ACTIVE DEFENSE & Cyber Deception - with John Strand!

Captions
Hey, quick intro before the video gets started, just to let you know what you're about to see. I get a chance to sit down with John Strand, incredible fella in the information security community, all about cyber security, all about hacking, all about penetration testing, and ultimately how to make your security posture better. He's going to talk about his pay-what-you-can trainings that are out through Black Hills Information Security and Antisyphon Training, and it's honestly awesome because he gets to do some show-and-tell and some demonstrations for his cyber deception course. Now that's all about tricking the adversaries, the threat actors, and wasting their time so that you, maybe as defenders, have a better chance to actually detect and prevent any upcoming incidents. It's super cool, incredible, great resources in here, and I'll include those in the description, all the links, timestamps to jump around the video, and I really hope you enjoy this cool conversation with John Strand. Let's roll the clip.

Alrighty, well hey, hello everyone, thanks so much for tuning into this video here. I am super honored to be joined by John Strand, one incredible kind of champion in the information security community, and man, I'm just super excited for us to hang out. I don't think we've got a chance to talk one on one, so happy to have you here, John.

No, I'm very excited to have you here. Like I said, you know, we were talking just before, it's either we're in a group of four people in like a panel discussion, or we're in a group of like 400 people, you know, whenever I'm teaching a class. But I believe, correct me if I'm wrong, we got accepted for RSA, right?

We did, yeah.

I was gonna... and that was weird. You know, that should be fun, but we're doing a panel discussion on the skills shortage in the industry and how there's so many different cool ways that we can address that skills shortage through kind of bespoke, ad hoc, guerrilla-tactic training methodologies that are out there that I'm excited about as well.

So, well hey, you're doing great stuff over at Black Hills Information Security, right? Do you mind just, hey, you know, it's okay to have an elevator pitch a little bit, it's okay to do your spiel.

So at BHIS we specialize in network penetration testing, incident response, SOC services, but more often than not what we're doing is trying to basically lose as much money as possible. Our catchphrase is "proudly sucking at capitalism," so we're constantly giving away free tools, free webcasts, free training, pay what you can, which we'll talk about later. You ever go to a conference with us, you can get a copy of Backdoors & Breaches for free; we ship those out of the Spearfish General Store; and we got Antisyphon Training. It's all kinds of crazy stuff, but kind of for me my personal mantra is do cool with cool people, and really having, you know, I think we're up to like 89 people that are all working just to do really cool stuff for the industry is really, really fulfilling for me.

So well hey, I know you got some incredible folks over there. I've got a copy of my Backdoors & Breaches game, I'm signed up to the whole magazine newsletter, you guys are doing everything right.

Oh god, I forgot about that, I'm now a publisher as well. That was a mistake. Like, I don't know how that happened. It's like Jason Blanchard, he's BanjoCrashland on Twitter, but he was big in the comic book industry before he got into working content and community for us and things like that, and he's like, so how do you feel about us doing a magazine and a comic book? Because he's got tons of friends in the comic book industry. And yeah, so now we got a publishing company called Rekcah Publishing, which is "hacker" backwards, because it's little-endian, and we're basically out there and we're going to be doing all kinds of like cool hacker lore and turning it into a comic book format. We're going to be partnering up with Jack Rhysider at Darknet Diaries and converting some of the Darknet Diaries stuff into a comic book form, which is going to be a blast as well. So I forgot about that, thanks for reminding me.

Absolutely amazing stuff, I think it's incredible. I've got a copy and I'm looking forward to all the new editions coming out, so I'm a fan.

Thanks, appreciate it.

Well hey, can we dive into your pay-what-you-can training? That's another model that I think is really kind of cool and a little bit of a shockwave, because look, I specifically put out content and a little bit of education the best I can on YouTube, which is like, yep, free, but you're not paying an arm and a leg for maybe some hardcore sitting in a schoolhouse.

