
149: Mini-Stories: Vol 3

Sep 03, 2024 | 48 min | Season 1 | Ep. 149

Episode description

In this episode we hear EvilMog (https://x.com/Evil_Mog) tell us a story about when he had to troubleshoot networks in Afghanistan. We also get Joe (http://x.com/gonzosec) to tell us a penetration test story.

Sponsors
Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

Transcript

JACK

There’s some really incredible scam artists out there, and I mean top-tier ones, and those ones really intrigue me. One of my favorites is a guy named Victor Lustig. [MUSIC] Well, that’s not his real name, but that’s the name he was famous for. This guy was going around scamming people in the early 1900s, and there was one scam he did where he got $32,000 in liberty bonds together and went into a bank to trade them in. The bank offered him $10,000 in cash and some farmland, and he took that deal and signed all the paperwork. But just as he was about to leave, he did some sleight of hand and switched the envelopes, and walked out with the cash and the farmland and the liberty bonds that he walked in with. The bank did not like this and called the cops on him, who caught him in Kansas City.

But he convinced them that if they pressed charges, then this story would get out, and it would be terrible for the reputation of the bank. Customers wouldn’t want to use a bank that’s this careless with the deals they make. He was so good at convincing them of this, the bank dropped the charges and gave him $1,000 to not tell anyone and keep the story quiet.

But the most brazen scam that Victor Lustig did was when he went to Paris. The Eiffel Tower was built for the 1887 World’s Fair, and some thought it was going to be a temporary structure, and by 1925, it was needing repairs. Victor leaned into this and called five scrap metal companies to come meet him at a fancy hotel in Paris, and he said he was a deputy director with the French government, and he even had fancy stationery to prove it. He told them that the maintenance of the Eiffel Tower was becoming too high and they were looking for a company to dismantle it and purchase the scrap metal. But he also said this deal needed to be hidden from the public to avoid controversy. One of these companies was eager to take the deal, and ended up paying Victor a large sum of money. Yeah, as soon as Victor got the cash, he immediately fled the country and left France. He sold the Eiffel Tower. But he kept a close eye on the news back in France to see how much trouble he would be in, but the news never reported this. I guess the guy he scammed was too embarrassed to report it to the police. So, Victor thought this was such a great scam, why not do it again? So, he goes back to Paris to try it again. I mean, why let all that fancy stationery go to waste, you know? So, he called five new companies in to pitch them, too, but one of them saw right through the scam and called the cops. Victor saw the cops were coming for him and he narrowly escaped, this time fleeing all the way to the United States. Amazingly, when he got to the United States, he scammed Al Capone and later tried to make counterfeit money, which is how he got arrested, by making fake money. But funnily enough, when he was arrested, he was put in the same prison as Al Capone. What a wild guy Victor Lustig was.

(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS] So, what should we call you?

EVILMOG

EvilMog is fine.

JACK

Okay, we’ll call you EvilMog. How did  you get that name? Where does that come from?

EVILMOG

Alright, so, it was funny; I’m a glider pilot, and so, the first aircraft I ever flew was a CF or CG-MOG, but it also happened to be a Final Fantasy character. The problem was I had that as my gamer handle for years, and then I met Matthew Gorman at Derbycon, and he had the same initials. So, we decided — deconfliction, and because he had the name, I figured I’d change mine to be polite. So, I became EvilMog, and that was my IRC handle from thenceforth.

JACK

IRC; I remember those days. We were young then. Did you do any stupid things when you were young in IRC?

EVILMOG

Yeah. [MUSIC] So, I was kind of stupid and was doing a fair bit of online piracy, phreaking, a little bit of other various things, and back then it was fairly easy to trace people because, you know, young, dumb, and stupid. So, I get this kinda stern knock on the door.

JACK

The stern knock sounded urgent and menacing. He opened the door and saw the police were standing at his front door.

EVILMOG

They were like, we know everything you’ve been doing. You have a choice; you either stop now and play good or you’re gonna — you know, we either put you in juvie — but Canada’s prisons are kinda crap for kids, so they’re like, or we could just get a technology ban on you that’ll last ‘til you’re thirty. You’ll never get a job in technology. I’m like, yes, sir, I’ll be good, sir. Here we are, sir, and, you know, kinda off we went.

JACK

Okay, so, hold on a second. I’ve pirated and I’ve done some phreaking. The cops never came to my house. It sounds like you might have done more than that or went over the line.

EVILMOG

I might have done a little bit more than that, just a little bit. So, you remember back — the early credit card numbers had a specific way of validating that they were legit?

JACK

[Laughs]

EVILMOG

I was publishing bogus credit card number generators that only sort of worked half the time on local BBS systems.

JACK

[Laughs] Did they work at all? ‘Cause I can’t even imagine this…

EVILMOG

They wouldn’t work for authorization, but they’d work for input validation on websites. So, like, hey, let’s go pop on to — let’s say the early porn sites, for example. They’d get you to update your free trial, and then they’d mysteriously error out.

