RECON VILLAGE- Winning a SANS 504
Formal Metadata
Number of Parts: 322
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/39955 (DOI)
Transcript: English(auto-generated)
00:00
OK, if everyone's ready, we'll get started with the first live demo of the day. I'm going to hand over very, very shortly to Dave, who's going to be introducing his presentation on winning a SANS 504 CTF without winning a SANS 504. Without further ado, Dave's just done his shot, so now he can take over. Thanks. Thank you very much. Good morning. Welcome. So, I am big Dave. I'm not the biggest
00:23
Dave, but I am one of the many big Daves that exist within this world. Everyone knows that Dave, right? So, W, first thing you should do when you log on to a Linux terminal. W, who else is on with me? So, this is me, big Dave. That's my personal account everywhere. If you want to reach out to me, ask me questions after this, that's the place to
00:41
do it. It is personal, so you will just see random bullshit, random sketches I do and other stuff. I'm a security researcher. I work for a company in San Jose. My job is to look at attackers, how they're doing stuff inside the network. So, not the traditional IOCs, like what? How have they popped the box? More behavioral than that. I worked
01:00
for an engineering support company in the UK, working with the MOD, nuclear power, that sort of thing. Very big company. Got to work with a lot of interesting adversaries. It was through working with those guys that I uncovered some of the techniques and some of the stuff I'm going to talk about today. I also worked as a network engineer before that, so it's pretty standard, but the weirdest part is I have a BA in drama.
01:23
So, that's relevant for this field, right? So, background to this talk. I spent a long time when I was working with my previous company in the trenches of the spam reporting folder. People just send us emails every day, and I was doing this day in, day out, just ridiculous
01:41
volumes of email saying this is spam, this is malicious, this is advertising, this is fine, you can click on these links and you can't click on these ones. Through that, we had to think of novel ways to also beat the enterprise filters. So, how can we get past the anti-spoofing? How can we send emails that look like other people? How can we get files through these
02:01
devices as well? I worked, obviously, as part of the blue team in that I was a SOC analyst, so we went up against everyone from Nigerian scammers who would say, do you want your share of 85,000 Nigerian dollars? But we also ran investigations which
02:20
deal with a more serious item. It's the one that people know a lot about and hear a lot about now, the sort of the CFO phishing. Somebody pretends to be your CFO, they send it to your financial controllers. It usually looks really bad. There are a couple of cases, though, where that isn't the case. But let's give you a background of what I'm talking about today. The SANS 504. It's run by SANS. It's the Hacker Tools, Techniques, Exploits, and Incident
02:46
Handling course. So, it's the sort of basic stuff for the SOC. Five-day course covers the basics of incident response, processes of incident response, good practice for incident response, and pen testing as well. It's a lot heavier on the pen testing, actually, than
03:00
incident response, which is a bit weird given that it is more of an incident response course. Fair enough. On the Saturday, they run a CTF. The CTF is a small network of pwnable machines on which you have to get two flags, put them together, and come up with the phrase that pays. And then you win the CTF, and you get a coin. You get your 504 challenge coin.
03:23
I didn't win the CTF, but I have a 504 challenge coin, and I'll come onto that. So, it was taught by Kevin Fiscus. Please feel free to at him on Twitter. I asked him before the talk. It's fine. It was two days of me being very serious and five days of me being very devious.
03:45
So, on the first couple of days, Kevin said that at the end of the week, we're going to be doing the CTF. And he said in front of the class, hey, I encourage social engineering because I've never been socially engineered to give up the phrase that pays. So, whilst the rest of the class went off and went, oh, I'm going to produce a letter
04:04
that says I have a share of $20 million if you give me a hint to the CTF. Or someone went and got a picture of his Jeep from Facebook and said, oh, we're going to craft something from the DMV. It's going to say he's been caught speeding. And then if he gives us a hint to the CTF, then we'll let him off. It's fine. And I took it way too seriously.
04:24
So, the challenge. The CTF was set up, encouraged us to socially engineer to get the phrase that pays. He showed us bad examples of previous phishing and said he found them hilarious. I definitely took it too seriously. I was advised not to do this by my peers who said, you shouldn't fuck with your CTF, with your SANS instructor. They will kick you off the course.
04:42
So, the target. He said he'd never been socially engineered by a student. He's a security professional. He works in incident response. He's incredibly smart. And he was aware that he was opening himself up for incoming attacks. So, the patsy. So, there was another SANS instructor that week giving a presentation where importantly,
05:05
there was free beer at the back where I stood for the entire talk, getting beautifully rat-arsed. They gave a presentation. The presentation was on memory forensics. It was great. They were showing off a new tool. The tool worked really well.
05:21
It did some new interesting stuff with not messing around with memory space when grabbing the memory dump. It's fantastic. It's better than other things I've used to do this before. But it gave me an idea. Because more importantly, in the memory dump was an example of the SANS 504 CTF that they run on a Sunday. Just showing the
05:43
meterpreter shell from the network list. So, oh, look, here's an open TCP on 4444. And it gave me an idea. The plan. Well, what did I know? I knew the instructors knew each other. They worked for SANS. I'd seen them talking. I knew that they were going to
06:02
give a presentation. So, I thought I'd go on to that. Sounded interesting. There was free beer. And I knew about some interesting email tricks. Now, I guarantee almost everyone in this room when they were 10 or 11, maybe even younger or older, in the 90s, let's say, found an open mail relay on the internet and sent an email to their friends as
06:24
billgates at Microsoft.com. Hey, there's a new update to Windows. Please click on this link. We're not going to Sub7 your machine at all. So, the execution. From a high level, I crafted an email in the style of the patsy and sent it from the patsy.
06:43
I found a hosting provider with open SMTP. That's about it. There's a touch more to it. I study in pink. I love this site. alwaysdata.com. The best thing about this site is you can start for free. There is no signup fee. There's no 30-day trial that will give you a
07:02
really basic account for absolutely nothing. You also don't have to fill in any correct information. So, that butts at Guerrilla Mail. I think my name is Jimmy Riddle. I live at 1 France 77 in the city of Spain. The only thing that has to be correct is the country has to
07:21
match where you're signing up from. So, it looks at your geo IP. That's the only thing that needs to be correct in that form. It takes no credit card details, nothing else. You can lie through your back teeth. And it has a handy Roundcube webmail interface. If you don't want to type out the bothersome SMTP commands on the shell, you can just go and do it. You can just
07:44
do it from there. Roundcube interface. So, there's my email address, buttsnatch at alwaysdata.com. And I can edit that identity. And I can put in anything I want. So, here, I've just changed it to say the email is actually just say it's from recon at DEF CON. Reply to, send it back
08:03
here. I want to get my email right. And here's the rub. It's a really old trick. We call this envelope spoofing. So, when you send the email, at the very top, you have your SMTP headers and you have the from address, you have the to address, the RCPT TO. But a lot of that
08:23
gets stripped these days by the edge email systems. So, you can rarely, unless you're intercepting the traffic from the edge to the Exchange server, you won't ever see the original from address because it gets cut. You will, however, see the envelope. The envelope is part of the data of the email. This is all outside of the protocol. And the data of the email is the
08:44
important bit to the application. So, when the application receives the email, it doesn't look at the sender to make the email look like it came from that person. So, there's some other interesting things that happen when that goes ahead inside most of the applications. If you
09:02
can nail the email address to somebody within someone else's address book, Outlook, Gmail, Mail for Mac, any modern email application will pull in contact details, presence information, signatures, everything that makes that email look legitimately as if it has come from that person. So, all you've got to do is nail their email address and possibly how they talk and
09:26
how they act as well. If it's done and it works, is it really done? So, this is a bit of a case study. Facebook and Google both lost about $100 million to a scammer. Now, the guy has been
09:43
arrested since and it was absolutely huge. Two tech giants came to a well-known type of scam in which the attacker tricks the victim by innocent-looking emails. So, there's not been many details given out on how this was done. They said it was financial fraud, it's a well-known
10:04
technique, et cetera, et cetera. So, I want to shed some light on what happened. During the time of this attack, the common method to do this type of CFO fraud was to pretend to be the CFO to say, please authorize this payment to this company because they are a supplier.
10:21
It failed 99% of the time. There are some big cases, like 70,000 pounds was given to some company in Taiwan through this sort of fraud. But in this case, they went for the supplier. Classic target supply chain, right? They targeted the supply chain, they infected them with an old-school Java RAT. From that, they then sat on that supplier's email and they watched outbound
10:46
email. Not only did they scrape email addresses to send to, email addresses to send from, they also scraped headed paper, physical signatures that were transmitted across email because they were in the wire. So, the email came out of the supplier,
11:07
it got sniffed by the attacker, and then it got sent on to the target. Now, this was interesting because they then waited for a very large invoice to go across to the attacker, at which point they would then send a follow-up email. Oh, by the way, sorry to
11:24
interrupt, we are currently under audit. All our bank accounts have been frozen. Can you please change the bank accounts to these new ones because they're not under audit and we can take the payment and it'll be sorted out afterwards. If you know much about financial auditing, that wouldn't happen. That's just insanity. But the reply in due diligence says,
11:45
can you send us this with headed paper with the signature of your financial controllers? And of course, the attacker has already stolen all that. So, they send another one and the payment gets authorized to some Swiss bank account and they walk out the door with Facebook and Google with $100 million. These are smart people working in big tech companies
12:05
and these guys can get duped. What I always say to people when they say, oh, well, we bought the best firewalls, we bought the best email routing, we bought the best AV. It's like, I don't care. If someone wants to get you, they will get you. It doesn't matter if you are Facebook,
12:25
Google, or a SANS instructor. If somebody is really out to target you and to send you malicious content, they will do it every single time. And I have a nice heavy coin in my pocket that proves that to my SANS instructor. So, what do you need to know? Well, you need to
12:40
know their email address. How did I get this from a security professional? They were a very private person at the time. All they gave out in their talk was their Twitter handle. And this was before Twitter let you embed the link to your website. The hook, I mean, this was pretty easy based on the content being presented. I've already said they were showing off the SANS 504 memory
13:00
dumps in the capture the flag in the presentation. But I needed something to make it a little more believable. So, I need a handle, man. I'm not anything if I don't have a handle. So, for context, the recon was carried out a few years ago. Like I say, it was before putting your website on Twitter was actually kind of common. The security professional didn't advertise their email
13:22
address, just their Twitter handle. There is a lovely piece of SANS 504 advice, and I've spoken to a couple of instructors around here this week. At the beginning of the week, they say, if you own a website, put your own email address in the admin field because if it ever gets hacked, you want to be emailed, right? You want to be notified. Whilst great advice for notification of breach, it's actually brilliant for finding out people's personal
13:45
email addresses because sometimes they are not. They don't scrub it. They don't put something odd in there. They don't put a Guerrilla address. They just put something that is very personal to them. So, I took a shot in the dark. I knew the professional's Twitter handle, so I started going through all of the common TLDs to see if that was registered to them
14:04
as a TLD, and I got the hit. This is from a couple of years back, before it was all scrubbed by Domains by Proxy, but basically it was a, I believe it was a dot, this one was a dot com. It was really easy to get this one, and it had their personal email address, their Gmail address,
14:23
which wasn't anywhere else in there. I mean, it's easy recon. It's Whois data. Coming soon to Whois in the EU, though, a lot of this data is going to go because of GDPR, so have fun with that. When that happens, we're going to be in an interesting place of finding
14:40
out the sort of information. We're going to have to revert to older social engineering techniques to try and get this stuff as well. Like Bill Murray at Wendy's, no one's going to believe you unless you have proof. The reason I say this is I could send an email to Kevin from his colleague, and I could make up any cock and bull story about, hey, you dropped your USB
15:04
key, and it's got the phrase that pays, or I need to know it because I'm going to be teaching the course next week, and I need to make sure I'm pre-warned. But I've got a degree in drama. I'm good at making stuff up. I'm good at playing pretend. I spent three years studying playing
15:22
pretend. I actually spent six months of that building a puppet, which is great. I ruined a hoodie like that because the head was made of foam, and I had to shave it down with a Dremel, and it just sticks into any fabric. It's awful stuff, but it's great. A little Japanese man sat on the floor telling a story, trying to play a shamisen. Terrible. So, I sat in on the
15:43
presentation given by this SANS instructor, and not only did I watch the presentation and enjoy the content and go, hey, that's a cool tool. I'm going to go and add it to my tool chain. I took note of how they spoke. I took note of the phrases they used. I took note of the way they would leave gaps or go on non-sequiturs. So, when I sat in the gym that evening on a bike,
16:10
I sat there crafting an email in my head, and when I got back to my hotel, I wrote an email that looked like it was from his colleague. And as I said earlier, what makes an accurate
16:21
email? Well, modern email programs do the heavy lifting for me. All these applications here add contact information to spoofed emails. So, if you want to spoof the envelope, these applications will make it look much more legitimate for you. Like I say, they read it from the envelope, not the original SMTP MAIL FROM. Yeah, worth noting, actually, a lot of these
16:43
mail applications make it really difficult to view the source now. Well, not really difficult. They just hide it behind a few menus. Exchange, for example, well, Outlook and Exchange hid it behind a couple of menus, and lots of people now ask where it is. Gmail, it's reasonably easy. You can do View Original. Office.com, Outlook, it's actually quite difficult to find the menu
17:04
item to give you the source. So, it's hard to start. For normal people, it's hard to start looking at this information, especially if you're viewing it on a mobile as well. I mean, forget it. So, when I crafted the email, I made it look like it was from his colleague. I wrote it to
17:21
look like it was from his colleague. I spoofed the email address that I was nearly sure was their email address. And it turns out I was right. Not all was as it seems. There's a third player in the room. So, yeah, I forgot that was the last slide. My bad. But yeah, the next day,
17:44
so, I sent him this email. I sent it to him at, I think it was about half past 12 at night. We're in London. I know the pubs close at 11. It's fine. I know that their instructors and their friends, they're going to be out drinking. So, unless there's something else going on between them that I don't know about, I know they're probably not going to be together and he might
18:01
have had a couple of beers in him. So, I sent him an email at half past 12 at night. And I wake up the next day, check my account, open it up. My heart's racing, butterflies in my stomach. And there it is. The phrase that pays. I'm not going to tell you the phrase that
18:20
pays because I spoke to other people who won the CTF and it hasn't changed. So, I had that and I was like, well, I mean, I guess that could be right. He could be tricking me. He might know. So, I basically ran all the way to my SANS course. I was like skipping like a giddy schoolgirl. I was so excited. This was Wednesday, the CTF on
18:45
Saturday. I walked in and he was talking to one of the SANS adjudicators. Now, these guys are taking the course, but they don't pay. They're there to field questions, help people, to be a tea boy. They wear a little apron. I think that's really cute. So, I went in and he was talking to the SANS adjudicator. He's going, so, last night,
19:05
my colleague sent me an email and apparently one of my students is trying to socially engineer them for the phrase that pays. And I had him. I knew I had him because he was so bought into this idea that they had sent him the email. It looked perfect that he was
19:22
telling a story of how one of his students had the balls to go and target another SANS instructor for the phrase that pays. So, I just sidled up to him and went, here's the phrase that pays. Oh, fuck you.
19:41
And that was it. I confirmed knowledge. So, at the end of the week, at the Saturday CTF, unfortunately, my team didn't win. We were about a minute behind the winners. We had both halves of the flag. We'd popped the vulnerable kernel on the Linux machine to get the second half, which is one of the more tricky bits. So, there you go. We had both
20:05
parts of the stream. All we had to do was put them together and decode it. As we were getting to that point, we're like, hey, what about that tool we learned about at the beginning of the week? That'd be great. Let's use that. Put them together. Well, shit. Because I'd like to have won, right? I was still in the same competition. I knew
20:23
the winning answer, but we were all in the same competition. So, Kevin was like, congratulations. How did you do it? Let's go through it. And they gave all their details. And I'm like, yeah, we did that. We did that. Oh, yeah, we found that. Yeah, that's great. Well done. Okay, okay. I'm not going to ask you for the phrase that pays.
20:42
I'm going to ask you. And he made me stand up in front of everyone and explain myself. And how I got the phrase that pays. And that is how you walk away from a SANS 504 CTF, capture the flag, with a coin, without winning the SANS 504 CTF. Has anyone got any questions?
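The header-versus-envelope distinction the talk relies on, as an added detection example that is not part of the original talk: the speaker calls the From: header the "envelope", but in SMTP terms the envelope sender is MAIL FROM, which the receiving MTA normally records as Return-Path:, while the From: header the mail client renders is message data the sender fully controls. The script below, using constructed sample messages and made-up example domains, flags a message whose rendered From: disagrees with its Return-Path: or Reply-To:, which is the cheap first check a SOC can run on the kind of message described above.

```python
"""Flag header-From spoofing by comparing it with the SMTP envelope sender.

Added example: the mail client shows From:, but the receiving MTA records
the envelope sender (MAIL FROM) in Return-Path:. When the two disagree,
the message was handed in by someone other than the person the client
will display (and whose contact card it will helpfully attach).
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: throwaway hosting account in the envelope, trusted
# colleague in the From: header, replies steered back to the attacker.
SPOOFED_RAW = """Return-Path: <throwaway@hosting.example>
From: Trusted Colleague <colleague@instructor.example>
To: kevin@instructor.example
Reply-To: throwaway@hosting.example
Subject: Quick favour before Saturday

Hey, can you send me that phrase for the CTF? Lost my notes.
"""

# Constructed sample: envelope sender and rendered sender agree.
LEGIT_RAW = """Return-Path: <colleague@instructor.example>
From: Trusted Colleague <colleague@instructor.example>
To: kevin@instructor.example
Subject: Slides

Slides attached.
"""


def _addr(msg, name: str) -> str:
    """Bare, lower-cased address from a header, or '' if the header is absent."""
    return parseaddr(str(msg.get(name, "")))[1].lower()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Compare what the client renders (From:) with what SMTP saw (Return-Path:)."""
    msg = email.message_from_string(raw, policy=policy.default)
    header_from = _addr(msg, "From")
    return_path = _addr(msg, "Return-Path")
    reply_to = _addr(msg, "Reply-To")
    findings = []
    if return_path and return_path != header_from:
        # A different domain in the envelope is the stronger signal; a
        # different mailbox in the same domain is worth a look too.
        kind = "domain" if _domain(return_path) != _domain(header_from) else "address"
        findings.append(f"return-path-{kind}-mismatch")
    # Reply-To pointing elsewhere is how replies reach the real sender while
    # From: keeps showing the trusted contact.
    if reply_to and reply_to != header_from:
        findings.append("reply-to-mismatch")
    return {"header_from": header_from, "return_path": return_path,
            "reply_to": reply_to, "findings": findings}


def is_suspicious(raw: str) -> bool:
    return bool(analyze(raw)["findings"])


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, analyze(raw))
```

If the envelope sender is forged to match the From: header as well, this check passes silently, so it belongs in front of, not instead of, SPF, DKIM and DMARC alignment checks on the sending domain.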