Dude, I've seen some of your videos, you get pretty technically in-depth. You got my little-endian joke, yeah, and there's going to be people like, what is he talking about, little-endian, big-endian, CPU architectures, rolling things in backwards. But the whole point of, you know, the pay-what-you-can training is: the biggest single barrier that exists to get into computer security... Twitter, it broke out again, breaking into security, how do you do it? And the answer to that question is, like Mr. Krabs says on SpongeBob SquarePants, money. If you have money you can get a degree, if you have money you can get a certification, if you have money you can get out there and get training to get the certs that people are looking for. But if you don't have money, good luck. And years ago, like the entire industry was a bunch of, you know, high school and college dropouts that were getting together at DEF CON and talking about how to break into BBS systems, and we've matured, thankfully, as an industry over the years, but you still have these barriers. So you couple that with the problem of diversity, and it is a problem, right? There's just not enough women, minorities represented, and everyone's trying to come up with ways to solve that, and it's weird, it's like a bunch of middle-aged white dudes getting together to solve a problem that we really don't understand very well. And ultimately what happens is you get like scholarships, and that's cool, scholarships are awesome, it changes the lives for the people that get the scholarships, everyone's heart's in the right place, but it doesn't fundamentally change the game. And to change the game we've got to break down the barriers for everyone regardless of gender or background or socioeconomic status or religion or anything, it just doesn't matter. So the pay-what-you-can model allows that. So with pay what you can, you show up, you're like, pay 25 bucks, great; you pay zero, great, I don't care; if you can pay $4.95, which blows my mind that there's this huge percentage of people that are like, I could pay anything I want? Okay, seems like a trap, I'll pay full price. You know, it's like they're worried somehow. But we just got amazing support from the community, and it's just exploded. Like the first time we did it we had 5,000 students, and like teaching 5,000 people... like you do videos, you do webcasts, you can do live streams and things, but going through a lab live with 5,000 people, course of a completely different color, right? And it's just one of the coolest things I've ever done in my career. We're going to keep doing it, and the next one that's coming up is cyber deception. I do three classes just pay what you can: I do Intro to SOC Core Skills, just like Windows command line, Linux command line, networking; and I do Intro to Security, which is the top 11 things, you got to do these 11 things to keep yourself from getting popped; and then the cyber deception class is the last one. And as I was telling you before, I do those other two classes to prep the students for cyber deception, because I think the cyber deception class is the coolest, most funnest thing in the world. But that's the one I'm going to talk about and share some cool tools and tips and tricks that people can use at work right now, today, or you can set up in your own lab and make a hacker cry, because that's what it's all about.

Well, would you mind going through a little bit of a sneak peek? I don't know if you have anything you could just pull out of thin air.

I don't have any slides, but let's go ahead and let's kind of set the stage and then I'll show a couple tools. How's that sound?

Absolutely. I mean, I'm super interested, what's the tech, what are you showcasing, what's the real content in that course?

You bet. So whenever you're talking about cyber deception or active countermeasures or any of these different things, hack back, strike back technologies, it oftentimes boils down to honeypots. People are like, whoa, we'll put up a Windows 2000 honeypot and see if an attacker gets it. The only thing you learn from that is that it's a bad idea to put up a Windows 2000 honeypot and it's going to get popped. That's it. And at the end of the day we've learned nothing. It's kind of like, you know, you've done a lot of reverse engineering; there's a ton of reverse engineering of malware where you're like, here you can see that the malware sets up a C2 channel and it gives us direct access to the operating system through net libraries and it can do anything it wants on the network. You see that again and again and again. When you're doing honeypots of full operating systems you're not really learning anything. So the goal of basic cyber deception is we want to degrade the attacker's ability to successfully break into a network by basically having them go someplace else, interact with other things. Think of it like this: it's real-time threat intelligence. A lot of organizations spend a lot of money about yesterday's hacks on someone else's networks, and they pay hundreds of thousands of dollars for that, and there's value there, no question. But if you implement cyber deception properly, if you put in honeypots like Kippo and, you know, fake RDP servers and things like that, then you're actually getting cyber threat intelligence on the attackers that are breaking, or trying to break, into your network. And that's ultimately what we're after: we want to basically waste their time and increase our ability to detect what they're doing. So there's a formula: detection time plus reaction time must be less than the amount of time it takes for an attacker to successfully break into your network. So the more that we can increase the attacker's time, the more that we can decrease the detection time, the better our abilities are to react to a live attack that's undergoing.