JACK

When I was a teenager, I didn’t understand how credit cards worked at all. In my head, it just seemed like sixteen random numbers, and if you knew those sixteen numbers, could you buy stuff? So, I thought, okay, let’s test that theory. As a teen, I went to a website, put in sixteen random numbers just to see what happened. I thought, if it worked, I’d have no idea whose number I just used and I could just say I typed the wrong number if they asked me. But no matter how many sixteen-digit credit card numbers I put into a website, it never worked. Every one was an invalid number. Apparently it’s more complicated than just that.

EVILMOG

There’s that whole Luhn check, right? There’s some math behind it. [Inaudible] ‘Cause I didn’t have the generator quite right. Like, some of the checksums didn’t match, but most of them kinda did. [MUSIC] It was enough that it could pass a cheap RegEx, but that’s about it.

JACK

EvilMog loved flying planes when he was a kid, and signed up for junior glider classes taught by the Canadian military.

EVILMOG

I was a cadet back when I was younger, from twelve to nineteen. I got my glider license before I learned how to drive a car.

JACK

From there, he joined the military and taught other kids how to fly gliders. But his other passion was computers, and the military was offering to pay his training to learn more about computers.

EVILMOG

So, I had an option to go back to school. I went back to SAIT as a network engineer, did six months of CCNA, MCSA, Linux Level PI-1, Level 2, Level 3, that kind of stuff, and that’s what kinda restarted my career when I was in my early twenties.

JACK

So, he spent four years in the military and then went to work for IBM.

EVILMOG

So, basically, I got the phone call from my friend to go over to Afghanistan, and there’s — he said there’s this company called Network Innovations, and basically what they do is they run the Morale Voice, the internet services, for the Canadian Forces. So, what that means is you have soldiers calling their families back home from the big super FOBs or the small, little remote outposts. So, he was like, hey, do you want to go over for six months? I had already released from the reserves at this point, and I said, yeah, sure, let’s go over. [MUSIC] I had nothing else to do and I wanted some money, so — and it was all tax-free, so I had to [inaudible] over…

JACK

Well, there — so, hold on; it’s not just like going over to France. Afghanistan was an active warzone, wasn’t it?

EVILMOG

It was, yeah. It was, totally. Regional Command South in 2008 was hot, to say the least. I wanted to do something useful. I always kinda did, and my parents were like, you’re not going over. I’m like, sorry, I’m going over. I want to pay off some debts and I want to go do something good with — for the folks that are over there. You know, did a little bit of pre-deployment training. Nothing much, just, here’s the — here’s how to wear a gas mask, here’s how to put on a bulletproof vest, and then here’s a whole whackload of vaccinations. Then all of a sudden there’s some kid from the sticks out in the middle of an active warzone.

JACK

So, even though he was military trained, he was in the warzone as a private contractor, and his job was to go to forward operating bases, or FOBs, to work on the network there.

EVILMOG

There’s satellite, there’s microwave — basically, these people need to be able to contact family or else they’re going to go nuts. I mean, it’s like being stuck out in the middle of the bush for six months. So, my world was just Morale Voice. The Canadian Forces handled all the tactical and all the operational. My entire mission was making sure people could call their families.

JACK

These FOBs were often on the front line of the warzone in Afghanistan. It’s dusty, war-torn, and weathered. Computers don’t like these kind of environments because they’re delicate and fragile, not rugged and battle-ready. So, he was constantly being sent to troubleshoot computers and networking equipment that was breaking in warzones.

EVILMOG

[MUSIC] Oh, I’d set it up, as well. Say, for example, we’d have a new site and they were like, hey, we need to get FOB whatever the heck back online. They’d send me out in the back of the convoy with a little Pelican case with — say, here’s a tiny, little BGAN terminal. It’s a small, mini-satellite. Or in the case of a larger FOB, here’s a bunch of Pelican cases with an auto-acquire satellite dish. You’d go roll out, set up the SATCOM dish, hook it into a couple of laptops and a router and a switch, a little, tiny PBX system, et cetera, and then do a couple phone call tests to make sure everything works. That was all she wrote.

JACK

They set up this com shack inside a forty-foot-long cargo C container, and he’d go base to base setting up or fixing the networks inside there, and there was never a dull moment.

EVILMOG

I roll out onsite. I’m in the middle of doing a repair. All you hear is this siren, and then this crappy British voice they use — ‘cause they all have the same recording; rocket attack, rocket attack, and that’s all you’re hearing. Honestly, you just bunkered down in-between a set of Hesco barriers, which are basically just a bunch of gravel, some concrete, a bunch of chicken wire all around, enough to give you a bit — you just hunkered down in place and you sit there, chill out, wait ‘til the shelling stops. You get up, see if there’s any damage, and get back to repairing the equipment.

JACK

So, what kind of damage had — to this equipment?

EVILMOG

Thankfully it missed us, but it went — one landed in the Poo Pond. That was terrible. One landed and took out a recreational facility.

JACK

He says the equipment in this area would only last six months because it would get full of dust, and just not last very long because of the harsh desert environment. One day he got word that one of the com shacks got rocketed at another base.

EVILMOG

One of the rockets landed. It took out the satellite dish, it took out one of the com trailers, and it took out a bunch of the cabling. These guys were down for about a week.

