Darknet Diaries

149: Mini-Stories: Vol 3

Tue, 03 Sep 2024

Description

In this episode we hear EvilMog (https://x.com/Evil_Mog) tell us a story about when he had to troubleshoot networks in Afghanistan. We also get Joe (http://x.com/gonzosec) to tell us a penetration test story.

Sponsors

Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

Transcription

0.55 - 17.949 Jack Rhysider

Some really incredible scam artists out there, and I mean top tier ones, and those ones really intrigue me. One of my favorites is a guy named Victor Lustig. Well, that's not his real name, but that's the name he was famous for. This guy was going around scamming people in the early 1900s.

18.069 - 31.624 Jack Rhysider

And there was one scam he did where he got $32,000 in Liberty Bonds together and went into a bank to trade them in. And the bank offered him $10,000 in cash and some farmland. And he took that deal and signed all the paperwork.

32.185 - 45.536 Jack Rhysider

But just as he was about to leave, he did some sleight of hand and switched the envelopes and walked out with the cash and the farmland and the Liberty Bonds that he walked in with. The bank did not like this and called the cops on him, who caught him in Kansas City.

45.977 - 66.654 Jack Rhysider

But he convinced them that if they pressed charges, then the story would get out and it would be terrible for the reputation for the bank. Customers wouldn't want to use a bank that's this careless with the deals they make. He was so good at convincing them of this that the bank dropped the charges and gave him $1,000 to not tell anyone and keep the story quiet.

67.555 - 84.769 Jack Rhysider

But the most brazen scam that Victor Lustig did was when he went to Paris. The Eiffel Tower was built for the 1887 World's Fair, and some thought it was going to be a temporary structure, and by 1925, it was needing repairs. Victor leaned into this and called five scrap metal companies to come meet him

85.109 - 102.792 Jack Rhysider

at a fancy hotel in Paris, and he said he was a deputy director with the French government and even had fancy stationery to prove it. And he told them that the maintenance of the Eiffel Tower was becoming too high and they were looking for a company to dismantle it and purchase the scrap metal. But he also said this deal needed to be hidden from the public to avoid controversy.

103.473 - 124.801 Jack Rhysider

And one of these companies was eager to take the deal and ended up paying Victor a large sum of money. And yeah, as soon as Victor got the cash, he immediately fled the country and left France. He sold the Eiffel Tower. But he kept a close eye on the news back in France to see how much trouble he'd be in. But the news never reported this.

124.821 - 145.751 Jack Rhysider

I guess the guy he scammed was too embarrassed to report it to the police. So Victor thought, this was such a great scam, why not do it again? So he goes back to Paris to try it again. I mean, why let all that fancy stationery go to waste, you know? So he called five new companies in to pitch them, too. But one of them saw right through the scam and called the cops.

146.151 - 172.471 Jack Rhysider

Victor saw the cops were coming for him, and he narrowly escaped, this time fleeing all the way to the United States. Amazingly, when he got to the United States, he scammed Al Capone and later tried to make counterfeit money, which is how he got arrested, by making fake money. But funnily enough, when he was arrested, he was put in the same prison as Al Capone. What a wild guy Victor Lustig was.

177.032 - 217.387 Jack Rhysider

These are true stories from the dark side of the Internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is brought to you by Varonis. So many security incidents are caused by attackers finding and exploiting excessive permissions. All it takes is one exposed folder, bucket, or API to cause a data breach crisis.

217.907 - 237.72 Jack Rhysider

The average organization has tens of millions of unique permissions and sharing links. Even if you could visualize your cloud data exposure, it would take an army of admins years to right-size privileges. With how quickly data is created and shared, it's like painting the Golden Gate Bridge. That's why Varonis built Least Privilege Automation.

238.16 - 255.994 Jack Rhysider

Varonis continuously eliminates data exposure while you sleep by making intelligent decisions about who needs access to data and who doesn't. Because Varonis knows who can and who does access data, their automation safely remediates risky permissions and links, making your data more secure by the minute.

256.554 - 281.736 Jack Rhysider

Even when you're not logged in, Varonis is classifying more data, revoking permissions, enforcing policies, and triggering alerts to their IR team to review on your behalf. To see how Varonis can reduce risk while removing work from your plate, head on over to Varonis.com slash Darknet and start your free trial today. That's Varonis spelled V-A-R-O-N-I-S dot com slash Darknet.

286.914 - 306.296 Jack Rhysider

This episode is sponsored by ThreatLocker. Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of ThreatLocker Zero Trust Endpoint Protection Platform.

306.696 - 323.409 Jack Rhysider

ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. This least-privileged strategy mitigates the exploitation of trusted applications and ensures 24-7, 365 protection for your organization.

326.471 - 345.094 Jack Rhysider

The core of ThreatLocker is its Protect Suite, including application allowlisting, ringfencing, and network control. Additional tools like the ThreatLocker detect EDR, storage control, elevation control, and configuration manager enhance your cybersecurity posture and streamline internal IT and security operations.

345.635 - 368.79 Jack Rhysider

To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit ThreatLocker.com. That's ThreatLocker.com. So what should we call you? Evil Mog is fine. Okay, we'll call you Evil Mog. How do you get that name? Where does that come from?

369.295 - 391.667 Evil Mog

All right, so it was funny. I'm a glider pilot. And so the first aircraft I ever flew was CF or CG Mog. But it also happened to be a Final Fantasy character. The problem was I had that as my gamer handle for years. And then I met Matthew O'Gorman at DerbyCon, and he had the same initials. And so we decided to deconflict. And because he had the name, I figured I'd change mine to be polite.

392.247 - 395.669 Evil Mog

And so I became Evil Mog, and that was my IRC handle from thenceforth.

396.369 - 402.231 Jack Rhysider

IRC, I remember those days. We were young then. Did you do any stupid things when you were young and on IRC?

402.331 - 423.32 Evil Mog

Yeah, so I was kind of stupid and was doing a fair bit of online piracy, phreaking, a little bit of other various things. And back then, it was fairly easy to trace people because young, dumb, and stupid. And so I get this kind of stern knock on the door.

