PACKET HACKING VILLAGE - Fishing for Phishers. The Enterprise Strikes Back!

Video in TIB AV-Portal: PACKET HACKING VILLAGE - Fishing for Phishers. The Enterprise Strikes Back!

Formal Metadata

Title
PACKET HACKING VILLAGE - Fishing for Phishers. The Enterprise Strikes Back!
Title of Series
License
CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Abstract
Phishing and social engineering have been around since Han Solo first flew the Millennium Falcon. The typical response is deleting the messages and giving the middle finger; however, what more could be done to strike back? This talk will cover how to build an artificial environment and develop anti-phishing tools used to respond to phishing attempts. Results could include owning the attacker's box, "hypothetically", since some legal boundaries could be crossed.
and I want to introduce you make the introduction to Americana and joy Moonies so Joey happening to be a DJ as well too and American she seems like forever so the last time you were going to the last time you you have you invited a apparently did you have to take the early flight home to the Philippines because of some some things happened and you don't want to know okay so without much ado do anyone eat I mean I like honey thanks thanks me all right how you guys doing Sunday yeah all right first off I've been the DEFCON forever and this is actually our fourth time speaking for this event but I've never brought my daughter so you can see I have the earmuffs on because we do use foul language at times but this time we may not so hopefully Hey oh she can hear us all right she can hear us we'll have to be careful with all the language but there will be an earmuff warning for this particular talk because of that the other warning is unfortunately I'm Erin I work for big companies and our HR departments got a hold of our talks before this and because hi YouTube and the recording of this we had to cut off a little bit of the video we're gonna show it may be posted later in our blogs but we wouldn't apologize up front we got censured by our HR people because we like our jobs and some stuff we're gonna talk about now is not necessarily legal not it's not hypothetically legal right this is all in our minds or some oh yeah we'll be using the term magic land so when we say something happened in magic land or not omitting guilt - what we're gonna talk about basically the subject is if you've didn't see it on the talk it's fishing for fishers the Empire Enterprise Strikes Back and the idea is we're gonna talk about fishing which we've all hopefully have heard of fishing even real insertive fishing we're going to talk about what you can do from a legal perspective to defend against it and then we're going to flip to the dark side and talk about well what else could he do how can 
you actually hack back which is essentially not really illegal basically as we said it's been for the talks that we've done you can check out our other talks on YouTube we've done a ton but let's first introduce ourselves there all right so first of all I look much better than a suit so I decided for that picture up there but my name is a mark America Connie I'm actually a researcher Maur reverse engineer and I do stuff in forensics I run the doctor chaos blog if any of you guys have heard of that but yeah it's me I'm a hacker that's kind of what I do and a whole bunch of other BS I guess and then Joey work for Cisco an architect I have the security blogger again on our blogs either dr. chaos and/or security blogger will show the rest of this hopefully later we just were told not to do it right now together we've written four different three different books in one video class and then we've also done books independently our latest book is
investigating it's basically forensics for a network engineer and part of that book we'll talk today about like honey pots and how to create one how to create a cuckoo honey pot there'll be some details that we're gonna leave out because it's just a long subject but a lot of those answers could be found also in the book so that's who we are and what's getting to the talk so fishing we've all likely seen fishing as you probably know it's not just email a lot of times it's email it could be phone calls to be text messages this is the classic paypal fish this one I actually I got over the phone I don't know if this year if you guys experienced this in the USA but I had this new key robot voice call me saying that I owe the IRS a bunch of money and then when you call back basically the scam is that either I can wire them the money now and not go to court or I'm gonna be forced to go to court but that's a very popular one and a lot of times that's the case the phishing attacks there they're timing it based on certain things so at Cisco I'll tell you now are the if you want to fish us the easiest one is the UPS fake email because basically it's Christmas time you don't know if you're a husband or wife got you something you're like oh what is this and you just click it so that's typically the most effective one for us when we fish ourselves as the UPS one good news though is a lot of the vendors that provide email and communication are aware of phishing and they have this thing called reputation security where you'll get the flag that says this email has been seen a bunch of times it's probably not real so at least like the vendors themself are offering some something for you but still it's not enough so the one on one on fishing and again we're going to start with what is phishing going to legal then illegal the 101 is first the training and if you see Engrish basically most likely somebody's using a translator you're gonna find later in our talk I mean there's call 
