WEBVTT

00:00:01.170 --> 00:00:04.240
JACK: Hey, my name’s Jack, the host of the show.

00:00:04.240 --> 00:00:07.820
Before making this podcast my job was looking at my clients’ networks to try to find ways

00:00:07.820 --> 00:00:09.260
to make them more secure.

00:00:09.260 --> 00:00:14.100
In other words I was on defense locking things down, hardening systems, securing applications,

00:00:14.100 --> 00:00:17.279
and trying to turn off everything that didn’t need to be on.

00:00:17.279 --> 00:00:20.700
The defense team is sometimes known as the Blue Team.

00:00:20.700 --> 00:00:22.640
I’m on the Blue Team.

00:00:22.640 --> 00:00:28.310
But one day we paid an attacker to come into our office and see how well I did at securing

00:00:28.310 --> 00:00:29.310
the network.

00:00:29.310 --> 00:00:34.510
He was a professional penetration tester and I made him sit right next to me.

00:00:34.510 --> 00:00:38.219
Attackers like this are said to be on the Red Team and this whole Red Team/Blue Team

00:00:38.219 --> 00:00:43.659
thing is just a term borrowed from the military where they had drills with attackers and defenders.

00:00:43.659 --> 00:00:48.760
Here I am, the Blue Team, and there he was in the desk right next to me, the Red Team.

00:00:48.760 --> 00:00:51.620
The adversary, the enemy, a hacker.

00:00:51.620 --> 00:00:52.819
What do I do?

00:00:52.819 --> 00:00:55.120
Do I sabotage him so he can’t do his job?

00:00:55.120 --> 00:00:57.609
Do I block his IP from getting anywhere?

00:00:57.609 --> 00:01:02.499
It wasn’t that I didn’t trust him ‘cause he came from a very trusted company but it

00:01:02.499 --> 00:01:06.619
was that I was extremely curious at how he works.

00:01:06.619 --> 00:01:10.670
I wheeled my chair right over to his desk and I watched over his shoulder for the whole

00:01:10.670 --> 00:01:11.990
week.

00:01:11.990 --> 00:01:14.030
I was amazed at what he can do.

00:01:14.030 --> 00:01:19.630
I learned so much that it forever made a permanent impact on the way I see how attackers work.

00:01:19.630 --> 00:01:23.939
I want to give you that experience so in this episode we’re going to get geeky.

00:01:23.939 --> 00:01:29.109
We’re going to get really nerdy and crazy technical at times as we watch over the shoulder

00:01:29.109 --> 00:01:34.100
of a penetration tester to see exactly how they do their work and how they try to get

00:01:34.100 --> 00:01:36.420
the crown jewels of a company.

00:01:36.420 --> 00:01:46.090
PROX (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:46.090 --> 00:01:50.060
Presented by Jack Rhysider, this is Darknet Diaries.

00:01:50.060 --> 00:01:51.060
[INTRO MUSIC ENDS]

00:01:51.060 --> 00:02:06.249
JACK: The

00:02:06.249 --> 00:02:09.360
penetration tester we’re going to watch over the shoulder of goes by the name Tinker.

00:02:09.360 --> 00:02:14.010
He has a background in the US Marines and has been doing penetration testing for a long

00:02:14.010 --> 00:02:15.530
time, years.

00:02:15.530 --> 00:02:19.680
When you do penetration testing for that long you end up knowing a lot about computers,

00:02:19.680 --> 00:02:24.590
like far, far, far more than the average person and even more than the average IT person.

00:02:24.590 --> 00:02:30.220
Tinker really is top-notch at knowing how computers work in general so I called him

00:02:30.220 --> 00:02:31.220
up.

00:02:31.220 --> 00:02:32.870
[SKYPE CALLING] Hello?

00:02:32.870 --> 00:02:35.220
Tinker, you there? Hello?

00:02:35.220 --> 00:02:40.050
TINKER: The cable just wasn’t pushed in all the way, that’s alright.

00:02:40.050 --> 00:02:44.459
It’s the nature of all – most issues are cable-related.

00:02:44.459 --> 00:02:48.730
JACK: Okay, sounds like we’re gonna be in for a ride here.

00:02:48.730 --> 00:02:52.490
So let’s start out with just tell us your name and what do you do.

00:02:52.490 --> 00:02:53.490
TINKER: Sure.

00:02:53.490 --> 00:02:54.560
My name is Tinker Secor.

00:02:54.560 --> 00:03:00.939
I am a penetration tester or Red Teamer, depending on the nature of the engagement.

00:03:00.939 --> 00:03:07.230
But generally speaking I hack into computers and I break into buildings in order to test

00:03:07.230 --> 00:03:08.230
my client’s security.

00:03:08.230 --> 00:03:12.239
JACK: He’s a typical penetration tester and it’s amazing to me that this job even

00:03:12.239 --> 00:03:13.239
exists.

00:03:13.239 --> 00:03:14.730
There are a lot of people who do this as a career.

00:03:14.730 --> 00:03:18.629
I mean imagine if a brick-and-mortar-type store tested their security like this too.

00:03:18.629 --> 00:03:23.290
You’d have paid shoplifters trying to test how good the LP is.

00:03:23.290 --> 00:03:26.269
LP is loss prevention for those non-criminals out there.

00:03:26.269 --> 00:03:31.140
You’d pay cat burglars to try to steal paintings from museums and you’d have reformed street

00:03:31.140 --> 00:03:34.170
gangsters trying to quietly rob a casino.

00:03:34.170 --> 00:03:38.670
Maybe some of these jobs exist but in the online world it’s actually very common.

00:03:38.670 --> 00:03:42.760
Like, I’m pretty sure that if you want to process credit cards at all, you need an audit

00:03:42.760 --> 00:03:47.450
done on your network which usually requires a penetration tester to come act like a criminal

00:03:47.450 --> 00:03:49.980
to see if they can hack into your credit card machines.

00:03:49.980 --> 00:03:53.950
Anyway, Tinker’s been doing this for a long time and he’s really successful at getting

00:03:53.950 --> 00:03:54.950
into networks.

00:03:54.950 --> 00:03:57.219
Today, we’re gonna follow along with him on his assignment.

00:03:57.219 --> 00:04:04.049
TINKER: It was a large national client within the United States but it kind of stretched

00:04:04.049 --> 00:04:08.520
within North America and a bit in some other continents.

00:04:08.520 --> 00:04:12.260
JACK: Often what a penetration tester will do is try to find a way into the network from

00:04:12.260 --> 00:04:17.290
the internet, the outside, basically posing as just a rogue hacker online who’s trying

00:04:17.290 --> 00:04:21.810
to find something open or a website that’s like, exposing data.

00:04:21.810 --> 00:04:25.180
Tinker had already done some of that for this client and they were happy with the results

00:04:25.180 --> 00:04:27.110
and they wanted to take this to the next level.

00:04:27.110 --> 00:04:34.290
TINKER: They said look, we want to assume that a threat actor has breached the perimeter.

00:04:34.290 --> 00:04:39.500
We want to assume a threat actor has either broken into the facilities, implanted a rogue

00:04:39.500 --> 00:04:42.830
device, or maybe an insider threat kind of thing.

00:04:42.830 --> 00:04:44.830
Generally speaking, this test would cover all of it.

00:04:44.830 --> 00:04:49.400
JACK: There’s a term in information security called Defense in Depth and this Chief Information

00:04:49.400 --> 00:04:53.810
Security Officer, their CISO, felt like their Defense in Depth was so good that they wanted

00:04:53.810 --> 00:04:55.600
to put it to the test.

00:04:55.600 --> 00:04:59.430
Basically this concept means you create many layers of security which makes it redundant,

00:04:59.430 --> 00:05:00.430
even.

00:05:00.430 --> 00:05:01.890
TINKER: I started inside.

00:05:01.890 --> 00:05:05.950
[MUSIC] That’s what we call an internal pen test.

00:05:05.950 --> 00:05:13.310
The idea is okay, if you plan to fail and fail gracefully you want to see okay, what

00:05:13.310 --> 00:05:14.460
happens once somebody gets in?

00:05:14.460 --> 00:05:18.470
A lot of people say it’s game-over but there are so many different ways to breach.

00:05:18.470 --> 00:05:22.200
JACK: Again, I want to give a warning here that we’re going to get nerdy and technical

00:05:22.200 --> 00:05:26.720
in this episode because this story he has paints a perfect picture of what a penetration

00:05:26.720 --> 00:05:27.750
tester does.

00:05:27.750 --> 00:05:31.350
I want to get technical because I think it will be a fun opportunity to see exactly how

00:05:31.350 --> 00:05:32.350
all this works.

00:05:32.350 --> 00:05:34.990
Oh and there’s also a few cuss words in this one, too.

00:05:34.990 --> 00:05:40.150
So this company wants Tinker to do a security assessment from the inside of the company.

00:05:40.150 --> 00:05:43.930
To do that they need to set him up with a temporary job in Marketing.

00:05:43.930 --> 00:05:48.130
TINKER: They set me up basically to do content.

00:05:48.130 --> 00:05:51.440
I went in within the Marketing Department.

00:05:51.440 --> 00:05:55.790
I assumed the name Jeremy and I was Jeremy from Marketing.

00:05:55.790 --> 00:05:58.120
JACK: You get it, right?

00:05:58.120 --> 00:06:03.280
This Jeremy from Marketing is actually a very good hacker and his goal is to see how much

00:06:03.280 --> 00:06:07.550
he can hack into in his first week on the job in the marketing department.

00:06:07.550 --> 00:06:12.330
The IT team and security team and even the marketing team have absolutely no idea that

00:06:12.330 --> 00:06:17.470
this new guy, Jeremy from Marketing, is an extremely trained hacker who’s highly motivated

00:06:17.470 --> 00:06:20.050
to just hack into the network and get everything.

00:06:20.050 --> 00:06:25.010
This isn’t a far-fetched scenario; sometimes you have temps or interns or new hires that

00:06:25.010 --> 00:06:29.470
get turned into spies to work for another government to see what’s in that network

00:06:29.470 --> 00:06:33.380
while they’re working there and can you really trust Jeremy from Marketing?

00:06:33.380 --> 00:06:37.930
Yeah, suppose he did all the interviews but still, I mean he really just did walk right

00:06:37.930 --> 00:06:40.020
off the street and sit down in your office.

00:06:40.020 --> 00:06:44.540
Are you gonna give him all the passwords to file servers and logins and to the company’s

00:06:44.540 --> 00:06:45.990
Facebook account?

00:06:45.990 --> 00:06:50.580
Ideally your hiring process should vet him but it’s really hard to know if that person

00:06:50.580 --> 00:06:51.580
is actually trustworthy.

00:06:51.580 --> 00:06:55.520
TINKER: There’s really only two people in the entire company who knew who I was and

00:06:55.520 --> 00:06:57.620
that was the CISO and one of his assistants.

00:06:57.620 --> 00:07:02.910
JACK: The CISO is the Chief Information Security Officer and he reports directly to the CEO.

00:07:02.910 --> 00:07:07.060
He basically got everything sorted out with HR to hire this Jeremy from Marketing.

00:07:07.060 --> 00:07:10.210
TINKER: They said look, I can bring in anything I wanted.

00:07:10.210 --> 00:07:15.510
I could bring in all my hacking gear if I wanted to but I needed to make sure that I

00:07:15.510 --> 00:07:16.510
didn’t get caught.

00:07:16.510 --> 00:07:18.660
JACK: Without being caught is the tricky part.

00:07:18.660 --> 00:07:23.240
If he had a bunch of antennas sticking out of his desk or even extra laptops all around,

00:07:23.240 --> 00:07:25.530
it would surely look suspicious.

00:07:25.530 --> 00:07:28.130
Alright, so he’s all set for his new job.

00:07:28.130 --> 00:07:30.340
It’s Monday morning and he’s off to work.

00:07:30.340 --> 00:07:34.460
On the drive into the office he starts to go over his methodology and plan of attack.

00:07:34.460 --> 00:07:38.910
TINKER: Get in and do password reconnaissance, active reconnaissance, vulnerability, and

00:07:38.910 --> 00:07:45.180
misconfigurations, enumeration, initial breach, lateral movement, pivot, escalation

00:07:45.180 --> 00:07:50.620
of privileges, actions on target, exfiltration, and persistence may be in there if you need

00:07:50.620 --> 00:07:51.620
to, right.

00:07:51.620 --> 00:07:52.810
That’s kind of the standard approach.

00:07:52.810 --> 00:07:54.750
JACK: That’s his plan of attack.

00:07:54.750 --> 00:07:57.120
[MUSIC] He drives into the office, parks the car.

00:07:57.120 --> 00:08:00.250
It’s a typical-looking office building; multiple floors.

