Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration tests
Formal Metadata
Number of Parts | 122
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/40631 (DOI)
DEF CON 19 | 15 / 122
Transcript: English (auto-generated)
00:00
Thanks, everyone, for coming out. Welcome to Earth vs. the Giant Spider: Amazingly True Stories of Real Penetration Tests. My name is Rob Havelt and I'm the director of penetration testing for Trustwave SpiderLabs. Over to my right, left, my other right, is my
00:23
Brazilian friend Wendel Henrique. I work on the Trustwave SpiderLabs penetration team for almost three years, I guess. I have over nine years in the security industry. I have found some different set of products, web application firewalls, camera, remote application
00:45
systems and probably a lot of others. I presented at Black Hat, OWASP and the other big conference. We are in the process of getting up and painting technology for penetration test, project 3D and a few other things. That's me. And like I said, I'm the
01:10
director of pen testing at Trustwave SpiderLabs. I've been around the security industry kind of forever. I've worked from starting up an ISP to doing TSCM to just
01:25
about every possible job in system administration and information security. I spoke at a lot of venues and this is a great opportunity for us to speak to you guys at probably one of
01:43
the best security conferences ever, DEF CON. Greatest crowd. So what's this all about? Basically we put together a collection of the weirdest, freakiest and most unlikely hacks
02:00
that we've ever found. And we'll walk you through these weird, freaky, unusual, just out of the ordinary stuff. We'll let you meet the victims of these odd hacks because some of these actually have serious implications. And we'll kind of walk you through a few of
02:25
these things and kind of wrap it up after that. So basically we've been in a unique opportunity to see some very real, interesting, uncommon and very non-trivial things that
02:46
can't really be found either using traditional attacking methods, vulnerability exploits or straight on technological methods or even ways that make sense and follow the laws of
03:03
seemingly the laws of physics. And we've done this because we have a huge team that only the coolest and freakiest stuff were selected to present to you guys. So by the end of
03:24
this presentation we hope to have you thinking about these systems and applications that organizations use every day and how even like the most basic things, security tools,
03:42
security systems, coffee machines and things like that might be used against them. So on with the Earth versus the giant spider. Do you want to talk about this one?
04:04
This is a big network around the world that sells food over the internet. They have some good maturity of security. So for example, the application we couldn't find any cross-site scripting, SQL injection or things like that. The application was
04:24
basically created in Java and Flash and no common pattern manipulation was working. For example, including negative values on products and things like that. However, during the
04:40
transaction we detected that the checkout was redirected to a third party gateway. And this gateway went and got this information and sent the information to a security channel directly to this company and they just got a response like approved or not
05:03
approved. So what we did is manipulate this request to change the response to the transaction itself on the gateway since it was a directory over JavaScript from our
05:22
browser by the main application. Consequently, the final price that appeared on the website and all the stuff was the real price of the products. But when we conclude the transaction, we could put any kind of price that we would like. And they just got accepted
05:43
or not. In this way you could get almost any kind of food for any value.
06:12
Talk to them, not me. Yeah, well, basically, as a result of this penetration test, we
06:24
could get some good amount of food delivered to our home with almost 50 cents at the end of the engagement. One of the cool things was we actually did engage a delivery driver that came out with bags of food and everything like that and took a bunch of pictures. And
06:45
it was all kinds of fun. But it's just a weird thing that, you know, and kind of a bad thing to do to let somebody kind of manipulate things and just kind of trust that everything is happening behind the scenes the way it should be. So moving on. So
07:08
this one was called the one PBX will rule them all kind of hack. This was a large financial institution that had a lot of different technologies in place, some new
07:24
technologies, but some like ancient technologies. In the course of like testing this institution, you know, one of the things that you normally want to do is kind of dial the space. Sometimes you do it just to voicemail surf and see who is out, who is
07:45
in, who is doing what, what people's names are and, you know, things like that. A side benefit of just kind of calling random numbers and listening is sometimes you run into something where you get a modem tone. Well, in doing this, you know, we
08:05
called a number, got a modem tone and just a weird like kind of series of characters and a login prompt that was kind of generic. But kind of dissecting like the series of
08:25
characters and what we got back from the modem over making like several calls, figured out that it was an old Siemens Rolm PBX. Well, in this case, that's great. You
08:43
know, you get a PBX kind of manual. It turns out that they changed the administrator password, they changed the user, the upper password on it. But there was one account that actually had better credentials than administrator. It was field
09:01
tech account. And they didn't change that password. When you get into the field tech account, it actually lets you go into like any user account that you want. So went into the Rolm PBX's administrator and, you know, just kind of browsed that. Having like done
09:22
some voicemail surfing previously, I knew that the extension for the help desk. So one of the features is to like clone a voicemail box. So one of the things we did is created a new extension, cloned the voicemail box for the corporate tech support. And at
09:42
the end of the day, we'd kind of listen to the various messages. Well, it turns out that there was some dude that was traveling on the road and called in frantically to tech support after hours when they weren't picking up asking a problem about a VPN problem.