centers dedicated to doing this in other countries and they don't understand the native language they just use translators I've personally been busted on like Russian sites using translators and they're like you're not speaking proper Russian you're using a translator so broken language is one other things I look for public data this actually goes back to our talk that you didn't show up for cuz you had to go to the Philippines you a-hole but we were supposed to talk I did it myself but long story short we did a social engineering attack and it was based on a fake account and a lot of the data we were using was all based on LinkedIn and Facebook Sabri reading what's already public against you so know what's public against you is the second concept you know on this one I just thought time out and for using information against you I remember when you on Facebook and we connected 1:1 that one guy and he's like hey I don't really trust you remember that and you're like like hey I just looked up his common friend and saw that he was in New York and said I ran into Matt in New York in like two seconds and the guy's like oh cool you know Matt I guess I trust you now the story on that one was 10 years ago you can see the guys like job history and ten years ago it said you worked at Hungry Howie's Pizza so then I said oh yeah I was and we were by the way we're blond hot girl named Emily Williams but I was like yeah uh Derrick I was Derrick's girlfriend and he see Derrick current location New York City so I was like yeah I ran into New York Derrick in New York City and we were talking about you so again just the idea is you can look at people's public records Facebook records basically read it against them especially five or ten years old they're not going to know like and remember all their friends of friends type people and just play that role so public data is another one a lot of times when I am doing this kind of stuff I want to know what the intent is there's always a 
trick there's always a scam so figuring eBay know I always ask what are they trying to get from you is that why Earling money is it sending it data the to hack backs we're gonna talk about one was they wanted a document with sensitive data the other one was the plant malware on our computer and we're gonna reverse that on them and that's at the end of the talk final thing don't be afraid to question people if somebody does start fishing you ask who are you how do I tell you it's not really that offensive and less like you're a mirror that like does it over and over to you and you're like you don't remember me dude we've been seeing each other like at work every week you still don't know my name like other than that that's like kind of awkward typically questioning somebody who are you is okay phishing just to be clear on the language there are two types of fishing there is the smash-and-grab which is basically you don't know the target you don't care about the target it's just blasting out a bunch of emails or spearfishing and you're whaling it's more targeted so be aware of that a lot of the fishing is typically not targeted so you'll get the fake email that is going to everybody that particular email in most cases you can copy and paste in Google and you'll find that the same emails been sent and people are complaining about it so usually smash-and-grab is really easy to find via google where the spearfishing and whaling is not because now they're actually going to your Facebook your LinkedIn and creating a special present for you so again you know ground zero that's what phishing is in spearfishing now in general I've given a bunch of examples but these would be basically some exhaust some technical examples beyond just the phishing email a lot of times you have to know where it's coming from and this kind of gets down to the security stuff like DNS security etc a lot of times with spearfishing people are gonna buy a website that's kind of like yours or source 
kind of like yours and that's how they're gonna send the information because most people don't check that Google has two O's versus two zeros yeah yeah well you know we know this example is like pretty stupid right it's it's pretty obvious that's that's fine most attackers are gonna be a little more creative and not making that obvious but the other thing I want to point out is you can actually have websites that look exactly like the source site because what was happening is uh attackers were using ASCII characters or other character sets different language character sets as well so it actually confused a browser so you did have something that looked like exactly like that now luckily most browsers have fixed right I mean they can't came up with updates like to see or I believe all of them did and kind of fix that all right so the defense's here's the legal defenses before we get into the illegal this is your standard blocking stuff so if you want to know what I can do about phishing 101 the first thing is gonna be reputation security what is that that is credit scoring where you connect to so if somebody says they're a bank they've been online for two hours they're they're hosted from GoDaddy they say they're a US bank they're really out of like North Korea obviously it's not a bank you drop it most security vendors offer this it's hard to read but the website I have a bad reputation calm I challenge you all to go back to your company go - I have a bad reputation calm and see what you see if you see this like pac-man ghost guy that means you don't have reputation security that means anybody can set up a site right now and set a bunch of crap to you if you do have reputation security you'll get a block page and what that means is it's not a hundred percent foolproof but what that means is at least people have to like have some credibility so they could hack a church and then attack you there could be a line for well but at least there's some credibility so that 