00:08:00.250 --> 00:08:01.870
His office is just one of the floors.

00:08:01.870 --> 00:08:05.160
TINKER: I showed up dressed in a button-up with a tie.

00:08:05.160 --> 00:08:08.350
JACK: Shows his badge to get in and asks where the Marketing Department is.

00:08:08.350 --> 00:08:10.160
They introduce him to his new team.

00:08:10.160 --> 00:08:12.440
TINKER: They said look, here’s your cubicle, here’s your team.

00:08:12.440 --> 00:08:15.360
The team was told that I was a contractor.

00:08:15.360 --> 00:08:21.750
This company used a decent amount of contractors so my being there, my role was fairly normal.

00:08:21.750 --> 00:08:26.150
I think there might have been another person who’d started a week earlier as an actual

00:08:26.150 --> 00:08:27.940
content creator within Marketing.

00:08:27.940 --> 00:08:30.180
JACK: He takes a look at the computer that was given to him.

00:08:30.180 --> 00:08:34.240
TINKER: I came in as an employee, as a contractor, but it was the same thing.

00:08:34.240 --> 00:08:40.409
They gave me a laptop that had a very standard – their standard workstation image,

00:08:40.409 --> 00:08:42.409
right. I could use that.

00:08:42.409 --> 00:08:46.209
It was fairly locked down and they did that on purpose ‘cause they wanted to say hey,

00:08:46.209 --> 00:08:50.160
what’s available to someone else or what happens if one of their employees clicks on

00:08:50.160 --> 00:08:53.410
a phish and they have that user-level starting point?

00:08:53.410 --> 00:08:54.410
They gave me that.

00:08:54.410 --> 00:08:55.790
JACK: That’s another good point.

00:08:55.790 --> 00:09:00.400
When a phish or phishing e-mail is successful, often the hacker will then have access to

00:09:00.400 --> 00:09:03.290
that person’s computer who opened the phishing e-mail.

00:09:03.290 --> 00:09:07.640
If somebody in marketing did get phished, this is a great scenario to test whether or

00:09:07.640 --> 00:09:09.730
not they could get further into the network.

00:09:09.730 --> 00:09:11.160
I think it’s a good idea to test this.

00:09:11.160 --> 00:09:17.601
TINKER: The very first day I came in with just the laptop that they gave me and maybe

00:09:17.601 --> 00:09:22.899
a Kali image burnt on a USB that I could maybe mount.

00:09:22.899 --> 00:09:29.899
I had in my backpack my own hack box, just a little Dell laptop loaded with Ubuntu as

00:09:29.899 --> 00:09:33.660
a base image with some Kali VMs, etc.

00:09:33.660 --> 00:09:35.230
That’s kind of the rogue device.

00:09:35.230 --> 00:09:39.410
I had a standard set of equipment starting off.

00:09:39.410 --> 00:09:45.040
Not a lot was expected of me within the first couple weeks is what my team told me but it

00:09:45.040 --> 00:09:49.199
was very much watch the security videos, I’m not supposed to click on a phish, that sort

00:09:49.199 --> 00:09:50.199
of thing.

00:09:50.199 --> 00:09:54.779
There was a couple things that they wanted me to start working on like an internal SharePoint.

00:09:54.779 --> 00:09:56.509
Again, nothing major.

00:09:56.509 --> 00:10:01.019
The culture was hey, we’ll get you spun up over the next two weeks and starting on

00:10:01.019 --> 00:10:05.300
week three and four you’ll start shadowing people and getting into it.

00:10:05.300 --> 00:10:08.949
JACK: This gave him a lot of time to himself to see what was in the network.

00:10:08.949 --> 00:10:13.879
TINKER: [MUSIC] The very, very first thing I did was plugged in their standard laptop

00:10:13.879 --> 00:10:15.279
and just get a feel for it.

00:10:15.279 --> 00:10:18.910
I wanted to know what’s the username schema.

00:10:18.910 --> 00:10:21.750
Is it first initial, last name?

00:10:21.750 --> 00:10:22.970
Does it match the e-mail?

00:10:22.970 --> 00:10:24.270
It doesn’t always match the e-mail.

00:10:24.270 --> 00:10:28.780
JACK: One thing that companies do is give certain IT admins a second username, something

00:10:28.780 --> 00:10:32.019
like -adm at the end or -admin.

00:10:32.019 --> 00:10:36.680
A username like this gives you a clue that that person probably has extra access than

00:10:36.680 --> 00:10:37.680
others.

00:10:37.680 --> 00:10:43.089
TINKER: The very first thing I can do is run – pull up command.exe on the workstation.

00:10:43.089 --> 00:10:45.130
I’m using their tools.

00:10:45.130 --> 00:10:46.680
I’m not using any malware.

00:10:46.680 --> 00:10:52.870
Just type in net users /domain and it will dump out the entire list of all users within

00:10:52.870 --> 00:10:54.129
that domain.

00:10:54.129 --> 00:10:58.779
I can do net group "domain admins" /domain, and dump all the domain admins.

00:10:58.779 --> 00:11:04.920
I can do net group "domain controllers" /domain and dump out the host names of all the domain

00:11:04.920 --> 00:11:05.920
controllers.

00:11:05.920 --> 00:11:10.100
JACK: These commands spit out a ton of data, giving a list of all usernames, all admins,

00:11:10.100 --> 00:11:14.750
all domains, and he’s compiling this data to have it handy later in case he needs it.

00:11:14.750 --> 00:11:16.620
These commands he’s typing aren’t even hacker tools.

00:11:16.620 --> 00:11:20.970
They’re just standard Windows commands there to help IT administrators do their job.

00:11:20.970 --> 00:11:22.770
This is all part of the reconnaissance phase.

00:11:22.770 --> 00:11:26.829
TINKER: Me running these commands as a user against the domain controller, that’s how

00:11:26.829 --> 00:11:30.560
a lot of default Active Directory environments are set up.

00:11:30.560 --> 00:11:35.060
I did this raw just so I could have it offline at night.

00:11:35.060 --> 00:11:40.019
JACK: Active Directory is the mechanism that Windows computers authenticate to each other.

00:11:40.019 --> 00:11:42.680
Hackers love attacking this because it has so much data.

00:11:42.680 --> 00:11:46.600
It has information on all the users and all the passwords and it has tons of stuff that

00:11:46.600 --> 00:11:51.019
a hacker can use to escalate their privileges or move on to other systems.

00:11:51.019 --> 00:11:52.879
It’s a great place to start looking.

00:11:52.879 --> 00:11:56.100
There’s a lot of standard things to look for which are like low-hanging fruit; known

00:11:56.100 --> 00:11:59.740
vulnerabilities, best practices that the IT team didn’t follow.

00:11:59.740 --> 00:12:03.960
One such bad practice is to set the admin password for Jeremy’s laptop through a group

00:12:03.960 --> 00:12:08.350
policy because this means that the hashed password would be in the group policy and

00:12:08.350 --> 00:12:12.240
since Jeremy can see the policy he could grab that hash and try to crack it.

00:12:12.240 --> 00:12:15.089
TINKER: This place didn’t have that so I tried a lot of the very standard things.

00:12:15.089 --> 00:12:21.180
Went through and checked some shares just using my own credentials, using guest credentials,

00:12:21.180 --> 00:12:25.120
no credentials, and did a lot of that stuff, just basic enumeration.

00:12:25.120 --> 00:12:30.259
[MUSIC] Got a feel for internal SharePoint, internal intranet, that sort of thing.

00:12:30.259 --> 00:12:31.819
What is available to the user?

00:12:31.819 --> 00:12:35.670
JACK: During this time he’s also learning what kind of tools this company may be running

00:12:35.670 --> 00:12:36.670
internally.

00:12:36.670 --> 00:12:40.660
This is helpful because if you know for instance, that they’re running SAP then you can start

00:12:40.660 --> 00:12:42.290
looking up vulnerabilities in SAP.

00:12:42.290 --> 00:12:44.790
He started building a map of the network.

00:12:44.790 --> 00:12:49.459
TINKER: The very first day I’m just – the idea is just sit very still, find out what’s

00:12:49.459 --> 00:12:50.819
going on in the environment.

00:12:50.819 --> 00:12:52.709
I kind of learned what’s going around.

00:12:52.709 --> 00:12:56.589
JACK: Something a good penetration tester will do is try to be quiet as they can and

00:12:56.589 --> 00:13:00.749
not do anything to raise suspicion just so that they aren’t detected early and they

00:13:00.749 --> 00:13:02.230
know what normal looks like.

00:13:02.230 --> 00:13:06.249
He was careful at what commands he was typing into the computer so that he wouldn’t raise

00:13:06.249 --> 00:13:07.249
any sort of alarms.

00:13:07.249 --> 00:13:10.879
TINKER: The workstation had a bit of antivirus and Endpoint protection.

00:13:10.879 --> 00:13:15.709
It wasn’t as robust as it could have been but it was definitely there.

00:13:15.709 --> 00:13:20.389
Endpoint protection is one of two things or both; it either prevents what it deems as

00:13:20.389 --> 00:13:22.910
malicious software but it can also do a lot of logging.

00:13:22.910 --> 00:13:26.399
JACK: Next he took a look at what tasks and services were running on his laptop.

00:13:26.399 --> 00:13:29.499
TINKER: Just doing CTRL + ALT + DEL and looking at Task Manager.

00:13:29.499 --> 00:13:33.550
Noticed a specific software solution that did a lot of heavy logging.

00:13:33.550 --> 00:13:37.790
JACK: This means the computer he was on was sending all kinds of messages to

00:13:37.790 --> 00:13:41.600
the log-collector telling it what was going on on that system.

00:13:41.600 --> 00:13:46.199
If he was doing bad things on that computer, chances are that was going to be logged and

00:13:46.199 --> 00:13:48.350
someone else could see that and catch him.

00:13:48.350 --> 00:13:52.240
He didn’t want to raise any suspicions so he stopped pulling data from Active Directory

00:13:52.240 --> 00:13:54.380
thinking someone might catch him doing it.

00:13:54.380 --> 00:13:57.829
Another thing he liked to do on his first day is be very visible around the office.

00:13:57.829 --> 00:14:01.540
He wanted people to know he belonged there and he was part of the Marketing team.

00:14:01.540 --> 00:14:06.809
He’d take walks around frequently, get some water, go to the bathroom, chat with people.

00:14:06.809 --> 00:14:11.399
This also let him look around the office a little and scope the place out, see what normal

00:14:11.399 --> 00:14:13.060
office behavior looks like.

00:14:13.060 --> 00:14:17.009
He comes back to his desk and sits down and starts to pull out his rogue laptop which

00:14:17.009 --> 00:14:19.930
is full of all kinds of hacker tools.

00:14:19.930 --> 00:14:22.790
After the break we’ll see what kind of fun he can have with this, what kind of trouble

00:14:22.790 --> 00:14:25.180
he can get into.

00:14:25.180 --> 00:14:28.019
Jeremy from Marketing pulls out a rogue laptop and boots it up.

00:14:28.019 --> 00:14:33.589
TINKER: When I did plug in my actual laptop, my hack laptop, the first thing I did is run

00:14:33.589 --> 00:14:34.589
Wireshark.

00:14:34.589 --> 00:14:37.910
JACK: [MUSIC] Wireshark captures all packets coming to that computer.

00:14:37.910 --> 00:14:41.459
It’s sort of like sitting on the front porch of your house and watching all the traffic

00:14:41.459 --> 00:14:42.559
going up and down the street.

00:14:42.559 --> 00:14:45.889
But you really only get to see what’s on your street, not the whole neighborhood.

00:14:45.889 --> 00:14:49.300
In fact you really only get to see what’s coming in and out of your own driveway.

00:14:49.300 --> 00:14:52.760
But still, it gives you a good sense of what kind of traffic is going around.

00:14:52.760 --> 00:14:57.840
TINKER: I spun up Wireshark and started trapping a lot of – sniffing a lot of the packets.

00:14:57.840 --> 00:14:58.840
JACK: Primarily he was looking for…

00:14:58.840 --> 00:15:02.430
TINKER: What sort of hardware is on the system; laptop-wise or even server-wise.

00:15:02.430 --> 00:15:04.170
What’s the host’s name schema?

00:15:04.170 --> 00:15:08.819
JACK: Because while Wireshark generally only picks up traffic to that computer, it also

00:15:08.819 --> 00:15:11.649
picks up broadcast traffic, too.

00:15:11.649 --> 00:15:16.149
These are packets that are intended for everyone on that subnet and computers make a lot of

00:15:16.149 --> 00:15:17.670
broadcast traffic.