425.834 - 433.437 Jack Rhysider

A stern knock sounded urgent and menacing. He opened the door and saw the police were standing at his front door.

433.898 - 457.509 Evil Mog

And they're like, we know everything you've been doing. You have a choice. You either stop now and play good, or we either put you in juvie, but Canada's prisons are kind of crap for kids. Or we can just get a technology ban on you that'll last until you're 30 and you'll never get a job in technology. I'm like, yes, sir. I'll be good, sir. Here we are, sir. And, you know, kind of off we went.

457.729 - 468.737 Jack Rhysider

Okay, so hold on a second. I've pirated. Mm-hmm. And I've done some phreaking. The cops never came to my house. It sounds like you might have done more than that or went over the line.

468.757 - 485.862 Evil Mog

I might have done a little bit more than that. Um... Just a little bit. See, remember back when the early credit card numbers had a specific way of validating that they were legit? I was publishing bogus credit card number generators that only sort of worked half the time on local BBS systems.

488.924 - 493.127 Jack Rhysider

They were... Did they work at all? Because I can't even imagine this work.

493.207 - 505.436 Evil Mog

They wouldn't work for authorization, but they'd work for input validation on websites to like, you know, hey, let's go pop on to, let's say, the early porn sites, for example. They'd get you enough to get your free trial, and then they'd mysteriously error out.

505.936 - 526.618 Jack Rhysider

When I was a teenager, I didn't understand how credit cards worked at all. Like, in my head, it just seemed like 16 random numbers. And if you knew those 16 numbers, could you buy stuff? Yeah. So I thought, okay, let's test that theory. As a teen, I went to a website, put in 16 random numbers just to see what happened.

527.118 - 544.568 Jack Rhysider

I thought if it worked, I'd have no idea whose number I just used and I could just say I typed the wrong number if they asked me. But no matter how many 16-digit credit card numbers I put into a website, it never worked. Every one was an invalid number. Apparently, it's more complicated than just that.

544.788 - 555.38 Evil Mog

There's that whole Luhn check, right? There's some math behind it. I looked it up because I didn't have the generator quite right. Some of the checksums didn't match, but most of them kind of did. It was enough to get past a cheap regex, but that's about it.

556.744 - 563.008 Jack Rhysider

Evil Mog loved flying planes when he was a kid and signed up for junior glider classes taught by the Canadian military.

563.528 - 570.653 Evil Mog

I was a cadet back when I was younger, from 12 to 19. I got my glider license before I learned how to drive a car.

571.113 - 579.919 Jack Rhysider

From there, he joined the military and taught other kids how to fly gliders. But his other passion was computers, and the military was offering to pay his training to learn more about computers.

580.339 - 596.095 Evil Mog

So I had an option to go back to school, went back to SAIT as a network engineer. Did six months of CCNA, MCSA, Linux LPI 1, Level 2, Level 3, that kind of stuff. And that's what kind of restarted my career when I was in my early 20s.

596.595 - 599.939 Jack Rhysider

So he spent four years in the military and then went to work for IBM.

601.778 - 623.172 Evil Mog

So basically, I got the phone call from my friend to go over to Afghanistan. And he said, there's this company called Network Innovations. And basically, what they do is they run the morale voice and internet services for the Canadian forces. So what that means is you have soldiers calling their families back home from the big super FOBs or the small little remote outposts.

623.772 - 635.949 Evil Mog

And so he's like, hey, do you want to go over for six months? And I'd already released from the reserves at this point. I said, yeah, sure, let's go over. I had nothing else to do, and I wanted some money, and it was all tax-free, so I deployed over.

635.969 - 641.954 Jack Rhysider

Hold on. It's not just like going over to France. Afghanistan, there was an active war zone, wasn't it?

642.094 - 659.488 Evil Mog

It was, yeah. It was totally. Regional Command South in 2008 was hot, to say the least. I wanted to go do something useful. I always kind of did, and my parents were like, you're not going over. I'm like, sorry, I'm going over. I want to pay off some debts, and I want to go do something good with...

660.529 - 679.336 Evil Mog

You know, for the folks that are over there, you know, did a little bit of pre-deployment training, nothing much. Just here's how to wear a gas mask. Here's how to put on a bulletproof vest. And then here's a whole whack load of vaccinations. Then all of a sudden, there's some kid from the sticks out in the middle of the active war zone.

680.834 - 690.858 Jack Rhysider

So even though he was military trained, he was in the war zone as a private contractor, and his job was to go to forward operating bases, or FOBs, to work on the network there.

691.038 - 709.106 Evil Mog

There's satellite, there's microwave. Basically, these people need to be able to contact family or else they're going to go nuts. I mean, it's like being stuck out in the middle of the bush for six months. So my world was just morale voice. The Canadian forces handled all the tactical and all the operational. My entire mission was making sure people could call their families.

709.366 - 729.74 Jack Rhysider

These FOBs were often on the front line of the war zone in Afghanistan. It's dusty, war-torn, and weathered. Computers don't like these kind of environments because they're delicate and fragile, not rugged and battle-ready. So he was constantly being sent to troubleshoot computers and networking equipment that was breaking in war zones.

730.18 - 745.994 Evil Mog

Oh, I'd set it up as well. Like, say, for example, we'd have a new site and they're like, hey, we need to get, you know, FOB whatever the heck back online. They'd send me out in the back of a convoy with a little Pelican case with, say, here's a tiny little BGAN terminal, which is a small mini satellite.

746.615 - 766.094 Evil Mog

Or in the case of a larger FOB, here's a bunch of Pelican cases with an auto-acquire satellite dish. You'd go roll out, set up the SATCOM dish, hook it into a couple of laptops and a router and a switch, a little tiny PBX system, et cetera, and then do a couple phone call tests to make sure everything works. That was all she wrote.

767.244 - 777.511 Jack Rhysider

They set up this comm shack inside a 40-foot-long cargo sea container. And he'd go base to base, setting up or fixing the networks inside there. And there was never a dull moment.

777.991 - 789.82 Evil Mog

I roll it on site. I'm in the middle of doing a repair. All you hear is the siren. And then this crappy British voice they used, because they all had the same recording. Rocket attack, rocket attack. And that's all you're hearing.