your first layer reputation security DNS security can be doing that or make for two net Cisco other vendors you can get this with like the firewall technology second layer will be content filtering which is basically reducing risky content because a lot of times your pornography those sites will have the popups and stuff and those can also include ways to basically fish you file integrity would be analyzing what comes from the sites and then finally training so this is your legal stuff if I was to consult on fishing these will be the initial things to talk about now if these fail then you need breach detection and that's where I Mehra wanted to do a little bit on his side since he does a lot on the research side on building honey pots and some of the research he does as well as how to catch one somebody compromised in your network so go ahead alright so first of all does anyone use the honey mount pots in their networks out here today anyone raise your hand all right we got a few people so five people yeah Oh first of all you might want to turn up the volume when I speak for her Irma's know so for those of you that don't don't know what a honey pot is it's basically a fake system that lures an attacker and the idea for that is to kind of pick up attack techniques you know like we both use that and I use that like personally just in my research because I want to figure out what attackers are doing what are the techniques are you doing what what are the kind of what is the malware that they're hosting exactly what are they interested in now there's two types of honey pots and most of time with you Google honey pots so you see some of the more popular software you see low interaction honey pots and they're cold they give you like you know basic shed like like s most ear muffs all right they give you basic stuff like like SSH passwords brute force basic things but there's also high interaction honey pots and for most high interaction honey pots you're probably going to 
do a lot of interactive ization yourself that's how you make the system look really real and sometimes they are real systems they're real WordPress sites you know elastic search engines they're real things and you're just setting up enough defenses to log to figure out what what it is now before I can get started like I run a lot of honey pots on different VPS providers different hosting providers like all over the world and you have to kind of be careful right because they're like first of all I can tell you I've had my own honey pots like compromised and all of sudden you know I may be researching like this new malware that's being spread I'm like crap I'm the command and
control server oh my my servers that's not a conversation you want to have with your boss right and that's and and your boss isn't definitely gonna give you a high five and say was that all the stuff you expensed out so am I liable for that huh so just be careful so a couple of things just my personal best practices is try and find honey pots or bleep yeses I'll give you two public addresses and the reason I say that is because if you want to run a honeypot that's doing SSH honey plotting or web honey plotting and you need a management interface you want two addresses out there now the other big thing is try to do know NAT now this is very very difficult to achieve with a lot of providers because everyone does not you may even look like you have a public address but it's being NAT at some place the reason I say that is because you know when you're running like you know twenty hundred two hundred honey pots and they're all coming back into a logging center like you're logging them all centrally and they all have the same IP addresses and you're usually like creating them on like templates it gets pretty crappy you're like okay where the hell did this come from and you're doing a lot more digging than you need to so just look at that and then the other thing is don't tell your hosting provider what the hell you're doing because they'll probably cancel your service and just always act dumb they're like hey were you hosting all this illegal software like I don't know works not really well most the time if you want add to this there's a term in the industry called resume generating event don't just go to youtube and type in honeypot and get a 13 year old with acne that says here's how to do a honey pots we've had people with that in sandboxes basically are incident response team come out and figure out what actual happened and a lot of cases people will basically put a honeypot on the network and then malware gets on their network through the honeypot and if you're 
responsible for the honeypot that is a resume generating event so please don't do that now what all best practices like I mean we're pretty much already standing on the shoulders of giants I mean a lot of this is kind of best practice that's been out there it's been documented and with our experience as well but there's a lot of different types of honey pots and all these I'm showing are low interaction honey type of honey pots but they all run on different ports now I'll tell you like a lot of people think like okay well what do I need to deliver honey potting you get like this awesome server know my servers are basically two gigs or a lot of one gig of ram 20 gig hard drives are pretty shitty boxes earmuffs okay I'm sorry you must before I classify okay alright so uh so just and then you can run multiple honey pots so like these ones that have on port 80 - all port 80 so don't run all of them you can pick one of them and you can pickle another one and pick another one so this you can kind of use as a map if you want and there's a lot of different options out there there's different