So originally I was going to do a talk about how to segue from classical pen testing into industrial control systems and specializing in industrial control systems, but I'm also going to go over one of the software-defined radio tools that I've been developing and things along those lines. It's an amazing industry to get into, and it feels like the early 2000s.

How many people in here are pen testers, or do pen testing for a living? And how many people are in IT positions for companies that are ship systems or anything along those lines? Either of those are segue points. I started out doing classical pen testing, or actually started doing a terrible job, which was server migrations, and then I was scripting and doing two to three times as much as everybody else. So you segue into actual pen testing, and then from classical pen testing and exploit development into actual industrial control systems. One of the biggest things is that it's just weird, because it feels like the Windows XP days, when you used to go pen testing and some people wouldn't even have patches fully aligned, and there were very, very easy exploits to pull off.

A little bit about me. A majority of the oil rigs, cruise liners, actual ship systems and aircraft systems I've done have all been for a company called MSI, or Mission Secure. I'm 33 years old, I've been doing pen testing, I live in North Dakota, and it's nice and cold up there. I spoke in DEF CON main track talks at DEF CON 22, 23, 24, 25 and 27; this is the village talk I'm doing this year. I've done Black Hat, Hardwear.io, ICS security and enterprise events; there are tons of speaking events, I've done over 60 speaking engagements. I have 15 years of pen testing and more than that, about 18 years, of programming, and hacking ATMs, point-of-sale systems, everything IoT. I originally got into actual industrial control systems by reverse engineering some malware that was going after oil rigs; they were actually stealing drill stem testing information so they could tell if the well was productive before the people who drilled it, which is kind of crazy. And then going into hacking oil tankers, passenger vessels and aircraft systems, so a lot of ARINC 429 and some of the specifics about it. That's one of the things I love about it: if you get burned out on classical pen testing, you can get into some of the actual offshore rigs.

So I'm going to go over a little bit of pen testing as a profession, and then that level of skills and how to transition, because you wouldn't believe how much it's like a game of World of Warcraft, where you specialize in something: somebody's a web app guy, or they're known as a web app guy, or SQL, or certain people go into exploit development, things along those lines. I'm going to go over how to actually segue into that a little bit. I'm going to go over some of the tools I developed, because there are literally no tools; you can't just go buy Metasploit for a Caterpillar engine diagnostic system. You literally have to listen to it, find out what the hell it's saying, and then try to say something back to it, or see what it doesn't post when it's doing its power-on self test and things along those lines. And I'm going to go into the actual protocols and equipment research and exploit development, so some of the more advanced exploits: if you can get unsigned code to run on a similar device, sometimes there's a trust between them. So I'm just looking at the actual attack surface and automating the actual testing of it, because, as fun as it sounds, going to Brazil or the middle of the ocean several times a year is not what it's cracked up to be. So I'm going to go over some of the ways that you can actually segue into the actual testing.

Different kinds of pen testing: like I said, there's classical hacking, that's what everybody knows, like when a bank or a hospital gets a pen test, and there's web, mobile and application testing. This is the usual progression: somebody plays around with a lab, or hacks their friends on ICQ or something like that, then it leads into actual web app and mobile testing, and then most likely into physical testing, and then you get specialized, you get your final spec. I'm going to use a couple of outdated World of Warcraft analogies, but that's pretty much the only easy way to explain it. I highly recommend it; if you have any questions at all, feel free to reach out to me and I will go over with somebody for four hours how to actually do the attack surface of a ship. It's very easy to do a Server 2012 or whatever, and some of that does tie into this. People always ask how to get into pen testing; that's one of the biggest questions when I would talk to college students, and you have to start out with some of the systems administration stuff. You need to know what a lazy sysadmin does, because you're going to eventually have to exploit it. And some of the networking: some of the recent really, really crazy ones, where you can get in from a guest network and be on a ship 12 hours later or something, a lot of that requires networking, it requires device exploitation and things along those lines that you do learn from a life of actually doing normal penetration testing.

And then physical stuff. Everything I use in my house, my Internet of Things, I always do my own physical pen testing. I pen tested my Ring system, tore apart a second system and just ripped it totally apart, and there are a couple of other IoT devices that I've torn apart. I've done a lot of vehicle Controller Area Networks; I was specializing in that a little bit before. I always recommend it, especially when people get burned out: if you're in an overhead position, where you aren't billable, you have tons of time to do research, and you can specialize in this. If anybody has any questions at all about that, literally hit me up on Twitter and I will take the time to go through some of the attack surface and how to build that up.

It's at a tipping point for maturity. It literally feels like 2002, 2003, every single month, and sometimes there are operating systems running from those years; that's the funny part of it. But it's looking at the actual wireless attack surface, and I'm going to get into some of the automation. Even on airtight systems they're using a wireless keyboard that's exploitable, or they'll use something that is specific down the road, and you wouldn't believe it: if you know the resolution of a screen and you can actually connect a device, you could start clicking things. It's a pretty interesting group of concepts, and automating it, like I was saying, is one of the main purposes I was developing the wireless tools for.

Web application testing: all the HMIs, the majority of them, are web based. Some of them have gotten a lot better about locking things down, and there are certain systems where you can actually get at their hardened system. So there's an HMI in a control room or something like that; I've actually tapped on the command prompt, went to the info button, got it to pop up an Internet Explorer browser, visited a local device on the network, and ran an Internet Explorer exploit. That's a chain of attacks that you have to do to actually execute some of that stuff. If you can get something local on the network, that's one finding right there, then there's another finding, a second finding, and it's above and beyond just writing reports. It's about actually taking that attack surface and understanding how some of the whitelisting works. Some of the other pen testing I've done in the past: if you're able to do cell-site emulation legally, where you can spoof onto a network, sometimes you hit a four-year-old Cisco device that's unpatched, and you can get past access controls and things like that. So it's definitely something where, taking into consideration your previous experience with pen testing, you can definitely get into ship systems, and it's amazing how many ship systems have normal off-the-shelf operating systems running on them.

Classical pen testing: on top of all the exploits, there are all the named ones nowadays. (Oh, that is your phone; I was like, what happened to my phone? Anyway, sorry about that.) But basically, going into the actual remote code execution exploit development, understanding how the exploits work, because a lot of the systems they try to lock down or harden. I did several years of ATM pen testing before I got into some of the more industrial control systems, and it's just taking a look at how people try to harden things, and the majority is security through obscurity. So taking into consideration classical pen testing, you definitely need to develop those skills; you definitely need to pull those exploits off on the boxes also. The IoT and smart stuff is basically just doing manuals on phones.
I've done several CVEs; I think I have 22 or 23 under my belt. Some of them were internally disclosed, a lot of them are with cell phone manufacturers, things along those lines, and some of those have just been found by tinkering, doing a web app test on a phone and then all of a sudden you see some sort of traffic that you're not supposed to. I definitely recommend getting as many devices as you can, understanding how they work, and just starting to dig into the attack surface of them, because once you have that analytical thought process, you can go through and see exactly how these systems interact with each other and how they refer to certain interfaces. What happens when a cellular interface goes down, or when a device is inside a room that they assume can't connect to the internet, but it still has a cellular interface on it? It's still looking for cellular towers; that's an attack surface that you're able to detect with the right wireless equipment. You can see the beaconing information, and you can actually sense it in international water; you don't have to have a 50-foot Faraday cage to pull it all off. So it's really, really fun stuff, and I highly recommend getting into tractor systems and car systems. Definitely go over to the other villages around here, guys; there's a wealth of information, these people are amazing, and most people are pretty approachable. It's definitely a good industry to reach out in.

If you're not confused, you're not learning; that's what I've learned over the years. There's one year where I didn't learn anything and just used the exact same stuff over and over and over, and if you guys ever get that, you get this learning curve that you have to work through once you get back to actually trying to learn things. If you want to start getting into vehicle systems, like when I was doing some autonomous vehicle stuff, I had to read the RFC for 802.11p and then find out what WAVE communication, the vehicle-to-infrastructure stuff, is. There are all these things out there that aren't your classical pen testing, and you'll feel like an 11-year-old when you're doing it. So that's the thing I can recommend for you guys: go out and buy an $11 PAL tuner, burn it out, and then find out why it burned out. Then you can work into some of the Great Scott Gadgets SDRs; some of them aren't technically software-defined radios, but you're able to listen to different frequencies and spectrums.

A lot of the software-defined radio automation I'm doing: I literally have a Great Scott Gadgets HackRF, and then I have an Ettus N210 with a specific daughterboard. So I'm going to have smaller radios looking for frequencies; it's going to be looking at broad spectrum. It's a spectrum analyzer that basically looks at what's talking over a day period, and then it'll pass off and capture huge portions of that spectrum. It's all about automating it, because it is expensive to fly people out to a ship or a shipyard in the middle of nowhere. Especially if there's a light plant switch at midnight every night, some people don't want to be up at those hours, so they don't want to send technicians out there; that's why I'm working on automating it and going through the process of it. It'll basically do everything that I do on a pen test: it'll tell me if there's pager traffic, and then if there's pager traffic, the next day it'll listen to that pager traffic, it'll sample it, and then you can actually go further with that. Some of it's just raw serial communication when you actually break down the actual communication of it.

Talk to people in the industry. When I wanted to get into oil field hacking, like when I did the reverse engineering of the malware that was geared at oil rigs in the Bakken, that's where I'm from up in North Dakota, I just went to a bar and chatted with a bunch of MWD, which is measurement while drilling, people and directional drillers. They have dirty fire-resistant gear, and you just chat them up a little bit; people love talking about their jobs. That's definitely something I recommend, especially if you have the opportunity to be in an overhead position: just try to learn as much as you can if you want to get into some kind of consulting basis.

Like I said, you can't be a master at everything unless you literally dedicate your entire life to it. You guys all know that one friend that you go to with the Linux questions and stuff like that; there are some people that do dedicate, but you need to specialize in four or five fields and then just become a master in those. For three years I did telecom stuff and then went on to other stuff, and I've ended up using my telecom stuff for base station hacking with site-to-site: these rigs will have a site-to-site link, and if you actually have a CPE, customer premises equipment, you can pop up in between there, and oh, they're not using hardware encryption, or they are using hardware encryption but there's some kind of spectrum you can listen to there. There's always a lot of information you can get just by learning how those actual systems work.

Levels of skills. There are several levels of it, and what I recommend for people is to be good enough to sell it or quote it on everything; be able to talk about WAFs and so on. I'm not saying become a salesperson, I would never recommend that to anybody, but it's definitely something. Enough to self-study is the next step, then enough to hack, enough to script, then enough to make exploits, and then enough to actually research and reverse engineer. So just work your way through those levels. Like I was saying, this is pretty much an untouched industry; I would say it's five years mature right now, which literally puts us in the early 2000s. As far as opening up: if anyone wants to segue into that kind of industry, or if you're in that kind of industry and they don't let you touch those systems, if you can throw some of the lingo around, an enough-to-quote-it type situation, they might actually allow you to have access to some of those systems, and then hopefully not brick them. But you can play around with them and learn them, because some of these systems are a four hundred thousand dollar propulsion system; you can't just buy that on eBay. Having broad skills is always positive. Being able to know at least what the device is trying to do is the level that you want to get to for all of it, and then you can go over the actual attack surface of the vessels themselves.

When you get married or have kids, your time does go away, and there's this stopping point when you turn 28: mentally, after 28 it becomes impossible to pick up on new stuff. So for all the 30-year-olds in the room, or above, you kind of feel that it's hard to learn things or pick them up as fast as you used to be able to.

Also, getting into actual software-defined radios, like I said, is the biggest thing. I started tinkering with them, just bought a PAL tuner, and then I ended up doing some work with the university and we ended up buying four of the best USRPs, the Ettus N210s. Then I ended up doing a man-in-the-middle attack on a Jeep key, actually starting a Jeep a quarter mile away from its key, and I did responsible disclosure with Chrysler. So, just starting from the bottom and moving up, and just wondering how stuff works, and curiosity. For a while there I was getting bored; I was like, how many times can you get domain admin in four hours? It just becomes a little bit repetitious, and it's really, really nice to be able to mix these kinds of things into the mix.

Background and transition: like I said, you need to have pretty much all these skills, and all these skills are really good to work into. If you are a mechanic or a technician, as long as you have analytical thought, they make some of the best people for actually doing this kind of stuff. From a student perspective: like I said, you're young, learn everything you can, and listen to as many videos as you can on double speed. Programming is a must; at a certain point you're going to hit some kind of wall. That's something I always like to go through with people: you don't necessarily need to be able to program, but you can't really modify a Metasploit module if you don't know Ruby, or come up with a proof of concept if you can't modify the Python. So that's something to look into. And then a pen tester's perspective is the way that I went: I went through networking and pen testing, and then I backfilled all my systems administration stuff. I definitely recommend learning a little bit about everything and then getting specialized into the actual ship systems. Like I said, the exact same way you look at the attack surface and want to learn this stuff, you have to look at the sales materials first. When I was doing aircraft hacking: what does an aircraft use? Then you look at people selling aircraft stuff, and they're just bragging about how their product does this, this and the other thing. Then you read a couple of RFCs, and then pretty much you're at the point where you can at least talk the talk, and then you start actually diving into some of the actual testing and things along those lines.

Overhead versus consulting: like I said, an overhead position means you're not billable, that's just what I mean by that. I would recommend it; you have tons of free time to be able to learn things, and they'll pay for training, things along those lines. And then consulting: if you're young and want to travel a lot, that's definitely a good field to get into. There are trap positions to watch out for, where they'll promise one thing and then it's another thing, so just have your eyes out for that kind of stuff. But if it's something where you want to work into one of those positions from the current position you're in, that's why I asked how many people were in pen testing, or consider themselves to be even doing light exploit testing, or stage one exploit testing, if you're running scanners and proving that they're working and stuff like that. You can still segue into one of these fields, and like I said, this is one of the growing industries; if you have the background knowledge, you'll definitely be able to get positions in this.

How to learn all this: practically every machine has some kind of operating system running on it, so just understand how exploits work; I can't stress that enough. You guys can tell by how fast I talk; I listen to everything on double speed. Setting up a lab and understanding the exploits: old phones, car parts, literally everything. Everything I get I desolder; I even have some weird thing I bought at a rummage sale, I don't know what it does, I'll google everything that's on it. I don't have as much time to do that anymore, but I like knowing what every single piece of a device does, because I do a lot of hardware hacking, and when I used to do a lot of cell phone exploitation you had to actually pull everything off the chip. Everything's gotten a little bit more advanced nowadays, but it's definitely still worth checking into.

Like I said, being able to program is really, really nice, because you can take somebody's GitHub project that they forgot about while they were going to college and basically turn it into something else, which is an actual tool. Like I said, I call it a weaponized spectrum analyzer, which is basically going through all those frequencies and being able to not burn out the radios, understanding how radios work and actually tinkering with some software-defined radios. I can't stress enough how young you feel just playing around with those radios; I feel like when I tore my dad's VCR apart when I was little, it's that kind of enjoyment. So I can't stress that enough, and getting as many devices as you can and setting up the labs. Reverse engineering: I started out cracking video games back when I was in junior high, that's how I got into C++ and assembly-level languages, so you can take one of your loves and integrate it into another one. If you guys want to get into heavy-duty programming, I recommend at least programming an hour a day, and doing all the languages you hate, or the really hard ones; it's like playing Resident Evil on really, really hard and then going back to easy and you just breeze through it. Using video game analogies, but that's what I like to do: I like to confuse the crap out of myself. One of my bosses used to call it in medias res, which means he liked to throw me in the middle of things and then have me learn both ways. When you learn the hardest stuff you can, where you're hardly confusing yourself, all the other stuff just comes naturally, because you're googling this, that and the other thing.

Once you're going over the actual attack surface of a ship or a boat or anything along those lines, like some of the cruise liners I've done, I remember just being able to find the specific system of those systems, and not having internet, because I'm the kind of guy who will google in front of a customer; it doesn't scare me. Some people are like, I'm a know-it-all, I never google; no, I'll google stuff. But sometimes you can't google stuff, and you need to know at least the basics of everything. Some of the encrypted traffic on one of my first ship systems: I basically was sniffing out a lot of this industrial-space wireless spectrum and I was like, I have no idea what this is. And then I got it; it was encrypted, but I was able to repeat it and be able to see that it was speaking some of the preambles and stuff like that, to know that it was a legitimate ship system.

Like I said, the walls. People who can't program: that's something I thought, that I couldn't program, because I got this Visual Basic book and it was, make a calculator, and I'm like, I don't want to do that. So what I did was I got a bunch of C code and I just literally read it, confused myself, and then I started programming at least an hour a day. Like I said, even if you're confusing yourself and you're literally just reading for that hour a day, do it. You will run into a wall, and it's not as hard as you think once you've actually been in it; it's that thing that you've done for three years that you can't realize how hard it was at one time, that's exactly what programming is. If you feel like you don't like programming, it's something that you learned the wrong way, or there are so many teaching methods, especially in universities now, where they're teaching it what I would consider the wrong way. And people who stagnate at one company, I've seen that, or the opposite of that, the guy who hops between companies every two years when their renewal bonus is up, things along those lines; that's a good way to burn out.

Like I'm saying, don't feel bad googling things; google as much as you can. And fear: as far as workplace anti-OS attitudes, some people are like, I'm never going to do anything with this, that or the other operating system, and some of the real-time operating systems are really, really dry, and a lot of them are repetitive, and there are some recent exploits and things along those lines. So staying on top of those exploits, in addition to a 40-hour work week, which none of us probably have, it's all more hours than that; I spend at least eight hours researching exploits, looking on GitHub, finding out how things work, and if I don't understand them I have to find the mechanics behind the other thing. It's amazing: I could talk about some crazy, crazy things you can pull off, but it's chaining together six or seven things, and some of them don't seem to be big things. If you can deactivate a Windows license, what does that do? I know the next time that machine boots up what page it's going to try to go to, and if I'm in a man-in-the-middle position I can basically serve up a web browser exploit. So there are lots of cool ways to do sandbox escapes from hardened systems like that, be it an HD or HMI or some other system like that.

We are running out of time, so I think I have one more slide here. This custom space for custom software-defined radios: get into their untouched wireless findings. I can't believe how many people don't; if you guys are classical pen testers, at least start doing this, start looking at how many Bluetooth and wireless hacks there are. The Crazyradio RF stuff has been out since like 2016, so there's no excuse for not knowing that there are wireless keyboards and that you can literally sniff people's passwords. I've done that in the wild; I've paired with devices and done keystroke injection, and sometimes that's good enough to show them the proof of concept. Even if they're one of those customers that have a really hardened surface, you might not be able to get in exactly, but you might be able to still show them that there are weaknesses with some of the wireless keyboards and things like that.

As far as that spectrum tool, I've got two minutes left, but I'm going to go into a little bit about the actual device itself. It basically has three radio antennas: it has an Ettus N210, a Great Scott Gadgets HackRF, and a Crazyradio on it. So it scans for Bluetooth traffic, and I have an Ubertooth One on there also. If you want to start getting into heavier payload sampling and things like that, or if you want to start deauthing stuff or doing two-way communication, you can. But it basically is a way to automate some of the wireless testing, because some people who do pen testing like to send a box onsite, and I think it would make a really great addition to onsite pen testing. How many hospitals have people pen test them and they don't realize their pager traffic is unencrypted and they're leaking PII? It's amazing: room numbers and a name, or room numbers and a kind of medication, and then you can literally say, it's so-and-so. It's an amazing thing to be able to add to the deliverables. I don't want to get all project-manager-y, but it's definitely something that people will enjoy, and I think your customers will enjoy it. So, like I was saying, yeah.
Thanks. I'll open it up to questions. I honestly love my job and I literally will talk all day about it, so if you guys have any questions, hit me up on Twitter; it's Weston Hecker on Twitter. So, open up to questions, which I have like a minute left for, probably. Awesome; well, I appreciate you guys taking the time, and like I said, feel free to literally approach me. I know a lot of people say that; I genuinely mean it. Hit me up on Twitter. I have a lot of criminals hit me up on Twitter too, so if you're wanting me to, like, let's hijack a ship of Mercedes vehicles or something, I probably won't do it with you, but if you guys want to learn some stuff, definitely let me know. I love chatting with people and learning and seeing enthusiasm; it makes me more enthusiastic, because when you get burned out on something it's really nice to be able to see people with passion. So I appreciate it, guys, and yeah, Weston Hecker on Twitter, feel free to hit me up and I'll get in contact with you. Otherwise I'll be right outside here and we can chat also. So thank you guys.
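Editor's added example. The talk describes a day-long survey workflow for its wireless box: sweep the spectrum, note what is persistently transmitting, and come back the next day to capture the persistent emitters (pager traffic being the running example). The script below is an illustration of that triage loop written for this page; it is not the speaker's tool or any code from the talk. The sweep data is synthesized inline, the band table is an assumed lookup used only for labelling, and the channel-snapping grid, occupancy threshold and capture parameters are illustrative defaults.

```python
"""Daily spectrum-survey triage: find what is persistently transmitting,
label it, and plan a focused capture for the next day.

Constructed example for this page, not the speaker's tool. Sweep data is
synthesized below; the band table is an illustrative assumption.
"""
import random
import statistics
from collections import defaultdict

BIN_HZ = 25_000  # assumed resolution of the survey sweeps in the 900 MHz band

# Assumed band table (MHz ranges) used only to label what was found.
BAND_TABLE = [
    (902.0, 928.0, "900 MHz ISM"),
    (929.0, 932.0, "US paging (POCSAG/FLEX)"),
    (2400.0, 2483.5, "2.4 GHz ISM (Wi-Fi/BLE/keyboard dongles)"),
]


def classify(freq_hz):
    """Label a centre frequency from the (assumed) band table."""
    mhz = freq_hz / 1e6
    for lo, hi, label in BAND_TABLE:
        if lo <= mhz <= hi:
            return label
    return "unclassified"


def make_sweeps(n_sweeps=24, seed=1):
    """Synthesize n hourly sweeps as lists of (freq_hz, dbm): a ~-100 dBm
    noise floor, a pager carrier at 929.600 MHz every hour, and a 2.437 GHz
    burst only during hours 8-17. The 2.4 GHz band is swept at 500 kHz steps."""
    rng = random.Random(seed)
    freqs = [929_000_000 + i * BIN_HZ for i in range(121)]              # 929-932 MHz
    freqs += [2_400_000_000 + i * BIN_HZ for i in range(0, 3341, 20)]   # 2400-2483.5 MHz
    sweeps = []
    for hour in range(n_sweeps):
        sweep = []
        for f in freqs:
            p = -100.0 + rng.gauss(0.0, 1.5)
            if 929_575_000 <= f <= 929_625_000:        # always-on pager carrier
                p += 30.0
            if f == 2_437_000_000 and 8 <= hour <= 17:  # daytime-only emitter
                p += 35.0
            sweep.append((f, p))
        sweeps.append(sweep)
    return sweeps


def detect_channels(sweep, margin_db=15.0):
    """Return {channel_centre_hz: peak_dbm} for every run of adjacent bins
    that sit more than margin_db above the sweep's median noise floor."""
    floor = statistics.median(p for _, p in sweep)
    hot = [(f, p) for f, p in sorted(sweep) if p - floor > margin_db]
    channels, run = {}, []

    def flush():
        if run:
            centre = (run[0][0] + run[-1][0]) / 2
            key = int(round(centre / 100_000) * 100_000)  # snap to a 100 kHz grid
            channels[key] = max(p for _, p in run)
            run.clear()

    for f, p in hot:
        if run and f - run[-1][0] > 2 * BIN_HZ:  # gap: previous run is complete
            flush()
        run.append((f, p))
    flush()
    return channels


def occupancy(sweeps, margin_db=15.0):
    """Fraction of sweeps in which each channel was active, plus its peak level."""
    seen, peak = defaultdict(int), {}
    for sweep in sweeps:
        for centre, dbm in detect_channels(sweep, margin_db).items():
            seen[centre] += 1
            peak[centre] = max(dbm, peak.get(centre, -999.0))
    return {c: (seen[c] / len(sweeps), peak[c]) for c in seen}


def plan_captures(occ, min_occupancy=0.5, sample_rate_hz=2_000_000, duration_s=600):
    """Turn persistent emitters into next-day IQ capture tasks, loudest first."""
    tasks = [
        {"center_hz": c, "band": classify(c), "occupancy": round(frac, 2),
         "peak_dbm": round(dbm, 1), "sample_rate_hz": sample_rate_hz,
         "duration_s": duration_s}
        for c, (frac, dbm) in occ.items() if frac >= min_occupancy
    ]
    return sorted(tasks, key=lambda t: t["peak_dbm"], reverse=True)


if __name__ == "__main__":
    occ = occupancy(make_sweeps())
    for c, (frac, dbm) in sorted(occ.items()):
        print(f"{c / 1e6:10.3f} MHz  occupancy={frac:.2f}  peak={dbm:6.1f} dBm  {classify(c)}")
    for task in plan_captures(occ):
        print("capture:", task)
```

With the constructed sweeps, the pager carrier is seen in every hour and becomes the single capture task, while the daytime-only 2.437 GHz emitter (10 of 24 sweeps) falls below the 50% occupancy cut and is only reported. The median-based noise floor is deliberate: a loud persistent carrier would drag a mean-based floor upward and hide weaker neighbours.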