JACK

His orders are to travel there and get it back online. Traveling to these FOBs takes days or weeks to get to them.

EVILMOG

[MUSIC] I get out there, and thankfully I was smart, and I pre-sent all the gear I needed on a convoy ahead of me. There’s this broken-down, destroyed crater, effectively, where the old piece was. There’s — I come up and there’s guys with basically giant bulldozers and heavy equipment moving the old gear out. The gear inside is just completely toast. I meet up with the local sergeant who’s like, hey, we’re putting new gear down right where the old one was, dropping this new C container in. What do you want to do with this old thing? I’m like, oh, take it out back, salvage it, destroy it. We don’t really care. Use it for training. You wire up the new SATCOM, you’re calling on to your folks out of the UK, going, hey, do you see my bird? Yeah, we’re locked on. Here’s the activation. Boom, new terminals are online.

You deactivated the old accounts, you do a couple plug-ins, test the new laptops, and then there’s already a line-up around the block of folks who haven’t gotten their e-mail in like, a week and a half, right? So, all of a sudden you start running them all in, they’re all nice and happy. You run down to the chow hall, you munch whatever warm food they’ve got, you stick around for a day or two for troubleshooting, and then you call your boss on the Defense Service Network; hey, can you guys get me a helicopter out? They’re like, sorry, man, all the birds are tasked. So, finally, you head yourself down to the TOC, the Tactical Operations Center. You introduce yourself, like, hey, when’s your next convoy out? If you’re lucky, they send you out on a combat patrol which are way faster and less annoying than a convoy, ‘cause it’s, yeah, one or two vehicles and it’s a little more comfortable. If you’re not lucky, you’re crammed in the back of this armored personnel carrier that’s hot as balls, wearing body armor in the heat, and you take your — eight hours to go a hundred kilometers to get back home.

JACK

I also — I don’t know why, but I’m picturing — of you climbing up a tower, adjusting — getting a spanner on a satellite dish, adjusting it, and getting shot at from up there and being like, hey, it’s coming from that hill! Get me cover!

EVILMOG

I mean, that kinda has happened. Not nearly as extreme, but have you ever tried to repair two hundred pairs of Cat 5 in a sand storm from a hundred feet up in the air?

JACK

A hundred feet in the air? What’s up there, anyway?

EVILMOG

It was a com tower. I had to go through this one bridge spot — because most of the stuff at CAF was all underground, but we had this one spot that was basically all hooked up to a tower because of the way this one extension went. So, we had an outage. Someone drove a piece of equipment through the cables. So, I had to go up and re-splice all this outdoor cable. I’m up on this tower and all of a sudden it’s a sand storm. I’m like, oh no. [Sand blowing] I can’t work on this cable with gloves on ‘cause it just, it doesn’t — you ever tried twisting and terminating cable with gloves? It just doesn’t work. So, I’m getting blasted by sand in this whiteout condition trying to terminate, ‘cause I’m not gonna try and climb down the tower. It’s just not gonna happen. I’m hooked in there, ready to rock. I got thirty, forty cables done before the sand storm ended and then finished off the rest of the job. So, one of the things we did in addition to making sure people could call their families back home is we ran a video teleconference unit.

So, people could see their families back home. We found out one of the guys coming back out of — or coming out of a FOB, his convoy got bumped. Now, ‘bumped’ is a polite word for saying ‘hit by an IED’. Thankfully, in this case, nobody died, thankfully. Like, thank whatever deity you believe in, but it really shook this guy up, like, shook him up something seriously fierce.

JACK

Yeah, so, let’s highlight; there was a lot of deaths there, and…

EVILMOG

Oh, there was.

JACK

…you’re saying thankfully because you were seeing that around, weren’t you?

EVILMOG

Well, the worst thing we had to do was every time somebody died, we had to kill all of the communications in theatre, including all the forward operating bases and the super FOB. It was known as a com-lockout procedure. We had a cellphone on; the second somebody got — like, confirmed casualty, I got the phone call, I hit the buttons, and then I got to release it once they released — once they notified the families.

JACK

So, why is there a lockout?

EVILMOG

It’s so that people don’t put things on social media or get out to the news articles before they can notify the families.

JACK

Hm, okay.

EVILMOG

It was one of the worst things ever, ‘cause being on that phone call, you’re like, shit. You feel all sorts of terrible feelings, and then you have to go act like a professional, cut the coms off, and then when people are like, hey, the internet’s not working, you gotta give this nonchalant ‘coms lockout’ but still be sympathetic about it. When you say ‘coms lockout’, everyone in theatre knew what you were talking about, but it was one of those — it was a weird, solemn duty I had to do, you know what I mean?

JACK

Yeah. I mean, you weren’t the one telling the families.

EVILMOG

Nope, but I was killing the coms and telling all the soldiers, hey — like, I had to call the family back home, like, sorry man, coms are offline due to a com lockout.

JACK

Yeah, and now they’re saying, well, oh, does that mean there’s a confirmed casualty? Now you gotta answer these questions.

EVILMOG

Yeah, and then my answer — like, I have no idea, man. I just work here.

