Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests

Video in TIB AV-Portal: Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests

Formal Metadata

Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests brings the DEF CON 19 audience the most massive collection of weird, downright bizarre, freaky, and altogether unlikely hacks ever seen in the wild. This talk will focus on those complex hacks found in real environments, some in very high-end and important systems, that are unlikely but true. Through stories and demonstrations we will take the audience into a bizarre world where odd business logic flaws get you almost free food (including home shipping), sourcing traffic from port 0 allows ownership of the finances of a nation, and security systems are used to hack organizations. The SpiderLabs team delivered more than 2300 penetration tests last year, giving us access to a huge variety of systems and services; we've collected a compendium of the coolest and oddest compromises from the previous year to present at DEF CON. Our goal is to show effective attacks, and at the same time not the trivial ones that can be found by automated methods. By the end of this presentation we hope to have the audience thinking differently about the systems and applications that organizations use every day, and how they may be used against them.

Rob Havelt is the director of penetration testing at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. Rob has worked with offensive security seemingly forever, and from running a start-up ISP to working as a TSCM specialist, he's held just about every job possible in the realm of system administration and information security. Formerly a bourbon-fueled absurdist, raconteur, and man about town, currently a sardonic workaholic occasionally seeking meaning in the finer things in life, Rob is, and will always be, a career hacker.
Wendel Guglielmetti Henrique is a Security Consultant at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. He has over 11 years' experience in Information Technology, of which the last 6 years were dedicated to penetration testing. He has performed security-focused code reviews, secure development training, forensic analysis and security assessments. Wendel has performed countless network, application and web application penetration tests for various organizations across the globe, including government, banking and commercial sectors, as well as the payment card industry. Recent presentations include Black Hat Arsenal 2010 (USA), OWASP AppSec Research 2010 (Sweden) and Black Hat Europe 2010 (Spain). Previously, Wendel spoke at Troopers 09 (Germany), OWASP AppSecEU09 (Poland) and YSTS 3.0 (Brazil), and has spoken at well-known security conferences such as DEF CON 16 (USA) and H2HC (Brazil). In 2002 Wendel developed a tool to detect and remove the famous BugBear virus before most of the antivirus companies around the world did. During his career, he has discovered vulnerabilities across a diverse set of technologies including webmail systems, wireless access points, remote access systems, web application firewalls, IP cameras, and IP telephony applications. Some tools he wrote have already been used as examples in national magazines like PCWorld Brazil and international ones like Hakin9 Magazine.
Thanks everyone for coming out. Welcome to Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests. My name is Rob Havelt and I'm the director of penetration testing for Trustwave SpiderLabs. Over to my right, left, my other right, is my Brazilian friend Wendel Guglielmetti Henrique.

Yeah, so I've worked on the Trustwave SpiderLabs penetration testing team for almost three years. I guess I have over nine years in the security industry. I have found some vulnerabilities in a different set of products: web application firewalls, cameras, remote access systems and probably a lot of others. I've presented at Black Hat, DEF CON, OWASP and some of the other big conferences. We are in the process of getting a patent-pending technology for a penetration test project we did, and a few other things. That's me.

And like I said, I'm the director of pen testing at Trustwave SpiderLabs. I've been around the security industry kind of forever. I've worked from starting up an ISP to doing TSCM to just about every possible job in system administration and information security. I've spoken at a lot of venues, and this is a great opportunity for us to speak to you guys at probably one of the best security conferences ever, DEF CON, greatest crowd.

So what's this all about? Basically we put together a collection of the weirdest, freakiest and most unlikely hacks that we've ever found, and we'll walk you through these weird, freaky, unusual, just out of the ordinary things. We'll let you meet the victims of these odd hacks, because some of these actually have serious implications, and we'll kind of walk you through a few of these things and kind of wrap it up after that.

