Darknet Diaries - 149: Mini-Stories: Vol 3
Episode Date: September 3, 2024In this episode we hear EvilMog (https://x.com/Evil_Mog) tell us a story about when he had to troubleshoot networks in Afghanistan. We also get Joe (http://x.com/gonzosec) to tell us a penetr...ation test story.SponsorsSupport for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.
Transcript
Discussion (0)
There's some really incredible scam artists out there.
And I mean top tier ones.
And those ones really intrigue me.
One of my favorites is a guy named Victor Lustig.
Well, that's not his real name, but that's the name he was famous for.
This guy was going around scamming people in the early 1900s.
And there was one scam he did where he got $32,000 in Liberty Bonds together
and went into a bank to trade them in. And the bank offered him $10,000 in Liberty Bonds together and went into a bank to trade them in.
And the bank offered him $10,000 in cash and some farmland,
and he took that deal and signed all the paperwork.
But just as he was about to leave, he did some sleight of hand
and switched the envelopes and walked out with the cash and the farmland
and the Liberty Bonds that he walked in with.
The bank did not like this and called the cops on him,
who caught him in Kansas City.
But he convinced them that if they pressed charges, then the story would get out and it would be terrible for the reputation for the bank.
Customers wouldn't want to use a bank that's this careless with the deals they make.
He was so good at convincing them of this that the bank dropped the charges and gave him a thousand dollars to not tell anyone and keep
the story quiet. But the most brazen scam that Victor Lustig did was when he went to Paris.
The Eiffel Tower was built for the 1887 World's Fair and some thought it was going to be a
temporary structure and by 1925 it was needing repairs. Victor leaned into this and called five
scrap metal companies to come meet him at a fancy hotel in Paris.
And he said he was a deputy director with the French government
and even had fancy stationery to prove it.
And he told them that the maintenance of the Eiffel Tower was becoming too high
and they were looking for a company to dismantle it and purchase the scrap metal.
But he also said this deal needed to be hidden from the public to avoid controversy.
And one of these companies was eager to take the deal
and ended up paying Victor a large sum of money.
And yeah, as soon as Victor got the cash,
he immediately fled the country and left France.
He sold the Eiffel Tower.
But he kept a close eye on the news back in France
to see how much trouble he'd be in.
But the news never reported this.
I guess the guy he scammed was too embarrassed to report it to the police. So Victor thought, this was such a great scam. Why not do it again?
So he goes back to Paris to try it again. I mean, why let all that fancy stationery go to waste,
you know? So he called five new companies in to pitch them too. But one of them saw right through
the scam and called the cops.
Victor saw the cops were coming for him,
and he narrowly escaped, this time fleeing all the way to the United States.
Amazingly, when he got to the United States, he scammed Al Capone
and later tried to make counterfeit money,
which is how he got arrested, by making fake money.
But funnily enough, when he was arrested,
he was put in the same prison as
Al Capone.
What a wild guy Victor Lustag
was.
These are true stories
from the dark side of the internet.
I'm Jack Recider.
This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of delete me.
Delete me is a subscription service that finds and removes personal information from hundreds
of data brokers websites and continuously works to keep it off.
Data brokers hate them because delete me makes sure your personal profile is no longer theirs
to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy. Take control of your data
and keep your private life private by signing up for Delete Me. Now at a special discount for
Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to join deleteme.com
slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to join delete me.com slash darknet diaries and use promo code darknet at checkout.
The only way to get 20% off is to go to join delete me.com slash darknet diaries and enter
code darknet at checkout. That's join delete me.com slash darknet diaries. Use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information
Security world-class in security training. You can learn things like penetration testing,
securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
So what should we call you?
Evil Mog is fine.
Okay, we'll call you Evil Mog.
How do you get that name? Where does that come from?
So it's funny. I'm a glider pilot.
And so the first aircraft I ever flew was CF or CG Mog.
But it also happened to be a Final Fantasy character.
The problem was I had that as my gamer handle for years.
And then I met Matthew O'Gorman at DerbyCon, and he had the same initials.
And so we decided to do Deconfliction
and because he had the name,
I figured I'd change mine to be Polite.
And so I became EvilMog
and that was my IRC handle from thenceforth.
IRC, I remember those days.
We were young then.
Did you do any stupid things when you were young on IRC?
Yeah, so I was kind of stupid
and was doing a fair bit of online piracy,
freaking, a little bit of other various things.
And back then, it was fairly easy to trace people
because, you know, young, dumb, and stupid.
And so, you know, I get this kind of stern knock on the door.
A stern knock sounded urgent and menacing.
He opened the door and saw the police were standing at his front door.
And they're like, we know everything you've been doing.
You have a choice.
You either stop now and play good, or we either put you in juvie,
but Canada's prisons are kind of crap for kids.
Or we can just get a technology ban on you that'll last until you're 30.
You'll never get a job in technology.
I'm like, yes, sir.
I'll be good, sir.
Here we are, sir.
And kind of off we went.
Okay, so hold on a second.
I've pirated, and I've done some freaking.
The cops never came to my house.
It sounds like you might have done more than that
or went over the line.
I might have done a little bit more than that.
Just a little bit.
So you remember back when the early credit card numbers
had a specific way of validating that they were legit?