JACK

[MUSIC] IEDs are super scary. You’re just driving along, listening to tunes, telling jokes to the other soldiers, and then out of nowhere, boom, your truck runs over a mine and blows up your vehicle. It often kills people, and it’s certainly enough to freak anyone out. While this IED didn’t kill anyone, one guy was really messed up from this.

EVILMOG

He wasn’t injured. He was just shocked, really, badly shocked. Getting hit by an IED, even if no one gets injured in the process, is enough to send someone to spiral. ‘Cause you get that whole mental — oh my god, what if this had been me? What about this…? Yeah, the possible guilt, all that kinda thing. The guy was in really rough shape mentally. So, they originally asked, can you get some extra phone medicine? Phone time, was how the request came in. Us being us, we’ve got — yeah, here’s a couple hundred minutes. Go hard. We’re like, hey, is there anything else we can do? This guy is like, well, he’s doing pretty rough.

JACK

EvilMog starts talking with people, trying to figure out what more he can do, and that’s when he found out this soldier was about to be a dad. His kid was due to be born any day back in Toronto, and this gave EvilMog an idea.

EVILMOG

I’m like, dude, we gotta do something for this guy. So, thankfully, they had people on the ground in Toronto, and I’m like, hey, could you go spring over to CFB Trenton, go grab one of our spare video teleconference units, and get it out to the hospital? I’ll do whatever it takes to requisition bandwidth. Just get me the stuff out there. I figured out we had some spare bandwidth available, so I slowed down everybody’s video teleconference and voice services and their Wifi a bit and opened up an entirely new channel, ‘cause all we had was six megabits for a thousand people, almost no bandwidth whatsoever. So, I was like, hey, line this up. I’m gonna reserve you bandwidth for the next four or five days.

JACK

He learned that the wife was already checked into the hospital and was starting to give birth right now, so he’s calling Toronto to try to figure out how to contact the wife at the hospital.

EVILMOG

So, then we had to go contact their Visitor Unit, say, hey, do you guys have enough bandwidth for us to go get a video teleconference? Thankfully, they had a really decent tech there. He was like, well, actually, we can make some things happen. What do you guys got for equipment?

JACK

Were you talking to the tech at the hospital?

EVILMOG

Yeah.

JACK

[Laughs] Wow, okay.

EVILMOG

You’re trying to coordinate this from halfway across the world. It’s kinda interesting.

JACK

Exactly, yeah. So, you’re saying, alright, here’s the equipment I have; here’s what you have. Let’s make a final — a common denominator. We can get — I think we can connect these two things.

EVILMOG

Exactly, right? So, they were running on Tandberg, we were running on Tandberg, and we made the gear all work out. [MUSIC] I popped onto the load-balancers on our side and…

JACK

So, yeah, tell me about the tech side. So, did he put a computer on a cart and then wheel the cart into the room?

EVILMOG

It was a TV on a cart with a Tandberg video teleconference unit.

JACK

Which is meant for doctors and nurses. It’s not meant for patients.

EVILMOG

Yeah, yeah. He just threw this on the thing, they wheeled her in, they plugged her right in next to the woman’s bed there, we swiveled the webcam over. He managed to get us a public IP so we could do remote control of it, and then, yeah, we just set up the communication channels and off we went. It was actually running rather well.

JACK

Okay, so you’re like, oh, okay, cool, you got it set up. Alright, I’ll be right back. Let me get the guy.

EVILMOG

Yep. I talked to Steve. Steve called the guy’s unit commander; the unit commander called the section leader. They pulled him out, said, you’re to report to Building 026 Bravo on Kandahar Airfield, show up here. We’re like, hey man, we got a surprise for you. [MUSIC] Wheel him back out there, plop him down in one of our spare rooms that we had rigged up into this forty-foot C container, plopped down a chair, made it comfortable. Said, here’s our little care package. Here’s some Kleenex. Call us if you need anything.

JACK

Do you remember his face when he saw his wife?

EVILMOG

We weren’t even looking. We gave him his privacy. I remember how he was afterwards, though. After he saw his wife — he walked in and he was all doom and gloom. This is gonna sound stereotypical, but that thousand-yard stare like you’ve seen some shit. Then the guy, right afterward, you saw life in his eyes.

JACK

Yeah.

EVILMOG

So, that’s how I knew we did a good thing.

JACK

Yeah, I mean, how do you think you impacted his life?

EVILMOG

I mean, from what I’ve been told, the actions taken in the first couple of days after a major incident are the most critical, and I think by giving him that level of support immediately, I think I changed the guy’s life way for the better. They were talking originally having to discharge the guy. From what I heard, he stuck around another five, six years before he finally released and went off and — doing something. I can’t even remember what he’s doing now, but I think I changed a life for the better. So, I’m good with that.

JACK

Yeah, I mean, it’s also very possible that you saved his life, because…

EVILMOG

I could have.

JACK

…there’s — coming out of PTSD, you can — or getting affected that badly by it, you can easily end your own life.

EVILMOG

Exactly. So, I like to think we saved a life there. You know what? No matter what I do in life, I think that’s the coolest thing I’ve ever done.

