Recon Village - Finding the needle in the Twitter haystack
Formal metadata
Number of parts | 335
License | CC Attribution 3.0 Unported: You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/48759 (DOI)
Transcript: English (auto-generated)
00:00
Okay everyone, let's get started on the next talk. This is a lightning talk, so I will get handed straight over. The next talk is Finding the Needle in the Twitter Haystack, and I will hand over to the wicked clown. Thank you very much. Oh, he's taking a selfie. Okay, thanks very much, everyone. There you go. Hi. So yeah, this is my talk, Finding the
00:20
Needle in the Twitter Haystack. I talk quite fast, so if you're on YouTube, press shift and arrow, and it's slowed down and actually turned into a proper talk. Who am I? I'm not. I'm not an American. Australian Canadian, French, German. I'm not a pen tester. I'm definitely not a blue team. I'm not a coder. I do try. I'm very trying. I'm definitely not sober. I'm not a
00:43
bad guy, so Mr. American FBI man, please don't arrest me on the way home. But who I am? I'm wicked clown. I am from the United Kingdom. If you don't know where that is, that's near France, where you guys won the World Cup, the Women's World Cup. Go US. Yay. I am a biker. I am a hacker. Like I said, I'm not a pen tester or anything like that, so I view myself as a hacker. I am a family man to a wonderful family, so I don't get
01:04
a lot of spare time to do my security research. I am a co-founder of Def Con Gloucester in the UK. I'm also dyslexic. Why do I bring that up? It's the first time I've brought it up in public. If you don't know what dyslexic is, it means I have a learning disability. I can't read or write very well. And when you look at other people's
01:22
talks or presentations, they talk about how they read an RFC or they've written a book or they've done something similar to that. And we look at some of the...when they do their call for papers, they do the presentation. It's like an essay. I can't read 100 words, let alone write 100 words, so I'd like to thank the Recon Village for allowing me to speak here, and if I can inspire anybody with student
01:40
disabilities to come up and talk. And that's an achievement unlocked for myself. So I'm going to talk about three tools that I've written to view people's tweets, search timeline, and show who they're communicating most with. I know you can do that with Twitter, with the GUI, so I'm going to explain a bit more of it and what's the difference between my tools and doing it online.
02:01
Before I go on that, I want to talk about the Lockheed Martin Cyber Kill Chain. It'll all make sense in a minute. If you don't know what this is, it's what Lockheed Martin says: that as a bad guy, we have to take each of those steps and get to be successful in each one, and the defender has to be right once. They just have to block us on either delivery or exploitation. They can block us there, then it's game over for us, which is true,
02:21
but in my head, I'd say it doesn't quite work very well. This is how I view it. If you're color blind, the red are the up and down, and blue, left and right arrows. So the reason why I'm just bringing this up is because with recon, this is where we can spend most of our time and effort, and the blue team has zero visibility of what we're doing. So we can actually hide that, do what we're...more information, more recon we get. I know I'm preaching to the choir here,
02:42
but the more recon we do makes our jobs more successful. So when it gets to weaponization, this is where the blue team starts to build up. If they're only running Windows operating systems, they don't care about Linux exploits. So that means they're only concentrating on that. So it means we've got to now focus our efforts into Windows exploits because all the Linux ones no longer exist. When it moves down to delivery,
03:01
it's 50-50. Blue team can't just shut off the internet, they can't just block all emails, so we now have to hide in that information. We need to hide to make sure the emails that's going through the system is locked to the judgment and any packets we send are going through. When it gets down to exploitation, this is our hardest bit as the attacker. The reason is because we have to make sure that we break that system.
03:22
It's the easiest job for the blue team because all they have to do is make... If they've got good patch management in place, good user training in place, good user awareness, it's going to be very hard for us to exploit it. So we have to make sure that the recon, everything we do in recon, funnels down to that point so we can be successful. But then once we get past exploitation, this is where we have the blue team
03:40
on the back foot. We can then use installation so we can actually start pivoting and going through the network and they're going to try to get rid of us. Once we get command and control in other boxes, we can naturally move and pivot so we can actually, so they take out one host, we still hopefully have persistence somewhere else to exploit. Then we get actions on objectives when we actually have full control of the network, blue team are struggling, they're in a massive firefight,
04:02
and then we pretty much own the network. So the reason why I brought this up is because I said recon is the most important phase in my understanding of this. So this is why I've written this tool, all my tools. So basically, I'm going to look at a friend of mine, Chris John Riley. I've asked his permission to do this, so it's okay.
04:21
The reason I picked on him is because he's a prolific tweeter. He's done loads of tweets. He's got loads of people following him and it's going to be really hard to get some info and intel on him. So first, we can view the tweets. What this tool does, it actually just shows the tweets and retweets, sorry, tweets and replies. It doesn't show the retweets.
04:40
I don't really care about what other people are saying when Chris John Riley tweets or retweets. I want to know how to get inside of his head, which is a very scary place at the best of times, but I want to get inside. I need to understand him if I want to be exploited. So if it's a retweet, I'm not interested. I want to know what he's tweeting, what he's talking about, what he's thinking, what he's feeling. I need to understand his communication.
05:02
I also want to search his timeline. The thing is that with the machines on the GUI one, it puts it in just random order. Here, it actually puts it in chronological order. So it makes it really easy to actually get that information out. So if I need to extract, so if I'm doing a search on a conference or something he's attending and he's hashtagging it, that means I'm going to get all that information there and then.