I was publishing bogus credit card number generators
that only sort of worked half the time on local BBS systems.
Did they work at all?
Because I can't even imagine this work. They wouldn't work for authorization, but they'd work for input
validation on websites to like,
you know, hey, let's go pop on
to, let's say, the early porn sites, for
example. They'd get you enough to get your free
trial, and then they'd mysteriously error out.
When I was a teenager, I didn't understand how credit cards worked at all. Like in my head,
it just seemed like 16 random numbers. And if you knew those 16 numbers, could you buy stuff?
So I thought, okay, let's test that theory. And as a teen, I went to a website, put in 16 random
numbers just to see what happened.
I thought if it worked, I'd have no idea whose number I just used. And I could just say I typed
the wrong number if they asked me. But no matter how many 16 digit credit card numbers I put into
a website, it never worked. Every one was an invalid number. Apparently, it's more complicated
than just that. There's that whole LUNS check, right?
There's some math behind it I'd looked up
because I didn't have the generator quite right.
Some of the check sums didn't match,
but most of them kind of did.
It was enough that it passed like a cheap regex,
but that's about it.
Eva Mogg loved flying planes when he was a kid
and signed up for junior glider classes
taught by the Canadian military.
I was a cadet back when I was younger,
from 12 to 19. I got my glider back when I was younger, from 12 to 19.
I got my glider license before I learned how to drive a car.
From there, he joined the military and taught other kids how to fly gliders.
But his other passion was computers,
and the military was offering to pay his training to learn more about computers.
So I had an option to go back to school, went back to SAIT as a network engineer. Did six months of CCNA,
MCSA,
Linux LPI 1, level 2,
level 3, that kind of stuff.
And that's what kind of restarted my career
when I was in my early 20s.
So you spent four years in the military,
and then went to work for IBM.
So basically,
I got the phone call from my friend
to go over to Afghanistan, and he said, there's this company called Network Innovations. And basically, I got the phone call from my friend to go over to Afghanistan.
And he said, there's this company called Network Innovations.
And basically, what they do is they run the morale voice and internet services for the Canadian forces.
So what that means is you have soldiers calling their families back home from the big super fobs or the small little remote outposts.
And so he's like, hey, do you want to go over for six months?
And I'd already released from the reserves at this point.
I said, yeah, sure, let's go over.
I had nothing else to do, and I wanted some money,
and it was all tax-free, so I had to play it over.
So hold on, it's not just like going over to France.
Afghanistan, there was an active war zone, wasn't it?
It was, yeah, it was totally.
Regional Command South in 2008 was hot, to say
the least. I wanted
to do something useful. I always kind of did.
And my parents were like, you're not
going over. I'm like, sorry,
I'm going over. I want
to pay off some debts, and I want to go do something
good for
the folks that are over there.
Did a little bit of pre-deployment training.
Nothing much. Just here's how to wear a gas mask,
here's how to put on a bulletproof vest,
and then here's a whole whack load of vaccinations.
Then all of a sudden, there's some kid from the sticks
out in the middle of the active war zone.
So even though he was military trained,
he was in the war zone as a private contractor,
and his job was to go to Forward Operating Bases, or FOBs, to work on the network there.
There's satellite, there's microwave.
Basically, these people need to be able to contact family or else they're going to go nuts.
I mean, it's like being stuck out in the middle of the bush for six months.
So my world was just morale voice.
The Canadian forces handled all the tactical and all the operational.
My entire mission was making sure people could call their families.
These fobs were often on the front line of the war zone in Afghanistan. It's dusty,
war-torn, and weathered. Computers don't like these kind of environments because they're
delicate and fragile, not rugged and battle-ready. So he was constantly being sent to troubleshoot computers
and networking equipment that was breaking in war zones oh i'd set it up as well like say for
example we'd have a new site and they're like hey we need to get you know fob whatever the heck
back on or online they'd send me out in the back of a convoy with a little pelican case with say
here's a tiny little bn terminal, which is a small mini satellite,
or in the case of a larger FOB, here's a bunch of pelican cases with an auto-acquire satellite dish.
You'd go roll out, set up the SATCOM dish, hook it into a couple of laptops and a router and a switch,
a little tiny PBX system, etc. And then do a couple phone call tests to make sure everything works. That was all she wrote.
They set up this comm shack inside a 40-foot long cargo sea container.
And he'd go base to base, setting up or fixing the networks inside there.
And there was never a dull moment.
I roll it on site. I'm in the middle of doing a repair.
All you hear is the siren.
And then this crappy British voice they used used because they all had the same recording.
Rocket attack, rocket attack.
And that's all you're hearing.
You know, you bunker down in between a set of HESCO barriers,
which are basically just a bunch of gravel, some concrete,
a bunch of chicken wire all around.
You just hunker down in place and you sit there, chill out,
wait till the shelling stops.
You get up, see if there's any damage and get back to repairing the equipment.
So what kind of damage had to this equipment?
Thankfully, it missed us, but one landed in the poop pond.
That was terrible.
One landed and took out a recreational facility.
He says the equipment in this area would only last six months because it would get full of dust and just not last very long because of the harsh desert environment.
And one day, he got word that one of the comm shacks got rocketed at another base.