things these are just some of the common ones that that I use now other other other things I do with my honey pots is I actually just set up servers regular service like FTP servers and sometimes my FTP servers have like pretty easily guessable passwords you know like like admin and password just to see what happens and I just set them up just to see like the type of the type of stuff that I'm going to get and first of all I will tell you this is the best way to get free porn by far just set up an FTP server on the internet and you're good to go now besides that the coolest thing that I got was I actually got like every episode of Thundercats and I don't know what happened but like someone actually yeah someone just logged into my honey pot and and I remember and I go man I set up an open FTP server I need something like you did what I go no no it's awesome I got every episode of 
Thundercats I don't know what people were doing and I did realize pretty fast because I was a fan of Thundercats when I was a kid man I had this weird obsession with a Cheetara man I don't know something all right so uh so go ahead and do that one of the other things that I do with my honey pots and this is this is I've actually discovered zero days with this too that I've done responsible disclosures but I actually have an XP machine that I have fully patched so 100% patch and I do this with multiple operating systems as well Windows 10 and Windows 8 and so these are fully patched and I'm running non admin mode so I'm not running as an admin user and then I have scripts that are just downloading a whole bunch of URLs I'm getting them from virustotal malware sites open intelligence sites plus just a lot of other sources I'm just downloading like you know hundreds thousands of URLs through the system and then what I do is I actually just compare the registry I like at the end of each day has a registry changed and if I find a change right that means that box is probably being compromised in some way now if I'm running a fully patched system and if I'm you know writer you know and running non admin most likely I found a zero-day and that has happened to me before so that was that was kind of cool now yeah it'll be clearer that that's that's how a lot of researchers find zero days you just basically create your honeypot put the system up there it's fully patched if it gets popped that's what you got there Sam yeah let me go finish this up well the other way like we find a lot of zero days is just oh we found something this is pretty cool and who's the first one to publish this right that's a lot of times that's what happens as well the last thing that I'll say is that I use p caps i always capture p caps and we'll talk about this a little later on but the nice thing about this is sometimes it's just so hard to just capture all this traffic and analyze all this traffic 
yes well P caps I can actually run it against known signatures I know signatures is an awful word but at least it gives me at least the type of attacks that are going on so if I know I'm sending something in the Ukraine and all US and I see a whole bunch of you know VPN filter like a Cisco Talos discovered or you know some other ransomware at least I can say hey this is happening in this region or someone like that I can analyze those P caps and just get a little flexible later later on pretty much what what I do and I'll let Joey kind of go into more details but there's a lot of logging tools one of the easiest ways to set up honey processes like use a modern honey network for low interaction honey pots they have like a built-in logging interface are you Splunk or elasticsearch and you know when you have just good files you know you set up a little bit of time you can set up all your nice pretty graphs and make it look really nice and good as well yeah so again this is all the breach detection stuff we spent a little extra time on the honey pots you want to learn more check out our forensics book snort will be another one so if your defenses fail ideally you can have an IP SIDS hopefully you'll heart a snort but snort you have to deploy you have to tap and know where you're looking if you want to have something where you don't really care where you're looking then maybe a net flow would be another off there's some security offenders out there that do this click sir Cisco a few others that do the idea of behavior analysis why do I see port scanning why do I see weird behavior so those are your defenses so that's this is basically the end of the legal stuff but basically if we were to say help me with phishing we would set up the defenses perimeter defenses we would then look at breach so if the perimeters fail your honey pod or your IPS or your net flow tool would alarm now what happens when you want to actually strike back that's the big question well technically 
speaking it's not necessarily legal as well as there's some things that think about first off think about what we just talked about in a lot of cases the attackers know there's reputation security so they have to get around that what are they gonna do they're gonna hack a church a school something like that so if you hack back what are you hacking back at you're hacking back at a church school or something so don't necessarily see phishing and think oh I need to strike back right away you may be hitting somebody who's basically a victim as well and that's the first thing that we kind of discovered as we started researching this is we're not necessarily popping attackers boxes we're popping other boxes that I've already been popped that are used as pivot points to attack people so be aware of that second thing is there are interesting laws which we'll talk about here in a minute and you need to be aware of what country you're in know if you're