Darknet Diaries - 130: Jason's Pen Test
Episode Date: December 13, 2022
Join us as we sit down with Jason Haddix (https://twitter.com/Jhaddix), a renowned penetration tester who has made a name for himself by uncovering vulnerabilities in some of the world's biggest companies. In this episode, Jason shares his funny and enlightening stories about breaking into buildings and computers, and talks about the time he discovered a major security flaw in a popular mobile banking app.
Sponsors
Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.
Support for this show comes from Arctic Wolf. Arctic Wolf is the industry leader in security operations solutions, delivering 24x7 monitoring, assessment, and response through our patented Concierge Security model. They work with your existing tools and become an extension of your existing IT team. Visit arcticwolf.com/darknet to learn more.
Transcript
I used to work for this company, and I worked on the overnight shift, and they had a parking garage, but the best parking spots were all assigned to management.
Not only that, you had to have a special parking garage badge to get in, so I always had to park far away.
What really bugged me is that I was on the night shift, and there were only three of us on the night shift, so it was like the whole parking garage was empty.
Well, one day I brought my skateboard to work and was just rolling around in the parking garage during my break. And I rolled up to the mechanical arm that blocked you from getting into the garage.
And to my surprise, it opened as I rolled up to it. What? I waited for it to go down and I tried
again and it opened when I got near it again. What I discovered was that there was a little
electronic eye, which detected when a car was trying to exit the parking garage and it would
lift the gate to let the car out. Well,
I pinpointed exactly where that eye was and just tried to do something like take my shoe off and
place it in front of the sensor. And sure enough, that was enough to get the gate to lift up until
I moved my shoe. Well, naturally, I hopped in the car, drove up to the gate, got out of the car,
took my shoe off, put it on the exit sensor, and it raised the gate. And I got back in the car and was able to get through the gate
and grab my shoe on the way through and just park wherever I wanted.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites
and continuously works to keep it off.
Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com
slash darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout.
That's joindeleteme.com slash darknetdiaries. Use code darknet.
Support for this show comes from Black Hills Information Security. This is a company that can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn
things like penetration testing, securing the cloud, breaching the cloud, digital forensics,
and so much more. But get this, the whole thing is pay what you can. Black Hills believes that
great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's blackhillsinfosec.com. Blackhillsinfosec.com.
In this episode, we're going to hear some stories from Jason Haddix.
I've always been into computers. I think I had my first computer when I was
11 or 12. I think my parents got it for me for Christmas. So 486, kind of just taught myself
because I was curious about how it worked and a little bit of programming, HTML and stuff like
that. Any dark stuff you were looking into back then or anything that was, you know, maybe your
parents wouldn't be happy you were seeing? Yeah, yeah. So, I mean, when I was in my early, early 20s, a friend of mine wanted a fake ID.
And we were all, you know, very young and impressionable at the time.
So I went out and a friend of mine was selling fake IDs and I bought one.
And, you know, back then it was like 120 bucks or something like that for a fake ID.
I got it eventually. It took a long time for him to get me one. And then when I got it,
it was really crappy. And I was really upset. And I figured, hey, I could probably do a better job
than this if I just learned it because I figured I knew computers and I knew stuff like that.
So I just started Googling. Back then, it wasn't really
Google, but I just started looking on the internet for resources. And so one of the resources that I
fell upon was Shadow Crew, which was probably one of the first darknet forums that was mainstream
before the darknet actually existed. It was still the regular web, but it was forums. And I started learning how to do everything to do with fake IDs.
I bought printers and learned how to make my own and probably a couple for my friends.
But it involved asking a lot of questions with the underground then, which was Shadow Crew.
Okay, yeah. So Jason was on Shadow Crew.
And if you aren't familiar with Shadow Crew, just go back and listen to the episode just before this called Gollum Fun.
While Jason was on Shadow Crew, he was focused on making fake IDs.
But he really didn't sell that many.
I mean, I would say I only sold a handful.
It was more of like an obsession for me, like to do it better than what I got.
Let's say maybe like three or four, like really good ones
and a whole bunch of failed ones
from my personal use,
like just from my friends, really.
Like I wasn't a distributor
even on the forums or like rated,
but I had shared a couple with like people
and they were like,
oh, these are getting really, really good.
And mine usually passed.
So it wasn't rocket science, right?
It was just like having access
to the
printers, the templates, like understanding, you know, all that kind of stuff. So yeah,
it wasn't like I was a criminal enterprise that was making a lot of money or anything like that.