One of the rockets landed. It took out the satellite dish. It took out one of the comm trailers, and it took out a bunch of the cabling. These guys were down for about a week.
His orders are to travel there and get it back online.
Traveling to these fobs takes days or weeks to get to them.
I'd get out there, and thankfully I was smart,
and I pre-sent all the gear I needed on a convoy ahead of me.
There's this broken down, destroyed crater, effectively,
where the old piece was.
I come up and there's guys, basically giant bulldozers
and heavy equipment moving the old gear out.
The gear inside is just completely toast.
Meet up with the local sergeant who's like,
hey, we're putting your new gear down right where the old one was,
dropping this new sea container in.
What do you want to do with this old thing?
I'm like, take it back, salvage it, destroy it.
We don't really care. Use it for training.
You wire up the new SATCOM.
You're calling on to your folks out of the UK going,
hey, do you see my bird?
Yeah, we're locked on. Here's the activation.
Boom, new terminals are online.
You've deactivated the old accounts.
You do a couple plugins, test the new laptops.
And then there's already a lineup around the block of folks
who haven't gotten their email in like a week and a half, right?
And so all of a sudden, you start running them all in.
They're all nice and happy.
You run down to the chow hall.
You munch whatever warm food they've got.
You stick around for a day or two for troubleshooting,
and then you call your boss on the defense service network,
hey, can you guys get me a helicopter out?
They're like, sorry, man, all the birds are tasked.
So finally, you head yourself down to the talk
at the tactical operations center.
You introduce yourself, like, hey, when's your next convoy out?
If you're lucky, they send you out on a combat patrol,
which are way faster and less annoying than a convoy
because it's one or two vehicles and it's a little more comfortable.
If you're not lucky, you're crammed into the back of this armored personnel carrier
that's hot as balls wearing body armor in the heat
and yet take your eight hours to go 100 you know, 100 kilometers to get back home.
I also, I don't know why, but I'm picturing of you, like,
climbing up a tower, adjusting, you know, getting a spanner
on a satellite dish, adjusting it and getting, like,
shot at from up there and being like, hey, it's coming from that hill.
Get me covered.
I mean, that kind of has happened.
Not nearly as extreme, but have you ever tried to repair 200
pairs of Cat 5
in a sandstorm from
100 feet up in the air?
100 feet in the air? What's up there, anyway?
I was at Comtower. I had to go
there was this one bridge spot, because
most of the stuff at CAF was all underground,
but we had this one spot that was
basically all hooked up to a tower
because of the way this one extension went.
And so we had an outage.
Someone drove a piece of equipment through the cables
and so I had to go up and resplice all this outdoor cable
and I'm up on this tower and all of a sudden it's a sandstorm
and I'm like, oh no.
I can't work on this cable with gloves on
because it doesn't...
You ever tried twisting and terminating cable with gloves?
It just doesn't work.
So I'm getting blasted by sand
in this whiteout condition trying to terminate
because I'm not going to try and glide down the tower.
It's just not going to happen.
I'm hooked in there, ready to rock.
I got 30, 40 cables done before the sandstorm ended and then finished off the rest of the job.
So one of the things we did, in addition to making sure people call their families back home, is we ran a video teleconference unit.
And so people could see their families back home.
We found out one of the guys coming out of a FOB,
his convoy got bumped.
Now, bumped is a polite word for saying hit by an IED.
Thankfully, in this case, nobody died.
Thankfully.
Like, thank whatever data you believe in.
But it really shook this guy up.
Like, shook him up seriously fierce.
Yeah.
So, I mean, let's highlight.
There was a lot of deaths there.
Thankfully, because you were seeing that
around, weren't you?
The worst thing we had to do was every time somebody
died, we had to kill
all of the communications in theater,
including all the forward operating bases
and the super fob.
It was known as a calm lockout procedure.
We had a cell phone on. The second somebody
got confirmed casualty,
I got the phone call,
I hit the buttons,
and then I got to release it once they
notified the families.
So why is there a lockout?
It's so that people don't put things
on social media or get out
to the news articles before they
can notify the families.
It was one of the worst things ever.
Cause you're being on that phone call.
You're like,
shit.
Yeah.
You feel all sorts of terrible feelings and then you have to go act like a
professional,
cut the comms off.
And then when people are like,
Hey,
the internet's not working.
Like you gotta give this nonchalant comms lockout,
but still be like sympathetic about it.
And when you say comms lockout,
everyone in theater knew what you were talking about.
But it was one of those...
It was a weird, solemn duty
I had to do, you know what I mean?
Yeah, I mean, you weren't the one telling the families.
Nope, but I was killing the comms
and telling all the soldiers,
hey, why can't I call
family back home? Like, sorry, man, comms are offline due to a comm lockout. Yeah, and now all the soldiers, hey, why can't I call family back home?
Like, sorry, man, comms are offline due to a comm lockout.
Yeah, and now they're saying, oh, does that mean there's a confirmed casualty?
And now you got to answer these questions.
Yeah, and then my answer is like, I have no idea, man.
I just work here.
IEDs are super scary.
You're just driving along, listening to tunes, telling jokes to the other soldiers,
and then out of nowhere, boom,
your truck runs over a mine and blows up your vehicle.
It often kills people,
and it's certainly enough to freak anyone out.