JACK

[MUSIC] To me, this right here is the quintessential Darknet Diaries story because of where I found it. I went to Defcon and I was invited to the Microsoft party, and I sat down at a table to chat with people, and that’s where I met EvilMog. He was there telling us this story, and I was so captivated by it that it made me cry. My goodness, to be at some Defcon party and to hear a story so moving that it makes me cry, that’s one reason I started this show. I imagined in my head while I was listening to EvilMog tell me that story that I saw you across the room, and I was like, psst, over here, you gotta hear this story, and I brought you in to eavesdrop on these inner circles to hear the untold stories that are only shared in intimate and private spaces that are all over the hacker culture but are hard to find. I love these chance encounters. It’s like finding a hidden path in a familiar landscape. I hope stories like this fill you with the same great feeling I get when I hear them in person. I have such a fun job. I’m so grateful. Okay, we’re gonna take an ad break here, but stay with us because we have a new guest to tell us a new story after the break. Alright, so, let’s start out with who are you and what do you do?

JOE

Yeah, my name is Joe Sarkisian. I work for Wolf & Company P.C. out of Boston. I do penetration testing of all kinds; internal, external, Wifi, social engineering, advanced security assessments, things like that. So, we have a client — not a big company; maybe like, twenty people, and they contracted us to do your average assumed-breach pen test, so to speak. Alright, so, we’re on the inside, we’re given access. What would happen if somebody gets in there? So, we send them a remote Dropbox, a little Raspberry Pi that we send them. They plug it into their network and then we connect to that remotely, and it’s kinda like we’re sitting there in person, right? We’ve got on-the-wire access at this point, on assignment that they put us on. So, I begin the test. Typically — and here’s the funny thing, is you look at pen test frameworks — you should start here, you should do this, you should do that. I would challenge you to find a pen tester that doesn’t fire up Responder the second they get on a network and try to get creds and be off to the races as soon as humanly possible, ‘cause that’s what we do, quite frankly, on a lot of tests. So, that’s what I did there.

JACK

Okay, Responder is a pretty clever hacking tool. [MUSIC] It’s free to get. It’s just a Python program, and how you use it is you just start it and wait. Now, the thing about Windows computers is that they always want to try to join a domain and connect to shared drives on the network. So, if a Windows machine wants to connect to a shared drive, it will try to get to that host directly, and if it’s there, it’ll connect to it just fine or whatever. But what does the Windows computer do if it can’t find the shared drive that it’s trying to connect to? Well, it wants to connect to it very badly, and it will try another way. It might ask the DNS server, hey, do you know the IP address for this server I’m trying to get to? The DNS server might be like, yeah, I got that. Here’s the IP right here. Then the computer might be like, oh, that’s the same IP I have, and I already checked; that one’s not online. So then, if the Windows machine still can’t find that shared drive that it really wants to connect to, it then sends a broadcast message to all the computers on the local subnet saying, hey, I’m looking for this shared drive. If any of you are it, please respond. That’s when Responder springs into action. It sneakily says, why, yes, I’m that shared drive you’re looking for. That’s me. You found me. I’m here. The Windows computer is like, oh, thank goodness, I’ve been looking for you everywhere. I’d like to connect to you. Responder is like, sure, of course you can connect to me, but you need to authenticate first. Yeah. The Windows computer is like, oh yes, of course. Okay, here’s my username and password. Now, Microsoft takes your security seriously, so it doesn’t actually send your password over the network. Instead, it sends a password hash.

Since Responder is this dirty, little liar on your network, it snatches that username and that password hash and gives it to the penetration tester or hacker who’s running the tool, saying something like, hey, someone just tried to connect to me using this username and this password hash. Here you go. Typically, Responder only works against computers in the same subnet as it. So, if you’re in the same subnet, then, yeah, Responder is an amazing tool at finding usernames and password hashes. Now, a password hash is not the password. It’s a gibberish set of characters that you get when your password goes through an algorithm, and the thing is, in some cases, you can crack this hash to get the password. A common method for cracking passwords is brute force. Take the top one million most common passwords and hash them, and then see if any of those hashes match the password hash you just got. If so, you found the password.

JOE

Exactly. So, we use something called Hashcat. We’ll take that hash, we will plug it into…

JACK

Ooh, tell me about this. So…

JOE

Sure.

JACK

So, to crack that, that’s not on the Raspberry Pi, ‘cause a Raspberry Pi doesn’t have the GPU, CPU cycles to be able to throw a billion passwords at that thing and try to figure out which one it is. What’s your method for cracking it?

JOE

Well, that’s the scary thing, ‘cause our method is the same thing that any bad guy all around the world can do, right? We can — we have an Amazon account, right, and we can spin up Amazon EC2 instances. So, what we do is we spin up these Tesla GPUs on an instance — we have a couple of them — and we will take that GPU power to just blow through password hashes as fast as we possibly can based on that power. It’s gonna be a lot faster than a Raspberry Pi or your local PC, unless your local PC has a ton of graphics cards in it, which ours does not. So, yeah, we do that all in the Cloud relatively cheap, not super expensive to get done, and usually we get results pretty quick. You know, within the first couple of hours.

JACK

Okay, now, what’s your success rate on getting one hash and being able to crack that single hash?