traveling what are the current laws of where you're at when you do this because again the walls are really iffy in this area of cyber not to mention this idea of actually striking back so everything from this point on because again of legal purposes hi YouTube it's all in magic land so this is hypothetically happened in a dream kind of thing and we'll show you a video that we pulled out of our dream as well I'm sure that EF F is gonna be wanting to talk to us you know you know first of all even if you're authorized to the hack back and hopefully me and him I'm gonna do a talk about something that happened interesting where I I was authorized by a DA to do hack back and and we did it and we got the information and we caught someone that was like not a good guy and and he got off scot-free because like you know I have to go to the judge and explain like what I did and I was like well I hacked him and you know don't tell a judge you hack someone even if you got like authorization and a warrant to do that mostly we fail because we 
didn't have a wiretapping warrant it was filled out wrong so that was that really sucked but I will tell you there are laws that are changing I mean proposed like the ac/dc and and for those of you guys that don't follow mountain the malware tech log great great Twitter feed great site as well but it's it's pretty much you know no one has really thought about this law and you said hey hack back is going going to be okay it's a it's a really really ear muffs okay it's a really it's a really shitty law that's out there a really shitty proposal it just takes into no account out like computer security really works or what's going on you know today unfortunately most of the stuff will kind of falls under the Computer Fraud and Abuse Act and things that shouldn't even falter in fact I'm you know at this conference and we
probably have known people that have been accused of breaking this law it's not doing it's being abused like any other law so right now hacking or hacking back is not a strategy it's gonna get you in more trouble than than anything else I guess unless you're hacking country that we don't officially authorized as a country all right so again here's the strategy of most fissures they're gonna basically try to trick you in some form or fashion a lot of times it's the email or phone call their goal is to get you to do something in a lot of cases it's to install something or it's to have you provide some information and then once you are duped they do something bad so our strategy and magic land is well what if we flip this script which means what if we basically then try to get them to do something and try to them to basically be duped so it's like almost reverse duping so there's two stories to tell the first story will actually be at the end which would be the second story and the reason why is we weren't recording the first time and then after we made this happen it was kind of Awesome we're like alright what's actually prepare for this and then the second time will actually record something so this is the second story up first and the idea here is the there was a fissure that was trying to get us to fill out some del form so the story is this is del security supports I've seen this also with Microsoft security support but they call you and they say your computer is full of malware and you're like really holy really who are you it's Microsoft while running a Mac well yeah that's okay too it's like what but it's it's seriously so with Dell is the same thing like we're running Macs and it's like yeah we're a contractor and we're just seeing malware so we supposed to basically come in and fix your box what we found initially when we just interact and not hack back either their old a want to get access to our box and then like show oh look we're inside your box but it 
that's the bad guys inside your box, pay us now, like an analyst service, and we'll fix your computer. So we've had them try to sell us fake services, which really is selling services against them. We've seen it where they just ask for data, or they've planted malware, like install this viewing tool and we can view your box. In the two stories, this story here, they tried to get us to fill out a document. So the idea is, well, why don't we trick them and basically plant malware in the document and send it back, and then when they open the document we pop their box. So that's the story we're gonna tell now. And the other story, the idea was we played stupid and said, well, hey, I'm trying to do what you're doing, this is frustrating, I mean, like I've seen the Matrix movie and the Blackhat movie, this should be easier. Hey, I have this thing called WebEx, I can share my screen, why don't I share my screen, I'll give you full controls. So I gave them the WebEx agent, but I weaponized the WebEx agent, so then I popped their box with the WebEx agent and then I took over their computer. So they had control of my sandbox while I had control of their computer. So those are the two stories.

So what we'll do now is I want to walk you through story one, which is the one we recorded, which is the Dell story. So the story is, well, basically you have to set up, and we're gonna walk you through the tools first, but you need a sandbox because you want them to actually have something to have access to. In this case we got them to give us the agreement letter. You need to weaponize it; we're going to talk about different weaponization, whether it's droppers or RATs, but you need to weaponize something and then trick them to either open that file or open that program, the exact same thing they're doing to us, making us install things or click things, but just do it to them. So we'll go ahead and we'll walk through this step by step. First part is building a sandbox.