And while this IED didn't kill anyone,
one guy was really messed up from this.
He wasn't injured.
He was just shocked, really badly shocked.
Getting hit by an IED,
even if nobody gets injured in the
process, is enough to
send someone to spirals.
You get that whole mental, oh my god, what if
this had been me? What about the possible
guilt? All that kind of thing.
And the guy was
in really rough shape mentally.
So they originally asked,
could you give us some extra phone minutes and phone time?
That's how the request came in.
And us being us, we've got, yeah, here's a couple,
here's a couple hundred minutes to go hard.
And we're like, hey, is there anything else we can do?
And his guy's like, well, he's doing pretty rough.
Evil Mog starts talking with people,
trying to figure out what more he can do.
And that's when he found out
this soldier was about to be a dad.
His kid was due to be born any day back in Toronto.
And this gave Evil Mog an idea.
And I'm like, dude, we got to do something for this guy.
So thankfully, they had people on the ground in Toronto.
And I'm like, like hey can you go
spring over to cfb trent and go grab one of our spare um video teleconference units and get it
out to the hospital i'll do whatever it takes to requisition bandwidth just get me this stuff out
there i figured out we had some spare bandwidth available so i like slowed down everybody's video
teleconference and voice services and their wi-Fi a bit, and opened up an entirely new channel.
Because all we had was six megabits for a thousand people.
Almost no bandwidth whatsoever.
And so I was like, hey, you know, line this up.
I'm going to reserve you bandwidth for the next four or five days.
He learned that the wife was already checked into the hospital and was starting to give birth right now.
So he's calling Toronto to try to figure out how to contact the wife was already checked into the hospital and was starting to give birth right now. So he's calling Toronto to try to figure out
how to contact the wife at the hospital.
And so then we had to go contact their visitor unit,
say, hey, do you guys have enough bandwidth
for us to go get you video teleconference?
And thankfully, they had a really decent tech there.
He's like, well, actually, we can make some things happen.
What do you guys got for equipment?
Were you talking to the tech at the hospital?
Yeah.
Wow.
Okay.
Trying to coordinate this from halfway across the world is kind of interesting.
Exactly.
Yeah.
So you're saying, all right, here's the equipment I have.
Here's what you have.
Let's make a final common denominator.
I think we can connect these two things.
Exactly. Right. So they make a final common denominator. I think we can connect these two things. Exactly, right?
So they were running on Tanberg.
We were running on Tanberg.
And we made the gear all work out.
I popped onto the load balancers on our side.
So tell me about the tech side.
So did he put a computer on a cart and then wheel the cart into the room?
No, it was a TV on a cart with a Tanberg video teleconference unit.
Which is meant for doctors and nurses.
It's not meant for patients.
Yeah. He just threw
this on the thing. They wheeled her in. They plugged
her right in next to the
woman's bed there.
We swiveled the webcam over.
He managed to get us a public IP so we
could do remote control of it. And then, yeah,
we just set up the communication channels and off we went.
It was actually running rather well.
Okay, so you're like, oh, okay, cool.
You got it set up.
All right, I'll be right back.
Let me get the guy.
Yep.
I talked to Steve.
Steve called the guy's unit commander.
Unit commander called his section leader.
They pulled him out.
Said, look, you're to report to building 026 Bravo on Kandahar Airfield.
Show up here.
We're like, hey, man, we got a surprise for you.
Wheel him back out there, plop him down in one of our spare rooms that we had rigged up into this 40-foot sea container.
Plopped down a chair, made it comfortable.
You know, said, here's our little care package.
Here's some Kleenex.
Call us if you need anything.
And do you remember his face
when he saw his wife?
We weren't even looking.
We gave him his privacy.
Yeah.
I remember
how he was afterwards,
though.
After he saw his wife,
he walked in,
he was all doom and gloom.
This is going to sound
stereotypical,
but that thousand yard stare,
like you've seen some shit.
And then the guy,
you know,
right afterward,
I saw life in his eyes.
Yeah.
So that's how I knew we did a good thing.
Yeah.
I mean,
how do you think you impacted his life?
I mean,
from what I've been told,
the actions taken the first couple of days
after a major incident are the most critical.
And I think by giving him that level of support immediately,
I think I changed the guy's life way for the better.
I mean, they were talking originally
about having to discharge the guy.
From what I heard, he'd stuck around
another five, six years before he finally just
released and went off and doing something i can't remember what he's doing now but i think i've you
know changed the life of the better so i'm good with that yeah i mean it's it's also very possible
that you saved his life because i could have there's you know coming out of PTSD or getting affected that badly by it,
you can easily end your own life.
Exactly.
I like to think we saved a life there.
And no matter what I do in life,
I think that's the coolest thing I've ever done.
To me, this right here is the quintessential Darknet Diaries story
because of where I found it.
I went to DEF CON and I was invited to the Microsoft party and I sat down at a table to chat with people.
And that's where I met Evilmog.
And he was there telling us the story and I was so captivated by it that it made me cry.
And my goodness, to be at some DEF CON party and to hear a story so moving that it makes me cry that's one
reason I started this show I imagined in my head while I was listening to evil mom tell me that
story that I saw you across the room and I was like over here you gotta hear this story and I
brought you in to eavesdrop on these inner circles to hear the untold stories that are only shared
in intimate and private spaces that are all over the hacker culture, but are hard to find.