10:04
It just so happens that in a previous life, I was a certified Check Point instructor and I happened to know a lot about Check Point. In a previous life, I actually like sat on the app desk and did like Check Point like managed services. And the problem he was
10:22
describing, I knew exactly what it was right away. It was a stupid like settings problem. So I actually just called the guy back. I called the guy back and I walked him through like his problem. First I asked him for his username. Then I asked him for his
10:42
password. You know, so that I can check and verify his account. And then I fixed his machine. Afterwards, like, you know, he logged in and, you know, he logged out and
11:05
bingo, logged in as himself, bang, free credentials. The funny part about that was in the wrap up of testing, we found out that this guy actually sent an email to the head of
11:22
tech support like praising them for like the wonderful tech support they got and the quick responsiveness of the tech. So that one was kind of awesome and freaky and weird.
11:42
And, you know, sometimes you just kind of have to think outside the box. But, you know, something stupid like, you know, not realizing that, hey, the field tech has their own like super account on this piece of antiquated technology can, you know, have kind of
12:04
severe implications. So. Well, this penetration test on the reality happened at least three or three times. Similar wishes like this one. Well, we were doing an internal penetration
12:24
test and during the internal penetration test, the network segmented was very limited. We had almost very few things to test like one open SSH server very well updated. One
12:44
Samba server that's almost without sharing no folders, nothing in the Windows box or a few Windows box that just block everything except ping like echo request and echo response.
13:05
Also, VLAN attack bypass or VLAN hopping was not possible on the specific customer and neither on this older two or three that used a similar attack during the last year. However, ARP spoofing that everybody knows and is very common was present, was
13:26
possible to be executed. But it gave no juice. We couldn't get any credential or anything special. However, during the previous external penetration test, we figured out that this
13:41
customer had an external site in a data center that had a VPN SSL and these external VPN SSL use a self-signed certificate and they use this a lot but we couldn't compromise during the external. So during the internal, we saw some traffic over the SSL port and
14:05
we did a man in the middle. Since it was a self-signed certificate, probably the users did not figure out the difference. When we dumped the contents, we saw connections to these
14:21
external VPN SSL server with self-signed certificates. So we just got the cookies and the quantity in our box with a Burp Suite and the access again, the same external data center server. And as a result, we get the whole VPN over SSL getting access to file
14:46
servers, applications and a lot of stuff that was not accessible before including credit card data and a lot of interesting stuff. So it's very interesting demonstration of how
15:02
sometimes a vulnerability that you couldn't exploit from the external side and is not easily detected by the automated tool can be exploited, for example, from the inside network. It's kind of interesting because it could have produced the same kind of vulnerability at least in three different customers during the last year. So this kind
15:22
of vulnerability is the kind of vulnerability we would like to show you. They are kind of different and not easy to find. We felt automated and stuff like that. And that's always interesting because you're taking an external, you know, and organizations tend to
15:44
think of the perimeter is the perimeter and the inside is the inside. And, you know, we need to secure the perimeter and the things that we do to secure the perimeter, you know, that's out there. And, you know, that's basically our wall against the big bad
16:03
Internet. And inside we need to do different things. But like Wendell said, you know, as a malicious attacker or a malicious insider could use external systems just as easily,
16:23
you know, against internal resources. There was another instance of something like akin to that where we were taking a look at a phone directory and from the inside of a
16:53
computer on the outside there was actually like an HR system with the vulnerability but you had to have like people's name and their like HR code. Well, when used with the
17:07
phone directory inside, it had the HR code and the vulnerable app from the outside, you know, gave enough information to kind of go through and like actually get like HR data from every single user at that company including the CEO's payroll information. So, those
17:29
are always interesting. And it's interesting because somehow it was internal that you have to compromise external to come back to internal. This one, this one makes no sense
17:48
and we're still trying to figure out how this even worked. But we were taking a look at a card processor for actually like an entire country that processed most of the MasterCard and