So I'm going to share with you a couple of tools. One of them is from a really good friend of mine, Haroon at Thinkst. He has this open source project called Canarytokens, and anyone can run it, and we go through how these all work, deployment strategies and things like that. I'm going to share with you an open website where people can generate their own canary token technologies, and then I'm going to show you how we can take it a little bit further and now we can get geographic location of an attacker, sometimes within 10 meters, using a tool that we released called HoneyBadger. And then I'm going to show you another really simple cool tool called Portspoof. I don't have that one up and running, but I got slides from the class and I want to show off the slides from the class and how that all works, because they're all out on GitHub.

So with that, the first one I want to share with you, let's go to Canarytokens. So the idea of this: whenever we break the class down, we break it into three categories, annoyance, attribution, and attack. And annoyance is basically, what can we do to actually increase the work effort of an attacker trying to break into your organization? So a standard honeypot would be like that. So if you stood up an SSH honeypot, something like Kippo, an attacker would break into that SSH honeypot and spend like 20, 30 minutes trying to run commands on that SSH honeypot. That's annoying as hell. As an attacker it's really rough; like when you hit a honeypot you realize you just wasted a bunch of time. So that increases the attacker's time, and it sets off an alert that someone's messing with your honeypot. So that would be annoyance. What we're going to talk about here is attribution, so a couple of tools for attribution.

Now, in this website, you can go to canarytokens.org. This is from Thinkst, and you can actually download this entire package on GitHub, so you can basically clone this entire thing. You're going to need to set up a DNS entry pointing at your canary token server, and they have a number of tokens that are available to you, right? I want to go through a couple of these different tokens. Right, create a web bug, you can create a DNS token (there's Dan Kaminsky, may he rest in peace), but you can actually generate something like a Word document. So if I click Word document, I can put in an email address, right, and then I can put in a token trigger phrase, just anything, it doesn't really matter, and then it's going to create a token for me and I can download it, and then I can open this file right here and that'll open it up in Word. There it is, and it's a blank document. Now whenever you look at this document I want to point out a couple of things that I think are important. The first thing is it's completely empty. You can copy and paste anything you want into this document, you can rename this document to anything that you want it to be, and in the background there's two different main ways that you can create a document that does beaconing: you can do it through cascading style sheets and you can do it through an image source tag. You don't see those things here because it's actually in metadata in the back end of the document. So as soon as the document opens up it tries to reach back and grab an image and import it into the document, and then that reaching back allows us to actually track where this document actually is. Okay, with the cascading style sheet, same way; it's basically going to identify the format of the document, but it's a blank document, doesn't really matter. So that's kind of how this stuff works in the background.