I love these chance encounters.
It's like finding a hidden path in a familiar landscape.
I hope stories like this fill you with the same great feeling I get when I hear them in person.
I have such a fun job.
I'm so grateful.
Okay, we're going to take an ad break here,
but stay with us because we have a new guest to tell us a new story after the break.
This episode is sponsored by SpyCloud. With major breaches and cyber attacks making the news daily,
taking action on your
company's exposure is more important than ever. I recently visited spycloud.com to check my dark
net exposure and was surprised by just how much stolen identity data criminals have at their
disposal. From credentials to cookies to PII. Knowing what's putting you and your organization
at risk and what to remediate is critical for protecting you and your users from account Thank you. your company's exposure from third-party breaches, successful phishes, or info-stealer infections. Get your free Darknet exposure report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
All right, so let's start out with who are you and what do you do?
Yeah, my name is Joe Sarkisian.
I work for Wolf & Company PC out of Boston.
I do penetration testing of all kinds, internal, external, Wi-Fi, social engineering, advanced security assessments, things like that.
So we have a client, not a big company, maybe like 20 people, and they contracted us to do your average assumed breach pentest, so to speak.
So we're on the inside, we're given access.
What would happen if somebody gets in there?
So we send them a remote Dropbox, a little Raspberry Pi that we send them,
they plug it into their network, and then we connect to that remotely.
And it's kind of like we're sitting there in person.
We've got on-the-wire access at that point on a subnet that they put us on.
So I begin the test. Typically, and here's the funny thing, is you'll look at pen test
frameworks. You should start here. You should do this. You should do that. I would challenge
you to find a pen tester that doesn't fire up Responder the second they get on a network and
try to get creds and be off to the races as soon as humanly possible, because that's what we do, quite frankly, on a lot of tests. So that's what I did
there. Okay. Responder is a pretty clever hacking tool. It's free to get. It's just a Python program.
And how you use it is you just start it and wait. Now, the thing about Windows computers is that
they always want to try to join a domain and connect to shared drives on the network.
And so if a Windows machine wants to connect to a shared drive,
it will try to get to that host directly.
And if it's there, it'll connect to it just fine or whatever.
But what does the Windows computer do if it can't find the shared drive that it's trying to connect to?
Well, it wants to connect to it very badly,
and it will try another way. It might ask the DNS server, hey, do you know the IP address for
the server I'm trying to get to? And the DNS server might be like, yeah, I got that. Here's
the IP right here. And then the computer might be like, that's the same IP I have, and I already
checked. That one's not online. So then if the Windows machine still can't find that shared
drive that it really wants to connect to, it then sends a broadcast message to all the computers on the local subnet, saying, hey, I'm that shared drive you're looking for.
That's me.
You found me.
I'm here.
And the Windows computer is like, oh, thank goodness.
I've been looking for you everywhere.
I'd like to connect to you.
And Responder is like, sure, of course you can connect to me.
But you need to authenticate first, yeah.
And the Windows computer is like, oh, yes, of course.
Okay, here's my username and password.
Now, Microsoft takes your security seriously.
So it doesn't actually send your password over the network.
Instead, it sends a password hash.
And since Responder is this dirty little liar on your network,
it snatches that username and that password hash
and gives it to the penetration tester or hacker who's running
the tool saying something like hey someone just tried to connect to me using this username and
this password hash here you go typically responder only works against computers in the same subnet
as it so if you're in the same subnet then yeah responder is an amazing tool at finding usernames
and password hashes now a password hash is not the password.
It's a gibberish set of characters that you get when your password goes through an algorithm.
And the thing is, in some cases, you can crack this hash to get the password.
And a common method for cracking passwords is brute force.
Take the top one million most common passwords and hash them.
And then see if any of those hashes match the password hash you just got.
And if so, you found the password.
Exactly.
So we use something called Hashcat.
We'll take that hash.
We will plug it into hash.
Tell me about this.
So to crack that, that's not on the Raspberry Pi
because the Raspberry Pi doesn't have the GPU cycles
to be able to throw a billion passwords at that thing
and try to figure out which one it is.
What's your method for cracking it?
Well, that's the scary thing.
Our method is the same thing that any bad guy
all around the world can do.
We have an Amazon account,
and we can spin up Amazon EC2 instances.
So what we do is we spin up these Tesla GPUs on an instance.
We have a couple of them.
And we will take that GPU power to just blow through password hashes
as fast as we possibly can based on that power.
It's going to be a lot faster than you have a Raspberry Pi or your local PC,
unless your local PC has a ton of graphics cards in it, which ours does not.
So yeah, we do that all in the cloud. or your local PC, unless your local PC has a ton of graphics cards in it, which ours does not.
So yeah, we do that all in the cloud, relatively cheap,
not super expensive to get done.
And usually we get results pretty quick within the first couple of hours.
Okay, now what's your kind of success rate on getting one hash and being able to crack that single hash?
I'm going to go 90 plus percent.
That depends. If we've been there before and they took our recommendations, I'm going to go 90 plus percent. That depends.
If we've been there before
and they took our recommendations,
it's going to take a lot longer.
It's going to be a lot harder.
But when they don't...