JOE

I’m gonna go ninety-plus percent. It depends. If we had been there before and they took our recommendations, it’s gonna take a lot longer. It’s gonna be a lot harder. But if they don’t…

JACK

A different question which is kind of in the same realm is suppose you have the entire AD database of hashes…

JOE

Sure.

JACK

What percentage of passwords do you think you’re gonna crack out of that?

JOE

So, we will probably get — on average I would say — and again, whether we’ve been there first or not and they’re taking recommendations, we’ll probably get fifty to sixty percent within the first four hours.

JACK

[MUSIC] So, he’s basically trying billions of passwords to see if any of them match this hash. Of course, the longer that his Hashcat tool runs, the more passwords are tried. So, they might start with the top one million most-used passwords and then try making slight modifications to those, like putting a 1 at the end or capitalize the first letter, maybe add in their own word list such as the company name or mascot or city or address or person’s name or kid’s name. If no luck there, then try every word in the dictionary, but add numbers to the end of it and maybe mix it up a little bit and see if that works, and just try tons of combinations. Pretty much all the stuff I’ve listed so far probably only takes a few hours or less. Now, after the tool has tried all this, it just then starts going through every single possible character combination in the world, such as AAA, AAB, AAC, AAD. So, this combination of finding a username and password hash from Responder and then trying to crack it in Hashcat could take hours or even days, since it’s about waiting and timing and maybe brute-forcing the password.

So, in the meantime, he’s looking around the network to see what else is there. A good place to start is Nmap. Nmap is a basic tool that you can use to quickly scan the network to see what’s there. It’ll basically ping every IP address in the network to see what responds, and if any do, then it’ll try to see if that host has any open ports. Then Nmap will spit out a report saying, here are all the computers on the network that I found to be alive, and these are their open ports.

JOE

Exactly, yeah. So, we’ll look for default password places, we’ll look for null sessions on [inaudible], right? Can I access this host without a username or a password, right? Can I just get in there maybe on a domain controller? We still find this. You’re able to, quote, unquote, “authenticate” to a domain controller as nobody and start enumerating the domain. Now, if you can do that, you can get a list of users from a domain controller, right, and then take that list of users and start password-spraying against that domain controller with that list of users, common passwords, and then maybe you get a hit on Password2023!, right, or Companyname2023!. Crazier things have happened.

JACK

So, there’s a lot of stuff going on at once. He’s got these background tasks running to try to get more usernames and hashes, and he’s also trying to crack the hash he’s got.

JOE

Yeah, I mean, to this day — I’ve been doing this, I don’t know, about five years now. [MUSIC] To this day, whenever I see that first hash flashing yellow across my screen when I’m on a pen test, I still get a shot of adrenaline. It’s just like, here we go.

JACK

Boom, he cracked the password. Yes! But who is this user? Are they just a low-level user or are they a system admin? He has to find out, and to do that, he logs into a computer on the network to see what his access is, and it’s a normal user with no special privileges.

JOE

So, now we have domain access as that user. So, typically what we’ll do — we’ll look for some basic privilege-escalation opportunities, and at the same time, we’re looking for data. So, let’s say we’re kinda poking for both of those things. We want to prove that risk that this basic user maybe has access to some data that they don’t need access to, and if a bad guy gets access to this account as that person, they also get access to that data, and that’s something you need to work on. So, as we’re rooting through file shares, and — what does this person have access to? We find this host, and it’s a Windows 10 host, and we have access to a couple of shares on this host. We’re rooting through. Typically we’re looking for things that are called password.txt or SSH, this, that, or the other thing, or SSN, right? We’re looking for data that’s gonna prove a problem for the company.

So, I’m looking through and I find this folder called — I believe it was called Mpegs. So, I’m like, that’s interesting. I don’t typically find something like that when I’m — it’s just a folder called Mpegs. That’s different. So, I’m just curious. What’s in here? So, I look in. Sure enough, it was a bunch of mpeg files. I’m like, okay, that’s interesting. There was maybe four or five of them. So, I download one of the mpeg files. I get it locally and I’m like, oh, let’s watch this file. [MUSIC] I open it and I see a camera feed, and the camera is just on a desk facing at someone’s — kinda where they would sit in front of the computer. I’m like, that’s weird. Why would anybody put a camera on their desk? It’s just strange. What are they recording? It doesn’t make any sense. Alright, well, maybe there’s something else to this. So, I download the second one, ‘cause they’re going in order; one, two, three, four. In the second one, it is the same camera, it is the same desk, and this time, the camera is underneath it. It was a lady’s desk, I found out later. The way the camera was angled was, yes, at their — the front bottom-half of their body. Let’s put it that way.

JACK

Let’s just say it was an inappropriate place to put a camera in an office if that lady wasn’t aware of it. Joe knew that what he was looking at was potentially going to get someone fired, so he had to proceed with caution here.