789.84 - 810.877 Evil Mog

You know, you bunker down in between a set of HESCO barriers, which are basically just a bunch of gravel, some concrete, a bunch of chicken wire all around, enough to give you a bit. You just, you know, hunker down in place and you sit there, chill out, wait till the shelling stops. You get up, see if there's any damage and get back to repairing the equipment.

810.917 - 813.239 Jack Rhysider

So what kind of damage happened to this equipment?

814.534 - 822.042 Evil Mog

Thankfully, it missed us, but one landed in the poop pond. That was terrible. One landed and took out a recreational facility.

822.062 - 836.665 Jack Rhysider

He says the equipment in this area would only last six months because it would get full of dust and just not last very long because of the harsh desert environment. And one day, he got word that one of the comm shacks got rocketed at another base.

836.945 - 847.733 Evil Mog

One of the rockets landed. It took out the satellite dish. It took out one of the comm trailers, and it took out a bunch of the cabling. These guys were down for about a week.

848.254 - 854.618 Jack Rhysider

His orders are to travel there and get it back online. Traveling to these FOBs takes days or weeks to get to them.

855.499 - 879.816 Evil Mog

I get out there and thankfully I was smart and I pre-sent all the gear I needed on a convoy ahead of me. There's this broken down, destroyed crater effectively where the old piece was. I come up and there's guys, basically giant bulldozers and heavy equipment moving the old gear out. The gear inside is just completely toast.

881.03 - 901.036 Evil Mog

Meet up with the local sergeant who's like, hey, we're putting your new gear down right where the old one was, dropping this new sea container in. What do you want to do with this old thing? I'm like, take it back, salvage it, destroy it. We don't really care. Use it for training. You wire up the new SATCOM. You are calling on to your folks out of the UK going, hey, do you see my bird?

901.896 - 922.481 Evil Mog

Yeah, we're locked on. Here's the activation. Boom, new terminals are online. You've deactivated the old accounts. You do a couple plugins, test the new laptops, and then there's already a lineup around the block of folks who have gotten their email in like a week and a half, right? And so all of a sudden, you start running them all in. They're all nice and happy. You run down to the chow hall.

922.542 - 928.629 Evil Mog

You munch whatever warm food they've got. You stick around for a day or two for troubleshooting, and then you –

929.95 - 951.933 Evil Mog

call your boss on the defense service network: hey, can you guys get me a helicopter out? They're like, sorry, man, all the birds are tasked. So finally you head yourself down to the TOC, the tactical operations center. You introduce yourself, like, hey, when's your next convoy out? If you're lucky, they send you out on a combat patrol, which are way faster and less annoying than a convoy because it's, you know, one or two vehicles and

952.834 - 966.141 Evil Mog

It's a little more comfortable. If you're not lucky, you're crammed into the back of this armored personnel carrier that's hot as balls wearing body armor in the heat, and yet take your eight hours to go 100 kilometers to get back home.

966.849 - 980.614 Jack Rhysider

I also, I don't know why, but I'm picturing of you like climbing up a tower, adjusting, you know, getting a spanner on a satellite dish, adjusting it and getting like shot at from up there and being like, hey, it's coming from that hill. Give me cover.

980.654 - 1001.301 Evil Mog

I mean, that kind of has happened. Not nearly as extreme, but have you ever tried to repair 200 pairs of Cat 5 in a sandstorm from 100 feet up in the air? 100 feet in the air? What's up there anyway? Yeah. It was a comm tower. I had to go through this one bridge spot because most of the stuff at KAF was all underground.

1001.841 - 1022.526 Evil Mog

But we had this one spot that was basically all hooked up to a tower because of the way this one extension went. And so we had an outage. Someone drove a piece of equipment through the cables. And so I had to go up and resplice all this outdoor cable. And I'm up on this tower and all of a sudden it's a sandstorm. And I'm like, oh, no.

1024.778 - 1044.894 Evil Mog

I can't work on this cable with gloves on because it doesn't... You ever tried twisting and terminating cable with gloves? It just doesn't work. So I'm getting blasted by sand in this whiteout condition trying to terminate because I'm not going to try and climb down the tower. It's just not going to happen. I'm hooked in there, ready to rock.

1045.795 - 1067.972 Evil Mog

I got 30, 40 cables done before the sandstorm ended and then finished off the rest of the job. One of the things we did, in addition to making sure people call their families back home, is we ran a video teleconference unit. And so people could see their families back home. We found out one of the guys coming out of a FOB, his convoy got bumped.

1068.192 - 1081.962 Evil Mog

Now, bumped is a polite word for saying hit by an IED. Thankfully, in this case, nobody died. Thankfully. Whatever deity you believe in. But it really shook this guy up. It shook him up seriously fierce.

1082.082 - 1089.825 Jack Rhysider

Yeah. Let's highlight, there was a lot of deaths there. There was. Thankfully, because you were seeing that around, weren't you?

1090.286 - 1114.439 Evil Mog

Well, the worst thing we had to do is every time somebody died, we had to kill all of the communications in theater, including all the forward operating bases and the super FOB. It was known as a comm lockout procedure. We had a cell phone on. The second somebody got confirmed casualty, I got the phone call, I hit the buttons, and then I got to release it once they notified the families.

1114.64 - 1137.381 Evil Mog

So why is there a lockout? It's so that people don't put things on social media or get out to the news articles before they can notify the families. Hmm. It was one of the worst things ever. Because being on that phone call, you're like, shit. You feel all sorts of terrible feelings. And then you have to go act like a professional, cut the comms off.

1137.501 - 1158.944 Evil Mog

And then when people are like, hey, the internet's not working. You've got to give this nonchalant comms lockout, but still be sympathetic about it. And when you say comms lockout, everyone in theater knew what you were talking about. But it was one of those... It was a weird, solemn duty I had to do, you know what I mean? Yeah, I mean, you weren't the one telling the families.

1159.705 - 1168.928 Evil Mog

Nope, but I was killing the comms and telling all the soldiers, hey, why can't I call family back home? Like, sorry, man, comms are offline due to a comm lockout.