So basically we've been in a unique opportunity to see some very real, interesting, uncommon and very non-trivial things that can't really be found using traditional attacking methods, like vulnerability exploits or straight-on technological methods, or even ways that make sense and seemingly follow the laws of physics. We've done this because we have a huge team that does more than 2300 penetration tests in a year, but only the coolest and freakiest stuff was selected to present to you guys. So by the end of this presentation we hope to have you thinking about these systems and applications that organizations use every day, and how even the most basic things, security tools, security systems, coffee machines and things like that, might be used against them. So, on with Earth vs. The Giant Spider. You want to talk about this one?
This case is a big network restaurant franchise around the world that sells food over the Internet. They have some good maturity of security, so for example in the application we couldn't find any cross-site scripting, SQL injection or things like that. The application was basically created in Java and Flash, and no common parameter manipulation was working, for example including negative values on products and things like that. However, during the transaction we detected that the checkout was redirected to a third-party gateway, and this gateway, when getting this information, processed it and sent the information through a secure channel directly to this company, and just got a response like approved or not approved. So what we did is manipulate these requests to change the final value of the transaction itself on the gateway, since it was done directly over JavaScript from our browser by the main application. Consequently the final price that appeared on the website and all the other stuff was the real price of the products, but when we concluded the transaction we could put any kind of price that we would like and they just accepted it. In this way you could get almost any kind of food for any value.

Yes sir? OK, I have them. Yeah, no, I don't have. OK, never mind. Huh, OK, so, wait, good, you're talking now? OK, talk to them, not me. Yeah.

Well, basically as a result of this penetration test we could get a good amount of food delivered to our home for almost fifty cents. At the end of the engagement one of the cool things was we actually did engage a delivery driver that came out with bags of food and everything like that, and took a bunch of pictures, and it was all kinds of fun. But it's just a weird thing, and kind of a bad thing to do, to let somebody manipulate things and just kind of trust that everything's happening behind the scenes the way it should be. So, moving on. OK, so this one was what we called
"the one PBX will rule them all" kind of hack. This was a large financial institution that had a lot of different technologies in play, some new technologies but some ancient technologies. In the course of testing this institution, one of the things that you normally want to do is kind of dial the space. Sometimes you do it just to voicemail surf and see who's out, who's in, who's doing what, what people's names are, and things like that. A side benefit of just calling random numbers and listening is sometimes you run into something where you get a modem tone. Well, in doing this I called a number, got a modem tone and just a weird series of characters and a login prompt that was kind of generic. But dissecting the series of characters and what we got back from the modem over several calls, we figured out that it was an old Siemens ROLM PBX.

Well, in this case that's great: you get a PBX manual. It turns out that they changed the administrator password, they changed the operator password on it, but there was one account that actually had better credentials than administrator. It was the field tech account, and they didn't change that password. When you get into the field tech account it actually lets you go into any user account that you want in a minute. So I went into the ROLM PBX as administrator and just kind of browsed that. Having done some voicemail surfing previously, I knew the extension for the help desk. So one of the features is to clone a voicemail box, so one of the things we did is created a new extension, cloned the voicemail box for the corporate tech support, and at the end of the day we'd kind of listen to the various messages.

Well, it turns out that there was some dude that was traveling on the road and called in frantically to tech support after hours, when they weren't picking up, asking about a VPN problem. It just so happens that in a previous life I was a certified Check Point instructor, and I happen to know a lot about Check Point. In a previous life I actually sat on a help desk and did Check Point managed services, and the problem he was describing, I knew exactly what it was right away: it was a stupid settings problem. So I actually just called the guy back. I called the guy back and I walked him through his problem. First I asked him for his username, then asked him for his password, you know, so that I can check and verify his account, and then I fixed his machine. Afterwards he logged in and he logged out, and bingo, I logged in as him. Bang, free credentials. The funny part about that was in the wrap-up of testing we found out that this guy actually sent an email to the head of tech support praising them for the wonderful tech support he got and the quick responsiveness of the tech support.

So that one was kind of awesome and freaky and weird, and sometimes you just have to think outside the box. But something stupid like not realizing that, hey, the field tech has their own super account on this piece of antiquated technology can have kind of severe implications.