The other thing is, this is interesting because sometimes people freak out. They're like, well, we got this warning, an attacker is not going to run it if they get this warning. It says "Protected View: be careful, files from the internet can contain viruses. Unless you need to edit, it is safer to stay in Protected View." Now this error would make sense if it was triggered based on the code that was put into it for tracking. It's not. When Microsoft... whenever you download something from the internet to your computer, it does this, like zone files and a bunch of weird things that you've talked about on your shows before, but it knows that this was downloaded and Microsoft always throws this freaking error every time. So it's amazing: whenever you're talking about positive and negative feedback mechanisms, everybody, including our wily attackers, are pretty much just going to be like, whatever, enable editing, and they're going to go. And you can put whatever you want. I'm hacking Hollywood style right now, my keyboard going really quick. I learned how to hack on CSI; I usually hack with another hacker on the keyboard with me. But there you go, I just put in a bunch of stuff, keep an eye on it, thank you, appreciate that, Bill Gates. So we have this document, you can paste whatever you want, and then the goal is put this on a file share somewhere in your environment and name it something like passwords.doc or something of that nature, right? And if an attacker gets into your network they can use tools from things like PowerShell Empire, like ShareFinder, and things of that nature; Cobalt Strike has a bunch of modules that allow it to search for certain files. And as an attacker one of the first things you're going to do is you're going to try to find any documents with the word "passwords" in them. This is just table stakes, it's what we do in pen testing all the time. Give them what they're looking for; put the tools in their pathway that they're going to hit and open them up. And then meanwhile in the background, it sometimes takes a little while for the canary token server back end to actually... not trigger it, but actually get it into the database. It reached back to Canarytokens and it was able to actually do some level of tracking on this particular token, and this says this token has been triggered once, view its history. And here, Google API keys are down, but it was able to get the IP address, the date timestamp, the HTTP, it was able to get my city, which is Spearfish, South Dakota, the ASN for my network, I'm not coming in through Tor, and, you know, if you actually download it, you get the latitude and longitude. So I don't know why their mapping isn't working; you can see it flashes for a second and then it just stops. So I don't know what's going on with their API, but this is a lot of good information where you can actually track this.

Now the first time I ever did this was at Northrop Grumman. We had a SAP/SAR program. SAP stands for Special Access Program, so you have Secret, Top Secret, Top Secret SCI (sensitive compartmentalized information), and then you have SAP programs that you have to have an SCI-level clearance and then you have to be read into the special access program. And we believed that one of the users in that particular program was taking documents home during the weekend, and they were using these documents and working on them on an unclass computer, which is a big, big, big no-no. So what we did is we embedded this type of technology into a bunch of those documents, and lo and behold, one of the users was taking the documents home on the weekend and they got their hand slapped.

My favorite thing that I've ever done with this: I was working with a law enforcement agency. I had just flown into Atlantic City for a conference and I got a call from a law enforcement agency at like 11 o'clock, midnight, and they said we're working a case where, like, I think it was like a 9- or 12-year-old, I can't remember, a girl that had been kidnapped, and they had a good idea who had kidnapped her, a friend of the family, because he had changed his Skype icon to be a picture of the girl crying. Now this is back in the day, I don't know if you remember, but Skype, before it was bought by Microsoft, if you showed up with a warrant they basically told you to pound sand. They weren't going to share any information whatsoever about anything for anybody that was using any Skype handles, IP addresses, geographic locations, nothing. So we got a friend of the suspect to work with us, and he sent a Word document to this individual saying, dude, there's warrants out for your arrest, here's the document. The suspect opened the document that had a picture of the warrant for his arrest in it, and it beaconed back. Now if you have the IP address, date timestamp, and if you can get the source port as well, that is enough information to go with a warrant to go to an ISP. In this situation you've got the organization, and they can actually get you the physical address of that IP address at that specific time.

Wow.

