Thanks everyone for coming out. Welcome to Earth versus the Giant Spider: Amazingly True Stories of Real Penetration Tests. My name is Rob Havelt and I'm the director of penetration testing for Trustwave SpiderLabs. Over to my right, left, my other right, is my Brazilian friend Wendel. Wendel, you want to introduce yourself?

I work on the Trustwave SpiderLabs penetration team, for almost three years I guess. I have over nine years in the security industry. I have found some vulnerabilities in different sets of products: web application firewalls, cameras, remote application systems and probably a lot of others. I have presented at Black Hat, DEF CON, OWASP and some other big conferences. We are in the process of getting a patent-pending technology for a penetration test project with ED and a few other things. That's me.

And like I said, I'm the director of penetration testing at Trustwave SpiderLabs. I've been around the security industry kind of forever. I've worked from starting up an ISP to doing TSCM to just about every possible job in system administration and information security. I've spoken at a lot of venues, and this is a great opportunity for us to speak to you guys at probably one of the best security conferences ever, DEF CON, greatest crowd.

So what's this all about? Basically we put together a collection of the weirdest, freakiest and most unlikely hacks that we've ever found. And we'll walk you through these weird, freaky, unusual, just out-of-the-ordinary things. We'll let you meet the victims of these odd hacks, because some of these actually have serious implications. And we'll kind of walk you through a few of these things and kind of wrap it up after that.
So basically we've been in a unique opportunity to see some very real, interesting, uncommon and very non-trivial things that can't really be found either using traditional attacking methods, like vulnerability exploits, or straight-on technological methods, or even ways that make sense and follow the seeming laws of physics. And we've done this because, you know, we have a huge team that does more than 2,300 penetration tests in a year. But only the coolest and freakiest stuff was selected to present to you guys. So by the end of this presentation, we hope to have you thinking about the systems and applications that organizations use every day, and how even the most basic things, security tools, security systems, coffee machines, and things like that, might be used against them. So, on with Earth versus the Giant Spider. Do you want to talk about this one?

This case is a big network restaurant franchise around the world that sells food over the internet. They have some good maturity of security. So for example, in the application we couldn't find any cross-site scripting, SQL injection, or things like that. The application was basically created in Java and Flash. And no common parameter manipulation was working, for example including negative values on products and things like that. However, during the transaction, we detected that the checkout was redirected to a third-party gateway. And this gateway, when it gets this information, proceeds and sends the information over a secure channel directly to this company. And they just got a response like approved or not approved. So what we did is manipulate these requests to change the final value of the transaction itself on the gateway, since it was redirected over JavaScript from our browser by the main application. Consequently, the final price that appeared on the website and all the stuff was the real price of the products.
But when we concluded the transaction, we could put any kind of price that we would like, and it just got accepted or not. In this way, you could get almost any kind of food for any value. Yes, sure. Okay. Do you have them? No, I don't have them. Okay. Never mind. Okay. So, in summing up, you're talking now. Okay. Talk to them, not me. Yeah. Well, basically, as a result of this penetration test, we could get a good amount of food delivered to our home for almost 50 cents at the end of the engagement.

One of the cool things was we actually did engage a delivery driver that came out with bags of food and everything like that, and took a bunch of pictures. And it was all kinds of fun. But it's just a weird thing, you know, and kind of a bad thing to do, to let somebody manipulate things and just kind of trust that everything's happening behind the scenes the way it should be. So, moving on.

Okay. So, this one we called the "one PBX to rule them all" kind of hack. This was a large financial institution that had a lot of different technologies in place, some new technologies, but some ancient technologies. In the course of testing this institution, one of the things that you normally want to do is kind of dial the space. Sometimes you do it just to voicemail surf and see who's out, who's in, who's doing what, what people's names are, and things like that. A side benefit of just calling random numbers and listening is sometimes you run into something where you get a modem tone. Well, in doing this, I called a number, got a modem tone and just a weird series of characters and a login prompt. So that was kind of generic, but dissecting the series of characters and what we got back from the modem over several calls, we figured out that it was an old Siemens ROLM PBX. Well, in this case, that's great.
You know, you get a PBX manual. It turns out that they changed the administrator password. They changed the user password, the operator password on it, but there was one account that actually had better credentials than administrator. It was the field tech account, and they didn't change that password. When you get into the field tech account, it actually lets you go into any user account that you want. So I went into the ROLM PBX as administrator and just kind of browsed that. Having done some voicemail surfing previously, I knew the extension for the help desk. So one of the features is to clone a voicemail box. So one of the things we did is created a new extension, cloned the voicemail box for the corporate tech support, and at the end of the day we kind of listened to the various messages. Well, it turns out that there was some dude that was traveling on the road and called in frantically to tech support after hours, when they weren't picking up, asking about a VPN problem. It just so happens that in a previous life I was a certified Check Point instructor and I happened to know a lot about Check Point. In a previous life I actually sat on help desks and did Check Point managed services, and the problem he was describing, I knew exactly what it was right away. It was a stupid settings problem. So I actually just called the guy back. I called the guy back and I walked him through his problem. First I asked him for his username, then I asked him for his password, you know, so that I could check and verify his account. And then I fixed his machine. Afterwards, he logged in and he logged out, and bingo, he logged in as himself. Free credentials.
The funny part about that was, in the wrap-up of testing, we found out that this guy actually sent an email to the head of tech support praising them for the wonderful tech support he got and the quick responsiveness of the tech. So that one was kind of awesome and freaky and weird, and sometimes you just kind of have to think outside the box. But something stupid like not realizing that, hey, the field tech has their own super account on this piece of antiquated technology can have kind of severe implications.

Well, this penetration test in reality happened at least three times, similar issues like this one. Well, we were doing an internal penetration test, and during the internal penetration test the network segment was very limited. We had very few things to test, like one OpenSSH server, very well updated; one Samba server that was almost without shares, no folders, nothing; and a Windows box, or a few Windows boxes, that just blocked everything, even ping, like echo request and echo response. Also, VLAN bypass attacks or VLAN hopping were not possible on this specific customer, and neither on the other two or three where we used a similar attack during the last year. However, ARP spoofing, which everybody knows and is very common, was present. It was possible to execute, but it gave no juice. We couldn't get any credentials or anything special. However, during the previous external penetration test, we figured out that this customer had an external site in a data center that had an SSL VPN, and this external SSL VPN used a self-signed certificate, and they used this a lot, but we couldn't compromise it during the external. So during the internal, we saw some traffic over the SSL port and we did an HTTPS man-in-the-middle, since it was a self-signed certificate. Probably the users did not figure out the difference.
When we dumped the contents, we saw connections to this external SSL VPN server with a self-signed certificate. So we just got the cookies and cloned them in our box with Burp Suite, and accessed again the same external data center server, and as a result we got a successful login on the whole VPN over SSL, getting access to file servers, applications and a lot of stuff that was not accessible before, including credit card data and a lot of interesting stuff. So it's a very interesting demonstration of how sometimes a vulnerability that you couldn't exploit from the external side, and that is not easily detected by automated tools, can be exploited, for example, from the inside network. It's kind of interesting because we could reproduce the same kind of vulnerability at at least three different customers during the last year. So this kind of vulnerability is the kind of vulnerability we would like to show you. They are kind of different and not easy to find with automated tools and stuff like that.

And that's always interesting, because you're taking an external... organizations tend to think the perimeter is the perimeter and the inside is the inside, and we need to secure the perimeter, and the things that we do to secure the perimeter, that's out there, and that's basically our wall against the big bad internet, and inside we need to do different things. But like Wendel said, a malicious attacker or a malicious insider could use external systems just as easily against internal resources. There was another instance of something akin to that where we were taking a look at a phone directory from the inside of a network, and we were just able to basically get names of people. However, on the outside there was actually an HR system with a vulnerability, but you had to have people's names and their HR code.
Well, when used with the phone directory inside, which had the HR code, the vulnerable app from the outside gave enough information to go through and actually get HR data for every single user at that company, including the CEO's payroll information. So those are always interesting. And it's interesting because somehow it was internal, then you have to compromise external to come back to internal.

This one makes no sense and we're still trying to figure out how this even worked. But we were taking a look at a card processor for actually an entire country, that processed most of the MasterCard and Visa transactions. And they had a transaction switch that they couldn't touch, that was from the card brands, and there was kind of a war of "we suspect that's not secure." "No, it's not." "Yes, it is." "No, it's not." "Yes, it is," kind of thing. And it was very much they said this, they said that, going back and forth. The best they could do is build a wall around it. So because of their idea that it wasn't very secure, they put some very restricted firewall policies in place. They were using some weird old technology that, as it turns out, was very misconfigured. Nothing would get through to the transaction switch. It was kind of locked down, and you could only reach it from a couple of stations inside that were the major databases. Yeah, absolutely. That's exactly what I was getting at. Yeah, right. And so what he's saying is, that's exactly what we found out: so they spent all this time building this firewall around it on this legacy equipment. And basically traffic sourced from port zero, being a wildcard on the legacy stack, actually kind of sailed right through. So it turned out that the people that said "no, it's not secure" were actually right, because sourcing traffic from port zero we found a Webmin interface on this transaction switch with an admin/admin user/pass pair. That's awesome.
That's always the thing that you want running every financial transaction for your country. And because of that, with the Webmin interface they were able to get in at an OS level and basically see processing for basically the whole country.

This one's really funny. All right. So there was an external pen test, just an outside-in kind of thing. Very few services. A couple of applications. There was an administrative web interface. And it was some cheesy thing we thought might be vulnerable, but we were able to get some of the code to leak and things like that, enough so that you could Google it and search for it. So it turned out that that led us to looking at comments and metadata in there. We actually found a newsgroup where the administrator actually posted huge snippets of the source code for it, as well as all of his information. He was very, very chatty on the newsgroups. Unfortunately that didn't get us much. So looking through the snippets, you think, bingo, I have source code here, surely I can get something from that. It didn't end up getting much. However, we ended up looking up the guy by name and we found his Facebook page and nicknames and a bunch of stuff about him, which led us to a forum called Caucasian Asian Love. And it was a forum for Caucasian men to find Asian women to love. So this guy had a full profile on there. Apparently he was really, really into it and really, really active on Caucasian Asian Love. So anyway, we ended up building a word list from his dating profile. And his password was a variant of "love machine", with the common "u" spelling of love. Which is actually rather awesome. So we ended up getting into the administrative interface, which actually yielded a lot.
So, well, it was another external penetration test where we couldn't find any trivial vulnerability. Basically no kind of web vulnerability, no vulnerable services, no weak accounts, no things like that. It was a huge network. And we found that on this huge network they had almost 20 high-definition IP cameras, and also a specific port that was unrecognized by Nmap, that probably was the application to centralize all these IP cameras into a single service. Well, for these IP cameras we looked around the vulnerability databases, and we couldn't find any well-known vulnerability. So we just looked for a copy of these IP cameras, and in a lab we tested them. And we found a few vulnerabilities, like an authentication bypass that allowed us to dump the whole password file from the Linux-based system inside the IP camera, and a lot of stuff; we cracked the local root password and stuff. In the end we created a modified firmware, and we uploaded it over this interface, and we created a web shell from this. From this web shell on the web camera, which was connected on the inside network, and consequently from these web cameras, we could look at, for example, internal employees working, with zoom up to 10 times, get screenshots, IPs of systems, usernames, and obviously from the web shell we created on the modified firmware we could access the whole internal network that was accessible from this IP camera network, which was on the management administrative segment. It is interesting because it resulted in an advisory. So we used the video cameras; that's a security service.

The great thing about that one is, once you're into these video cameras... and by them having the good video cameras instead of the crappy, grainy black-and-white ones, it really helped a lot, because you had an optical zoom of 10 times. And some of these were trained on machines and keyboards and things like that.
So it ended up becoming a password bonanza, as you just sat there remotely in a different country watching a user sit down at a station and type in their password. And I'm like, okay, so that username has this password. And throughout the day you end up collecting a bunch of stuff. And once you have credentials, the stuff on that hardened exterior, with the various servers that you can't do much with, isn't really so hardened anymore. A lot of password reuse is problematic and all-pervasive, so it tends to lead to compromise that way.

All right. So after this one, we have a video to show you of exactly how this all works. But I'll let Wendel describe it first. Do you want to come here, and then I'll hand you this? Sure. All right. Go for it.

Well, personally, I really like database security. And on internal network penetration tests we commonly find a lot of databases, like SQL Server, Oracle, DB2, MySQL and a lot else. Well, sometimes we can compromise them with different techniques: overflows, weak accounts, problems like badly configured TNS services, et cetera, in Oracle. However, sometimes we can do ARP spoofing but get no new connections, no people reconnecting. They have strong passwords, so we can't get the credentials during the span of the engagement. And that's a frustrating thing. You're in the middle and you're seeing all this stuff and you wish you could do something with it. And it's like, well, I have all these sessions going, why can't I just grab one? So that's what Wendel and Steve did. They wrote a tool to basically say, all right, this is an already authenticated session, let's just go ahead and grab one. Yeah, exactly. Also, big thanks to Steve for working on this with us. He did a great job. And Thicknet also supports SQL Server.
So the main idea is, if you have the sessions running for Oracle or even SQL Server, why force them to disconnect and get credentials or whatever, if you can just take this connection and send your own commands and do whatever we want. So, as you know, we can't show screenshots of the penetration tests we are talking about, because they are customers. And it's not a good thing, but we created an in-house video just to demonstrate how it works. We used it recently a lot in different internal penetration tests with a good level of success. And the tool also is free and available on the internet for whoever is interested.

Okay, so we start off with this tool called VAMP that actually does the ARP spoofing. It's a Perl script that does some reverse ARP spoofing. With VAMP, then you run this tool called Thicknet. And now we are just showing a normal connection to an Oracle database from a supposed client; this virtual machine is like a client that you want to access. It's first showing that we can't log in with the credential. Then the database, as you can see on the first line, is logged in with the user Steve, that's a valid user. So Steve is executing a very simple query like select one, two, three from dual or whatever. Now back to Thicknet. If you use the ls command, we can see the active sessions, and the one marked with the letter I means that it's injectable. It was detected as injectable by Thicknet. So the next thing you do is you actually go ahead and use Thicknet to steal the session. It's a really easy thing. And basically what you end up with is taking that session over. The normal user just reconnects. In most cases they don't know that anything really happened. It's just kind of a blip. And a lot of database clients have connection pools. Anyway, they just start a new connection. You take their old one and basically end up with a shell interface to the Oracle database. Yeah.
At this point we could, for example, send any commands. As you see, we've stolen the connection. So, just to demonstrate, we are sending this SQL query that will be creating an account that, at the beginning of the video, was not an account that existed on the database. As you can see, you get at the end the ORA-01003. This means that the command was sent and was partially successful. Now we are just stopping the ARP poisoning, and VAMP makes sure that we are not breaking the ARP tables. And now we are trying to log in again with the same account, just to make sure it really works. We used VAMP to intercept and inject into a live connection and to create a new account on the Oracle database. Now, as you can see, we can log in with the account that previously didn't exist on the database. And now we can do any query with the privileges of this account. As you see, we're just doing a select query. Yeah, just to demonstrate that it's possible to execute any query. Obviously, in this case, the session that was stolen was an administrative account, so we could create an account, but you always get the privileges of that account. For example, recently, at our team meeting, we got another guy from the network penetration testing team, and it's very nice: last week they stole a Microsoft SQL Server session with this tool, and they could use xp_cmdshell to execute commands just from a nice stolen session. Also, we have other nice things in Thicknet, like stealing credentials, and Oracle has some very specific stuff from Windows clients that leaks Windows authentication. So I suggest everybody that is interested check out Thicknet. It's very interesting. Is that it? Sure. Okay, great. We are at the end. Thanks. All right. Great. Whoa. Things are going insane here. Okay. So technology is against me. Okay.
So it's time to talk about some of the victims of these attacks, because they all have very serious implications. They make for kind of fun stories, and sometimes you get a chuckle out of them. But none of these attacks really led to anything trivial. The reason why they're included here is that all of these attacks led to ginormous compromises of huge amounts of data. In some cases, CHD numbering in the millions, PII numbering in the millions, and huge, huge, huge amounts of data. So the organizations that we're talking about here are multinational banks, a global restaurant franchise, major retail chains, a credit card processor for an entire nation. And the types of data stolen that we're talking about here are every Visa and MasterCard transaction processed in an entire country; hundreds of millions of PAN and track data records; HR data. In one case, it led to accessing the DHS terrorist watch list that financial institutions are supposed to check against. And obviously billions of dollars in transactions.

So just in conclusion to this, before I say something about stuff you didn't see: this talk was focused on those complex or uncommon hacks found in real environments. Some are in very high-end and important systems. And some are unlikely but true. And this is a bizarre world where you have old, ancient anomalies affecting newer systems, security systems that are used to hack organizations, new techniques developed on the fly, and things like that. So we're happy to be here. Hopefully you enjoyed these stories.

So I think one of the things that we were going to do with this is, we spent two weeks setting up this whole hacking challenge that we were going to run during the talk.
And so we checked on it when we got here, we checked on it last night, checked on it this morning, and three machines that we had wouldn't boot. And that's just awesome. So the winner was supposed to get a prize. And we still have the prize. We have a few prizes. But I know a lot of you out there have bizarre and weird stories of your own. So we're going to change it. Anybody that comes up with just a truly weird, fucked-up story will get the prize of a Duke Nukem Forever PC version game. Anybody want to take a shot? Come on up. Well, yeah, we're showing you that we have the game today, but you won't actually get it for another 12 years. Have a seat. What's your name? Tim. Tim, what's your weird, fucked-up story?

Well, we were doing a pen test one time and we were war dialing all their phone lines. And like you, we found a system that was returning odd characters. And basically we were able to determine that this was an HVAC control system. And so we did some research and found that there was a default technician login. Got into the HVAC control system. And then we shut down the exhaust fan in their server room. So then we just sent somebody out dressed up as an HVAC technician, and we were able to get right into the data center.

What do you guys think? Did he get the prize? Thank you. Sure. Wait. Wait, no, no, no, wait. Does anybody else... I saw a couple of people that were kind of coming towards this. Anybody else want to try for the runner-up prize? Anyone? All right, well, in that case, I'll drink the cachaça myself. Thanks everyone. Hope you enjoyed it. And thanks for coming out.
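Editor's added example, not part of the talk: a toy model of the restaurant-franchise checkout flaw described at the start of the talk. The merchant site builds the amount into a browser-side redirect to a third-party gateway, the gateway charges whatever amount it is handed, and the merchant fulfils the order as soon as the gateway says "approved". Because the amount passes through the attacker's browser, it can be rewritten. The hardened version keeps the total server-side, binds order ID and amount to the gateway request with an HMAC, and refuses to fulfil unless the gateway-signed charged amount equals the stored total. The shared secret, item prices, order IDs and the gateway behaviour are constructed for the demo; nothing here is the franchise's or the gateway's code.

```python
"""Vulnerable vs. hardened checkout-to-gateway handoff (constructed demo)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed shared secret between merchant and gateway (constructed for the demo).
SHARED_SECRET = b"demo-merchant-gateway-secret"


@dataclass
class Order:
    order_id: str
    total_cents: int
    fulfilled: bool = False


ORDERS: dict = {}          # server-side order store (in-memory for the demo)


def create_order(items):
    """items: list of (name, unit_price_cents, quantity).
    The total is computed server-side; non-positive values are rejected, which
    is the "no negative values" check the talk says the site already had."""
    total = 0
    for _name, unit_cents, qty in items:
        if unit_cents <= 0 or qty <= 0:
            raise ValueError("invalid line item")
        total += unit_cents * qty
    order_id = secrets.token_hex(8)
    ORDERS[order_id] = Order(order_id, total)
    return order_id


def _sign(*fields):
    """HMAC-SHA256 over colon-joined fields, hex encoded."""
    msg = ":".join(str(f) for f in fields).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


# ---- vulnerable flow: amount travels unprotected through the browser ------
def redirect_vulnerable(order_id):
    """Parameters the merchant page puts into the JavaScript redirect."""
    return {"order_id": order_id, "amount_cents": ORDERS[order_id].total_cents}


def gateway_charge(params):
    """Gateway charges whatever amount it is told and reports the result."""
    return {"order_id": params["order_id"],
            "amount_cents": params["amount_cents"], "status": "approved"}


def callback_vulnerable(resp):
    """Merchant trusts only the approved/declined flag."""
    order = ORDERS[resp["order_id"]]
    if resp["status"] == "approved":
        order.fulfilled = True
    return order.fulfilled


# ---- hardened flow: amount bound to the order, re-checked on return ------
def redirect_hardened(order_id):
    amount = ORDERS[order_id].total_cents
    return {"order_id": order_id, "amount_cents": amount,
            "sig": _sign(order_id, amount)}


def gateway_charge_hardened(params):
    """Gateway declines a request whose amount does not match the merchant
    signature, and signs its own answer so the callback cannot be forged."""
    expected = _sign(params["order_id"], params["amount_cents"])
    status = "approved" if hmac.compare_digest(expected, params.get("sig", "")) else "declined"
    resp = {"order_id": params["order_id"],
            "amount_cents": params["amount_cents"], "status": status}
    resp["gw_sig"] = _sign(resp["order_id"], resp["amount_cents"], status)
    return resp


def callback_hardened(resp):
    """Fulfil only if the response is gateway-signed, approved, and the
    charged amount equals the server-side total."""
    order = ORDERS.get(resp.get("order_id"))
    if order is None:
        return False
    expected = _sign(resp["order_id"], resp["amount_cents"], resp["status"])
    if not hmac.compare_digest(expected, resp.get("gw_sig", "")):
        return False                     # not from the gateway
    if resp["status"] != "approved" or resp["amount_cents"] != order.total_cents:
        return False                     # wrong amount or declined
    order.fulfilled = True
    return True


def run_scenarios():
    """Attacker rewrites the amount in the redirect to 50 cents."""
    items = [("large pizza", 1899, 2), ("soda", 299, 4)]   # constructed cart
    results = {}
    oid = create_order(items)
    params = redirect_vulnerable(oid)
    params["amount_cents"] = 50                         # tampered in the browser
    results["vulnerable_fulfilled"] = callback_vulnerable(gateway_charge(params))

    oid2 = create_order(items)
    params = redirect_hardened(oid2)
    params["amount_cents"] = 50                         # same tampering
    results["hardened_tampered"] = callback_hardened(gateway_charge_hardened(params))
    forged = {"order_id": oid2, "amount_cents": ORDERS[oid2].total_cents,
              "status": "approved", "gw_sig": "00"}      # callback without the gateway
    results["hardened_forged"] = callback_hardened(forged)
    results["hardened_honest"] = callback_hardened(
        gateway_charge_hardened(redirect_hardened(oid2)))
    results["expected_total"] = ORDERS[oid2].total_cents
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The vulnerable path fulfils a 49.94 order for 50 cents; the hardened path declines the tampered request at the gateway, rejects a forged "approved" callback, and still accepts the honest purchase. Real gateways expose equivalents of this binding (a signed request and a signed or server-to-server notification), but the merchant-side comparison of charged amount against the stored total is the check that actually closes the bug.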