Well, this penetration test in reality happened at least two or three times, similar issues like this one. We were doing an internal penetration test, and doing the internal penetration test, the network segment was very limited. We had very few things to test: one OpenSSH server, very well updated; one Samba server almost without shares, no, no folders, nothing; and a few Windows boxes that just blocked every single thing, like ICMP echo request and echo response. Also VLAN attack bypass or VLAN hopping was not possible on this specific customer, and neither on the other two or three where we used a similar attack during the last year. However, ARP spoofing, that everybody knows and is very common, was present and it was possible to execute, but it gave no choice: we couldn't get any credential or anything special. However, during the previous external penetration test we figured out that this customer had an external site, a data center, that had an SSL VPN, and this external SSL VPN was using a self-signed certificate, and they used this a lot, but we couldn't compromise it during the external test. So during the internal test we saw some traffic over the SSL port, and we did an HTTPS man in the middle. Since it was a self-signed certificate, probably the users did not figure out the difference. When we dumped the contents we saw connections to this external SSL VPN server with self-signed certificates, so we just got the cookies, put them in our box with Burp Suite, and accessed again the same external data center server. As a result we got successfully logged in on the whole VPN over SSL, getting access to file servers, applications and a lot of stuff that was not accessible before, including credit card data and a lot of interesting stuff. So it's a very interesting demonstration of how sometimes even something that you couldn't exploit from the external side, and that is not easily detected by the automated tools, can be exploited, for example, from the inside network. It's kind of interesting because we could reproduce the same kind of vulnerability in at least three different customers during the last year. So this kind of vulnerability is the kind of vulnerability we would like to show you: they are kind of very different and not easy to find with automated tools and stuff like that. Yeah, and
that's always interesting, because you're taking an external... Organizations tend to think of the perimeter as the perimeter and the inside as the inside: we need to secure the perimeter, and the things that we do to secure the perimeter are out there, and that's basically our wall against the big bad Internet, and inside we need to do different things. But like Wendel said, a malicious attacker or a malicious insider could use external systems just as easily against internal resources. There was another instance of something akin to that, where we were taking a look at a phone directory from the inside of a network, and we were just able to basically get names of people. However, on the outside there was actually an HR system with a vulnerability, but you had to have people's names and their HR code. Well, the phone directory inside had the HR code, and the vulnerable app from the outside gave enough information to go through and actually get HR data from every single user at that company, including the CEO's payroll information. So those are always interesting, and it's interesting because somehow it was internal, then you had to compromise external, to come back to internal.

This one, hmm, this one makes no sense, and we're still trying to figure out how this even worked. We were taking a look at a card processor for actually an entire country, that processed most of the MasterCard and Visa transactions, and they had a transaction switch that they couldn't touch, that was from the card brands. There was kind of a war of "we suspect that's not secure", "no it's not", "yes it is", "no it's not", "yes it is" kind of thing, and it was very much they said this, they said that, going back and forth. The best they could do is kind of build a wall around it. So because of their idea that it wasn't very secure, they put some very restricted firewall policies in place. They were using some weird old technology that, as it turns out, was very misconfigured. Nothing would get through to the transaction switch, which kind of sat down there, and you could only actually reach it from a couple of stations inside that were the major databases.

Yeah, absolutely, that's exactly what I was getting at. Yeah, right. And so what he's saying is that's exactly what we found out: they spent all this time building this firewall around it on this legacy equipment, and basically things sourced from port 0, being a wildcard on the legacy stack, actually kind of sailed right through. So it turned out that the people that said "no, it's not secure" were actually right, because sourcing traffic from port 0 we found a Webmin interface on this transaction switch with an admin/admin user/pass pair. That's awesome, that's always the thing that you want running every financial transaction from your country. And because of that, through the Webmin interface we were able to get in at an OS level and basically see processing for
basically the whole country.

Oh, this one's really funny. All right, so there was an external pen test, just an outside-in kind of thing, very few services, a couple of applications. There was an administrative web interface, and it was some cheesy thing we thought might be vulnerable. We were able to get some of the code to leak and things like that, enough so that you could Google it and kind of search for it. It turned out that that led us to looking at comments and metadata in there, and we actually found a newsgroup where the administrator actually posted huge snippets of the source code for it, as well as all of his information. He was very, very chatty on the newsgroups. Unfortunately that didn't get us much. So looking through the snippets you think, bingo, I have source code here, surely I can get something from that. It didn't end up getting much. However, we ended up looking up the guy by name and we found his Facebook page and nicknames and a bunch of stuff about him, which led us to a forum called Caucasian Asian Love, and it was a forum for Caucasian men to find Asian women to love. Yeah. So this guy had a full profile on there; apparently he was really, really into it and really, really active in the Caucasian Asian Love. So anyway, we ended up building up a word list from his dating profile, and his password was a variant of "love machine" with the common "u" spelling of love, which was actually rather awesome. So we ended up getting into the administrative interface, which actually yielded a ton.