Cool. And, you know, first of all I would say, don't, you
know, Cuckoo is complicated. Don't go to YouTube and like put in "how do I install Cuckoo," because you're probably gonna get hacked, okay? Not saying there's not a lot of good guides out there, just be careful, because a lot of sophisticated, you know, threat actors will look for things like Cuckoo, and of course everyone looks for VM Tools. No one's stupid enough to put in VM Tools, that's not what all attackers are looking for. You know, they look at certain DLLs, like the SbieDll and other things that are kind of hard to get rid of on these boxes. Now, when we talk about our sandboxes, we're not just talking about, you know, something that you run and it gives you a report. These are kind of honeypot sandboxes as well, so they're full interaction sandboxes that we can stop, we can play, we can, you know, re-image as well. I can't tell you how many times I've seen people put in sandboxes and they've just gone and hacked themselves, right? I mean, they just compromised their entire network. So if you don't know what the hell you're doing, just buy a professional sandbox, right? That's easier. One thing I just started playing around with a couple of weeks ago, and a good friend of mine, um, I don't see if he's in the audience, Fred, is there a Fred? Is anyone named Fred in the audience? Okay, you can be my friend. All right, all right, well, he told me about this tool called Clonezilla. I mean, I've actually been using it, it's like super awesome for just ghosting stuff and putting things in. So if you're a malware author or doing any type of malware testing, look at Clonezilla. It's actually kind of saved my ass a couple of times. Yeah, actually, I honestly had a customer about a year and a half ago that built a sandbox and they were playing with WannaCry ransomware, and they got themselves infected with WannaCry, and when we did the investigation we had to say, well, your sandbox is how you got infected. Resume-generating event. So again, don't be
that guy or girl. When it comes to weaponization, there are two different options. In those cases you can use one that is establishing a full tunnel, which means you can interact, you can actually pivot from that box, and the other is a dropper, which, to be clear, with a dropper you don't get full interaction. I talk to my dropper, give me this information, and it comes back. So show me ls, and a few minutes later I get back what's basically running in that folder, kind of thing. So in this use case we're looking at RATs, which means we want full access to the person's computer, but know there are different options like Empire. You can put droppers out there easily and be more stealthy, where a RAT is typically more chatty because it's a full tunnel. So it depends on what you're looking to do. In our case, you're gonna find, especially our first one, it was amateur hour, there's a lot of things that we could have done better, but we did it anyways. So again, full tunnel or dropper, your two options. You're gonna find also, in the second story that I talk about here, is wrapping, and wrapping is the idea of actually taking legit software and then wrapping it with malware. True story: with the challenge, you guys know the Packet Capture Village challenge, one of the challenges was finding a hash. That hash was my SOC book that some a-hole on the internet wrapped with malware, and literally we were in our sandbox, and I found, I was just trying to find hashes of malware, I was like, holy crap, that hash is my book wrapped with malware. So you can wrap anything, and like here's literally a freeware where I can take a book, or take a software, or a music file, or in this case the WebEx installation client, and wrap it with a backdoor. So literally you take like a Meterpreter and Metasploit, you have that as your rootkit, you create whatever you want, in this case your WebEx, actually, I don't know if we recorded, your VPN client or your shareware client, you wrap that, and if somebody runs it, boom,
you're good. Now, the other thing, though, and this is obvious, the antivirus will catch it, so you do want to do your module modification to it, your encoding, basically to make sure that it doesn't get detected. Also, by the way, if you are going to do this, you probably want to have either like TrID or PEiD, but you're also going to want to have some kind of file detection piece and actually truly identify what the file is, especially when they send stuff to you. So in this use case, when they sent us the Dell file, it actually did not have malware, but a lot of times when a phisher is sending us something, usually it does have malware, and the way to see it is you put it in a sandbox and you first analyze it and make sure what it is, because it may be a zip file or it may be some other file even though the file type is different. So not only should you build a sandbox, we highly recommend for you to download some freeware and actually identify what the file is before you start analyzing it.

All right, so, well, you know, some of the things that we started doing just to play around with, you know, how to get this malware on, is we have to figure out that, you know, we both work for security companies, we really know a little bit about how to bypass security devices, and like everyone will tell you, the way you bypass security signatures and attacks is to use things that are already on the system, right? Use PowerShell, use Python. Python is great, you can put a full RAT in. Excel is just a really easy RAT that I came across that works on Mac machines as well. And then from there, I mean, it's pretty much like Metasploit or any of these tools, you can write your own RATs and your own deployment pretty easily as well, and that's most of the time, like, you know, when we're testing things, that's what we do, there are no signatures for something that I write on the fly, right? And also, you know, have a public server ready to go that's hosting stuff. I see a lot of times, when we came across this research, and you'll notice when we talk about the video exactly what we did, is, you know, when we got the call, really I walk into the house and my mom's like, I don't understand this call, it's like someone saying Dell tech support, and, you know, I'm listening to this guy, I'm like, all right, it's Christmas time, Christmas came early, right? And I'm texting him, I go, some guy's calling me claiming Dell tech support, right? And he's like, what are we gonna do? And I was like, dude, I already got a Kali box up in the cloud, like, oh, we're gonna have some fun with this guy. So like, be ready to go, you know.