It was just that I found it really interesting. Like, like you could fall into anything,
like you could fall into a video game or you could fall into some kind of obsession, you know, like, you know, finishing a project.
I just I had to figure out how to do it.
And I did.
Then one day he goes on Shadow Crew's website and sees it's been shut down.
The picture that they put up there with the dude behind the bars and said the Secret Service is coming for all of you.
And a whole bunch of your, you know, and then the indictment came out and a
whole bunch of people who I really only knew their screen names, but, you know, had been arrested
in multiple countries. Whoa, this really spooked Jason. People were getting arrested for selling
fake IDs on this site. And he was one of the people selling fake IDs there. The bust happened
and then the next day I gathered. So, you know, in the process of, you know, printing stuff,
you have three, you know, usually three different printers. You have laminates, you have stencils,
you have powders, you have all kinds of crazy stuff. You have inks. And so as soon as I had,
I just dumped it in a black trash bag, a couple black trash bags, put it in my trunk and drove. He was driving as fast as he could to another city,
far, far away.
His plan was to just throw it all into a dumpster
nowhere near where he lived
just to get rid of everything.
And on the way to do that,
I actually got pulled over.
Jason's heart was pounding so hard.
He didn't know why the cop pulled him over.
Maybe it was for the fake IDs,
and all that evidence was in the trunk of his car.
The cop walked up to his window and said he was speeding.
This was somewhat of a relief, but Jason was still really worried.
And I just thought he was going to ask me to pop my trunk
and see all my stuff in the trunk.
But the cop didn't. He just gave Jason a ticket and let him go.
Close call.
So Jason continued to drive to the next town, this time going a little slower to get rid of his stuff.
Dumped it in the next city in a dumpster with some lighter fluid and lit it all on fire.
Yeah, that was probably one of the scariest moments in my life.
And like I said, it scared me straight.
Hmm, that's interesting, eh?
That intimidating post that the Secret Service put up on Shadow Crew's site
was enough to make Jason quit the fake ID scene forever.
It's kind of hard to leave something like that behind.
With Shadow Crew, it was like he was let into some inner circle of people, almost like a family. And it's hard to build
up something like that and earn that trust just to walk away from it all and start over somewhere
else. Well, by this point, Jason had enough knowledge of computers that he knew he wanted
to make a career of it. He really liked the challenge of hacking into things too. So he took some classes and then
got a job fixing computers, then became a junior penetration tester. He did that for two years
and then got another job doing penetration testing at HP. This is where he was tasked
at hacking into companies to see if they were secure. So I started there as a staff penetration tester.
Did probably a couple hundred pen tests for the Fortune 500.
A couple hundred? That's a lot.
Yeah, I mean, I'd say I've probably done over my career maybe 300 pen tests or a little bit less than 300 pen tests probably over the years.
But yeah, I mean, we did one week assessments.
You would do one week for the assessment, one week for the reporting.
It was really easy for HP to get those contracts because they already had these big ins through their IT group with
these companies. They were selling them printers, they were selling them enterprise software.
And then everybody at that time needed, if they were subject to any kind of compliance,
they needed a pen test for compliance to satisfy compliance. And so they would just go with the
people they already had a contract with, which was us. And so I got exposed to a ton of the big, big banks, a ton of big tech companies,
big enterprises. I pen tested a lot of stuff.
Ah, yes. Compliance. I believe to be PCI compliant, it requires that you have to have a penetration
test. And PCI is payment card industry. So like MasterCard, American Express, they won't let you
process their credit cards unless you're PCI compliant, which means you have to have an auditor that
comes to your company and analyzes your security practices and conducts a penetration test.
I guess HP was one of those auditors and offered this service, which is where Jason really honed
his skills as a hacker. Now, for the most part, Jason focused on network hacking.
There's a few types of penetration testers.
There's physical penetration testers,
where they physically try to get into a building
to see what they can access.
But there's also application pen testing.
This is where maybe a software maker
gives their application to you
and you try to find a bug with it.
And then there's network penetration testing.