1169.248 - 1174.251 Jack Rhysider

Yeah, and now they're saying, oh, does that mean there's a confirmed casualty? And now you've got to answer these questions.

1174.271 - 1177.312 Evil Mog

Yeah, and then my answer is like, I have no idea, man, I just work here.

1181.161 - 1201.507 Jack Rhysider

IEDs are super scary. You're just driving along, listening to tunes, telling jokes to the other soldiers, and then out of nowhere, boom, your truck runs over a mine and blows up your vehicle. It often kills people, and it's certainly enough to freak anyone out. And while this IED didn't kill anyone, one guy was really messed up from this.

1202.327 - 1224.669 Evil Mog

He wasn't injured. He was just shocked, really badly shocked. Getting hit by an IED, even if nobody gets injured in the process, is enough to send someone to spirals. Because you get that whole mental, oh my God, what if this had been me? What about the possible guilt? All that kind of thing. And the guy was in really rough shape mentally.

1226.189 - 1241.696 Evil Mog

So they originally asked, could you give us some extra phone minutes and phone time? That's how the request came in. And us being us, we've got, yeah, here's a couple hundred minutes to go hard. And we're like, hey, is there anything else we can do? And his guy's like, well, he's doing pretty rough.

1243.362 - 1258.249 Jack Rhysider

Evil Mog starts talking with people, trying to figure out what more he can do. And that's when he found out this soldier was about to be a dad. His kid was due to be born any day back in Toronto. And this gave Evil Mog an idea.

1258.269 - 1280.777 Evil Mog

And I'm like, dude, we got to do something for this guy. So thankfully, they had people on the ground in Toronto. And I'm like, hey, can you go spring over to CFB Trent and go grab one of our spare video teleconference units and get it out to the hospital? I'll do whatever it takes to requisition bandwidth. Just get me the stuff out there. I figured out we had some spare bandwidth available.

1280.917 - 1300.141 Evil Mog

So I slowed down everybody's video teleconference and voice services and their Wi-Fi a bit and opened up an entirely new channel. Because all we had was six megabits for a thousand people. Almost no bandwidth whatsoever. And so I was like, hey, you know, line this up. I'm going to reserve you bandwidth for like the next... four or five days.

1300.721 - 1309.667 Jack Rhysider

He learned that the wife was already checked into the hospital and was starting to give birth right now. So he's calling Toronto to try to figure out how to contact the wife at the hospital.

1310.067 - 1323.896 Evil Mog

And so then we had to go contact their visitor unit and say, hey, do you guys have enough bandwidth for us to go get you video teleconference? And thankfully, they had a really decent tech there. He's like, well, actually, we can make some things happen. What do you guys got for equipment?

1324.136 - 1325.957 Jack Rhysider

Were you talking to the tech at the hospital?

1326.538 - 1339.283 Evil Mog

Yeah. Wow, okay. Trying to coordinate this from halfway across the world is kind of interesting. Exactly, yeah.

1339.503 - 1345.807 Jack Rhysider

So you're saying, all right, here's the equipment I have, here's what you have, let's make a final common denominator. I think we can connect these two things.

1346.407 - 1355.132 Evil Mog

Exactly, right? So they were running on Tandberg, we were running on Tandberg, and we made the gear all work out. I popped onto the load balancers on our side, and...

1356.075 - 1361.684 Jack Rhysider

So tell me about the tech side. So did he put like a computer on a cart and then wheel the cart into the room?

1362.284 - 1366.791 Evil Mog

No, it was a TV on a cart with a Tandberg video teleconference unit.

1367.232 - 1370.316 Jack Rhysider

Which is meant for like doctors and nurses. It's not meant for patients.

1370.956 - 1389.765 Evil Mog

Yeah. Yeah. He just threw this on the thing. They wheeled her in. They plugged her right in next to the woman's bed there. We swiveled the webcam over. He managed to get us a public IP so we could do remote control of it. And then, yeah, we just set up the communication channels and off we went. It was actually running rather well.

1390.205 - 1394.587 Joe Sarkisian

Okay. So you're like, oh, okay, cool. You got it set up. All right. I'll be right back. Let me get the guy.

1395.347 - 1416.89 Evil Mog

Yep. I talked to Steve. Steve called the guy's unit commander. Unit commander called the section leader. They pulled him out, said, look, you're to report to building 026 Bravo on Kandahar Airfield. Show up here. We're like, hey, man, we got a surprise for you. Wheel him back out there, plop him down in one of our spare rooms that we had.

1417.808 - 1426.591 Evil Mog

rigged up into this 40-foot sea container, plopped down a chair, made it comfortable, said, here's our little care package, here's some Kleenex, call us if you need anything.

1427.711 - 1429.452 Joe Sarkisian

And do you remember his face when he saw his wife?

1430.952 - 1445.037 Evil Mog

We weren't even looking, we gave him his privacy. Yeah. I remember how he was afterwards, though. After he saw his wife, he walked in, he was all doom and gloom. This is going to sound stereotypical, but that thousand-yard stare, like, you've seen some shit.

1445.617 - 1445.777 Joe Sarkisian

Mm-hmm.

1446.505 - 1458.169 Evil Mog

And then the guy, right afterward, I saw life in his eyes. Yeah. So that's how I knew we did a good thing.

1459.189 - 1463.591 Jack Rhysider

Yeah. I mean, how do you think you impacted his life?

1464.904 - 1481.655 Evil Mog

I mean, from what I've been told, the actions taken the first couple of days after a major incident are the most critical. And I think by giving him that level of support immediately, I think I changed the guy's life way for the better. I mean, they were talking originally about having to discharge the guy.

1481.675 - 1495.644 Evil Mog

From what I heard, he'd stuck around another five, six years before he finally released and went off and doing something. I can't even remember what he's doing now. But I think I've changed the life for the better, so... I'm good with that.

1496.584 - 1509.997 Jack Rhysider

Yeah, I mean, it's also very possible that you saved his life. I could have. Because coming out of PTSD or getting affected that badly by it, you can easily end your own life.