00:15:17.670 --> 00:15:22.369
By capturing these MAC addresses it will also tell you what kind of systems are on the network

00:15:22.369 --> 00:15:27.449
because a MAC address contains information on what manufacturer made that device.

00:15:27.449 --> 00:15:30.319
Again, knowing this lets him blend in better.

00:15:30.319 --> 00:15:33.369
Now he’s starting to know what kind of exploits he might be able to use.

00:15:33.369 --> 00:15:36.730
TINKER: Again, the very first day, especially right at the beginning, all I’m really trying

00:15:36.730 --> 00:15:42.839
to do is just sit very, very still and listen to what’s going on around me, get a feel

00:15:42.839 --> 00:15:43.839
for the environment.

00:15:43.839 --> 00:15:48.100
JACK: This reminds me of the quote from the spiritual teacher Ram Dass which goes like

00:15:48.100 --> 00:15:51.749
this, “The quieter you become the more you can hear.”

00:15:51.749 --> 00:15:55.740
TINKER: One thing struck me is that they didn’t have a very good NAC solution.

00:15:55.740 --> 00:16:01.319
JACK: NAC is Network Access Control and it’s a technology that gives each individual computer

00:16:01.319 --> 00:16:02.769
network access.

00:16:02.769 --> 00:16:06.850
With proper NAC, only computers that the company has authorized are allowed on the network

00:16:06.850 --> 00:16:08.970
and everything else gets no access at all.

00:16:08.970 --> 00:16:13.509
TINKER: It’s to prevent this very specific type of attack where you plug in rogue devices.

00:16:13.509 --> 00:16:16.870
You should only plug in devices that you know are yours.

00:16:16.870 --> 00:16:22.370
The problem is having to manage all those assets especially when you come from an open

00:16:22.370 --> 00:16:26.230
environment where bring your own device and that kind of thing can get into the internal

00:16:26.230 --> 00:16:27.230
network.

00:16:27.230 --> 00:16:31.199
Implementing a NAC solution is a simple concept but it’s very, very difficult and typically

00:16:31.199 --> 00:16:33.459
takes several months to roll out.

00:16:33.459 --> 00:16:39.440
They did not have network access control so I could plug in my rogue device.

00:16:39.440 --> 00:16:44.009
But as soon as I got done with the passive sniffing, I want to know what MAC addresses

00:16:44.009 --> 00:16:48.839
are associated with servers, with laptops, and whatever else I could find.

00:16:48.839 --> 00:16:50.520
There was sometimes even phones, right.

00:16:50.520 --> 00:16:52.480
What were the host names for each?

00:16:52.480 --> 00:16:59.970
I changed my host name to match their schema and I changed the first three octets of my

00:16:59.970 --> 00:17:06.900
MAC address to match their hardware, then I randomized the last three.

00:17:06.900 --> 00:17:08.970
I did do that in order to blend in.

00:17:08.970 --> 00:17:12.520
JACK: He’s like Rambo now, painting himself with mud to avoid being detected.

00:17:12.520 --> 00:17:17.070
TINKER: The long and short is I tried a couple different things and ended up in a position

00:17:17.070 --> 00:17:22.050
where I was confident that I could start doing more active reconnaissance without being found

00:17:22.050 --> 00:17:23.050
out.

00:17:23.050 --> 00:17:24.140
JACK: Day one is over.

00:17:24.140 --> 00:17:27.860
Jeremy from Marketing quietly loads up his laptops and heads home for the day.

00:17:27.860 --> 00:17:29.210
He’s feeling confident at this point.

00:17:29.210 --> 00:17:33.430
He’s collected a lot of data and starts to get the feel for the environment and starting

00:17:33.430 --> 00:17:35.450
to think about what kind of attacks he can use.

00:17:35.450 --> 00:17:38.200
The next day he comes in, fires up Responder.

00:17:38.200 --> 00:17:41.840
[MUSIC] In my opinion Responder is an amazing tool.

00:17:41.840 --> 00:17:43.820
It’s like cheating almost for hackers.

00:17:43.820 --> 00:17:45.910
Here’s how I think it works.

00:17:45.910 --> 00:17:50.210
Okay, so if you have an office job and you use a computer, do you have shared drives

00:17:50.210 --> 00:17:51.550
on that computer?

00:17:51.550 --> 00:17:56.200
If you’re on a Windows machine you might have the M: drive or the I: drive or the Z:

00:17:56.200 --> 00:17:57.200
drive.

00:17:57.200 --> 00:18:00.860
This is some shared network folder that other people in the office can access, too.

00:18:00.860 --> 00:18:05.730
Okay, so suppose your Windows computer needs to connect to this shared network drive.

00:18:05.730 --> 00:18:08.220
There’s a number of things it has to do.

00:18:08.220 --> 00:18:09.960
Usually the shared drive is like a host name.

00:18:09.960 --> 00:18:13.370
It’s not always an IP address so the first thing your computer needs to do to connect

00:18:13.370 --> 00:18:15.830
to that drive is to resolve the host name.

00:18:15.830 --> 00:18:17.530
That’s what DNS is for.

00:18:17.530 --> 00:18:20.320
Now, there’s a DNS order of operation here.

00:18:20.320 --> 00:18:25.120
Your computer will first check the internal host file to see if it has a hard-coded IP

00:18:25.120 --> 00:18:26.650
address for that server.

00:18:26.650 --> 00:18:31.730
If not it’ll then go to the DNS server to see if it knows what the IP address is.

00:18:31.730 --> 00:18:35.780
Normally the DNS server knows the IP but sometimes it fails.

00:18:35.780 --> 00:18:39.020
It fails because maybe you’re on the wrong network, you’re not VPN’d

00:18:39.020 --> 00:18:42.360
in, the shared server might be offline.

00:18:42.360 --> 00:18:46.940
If you ask the DNS servers what’s the IP address for this host name and the DNS server

00:18:46.940 --> 00:18:51.250
doesn’t know, then what does your computer do next?

00:18:51.250 --> 00:18:57.860
It asks everyone on the subnet hey; does anyone here know what IP address is for this shared

00:18:57.860 --> 00:18:58.860
drive?

00:18:58.860 --> 00:19:00.340
That’s when Responder kicks in.

00:19:00.340 --> 00:19:07.490
Responder is a lying, cheating, sneaky, ugly-looking guy who says yeah, I know exactly what IP

00:19:07.490 --> 00:19:08.820
address is for that server.

00:19:08.820 --> 00:19:11.370
Your computer says oh great, what is it?

00:19:11.370 --> 00:19:15.350
Responder says it’s me, I’m that shared drive even though it’s not.

00:19:15.350 --> 00:19:16.770
Your computer says oh, okay.

00:19:16.770 --> 00:19:18.200
Great, let me in then.

00:19:18.200 --> 00:19:23.440
The Responder says okay sure, no problem but first I want to make sure you’re allowed

00:19:23.440 --> 00:19:25.590
so tell me your password.

00:19:25.590 --> 00:19:28.400
Your computer then gives Responder the password.

00:19:28.400 --> 00:19:31.390
TINKER: You’re not gonna send your raw password in the clear.

00:19:31.390 --> 00:19:34.570
You’re going to send your authentication hash.

00:19:34.570 --> 00:19:40.090
This is typically sent as Net-NTLMv2 or v1, and that’s a salted hash.

00:19:40.090 --> 00:19:43.130
JACK: Do you see what happened here?

00:19:43.130 --> 00:19:46.940
Responder is a hacker tool that just lies and tricks a computer on the local subnet

00:19:46.940 --> 00:19:50.320
into giving computers the hashed password to that computer.

00:19:50.320 --> 00:19:54.270
It’s unbelievably good at this too, and it’s almost impossible to detect since you

00:19:54.270 --> 00:19:57.220
have to have sensors on that local subnet to spot it.

00:19:57.220 --> 00:20:03.080
TINKER: Generally speaking I will run Responder twice a day for maybe fifteen to twenty minutes

00:20:03.080 --> 00:20:04.990
and even intermittently at that.

00:20:04.990 --> 00:20:09.700
I run it right in the morning and right at noon when people are logging into their computers.

00:20:09.700 --> 00:20:12.030
They’re logging in the morning, they’re logging in back from lunch.

00:20:12.030 --> 00:20:15.960
That’s when a lot of that traffic comes that you can track.

00:20:15.960 --> 00:20:20.570
Generally speaking, depending on how big the environment is, I’ll pull down ten, twenty

00:20:20.570 --> 00:20:21.650
hashes quite easily.

00:20:21.650 --> 00:20:25.970
JACK: He fires up Responder in the morning and waits for hashes to come in.

00:20:25.970 --> 00:20:29.760
TINKER: I pulled down maybe five to fifteen hashes total.

00:20:29.760 --> 00:20:31.820
JACK: [MUSIC] Nice.

00:20:31.820 --> 00:20:35.440
With this, if he can crack a few of these, he can then work his way into the network

00:20:35.440 --> 00:20:37.940
and get some more privileges from someone else.

00:20:37.940 --> 00:20:40.280
TINKER: I pulled down these hashes.

00:20:40.280 --> 00:20:41.750
Again, they’re Net-NTLMv2 hashes.

00:20:41.750 --> 00:20:47.800
JACK: He loads these up into his GPU password-cracking rig which is offsite at his own office.

00:20:47.800 --> 00:20:56.340
TINKER: It was eight Nvidia GTX 1080 Tis mounted in a 4U rack server.

00:20:56.340 --> 00:20:58.230
JACK: Whoa, what a monster.

00:20:58.230 --> 00:21:00.310
That’s like an $8,000 computer.

00:21:00.310 --> 00:21:04.920
Basically what it’ll do is take those hashes he picked up from Responder and load them

00:21:04.920 --> 00:21:06.520
up into this computer.

00:21:06.520 --> 00:21:10.830
Then he runs a tool called Hashcat to cycle through billions of passwords a second to

00:21:10.830 --> 00:21:13.000
try to find the matching password.

00:21:13.000 --> 00:21:16.980
A computer like that can try every word in the dictionary in like, under a second.

00:21:16.980 --> 00:21:20.820
Then it will go and try adding numbers to the ends of words, or special symbols like

00:21:20.820 --> 00:21:25.700
a dollar sign instead of an S. It will keep trying passwords more random and more complex

00:21:25.700 --> 00:21:28.600
over time until it finds a match.

00:21:28.600 --> 00:21:30.260
This is brute force password-cracking.

00:21:30.260 --> 00:21:37.010
TINKER: The lowest I’ve ever gotten is like, a 20% crack rate, one in five.

00:21:37.010 --> 00:21:39.950
Somebody is statistically – I’m gonna get that much.

00:21:39.950 --> 00:21:45.680
Usually on those immediate standard stuff I’ll get anywhere from 50% to 75% crack

00:21:45.680 --> 00:21:46.680
rate.

00:21:46.680 --> 00:21:52.250
NTLM, I think at that time we could do something like 300 billion guesses per second.

00:21:52.250 --> 00:21:59.630
I want to say with Net-NTLMv2 it was only, and I say only, it was only somewhere between

00:21:59.630 --> 00:22:02.760
I don’t know, six to twelve billion guesses per second.

00:22:02.760 --> 00:22:05.240
So not too many.

00:22:05.240 --> 00:22:11.670
I ran it against our standard dictionaries and our rule sets and I didn’t crack any.

00:22:11.670 --> 00:22:17.740
JACK: His monster of a cracking station tried billions and billions of passwords and found

00:22:17.740 --> 00:22:21.510
absolutely no matches on any of the hashes.

00:22:21.510 --> 00:22:22.940
This was a big surprise.

00:22:22.940 --> 00:22:24.180
This never happens.

00:22:24.180 --> 00:22:27.260
TINKER: Usually when that happens it means my tools are broken, like an update broke

00:22:27.260 --> 00:22:28.530
it or something.

00:22:28.530 --> 00:22:32.080
I went and checked all my tools, put in known hashes.

00:22:32.080 --> 00:22:37.720
I test hashes to make sure my tools work and those cracked just fine.

00:22:37.720 --> 00:22:43.070
I did troubleshooting on my own stuff and it was working.

00:22:43.070 --> 00:22:47.820
That’s when I stopped and went back into the intranet and looked up a security policy.

00:22:47.820 --> 00:22:51.500
JACK: The security policy is going to tell you the minimum length of what a password

00:22:51.500 --> 00:22:55.110
must be and how many special characters and digits that have to be in it.

00:22:55.110 --> 00:22:59.490
TINKER: Sure enough, I believe they had a minimum of twelve character passwords.

00:22:59.490 --> 00:23:01.540
At that point it started to become passphrases.

00:23:01.540 --> 00:23:03.880
I’m a big advocate of passphrases.