And this is where you try to break into a network using a computer over the internet or whatever. You might try
attacking it from the outside world, or you might be actually given permission to come into the
network and see what you can get to from inside the company. Like for instance, the people who
work in marketing shouldn't be allowed to just see everyone's passwords, right? And someone should
test that to see if it's truly secure. Jason did a few physical pen tests, and there's one he told me about,
which is actually hilarious. Okay, so you know when you work somewhere, you get to know the
security mechanisms that they have in place? Well, Jason worked for this place for a while,
and he was pretty familiar with the layout of the office and knew exactly how the doors worked in
the building. Well, later on, when he went to work
for another company, he was given the task of breaking into this previous employer. And since
he already knew the place well, he knew exactly what to bring. Okay, we need to get into this
building. Yeah. Let me pack, you know, some equipment for this. Yeah. And what do you throw in your bag?
Yeah, I mean, you throw your lock picks,
you throw your USB keys that have malware on them,
and you throw your blow-up doll.
Yeah, a blow-up doll.
He knew there was a certain door that had a magnetic lock.
Nobody was allowed in or out unless the magnet was disengaged.
Well, to get in, you need your badge, which disengages the magnet.
But to get out, you didn't need your badge.
You could just open the door by pushing it from the inside.
So how does the magnetic lock disengage for people leaving?
Well, it unlocks when it senses someone leaving.
And it had a little electronic eye
and could see when something got near the door on the inside
and it would unlock
the door. This was one thing he noticed, but he also noticed something else about this door.
The gap, the small, small gap between the door and the ground, you could slide something under
there. So when he was given this assignment, he packed a blow-up doll and went right up to the
door, pulled it out, which it was deflated and flat, and he put it on the ground and slid it under the door. The whole
doll was on the other side of the door, except for the part that you put your mouth on to blow it up.
So he laid on the ground and began blowing up the doll, which was inflating on the other side of the
door. That's exactly what it is. Just face on the pavement, blowing up the blow-up doll.
And then you hear the click of the door and you jump up and grab it.
Yeah, we had two people with us. So the other person would apply some slight pressure.
As soon as it unlocked, walk through the door, do the same thing.
It was a man-trapped door, two sets of doors. So do the same thing on the other one.
And then, you know, walk into the physical premises.
And then once you're in there, you have access to everything. I love this because to me, this is something I never would have expected someone to bring
on a physical pen test.
And to take pictures of it and to put it in the report must have been hilarious.
And there was this other physical pen test that he did that also had an interesting bit
to it.
His objective in this one was to break into the building and see if he could get into
the server room. It was him and two others on this assignment. Now, these server rooms are typically
more secure than the rest of the building. It usually has a different kind of key to get in
and cameras pointed at the door and more security layers. Well, step one was to get into the building
and there was a locked door to get into the building. So they simply waited until someone
was going in, and they just went in right behind them
and just tailgated them right in through the door.
That worked.
They got in the building.
They scoped the place out,
and they figured out where the server room was,
and they didn't see an immediate way in,
but they had some ideas.
It just wasn't going to be easy.
Like, the blow-up doll trick was not going to work here.
And you could try picking the lock to get in,
but that takes a while, maybe 10 minutes or longer.
And it's just too much time to be standing there,
probably on camera, trying to force open the door.
So they got an idea to just hide in the office somewhere
and wait for everyone to go home for the night.
And so they ducked into a little room
and just waited for a few hours.
Until everybody was out.
And then the objective was to get into the server room.
And the server room was segregated from some of the other offices, basically with a locked door.
We didn't have the correct technology to clone a card.
We weren't successful to clone a card of an employee to the right type of employee to get into the server room. So we were kind of at our limit of trying to reach the objective for the test.
And so what we had noticed is that the ceiling tiles, if you look at any building,
their ceiling tiles allow some space to run wiring and air conditioning up above. And there was a small table outside of the door
of the IT server room, which had some flowers on it.
And so we were like,
we wonder if there's any gap
to try to crawl over the wall boundary.
I was probably the lowest on the totem pole at this point
with the company I was working at.
And so they convinced me to climb up into the ceiling tiles, climbed up, pulled myself up through, you know, the,
the beaming part into the, the crawl space above the door divider and crawled over. And I'd been
pretty careful to keep, you know, on the metal kind of divider parts that hold the ceiling tiles on.
And those are more stable.
They hold a little bit of weight.
But on one of them, once I was over into that area, I put my knee down on the wrong area and promptly fell through the ceiling into the server room.
Flat on my stomach, knocked the air out of me.
I kind of thought I was going to die.
I catch my breath,
kind of make sure nothing was broken.
Luckily, nothing was.
Did anybody shout,
like, you okay over there?