05:22
So I'll be able to find his movements, understand how he's doing, what he's moving, what he's talking about instead of going through all the search ones to try to find that information. This is the bit I find most useful. It actually does count how many mentions that they're using. I don't need to do this on the GUI front end itself. So we see here that we've got SBLIP, where we're at the last one,
05:42
2021 tells, byte down 130, digit into 100 times. So these are the people he's actually talking to, communicating with. So these are now, we've got a circle of trust. This is where we actually believe he's actually communicating more with, he's actually talking to. So if we can exploit that trust, we can then hopefully exploit him. So it also gives us more information about his hobbies and interests and stuff like that.
06:03
So let's put it together and let's see if we can actually make this work. Come on screen. This is going to pop up. Come on, there we go. Thank you. Okay. So I'm in the wrong place to start off with. All right.
06:22
So if we do search his tweets, let's hope he hasn't put anything dodgy up. So now we see all his tweets. But it also puts it in, so it's easier to see. And if we actually look at his tweets here, it's pretty hard to actually look for you,
06:44
see what's actually going on. We see he's got a retweet there. He's got a few other tweets. But if we look here, we can actually see his tweets and see it's for us to view and see. It makes it a bit more easy to consume the information. If you want to search now, do search like his users.
07:12
So it's now going to retrieve all his mentions that he talks about people. So it takes a few seconds for it to come back. And you see here, we've got SB Velux here, 220, Belgan, 143, 202.
07:23
But we also now understand his interests. We've got DJ Jackalope there. We have Duroco Music here. So we now understand his music taste as well. So by using this information, we hope to be able to get some sort of a more successful payload by doing the recon on. And how many of us is actually somebody sends you a link from a trusted source,
07:42
you're more likely to click the link, open it, or do something else than somebody from somebody you don't know. So this is the reason why we do this. So if we look at his searches, and we search for Chris John Riley,
08:08
and we search for Digi Ninja, because he's been speaking lots to him. So we can see the conversation going here. But now if we actually do the same thing again, but this time flip it around.
08:25
So we go, and this time we do the search. But this time we do Digi Ninja. This is the first time I've done a demo live. Normally I do a video because I talk too fast and it slows me down.
08:51
So now when it comes back to go up here, go up to the top,
09:01
and go to the top here again. So now we can see the conversations happening between the two. So for example, here it says, maybe, let's scroll up a bit. Is there an equivalent ramp of a sushi boot? A ramp of a boat with liquid inside should be able to sink.
09:22
Maybe a float sushi boot on the ramp. Now it sounds like a pipeboat. So now we're seeing conversation between him and other people. So we can actually look at how he's talking to people and how people are interacting with him. This just gives us more, doing a fishing attack, a lot more high chance of success to actually do that. So if we actually try to look at that now on Twitter,
09:47
when we try to see the same conversations going and doing the search, we can see now it's all dotted all over the place. So we hear from this year, last year, this year, this year, last year, this year, last year. So when we do the search, it's not in a chronological order. So it's trying to actually find the information that we need to use
10:01
to be able to exploit him. But we're seeing there how we're looking at a person with conversation talking with each other, how we'd be able to give that information
10:20
to be able to understand what's going on. But what about companies and organizations that are just broadcasting? We feel like Donald Trump, he just broadcast information. He doesn't actually have conversation with people on Twitter. Companies just broadcast information on Twitter. So since we mentioned Lockheed Martin, we'll add Lockheed Martin's Twitter feed. So we see here, we do the same, do the search, and we see that RAM envelope O space 156, F-35, F-33.
10:45
So we're also seeing there that we have high confidence now that this is an official Lockheed Martin Twitter feed because we're actually seeing mentions that would actually be expected for Lockheed Martin to receive. We're not seeing Bieber there or somebody else, Spice Girls or something there
11:01
that we actually know that it's not somebody spoofing Lockheed Martin. This is actually a Lockheed Martin's website, I think. So we look at Ram Ambrose. You see this, that's Rick Ambrose, he's the leader of space. So we can actually have a human to actually target. We can do like the supply team targeting. We're not going to be able to get into Lockheed Martin, but we might be able to exploit him to actually pivot our way into it.
11:22
Remember, we have the F-35 there. So we look at the F-35 Twitter feed again. We see Lockheed Martin, Luke, Air Force Base, Royal Air Force. So we now know that this is again an official Twitter feed from Lockheed Martin. We have very high confidence of that. We also see there called Billy Flynn. We look at Billy Flynn, he's the F-35 test pilot.
11:40
So this is now giving us information and insight on somebody else. I'm not going to be able to tap the F-35. I can't stop the F-35 from flying. But if I can take down the F-35 pilot, the F-35 doesn't fly. It's a very clear plane, but I believe it still needs a pilot to actually take off. So yeah, so quickly, that's the end of it. So you do need to register with Twitter to get yourself,
12:02
what's the word? The developer license code to actually be able to communicate with it. You are also limited to 3,000 tweets per search, which I don't think is a restriction. So someone like Chris John Riley, who's constantly tweeting all the time, I want to see the latest tweets, the latest information, the latest people he's talking to. Because if I try and spoof somebody
12:20
that's three, four years ago, I think their email has been compromised and they're not going to believe what they're talking to. So I need to have that up-to-date information for them to actually be able to believe it's working. So yeah, that's it, thank you very much. I'll talk quick, get us back in time. So yeah, if you want more information.
12:41
Yeah, there you go. Thank you very much.