00:23:03.880 --> 00:23:09.590
Password you can crack fairly easily but a passphrase, ideally four or five different

00:23:09.590 --> 00:23:14.940
words, completely random, that’s much more robust than what we have today.

00:23:14.940 --> 00:23:17.150
I said okay, alright, that’s fine.

00:23:17.150 --> 00:23:22.360
It’s still upper lower number and symbol, three out of four, and it still changes every

00:23:22.360 --> 00:23:23.550
ninety days.

00:23:23.550 --> 00:23:27.730
That means that people aren’t gonna create a really hard-to-figure-out passphrase.

00:23:27.730 --> 00:23:32.020
They’re gonna create something that they can remember and then iterate on it.

00:23:32.020 --> 00:23:37.170
I changed a little bit of my attack settings to account for a minimum twelve

00:23:37.170 --> 00:23:41.851
character and basically just picked longer words and longer numbers at the end.

00:23:41.851 --> 00:23:46.991
I did four digit numbers so you usually get the last four digits of somebody’s Social

00:23:46.991 --> 00:23:50.680
Security Number, the current year, something along those lines.

00:23:50.680 --> 00:23:53.450
I just picked longer words.

00:23:53.450 --> 00:23:59.440
I went onto the website and did a full word scrape from all their stuff including a lot

00:23:59.440 --> 00:24:03.560
of stuff from the internal internet to get the cultural thing.

00:24:03.560 --> 00:24:08.940
You get local sports teams, you get local schools, you get local street addresses, and

00:24:08.940 --> 00:24:14.400
any kind of mascots or what have you that they really identify with.

00:24:14.400 --> 00:24:16.240
You also get cultural phrases.

00:24:16.240 --> 00:24:20.820
I finally did that and I finally got, I want to say a good tidy handful.

00:24:20.820 --> 00:24:24.310
I finally got a couple of clear text passwords.

00:24:24.310 --> 00:24:28.590
But let me tell you, my equipment was sweating after that.

00:24:28.590 --> 00:24:34.710
JACK: [MUSIC] Okay, now Jeremy from Marketing has a few other employees’ passwords and

00:24:34.710 --> 00:24:37.440
really, getting this was not that difficult.

00:24:37.440 --> 00:24:41.010
Running Responder is really simple to do and he’s using off-the-shelf parts to build

00:24:41.010 --> 00:24:42.870
a computer to crack these hashes.

00:24:42.870 --> 00:24:47.110
It sounds amazing but if you know what you’re doing it’s really not that hard.

00:24:47.110 --> 00:24:52.190
Now that he has a few usernames and passwords, he cracks a small smile because it feels like

00:24:52.190 --> 00:24:55.640
a big win but he doesn’t want to let the other people in Marketing know that he’s

00:24:55.640 --> 00:24:56.640
doing something.

00:24:56.640 --> 00:24:59.340
He begins to try to figure out what he can do with these accounts.

00:24:59.340 --> 00:25:03.270
TINKER: There’s a couple things that you can do.

00:25:03.270 --> 00:25:06.640
You can immediately try to log into a workstation.

00:25:06.640 --> 00:25:14.410
I know their laptop is on the subnet and I do a very targeted spray with their username

00:25:14.410 --> 00:25:16.190
and their password against all of it.

00:25:16.190 --> 00:25:21.130
JACK: What targeted spray means is that he’s subtly trying to remotely log into a computer

00:25:21.130 --> 00:25:23.560
using these passwords he found.

00:25:23.560 --> 00:25:25.490
But none of the logins worked.

00:25:25.490 --> 00:25:30.420
TINKER: The error message amounted to good password but not authorized to log in, not

00:25:30.420 --> 00:25:34.920
within the group that can do remote logins which is fascinating, right?

00:25:34.920 --> 00:25:40.890
That is absolutely something that you can do but I very rarely see.

00:25:40.890 --> 00:25:47.210
By default that’s not set up which to me, that was kind of my first shock to the system.

00:25:47.210 --> 00:25:49.270
Aside from the fact – I’m like, here I am.

00:25:49.270 --> 00:25:53.191
They require twelve character passphrases and they don’t allow common users to do

00:25:53.191 --> 00:25:55.150
remote logins for their own boxes.

00:25:55.150 --> 00:26:00.600
I’m starting to go okay, something’s going on here.

00:26:00.600 --> 00:26:02.670
What sort of place have they put me in?

00:26:02.670 --> 00:26:08.360
JACK: [MUSIC] Okay, these users cannot log in remotely but they have to be able to log

00:26:08.360 --> 00:26:10.560
in normally like when they’re at a workstation.

00:26:10.560 --> 00:26:15.260
He logs out of his company-issued workstation and he tries to log in with one of these usernames.

00:26:15.260 --> 00:26:19.570
Earlier he was pulling stuff from Active Directory but because there was so much logging enabled

00:26:19.570 --> 00:26:23.260
on his laptop, he had to stop because he didn’t want to bring attention to himself.

00:26:23.260 --> 00:26:27.660
But now that he has someone else’s password and he can act like someone else for a little

00:26:27.660 --> 00:26:30.870
while, he can use that to gather more information with.

00:26:30.870 --> 00:26:34.080
TINKER: What I did with these credentials – ‘cause I didn’t want to use my own

00:26:34.080 --> 00:26:35.080
credentials.

00:26:35.080 --> 00:26:37.750
I didn’t want anything to be tied back to me as a person.

00:26:37.750 --> 00:26:45.410
I used these stolen credentials and at that point I logged into SYSVOL on the main controller,

00:26:45.410 --> 00:26:47.830
pulled all of Active Directory.

00:26:47.830 --> 00:26:52.150
You can mount SYSVOL and get all the Group Policy Preferences.

00:26:52.150 --> 00:26:56.720
You get scripts in there that the domain admins will run and other IT will run.

00:26:56.720 --> 00:26:59.630
You can sometimes pull hardcoded credentials out of those.

00:26:59.630 --> 00:27:06.510
I pulled all the users, usernames, and host names, and a myriad of other things.

00:27:06.510 --> 00:27:10.100
With the domain controller I pulled out all the information of all the users including

00:27:10.100 --> 00:27:13.200
the groups and had a lot of recon at that point.

00:27:13.200 --> 00:27:16.320
It was rather successful, that first go.

00:27:16.320 --> 00:27:17.320
That’s just users.

00:27:17.320 --> 00:27:22.980
Even though I wasn’t able to log into the user laptop, I was able to at least interact

00:27:22.980 --> 00:27:25.900
with the domain controller in the way that Windows allows for.

00:27:25.900 --> 00:27:30.320
But still at this point I don’t have much, right.

00:27:30.320 --> 00:27:31.320
JACK: Right.

00:27:31.320 --> 00:27:34.810
So now we’re nearing the end of the second day and Jeremy from Marketing is really struggling

00:27:34.810 --> 00:27:36.480
to get anywhere in this network.

00:27:36.480 --> 00:27:40.390
Sure, he has a few passwords but he’s very limited at what he can do with them.

00:27:40.390 --> 00:27:44.660
Usually by now he’s deep in the network, starting to get access to Active Directory

00:27:44.660 --> 00:27:47.910
servers, something, something bigger than this.

00:27:47.910 --> 00:27:49.570
But he’s got nothing so far.

00:27:49.570 --> 00:27:56.080
TINKER: At this point I’m like okay well, I still have good user credentials.

00:27:56.080 --> 00:27:57.370
What am I gonna do?

00:27:57.370 --> 00:28:02.030
The first thing I tried to do is just log into their e-mail using either OWA or Office

00:28:02.030 --> 00:28:05.040
365 or whatever single sign-on that they were using.

00:28:05.040 --> 00:28:06.091
I was able to get in.

00:28:06.091 --> 00:28:11.390
[MUSIC] They did not have multi-factor authentication set up on e-mail.

00:28:11.390 --> 00:28:15.240
As luck would have it though, one of the very first e-mails that I read just rifling through

00:28:15.240 --> 00:28:20.341
someone else’s e-mail was an e-mail saying hey, be advised next week we’re implementing

00:28:20.341 --> 00:28:23.800
multi-factor authentication in e-mail so be prepared to set that up.

00:28:23.800 --> 00:28:24.800
I’m like woo!

00:28:24.800 --> 00:28:28.190
I got in early enough to where I didn’t have to do that.

00:28:28.190 --> 00:28:32.490
JACK: Now he starts looking through the e-mails to see if he can find anything of importance;

00:28:32.490 --> 00:28:36.730
maybe IT e-mailed them passwords at one point or something else that might be

00:28:36.730 --> 00:28:37.730
helpful.

00:28:37.730 --> 00:28:43.630
He found a password but it was for a third-party tool like a tax-assessor’s website or something.

00:28:43.630 --> 00:28:44.770
Really, that’s it.

00:28:44.770 --> 00:28:48.920
He even looked for internal notes that Outlook sometimes stores for users to see if they

00:28:48.920 --> 00:28:53.290
just wrote their passwords down on that or something but there was nothing there.

00:28:53.290 --> 00:28:54.830
No help.

00:28:54.830 --> 00:28:56.690
He tried a new approach.

00:28:56.690 --> 00:28:59.580
TINKER: Get into their single sign-on, their internet.

00:28:59.580 --> 00:29:03.820
JACK: What I see companies doing today is they create a single portal for employees

00:29:03.820 --> 00:29:07.610
to log into which then provides them access to all the tools.

00:29:07.610 --> 00:29:11.760
This is called single sign-on because you log in once and it gets you access to many things.

00:29:11.760 --> 00:29:18.180
TINKER: Single sign-on that’s not set up properly or securely is a hacker’s dream.

00:29:18.180 --> 00:29:22.750
All of the things are in one tidy little group and you have full access to it.

00:29:22.750 --> 00:29:31.100
I’ve taken down entire organizations where single sign-on was there, like a hub of applications,

00:29:31.100 --> 00:29:32.100
if you will.

00:29:32.100 --> 00:29:33.980
One of them gave me a whole lot of access.

00:29:33.980 --> 00:29:37.620
This place though, I got in from the outside which I tried to do because I didn’t want

00:29:37.620 --> 00:29:38.850
it to originate from the inside.

00:29:38.850 --> 00:29:43.030
From the outside it required multi-factor authentication just to log in.

00:29:43.030 --> 00:29:46.810
JACK: When he says from the outside he means from outside the company.

00:29:46.810 --> 00:29:49.720
The single sign-on portal can be accessed from anywhere in the world.

00:29:49.720 --> 00:29:54.410
It’s right on the internet but ah, multi-factor authentication makes it much harder to log

00:29:54.410 --> 00:29:55.410
in.

00:29:55.410 --> 00:29:59.650
This is where you need both a password and a six-digit token code generated on your phone

00:29:59.650 --> 00:30:01.000
or something to get in.

00:30:01.000 --> 00:30:05.200
He tried to get into the portal from his laptop on the inside of the company and it didn’t

00:30:05.200 --> 00:30:07.290
require multi-factor authentication.

00:30:07.290 --> 00:30:09.870
Yeah, now he’s in.

00:30:09.870 --> 00:30:11.340
He looks to see what’s there.

00:30:11.340 --> 00:30:15.890
A bunch of different apps, payroll stuff, client databases, control panels, okay.

00:30:15.890 --> 00:30:17.590
He’s feeling like he’s getting somewhere now.

00:30:17.590 --> 00:30:23.080
TINKER: [MUSIC] I clicked on one of the apps and each individual app required its own separate

00:30:23.080 --> 00:30:25.310
multi-factor authentication login.

00:30:25.310 --> 00:30:26.680
I was like what?

00:30:26.680 --> 00:30:29.510
What kind of lockdown prison is this place, right?

00:30:29.510 --> 00:30:32.630
JACK: It’s the opposite of single sign-on.

00:30:32.630 --> 00:30:38.530
TINKER: Well exactly, and so what they’ve done is they set it up properly.

00:30:38.530 --> 00:30:42.910
They had one place for everybody to go to but man, you better have your soft token or

00:30:42.910 --> 00:30:45.580
something set up.

00:30:45.580 --> 00:30:49.320
At this point I’m getting kind of heated.

00:30:49.320 --> 00:30:52.750
I’m like Tinker, you’re losing time.

00:30:52.750 --> 00:30:55.970
You better hack into something.

00:30:55.970 --> 00:31:00.010
I had gotten a couple of things; I hacked into e-mail but it didn’t give me much.

00:31:00.010 --> 00:31:02.770
I already have some findings.

00:31:02.770 --> 00:31:08.880
I’ve got a report here that’s building of things they can tighten up but nothing

00:31:08.880 --> 00:31:09.880
significant.

00:31:09.880 --> 00:31:17.550
Pen testers, your dopamine, your adrenaline is going off those really big hacks, right.