Yeah.
I think the response was, oh, shit.
As soon as they heard
the tile crack through.
I can't really remember because I was falling
and still on the floor, kind of dazed.
But I'm sure one of them cared about my safety at the time.
And then they were wondering if I could open the door
from the inside, which I could.
Reached the objective in the end, which was nice.
So, yeah.
He was okay.
Bruised, shook up a bit, but okay.
And he was lucky he didn't fall onto any server racks
or sharp objects.
He landed just on the empty floor.
And he was also lucky he didn't land on any computers
and like pulled out cords
or caused an outage or something.
Anyway, after that,
he was able to get into a bunch of those servers
and prove how someone can get into their servers.
And if you step back and look at it,
he essentially walked in off the street and got into the computer room and gained full access to their main systems
there. And he only broke a few ceiling tiles doing it. The customer was happy to have this report.
It wasn't a big deal to replace the tiles. And this showed them the importance of having walls
up in the ceiling to prevent people from getting in that way. Now, even though Jason has done a
few physical pen tests, the majority of pen tests he's done have been network-based.
That is, trying to get into the main website or network
by just using a computer.
One time, he was tasked with hacking into a bank.
Yeah, absolutely.
So we were contracted to do a pen test on a large bank,
a worldwide presence bank.
And we had a big contract with this bank.
And when I say we, it was me and one other tester at the time working on this project.
And one was the network and web portion of the penetration test,
and the other was their new mobile app and their mobile application.
He was tasked with examining the mobile banking app to see if
he can get any customer information or sensitive information from the app itself. Have you tried
using these mobile banking apps? Do you get a weird feeling about it like I do? Something about
having my bank details in my pocket doesn't sit right with me. It seems silly since pretty much everything else is in my
pocket, but throwing my bank account in there too, I've always been very hesitant of this.
It's kind of the same feeling of like when I was doing online shopping for the first time and I
was asked to give my credit card into a website. I was like, no way am I doing that. Well, years
later, that's the main way I shop now. But my favorite definition of the term information security is to enable
business to be conducted safely in a hostile environment. The internet is a hostile environment.
And clearly, if a bank wants to come out with a mobile banking app, they better have someone
securing this app so business can be conducted safely. Well, this is what Jason was tasked with
doing. He was going to act hostile
to the app to see if it exposed any data it shouldn't. We started doing recon on them. We
had found a whole bunch of web servers and stuff like that. And we had their mobile app.
So I understand what recon is for a physical pen test, right? We're going to Google Maps,
we're looking on LinkedIn, seeing what kind of employees there are. But what kind of recon is there for a web app pen test or mobile app pen test?
Absolutely.
So this is kind of my specialty, I would say, instead of the hacking scene.
I'm kind of the godfather of reconnaissance for web applications,
and I've written multiple talks about it.
So basically, you have to think about a company, especially a big company like this one, like a bank.
They have hundreds, if not bordering on thousands of publicly exposed web servers.
And you know of the one.
You know of www.bank.com that you log into, maybe a couple other ones.
And so you have to basically find them. And so the active recon for a bank or any big web entity is basically finding all of their assets that are connected to the internet. So there's a number of methods that you can use. You can brute force
subdomain names. So if you're looking at www.bank.com, you can check to see if admin.bank.com
exists with the DNS registrars or just trying to resolve it. And if you get a response, that means
it resolves. You can go to that web page and possibly check out sites like that.
So you can brute force different names if you have a long list of different names that could exist, which we did.
So after finding all the domains, the next step is learning what you can do with those domains.
Where are they hosted? What kind of applications are running on them? Do they have any default credentials or known vulnerabilities?
A vulnerability scanner can pick up some of this,
but it's also good to kind of look through
every domain individually
and see if anything pops out at you.
Jason was on this engagement
with another person on his team
and they decided to split the work.
Jason was going to look at the mobile app
while his coworker would continue
to look at the domains they found.
So for the first week,
I was just kind of looking at the app,
trying to figure out how it worked. And at that
time, there was a new feature of the mobile app for this bank that you could take a picture of a
check and deposit it. Oh, yeah, I've seen this feature. Instead of running down to the bank to
deposit a check, you can just take a picture of it on your phone, and the app will deposit the
check into your account. This feature always seems suspicious to me.
You just need a photo of the check, not the actual thing?
And you have to enter the amount you're depositing?