18:09
Visa transactions. And they were able to, you know, get a lot of information from them. We had a transaction switch that they couldn't touch that was from the card brands
18:21
and there was kind of a war of we suspect that's not secure, no it's not, yes it is, no it's not, yes it is kind of thing. And it was very much, you know, they said this, they said that kind of going back and forth. The best they could do is kind of like
18:42
build a wall around it. So, because of their, you know, their idea that it wasn't very secure, they put some very restricted firewall policies in place. They were using some weird old like technology that as it turns out was very misconfigured. Nothing would get
19:04
through to the transaction switch. It was kind of set down and you could only actually reach it from a couple of stations inside that were kind of like the major databases. Yeah, absolutely. That's exactly what I was getting at. Yeah. Right. And so what he's saying
19:33
is then that's exactly what we found out is so they spent all this time like building this firewall around it on like this legacy equipment and, you know, basically like things
19:45
source from port zero like being a wild card on a legacy stack. It like actually kind of sailed right through. So it turned out that, you know, the people that said like no it's not secure was actually right because sourcing traffic from port zero we found out a
20:05
Webmin interface on this transaction switch with an admin admin user pass pair. That's always the thing that you want running every financial transaction from your country from.
20:22
And, you know, because of that, like, you know, the Webmin interface, you're able to get in at an OS level and basically like, you know, see processing for basically the whole country. This one's really funny. All right. So, yeah. So, yeah. So, yeah.
20:49
There was an external pen test, you know, just as an outside in kind of thing. Very few services. A couple applications. There was an administrative like web interface. And it
21:04
was some cheesy thing we thought might be vulnerable but, you know, we were able to get like some of the code to leak and things like that enough so that, you know, you could Google it and kind of search for it. So it turned out that that led us to looking at
21:24
like comments and metadata in there. We actually found a newsgroup where the administrator actually like posted like huge snippets of the source code for it as well as like all of his information. It was very, very chatty on the newsgroups.
21:46
Unfortunately, that didn't get us much. You know, so looking through like the snippets, like, you know, you think like bingo, I have like source code here. You know, surely I can get like something from that. It didn't end up getting much. However, we ended up
22:04
like looking up the guy by name and we found his Facebook page and like, you know, nicknames and a bunch of stuff about it. Which led us to a forum called Caucasian Asian Love. And it was a forum for Caucasian men to find Asian women to love. Yeah. So
22:35
this guy had a full profile on there. Apparently he was really, really into it and
22:41
really, really active in the Caucasian Asian Love. So anyway, we ended up building up a word list from his dating profile and his password was a variant of love machine with
23:00
the common U spelling of love. Which is actually rather awesome. So we ended up getting into the administrative interface which actually like yielded like a ton. So.
23:24
Well, it was another external penetration test where we couldn't find any trivial vulnerability. Basically, no kind of web vulnerability, no vulnerable services, no weak accounts, no things like that. It was a huge network. So we ended up building up
23:46
and we found that on this huge network they had almost 20 high definition IP cameras and they also a specific port that was recognized by network mapper that probably was the
24:03
application to centralize all these IP cameras into a single service. Well, these IP cameras, we looked around and we couldn't find any vulnerability. So we just looked for a
24:23
copy of these IP cameras and in our lab we tested them and we find a few vulnerabilities like authentication bypass that allowed us to dump the whole password from
24:41
the Linux-based system inside the IP camera and a lot of stuff we cracked the local root password and stuff. On the end we created a modified firmware and we uploaded over this interface and created a web shell. From this web shell on the web camera they was
25:02
connected on the inside network and consequently from these web cameras we could look for example, internal employees working, give zoom up to ten times, get screenshots, IP of systems, user names and obviously from the web shell we created on the modified firmware
25:22
we could access the whole internal network that was accessible from these IP cameras network that was on the management administrative segment. It is interesting because it resulted in an advisory. So we used the video cameras, that's a security service.