A different question,
which is kind of in the same realm,
is suppose you have the entire AD database of hashes.
What percentage of passwords
do you think you're going to crack out of that?
So we will
probably get
on average, I would say,
and again, whether we've been there first
or not, they're taking recommendations, we'll probably get
50 to 60% within
the first four hours.
So he's basically trying billions of passwords
to see if any of them match this hash.
Of course, the longer that his hashcat tool runs,
the more passwords are tried.
And so they might start with the top 1 million most used passwords
and then try making slight modifications to those,
like putting a 1 at the end or capitalize the first letter.
Maybe add in their own word list, such as the company name
or mascot or city or address or person's name or kid's name.
If no luck there, then address, or person's name, or kid's name.
If no luck there, then try every word in the dictionary, but add numbers to the end of it, and maybe mix it up a little bit, and see if that works.
And just try tons of combinations.
And pretty much all the stuff I've listed so far probably only takes like a few hours
or less.
Now, after the tool has tried all this, it just then starts going through every single possible character combination
in the world, such as AAA, AAB, AAC, AAD. So this combination of finding a username and password
hash from Responder and then trying to crack it in Hashcat could take hours or even days,
since it's about waiting and timing and maybe brute
forcing the password. So in the meantime, he's looking around the network to see what else is
there. A good place to start is Nmap. Nmap is a basic tool that you can use to quickly scan the
network to see what's there. It'll basically ping every IP address in the network to see what
responds. And if any do, then it'll try to see if that host
has any open ports. Then
Nmap will spit out a report saying
here are all the computers on the network that I
found to be alive, and these are their open ports.
Exactly, yeah. So we'll look for
default passwords places.
We'll look for
null sessions on
host, right? Can I access this host
without a username or a password? Can I just get in there, maybe on a domain controller? Can I access this host without a username or a password?
Can I just get in there maybe on a domain controller?
We still find this.
You're able to, quote unquote,
authenticate to a domain controller as nobody
and start enumerating the domain.
Now, if you can do that,
you can get a list of users from a domain controller, right?
And then take that list of users
and start password spraying against that domain controller with that list of users, common passwords, right? And then take that list of users and start password spraying against that domain controller with that list of users
common passwords, right? And then maybe you get a hit on password
2023 exclamation point, right? Or a company name 2023
exclamation point. Crazier things have happened. So there's a lot of stuff
going on at once. He's got these background tasks running to try to get more
usernames and hashes, and he's also trying
to crack the hash he's got.
To this day, I've been doing this, I don't know, about five
years now. To this day,
whenever I see that first hash flashing
yellow across my screen when I'm on a pen test,
I still get a shot of adrenaline.
It's just like,
here we go.
Boom!
He cracked the password. Yes.
But who is this user?
Are they just like a low-level user?
Or are they a system admin?
He has to find out.
And to do that, he logs into a computer on the network to see what his access is.
And it's a normal user with no special privileges.
So now we have domain access as that user.
So typically what we'll do, we'll look for some basic privilege escalation opportunities.
And at the same time, we're looking for data.
So let's say we're kind of poking for both of those things.
We want to prove that risk, that this basic user maybe has access to some data that they don't need access to.
And if a bad guy gets access to this account as that person, they also get access to that data.
And that's something you need to work on.
So as we're rooting through file shares,
what does this person have access to?
We find this host
and it's like a Windows 10 host.
And we have access to a couple of shares on this host.
And we're rooting through,
typically we're looking for things
that are called like password.txt
or SSH, this, that,
or the other thing, or SSN.
We're looking for data
that's going to prove a problem for the company.
So I'm looking through,
and I find this folder
called, I believe
it's called MPEGs.
So I'm like, that's interesting. I don't typically
find something like that. Just a folder called MPEGs. So I'm like, that's interesting. I don't typically find something like that.
You know, just like a folder called MPEGs.
That's different.
I'm just curious what's in here.
So I look in, sure enough, there's a bunch of MPEG files.
I'm like, okay, that's interesting.
There's like maybe four or five of them.
So I download one of the MPEG files.
I get it locally and I'm like, oh, let's watch this file.
I open it and I see a camera feed. And the camera is just on a desk facing at someone's
kind of where they would sit, right, in front of the computer. And I'm like, that's weird.
You know, why would anybody put a camera on their desk? Right? That's just strange. What are they
recording? Doesn't make any sense.
Well, maybe there's something else to this.
I download the second one, because they're going in order, 1, 2, 3, 4.
I download the second one. It is the
same camera.
It is the same desk.
And this time, the camera is
underneath it.
And it was a
lady's desk I found out later. The way the camera was angled was,
yes, at their, you know, the front bottom half of their body. Let's put it that way.
Let's just say it was an inappropriate place to put a camera in an office if that lady wasn't
aware of it. Joe knew that what he was looking at was potentially going to get someone fired.
So he had to proceed with caution here.
So,
I see this, and now I'm like, oh god.
Like, everybody, every pen tester
has that, like, feeling
that, like, sooner or later, they're gonna
get this moment that is something like this.
Like, if you find, like, the proof
that somebody's stealing from the company,
or you find pictures you shouldn't,
or whatever it may be.
And this was the first time that I had found something like that,
and I was just awestruck at first.
My head starts racing, like, what do I do about this?