What's stopping you from depositing the same check twice or entering in whatever amount
you like?
There's lots to test here.
And there must be a whole slew of new attack vectors when a feature like this rolls out,
right? I was looking at this app and I was capturing the traffic that went from the mobile
app to the servers that took care of the processing of the image of the check. Okay, that's a good
place to start. When you send the bank a check pic, where does it go? I was proxying the web
traffic between the phone and the web server with an interception proxy like Burp Suite.
And so it's a common tool for web hackers.
It just lets you see the traffic between websites in your browser, websites in your mobile phone.
And so what it did first is it took the image of the check and then turned it into a binary representation of the image and then sent it across an API, which at the end was uploaded,
was reconstructed and put on a server. The server that it went to was an AWS storage bucket.
This is Amazon's cloud storage. So check images were being sent to this storage place.
And as Jason continued to watch the traffic, he was able to identify exactly which storage bucket on AWS these checks were stored in.
So you could just visit the backend and there was a whole bunch of images of checks just in this directory.
And so that is a little bit more of a privacy breach, right?
So are you talking about an open AWS bucket that anybody can visit?
Yes.
And because this was the first iteration of this feature,
and that was when AWS was still in its young years.
Yeah, absolutely.
It was an open AWS S3 bucket of check images.
Whoa, this is bad.
An open AWS bucket means the entire contents of that storage bucket
is available for anyone to see.
They can see everything on there.
Now,
in some cases, this is fine. Like, for instance, darknetdiaries.com is hosted on AWS, and the whole
bucket is open and visible for anyone to see. But I don't have any private data on there. There's no
user data. There's no backend database. Everything is supposed to be visible to the world. But I
don't think it's a good idea for a bank to store all their cashed checks through the
mobile app in an open AWS bucket. Anyone can see all the cashed checks. Jason was looking at these
checks and just couldn't believe it. There was about 2 million checks in this instance. So
lots of checks. And each one has your address printed on it and your account number,
which is considered somewhat private data
and the banks are supposed to protect that.
If you've ever seen the gif of like when Tiger Woods
would score like a good swing or something like that
on a golf course,
like he does the little like,
like closes his fist
and it's like a little like a fist bump in the air or whatever.
Like that's my default pen test move.
Like when I find something critical, in this case it exposed, you know, names, addresses, account
numbers and, you know, transaction history for, you know, users using this feature. So it was,
it was a decent size finding. It wasn't like the most critical ever, but it was a decent size
finding. And really the first thing is you get kind of hot and sweaty and you're like,
all right, sweet. I think I have something. This is really great. You get a little nervous because
if you've been a pen tester for a long time, you know that they're probably monitoring the network
and at any given time, you could lose access to something that's good. So the first thing you do
is take many screenshots of the traffic that you have and the vulnerability.
And so you have images for your report at the end.
So sort of doing all that,
sort of making sure I gathered all the evidence
in case I needed to prove out that it actually existed
in case a ghost patched it or something like that.
So yeah, I mean, those are the feelings.
But when you hit a bank like this,
especially one that has like a big, big name,
like it's pretty exhilarating.
And yeah, I mean, that's the whole reason
you get into pen testing is to find big finds like that.
Okay, so that's a big deal.
He'll want to tell them about that for sure
and get them to lock down access to that.
But he wasn't done testing.
This mobile app was for iPhone.
So he grabbed the app off the phone and moved it to a computer to analyze.
One of the first things he looked at was the plist file. This lists the properties of the app.
And here you might find things like server names or information where data is stored on the phone.
But as he looked through the plist file, he found some hard-coded credentials,
a username and password used to authenticate to something like an API or database.
We had found a server that had a default install of Apache,
and the manager console was open to the internet, so slash manager slash HTML.
And so we used credentials that we had found hardcoded in the mobile app, which happens all the time. People hardcode credentials in mobile app plists even to this day. And we, just on a whim, just tried it on this manager console to see if maybe the admin was the same as the service or whatever.
And it turned out it was.
So we used these hard-coded credentials that were in the mobile app
that we were able to reverse out on this website and got into that.
Aha, web admin access to the server had been obtained.
Amazing.
Now, this web server was running something called Tomcat,
which as an admin, you could upload stuff to it. So Jason just uploaded a payload using Metasploit
to it, which gave him command line or operating system level access to this web server. It's one
thing to be able to log into a website as an admin, but you gain a whole new level of power
when you can get into the operating system as an admin, which is what he was able to do at this bank. And then once you have a foothold like that, we were able to start scanning
some internal IPs that connected to that server on more internal IP space of theirs, so inside
their company, as well as see a whole bunch of transaction data and customer data on the server that we had exploited.