00:31:17.550 --> 00:31:22.180
I still at this point have not gained access to another workstation beyond my own.

00:31:22.180 --> 00:31:26.640
JACK: He takes a little break, gets a drink of water, resets himself, and sits back down.

00:31:26.640 --> 00:31:27.960
TINKER: I need to lat move.

00:31:27.960 --> 00:31:30.020
I need to start getting onto some servers.

00:31:30.020 --> 00:31:37.140
I need to start going and at least targeting some crown jewels here but I’ve got nothing.

00:31:37.140 --> 00:31:41.270
One thing caught my eye though, in the single sign-on, was Citrix.

00:31:41.270 --> 00:31:49.720
I, as an attacker, I love Citrix ‘cause what Citrix is, is it amounts to Remote Desktop

00:31:49.720 --> 00:31:53.170
through the browser.

00:31:53.170 --> 00:31:58.020
Generally if there’s something from Citrix, generally it’s a server of some sort that’s

00:31:58.020 --> 00:32:02.730
hosting internal applications or something else it’s serving up.

00:32:02.730 --> 00:32:08.300
But I see Citrix and I usually go for it ‘cause I can really get a good thing there, maybe

00:32:08.300 --> 00:32:09.920
dump some memory.

00:32:09.920 --> 00:32:15.220
I click on Citrix and it asks me for multi-factor authentication and it says it’s gonna send

00:32:15.220 --> 00:32:19.820
it via SMS to this user’s cell phone.

00:32:19.820 --> 00:32:22.780
But it only gives the last four digits of the cell phone.

00:32:22.780 --> 00:32:27.090
JACK: While yes, it’s possible to hijack the cell phone, do SIM swapping or something,

00:32:27.090 --> 00:32:31.260
that’s technically illegal and he’s not allowed to do illegal things as a penetration

00:32:31.260 --> 00:32:32.260
tester.

00:32:32.260 --> 00:32:36.760
All he knows about this person is their name, their username, their password, and the last

00:32:36.760 --> 00:32:38.080
four digits of their cell phone.

00:32:38.080 --> 00:32:43.150
TINKER: But I have their e-mail so I type in the last four of their phone number into

00:32:43.150 --> 00:32:48.170
the search bar within this person’s e-mail and I pull up one of their signatures that

00:32:48.170 --> 00:32:49.180
has their full phone number.

00:32:49.180 --> 00:32:53.731
Okay, I have their full phone number, I have their name, I have who they are, I have everything

00:32:53.731 --> 00:32:56.300
that amounts to them within this environment.

00:32:56.300 --> 00:32:58.520
Let’s bypass multi-factor authentication.

00:32:58.520 --> 00:33:02.110
JACK: [MUSIC] Okay, so here’s what he’s gotta do.

00:33:02.110 --> 00:33:06.400
He’s gotta click on that login to Citrix which will then send a text message to the

00:33:06.400 --> 00:33:11.080
phone of that user and he’s gotta somehow get that text message, enter it into this

00:33:11.080 --> 00:33:15.210
website all within sixty seconds before the code expires.

00:33:15.210 --> 00:33:16.380
This isn’t gonna be easy.

00:33:16.380 --> 00:33:17.500
TINKER: I have this phone number.

00:33:17.500 --> 00:33:18.500
I called the person.

00:33:18.500 --> 00:33:24.080
I gotta make sure none of the people around me are hearing me at this point, right?

00:33:24.080 --> 00:33:28.390
But I put on my headset, put on my own phone, and I called this person.

00:33:28.390 --> 00:33:31.200
They answer; Jane from Accounting.

00:33:31.200 --> 00:33:41.620
I lie to them and then I say hey, I’m somebody else from IT and we’re gonna migrate

00:33:41.620 --> 00:33:44.210
your Citrix since it’s within single sign-on.

00:33:44.210 --> 00:33:46.040
This person has no idea what I’m talking about.

00:33:46.040 --> 00:33:49.200
They’re not IT and so they’re like, all they hear is computer gobbledygook.

00:33:49.200 --> 00:33:51.120
They’re like yeah, that sounds fine.

00:33:51.120 --> 00:33:52.480
Why are you calling me?

00:33:52.480 --> 00:33:59.400
I’m like well, I’m gonna send you a PIN number that I need you to read back to me

00:33:59.400 --> 00:34:04.140
that authenticates that it is your account but I need you to know as your IT, I will

00:34:04.140 --> 00:34:05.890
never ask for your password.

00:34:05.890 --> 00:34:08.320
Again, this gives them a sense of security.

00:34:08.320 --> 00:34:11.799
I obviously already had their password but it gives them a sense of security and says

00:34:11.799 --> 00:34:13.679
okay, well they’re not gonna ask for my password.

00:34:13.679 --> 00:34:15.819
That’s what matters so I’ll read off this PIN.

00:34:15.819 --> 00:34:17.749
I said okay, I’m about to send you a text message.

00:34:17.749 --> 00:34:22.649
You’ll receive it from my server, Citrix, right, and they go okay.

00:34:22.649 --> 00:34:26.000
I go ahead and click Send MFA and they go okay, I got the text.

00:34:26.000 --> 00:34:27.899
You just need me to read this to you?

00:34:27.899 --> 00:34:29.309
I go yup, just read it to me.

00:34:29.309 --> 00:34:30.309
She read it to me.

00:34:30.309 --> 00:34:34.710
I typed it in within the minute ‘cause you only have about sixty seconds and it logged

00:34:34.710 --> 00:34:35.710
me in.

00:34:35.710 --> 00:34:40.200
I go okay, well just letting you know, and this is right before lunch, go out and take

00:34:40.200 --> 00:34:45.329
a long lunch or don’t interact with Citrix for at least two hours while we do the migration.

00:34:45.329 --> 00:34:47.250
She said okay, great, sounds good.

00:34:47.250 --> 00:34:48.849
I go okay, sounds good.

00:34:48.849 --> 00:34:49.849
Bye.

00:34:49.849 --> 00:34:50.849
I’m like okay great, finally.

00:34:50.849 --> 00:34:52.050
I’ve got into Citrix.

00:34:52.050 --> 00:34:55.990
I log into Citrix and there’s no applications.

00:34:55.990 --> 00:34:57.390
There’s no computers.

00:34:57.390 --> 00:34:59.829
It’s an empty Citrix instance.

00:34:59.829 --> 00:35:04.180
I’ve hacked my way into a broom closet.

00:35:04.180 --> 00:35:05.670
There’s nothing here.

00:35:05.670 --> 00:35:11.440
I just bypassed multi-factor authentication through a solid social engineering exploit

00:35:11.440 --> 00:35:15.390
after cracking this person’s password which was hard to crack to begin with.

00:35:15.390 --> 00:35:23.119
A day and a half has arrived up to this very point and I’ve got nothing, absolutely nothing.

00:35:23.119 --> 00:35:27.869
JACK: At this point if you were to look over at Jeremy from Marketing you’d see him sweating

00:35:27.869 --> 00:35:28.869
and shaking.

00:35:28.869 --> 00:35:34.160
TINKER: I found that generally when I’m doing a soc eng or social engineering attack

00:35:34.160 --> 00:35:39.099
or when I’m doing a physical break-in or what have you, when I’m doing it I’m calm,

00:35:39.099 --> 00:35:40.450
cool, and collected.

00:35:40.450 --> 00:35:46.559
I’m usually sweating like you wouldn’t believe but my demeanor is on point.

00:35:46.559 --> 00:35:51.279
Afterwards though, man, that adrenaline rush, it comes crashing down and I will, I shit

00:35:51.279 --> 00:35:54.240
you not, I will physically shake.

00:35:54.240 --> 00:35:59.119
I’m probably one of the most loud, outspoken introverts you’ve ever met.

00:35:59.119 --> 00:36:00.900
I am confident in front of people.

00:36:00.900 --> 00:36:05.749
I used to be a Sergeant in the Marine Corps and when you got a platoon full of trained

00:36:05.749 --> 00:36:11.790
killers and you’re trying to get them to do what you want them to do you have to develop

00:36:11.790 --> 00:36:12.790
confidence, or at least a projection of confidence.

00:36:12.790 --> 00:36:15.299
You gotta lie through your teeth, right.

00:36:15.299 --> 00:36:19.420
I will have confidence; I’m socially adept but it still drains me, especially when I’m

00:36:19.420 --> 00:36:24.240
doing something like this that I have to put on a heavy mask and so yeah, I get out of

00:36:24.240 --> 00:36:26.240
that. I’m sweating.

00:36:26.240 --> 00:36:30.650
It took me probably about a full hour to prepare for it as I did in-depth research on this

00:36:30.650 --> 00:36:32.799
person. I’ve got nothing.

00:36:32.799 --> 00:36:36.881
JACK: Usually he’s a lot further along at this point on his penetration test and it’s

00:36:36.881 --> 00:36:39.769
just making him really worry that he’s not gonna find anything.

00:36:39.769 --> 00:36:44.150
TINKER: I go screw it; I’m gonna go all out at this point.

00:36:44.150 --> 00:36:48.980
As people start leaving to head home I say hey, I’m gonna stay back and finish trying

00:36:48.980 --> 00:36:52.700
to knock out some more of these onboarding videos and nobody seemed to mind.

00:36:52.700 --> 00:37:00.000
JACK: [MUSIC] He sits and waits, sitting in his cubicle watching everyone leave the office.

00:37:00.000 --> 00:37:03.390
He keeps peering over and seeing if anyone has left.

00:37:03.390 --> 00:37:06.430
He sits back down and waits some more.

00:37:06.430 --> 00:37:10.460
TINKER: I waited until the cleaning crew came.

00:37:10.460 --> 00:37:13.940
I waited until the cleaning crew left.

00:37:13.940 --> 00:37:16.339
I think I was the only one on that floor.

00:37:16.339 --> 00:37:20.089
I believe there was maybe a couple other people working on different floors but I was the

00:37:20.089 --> 00:37:21.089
only one on that floor.

00:37:21.089 --> 00:37:25.630
JACK: He starts walking by every cubicle looking to see if any computers were logged in while

00:37:25.630 --> 00:37:28.349
that person went home.

00:37:28.349 --> 00:37:32.650
No computers were left logged in but he does see some people did leave their computers

00:37:32.650 --> 00:37:33.650
behind.

00:37:33.650 --> 00:37:35.410
TINKER: I said you know what, I’m just gonna steal laptops.

00:37:35.410 --> 00:37:38.050
I don’t even care at this point.

00:37:38.050 --> 00:37:44.609
I go start plugging into my colleagues’ laptops that left their laptop there but two

00:37:44.609 --> 00:37:46.041
things kind of jumped out.

00:37:46.041 --> 00:37:53.210
The biggest thing was they had encrypted hard drives so even if I mount and boot from USB

00:37:53.210 --> 00:37:57.210
which I was able to do, I couldn’t mount their hard drive.

00:37:57.210 --> 00:38:00.000
It was encrypted and so I couldn’t pull off any kind of local admin hash.

00:38:00.000 --> 00:38:01.310
JACK: Ah, again blocked.

00:38:01.310 --> 00:38:05.150
All these little safeguards in place are really giving him a hard time to get anywhere.

00:38:05.150 --> 00:38:09.089
Even when nobody is in the office he still can’t access people’s laptops.

00:38:09.089 --> 00:38:13.200
He’s tired, he’s hungry, he’s nervous, and his frustration is just building.

00:38:13.200 --> 00:38:16.180
TINKER: I said screw it, I’m gonna go after the IT shack.

00:38:16.180 --> 00:38:21.220
JACK: Okay, so the IT shack is the room where the IT help desk keeps all the computers.

00:38:21.220 --> 00:38:24.700
Like, they probably have ten, twenty, a hundred computers in there.

00:38:24.700 --> 00:38:29.780
If he can get into this room he’d have access to a lot of workstations and he thinks maybe

00:38:29.780 --> 00:38:32.030
if he gets his hands on these he can get somewhere.

00:38:32.030 --> 00:38:36.100
TINKER: Going up to the IT shack, during the previous couple days, whenever

00:38:36.100 --> 00:38:41.000
I’d get up and walk I’d try to make people see me so that they know I’m supposed to

00:38:41.000 --> 00:38:42.000
be there.

00:38:42.000 --> 00:38:44.369
I’m doing kind of reconnaissance on where everything was.

00:38:44.369 --> 00:38:50.359
By that time I knew where the break room was, I knew where the guards hung out, I knew where

00:38:50.359 --> 00:38:52.190
the IT shack was.

00:38:52.190 --> 00:38:55.819
First thing I had done previously was check where all the cameras were and there was not

00:38:55.819 --> 00:38:59.680
a camera looking at the door to the IT shack.