JOE

So, I see this and now I’m like, oh, god. Everybody — every pen tester has that feeling that sooner or later they’re gonna get this moment that is something like this. Like, you find the proof that somebody’s stealing from the company or you find pictures you shouldn’t or whatever it may be. This was the first time that I had found something like that, and I was kind of just awestruck at first. My head starts racing. I’m like, what do I do about this? So, the first instinct was pick up the phone and call my point of contact immediately. The problem with that is this is a small company. I don’t know anything more than this point of contact’s name and the fact that I worked with him year over year. I don’t know what he does personally. I don’t know what he’s into. I don’t know if he’s the person that put this camera there, but he’s the only point of contact I have, so he’s the one I’m calling. So, I pick up the phone and I get him on the phone. I tell him, hey, just so you know, I found under-the-desk camera footage of — and then he cuts me off completely and says, stop right there. I’m calling HR. At that point I had a kind of — this wave of relief over me because at this point I’m like, okay, well, he’s probably not the one that put it there because he’s wanting to call HR immediately. So, HR gets on the phone. I explain it to them. They say, thank you very much, and that’s the end of the call.

JACK

It’s interesting to stumble upon this as a security consultant since it’s not really a network security issue. It’s more of a see-something, say-something issue. Do you even put this in the final security report? Joe went on to complete the pen test, and he found some misconfigurations in Active Directory which gave him administrator access, which pretty much gives him keys to the kingdom. The network admin can reset anyone’s password, see all shared drives, probably even read everyone’s e-mail. So, he put all this into a report and delivered his findings on the final call.

JOE

Basically, it was the typical stuff, like you said. We found this, we found that, here’s recommendations for fixing that. Okay, great. We didn’t feel like it was our place or appropriate to bring that up on that call. However, I did end up talking to that client a month later. We were going over some remediation strategies for them. Basically, they’re like, hey, how’s everything else going? How you been? Blah, blah, blah. I’m like, I’m good, you know? How about that other…? I’m just curious about that other thing. This was a much more casual conversation. I’m just curious; everything okay with that other thing we found? Then he kinda just gave me this look on the Zoom call. He’s like, yup, that’s been handled. I knew not to push, but I knew that whatever had to be done had been done. At least, it seemed like it had, and it seemed like it worked out for them. I wasn’t gonna get pulled into court for — have to testify for anything, which I was actually kind of ready for. I’m like, oh, this might be the first time, but it just didn’t happen that way. So, I got lucky.

JACK

Yeah, as far as your success rate…

JOE

Sure.

JACK

…you’re always gonna find something, even if it’s a CVV Level 3, right? But I mean, as far as just success rate of owning the whole network and gaining access to sensitive systems, getting half the users’ passwords in the whole organization, that kind of thing, is that fairly high? Do you feel pretty confident, like, yeah, I’ll probably be able to own this network?

JOE

It’s, with no exaggeration, ninety-five percent of clients that we are able to do that with, year over year.

JACK

I think he can get to that point because of how many penetration tests he’s done. He’s gone into dozens of networks and exploited hundreds of devices, and after doing it over and over and over, you start to develop a pattern and know exactly where to look for weaknesses. Once you do develop a pattern, pen tests start to become automatic since they repeat the same steps almost every time. So, once he was done with one pen test job, he’d move right on to the next, and this time, it was a bank.

JOE

[MUSIC] It was a regional bank, and we were doing some more traditional audit work as well as pen testing, and I had one of our junior pen testers on that job with me. So, this person was — they came with a little bit of experience in the door. They’d been with us, for, I don’t know, four to six months at that point.

JACK

So, they arrive onsite and they’re greeted by the onsite team. They’re shown where to sit and where to plug into the network. This was a simulated breach, so if someone got into the network who shouldn’t be on it, what could they see or do while there? So, the two of them get all set up in this room and, well, you already know what tool they’re gonna start up first. That’s gonna be Responder.

JOE

So, we started doing our thing, doing a little Responder stuff, whatever, and for whatever reason, this person’s having a hard time with Responder. Their Python’s not working. The tool’s not working. I’m trying to help him through it. So, I’m like, you know what? It was a teaching moment. I’m gonna let them figure this out. I’m not gonna give him the answer. I’m not gonna coach him. I want to see how they handle this.

JACK

Okay, so, they’ve taught me that Responder is their go-to tool for starting a network assessment. But if that’s not working for whatever reason, what do you do next? Hm.

JOE

I have a thirty-minute client call with another client that I need to take. So, I’m gonna be over here. I’m like, you know what? You take the reins on this. It’s the beginning of the test. What can go wrong? So, I’m on the call and he’s doing his thing. I don’t know, five, ten minutes go by. I’m on this call, and I start noticing there’s a lot of phones ringing in adjacent offices, and I start to hear a lot of shuffling and people kinda running around. I’m not sure what’s going on. I’m like, whatever, it’s probably nothing. All of a sudden, I see our point of contact come flying down the hall in a panic. [MUSIC] He busts into the room and he goes, what are you doing to our network? I’m like, I gotta call you back. So, I get off my call. I’m like, I’m sorry, what’s going on? He’s like, everything’s down. We can’t reach anything. The core — oh my god, nothing works. We’re like, okay. So, I’m like, to the junior guy, whatever you’re doing, stop. So, he stops. Five, ten minutes go by and things kinda quiet down. We check in with the point of contact. He’s like, yeah, whatever that was, don’t do that ever again. He’s obviously upset, understandably so. So, in the process of figuring out what happened, I’m talking to the junior tester. I say, what were you doing? What kind of test were you doing? He’s like, you know, I was running Responder, whatever. Okay, cool. Well, what else were you doing? Well, I figured I’d save time and I would run a port scan. Okay, what did you use for that? He says, well, I always use Masscan. I’m like, okay, not Nmap? He’s like, no, no, Masscan’s faster.