So it was a second really big finding.
I can't really talk about too much of it because a lot of the stuff is covered under NDA.
But it had client name, transaction data, a whole bunch of stuff on there as well.
So we had two ways to really breach customer data on their network.
This was quite the report they submitted to the client.
The bank was pretty happy that Jason found these problems, and they got the entire
mobile development team on the call and had Jason explain to them exactly what he found
and how to fix this.
They were surprised, but they all agreed this is very important stuff to fix.
We have one more penetration test story from
Jason, and you're going to want to hear this one, but we're going to take a quick break first. So
stay with us. This episode is sponsored by Vanta. Trust isn't just earned, it's demanded. Whether
you're a startup founder navigating your first audit or a seasoned security professional scaling
your GRC program, proving your commitment to security has never been more critical or more complex. And that's where Vanta comes in.
Businesses use Vanta to establish trust by automating compliance needs across over 35
frameworks like SOC 2 and ISO 27001, centralized security workflows, complete questionnaires up to
five times faster, and proactively manage vendor risk. Vanta helps you start or scale your security program by connecting you with auditors
and experts to conduct your audit and set up your security program quickly.
Plus, with automation and AI throughout the platform, Vanta gives you time back
so you can focus on building your company. Join over 9,000 global companies like Atlassian,
Quora, and Factory who use Vanta to manage risk and prove
security in real time. For a limited time, listeners get $1,000 off Vanta at vanta.com
slash darknet. That's spelled V-A-N-T-A, vanta.com slash darknet for $1,000 off.
Jason Haddix has pen tested hundreds of websites in his professional career,
and one stands out as particularly interesting.
Okay, so this one's one of the ones that is interesting.
A buddy of mine had taken on some pen-test contracts,
and he had taken on one too many.
And he basically had hit me up and said,
hey, do you want to do a Moonlight test?
Moonlight test is basically, I already have a job,
but he can give me a contracting gig on testing a site.
And I said, yeah, sure, why not?
And so he forwarded me the info for the site.
It turned out to be a pornography site,
but not just a pornography site.
It was a site that had a store for items related to sex toys and stuff like that.
It had private cam access to view live workers doing their thing.
And then also pre-recorded videos. It had messaging systems for you to chat with the cam people and
all kinds of stuff. So it was a big site. So he sent over the contract and I took it.
The funny parts about this are like, the first thing I did was I had to go to my wife and be
like, hey, you might see some weird stuff on my computer if you walk by.
It's for work, I swear.
Because there's just a lot of graphic stuff and the nature of testing the site.
So I had to give her a disclaimer up front.
But yeah, so I went through my normal methodology starting out,
and I registered to the website. And the client had really set a goal
of getting access to this one account on the site.
And so that was the goal of a majority of it,
was to get access to this one account,
which had a private picture in it.
And if you could get access to the picture,
he would have considered that a success
because no one was ever supposed to have access to that picture.
So this was a user account or a cam girl account?
It was a cam girl account with messages and pictures associated to it. So the way this site worked is like,
you could watch live cams and then pictures that you had taken kind of like Patreon or,
you know, any of those other services you could pay to access specific pictures too.
So he had set up a picture
in the picture section that he wanted
us to access and it would show that we had unauthorized
access
for one of his...
I don't know if it was a real or fictitious cam girl.
So it sounds like
security
so that nobody steals our...
Nobody gets unauthorized access to the paid content.
To the content, yeah.
He was really worried about that.
It's kind of a funny objective
because it's not like, make sure our stuff's secure.
It's, hey, make sure no one's stealing.
I guess you could see it either way, right?
You could see it like he wanted to protect
the integrity of the workers
and he cared more about the workers than the,
or like the content creators
or more than the users of the site.
But no, no, absolutely.
You could see it in the dark way of just like,
he's trying to protect his bottom line for sure.
Yeah.
So yeah, so I started creating account,
just my own account to be a content creator on the sites.
I uploaded some just random photos into the photo storage area.
There was the store as well.
So I purchased an item.
I sent some DMs.
And this whole time, I'm capturing all this web traffic through a proxy and seeing what calls get made.
And then just noting down kind of how each one happened.