25:41
The great thing about that one is you take a look, once you're into these video cameras and these were like, by them having like the good video cameras instead of the crappy grainy black and white ones, it really helped a lot because you had an optical zoom of
26:01
ten times and some of these were trained on like machines and keyboards and things like that. So it ended up becoming like a password bonanza as you like kind of just sat there remotely in a different country, watching a user like kind of like sit down at a
26:23
station and type in their password and I'm like okay, so that user name has this password and throughout the day you end up like collecting a bunch of stuff and then once you have credentials, the stuff on that hardened exterior, you know, with the various
26:48
servers that you can do much with, isn't really like so hardened anymore. You can kind of, a lot of password reuse is problematic and all pervasive. So, you know, it tends
27:08
to lead to compromise that way. All right. So after this one, we have a video to show
27:23
you of, you know, exactly how this all works, but I'll let Wendell describe it first and do you want to like come here and then I'll hand you this? Sure. All right. Go for it.
27:50
Well, personally, I really like database security and we commonly find raw BI in the internal network penetration test. We see a lot of database, SQL Server, protocols,
28:04
DB2 and the MySQL and a lot else. Well, sometimes we can compromise them with different techniques, overflows, weak accounts, problems like bad TNS configured services,
28:20
et cetera, in Oracle. However, sometimes we can get like ARP spoofing, but no new connections, not people reconnection, or they have strong passwords, so we can't get the, decrypt the credentials during the span time of the engagement. And that's a frustrating thing. You're in the middle and you're seeing all this stuff and you wish you could do
28:45
something with it and, you know, it's like, well, I have all these sessions going, why can't I just grab one? So that's what Wendell and Steve did. They wrote a tool to basically, all right, this is an already authenticated session. Let's just go ahead and
29:02
grab one. Yeah, exactly. Also, big thanks to Steve to work with us. He did a great job. And also supports the SQL Server. So the main idea is if you have the sessions running for Oracle or even SQL Server, why force them to disconnect and get credentials or
29:23
whatever, if you can just take this connection and send all commands and do whatever we want. So, as you know, we can show screenshots of this penetration test we are talking about because they are customer and it's not a good thing, but we created the in-house
29:41
video just to demonstrate how it works. We used it recently a lot in different internal penetration tests with a good level of success. And the tool also is free and available on the internet for who is interested. So we start off with this tool called VAMP that
30:26
actually like does the ARP spoofing. It's a Perl script that does kind of like some reverse ARP spoofing. With VAMP, then you'd run this tool called Thicknet. And now we
30:40
are just showing a normal connection to Oracle database from a supposedly client. This like a client that you want to access. It's first showing that we can't log in with the credential Wendel at the database as you can see on the first line. Then it's logged
31:00
with the user Steve that's a valid user. So Steve is executing a very simple query like select 123 from dual or whatever. Now back to Thicknet. If you use the ls command, we can see the sessions. And the one is marked with the I letter that means
31:21
that it's injectable. It was detected as injectable by Thicknet. So the next thing you do is you actually like go ahead and use Thicknet to steal the session. It's a real easy thing. And basically what you end up with is taking that session over and
31:49
the normal user just reconnects. In most cases, they don't know that anything really happens. It's just kind of like a blip. And a lot of database clients have connection
32:01
pools. Anyway, so they just start a new connection. You take their old one and basically end up with a shell interface to the Oracle database. At this point, we could for example send any commands. I see we've stolen the connection. So just to demonstrate, we
32:27
are sending this SQL query that you'll be creating an account that's called Wendel that on the beginning of the video was not an account that existed on the database. As you can see, you get on the ending the ORA error 01003. This means that
32:54
the command was sent and parsed successfully. Now we are just stopping the
33:01
ARP poison and making sure VAMP makes sure that we are not breaking the ARP tables. And now we are trying to log in again with the same account that was Wendel just to make sure it really works. We use the VAMP to intercept and injecting a live
33:20
connection and to create a new account on the Oracle database. Now as you can see, we can log with the account that previously doesn't exist on the database. Now we can do any query like the privilege of this account. Just to demonstrate that it's possible to
33:53
execute any query, obviously in this case, the session that was stolen was a administrative query. So we could create an account but you can always get the
34:05
privilege of that account. For example, recently on our team meeting, we got another guy from the network penetration testing team and it's very nice to last week we got a stolen SQL Server, Microsoft SQL Server with this tool and they could use the
34:21
xp_cmdshell to execute commands just from a stolen session also. We have the other nice things from Thicknet like steal credentials and even Microsoft has some very specific stuff from Windows clients that leaky Windows authentication. So I suggest everybody that is
34:42
interested to check Thicknet. It's very interesting.