00:38:59.680 --> 00:39:03.970
I knew that visually I was fine but when I went to the IT shack I wanted to make sure

00:39:03.970 --> 00:39:04.970
there was no one around the corner.

00:39:04.970 --> 00:39:06.450
I wanted to sit there and pause.

00:39:06.450 --> 00:39:11.970
JACK: He stands and waits right around the corner from the IT shack door and he tries

00:39:11.970 --> 00:39:14.640
to listen to see if anyone is around.

00:39:14.640 --> 00:39:20.140
TINKER: In order to really cast your hearing out to hear as best you can, there’s a couple

00:39:20.140 --> 00:39:21.200
things that you can do.

00:39:21.200 --> 00:39:25.359
One is slow down your own breathing to slow your heart down ‘cause if your heart’s

00:39:25.359 --> 00:39:29.250
beating that’ll actually fill your ears with a pump, pump, pump of blood so you need

00:39:29.250 --> 00:39:31.500
to calm yourself completely down.

00:39:31.500 --> 00:39:32.660
I tilt my head down.

00:39:32.660 --> 00:39:34.130
I looked down because I want to focus.

00:39:34.130 --> 00:39:37.900
I’m not necessarily closing my eyes but I want to focus on my hearing so I’m making

00:39:37.900 --> 00:39:39.890
sure that I’m not looking at anything in particular.

00:39:39.890 --> 00:39:45.240
Then I open my mouth slightly and the reason why you do that is you have your jaw muscles;

00:39:45.240 --> 00:39:49.359
when you have a clenched or closed mouth, your jaw muscles will actually come right

00:39:49.359 --> 00:39:53.369
up near your ear canal and kind of close it off slightly.

00:39:53.369 --> 00:39:55.619
You can try this even at home.

00:39:55.619 --> 00:39:59.099
Get to a place where you have your jaw closed and just listen for a while.

00:39:59.099 --> 00:40:04.710
You can do this at night and then open your mouth comfortably wide open.

00:40:04.710 --> 00:40:09.200
You don’t want to strain yourself but comfortably open to move your jaw bone away from your

00:40:09.200 --> 00:40:10.200
ear canal.

00:40:10.200 --> 00:40:14.359
You’ll find that that opens your ear canal wide open and you can hear a lot more.

00:40:14.359 --> 00:40:19.220
I say get context; not only can you hear further but you can hear more things.

00:40:19.220 --> 00:40:20.220
Does that make sense?

00:40:20.220 --> 00:40:21.490
JACK: Yeah, I love pen testers.

00:40:21.490 --> 00:40:25.319
It’s like you’re Felix the Cat; you have a bag full of tricks and you never know when

00:40:25.319 --> 00:40:26.819
you need it but you just have them ready to go.

00:40:26.819 --> 00:40:30.309
TINKER: That’s the thing, we try to be Jacks of all trades and you try to study as many

00:40:30.309 --> 00:40:31.589
things as possible.

00:40:31.589 --> 00:40:36.239
I’ve pulled that trick out of being in the Marine Corps when you have to do night missions.

00:40:36.239 --> 00:40:40.970
Little things that you pick up along the way that I tell you, they come into play.

00:40:40.970 --> 00:40:44.750
JACK: After standing around the corner from the IT shack door for a good thirty seconds

00:40:44.750 --> 00:40:48.140
listening for anything, it seems like the coast is clear.

00:40:48.140 --> 00:40:49.670
Time to move in.

00:40:49.670 --> 00:40:54.259
He gets his lock picks ready and is prepared to move to the door and start picking the

00:40:54.259 --> 00:40:55.259
lock.

00:40:55.259 --> 00:40:58.670
He turns the corner and to his surprise a door stopper is stuck in the door which is

00:40:58.670 --> 00:41:01.069
just barely keeping the door open slightly.

00:41:01.069 --> 00:41:02.440
Alright, lucky break.

00:41:02.440 --> 00:41:04.569
He won’t have to pick the lock now.

00:41:04.569 --> 00:41:07.050
But this gave him a totally different sensation.

00:41:07.050 --> 00:41:09.440
Was someone in there?

00:41:09.440 --> 00:41:12.220
If so, is he gonna have to wait even longer for them to leave?

00:41:12.220 --> 00:41:15.529
He tries to look through the crack but he can’t see much.

00:41:15.529 --> 00:41:16.529
Screw it, he’s going in.

00:41:16.529 --> 00:41:21.260
TINKER: [MUSIC] I walk in real quick and I see stacks and stacks of laptops.

00:41:21.260 --> 00:41:22.880
JACK: Nobody was in the room.

00:41:22.880 --> 00:41:25.059
Someone accidentally left the door open all night.

00:41:25.059 --> 00:41:30.980
TINKER: I come to find out later on it was literally a person had forgotten their keys

00:41:30.980 --> 00:41:34.329
and so they left it propped open to go to the restroom and never came back to shut the

00:41:34.329 --> 00:41:35.329
door.

00:41:35.329 --> 00:41:38.119
JACK: He’s standing in the IT shack in front of like, seventy-five laptops or more.

00:41:38.119 --> 00:41:39.499
TINKER: I’ve got an option here.

00:41:39.499 --> 00:41:46.540
I can stay in the shack and do all my things there or I can take what I need and move over

00:41:46.540 --> 00:41:50.160
to my desk or conference room, whatever, and do it elsewhere.

00:41:50.160 --> 00:41:52.369
There’s a give and take of both.

00:41:52.369 --> 00:41:57.790
If I stay in the shack no one will see me hacking into these computers and so if I stay

00:41:57.790 --> 00:42:02.180
in there I protect myself against the bulk majority of people that will be walking through

00:42:02.180 --> 00:42:05.960
in the middle of the night if they came in after hours for whatever reason.

00:42:05.960 --> 00:42:10.880
But if I stay in there and an IT person comes in, which plenty of IT people work overnight

00:42:10.880 --> 00:42:13.940
or have to come in for a call or something, I’m caught red-handed.

00:42:13.940 --> 00:42:16.950
I’ve got no excuse for being in there.

00:42:16.950 --> 00:42:22.230
I make a call that I’m gonna start hauling as many of these computers to my desk and

00:42:22.230 --> 00:42:27.240
then from my desk, bring them up and if someone comes by hopefully I’ve got them tucked

00:42:27.240 --> 00:42:29.239
away or whatever and I can pretend that it’s mine or whatever.

00:42:29.239 --> 00:42:32.910
I can hear them coming, I can hide it and go back to work.

00:42:32.910 --> 00:42:40.019
I start taking armloads, like full handfuls of these laptops to my cubicle area and stacking

00:42:40.019 --> 00:42:42.509
them underneath my desk.

00:42:42.509 --> 00:42:47.470
I ended up grabbing – I made, I don’t know, three or four trips and ended up grabbing

00:42:47.470 --> 00:42:53.670
about thirty laptops before I said you know what, this is probably enough.

00:42:53.670 --> 00:42:59.849
I went back to my cubicle at this point, shut the door, and just started trying to boot

00:42:59.849 --> 00:43:02.539
from USB and mount as many hard drives as possible.

00:43:02.539 --> 00:43:07.259
JACK: He starts going through each laptop one by one, spending hours on them trying

00:43:07.259 --> 00:43:10.690
to find if any of them have an unencrypted drive.

00:43:10.690 --> 00:43:15.230
He finds two in the whole stack that were either old images or didn’t get encrypted.

00:43:15.230 --> 00:43:19.839
Now that he has an unencrypted hard drive he dumps the local administrator hash from

00:43:19.839 --> 00:43:21.299
that laptop.

00:43:21.299 --> 00:43:25.109
Once he has this hash he starts running it through that monster password cracking station

00:43:25.109 --> 00:43:27.570
he has and he tries to crack the admin password.

00:43:27.570 --> 00:43:29.519
TINKER: I crack it rather quickly.

00:43:29.519 --> 00:43:34.609
It was actually the company name and the year with a capital first letter on the company

00:43:34.609 --> 00:43:35.619
name, a very weak password.

00:43:35.619 --> 00:43:37.249
I was like are you kidding me?

00:43:37.249 --> 00:43:39.549
Everything else I’ve found has been amazing and this is it?

00:43:39.549 --> 00:43:43.730
JACK: Just to test the password he tries logging into his own workstation with it and the admin

00:43:43.730 --> 00:43:46.099
password worked. Bingo.

00:43:46.099 --> 00:43:49.999
This means the admin password that he just found is likely the admin password for all

00:43:49.999 --> 00:43:55.170
the users’ laptops in the office which should allow him to log into any user’s laptop.

00:43:55.170 --> 00:43:56.940
Finally he’s making progress.

00:43:56.940 --> 00:43:58.040
This is a big break.

00:43:58.040 --> 00:44:00.480
He starts putting the laptops back in the IT shack.

00:44:00.480 --> 00:44:05.369
TINKER: I took pictures of where they were so that – they were out of order by this

00:44:05.369 --> 00:44:10.349
point but I put them, I mean, stacked about as precisely as I possibly could.

00:44:10.349 --> 00:44:14.579
Anything I touch, I put it back as closely as I found it so that it doesn’t look like

00:44:14.579 --> 00:44:15.579
it’s been disturbed.

00:44:15.579 --> 00:44:16.579
I’m like okay, well great.

00:44:16.579 --> 00:44:17.789
I got a lucky break.

00:44:17.789 --> 00:44:20.579
I can now use this to spray everything, right?

00:44:20.579 --> 00:44:23.900
At this point I’m beat and I go home and I sleep.

00:44:23.900 --> 00:44:27.809
JACK: Feeling rested and happy that he has an admin hash and a password, he comes back

00:44:27.809 --> 00:44:30.339
into the office finally ready to dig deep into the network.

00:44:30.339 --> 00:44:34.599
TINKER: I come back in and okay, I’ve got the best thing that I have; I’ve got a local

00:44:34.599 --> 00:44:35.599
admin hash.

00:44:35.599 --> 00:44:39.880
First thing I try to do is pass the hash which just uses the actual hash as a password.

00:44:39.880 --> 00:44:41.640
JACK: Which is a great technique.

00:44:41.640 --> 00:44:45.779
Often when you’re logging into another computer your computer hashes your password and gives

00:44:45.779 --> 00:44:50.319
it to that other computer to log into so if you have the hash, just give him that and

00:44:50.319 --> 00:44:51.869
that could authenticate you.

00:44:51.869 --> 00:44:54.560
But in this case it wasn’t working.

00:44:54.560 --> 00:45:00.059
There was some kind of error but last night he cracked the local admin password.

00:45:00.059 --> 00:45:03.819
IT administrators will often reuse this password so this local admin password might actually

00:45:03.819 --> 00:45:06.779
work on every laptop in the whole company.

00:45:06.779 --> 00:45:11.800
He tries to remotely log into another computer using this local admin and password.

00:45:11.800 --> 00:45:13.940
TINKER: But it wasn’t working.

00:45:13.940 --> 00:45:19.170
The local admin hash was not letting me log into – again, it comes up as a valid credential

00:45:19.170 --> 00:45:20.789
but you’re not allowed to log in.

00:45:20.789 --> 00:45:22.489
I’m like, this is asinine.

00:45:22.489 --> 00:45:26.119
Even the local admin needs to be able to log in.

00:45:26.119 --> 00:45:27.119
It’s not letting me.

00:45:27.119 --> 00:45:30.470
JACK: He logs into his own laptop again as local admin to try to figure out what’s

00:45:30.470 --> 00:45:31.470
going on.

00:45:31.470 --> 00:45:37.140
TINKER: When I log in with the local admin password they don’t have access to the full

00:45:37.140 --> 00:45:38.140
computer.

00:45:38.140 --> 00:45:45.440
[MUSIC] The local admin, the local administrator, does not have full access to the rest of the

00:45:45.440 --> 00:45:46.440
hard drive.

00:45:46.440 --> 00:45:48.269
It doesn’t have access to the user level which – this doesn’t make sense ‘cause

00:45:48.269 --> 00:45:49.460
that’s how it’s set up.

00:45:49.460 --> 00:45:51.230
That admin has access to everything.

00:45:51.230 --> 00:45:55.010
Again, I’m punching myself in the face.

00:45:55.010 --> 00:46:01.829
It turned out that they were using a third-party non-Microsoft tool to do access control and

00:46:01.829 --> 00:46:03.410
user control, etc.

00:46:03.410 --> 00:46:05.130
JACK: This is quite impressive.

00:46:05.130 --> 00:46:09.570
While the password was probably used for everyone’s laptop the admin user doesn’t have that

00:46:09.570 --> 00:46:11.039
many rights at all.