1510.858 - 1518.145 Evil Mog

Exactly. I like to think we saved a life there. And no matter what I do in life, I think that's the coolest thing I've ever done.

1522.116 - 1539.889 Jack Rhysider

To me, this right here is the quintessential Darknet Diaries story because of where I found it. I went to DEFCON, and I was invited to the Microsoft party, and I sat down at a table to chat with people, and that's where I met Evil Mog. And he was there telling us the story, and I was so captivated by it that it made me cry.

1540.709 - 1557.003 Jack Rhysider

And my goodness, to be at some DEFCON party and to hear a story so moving that it makes me cry, that's one reason I started this show. I imagined in my head while I was listening to Evil Mog tell me that story that I saw you across the room and I was like, psst, over here, you gotta hear this story.

1557.243 - 1581.723 Jack Rhysider

And I brought you in to eavesdrop on these inner circles to hear the untold stories that are only shared in intimate and private spaces that are all over the hacker culture but are hard to find. I love these chance encounters. It's like finding a hidden path in a familiar landscape. I hope stories like this fill you with the same great feeling I get when I hear them in person.

1582.383 - 1608.626 Jack Rhysider

I have such a fun job. I'm so grateful. Okay, we're going to take an ad break here, but stay with us because we have a new guest to tell us a new story after the break. This episode is sponsored by Axonius. Complexity is inevitable in IT and security, and it's increasing. Axonius is here to help you control it.

1609.267 - 1633.722 Jack Rhysider

As a system of record for all digital infrastructure, the Axonius platform correlates asset data from existing tools to provide an always up-to-date inventory, uncover security gaps, and automate response actions. Go to Axonius.com slash Darknet to learn more and get a demo. That's Axonius, spelled A-X-O-N-I-U-S. Axonius.com slash Darknet.

1637.523 - 1640.045 Jack Rhysider

All right, so let's start out with who are you and what do you do?

1640.065 - 1664.642 Joe Sarkisian

Yeah, my name is Joe Sarkisian. I work for Wolf & Company, P.C. out of Boston. I do penetration testing of all kinds, internal, external, Wi-Fi, social engineering, advanced security assessments, things like that. So we have a... client, not a big company, maybe like 20 people. And they contracted us to do your average assumed breach pentest, so to speak. So we're on the inside, we're given access.

1665.103 - 1684.63 Joe Sarkisian

What would happen if somebody gets in there? So we send them a remote drop box, a little Raspberry Pi that we send them, they plug it into their network, and then we connect to that remotely. And it's kind of like we're sitting there in person. We've got on-the-wire access at that point on a subnet that they put us on. So I begin the test.

1686.191 - 1706.495 Joe Sarkisian

Typically, and here's the funny thing, is you'll look at pen test frameworks. You should start here. You should do this. You should do that. I would challenge you to find a pen tester that doesn't fire up Responder the second they get on a network and try to get creds and be off to the races as soon as humanly possible because that's what we do, quite frankly, on a lot of tests.

1706.635 - 1724.01 Jack Rhysider

So that's what I did there. Okay. Responder is a pretty clever hacking tool. It's free to get. It's just a Python program. And how you use it is you just start it and wait. Now, the thing about Windows computers is that they always want to try to join a domain and connect to shared drives on the network.

1724.49 - 1744.633 Jack Rhysider

And so if a Windows machine wants to connect to a shared drive, it will try to get to that host directly. And if it's there, it'll connect to it just fine or whatever. But what does the Windows computer do if it can't find the shared drive that it's trying to connect to? Well, it wants to connect to it very badly, and it will try another way.

1744.973 - 1757.577 Jack Rhysider

It might ask the DNS server, hey, do you know the IP address for the server I'm trying to get to? And the DNS server might be like, yeah, I got that. Here's the IP right here. And then the computer might be like, that's the same IP I have, and I already checked. That one's not online.

1758.157 - 1783.74 Jack Rhysider

So then if the Windows machine still can't find that shared drive that it really wants to connect to, it then sends a broadcast message to all the computers on the local subnet saying, hey, I'm looking for this shared drive. If any of you are it, please respond. And that's when Responder springs into action. It sneakily says, why, yes, I'm that shared drive you're looking for. That's me.

1783.8 - 1807.636 Jack Rhysider

You found me. I'm here. And the Windows computer is like, oh, thank goodness. I've been looking for you everywhere. I'd like to connect to you. And Responder is like, sure, of course you can connect to me. But you need to authenticate first. Yeah. And the Windows computer is like, oh, yes, of course. Okay, here's my username and password. Now, Microsoft takes your security seriously.

1807.936 - 1829.281 Jack Rhysider

So it doesn't actually send your password over the network. Instead, it sends a password hash. And since Responder is this dirty little liar on your network, it snatches that username and that password hash and gives it to the penetration tester or hacker who's running the tool, saying something like, hey, someone just tried to connect to me using this username and this password hash. Here you go.

1830.339 - 1848.338 Jack Rhysider

Typically, Responder only works against computers in the same subnet as it. So if you're in the same subnet, then yeah, Responder is an amazing tool at finding usernames and password hashes. Now, a password hash is not the password. It's a gibberish set of characters that you get when your password goes through an algorithm.

1848.638 - 1870.996 Jack Rhysider

And the thing is, in some cases, you can crack this hash to get the password. And a common method for cracking passwords is brute force. Take the top one million most common passwords and hash them. And then see if any of those hashes match the password hash you just got. And if so, you found the password. Exactly. So we use something called Hashcat. We'll take that hash.

1871.357 - 1889.025 Jack Rhysider

We will plug it into hash. Tell me about this. So to crack that, that's not on the Raspberry Pi because the Raspberry Pi doesn't have... the CPU cycles to be able to throw a billion passwords at that thing and try to figure out which one it is. What's your method for cracking it?

1890.128 - 1914.686 Joe Sarkisian

Well, that's the scary thing is our method is the same thing that any bad guy all around the world can do, right? We have an Amazon account, right? And we can spin up Amazon EC2 instances. So what we do is we spin up these Tesla GPUs on an instance. We have a couple of them. And we will take that GPU power to just blow through password hashes as fast as we possibly can based on that power.