So, well, it was another external penetration test where we couldn't find any true vulnerability: basically no kind of web vulnerability, no vulnerable services, no weak accounts, no things like that. It was a huge network, and we found that on this huge network they had almost 20 high-definition IP cameras, and they also had a specific port that was unrecognized by network mapper, that probably was the application to centralize all these IP cameras into a single server. Well, these IP cameras, we looked around, no vulnerable, no vulnerabilities on the basic services, and we couldn't find any known vulnerability. So we just got a couple of these IP cameras and in a lab we tested them, and we found a vulnerability, like an authentication bypass, that allowed us to dump the whole password from the Linux base system inside the IP camera and a lot of stuff. We cracked the local root password and stuff. In the end we created a modified firmware and we uploaded it over this interface, and it created a web shell. From this web shell on the web camera, which was connected on the inside network, consequently from these web cameras we could look at, for example, internal employees working, zoom up to 10 times, get screenshots, IPs of PCs, usernames, and obviously from the web shell we created on the modified firmware we could access the whole internal network that was accessible from this IP cameras network, that was on the management, administrative segment. It is interesting because it resulted in an advisory, and because they are video cameras, that's a security service, being used to hack.

The great thing about that one is, once you're into these video cameras, and these were, by them having the good video cameras instead of the crappy grainy black and white ones, it really helped a lot, because it had an optical zoom of ten times and some of these were trained on machines and keyboards and things like that. So it ended up becoming a password bonanza, as you just kind of sat there remotely in a different country watching a user sit down at a station and type in their password, and I'm like, OK, so that username has this password. Throughout the day you end up collecting a bunch of stuff, and then once you have credentials, the stuff on that hardened exterior, the various servers that you can't do much with, isn't really so hardened anymore. Password reuse is problematic and all-pervasive, so it tends to lead to compromise right away.

OK, all right, so after this one we have a video to show you of exactly how this all works, but I'll let Wendel describe it first. Wendel, come here, and then I'll hand you this. Sure, all right, go for it.

OK, well, personally I really like database attacks, and we commonly find, Rob and I and all the guys, on the internal network penetration tests, we see a lot of databases: SQL Server, Oracle, DB2 and MySQL and a lot else. Well, sometimes we can compromise them with different techniques: overflows, weak accounts, problems like badly configured services, etc. However, sometimes we can get ARP spoofing but no new connections, no people reconnecting, or they have a strong password, so we can't get the decrypted credentials during the span of time
of the engagement. And that's a frustrating thing: you're in the middle and you're seeing all this stuff and you wish you could do something with it, and it's like, whoa, I have all these sessions going, why can't I just grab one? So that's what Wendel and Steve did: they wrote a tool. So basically, all right, this is an already authenticated session, let's just go ahead and grab one. Yeah, exactly. Also, thanks to Steve for working with this; he did a great job, and ThickNet also supports SQL Server. So the main idea is, if you have the sessions running for Oracle or even SQL Server, why first try to disconnect them and get credentials or whatever, if you can just take this connection and send all commands and do whatever we want? As you know, we can't show screenshots of this penetration test we are talking about, because they are a customer and it's not a good thing, but we created a lab and the video just to demonstrate how it works. We used it recently a lot in different internal penetration tests with a good level of success, and it also is free and available on the Internet for whoever is interested.

Go ahead and explain what's happening while it's running.

Oh, OK, so we start off with this tool called vamp that actually does the ARP spoofing. It's a Perl script that does some reverse ARP spoofing, and then you'd run this tool called ThickNet.

Now we are just showing a normal connection to the Oracle database from a supposed client; this virtual machine is like a client that you want to access. First we show that we can't log in with the credential "wendel" to the database, as you can see on the first line. Then it's logged in with the user Steve, that's a valid user, so Steve is executing a very simple query, like select 1, 2, 3 from dual or whatever. Now back to ThickNet: if you use the ls command we can see the active sessions, and the one that is marked with the letter I means that it's injectable, it was detected as injectable by ThickNet.

So we're playing. Yeah, all right, so the next thing you do is you actually go ahead and use ThickNet to steal the session. It's a real easy thing, and basically what you end up with is taking that session over. The normal user just reconnects; in most cases they don't know that anything really happened, it's just kind of a blip, and a lot of database clients have connection pools anyway, so they just start a new connection. You take their old one and basically end up with a shell interface to the Oracle database.