So the first thing that I noticed was that when you set up your account, and it's common for some
sites to not really care about this, was that the password policy was pretty much whatever you
wanted it to be. So for this site, when you basically signed up to be a user or a creator, it was five characters minimum and no special characters or numbers required.
You could just make it whatever you want as long as it was five characters.
Okay, so a five-character password minimum is pretty weak.
But that's only a suggestion to improve at this point.
It's like a theoretical issue.
And it would be nice if he could demonstrate how
that's a real problem. If he had a list of user accounts, he could try to brute force their
passwords and see if anyone had a five-character password. But he didn't have that. Next, what he
did was he tried to see how the site handled password resets. So he initiated one. What the
site did was it reset his password and then emailed him this new password.
But he noticed the password that the site created for him was a five-character password.
And every time he'd reset the password, it was always five characters.
Well, to a hacker like Jason, he started thinking how he could use this to his advantage.
You know, basically, you could start a password reset for any user on the site,
any email address.
And I had, he gave us the email address for the account he wanted us to target.
And then you could brute force the five characters that it was using
because it was minimum five characters
and the password reset would only send us a five-character password.
And you could brute force that in about 15 minutes.
And so I went through every character in about 15 minutes.
There was a small rate limit required,
but it wasn't overly complex to bypass the rate limit.
And eventually, right away on the test,
broke into the account with the image that he wanted to
through the password reset and the weak password policy.
What's the tool you use to do that?
I did it in Burp Suite, which is an interception proxy.
But what you're doing is you're going to the website,
logging in with that email address,
and then typing in a random five-character password,
and then again and again and again?
Yep. So every combination of 1, 0,
or 0, 0, 0, 0, 0
through 9, 9,
9, 9, 9, and trying every
combination
between that number
and basically keep on trying over and over again
once I did the password reset because it
reset it from what they had chose
originally.
And so that was the first really easy one.
So, I didn't know Burp Suite did that.
Just keep trying passwords.
Yeah, so you can, in Burp Suite, they have a tool called Intruder.
And Intruder basically can capture a web request, and then you can highlight a section you want
to edit and load a list or a rule to try a whole bunch of different requests.
And so basically, I captured the request for a regular login and then highlighted the area
where the password was and then told it to try everything between 00000 and 99999.
And it just ran all of those requests,
added a small little wait in between each one.
And then eventually, you know which one hits when there's a different response type from the server.
So you just wait until you see the different response type from the server.
Well, that was easy.
He was able to gain access to the account that he was asked to try to get
into. And this is fascinating to me because by and large, this is the top thing I get people
asking me to help them hack. I am constantly getting hit up on my DMs of people wanting me
to help them hack into something. And I'm like, oh, what are we going to do? Hack into a bank or
free someone from prison? And they're like, oh no, sir, I need you to hack into my girlfriend's account
on social media.
There's always a ton of people
who are trying to get into someone else's account.
And here's a rather easy way
to just get into anyone's account on this porn site.
Reset their password, then brute force it.
It's just a five character password
and it'll take 15 minutes to do.
Imagine taking over the accounts
of the top earners on this site.
I mean, what's interesting is that
password complexity is a really touchy topic
for websites, right?
Your bank obviously has password complexity
and makes you add special characters
and minimum number of characters and stuff like that.
But content sites that basically,
they don't deem access to your account super private,
or they deem it private,
but they want the least amount of friction
for users to get into their account.
Sometimes they choose this on purpose.
And when we talked to the guy on the out call, which is several steps ahead because we did many
other things to the site. But when we talked to this guy on the out call, he knew that the password
complexity was weak and he had kept it weak on purpose because it offered less friction for his
users to get into their accounts. So it was like a purse whistle thing. And so he ended up having
to change the complexity
of the password requirement for users and for content creators, and then also had to change
the flow for the forgot password as well. So it wouldn't just set one. It would give you the link
like normal sites do and then send you to a page to change your own password to something you want
to set it to. Okay, so if you can reset the password
and take over any user account on this site,
which user should you take control over next?
We found our guy's admin account as well.
It was literally admin at thecompany.com.
And we reset his password and logged in to his account,
which had super user access as well.
So we could see pretty much the back end of the site as well from a management point of view, which was really interesting because he had way more functions available to him than anybody else.
I mean, he would see that his password was reset.
That's strange.
I didn't do that.
Not if you do it at 3 a.m. his time.
So he did?
Yeah.