Talking about encoding, yeah, so as we mentioned, in a lot of cases what you don't want to happen is the same thing with them: if we're gonna hack back, we're gonna phish them, we don't want to trick them, have them install the file, and then their antivirus blocks it. Like, that's a complete fail. So make sure you encode. Basically what we did was we had our system already set up on the fly, and then we were just basically trying out the files against the known security vendors, and you're never gonna get like a hundred percent bypass, but as long as you get a high enough number, in our case like seventy percent, we're like, this is good enough, this is like a Dell workshop, they probably have a crappy computer anyways. So yeah, I mean, pretty much make sure that you do test it before you send it. And then finally, the location piece, you want to talk to this one?

Yeah, so, uh, you know, a couple of things that, uh, when we start talking about, as we started playing around a lot with macros, Word macros, and if a Word macro is actually not sending information back, it really doesn't trigger any AV type, you know, triggers. So you can put a macro in just to basically record the IP address and save that on a hidden document or a hidden sheet, or, you know, start putting in basic location tracking. So it's kind of cool. One of the things people always talk about is attribution, but, you know, we were writing the local IP address and then pinging the local gateway and doing a traceroute, which we can all do in a macro, and we'll have a little more detail on our sites on exactly how we accomplished that as well, so you can see the code. It's just VBA code, you know, we know exactly what that's for, and I'll describe it a little bit, but at the end of the video, I mean, I saw the guy, so I knew exactly where he was from. It was a little obvious, at least I thought it was. Anything you'd add? All right, so let
me kind of set up this video just a little bit before we get going. As I said, you know, this really started off with me walking into my house, my mom's like, I don't understand what's going on here, and I talk to the guy, he's like, I'm Dell tech support. I go, cool, I have a Mac, all right, you know, BSD, whatever, I mean, I don't use a Dell. And yeah, and then, you know, I'm just talking to him, he's like, you know, of course he's a contractor and he wants me to get on TeamViewer, he's like, download TeamViewer, and I'm like, yeah, no way, I'm not downloading TeamViewer. And he's trying to scare me, he's like, well, first of all, you know, you have all this malware going on, and he's really putting it on, like, he's like, you're gonna get arrested, because, you know, you may not know what you're doing, but now you're responsible for this malware and you're destroying people's lives, and democracy depends on this. And I'm like, pay me, right? And I'm like, all right, what do I do, I don't understand. And I was getting him really frustrated, you know, I was, you know, a good protector, I didn't know much, and he's like, all right, you know what, here's a document, send me this document. Like, it's Christmas, man, it's beautiful, like, oh, you're sending me a document. So of course he sends me a document, I put it in the sandbox, I was so excited at this point. I'd already imaged my box. That's how I always get infected, you know, you start off like, ah, I don't need to put it in my VM. And the document was clean, it was completely clean, right? So, um, so I did the most basic thing, I set up the most basic encoder in msfvenom, and why doesn't every AV just freakin' catch this, this is, you know, script kiddie stuff, right? That's all we're doing, is I'm setting up a local, you know, a local exploit, and
this is a payload, and the macro that we put in. Now, I'm, you know, you're not gonna put the payload visible in the document. You'll see that I just have it in the document here; at the very least, just make it white, just like, let me make the color of the font white, they're not gonna see it. But you can put it on a transparent sheet, there are other things you can do as well. And yeah, you know, depending on the version of Word he has, he's gonna get some error out here. It doesn't matter. I mean, as security people we always say, like, no one's gonna click on a macro. Everyone clicks on it. They click on something, even if he clicks end, it doesn't matter, and that's why I got the shellcode here anyway, so it's gonna bypass a lot of stuff anyways, it's gonna run automatically. So I save it, of
course I told him my name, he wanted to know my name. My name is Ethan Hunt, so that's what I told him, and he's like, oh, that's good, you know, that's great. So of course I'm waiting for him to open the document, I'm waiting, and I'm texting Joey, so he's gonna open it, he's gonna open it, and of course it takes like five minutes to open it, and finally, bingo, right, I mean, I get my reverse shell back. Now, what's funny is I actually didn't put anything in it, so he called me up, he's like, the document's empty, he's like, did you not know what you're doing? Like, oh, what's going on? Yeah, in fact, you can see like I'm so excited, because I'm like, what can I do here, what can I do here, right? I mean, I even put in the wrong commands here. And so once he opened up the document, I could see his desktop running, he's still staring at the empty