JACK

[MUSIC] Okay, so, Nmap is a basic tool to scan the network. It’s simple and efficient and usually safe. When you’re testing a live network, you want to be as lightfooted as you can. Nmap is a gentle tool to scan the network with. It just does a simple knock on the door. Is anyone home? It really just stops there, which is nice since you don’t want to disrupt business or wreck any systems in your process, since after all, this is a bank which needs to continue their service to customers. But Masscan is a bit beefier of a tool compared to Nmap. It can make a map of your network, but it’s designed to scan huge amounts of systems at once. It shines really well when it’s supposed to scan millions of IPs at once, or even the whole internet. This network at most had thousands of IPs. Masscan is just too powerful of a tool for this scenario, but this junior pen tester was convinced that because it’s a beefier tool, it’s better for the job.

JOE

I’m like, oh, I’m aware Masscan’s faster. Show me the command you ran with Masscan. So, he shows me the command he ran on Masscan, and when you run Masscan, you have the option of how many packets per second you want to run that at. He had added two or three zeroes to the default, which means he was blazing across all of their subnets, running Masscan, and doing a port scan, and that is what brought their network to its knees for five to ten minutes, is that he was careless. If you want to kinda step back from that, I was careless as the quote, unquote, “master” in the room at that point in time.

JACK

Okay, so, this junior pen tester was absolutely flooding the network with traffic. They weren’t told what exactly they impacted, but I’m gonna speculate on what happened here. He had a computer that was plugged in using an Ethernet cable, so his next stop from his laptop would have probably been a network switch or router. If he’s sending massive amounts of traffic, it could easily overwhelm that next hop. There’s just too many packets at once going through that and opening too many sessions. It can fill up the session table. Memory or CPU on the device could just be maxed out, and it just might not accept any more packets, essentially doing a denial-of-service on that next hop, if it was a switch or a router.

What that would do is it’d cause everyone who’s also connected to that device to not be able to reach anything beyond it, like the pipes are clogged kinda thing, and if there are servers also connected to that switch, then those servers would be unreachable by anyone, too. The other option is if this Masscan tool was configured to scan IPs outside the network, the traffic might have traversed the firewall, and this is a device that acts as a security checkpoint between the internal network and the outside internet, which does a little bit more inspection of packets. If every IP that Masscan was trying to hit was getting inspected by the firewall, that might be too much for the firewall to handle. It just can’t accept that much stuff. Not only that, but it might have taken up all the bandwidth that that site had for internet access as well, making the whole internet go down for the site. Either scenario, Joe realized it was them who took down the network, and now they had a really big problem on their hands to deal with.

JOE

[MUSIC] So, we ended up with this big call. He didn’t necessarily break anything. He just slowed the network down to a crawl because he was shoving so much traffic through it that nothing else could get where it needed to go. So, the CIO, chief information officer, on the call, a lot of big muckety-mucks. Basically they’re like, tell us why we shouldn’t fire you from this right now, essentially. We had to go through the whole rigmarole with them and explain, look, it was a typo on a screen. We didn’t do it on purpose. We’re very sorry, we won’t do it again, yadda, yadda, yadda, and luckily they came around. But I’m pretty sure we don’t have pen testing work at that bank anymore. So, yeah, that was not fun. We’ve had to change our procedures since that’s happened.

JACK

One thing that I thought isn’t explicitly taught to pen testers but I believe is possibly the most important skill for them to have is communication skills. It’s not entirely unusual to be put in a hot situation where there’s some very stressed-out people on the phone or in the room or people that are just really difficult to work with, and the better you can speak their language, the more effective you’re gonna be at working with them. If you’re a pen tester and you find some awful, glaring security issue in the network, how do you explain the problem to the business leaders in a way that they will prioritize it and fix it? They aren’t ding-dongs. They have degrees and are highly accomplished people, but they don’t understand the details of cyber security. So, you need to have those communication skills to speak their language so they get it, and that, to me, is a mark of a great penetration tester.

(OUTRO): [Outro music] A big thank-you to EvilMog for telling us about this time in Afghanistan, and also thank you to Joe for telling us about his pen test story that went all wrong. They were able to keep working after that and provided value to the client despite the rough start. I’ve got a t-shirt shop that I really want you to check out. There are over fifty designs in there, and I am positive you will find a shirt that you’ll love in the store. Please visit shop.darknetdiaries.com and treat yourself to something nice. This episode was created by me, the one-eyed Jack Rhysider. Our editor is the encrypted kid, Tristan Ledger, mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. I took a trip down to the capital in Washington, DC, and a little bee landed on a flower next to me. I nodded at it and I said, that’s a USB. This is Darknet Diaries.

Transcript source: Provided by creator in RSS feed.