1914.706 - 1931.054 Joe Sarkisian

It's going to be a lot faster than doing it with Raspberry Pi or your local PC, unless your local PC has a ton of graphics cards in it, which ours is not. So yeah, we do that all in the cloud, relatively cheap, not super expensive to get done. And usually we get results pretty quick, within the first couple of hours.

1931.955 - 1939.158 Jack Rhysider

Okay. Now, what's your kind of success rate on getting one hash and being able to crack that single hash?

1940.771 - 1950.601 Joe Sarkisian

I'm going to go 90 plus percent. That depends. If we've been there before and they took our recommendations, it's going to take a lot longer. It's going to be a lot harder.

1951.162 - 1963.014 Jack Rhysider

A different question, which is kind of in the same realm, is suppose you have the entire AD database of hashes. What percentage of passwords do you think you're going to crack out of that?

1964.688 - 1974.662 Joe Sarkisian

So we will probably get on average, I would say, and again, whether we've been there first or not, they're taking recommendations, we'll probably get 50 to 60% within the first like four hours.

1979.417 - 1996.389 Jack Rhysider

So he's basically trying billions of passwords to see if any of them match this hash. Of course, the longer that his hashcat tool runs, the more passwords are tried. And so they might start with the top 1 million most used passwords and then try making slight modifications to those, like putting a 1 at the end or capitalize the first letter.

1996.77 - 2016.258 Jack Rhysider

Maybe add in their own word list, such as the company name or mascot or city or address or person's name or kid's name. If no luck there, then... try every word in the dictionary, but add numbers to the end of it and maybe mix it up a little bit and see if that works. And just try tons of combinations. And pretty much all the stuff I've listed so far probably only takes like a few hours or less.

2016.938 - 2045.265 Jack Rhysider

Now, after the tool has tried all this, it just then starts going through every single possible character combination in the world, such as AAA, AAB, AAC, AAD. So this combination of finding a username and password hash from Responder and then trying to crack it in Hashcat could take hours or even days, since it's about waiting and timing and maybe brute forcing the password.

2046.326 - 2064.637 Jack Rhysider

So in the meantime, he's looking around the network to see what else is there. A good place to start is Nmap. Nmap is a basic tool that you can use to quickly scan the network to see what's there. It'll basically ping every IP address in the network to see what responds. And if any do, then it'll try to see if that host has any open ports.

2065.198 - 2072.902 Jack Rhysider

Then Nmap will spit out a report saying, here are all the computers on the network that I found to be alive, and these are their open ports. Exactly, yeah.

2072.922 - 2094.025 Joe Sarkisian

So we'll look for default passwords places. We'll look for null sessions on host. Can I access this host without a username or a password? Can I just get in there maybe on a domain controller? We still find this. You're able to quote unquote authenticate to a domain controller as nobody and start enumerating the domain.

2094.625 - 2116.055 Joe Sarkisian

Now, if you can do that, you can get a list of users from a domain controller, right? And then take that list of users and start password spraying against that domain controller with that list of users, common passwords, right? And then maybe you get a hit on password 2023 exclamation point, right? Or a company name 2023 exclamation point, right? Crazier things have happened.

2116.595 - 2124.54 Jack Rhysider

So there's a lot of stuff going on at once. He's got these background tasks running to try to get more usernames and hashes, and he's also trying to crack the hash he's got.

2125 - 2137.848 Joe Sarkisian

Yeah, I mean, to this day, I've been doing this, I don't know, about five years now. To this day, whenever I see that first hash flashing yellow across my screen when I'm on a pen test, I still get a shot of adrenaline, right? It's just like, here we go.

2140.606 - 2156.952 Jack Rhysider

Boom. He cracked the password. Yes. But who is this user? Are they just like a low-level user? Or are they a system admin? He has to find out. And to do that, he logs into a computer on the network to see what his access is. And it's a normal user with no special privileges.

2158.432 - 2175.962 Joe Sarkisian

So now we have domain access as that user. So typically what we'll do, we'll look for some basic, you know, privilege escalation opportunities. And at the same time, we're looking for data, right? So let's say we're kind of poking for both of those things, right? We want to prove that risk that this basic user maybe has access to some data that they don't need access to.

2176.382 - 2200.051 Joe Sarkisian

And if a bad guy gets access to this account as that person, they also get access to that data. And that's something you need to work on. So as we're rooting through file shares, what does this person have access to? We find this host. And it's like a Windows 10 host. And we have access to a couple of shares on this host. And we're rooting through.

2200.071 - 2222.582 Joe Sarkisian

Typically, we're looking for things that are called like password.txt or like SSH, this, that, or the other thing, or SSN, right? We're looking for data that's going to prove a problem for the company. So I'm looking through. And I find this folder called, I believe it's called like MPEGs. So I'm like, that's interesting. I don't typically find something like that.

2223.403 - 2246.304 Joe Sarkisian

You know, just like a folder called MPEGs. That's different. I'm just curious what's in here. So I look in. Sure enough, there's a bunch of MPEG files. I'm like, okay, that's interesting. There's like maybe four or five of them. So I download one of the MPEG files. I get it locally, and I'm like, let's watch this file. I open it, and I see a camera feed.

2247.711 - 2264.919 Joe Sarkisian

And the camera is just on a desk facing at someone's kind of where they would sit, right, in front of the computer. And I'm like, that's weird. You know, why would anybody put a camera on their desk, right? That's just strange. What are they recording? It doesn't make any sense. So all right, well, maybe there's something else to this.

2265.039 - 2291.992 Joe Sarkisian

So I download the second one because they're going in order, one, two, three, four. Download the second one. It is the same camera. It is the same desk. And this time the camera is underneath it. And it was a lady's desk I found out later. The way the camera was angled was, yes, at their, you know, the front bottom half of their body. Let's put it that way.

2292.585 - 2305.168 Jack Rhysider

Let's just say it was an inappropriate place to put a camera in an office if that lady wasn't aware of it. Joe knew that what he was looking at was potentially going to get someone fired. So he had to proceed with caution here.