document. Albeit, it's going to be there, the information is going to be there, and this is the actual document that he sent, right, so you can see that he didn't write it. Now, at that point, what I ended up doing was just turning on, first of all, snapshots on the webcam, so that way the light wouldn't go on on the webcam, just to see how he looked like, but at the end I was like, f it, let's just turn on the webcam, right? And so this is a part of, like, you know, we were kind of a little afraid of, just because there were a lot of people there. It wasn't just one guy, I mean, there were like two or three people next to him, there were people behind him, it was a call center type thing, and so that's why I didn't put that on there. And then I'm talking to him, I'm like, oh yeah, that's a really nice red shirt, and, you know, your turban is a little messed up there. I'm not gonna tell you what country I think it's attributed from, right? But, uh, so he's like, what, he's not understanding me, and I was like, you know, at that point I go, hey bro, so I started talking to him in Hindi right now, and I tell him exactly, I go, you know, yeah, this is really nice, and these are the files, oh, you've got, yeah, we chat, he had a... I think we have a picture of his desktop, we talk, but here we... oh yeah, so yeah, yeah, yeah, but about, you know, every chat message, like a known to the world. So the video that I actually had, that hopefully we'll be able to put up, is basically him running towards the camera and pulling it out before it freezes. So that was awesome. And of course this is all hypothetical, I'm pretty sure a wink is a defensible, you know, plea. So yeah, again, we couldn't show that because of the language on the desktop and the country of origin, all this stuff, our HR departments are like, don't show it. But we hope to show it, because again it's magic land, we hope to show this dream scenario that really didn't happen, or did happen, on our blogs at some point in the near future. That's scenario two.

Scenario one was the other one, just to mention. So this one we didn't have a recording; this is when we first started actually hacking back. But this is my scenario where again I had somebody call me, they were trying to tell me that I have malware on my computer, so they're trying to walk me through commands to install stuff. So all I was doing was acting really slow and saying, I don't get it, or I'm fat-fingering it, and just kept saying, I don't get it. And that's when I offered, well, I have this shareware, a software made by, uh, if I can't use the word, WebEx,
and basically said I could share my screen and I can let you interact, so I'll give you full control, you can do it for me. And I can hear in his voice the excitement, because he thinks he's won, he's like, I'm gonna have full control of this guy's computer, this is awesome. So I'm like, sure, just run this app. So I sent him the exact same trick that he did to me, but I basically weaponized my WebEx and popped his box that way, and same thing, we sort of interacted with his computer and turned on his camera. I basically just screwed with his computer to the point where his computer started acting funny, then he got freaked out and then killed the connection. So again, same idea.

So the whole point of this here, to summarize what we did, is really, if you think about it, phishing in general is the idea of tricking people. They're trying to trick you, they're trying to make you do something. We talked about today, first, the legal defenses, so hopefully, again, I have a bad reputation, try that website out, think about reputation security, think about content filtering, firewalls, that kind of stuff, and then have breach. If you don't have breach, you're an idiot, because how do you know if those defenses are working or not? If you're not validating those, you don't know if something's getting through. We talked about honeypots today, which you can learn more about in our book. We talked about IPS and NetFlow as legitimate tools. But if you do want to hack back, we did talk about how to build a sandbox; you want to do this obviously on the net. We talked about some of the legalities of it. We talked about, if you do hack back, you're probably... I mean, we got lucky in these two cases. Some of the other cases, when we do actually pop a box, we find we're in a school or a church or some other system, meaning it's a pivot point. So you aren't necessarily going to hack back and always get the bad guy or girl, you may get some pivot points. But if you do get lucky enough, like we got, where you're actually talking to the person on the phone, in a lot of cases now you're actually talking to the attacker, so they can become the victim, which basically is what we talked about, which is think about tricking them using the exact same tactics. You can use RATs, you can use droppers, however you want to do it, there are many ways of doing it, we showed two. And then the idea is, if you do, you know, get them back, post it somewhere and embarrass them, because hopefully they'll stop doing it.

Yeah, the one thing I would like to add is, if this ever happens to you and you start laughing uncontrollably at them, hit the mute button, because it does make them a little suspicious. But, uh, you can also just tell them you were crying because you're so scared, or something like that works. All right, so again, we do appreciate it. We hope to publish more information about this as we continue to do this in magic land. If you guys end up doing some of this as well, again, I'm Joseph Muniz, this is Aamir, reach out, let us know, we'd like to hear about your phishing back or attack back adventures. Thanks for your time, enjoy our success. [Applause]