35:36
Okay. So technology is against me. Okay. So it's time to, you know, talk about some of
36:27
the victims of these attacks because they all have very serious implications. You know, they make for kind of like fun stories and, you know, sometimes funny, you get a chuckle out of them. But let's talk about none of these attacks really led to anything
36:47
trivial. The reason, you know, why they're included here is all of these attacks led to ginormous compromises of huge amounts of data. You know, in some cases, CHD numbering in
37:08
the millions, PII numbering in the millions and huge, huge, huge amounts of data. So the organizations that, you know, we're talking about here are multinational banks,
37:27
global restaurant franchise, major retail chains, credit card processor for an entire nation. And the types of data stolen that we're talking about here is, you know, every
37:41
Visa and MasterCard transaction processed in the entire country, hundreds of millions of PAN and track data, HR data. In one case, you know, it led to accessing like, you know, like the DHS terrorist watch list for financial institutions that they're supposed to check
38:03
against. And, you know, obviously like billions of dollars in transactions. So just kind of in conclusion to this before I say something about stuff you didn't see is, you know,
38:26
this talk was focused on those complex or uncommon hacks found in real environments. Some are very high end and important systems. And some are unlikely but true. And this is,
38:50
you know, a bizarre world where you have like old ancient anomalies, you know, like affecting like newer systems, security systems that are used to hack organizations, you
39:06
know, new techniques developed on the fly and things like that. So, you know, we're happy to be here. Hopefully you enjoyed these stories. So, I think one of the things
39:24
that we were going to do with this is we spent like two weeks setting up like this whole like hacking challenge that we were going to run during the talk. And so, you know, we checked on it when we got here. We checked on it last night. Checked on it this
39:44
morning and like three machines that we had like wouldn't boot. And that's just awesome. So, you know, the winner was supposed to get a prize. And so we still have the
40:06
prize. But I know like a lot of you out there have like bizarre and weird stories of their own. So we're going to change it. Anybody that comes up with just a truly weird fucked up
40:25
story will get the prize of a Duke Nukem Forever PC version game. Anybody want to take a
40:44
shot? Come on up. Well, yeah. We're sharing a story. We're sharing a story. We're showing you that we have the game today but you won't actually get it for another 12
41:00
years. Have a seat. What's your name? Tim. Tim, what's your weird fucked up story? Well, we were doing a pen test one time and we were war dialing all their phone lines. And like you, we found a system that was returning odd characters. And basically we
41:25
were able to determine that this was an HVAC control system. And so did some research and found that there was a default technician log in. Got into the HVAC control system. And
41:41
then we shut down the exhaust fan in their server room. So then we just sent somebody out dressed up as an HVAC technician. And we were able to get right into the data center. What do you guys think? Does Tim get the prize? Oh, yeah. Thank you. Sure.
42:13
Wait. No, no, no. Does anybody else? Like I saw a couple people that were kind of coming towards this stuff. Anybody else want to try it for the runner up prize? Anyone?
42:31
All right. Well, in that case, I'll drink the cachaça myself. Thanks, everyone. Hope you enjoyed it and thanks for coming out.