00:46:11.039 --> 00:46:12.940
I’ve never heard of this myself.

00:46:12.940 --> 00:46:16.980
But yet, this is another safeguard that this company has put in place in case this password

00:46:16.980 --> 00:46:20.029
got leaked which was really hard to find to begin with.

00:46:20.029 --> 00:46:22.010
This would stop them even further.

00:46:22.010 --> 00:46:25.279
TINKER: Now I’m angry.

00:46:25.279 --> 00:46:30.359
At this point I can pop a shell from my computer but – to my rogue computer.

00:46:30.359 --> 00:46:34.940
With this pass I can log in anywhere and get a shell if I have physical access to somewhere

00:46:34.940 --> 00:46:37.529
but it doesn’t give me any rights.

00:46:37.529 --> 00:46:38.529
I don’t have anything.

00:46:38.529 --> 00:46:39.529
I’ve got this tiny little niche.

00:46:39.529 --> 00:46:40.750
JACK: I would be angry too.

00:46:40.750 --> 00:46:44.750
So many of his exploits and techniques should have given him access to the whole company

00:46:44.750 --> 00:46:50.119
by now but this company was foiling his every single move and all his techniques.

00:46:50.119 --> 00:46:52.299
Now he’s tired of trying to fly under the radar.

00:46:52.299 --> 00:46:56.319
He’s ready to try an exploit on another computer that might make a little noise.

00:46:56.319 --> 00:46:59.880
From there, if he can get into a computer he can see if there’s anything good on that

00:46:59.880 --> 00:47:01.200
and move around to another computer.

00:47:01.200 --> 00:47:05.509
He scans his own computer to see if it has a vulnerability that he can exploit.

00:47:05.509 --> 00:47:11.039
TINKER: I tried a variety of them but the one that worked was unquoted service path

00:47:11.039 --> 00:47:16.640
which the way Windows works, is if say you want to run a program at startup and it’s

00:47:16.640 --> 00:47:18.239
designed to run this program at startup.

00:47:18.239 --> 00:47:23.440
But one of the folders that you run this program in has spaces in it.

00:47:23.440 --> 00:47:31.559
If you don’t put quotes around that full path, what Windows will do is attempt to run

00:47:31.559 --> 00:47:40.390
up to the space as if that word, say it was something that said Citrix space Server.

00:47:40.390 --> 00:47:42.170
That’s a BS one.

00:47:42.170 --> 00:47:48.190
It would try to run Citrix as an executable first before it tried to run Citrix server

00:47:48.190 --> 00:47:49.190
as a directory.

00:47:49.190 --> 00:47:53.710
If you go in there, if you have ReadWrite and you can create a program, a malicious

00:47:53.710 --> 00:47:58.950
program that’s named Citrix as opposed to Citrix space Server, it will run your program

00:47:58.950 --> 00:48:02.829
as in this sense, system because this system was calling it.

00:48:02.829 --> 00:48:05.440
I found a directory that let me do this.

00:48:05.440 --> 00:48:10.549
It wasn’t Citrix space Server but I’m like okay, great.

00:48:10.549 --> 00:48:15.079
But I ran a check to see if I had ReadWrite and it said I didn’t.

00:48:15.079 --> 00:48:18.019
At this point I’m like well, fuck it.

00:48:18.019 --> 00:48:19.019
I’m done.

00:48:19.019 --> 00:48:21.140
This is horrible.

00:48:21.140 --> 00:48:26.589
JACK: [MUSIC] Without the ability to write to the remote computer, he’s unable to exploit

00:48:26.589 --> 00:48:27.810
that thing.

00:48:27.810 --> 00:48:31.599
Because it said he didn’t have the ability to write, he just gave up at this point, totally

00:48:31.599 --> 00:48:32.599
out of ideas.

00:48:32.599 --> 00:48:37.849
He put his elbows on his desk and he put his head in his hands, completely dumbfounded.

00:48:37.849 --> 00:48:41.910
He’s now on day three and still has not gained access to any computer outside his

00:48:41.910 --> 00:48:45.460
own and a couple of powered-off ones in the IT shack.

00:48:45.460 --> 00:48:48.539
His report and findings so far looked dismal.

00:48:48.539 --> 00:48:51.759
This has been the hardest assignment he’s ever had.

00:48:51.759 --> 00:48:55.259
Now day three is over and he heads home.

00:48:55.259 --> 00:48:56.259
Morning comes.

00:48:56.259 --> 00:48:58.239
It’s now Thursday and he’s getting ready to go into the office.

00:48:58.239 --> 00:49:00.750
TINKER: I call up an associate of mine.

00:49:00.750 --> 00:49:05.579
I told him here’s everything I did, but I ran the check to see if I had privs and

00:49:05.579 --> 00:49:07.079
it said I did not have writability.

00:49:07.079 --> 00:49:09.420
He goes well, did you try it anyways?

00:49:09.420 --> 00:49:11.150
I’m like oh, goddammit.

00:49:11.150 --> 00:49:12.450
No, I didn’t.

00:49:12.450 --> 00:49:14.500
I just assumed.

00:49:14.500 --> 00:49:18.609
I went ahead and tried to write to it and I could.

00:49:18.609 --> 00:49:22.930
[MUSIC] Even though Windows came back and told me I couldn’t, I was allowed to write.

00:49:22.930 --> 00:49:27.190
This kind of tells you don’t listen to the output of the tools that you’re trying to

00:49:27.190 --> 00:49:28.190
hack into.

00:49:28.190 --> 00:49:33.519
Turned out again, this third party software that ran all the access control, the third

00:49:33.519 --> 00:49:36.430
party allowed them to write even though the native Windows didn’t.

00:49:36.430 --> 00:49:40.119
Third party superseded native Windows.

00:49:40.119 --> 00:49:44.880
At this point I now have a meaningful way to escalate privileges to system level and

00:49:44.880 --> 00:49:46.290
I tried it out.

00:49:46.290 --> 00:49:51.349
I went with my colleague; he wrote a stager and I wrote the malware for it.

00:49:51.349 --> 00:49:57.420
He wrote an executable that will then call my PowerShell, reverse shell.

00:49:57.420 --> 00:50:03.809
I think it was just a tweaked version of Veil or some sort of PowerShell, remote shell.

00:50:03.809 --> 00:50:07.390
We tested on my own workstation, unplugged from the domain.

00:50:07.390 --> 00:50:11.470
At this point I’m getting kind of gutsy here and it worked.

00:50:11.470 --> 00:50:15.170
JACK: Okay, so for this exploit here’s what needs to happen.

00:50:15.170 --> 00:50:20.540
First he has to put the exploit on a USB drive and then physically take it to another computer.

00:50:20.540 --> 00:50:22.789
He would do this while a person wasn’t at their desk.

00:50:22.789 --> 00:50:27.970
TINKER: Log out of their user, log in as the local admin, drop two sets of malware.

00:50:27.970 --> 00:50:33.609
JACK: Drop it in as in copy it from the USB to the computer and then log out as admin.

00:50:33.609 --> 00:50:37.640
Then when the user comes back and logs in, his malware should give him remote access

00:50:37.640 --> 00:50:38.640
to that computer.

00:50:38.640 --> 00:50:43.229
TINKER: Even though I found this way to do it, it’s still under – a person has to

00:50:43.229 --> 00:50:45.759
break in by this point to have physical control.

00:50:45.759 --> 00:50:46.930
I’m like you know what?

00:50:46.930 --> 00:50:47.930
Screw it.

00:50:47.930 --> 00:50:48.930
We’re gonna do this.

00:50:48.930 --> 00:50:49.930
JACK: He thinks over this plan.

00:50:49.930 --> 00:50:54.130
This is a risky move but if done right could get him access to that person’s computer.

00:50:54.130 --> 00:50:55.999
So whose laptop would be worth getting into?

00:50:55.999 --> 00:50:57.289
Maybe the CEO’s.

00:50:57.289 --> 00:51:00.729
Hm, yeah, but they weren’t at this office.

00:51:00.729 --> 00:51:02.819
Who else? The IT team.

00:51:02.819 --> 00:51:03.819
[MUSIC] Perfect.

00:51:03.819 --> 00:51:05.240
TINKER: I’m gonna go straight for IT.

00:51:05.240 --> 00:51:06.874
I’m gonna hit IT and I’m gonna take them down.

00:51:06.874 --> 00:51:08.440
I’m gonna get system level remote access.

00:51:08.440 --> 00:51:12.619
JACK: With this remote access you’d be able to do everything including reading the CEO’s

00:51:12.619 --> 00:51:13.619
e-mails.

00:51:13.619 --> 00:51:17.819
The plan was to wait until lunch when he could go over to the IT team’s computers and put

00:51:17.819 --> 00:51:19.739
this malware on it.

00:51:19.739 --> 00:51:24.940
He waits and waits, peering over his cubicle from time to time.

00:51:24.940 --> 00:51:30.230
He watches a few more of those onboarding videos for Marketing and waits until lunch.

00:51:30.230 --> 00:51:34.430
The Marketing team asks him to go to lunch and he’s like no, no, I’m fine but they

00:51:34.430 --> 00:51:39.029
kept insisting and he’s like no, really, I want to stay so his team leaves him behind.

00:51:39.029 --> 00:51:40.990
He thinks okay, now’s a good time.

00:51:40.990 --> 00:51:45.650
TINKER: I set up a listener on my rogue machine and I go start walking.

00:51:45.650 --> 00:51:51.309
I’ve got a little thumb drive with my malware on it and their antivirus didn’t detect

00:51:51.309 --> 00:51:54.450
it ‘cause we kept it very low level.

00:51:54.450 --> 00:51:58.980
I go over to the IT area and I shit you not, the bulk majority of IT are sitting there

00:51:58.980 --> 00:51:59.980
eating lunch at their desk.

00:51:59.980 --> 00:52:00.980
I’m like a) that’s not healthy.

00:52:00.980 --> 00:52:01.980
That’s not good work.

00:52:01.980 --> 00:52:03.589
You need to get away from your computer.

00:52:03.589 --> 00:52:06.430
You need to stand up.

00:52:06.430 --> 00:52:08.700
You need to walk.

00:52:08.700 --> 00:52:10.559
But are you kidding me?

00:52:10.559 --> 00:52:15.509
This is not saying this is a valid defense technique, seriously.

00:52:15.509 --> 00:52:19.440
One person can be there if they really need to but people need to get up and move away

00:52:19.440 --> 00:52:21.109
from their computers, even IT.

00:52:21.109 --> 00:52:22.109
I’m frustrated.

00:52:22.109 --> 00:52:24.070
I start walking and pacing around.

00:52:24.070 --> 00:52:27.030
At this point I’m getting kind of heated.

00:52:27.030 --> 00:52:28.289
I’m losing my cool.

00:52:28.289 --> 00:52:33.119
I go around a corner; I finally find an area that doesn’t have anybody and sure enough

00:52:33.119 --> 00:52:34.280
it’s Finance.

00:52:34.280 --> 00:52:37.190
I’m gonna take down Finance.

00:52:37.190 --> 00:52:38.220
I go up there.

00:52:38.220 --> 00:52:45.180
As I’m up there I see one lady sitting down next to one of these cubicles and I’m just

00:52:45.180 --> 00:52:46.180
gonna go for it.

00:52:46.180 --> 00:52:47.390
I tell her; I go look, I’m IT.

00:52:47.390 --> 00:52:48.549
I’m about to do some updates.

00:52:48.549 --> 00:52:49.549
She goes okay, sounds great.

00:52:49.549 --> 00:52:50.690
I go ahead and do it.

00:52:50.690 --> 00:52:55.720
I pop it up and about thirty seconds it takes me to log out, log back in, drop the malware

00:52:55.720 --> 00:53:01.180
into the correct folder, log out again, and then leave.

00:53:01.180 --> 00:53:04.979
JACK: He goes back to his desk and waits.

00:53:04.979 --> 00:53:09.150
Now what he’s waiting for is that lady from Finance to finish her lunch and to log back

00:53:09.150 --> 00:53:10.150
into her computer.

00:53:10.150 --> 00:53:13.390
He pulls Metasploit up and waits and watches.

00:53:13.390 --> 00:53:15.220
Metasploit is like a hacker’s tool bag.

00:53:15.220 --> 00:53:17.950
It contains hundreds of exploits and tools to hack into stuff.

00:53:17.950 --> 00:53:19.670
He’s got this hack all set up.

00:53:19.670 --> 00:53:24.140
He’s staring at his screen and it says the listener is running and waiting for mode activity

00:53:24.140 --> 00:53:25.450
or something like that.

00:53:25.450 --> 00:53:30.479
If everything is set up right, when she comes back and logs into her computer he’ll then

00:53:30.479 --> 00:53:33.569
have remote access to that lady’s computer in Finance.

