is a people problem, it's people coming up with new ways to get into organizations. It's people that are sitting there attacking our infrastructure. It's people that are continuously trying to attack us. It cannot be solved solely by the use of technology. That's not going to fix the security issue. Technology itself isn't going to fix it. And so defense in depth, air quotes, taken way out of context. It doesn't mean using multiple technology layers. It means using multiple layers in general. This is why these things do not work. They're not implemented correctly. Why? The main reason why we have the problems today is we're lazy. Anybody agree with that? Yeah. We are lazy bastards, seriously. I mean we expect that we don't have enough staffing, we don't have enough funding, we don't have enough of this. What we're going to do is buy a piece of technology. We're going to implement it. We don't have enough people and resources to support any of the other technology that we have. So those go to waste. Then we focus our six months to a year road map cycle of implementing this into our company while the rest of it goes to crap. And then we implement something else and then we continue to do something else again. So this is a 12-step program of actually fixing security. And it's not going to cost you a penny. I'm a big advocate of being able to do things that don't cost you a ton of money that you really can fix. So the first thing is get your hands dirty. We actually have to talk to people and trust me I know. We actually have to talk to people and interact with them and figure out our business and how they actually make money and how we actually have assets and how we protect those assets. That requires us to actually do some work ahead of time. Step two, and I was building TET in the 80s or 90s. I might screw that up. Early 90s. Thank you, sir. Thank you. Thank you. So we're good with that.
So getting back to the 90s, I remember sitting there and hearing, hey, here's how you build a firewall. Here's how you do egress filtering. Here's how you do network segmentation. Like all those core critical concepts that we don't do today on our flat networks and our flat infrastructure and the rest of them. So isolating people to the only access that they need. Data that they need. Systems that they need. Segmenting accounting and finance and everybody else away from each other so that they only have access to the certain systems. Those are concepts that we built in the 90s. I know. Again, revolutionary. I'm a heritage talk here. I'm serious. And this works. A recent engagement, really small. What we just did would not work. They didn't have anything revolutionary. They were just using exactly what Dave said. We did not perform this. We had a custom executable that we actually had used the week before at a large organization. I think the phish, it was about a thousand shells or something like that. It was when it just kept popping up. It was really cool to watch. It's completely true in the real world. Now, education awareness. Interesting concept. I got to know new revolutionary. We haven't been talking about this a lot. Education awareness, really trying to touch Bruce Schneier. Never mind. Anyways, so education awareness is a concept to really focus on people. Making sure that they understand key concepts. We all know that. Making security a friend. You know, people want hugs. There's no question about it. Except for Andrew from Maltego. He only gives me one on his birthday every year, but other than that, he wants hugs. But making friends with security. He's not an inhibitor of the business versus something else. Step five is my favorite. The one year challenge. Don't buy a damn thing for an entire year. Not a whole thing. Not one thing for a year.
Stay away from something and focus on what you already have and start focusing on that defensive strategy around security. At the end of the day, that's what's going to make it or break it for your company. This is my thing in security right here. If it introduces complexity, it doesn't work. If it's simple for you to understand, then you should put it in your environment. Something that's going to take you four years to implement. Dude, really? Seriously? That's where we're at right now? You need to focus on the basics. Getting back to the easy things. That's ultimately what's going to stop us. Penetration testing. I'm a little bit biased here. Understanding where your risks and identifying your risks and simulating that and getting this to step nine. Eight, okay. Take a one-week hiatus. Go get your chi, grab a beer, sit for a week and actually think about what you're actually going to do and how you're going to do it. Because we come into this thing where we're firefighting every single day. So we don't do anything. We sit there and we firefight and firefight and firefight. Just take a week back, crack open a beer. I know this isn't any meaning, but it's okay. Crack open a beer and you'll be fine. It's one of the most fantastic books and you apply it to security and it actually really works. It's the guy from 37 Signals that wrote it. It was actually amazing. Step ten, I already talked about this a little bit, but removing complexity from your mind and going back to the basics. Step eleven, actually just do it. Don't like pontificate and talk about doing it. Actually go and do it. Change it. And lastly, just rinse and repeat. Do the same thing over and over again. You'll be fine. Thank you for your talk. I appreciate it. Thank you very much.