And so the first instinct was pick up the phone
and call my point of contact immediately.
The problem with that is, this is a small company. I don't know anything more than
this point of contacts name and the fact that I worked with them year over year. I
don't know what he does personally. I don't know what he's into. I don't know
if he's the person that put this camera there, but he's the only point of contact I have, right? So he's the one I'm calling. So I pick up
the phone and I get on the phone. I tell him, hey, just so you know, I found under the desk camera
footage of, and then he cuts me off completely and says, stop right there, I'm calling HR. And at that point, I had kind of this wave of relief over me
because at this point, I'm like, okay, well,
he's probably not the one that put it there
because he's wanting to call HR immediately.
So HR gets on the phone, I explain it to them,
they say, thank you very much, and that's the end of the call.
It's interesting to stumble upon this
as a security consultant since it's not
really a network security issue.
It's more of a see something
say something issue. Do you even
put this in the final security report?
Joe went on to complete the pen
test and he found some misconfigurations in Active
Directory which gave him
administrator access which pretty
much gives him keys to the kingdom.
The network admin can reset anyone's passwords,
see all shared drives, probably even read everyone's email.
So he put all this into a report and delivered his findings on the final call.
Basically, it's the typical stuff.
Like you said, we found this, we found that.
Here's recommendations for fixing that. Okay, great.
And we didn't feel like it was our place or appropriate to bring that up on that call.
However, I did end up talking to that client a month later.
And we were going over some remediation strategies for them.
And basically they're like, hey, how's everything else going?
How you been? I'm like, I'm good.
How about that other thing? I'm just curious about that other thing.
This is a much more casual conversation.
I'm just curious. Is everything okay with that other thing we found?
And he kind of just gave me this look on the Zoom call.
He's like, yep, yeah, that's been handled.
And I knew not to push,
but I knew that whatever had to be done had been done.
At least it seemed like it had,
and it seemed like it worked out for them.
I wasn't going to get pulled into court
for having to testify for anything,
which I was actually kind of ready for i'm like oh this
might be the first time but it just didn't happen that way so i got lucky yeah as far as like your
success rate sure i mean you're always going to find something even if it's like a cvv level
three right but i mean as far as just success rate of just like owning the whole network and
gaining access to sensitive systems, getting, you know, half the user's passwords in the whole
organization, that kind of thing. Is that fairly high? Do you feel pretty confident like, yeah,
I'll probably be able to own this network? It's with no exaggeration, 95% of clients that we are able to do that with year over year.
And I think he can get to that point because of how many penetration tests he's done.
He's gone into dozens of networks and exploited hundreds of devices.
And after doing it over and over and over, you start to develop a pattern and know exactly where to look for weaknesses. And once you do develop a pattern,
pen tests start to become automatic since they repeat the same steps almost every time.
And so, once he was done with one pen test job,
he'd move right on to the next.
And this time, it was a bank.
It was a regional bank,
and we were doing some more traditional audit work
as well as pen testing.
And I had one of our junior pen testers on that job with me.
So this person was, you know, they came with a little bit of experience in the door.
They'd been with us for, I don't know, four to six months at that point.
So they arrive on site and they're greeted by the on-site team.
They're shown where to sit and where to plug into the network.
And this was a simulated breach. So if someone got into the network
who shouldn't be on it, what could they see or do while there?
So the two of them get all set up in this room and, well, you already know what tool they're going to
start up first. That's going to be Responder.
So we started doing our thing, you know, like doing a little Responder stuff, whatever. And for whatever reason, this person's having
a hard time with Responder.
Their Python's not working, the tool's not working.
I'm trying to help them through it.
So I'm like, you know what?
It's a teaching moment.
I'm going to let them figure this out.
I'm not going to give them the answer.
I'm not going to coach them to it.
I want to see how they handle this.
Okay, so they've taught me that Responder
is their go-to tool for starting a network assessment.
But if that's not working for whatever reason,
what do you do next?
I have a 30-minute client call with another client I need to take.
So I'm going to be over here.
I'm like, you know what, you take the reins on this.
It's the beginning of the test, what can go wrong?
So I'm on the call, and he's doing his thing. And I don't know, like five, ten minutes go by, I'm on this. It's the beginning of the test. What can go wrong? So I'm on the call, and he's doing
his thing. And I don't know, like five, ten minutes
go by, I'm on this call.
And I start noticing there's a lot
of phones ringing in adjacent
offices. And I start to hear a lot of shuffling
and people kind of running around.
And I'm not sure what's going on. I'm like,
whatever, it's probably nothing.
All of a sudden,
I see our point of contact
come flying down the hall in a panic.
He busts into the room.
He goes, what are you doing to our network?
And I'm like, I got to call you back.
So I get off my call.
I'm like, I'm sorry, what's going on?
He's like, everything's down.
We can't reach anything.
The core, oh my God, nothing works.
We're like, okay.
So to the junior guy, whatever you're doing, stop.
So he stops.
Maybe five, ten minutes go by and things kind of quiet down.
We check in with the point of contact.
He's like, yeah, whatever that was, don't do that ever again.
He's obviously upset, understandably so.
So in the process of figuring out what happened,
I'm talking to the junior tester and I say,
what were you doing?
What kind of test were you doing?