2306.188 - 2330.038 Joe Sarkisian

So I see this, and now I'm like, oh, God. Like, everybody, every pen tester has that, like... feeling that sooner or later, they're going to get this moment that is something like this. You find the proof that somebody's stealing from the company, or you find pictures you shouldn't, or whatever it may be. And this was the first time that I had found something like that.

2330.118 - 2354.643 Joe Sarkisian

And I was kind of just awestruck at first. And my head starts racing like, what do I do about this? And so the first instinct was pick up the phone and call my point of contact immediately. Now, the problem with that is this is a small company. I don't know anything more than this point of contact's name and the fact that I worked with him year over year. I don't know what he does personally.

2354.743 - 2381.361 Joe Sarkisian

I don't know what he's into. I don't know if he's the person that put this camera there. But he's the only point of contact I have, right? So he's the one I'm calling. So I pick up the phone and I get on the phone. I tell him, hey, just so you know, I found... under the desk camera footage of, and then he cuts me off completely and says, stop right there. I'm calling HR.

2381.802 - 2401.592 Joe Sarkisian

And at that point, I had a kind of this wave of relief over me because at this point, I'm like, okay, well, he's probably not the one that put it there because he's wanting to call HR immediately. So HR gets on the phone. I explain it to them. They say, thank you very much. And that's the end of the call.

2402.093 - 2423.18 Jack Rhysider

It's interesting to stumble upon this as a security consultant, since it's not really a network security issue. It's more of a see something, say something issue. Like, do you even put this in the final security report? Joe went on to complete the pen test, and he found some misconfigurations in Active Directory, which gave him administrator access, which pretty much gives him keys to the kingdom.

2423.84 - 2432.507 Jack Rhysider

The network admin can reset anyone's password, see all shared drives, probably even read everyone's email. So he put all this into a report and delivered his findings on the final call.

2432.887 - 2447.279 Joe Sarkisian

You know, basically, you know, it's the typical stuff. Like you said, you know, we found this, we found that, you know, here's recommendations for fixing that. Okay, great. And we didn't feel like it was our place or appropriate to bring that up on that call. However, I did end up talking to that client a month later.

2447.299 - 2463.612 Joe Sarkisian

And, you know, we were going over some remediation strategies for them and, you know... basically, they're like, hey, how's everything else going? How you been? I'm like, I'm good. How about that other thing? I'm just curious about that other thing. This is a much more casual conversation. I'm just curious. Is everything okay with that other thing we found?

2463.652 - 2482.523 Joe Sarkisian

And he kind of just gave me this look on the Zoom call. He's like, yep, that's been handled. And I knew not to push, but I knew that whatever had to be done had been done. At least it seemed like it had. And it seemed like it worked out for them. I wasn't going to get pulled into court for having to testify for anything, which I was actually kind of ready for.

2482.543 - 2486.529 Joe Sarkisian

I'm like, oh, this might be the first time. But it just didn't happen that way. So I got lucky.

2487.572 - 2513.62 Jack Rhysider

Yeah, as far as like your success rate, I mean, you're always going to find something, even if it's like a CVV level three. But I mean, as far as just success rate of just like owning the whole network and gaining access to sensitive systems, getting half the users' passwords in the whole organization, that kind of thing, is that fairly high?

2513.64 - 2517.081 Jack Rhysider

Do you feel pretty confident like, yeah, I'll probably be able to own this network?

2518.343 - 2525.767 Joe Sarkisian

It's, with no exaggeration, 95% of clients that we are able to do that with year over year.

2526.427 - 2547.557 Jack Rhysider

And I think he can get to that point because of how many penetration tests he's done. He's gone into dozens of networks and exploited hundreds of devices. And after doing it over and over and over, you start to develop a pattern and know exactly where to look for weaknesses. And once you do develop a pattern, pen tests start to become automatic since they repeat the same steps almost every time.

2548.564 - 2554.886 Jack Rhysider

And so, once he was done with one pen test job, he'd move right on to the next. And this time, it was a bank.

2555.886 - 2574.852 Joe Sarkisian

It was a regional bank, and we were doing some more traditional audit work as well as pen testing. And I had one of our junior pen testers on that job with me. So this person was, you know, they came with a little bit of experience in the door. They'd been with us for, I don't know, four to six months at that point.

2575.312 - 2594.158 Jack Rhysider

So they arrive on site and they're greeted by the on-site team. They're shown where to sit and where to plug into the network. And this was a simulated breach. So if someone got into the network who shouldn't be on it, what could they see or do while there? So the two of them get all set up in this room and, well, you already know what tool they're going to start up first.

2594.758 - 2595.818 Jack Rhysider

That's going to be Responder.

2596.318 - 2613.179 Joe Sarkisian

So we started doing our thing, you know, like doing a little Responder stuff, whatever. And for whatever reason, this person's having a hard time with Responder. Like, their Python's not working. The tool's not working. I'm trying to help them through it. So, you know, I'm like, you know what? It's a teaching moment. I'm going to let them figure this out. Right?

2613.499 - 2617.02 Joe Sarkisian

Like, I'm not going to give them the answer. I'm not going to coach them to it. I want to see how they handle this.

2617.58 - 2629.543 Jack Rhysider

Okay, so they've taught me that Responder is their go-to tool for starting a network assessment. But if that's not working for whatever reason, what do you do next? Hmm.

2630.322 - 2652.119 Joe Sarkisian

I have a 30-minute client call with another client I need to take. So I want to be over here. I'm like, you know what? You take the reins on this. It's the beginning of the test. What can go wrong? So I'm on the call and he's doing his thing. And I don't know, like five, 10 minutes go by, I'm on this call. And I started noticing there's a lot of, like, phones ringing in adjacent offices.

2671.69 - 2671.85 Joe Sarkisian

Sorry.

2673.297 - 2694.925 Joe Sarkisian

I get off my call. I'm like, I'm sorry, what's going on? He's like, everything's down. We can't reach anything. The core, oh my God, nothing works. We're like, okay. So to the junior guy, whatever you're doing, stop. So he stops. Maybe like five, 10 minutes go by and things kind of quiet down. We check in with the point of contact. He's like, yeah, whatever that was, don't do that ever again.