Yeah.
Yeah, so you do it.
You know, we waited until late at night.
So, yeah.
Tricky.
Yeah.
But that's what you got to do.
That's what you got to do, yeah.
He also found a pretty clever bug about uploading images.
This site allowed users, especially cam girls,
to upload content. And Jason made an account and uploaded an image and watched how the server
handled it. Well, it tagged him in the upload request. And so he tried to upload another image,
but this time tagging another user to see if that did anything. And the server took that as another
user has uploaded this. So he found a way to upload images to other users' accounts on the site, which is interesting.
I mean, you could deface someone else's account this way, putting all kinds of images and stuff on their account that others would see when they visited it.
We had found a couple of cross-site scripting bugs. And then we had also managed to accomplish
seeing the paid streams for the users
without paying for them.
You could look at the source code of the HTML
when you were attempting to look at somebody's paid stream.
And normally you would click a button
and pay with your credit card to access the paid stream.
And there was a parameter in there called debug
that was set to false. And when you set it to true, you were able to access the stream without
paying for it. And so that was another way that we could bypass the paid nature.
So at this point, we could reset anybody's password and take over their account.
We had access to the backend admin site. We had cross-site scripting.
We could view streams without paying for them.
We pretty much had everything that we kind of thought.
But then also in the store, we had been working on the store.
And towards the end of the week, we had found that there was an SQL injection bug that allowed us to dump the complete database purchases and credit card data for everything that had been ordered on his store that was associated to the site, which is not only just sensitive because you have credit card data,
but also sensitive because these are very sensitive purchases, very sensitive nature. So we had all that transaction data as well. So that was that test. And there's a lot of
things I learned from that test about that industry and stuff like that. It was really interesting and cool.
Sounds like this site had a lot of security problems. And you might not immediately think of why it's so important to secure a porn site. But one of the other things that this site allowed users to do was hook up with each other.
And it's reminiscent of this scandal.
A major hack tonight is threatening to expose embarrassing information on millions of people around the world. They all signed up for a website named Ashley Madison, which helps married people find people who want to cheat with them.
This was a news clip from CBS Los Angeles.
The site Jason worked on was a competitor to Ashley Madison.
And he did this pen test just before Ashley Madison had their breach. If it wasn't for Jason finding these
security issues, this site could have easily been the story on everyone's nightly news.
And the reason why that story was so scandalous was because it was very embarrassing for a lot of
high profile people who were found to be users on the site.
In fact, I believe two people committed suicide for having their details exposed in the Ashley
Madison breach. So it's wild to think how Jason may have really saved not only the reputation
of this company by detecting these bugs before someone else did, but also potentially saving
the lives of some of its users, maybe that's
a stretch. If you were
Jason in his early 20s on ShadowCrew
and you looked into the future
with a crystal ball and you saw Jason doing that sort of
stuff when he's older, I wonder
what young Jason would have thought.
I mean, he would have thought it was pretty cool,
honestly.
He hadn't had
years of professional experience though like to temper
his excitement and do bad things. So, um, yeah, I mean, it's an interesting perspective. You're looking
back at that young Jason. Young Jason's doing dumb stuff. But young Jason looking up at older Jason,
older Jason's doing really cool stuff. Yet young Jason thinks he's doing cool stuff.
Yeah, absolutely.
And it's weird to think that young Jason thinks
young Jason is cool and old Jason is cool,
but old Jason thinks old Jason's cool,
but young Jason's not.
Yeah, that was a lot of Jason.
But yeah, absolutely.
Absolutely true.
I'm lucky I have that perspective now though. Right. And got
paid well for that test. So, uh, yeah, I mean, it is really like, I hate to be a shill, right. But
like penetration testing and security testing nowadays and having all of the protection we have
and like being able to do it as a job is one of the most coolest fucking jobs that you can have.
I'll never get over it.
A lot of people talk about like, you know, like, oh, you graduate out of it.
I don't think I will ever graduate out of wanting to pop systems in some way.
So, yeah. A big thank you to Jason Haddix for coming on the show and telling us these stories.
You can follow him on Twitter.
His name there is J-H-A-D-D-I-X.
This show is made by me, the slow poker, Jack Rhysider.
This episode was assembled by Tristan Ledger and mixing done by Proximity Sound.
Our theme music is done by the Abnormi Breakmaster Cylinder.
The only dates I get these days are updates.
This is Darknet Diaries.