Yeah, at this point we could, for example, send any commands, since we stole the connection. So just to demonstrate, we are sending this SQL query that will be creating an account called "wendel"; at the beginning of the video it was not an account that existed on the database. As you can see, you get at the end ORA-01003; this means that the command was sent and partially successful. Now we are just stopping the ARP poisoning and making sure vamp makes sure that we are not breaking the ARP tables. And now we are trying to log in again with the same account, "wendel", just to make sure it really worked to use vamp to intercept and inject into a live connection and create a new account on the Oracle database. Now, as you can see, we can log in with the account that previously didn't exist on the database, and now we can do any query with the privilege of this account.

Yeah, and as you see we're just doing a select query. Yeah, just to demonstrate that it's possible to include any query. Obviously in this case the session that was stolen was an administrative account, so we could create an account, but you can always get the privilege of that account. For example, recently on our team meeting we got another guy from the network penetration testing team, and it's very nice too: last week we stole a Microsoft SQL Server session with this tool and could use xp_cmdshell to execute commands, just for a nice tooling session. Also we have other nice things from ThickNet, like stealing credentials, and even Microsoft has some advisories, and Oracle has some very specific stuff from Windows clients that leaks Windows authentication. So I suggest to everybody that is interested to check ThickNet; it's very interesting. So, sure,
Don't you... OK. Look, okay, yes, we are there. Thanks. All right, great. Um, whoa, these are going insane here. Okay, so technology is against me. OK, let's try this again.
Okay, so it's time to, you know, talk about some of the victims of these attacks, because they all have very serious implications. You know, they make for kind of like fun stories and, you know, sometimes you get a chuckle out of them, but let's talk about... none of these attacks really led to anything trivial. The reason why they're included here is that all of these attacks led to ginormous compromises of huge amounts of data: in some cases CHD numbering in the millions, PII numbering in the millions, and huge, huge, huge amounts of data. So the organizations that we're talking about here are multinational banks, a global restaurant franchise, major retail chains, a credit card processor for an entire nation, and the types of data stolen that we're talking about here are, you know, every Visa and MasterCard transaction processed in an entire country, hundreds of millions of PAN and track data, HR data; in one case it led to accessing the DHS terrorist watch list that financial institutions are supposed to check against, and obviously billions of dollars in transactions. So just kind of in conclusion to this, before I say something about stuff you didn't see: this talk was focused on those complex or uncommon hacks found in real environments, some in very high-end and important systems, and some are unlikely but true. And this is a bizarre world where you have old, ancient anomalies affecting newer systems, security systems that are used to hack organizations, new techniques developed on the fly, and things like that. So we're happy to be here, hopefully you enjoyed these stories.
So one of the things that we were going to do with this is we spent like two weeks setting up this whole hacking challenge that we were going to run during the talk, and we checked on it when we got here, we checked on it last night, checked on it this morning, and three machines that we had wouldn't boot, and that's just awesome. So the winner was supposed to get a prize, and we still have the prize, but I know a lot of you out there have bizarre and weird stories of your own, so we're going to change it: anybody that comes up with a truly weird fucked-up story will get the prize, a copy of the Duke Nukem Forever PC version game. Anybody want to take a shot? Go on up. Well, yeah, we're showing you that we have the game today, but you won't actually get it for another 12 years. Have a seat. What's your name? Tim. Tim, what's your weird fucked-up story?
Well, we were doing a pen test one time and we were dialing all their other phone lines, and we found a system that was returning odd characters, and basically we were able to determine that this was an HVAC control system. So we did some research and found that there was a default technician login, got into the HVAC control system, and then we shut down the exhaust fan in their server room. So then we just sent somebody out dressed up as an HVAC technician and were able to get right into the datacenter.
What do you guys think? Tim gets the prize? Oh yeah, hey, there you go. Thank you. Hey, sure... wait, wait, no, no, not really. Does anybody else... I saw a couple of people that were kind of coming towards this stuff. Anybody else want to try for the runner-up prize? Anyone? All right, well, in that case I'll drink the cachaça myself. Thanks everyone, hope you enjoyed it, and thanks for coming out.