I'm going to leave him to run through it from now on. Thanks very much. What's up, DEF CON? You guys doing good? I'm technically three'd in on my 3-2-1 because the day's not over yet. All right, so this is Prebellico Pi and, like I said, this is leveraging the network against the network without the network. And really what I'm doing here is I'm going to push a narrative a little further, given some of the things that I've experienced recently with various different things. So, all right, just to go over an agenda. I'm going to give a kind of brief introduction, right? And then I'm going to give a Prebellico overview, and that's the art of fighting without fighting. The reason I'm going to do that is not everyone has seen Prebellico, and it's still amazing how many people in our community are still subject to groupthink and push back against this constantly. I was here with the Cisco switch. I dropped it and proved that it happened. I've done it with an HP switch. These are enterprise-grade switches. I've done it with Netgear switches. I dropped this over at DC541 and, just for a proof of concept, we even jumped on some networks I had zero control of and had all kinds of intel coming out of it. So what I'm going to do is I'm going to give a brief overview of that just so everyone's tracking what Prebellico is and understands it; that way they can understand where I'm taking things. Next, I'm going to talk about the realities of physical and wireless penetration testing and the threat landscapes of those two.
Really what I'm looking forward to is I'm going to give you just kind of a brief summary of what that threat landscape looks like. Excuse me, what we currently inspect and a real-world demonstration of impact. Then I'm going to talk about some of the Prebellico shortcomings, and that's actually some of the things that drove me to push this further, particularly data loss, data retrieval or exfil, and also some air-gap configurations. Then I'm going to talk about the key point here, which is there is no spoon, and that's talking about your physical network controls and why they're no longer applicable and why it's important to go back to some of the original things. I think that we have a problem with a lot of vendors where they've sold us that the technical controls will save us and we disregard a lot of very basic principles, and what I'm doing is I'm just pushing that narrative a little bit further, and I'm all about the blue team. Who's on the blue team here? I love you guys. I do everything for you guys. This is a hard job. But I'm here to kind of help enable the blue team, especially those that don't necessarily have support in that area. Then I'm going to push the data forward with the live demonstration of Prebellico Pi, which is the intel extractor, talk about the future of Prebellico Pi, and then offer some closing remarks and then just answer some questions. Okay, so, obligatory slide. My name is William. I work for Coalfire Labs. We hack all the things: physical, human, API, blah, blah, blah. But that's enough about me. Really, I'm just kind of a person who likes to push the narrative forward, and that's what I'm here for today. So let's talk about Prebellico. Some of this content was borrowed from my previous talk, but basically I call it the Art of Fighting Without Fighting, and basically it's a network analysis tool. I've seen some people start calling it a scanner. It's not a scanner. Prebellico does not broadcast or transmit anything.
Basically it's something that I rage-coded as a proof of concept. I did this because I was constantly being told that some of the things that I was doing were impossible. And so I rage-coded it to provide a proof of concept, and then everybody asked me to start building on some things, and so that's kind of where it came from. But like I said, it gathers intel through 100% passive techniques. It's zero touch, and it's about 20% done, but it's going to need an overhaul anyway, especially with this push. So let's do a Prebellico demonstration. So like I said before, the community totally believed me and got fully behind me, as well as my management and some of those things. But after a while, when I started proving some things, then the realities of what I had started coming in. And some of my guys on the blue side and some of our infrastructure people were really concerned with what I was proving. So I was like, you know, yeah, let's take this to the world, right? And management, you know, they got fully behind me. My peers got behind me, you know, but especially management, like, yeah, let's take this to the world and let's show them what we have. Actually, to be honest with you, there was a lot of fear about this. There was some talk about maybe we should just not release this, maybe we should take it from you, et cetera, et cetera. But my company really cares about infosec, really got behind me and did, excuse me, did what they could to allow me to present some of this to you. So, that said, this demonstration is a highly obfuscated virtual demo of what Prebellico does. I spent a lot of time in a hex editor and things like that and got approval from the CSO and such. Okay, so basically in the right window, what you're going to see is I'm dumping my IP configuration and then I'm running tcpdump, which is gospel, which is proving whether or not I'm broadcasting anything. So I want you to pay attention to that in the background.
If I'm broadcasting anything, it'll scroll there. And then here on the left, in the bigger window, I want to show you that there's this intel that's spilling. This is kind of a best-case scenario for what you can get with Prebellico. But as you can see, there's all kinds of intel that's actually spilling here. In some cases, it's unicast, and there can be a lot of juicy things in unicast. I'm able to do all kinds of things like map out different ports and services that systems are doing, kind of map out host intent. I have this one technique that I call reverse port scanning, which is where I can map ports on a host behind a firewall that I can't reach, as well as identify the hosts that are allowed to reach those. And I'm just doing some real basic hackery, based off of concepts of the three-way handshake and some of those pieces. But like I've shown here, I can get things as sensitive as SNMP community strings. So I've had some infrastructure where they've got two-factor authentication on the infrastructure, but the guy who deployed it had some really complex SNMP community string that I would never guess myself. But unfortunately, that stuff spills on a switch. I'm doing all this without man-in-the-middle attacks. And if you think about it from an OSI layer model, that's a problem because we build everything off of that, right? But again, you know, finding things like a password reset server. Again, I want to thank DISA for approving the password reset server. So useful to me. Thank you. Or a test backup server, or a Rapid7 Nexpose console, or anything that I've got a 0-day in my pocket for. This is so useful, and this is free intel that's coming over the wire with next to no effort. So it looks like someone's spraying an SNMP community string. There's an SNMPv1 community string that was somewhat like that. That's valid enough to leverage. Again, test backup server. I love altered client backup resources when I attack clients.
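The two techniques the speaker describes above, inferring open ports and permitted clients on a host you cannot reach from other people's three-way handshakes, and lifting SNMP community strings straight out of unicast traffic, can be shown with a small passive analyzer. This is an added example written for this transcript, not Prebellico's code; the frames, addresses, ports and community string are constructed inline so it runs offline, and the observer is assumed to be unable to reach any 10.0.1.0/24 host itself.

```python
"""Passive inference over captured frames: 'reverse port scanning' and SNMP community strings.

Added example for this transcript; it is not Prebellico's code. Every frame, address,
port and community string below is constructed inline so the script runs offline.
"""
import struct
from collections import defaultdict

TCP, UDP = 6, 17
SYN, RST, ACK = 0x02, 0x04, 0x10
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, IPv4


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (IHL=5, checksum left zero since we only parse it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def tcp_segment(sport, dport, flags):
    """Header-only TCP segment: data offset 5 words, given flag bits, no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0xFFFF, 0, 0)


def snmpv1_get(community):
    """BER: SEQUENCE { INTEGER version=0, OCTET STRING community, GetRequest-PDU {} }."""
    body = b"\x02\x01\x00" + b"\x04" + bytes([len(community)]) + community + b"\xa0\x00"
    return b"\x30" + bytes([len(body)]) + body


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def frame(src, dst, proto, l4):
    return ETH_HDR + ipv4_header(src, dst, proto, len(l4)) + l4


def parse_frame(raw):
    """Return the L3/L4 fields we need, or None for non-IPv4 or other transport protocols."""
    if raw[12:14] != b"\x08\x00":
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if ip[9] == TCP:
        return dict(proto=TCP, src=src, dst=dst, sport=sport, dport=dport, flags=l4[13])
    if ip[9] == UDP:
        return dict(proto=UDP, src=src, dst=dst, sport=sport, dport=dport, payload=l4[8:])
    return None


def snmp_community(payload):
    """Pull (version, community) out of an SNMPv1/v2c message; None if it is not one."""
    if len(payload) < 7 or payload[0] != 0x30 or payload[2:4] != b"\x02\x01" or payload[5] != 0x04:
        return None
    n = payload[6]
    community = payload[7:7 + n]
    if len(community) != n:
        return None
    return {0: "v1", 1: "v2c"}.get(payload[4], "v%d" % payload[4]), community.decode("latin-1")


class PassiveAnalyzer:
    """Learn only from what other hosts send; nothing is ever transmitted."""

    def __init__(self):
        self.open_ports = defaultdict(set)    # host -> ports that answered SYN/ACK
        self.closed_ports = defaultdict(set)  # host -> ports that answered RST to a SYN
        self.allowed = defaultdict(set)       # (host, port) -> clients the firewall let through
        self.communities = set()              # (target, version, community)
        self._pending = set()                 # (client, server, port) SYNs awaiting a reply

    def feed(self, raw):
        p = parse_frame(raw)
        if p is None:
            return
        if p["proto"] == TCP:
            bits = p["flags"] & (SYN | ACK | RST)
            key = (p["dst"], p["src"], p["sport"])  # the SYN this segment would answer
            if bits == SYN:
                self._pending.add((p["src"], p["dst"], p["dport"]))
            elif bits == SYN | ACK:
                # The server itself tells us the port is open and that this client may reach it,
                # even though the server is unreachable from where we are sitting.
                self.open_ports[p["src"]].add(p["sport"])
                self.allowed[(p["src"], p["sport"])].add(p["dst"])
                self._pending.discard(key)
            elif bits & RST and key in self._pending:
                self.closed_ports[p["src"]].add(p["sport"])
                self._pending.discard(key)
        elif p["proto"] == UDP and p["dport"] == 161:
            found = snmp_community(p["payload"])
            if found:
                self.communities.add((p["dst"], found[0], found[1]))


# Constructed capture: five frames seen on the wire by a host that cannot reach 10.0.1.0/24.
SAMPLE_FRAMES = [
    frame("10.0.0.5", "10.0.1.20", TCP, tcp_segment(51000, 443, SYN)),
    frame("10.0.1.20", "10.0.0.5", TCP, tcp_segment(443, 51000, SYN | ACK)),
    frame("10.0.0.7", "10.0.1.20", TCP, tcp_segment(51001, 22, SYN)),
    frame("10.0.1.20", "10.0.0.7", TCP, tcp_segment(22, 51001, RST | ACK)),
    frame("10.0.0.9", "10.0.1.30", UDP, udp_datagram(40000, 161, snmpv1_get(b"S3cr3t-Str1ng!"))),
]


def run_demo(frames=SAMPLE_FRAMES):
    analyzer = PassiveAnalyzer()
    for raw in frames:
        analyzer.feed(raw)
    return analyzer


if __name__ == "__main__":
    a = run_demo()
    print("open:", dict(a.open_ports), "closed:", dict(a.closed_ports))
    print("allowed:", dict(a.allowed), "communities:", a.communities)
```

The check that matters for the blue team is the one in `PassiveAnalyzer.feed`: a SYN/ACK from a server is proof that the port is open and that the firewall permits that particular client, regardless of whether the capturing host could ever complete a handshake with it. Replacing `SAMPLE_FRAMES` with frames read from a pcap (for example with a `pcap` library) is the only change needed to run it on a real capture.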
Anyway, this kind of gives you an idea of how that works. And then, per the request of the community, I put in some backup support for reporting capabilities and some of those things, so I'll let that go really quick here and then I'll kind of move on, because I want to get to the real meat of why we're here. So what I'm doing here is I'm opening up a new terminal and I'm just going to run the old-school Prebellico reporting engine. And what that's going to do is just say, hey, I want you to take a look at the information you gathered and tell me about the attack surface that's here. And you see there's all sorts of useful information, to include identified hosts, potential SNMP community strings, validated descriptions of what various hosts are on the network, as well as some guidance about how you might go about attacking this. As I demonstrated last year, you can get very specific with listing networks and listing particular hosts within those networks and getting some of the data there. But I'm not going to drag that on too much. We did that several times and I keep dropping this everywhere. So if you want me to show you more of this later, let me know and I'll swing by and show you. But like I said, very useful intel that is gathered 100% passively. Again, that window in the upper right-hand corner: I'm not broadcasting anything, so it's zero touch. All right, so let's talk about the physical threat landscape. This is my perception of physical security just about everywhere I go. And I think really the bigger part of the problem that we have here is whether or not we're taking things seriously. I think that we're being sold this concept that the technical controls will save you. And so, so what if they can get in, so what if they can shim doors, and so what if they make it to the server closet, things like that.
If I can find my way through there leveraging hangers or little tools and just shim my way through all the way into your organization, I assure you I will destroy you. Unfortunately, though, our industry, the way that we kind of manage this is we carry out these physical threat assessments called audits. And we take a look and we're like, yep, we've got a control there. We're good. And we declare victory, right? Unfortunately, your adversary can operate just like me and can walk their way into a place. And I assure you, if they're more malicious than me, which I assure you they are, they can absolutely destroy you with physical access. But it seems like a lot of the physical teams, the people that are trying to enforce physical controls, are disregarded constantly. And it seems like a lot of the engagements that I try to pursue, people don't want to pursue these because they're costly or useless, which is truly unfortunate, especially when you're paying for a red team engagement or a physical pentest. You know, as long as destructive attacks aren't in play, I highly encourage you to pursue this. But okay, so that's kind of the thing with physical security. Let's talk about the wireless threat landscape. And I apologize, this is a really old-school image that everyone's seen, showing the frequency allocation just for the United States, right? So it's highly overused. I apologize. But anyway, the point being is that this has all kinds of potential. For instance, I may or may not have built these and may have tried to leverage these during engagements, but if a guy like me can build these, anybody can. Some stuff is from HackerBoxes or whatever else have you, but very useful during an engagement. So this right here, for instance, is a USB data exfil device that operates at 433 MHz on a point-to-point network, where if I can get physical access to a console that I'm quite interested in, I may be able to pass that over 433 MHz.
This right here isn't. It's just a wireless bug. So literally, I can plug in a 9-volt battery and I can, you know, tune to whatever frequency I want and I can sit there and listen to your board conversations or your call center or whatever else have you while you're resetting your passwords, and snag that information. Unfortunately, the FCC restricts me from encrypting this. And so radio is radio, and that's the best I knew. But let's take another device. For instance, this is a Raspberry Pi with the ability to talk over 3G/4G, right? And so we can passively collect data, steal data, exfil data over some of those alternate frequencies. Yet this is what our assessments consist of. So I highlighted the two red boxes where I typically see things, and we're like, secure wireless networks, we're good. Yet we declare victory again, and these devices that are real-world, that I've talked about before, operate completely outside of those bands, and this is not just about my perception of things. These are real attacks. So this is a classic example of a blend of physical compromise and wireless compromise with a Barclays bank. They were able to get over $2.2 million, and they could not figure out how the heck they were pulling this off. But they were literally working their way into the server room, having a KVM configuration, and stealing data that way. All of their assessments and audits and everything passed, and they couldn't figure it out. They only got caught because they got greedy with an additional site. So here's the greed. It saved Barclays. But the fact is that's a real-world compromise involving physical security and wireless assessments. And again, that's operating out of those bands that we typically audit out of, yet a lot of my customers are like, I want to understand, we're doing all the things and checking all the boxes.
Why are they still owning us? Sometimes because your real-world adversaries are desperate, and like I've said before, you should never underestimate the creativity of a desperate individual. Okay, so let's just transition a little bit, you know, because this is about Prebellico, and let's talk about Prebellico shortcomings, right? There are quite a few of them. I mean, first of all, I wrote this as a proof of concept out of rage to prove that switches spill. So it's an okay tool. But it kind of comes with some caveats. So like in air-gapped environments, you know, Prebellico is, you know, not magic. It can't pull from multiple air-gapped environments, or that is, it couldn't until now. But also Prebellico depends on your position in the network. It's kind of interesting. When I run Prebellico in some environments, I'll find that there's not a whole lot of data, and then in some other environments I'll find that there's a ton of data, and I'm still trying to understand the drivers for that. But there have been instances where I will execute Prebellico and I'll see absolutely nothing until 4pm. I remember this one time with a customer, I said, hey, what happens at four o'clock? And the customer was like, oh, well, that's the SOC change. Oh, okay. Yeah, those dudes hate each other because they both say they're doing it wrong. It turns out the way that the SOC does things at 4pm was very useful to me. But you know, we're kind of dependent on that position of where we're executing this, via either overt or covert methods, right? So also, device discovery can be devastating, especially in a red team engagement. I mean, I love dropping Prebellico in a red team engagement because it does not transmit. You can't see it. Lots of data, but if somebody finds that little thing and they're like, what is that? Even if it says IT security, don't touch, and they remove it, I lose my data. That's a sad day.
So some of the ways, you know, that we try to go get that data is through exfil. There's various methods, right? You've got like C2 methods that you may want to try to pursue to get that data, where you don't have to visit again, and then you've got sneakernet, where you've got to visit, right? You've got to go visit that site, but that's also risky, especially, you know, if you have a scope requirement where it requires surreptitious methods of entry every time. That is to say, you can't leave forensic evidence that you were there. That's a lot of overhead to be able to go and get that data via sneakernet. So let's just talk about some of the shortcomings. First off, Prebellico is awesome. I don't care if people don't like it. It's been very useful to me, and I've gotten great reports back. I had a guy last year tell me that it helped him take over the hotel network. I was a little concerned, but what he basically told me is there was a bridge that he wasn't expecting, and that's what Prebellico does. It challenges your assumptions about what you think the environment is, and it turns out that the controls that they had weren't exactly effective and he was able to take that over. I encouraged him not to do illegal things, et cetera, et cetera, but you know, it's kind of interesting some of the things that it's brought to light, even in some of my assessments. So in my opinion, Prebellico is awesome. But you know, we know that we're going to be placed somewhere here on this network and we don't exactly know where, especially when someone else deployed the device for us, you know. Jack, where did you plug me in, man? I don't know. There was a switch there. There was a plug. I have no idea, right? And sometimes, you know, the intel can be better on one side than the other, just due to the nature of networks and the way Prebellico works.
But the bigger problem is we don't know about the security controls that we're going to be running into, because we're investing in a lot of these technical controls, which are great. Don't get me wrong. I'm not knocking them and saying that they're junk. It's just I'm going to prove that they're not as helpful as one might think. But the reality is, as an attacker, there's going to be this massive infrastructure, especially with a mature organization, and trying to exfil data technically is going to be a bit difficult, right? It's probably going to look something like this, right? And when I'm trying to think of a way to kind of exfil data, or when my friends are like, dude, you've got to help me find a way to exfil the data, you know, I'm going to leverage something that may help me kind of leverage a C2 to be able to exfil that data. But you know what, in some cases that's going to get caught, which is great. But some organizations need to be nudged forward accordingly, you know, to improve their posture. So using something that they're going to catch immediately is kind of useless, especially in my red team engagements. So I'm trying to see here and I'm thinking, how can I exfil the data from Prebellico without knowing what the security controls are? How does that work? What can I do to pull this off? Because I know me. And then it kind of hits me. How can I bypass the controls that I can't predict? What is the way, what is, kind of, you know, I was proposing something to my buddies and they're like, no, they know that. No, they've got that. You've got to be more creative. Come on, help me out. And I'm just like, man, I'm wracking my brain. You know, I'm doing ICMP C2. I've got a little trick with TCP. I'm just trying to figure it out, and it hits me. There is no spoon. This is mind-blowing to me. And I'll tell you, I'm the dumbest guy in the room. But what I realize is I'm trying to fight against all these security controls in this network.
You know, why am I operating by those things that they've defined? Why should I operate that way? It's 2019, 2020. You know, things are coming around. Lots of stuff is improving around us, and suddenly I realize I don't need to operate around those security controls. Why should I? My adversaries aren't. That was proven by Barclays several years ago, right? I suddenly realized, well, fuck the security controls. Fuck trying to fight all that. You know, if I want to stretch an organization that just doesn't care about wireless or physical and things like that, I need to adjust my narrative, because that's what we do as red teamers, for the benefit of the blue, especially when they're trying to get that budget for the blue, right? In fact, fuck the network across the board. I don't need the network, right? Because there is no spoon. We've been operating with these adversary simulations under those controls, to test those controls. Now, don't get me wrong, those are good to test, and physical pentests and things like that. But sometimes you reach a point in your organizational growth where you need someone to test you or push things beyond the limit. And we've been checking boxes, like I said, with wireless and physical engagements, and everyone's just saying everything's good, but we're constantly getting compromised. And then, like I said, there is no spoon. There's no network. There's no security control. And this is what Prebellico Pi is about. All right, here versus goat theory. So what we have here is, and again, for the haters that say this is impossible, I've got another type of managed switch. I dropped Cisco and I dropped a line from Cisco that said this is possible, but I did this with a Cisco switch. I decided to bring an HP managed switch, and what we have here are some really rough Pine A64 boards. I tried to bring the enterprise to you, and that's very hard and costly to do, coming to DEF CON on my back. But what this is, is basically just a bunch of Linux servers.
So by now, the CAM table or the binding table of the switch is fully populated. And so what I'm going to do now is I'm going to get that. Don't worry about it, boys. I got it. I know what's wrong. Okay. Okay. So here we go, here versus goat theory. I want to point out, just a quick question for you. How many think I can extract information from your infrastructure without leveraging your infrastructure? Oh, some brave votes. Absolutely. Let's see what happens. This right here is nothing special. It's just a Raspberry Pi with a really terrible yet survivable antenna configuration that I did and just some custom code. This chip here is very expensive. It cost me a couple of bucks. But it's not plugged into anything. What this simulates is, I'm at my hotel room after I physically compromised you and I want to collect that data, or perhaps from around the world. Is that possible? Let's see. This monitor is me in the hotel or wherever I want to steal the data comfortably. That monitor is the device that's plugged into the switch that you can't see, because Prebellico is a ghost. Man, I sure hope this works. Right here, I'm stealing the data from your network 100% passively. Unfortunately, the VM is running GQRX. It's terrible. What you're going to see over 915 MHz, something you don't audit for or look for, is where I'm stealing the data. Thanks to the conditions of this chip, because I care, it's fully AES encrypted. But what I see here after physical compromise, I will see here remotely if it all works. So, let's just skip for a bit. I'll see what else I can do on a little load surface. I'll see if I need to use GQRX to keep up. I don't know what's happening. Is it transmitting anymore? Is it wrong? They've all said the same thing. They've all said the same thing. Okay. What do I want to do? I've got another node plugged in here. I'm going to do some SSH stuff. See if I can do a little bit more traffic.
What they're doing essentially is they're SSHing to each other, following their hostname, SCPing, doing a bunch of that cat stuff. This is a hack. This is the best way I can recreate an enterprise with Pine A64 boards, which is amazing, by the way. But let's see if I can nudge it a little further. Anything changing? Give me a minute. Let's try this. Unicast packets can't be captured on a switch anonymously or passively, they say. That's not going to a TCP port by simply logging in on a host on the network. My drop device, which, by the way, doesn't have an IP address, just saw a unicast packet. That's good to know. That's awesome. See what else we can do, though? I could actually log in and do something. So I can't see the monitor anymore, but it looks like I pulled an SNMPv1 community string remotely without leveraging your network. I'm stealing your data. I wish GQRX didn't fail me, but anyway, what you would see there is you'd see it go up and down and chirping. So I'm just going to let that run. Hopefully nothing else comes with it. But that right there is Prebellico Pi, at least the first part of it. So let's talk a little bit about some Prebellico Pi exfiltration topologies. We're going to extend it a little bit further, right? Because I don't want to sit in your parking lot all the time. So here we have your typical corporate environment, and good old Willie, malicious as hell, is going to show up and is going to drop a couple Pi transceivers or Pi collectors or whatever the hell I want to do. And he's going to possibly, depending on what I need to do from a threat narrative, go possibly add some additional things that I call snitches. And snitches are kind of a special-purpose device, a special-built device, and these things are designed to operate outside of your network but steal your data in all kinds of ways that you can't see. Your technical controls are dead to me.
So as demonstrated here, your corporate environment, mind you, it's just a couple feet, but you're talking miles. In some cases, I'm able to extract all kinds of useful data, maybe show up with a pretext, be able to work my way through it, maybe get a password. In some cases you can map out a potential 0-day inside and then just show up and root a host. But what if that's too far? Well, I can use a Pi transceiver. So for instance, let's say that the facility I'm attacking is like, you know, a million square feet and it's got concrete walls all through it, and trying to get that frequency all the way to my hotel is just rough. I might drop a Pi transceiver, which, as suggested to some of my peers, might look like a really disgusting rat trap outside your building with solar power. And I'm exfilling data out of your network. By leveraging the network against the network without the network, I'm stealing your information. Let's talk about air-gap topology. So this came as a really specific request, trying to figure out how to do that, and it turned out, it worked out just really well for me. So we've got air-gapped environments one and two. Oh, I labeled them right. That's good. I'm going to drop a couple Pi collectors or transceivers or whatever on there, and I'm going to be stealing your data from this air-gapped environment. But the beauty of this, since these things are kind of operating in a hive, mesh-like mind, by the way, if you find one of these, they're just copying data to each other, again without the network. I might deploy a couple of snitches depending on the scenario that I'm looking for. And again, I'm just going to collect that remotely off your site. Either nearby within a couple miles, or maybe I want to extend that range a couple miles, maybe 30 miles or whatever, but again comfortably in the comfort of my own home or hotel. Well, the beauty of this is what I'm doing is I'm actually leveraging a chipset called LoRaWAN.
So let's talk a little bit about LoRaWAN and why that's significant. So LoRaWAN basically is the Internet of Things. I forget the term that I coined a little bit ago, but I said that the Internet of Things would be leveraged by the adversary, and it is quite convenient. Turns out there's a community of these devices that are hard to come by, or not, that support all kinds of things like gas meters, parking meters, whatever else have you. As those things gather data, we want to be able to aggregate that data in some form, but how do you do that without the Internet? Well, thank you to the Internet of Things communities. Thanks to them, I'm able to actually leverage the same kind of thing. So let's take a look at what that looks like. So basically all these Internet of Things devices, or William's Pi device, can reach out to these gateways that are all over the world, which I'll show you in a second, and that can push that data all out to me. So in a city that you're probably living in, it kind of looks like this, with parking meters or gas meters or whatever all those Internet of Things devices are. And they're basically transmitting that data to a device that's connected to the Internet, which allows me to reach the application server, or William's attack server. So they're really hard to come by, very few of them in the world, and they're easily accessible. Fortunately, the interesting thing about Prebellico is that it's only going to transmit updated intelligence that it's found, so it's going to actually use very little data. And by default, it's encrypted, but the way I'm doing it, I have to do a little extra encryption myself. But basically the community will allow you to use these because everyone's excited about IoT, so everyone's setting these up in their house. And by the way, I can participate as well. Also, just a fun fact, it's fun to set up your own gateway and see the data that could potentially come through. It appears to be encrypted so far, but just wait.
Okay, so we talked about the Internet of Things and all these gateways that are all around us that we can use. There's over 8,000 that I saw the other night. So with that, if I don't want to sit in my hotel room, I can just go through the Internet of Things, leverage that, go over the Internet, and collect my data from wherever I'm at. Well, what kind of data? Are we just talking about network data? No, we've got to push that narrative forward, bro. Your technical controls won't save you. So everybody knows, or most people know, that USB wireless plus, or USB networking plus Linux and maybe something like Responder on maybe a USB Armory, equals credentials. If you don't know that, it's glorious. Unfortunately, you've got to go back and get that data. But if I add a really expensive $3 chipset to this and tell Pi about it, I get targeted off-site login credential exfiltration, covertly. So if you had an air-gapped workstation where maybe somebody is changing a highly sensitive file at 8am every day and it's fully air-gapped and they have all of these controls, if I can physically breach that perimeter, I might be able to drop this, and over the Internet of Things, I can get a hashed password and do what I need to do. Just to come up with a couple of other things here. I don't know if you guys know, but it's possible to potentially leverage a Raspberry Pi or Pi Zero in a way where you can man-in-the-middle HID devices and get a basic keylogger out of that. Again, add this very expensive chipset. I paid a premium of $10 for this because I didn't look for a good deal. And what you have is an off-site keyboard logging device for exfiltration that does not use your network for exfil. But it steals stuff from your network, and you won't see it because you're not auditing the wireless spectrum and you're not taking physical security very seriously. My win, your loss. I've got an idea. Everybody has call centers. Wait a minute.
Do we reset passwords over the phone in call centers or give away credit card numbers? What if we have a device that has voice-to-text capabilities and, on keywords, decides to chirp over the Internet of Things and tell me the things that I need to know? Either to back up my pretext or provide what I need to destroy you remotely. I've got an idea. I love bypassing badge readers. An ESP32, sorry, an ESPKey is a device that I absolutely love and adore, that I love putting behind your card readers. And I steal your credentials as you go by. You can be like three-factor security: biometrics, PIN code, card. And I can steal that because it's all Wiegand. But what if we took an ESPKey, instead of having to be in the parking lot interacting with its web server within close range with some antennas or whatever else have you, which is a little weird but highly effective, what if we just extract that data from across the world? Make myself my own little key. Maybe I can clone your cards from the other side of the United States when I'm working with one of my buddies on the other side. It saves me money and overhead. I don't have to fly people anywhere now. I can locally source them accordingly. He can drop the device. I sit in the comfort of my home, bring it up on my computer, and your card, your Wiegand card data, comes to me. And it's just beautiful, right? So that's what a snitch is. But really a snitch is just subject to creativity. There are so many applications that I can think of that I can apply this to. But every single one of these things is stealing data from your organization via exfiltration techniques that your security controls can no longer stop or control or see or whatever else have you.
Again, the reason why I'm bringing this to the community is I'm looking to extend the narrative, the attack narrative that we've seen in real life but we want to pretend like it doesn't exist, like Barclays, and kind of push things along so that we are auditing all of the things and that we're not drinking the Kool-Aid of our security vendors that are telling us that this technical control will save you. Because if William gets on your site, I will destroy you. And I will do it for your benefit. But I'm the good guy. All right, so that's enough of that. Let's just talk about Probellico Pi's future, right? First off, again, I made this thing as a proof of concept. Man, it is a hack. What I really need to do is rewrite this thing where there's a community-driven intelligence-gathering interface or kind of like a way where you can define intel that you want to extract and just upload that through pull requests and such. And where the Probellico engine will process those files accordingly and then people can contribute to maybe little regexes that are interesting with data. They may notice that it's building a network that's beneficial for us all. Also, one of the things I really want to start with is Probellico supporting full LoRaWAN. But that's just one of many instances that Pi could exfil from. I had a guy that said, I will stop you at 915 MHz. I was like, okay, well, I'll do 918 MHz or 450 MHz. You're not getting the concept here. You need to audit your wireless and understand what's chirping in your backyard. So what I want to do with that as well when I kind of define that center is be able to have a word from the community where people like you, which are smarter than me, can come up with something that's even better than LoRaWAN. Like here, here's a better idea to exfil data and we can provide a really easy interface to be able to define those things. But in the end, like I said, Probellico will assist red and blue teams.
I've spoken before about how Probellico will be a very useful tool for indicators of compromise on the blue side. Since you can't predict a Probellico instance, you can't see it because it doesn't transmit. It makes it really hard for guys like me that are helping on destroying you to leverage it accordingly. So like typically when I own an organization, maybe I can tell the scene to lie to you. That's useful. It's always fun to tell Windows hosts that it's Linux and watch it swear to you that it's Linux. I can do a lot of those things, but a Probellico instance, I can't do, I can't do that because I can't see it. And on the blue side with Probellico, given that there's no overhead, it's zero touch, you can have it kind of map out your environment and just let it sit. And if it notices something, something that's unusual, you may be able to leverage that as an IOC. So I think it'll be good for blue and red. Obviously this is more of a red update because that's what I do. I hack all the things. That's what we do at Coalfire Labs. We steal everything because we want to have a brighter, better future. Anyway, like I said, it'll assist those through attack, audit and defense. But one last thing, this tool will not replace traditional methods of reconnaissance or exploitation. Stop asking me to make this thing do your pen test. Your clients deserve better than that. Your employer deserves better than that. This is designed to challenge your assumptions about what you think you know about reconnaissance. And I hope today that I've challenged your perspective on the real world of the attacks that are out there. So look, in closing, like I said before, switches are snitches, don't forget that. The people who say that switches don't leak data, they just don't know what they're talking about. It's been very useful for a lot of people. Like I said, this is good for both offense and defense, for bringing that 100% zero-touch reconnaissance.
And like I said, I think it's time for the offensive security team, guys like me, to drive an era that forces the blue teams to consider validating physical security controls through actual physical attacks, not audit and check boxes and stuff, and auditing the wireless spectrum. I think that needs to be picked up again. Like I said, Probellico Pi permits this hardware-based out-of-band remote intelligence gathering and interaction, allowing attackers to provide demonstrative impact of physical security compromises with very little overhead. Like I said, the last thing, technical controls will not save you like your vendors are telling you. Physical security is important. And in closing, like I said, I'm not sorry, you're welcome. I do this for you guys, so. That's all I have for you. Are there any questions or concerns? Yes. Well, the beauty of this is that it's omnidirectional transmission. Unfortunately, William was kind enough to throw some AES wrappers in there. I am just a hacker. I'm not a programmer, but I do have AES encryption. I could kind of prove that with a Pi client if you want to see it. But what it does is it's omnidirectional spread spectrum. And what it is, what happened was a company got an FCC license and said, hey, we'd love to support the Internet of Things. And like all the Internet of Things guys got involved and said, I want to do that. I want to sell that and sublicense that license and such. And now we have chipsets as cheap as like 10 bucks. So it goes everywhere. Yeah, certainly. So the question was, is Probellico always transmitting that data? Or is it storing it to get it later? How am I not losing the data? So these are actually operating kind of like a hive mind. The database here has the same database there. The beauty of this is I don't have to plug this into anything. Like I can literally just power-pack it. You know, I can hide it behind the fridge or whatever. I can put 100 of these around in the environment.
When you start going around, it will be like whack-a-mole. But it won't matter because I've got this mesh-like infrastructure that's just pumping this data out. Drip-drop, drip-drop, drip-drop, drip-drop. And so that's how it's kind of dealing with the data loss. Back in the day when I had a device like that, if you were truly operating in a covert method with no transmission, in some red teams, like I said, I would drop this at a bank or whatever. Get a lot of intel out of it and they didn't know about it unless they were like [unintelligible]. That's the beauty of LoRaWAN, actually. So it means that I can let this run for a long time. Heck, I could penetrate your site physically and I could just let that sit for years if I wanted to until it came back one day and said, there's a test Windows XP host over there. And then I could show up on site and destroy you. So there's no more data loss if you actually go and start deploying these really expensive devices across the network. Does that answer your question? Awesome. The answer is no, because they're operating by themselves. There was a while back where I was going to try to go with this hub-and-spoke configuration. Who's going to be the master transmitter? And then it just hit me that everybody should be the master transmitter, right? I'm an equal opportunity guy. It's unfair for one of my Pis to be the master. So I just said, you know, we're all masters. So then we call, you can do whatever you want. In this case, I use kind of a collector and a reporter kind of model, but to be honest with you, they'll have transceivers.
So they can receive and transmit and repeat. And you know, everybody gets an equal shot at your data. Does that answer your question? Awesome. Are there any other questions? Yes, sir. Absolutely, the question was, which is an excellent question, what kinds of measures would I do to mitigate this risk? Well, most of us can't afford things like the federal government to try to wirelessly isolate a place. You know, so obviously that's expensive. I would say that we would start off with taking our physical security a little bit more seriously and the people that are working to implement that. Part of the problem with this right here is, this is hardware, so I have to breach you physically. I think that if we work to harden some of those controls, that would initially help out. Number two, it would help with port security to be enabled. If you truly shut off a port and you lock access to that, that is, because if you have port security enabled, I'm just going to try to break into your closet, but if you had port security enabled where I wasn't able to just sniff that data, that would kind of help. However, there's a problem. When you connect Probellico proper, not even this, to just wireless networks, as the DC541 group will attest, all kinds of data spills from there, even open networks. In fact, sometimes frames float from your secure side to your insecure side, which is weird. I demonstrated that and talked about that a little bit, or I had some proof of concepts of that last year where I had a frame that came from one side of the wireless zone and floated its way all the way up this switch stack that was completely unrelated to me.
I thought Probellico was lying, but what happened was it picked up a frame, a wireless frame from a Roku device, all the way through this switch infrastructure to a physical system with a VM, and it picked up, it mapped a TCP port, which meant that you have some sort of unicast traffic that's being transferred from a wireless network that's fully encrypted and passed all the way up the switch infrastructure to me where I'm not even part of the wireless network. So it's kind of a problem. I wish I had a better answer for that, but I really think that it would start to have effective port security. It's amazing how often I can find a place that's got open port security. I think you might have to really consider what true wireless isolation is with your open networks. I know it's cheap and you save a lot of bucks to share an open network SSID with an encrypted SSID or enterprise-based authentication and sharing that infrastructure. I know that that kind of makes sense. I know that your vendors will tell you that it doesn't spill data, but whatever, download Probellico and connect with some open networks and see what you see. Sometimes you're not going to see a whole lot, but sometimes it's surprising. Absolutely, so the question was, have I ever seen a secure environment where they've scanned for all open frequencies? Yes, I have. Those people are well funded by the sweat of our backs. Most people aren't going to be able to do that all of the time. I would argue doing it every once in a while might help you avoid a Barclays incident. And we're kind of talking internally about how we can help save some bucks on that because that's an expensive resource. But what we do right now is we say, we're not going to do that because we're just not going to do it. It's useless, it's pointless. Well, now I'm releasing something where you can do that, and I assure you I'm not the only guy doing this.
I guarantee you, I'm just providing you a proof of concept where assessing that spectrum is important. In fact though, I've found Fortune 50 companies that have really expensive WIPS infrastructure and they don't even leverage that to monitor just those standard frequencies because they've gotten lazy. And that may be because people aren't pushing that narrative. So I'm not saying that this is going to be cheap or easy, but what I am telling you is doing the standard check-the-box audit is going to put you at risk. And it happened with Barclays and it's happening probably to several organizations that we can think of right now. So, any other questions? Okay, well, like I said, I'm with Coalfire Labs. We hack all the things. I want to thank Coalfire for letting me come and give this talk. And I want to thank you for your time for allowing me to demonstrate this to you. Remember, switches are snitches. I'm going to do what I can to help the blue team out. I'm going to do what I can to help my brothers out on the red side, trying to push that narrative forward. If you guys have any other questions or concerns, you can reach out to me. DM me on Twitter, if I'm on Twitter, and I can give you a Signal and we can talk further if you want to. So, thank you.
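Two defensive points come up in the talk: port security on the wired side (the Q&A answer on mitigation) and treating an unexpected device showing up as an indicator of compromise (the blue-team remarks earlier). The block below ties those together as an added example; it is not part of the Probellico project or anything the speaker released. It parses switch syslog for port-security violations and ranks ports where the offending hardware address belongs to a watched OUI. The log lines are constructed for the example, their shape follows the Cisco IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` and `%PM-4-ERR_DISABLE` messages, and the OUI watch-list (here only the Raspberry Pi Foundation prefix b8:27:eb) is an assumption you would widen for your own estate.

```python
"""Triage port-security violations from switch syslog and flag ports where the
offending MAC carries a watched hardware prefix. Added defensive example; the
sample log lines are constructed, not captured from any real network."""
import re
from collections import defaultdict

# Constructed sample syslog in the shape Cisco IOS uses for these events.
SAMPLE_SYSLOG = """\
Jun 12 08:01:03 sw-floor2 41: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
Jun 12 08:01:05 sw-floor2 42: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address b827.eb12.3456 on port GigabitEthernet1/0/7.
Jun 12 08:01:05 sw-floor2 43: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Jun 12 09:15:40 sw-floor2 44: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.5601.aabb on port GigabitEthernet1/0/12.
Jun 12 09:16:01 sw-floor2 45: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
"""

# Matches the violation message and captures the Cisco-formatted MAC and port.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$",
    re.IGNORECASE,
)

# Assumed watch-list of OUIs for small single-board computers that tend to turn
# up as drop devices. b8:27:eb is the Raspberry Pi Foundation prefix. Tune it.
WATCHED_OUIS = {"b827eb": "Raspberry Pi Foundation"}


def normalise_mac(cisco_mac):
    """Turn 'b827.eb12.3456' into 'b8:27:eb:12:34:56'."""
    hexdigits = cisco_mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_violations(syslog_text):
    """Return one record per PSECURE_VIOLATION line: port, MAC and OUI label."""
    records = []
    for line in syslog_text.splitlines():
        match = VIOLATION_RE.search(line)
        if not match:
            continue
        mac = normalise_mac(match.group("mac"))
        oui = mac.replace(":", "")[:6]
        records.append({
            "port": match.group("port"),
            "mac": mac,
            "vendor": WATCHED_OUIS.get(oui),  # None when the OUI is not watched
        })
    return records


def triage(records):
    """Group violations by port; watched-OUI hits rank high, the rest medium."""
    by_port = defaultdict(list)
    for rec in records:
        by_port[rec["port"]].append(rec)
    alerts = []
    for port, hits in by_port.items():
        watched = [h for h in hits if h["vendor"]]
        alerts.append({
            "port": port,
            "count": len(hits),
            "severity": "high" if watched else "medium",
            "macs": sorted({h["mac"] for h in hits}),
        })
    # High severity first, then by port name for a stable listing.
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["port"]))


if __name__ == "__main__":
    for alert in triage(parse_violations(SAMPLE_SYSLOG)):
        print(alert)
```

Feed it the syslog stream from switches that already have port security enabled; a port that trips with a watched prefix is worth a physical walk to the closet rather than a reflexive `shutdown`/`no shutdown`, since the device that caused it may still be sitting behind a desk.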