He's like, I was running Responder, whatever.
Okay, cool.
Well, what else were you doing?
Well, I figured I'd save time and I would run a port scan.
Like, okay, what would you use for that?
And he says, well, I always use MassScan.
And I'm like, okay, not Nmap? He's like,
no, no, no, mass scan's faster. Okay, so Nmap is a basic tool to scan the network. It's simple
and efficient and usually safe. And when you're testing a live network, you want to be as light
footed as you can. And Nmap is a gentle tool to scan the network with. It just does like
a simple knock on the door. Is anyone home? And it really just stops there, which is nice since
you don't want to disrupt business or wreck any systems in your process. Since after all, this is
a bank which needs to continue their service to customers. But MassScan is a bit beefier of a tool
compared to Nmap. It can make a map of your network,
but it's designed to scan huge amounts of systems at once.
Like, it shines really well
when it's supposed to scan, like, millions of IPs at once,
or even the whole Internet.
This network, at most, had, like, thousands of IPs.
MassScan is just too powerful of a tool for this scenario.
But this junior pen tester was convinced that
because it's a beefier tool, it's better for the job.
I'm like, oh, I'm aware Mascan's faster.
Show me the command you ran with Mascan.
So he shows me the command you ran with Mascan,
and when you run Mascan,
you have the option of how many packets per second
you want to run that at.
He had added like two or three zeros to the default,
which means he was blazing across all of their submats,
running mass scan and doing a port scan.
And that is what brought their network to its knees
for five to 10 minutes, is that he was careless.
And if you want to kind of step back from that,
I was careless as the quote unquote tester
in the room at that point in time.
Okay, so this junior pen tester was absolutely flooding the network with traffic.
They weren't told what exactly they impacted,
but I'm going to speculate on what happened here.
He had a computer that was plugged in using an Ethernet cable.
So his next hop from his laptop would have probably been a network switch or router.
If he's sending massive amounts of traffic,
it could easily overwhelm that next hop.
Just too many packets at once going through that and opening too many sessions. It can fill up the session table. If he's sending massive amounts of traffic, it could easily overwhelm that next hop.
Just too many packets at once going through that and opening too many sessions.
It can fill up the session table.
Memory or CPU on the device could just be maxed out, and it just might not accept any more packets.
Essentially doing a denial of service on that next hop, if it was a switch or a router.
And what that would do is it'd cause everyone who's also connected to that device to not be able to reach anything beyond it.
Like the pipes are clogged kind of thing.
And if there are servers also connected to that switch,
then those servers would be unreachable by anyone too.
The other option is if this mass scan tool was configured to scan IPs outside the network, the traffic might have traversed the firewall.
And this is a device that acts as a security checkpoint
between the internal network and the outside internet,
which does a little bit more inspection of packets.
And if every IP that Mascan was trying to hit
was getting inspected by the firewall,
that might be too much for the firewall to handle.
It just can't accept that much stuff.
Not only that, but it might have taken up all the bandwidth
that that site had for internet access as well,
making the whole internet go down for the site.
Either scenario, Joe realized it was them who took down the network.
And now they had a really big problem on their hands to deal with.
So we end up with like this big call.
He didn't necessarily like break anything.
He just slowed the network down to a crawl because he was shoving so much traffic through
it that nothing else could get where it needed to go. So the CIO, chief information officer on the call, a lot of big muckety mucks.
And basically they're like, tell us why we shouldn't fire you from this right now, essentially.
And we had to go through the whole rigmarole with them and explain like, look, you know,
it was a typo on a screen. We didn't do it on purpose, we're very sorry, we won't do it again, yada, yada, yada. And luckily, like they came around. But I'm pretty sure we don't have pen
testing work at that bank anymore. So yeah, that was not fun. We've had to change our procedures
since that's happened. One thing that I thought isn't explicitly taught to pen testers, but I believe is possibly the most important skill for them to have,
is communication skills.
It's not entirely unusual to be put in a hot situation
where there's some very stressed out people on the phone or in the room,
or people that are just really difficult to work with.
And the better you can speak their language,
the more effective you're going to be at working with them.
If you're a pen tester and you find some awful, glaring security issue in the network,
how do you explain the problem to the business leaders
in a way that they will prioritize it and fix it?
They aren't ding-dongs.
They have degrees and are highly accomplished people,
but they don't understand the details of cybersecurity.
So you need to have those communication skills
to speak their language so they get it.
And that, to me, is a mark of a great penetration tester.
A big thank you to Evil Mog for telling us about this time in Afghanistan.
And also thank you to Joe for telling us about his pen test story that went all wrong.
They were able to keep working after that and provided value to the client despite the rough start.
I've got a t-shirt shop that I really want you to check out.
There are over 50 designs in there and I am positive you will find a shirt that you'll love in the store.
Please visit shop.darknetdiaries.com
and treat yourself to something nice.
This episode was created by me, the One-Eyed Jack reciter.
Our editor is the encrypted kid, Tristan Ledger.
Mixing done by Proximity Sound
and our intro music is by the mysterious Breakmaster Cylinder.
I took a trip down to the Capitol in Washington, D.C.
and a little bee landed on a flower next to me.
And I nodded at it, and I said,
That's a U.S. bee.
This is Darknet Diaries.