00:53:33.569 --> 00:53:37.380
The screen will say Meterpreter Session One Open.

00:53:37.380 --> 00:53:39.410
He waits for activity.

00:53:39.410 --> 00:53:41.609
Nothing. Nothing.

00:53:41.609 --> 00:53:46.880
He peeks over the cubicle wall sometimes to see if he can see her but he can’t see anything.

00:53:46.880 --> 00:53:48.720
He waits longer, longer.

00:53:48.720 --> 00:53:50.380
He just keeps waiting.

00:53:50.380 --> 00:53:51.670
Come on, lady.

00:53:51.670 --> 00:53:52.880
The wait is killing him.

00:53:52.880 --> 00:53:57.160
It’s now been forty-five minutes at this point and he’s starting to think it didn’t

00:53:57.160 --> 00:53:58.160
work.

00:53:58.160 --> 00:54:01.549
She had to be back by now and for some reason, whatever reason, the malware just didn’t

00:54:01.549 --> 00:54:02.549
work.

00:54:02.549 --> 00:54:03.549
TINKER: I’m about to give up.

00:54:03.549 --> 00:54:07.920
I see Meterpreter Session One Open, right, and I’m like oh yeah, there it is.

00:54:07.920 --> 00:54:12.339
Then I see Meterpreter Session Two, Session Three, Session – it popped eight shells.

00:54:12.339 --> 00:54:14.890
It tried to call this thing eight different times.

00:54:14.890 --> 00:54:17.739
I’m like yes, I’m in, alright!

00:54:17.739 --> 00:54:20.759
[MUSIC] I start rifling through this person’s computer.

00:54:20.759 --> 00:54:21.759
I get persistence.

00:54:21.759 --> 00:54:27.170
I actually get a couple passwords for finance, some small ones.

00:54:27.170 --> 00:54:32.779
Right as I’m about to start dumping memory I lose my connection.

00:54:32.779 --> 00:54:34.989
The session closed.

00:54:34.989 --> 00:54:36.739
I’m like oh, no.

00:54:36.739 --> 00:54:38.049
No, no, no.

00:54:38.049 --> 00:54:40.230
I have been without sleep, I’ve gone too far.

00:54:40.230 --> 00:54:41.559
What the hell happened to my shell?

00:54:41.559 --> 00:54:46.239
I get up and I make a beeline right to that lady’s laptop ‘cause I’m gonna go pop

00:54:46.239 --> 00:54:47.239
another shell, you know.

00:54:47.239 --> 00:54:49.960
I’m like get out of my way!

00:54:49.960 --> 00:55:00.200
As I go, I round this corner and this precious little old lady reminds me of my grandmother;

00:55:00.200 --> 00:55:05.229
she’s looking up at this IT guy and she’s like no, I don’t understand.

00:55:05.229 --> 00:55:08.089
They told me you guys were updating my computer.

00:55:08.089 --> 00:55:12.829
Right as I come around heated, she turned and kind of glances at me and goes him!

00:55:12.829 --> 00:55:14.030
It was him!

00:55:14.030 --> 00:55:16.430
I’m like oh, fuck!

00:55:16.430 --> 00:55:22.839
I let out this high-pitched seventh-grade girl scream, you know, and I turned around

00:55:22.839 --> 00:55:26.800
and right as I turned around there’s two more IT guys right there.

00:55:26.800 --> 00:55:27.800
I’m like oh, shit.

00:55:27.800 --> 00:55:33.359
[LAUGHING] And they’re looking right at me like who the fuck are you and why are you

00:55:33.359 --> 00:55:34.529
calling yourself IT?

00:55:34.529 --> 00:55:37.190
They sat me down and they said who are you?

00:55:37.190 --> 00:55:38.950
What are you doing with these computers?

00:55:38.950 --> 00:55:39.950
Kind of thing.

00:55:39.950 --> 00:55:43.220
JACK: When a penetration tester gets caught like this, they have to think.

00:55:43.220 --> 00:55:47.890
Should I try to escape this situation or should I just tell them I’m here working for the

00:55:47.890 --> 00:55:48.890
CISO?

00:55:48.890 --> 00:55:51.559
In this case he decided to say I’m working for the CISO.

00:55:51.559 --> 00:55:53.890
TINKER: At this point I’m at the end of my rope.

00:55:53.890 --> 00:56:01.910
I’ve done a very thorough test even more than what I’ve gone into here over a good

00:56:01.910 --> 00:56:02.910
week.

00:56:02.910 --> 00:56:06.980
I’ve stayed late, I’ve done everything I can think of and even learned some new tricks

00:56:06.980 --> 00:56:07.989
along the way.

00:56:07.989 --> 00:56:14.170
While I was able to find several different things, an easy password on local admin, even

00:56:14.170 --> 00:56:17.880
a shared password even though they used the other ones, some clear text credentials here

00:56:17.880 --> 00:56:18.880
and there.

00:56:18.880 --> 00:56:20.190
A lady gave me her pin over the phone.

00:56:20.190 --> 00:56:22.960
A lot of these things they could tighten up.

00:56:22.960 --> 00:56:27.670
Long and short, they stopped me and we brought in the CISO.

00:56:27.670 --> 00:56:29.329
He said hey, good job.

00:56:29.329 --> 00:56:30.619
Here’s the situation.

00:56:30.619 --> 00:56:31.619
He’s okay.

00:56:31.619 --> 00:56:36.020
We went into an initial debrief with what I had done and how they found me.

00:56:36.020 --> 00:56:42.890
I asked them; I go look, I ran the safest frickin’ shell that I could run.

00:56:42.890 --> 00:56:48.660
I even tested it against your antivirus and your antivirus didn’t catch it.

00:56:48.660 --> 00:56:50.740
I was only there for thirty minutes.

00:56:50.740 --> 00:56:52.910
How did you find me?

00:56:52.910 --> 00:56:58.810
They said you were running PowerShell from a finance computer and finance doesn’t run

00:56:58.810 --> 00:57:00.150
PowerShell.

00:57:00.150 --> 00:57:04.299
The only people that run PowerShell are IT and maybe some of our Devs, you know, DevSecOps

00:57:04.299 --> 00:57:05.299
or DevOps.

00:57:05.299 --> 00:57:09.410
JACK: PowerShell is kind of like a super command line tool in Windows and yeah, only

00:57:09.410 --> 00:57:11.790
technical people ever use it or need it.

00:57:11.790 --> 00:57:17.049
The Finance Department would never run it so this sort of behavior is like anomaly-detection.

00:57:17.049 --> 00:57:20.470
That lady in Finance has never, in all the years she’s ever worked there, run

00:57:20.470 --> 00:57:21.470
PowerShell.

00:57:21.470 --> 00:57:26.109
But this exploit did and since it was so out of the ordinary is how he got caught.

00:57:26.109 --> 00:57:31.410
TINKER: But yeah, it was one of the toughest places and I like telling that story when

00:57:31.410 --> 00:57:35.749
Blue Team kicked Red Team’s ass because it showed what worked.

00:57:35.749 --> 00:57:39.849
Like I said, I still found a lot of different things that they could tighten up.

00:57:39.849 --> 00:57:44.420
They weren’t perfect by any stretch of the imagination but they had such robust security

00:57:44.420 --> 00:57:49.020
that they were able to not only detect me but act on it.

00:57:49.020 --> 00:57:51.069
It’s not enough to detect an attack.

00:57:51.069 --> 00:57:55.920
You have to do proper response and containment and I tell you what, they had all three.

00:57:55.920 --> 00:57:59.749
JACK: I imagine the IT team was proud of what they did to stop him but they remained focused

00:57:59.749 --> 00:58:01.759
and serious as Tinker went over the report.

00:58:01.759 --> 00:58:03.630
TINKER: They were taking ready notes.

00:58:03.630 --> 00:58:05.549
They didn’t gloat.

00:58:05.549 --> 00:58:09.900
They didn’t rub it in and they also didn’t take offense at the things that I found.

00:58:09.900 --> 00:58:14.170
They were very professional and they said they appreciated it and looked forward to

00:58:14.170 --> 00:58:15.270
my full report.

00:58:15.270 --> 00:58:17.369
It was the epitome of professionalism.

00:58:17.369 --> 00:58:21.270
JACK: I like this story because not only do we get to see what a penetration tester does

00:58:21.270 --> 00:58:25.119
but we also get to see what steps a company can take to make it really hard for hackers

00:58:25.119 --> 00:58:26.369
to get in.

00:58:26.369 --> 00:58:29.120
Because the harder it is, the more resources a hacker has to have.

00:58:29.120 --> 00:58:34.300
They have to have more time or more processing power or more people or more exploits or something.

00:58:34.300 --> 00:58:37.469
The harder you make it for them the more motivated they have to be to get through

00:58:37.469 --> 00:58:38.469
it.

00:58:38.469 --> 00:58:41.940
They’ll probably just give up and move onto something else if it’s too hard.

00:58:41.940 --> 00:58:45.981
Just to recap what worked here for this company, they had multiple layers of security, defense

00:58:45.981 --> 00:58:46.981
in depth.

00:58:46.981 --> 00:58:50.880
They had a minimum twelve-character password policy which made passwords hard to crack.

00:58:50.880 --> 00:58:53.470
They had two-factor authentication almost everywhere.

00:58:53.470 --> 00:58:58.380
They limited access to each user which made it hard to do any remote logins.

00:58:58.380 --> 00:59:02.569
The local admin had very limited access and the logging that was on everyone’s computer

00:59:02.569 --> 00:59:08.200
allowed them to detect and find this hacker within minutes of him doing an exploit.

00:59:08.200 --> 00:59:12.440
All this added up creates a nightmare scenario for Tinker and will probably be enough to

00:59:12.440 --> 00:59:14.640
create a nightmare scenario for any other hacker.

00:59:14.640 --> 00:59:17.921
TINKER: The CISO was very – it was just professionalism from the top down.

00:59:17.921 --> 00:59:25.079
You could tell that this was a culture of continual self-introspection and self-awareness

00:59:25.079 --> 00:59:29.069
as it related to their environment and continual improvement.

00:59:29.069 --> 00:59:33.999
He went in with the idea that at a certain point, you can’t have a perfectly secure

00:59:33.999 --> 00:59:36.599
system or no one’s going to be able to use it.

00:59:36.599 --> 00:59:41.109
If someone can use it you can – an attacker can emulate that user in some form or fashion.

00:59:41.109 --> 00:59:45.319
He’s like, we’re getting to the point where we have risk acceptance.

00:59:45.319 --> 00:59:51.400
If you have to break into my place and physically access a computer and do all this kind of

00:59:51.400 --> 00:59:57.440
stuff, at that point the only people I’m really worried about are really high-end criminal

00:59:57.440 --> 00:59:59.539
groups; the NSA and Mossad.

00:59:59.539 --> 01:00:02.869
If it takes the NSA and Mossad to hack into my place, fine.

01:00:02.869 --> 01:00:04.710
We’ll accept that.

01:00:04.710 --> 01:00:07.640
JACK: Thank you so much for sharing this story with us.

01:00:07.640 --> 01:00:08.640
TINKER: Cheers, cheers.

01:00:08.640 --> 01:00:11.029
Thank you for having me here to tell that story.

01:00:11.029 --> 01:00:14.180
A quick shout out to the Dallas Hackers Association.

01:00:14.180 --> 01:00:21.920
I’ve never met a more vile bunch of criminals, thieves, con artists, and hackers in my life

01:00:21.920 --> 01:00:25.400
but there’s some good folks.

01:00:25.400 --> 01:00:32.339
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries.

01:00:32.339 --> 01:00:36.980
Thank you to Tinker for telling us this amazing story and teaching us about pen testing.

01:00:36.980 --> 01:00:39.900
You should follow him on Twitter because he tells a lot more stories like this.

01:00:39.900 --> 01:00:42.280
His name there is @TinkerSec.

01:00:42.280 --> 01:00:45.019
Also thanks to Proximity Sound for doing that voice intro.

01:00:45.019 --> 01:00:46.319
That was really cool.

01:00:46.319 --> 01:00:51.000
Darknet Diaries is going to do a bit of a rebrand in the next few weeks with a new logo,

01:00:51.000 --> 01:00:52.339
web page, shirts, stickers.

01:00:52.339 --> 01:00:54.969
I’m super excited to roll it out so look for that soon.

01:00:54.969 --> 01:01:01.210
This show is made by me, the President of D-Corp, Jack Rhysider.

01:01:01.210 --> 01:01:05.770
Intro music is by Breakmaster Cylinder who you could always find hanging out at the Red

01:01:05.770 --> 01:01:13.939
Wheelbarrow BBQ.