2695.685 - 2715.344 Joe Sarkisian

He's obviously upset, understandably so. So in the process of figuring out what happened, I'm talking to the junior tester, and I say, what were you doing? What kind of test were you doing? He's like, you know, I was running Responder, whatever. Okay, cool. Well, what else were you doing? Well, you know, I figured I'd save time, and I would run, you know, like a port scan.

2716.104 - 2729.082 Joe Sarkisian

Like, okay, what would you use for that? And he says, well, I always use Masscan. And I'm like, okay, not Nmap? He's like, no, no, no, Masscan's faster.

2729.722 - 2745.393 Jack Rhysider

Okay, so Nmap is a basic tool to scan the network. It's simple and efficient and usually safe. And when you're testing a live network, you want to be as light-footed as you can. And Nmap is a gentle tool to scan the network with. It just does like a simple knock on the door. Is anyone home?

2745.834 - 2765.912 Jack Rhysider

And it really just stops there, which is nice since you don't want to disrupt business or wreck any systems in your process. Since after all, this is a bank which needs to continue their service to customers. But Masscan is a bit beefier of a tool compared to Nmap. It can make a map of your network, but it's designed to scan huge amounts of systems at once.

2766.492 - 2782.916 Jack Rhysider

Like it shines really well when it's supposed to scan like millions of IPs at once, or even the whole internet. This network at most had like thousands of IPs. Masscan is just too powerful of a tool for this scenario. But this junior pen tester was convinced that because it's a beefier tool, it's better for the job.

2783.336 - 2805.069 Joe Sarkisian

I'm like, oh, I'm aware Masscan is faster. Show me the command you ran with Masscan. So he shows me the command you ran with Masscan, and when you run Masscan, you have the option of how many packets per second you want to run that at. He had added like two or three zeros to the default, which means he was blazing across all of their subnets running Masscan and doing a port scan.

2806.009 - 2820.943 Joe Sarkisian

And that is what brought their network to its knees for five to ten minutes, is that he was careless, and if you want to kind of step back from that, I was careless as the quote-unquote tester in the room at that point in time.

2820.963 - 2837.691 Jack Rhysider

Okay, so this junior pen tester was absolutely flooding the network with traffic. They weren't told what exactly they impacted, but I'm going to speculate on what happened here. He had a computer that was plugged in using an Ethernet cable. So his next hop from his laptop would have probably been a network switch or router.

2838.232 - 2856.901 Jack Rhysider

If he's sending massive amounts of traffic, it could easily overwhelm that next hop. Just too many packets at once going through that and opening too many sessions, it can fill up the session table. Memory or CPU on the device could just be maxed out and it just might not accept any more packets. Essentially doing a denial of service on that next hop if it was a switch or a router.

2857.501 - 2875.187 Jack Rhysider

And what that would do is it'd cause everyone who's also connected to that device to not be able to reach anything beyond it. Like the pipes are clogged kind of thing. And if there are servers also connected to that switch, then those servers would be unreachable by anyone too. The other option is if this Masscan tool was configured to scan IPs

2875.567 - 2892.286 Jack Rhysider

outside the network, the traffic might have traversed the firewall. And this is a device that acts as a security checkpoint between the internal network and the outside internet, which does a little bit more inspection of packets. And if every IP that Masscan was trying to hit was getting inspected by the firewall, that might be too much for the firewall to handle.

2892.326 - 2909.238 Jack Rhysider

It just can't accept that much stuff. Not only that, but it might have taken up all the bandwidth that that site had for internet access as well, making the whole internet go down for the site. Either scenario, Joe realized it was them who took down the network. And now they had a really big problem on their hands to deal with.

2909.698 - 2933.431 Joe Sarkisian

So we end up with like this big call. He didn't necessarily like break anything. He just slowed the network down to a crawl because he was shoving so much traffic through it that nothing else could get where it needed to go. So the CIO, chief information officer on the call, a lot of big muckety mucks. And basically they're like, tell us why we shouldn't fire you from this right now, essentially.

2934.331 - 2957.102 Joe Sarkisian

And we had to go through the whole rigmarole with them and explain like, look, you know, it was a typo on a screen. We didn't do it on purpose. We're very sorry. We won't do it again. Yada, yada, yada. And luckily, like, they came around. But I'm pretty sure we don't have pen testing work at that bank anymore. So, yeah, that was not fun. We've had to change our procedures since that's happened.

2957.802 - 2975.055 Jack Rhysider

One thing that I thought isn't explicitly taught to pen testers, but I believe is possibly the most important skill for them to have is communication skills. It's not entirely unusual to be put in a hot situation where there's some very stressed out people on the phone or in the room or people that are just really difficult to work with.

2975.415 - 2994.932 Jack Rhysider

And the better you can speak their language, the more effective you're going to be at working with them. If you're a pen tester and you find some awful, glaring security issue in the network, how do you explain the problem to the business leaders in a way that they will prioritize it and fix it? They aren't ding-dongs.

2994.972 - 3023.095 Jack Rhysider

They have degrees and are highly accomplished people, but they don't understand the details of cybersecurity. So you need to have those communication skills to speak their language so they get it. And that, to me, is a mark of a great penetration tester. A big thank you to EvilMog for telling us about this time in Afghanistan.

3023.435 - 3041.189 Jack Rhysider

And also thank you to Joe for telling us about his pen test story that went all wrong. They were able to keep working after that and provided value to the client despite the rough start. I've got a t-shirt shop that I really want you to check out. There are over 50 designs in there and I am positive you will find a shirt that you'll love in the store.

3041.269 - 3063.185 Jack Rhysider

Please visit shop.darknetdiaries.com and treat yourself to something nice. This episode was created by me, the One-Eyed Jack Rhysider. Our editor is the encrypted kid, Tristan Ledger. Mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. I took a trip down to the capital in Washington, D.C., and a little bee landed on a flower next to me.

3063.205 - 3070.07 Jack Rhysider

And I nodded at it, and I said, that's a U.S. bee. This is Darknet Diaries.