So that's just one cool example. This is free. We have another version of it that we teach in the class as well, Word web bugs, where you can generate it completely on your own. So that's awesome, right, super easy to do, you can set it up. So let's get a little bit weird here. This is another one of my favorites. I'm not going to go through and demo it, but I'm going to put in an email address, whatever, and a reminder note, and I'm going to put in a protected domain, let's just say john.co, whatever, doesn't matter. Now what this is going to do is it's going to generate some JavaScript. Now this JavaScript is really interesting, and how it works is also interesting. So if an attacker is targeting an organization, one of the things that we are always doing as pen testers is we are constantly cloning authentication portals for a spear phishing campaign. So let's say you've got an email gateway or a VPN, right? I will clone that VPN page and I will send in a spear phishing attack saying, hey, you've got to authenticate immediately or you're about to be locked out, and then when the user clicks that link it takes them to a web page that looks identical to their VPN page, and I'm harvesting credentials on the back end. So what you can do is this: you can take this JavaScript, and it says if the current domain is not john.co, because the attacker is not going to be able to put the website up on my own domain, like it's just not going to happen, they're going to create something, they're going to call it j-o-n.co or something, they're going to try to do some type of domain look-alike thing using Cyrillic characters or any kind of goofiness that they can to trick that user into thinking that's okay. And as soon as it realizes that it's being rendered and it's not on john.co, it's going to reach out and it's going to grab a JPEG image. So you embed this, and it actually tells you exactly where you're supposed to embed it, and it embeds it within your web page for like VPN or authentication, and now any time an attacker tries to clone your website you're going to be able to get their IP address before they ever launch the attack against your organization. And they give you some helpful recommendations. They're like, well, we could send it through an obfuscator here, and we can try to obfuscate the JavaScript a little bit as well so it doesn't look quite so obvious, right? You can obfuscate that code, there you go, now you've got some JavaScript. Like, JavaScript, that's fun. Once again, seeing your videos, you love looking at this stuff, I can see it in your head right now, you're like, I know how to take that apart, and your viewers do too. But once again, attackers aren't going to look into it that deep, and even if they do, that's a good thing. I get a lot of people that say, well, an attacker will see that and then they're gonna start de-obfuscating all the JavaScript that they see all the time. I'm okay with this. I think that this is a good thing, and the reason why is the more time they take to do things is the less time they're spending attacking our networks. So let's put some paranoia on there. So there you go. I don't think that that actually triggered it. Some of these obfuscation routines online will actually trigger it; this one clearly didn't.

What's another token? We had Word documents, JavaScript obfuscation. You can actually put it inside of a straight-up executable, where you can just basically... it'll take an existing executable, you have to upload an executable, and then you can actually put in that executable, it phones back as soon as somebody tries to run it. So you could create an executable called vpnconfig.exe, do a robots.txt reference on your website, noindex, nofollow, don't go to this directory called helpdesk, and put your executable there, and your user population won't, but the attackers will go and download this executable and run it, and it'll do some level of attribution. So those are just a couple of things from Haroon's thing, and we've got like 20 labs in the class. This is just like one of those labs, and I'm going to show you a couple of other tools, but I want to pause. John, does this all make sense? You have any questions?

I think this is awesome, honestly. I see this notion on the custom EXE in binary, the field that your cursor's in, you could have it sent back to you in an email or a webhook, right? Have you played with that webhook much? Is it almost always gonna strictly go to canarytokens.org for you to see, or could you do some weird voodoo stuff like, hey, I want a Discord notification that I see something popped?

So what you can do is, there's two things that I see organizations do. The first thing that I see organizations do is they'll set up an email address, and then as soon as something comes into that email address they'll actually trigger a Jira ticket from it; they'll just watch it based on email. The other thing you can do is, remember this is all on canarytokens.org, you can actually download and you can build the entire Canarytokens server on your own with your own website, so then you get full access to the back-end database, you get full access to everything that it's doing, so you can absolutely create those hooks that as soon as something comes in it can actually trigger a ticket as well. So the way that we do it is the email one: we have a domain that we have created at Black Hills Information Security that if somebody tries to clone one of our web email servers, it basically triggers and it notifies us by watching the email address. The other thing that's kind of funny is, you know, they got these reputation websites online where they'll be like, well, how good is the security for this company? One of those companies scanned BHIS and they gave us an F. They're like, there's all kinds of insecure things on BHIS, and they found all of our honeypots, and we submitted that they were all honeypots, and now we're an A, which I thought was pretty cool.

That's hilarious, that's kind of fun.

All right, any other questions on this one?

No, I think this is super cool. I'm excited; if any folks are interested I'll drop the links and include them in the description of the video. But hey, more power to the people, this is awesome.

Yeah, absolutely. The next one, this is... I wanted to show people what the labs look like, and I know that we're going to have people that watch this and they're going to be like, his GitHub repository is public and anybody can download his labs. Yes, that's the point. It's intentional. You know, this is a pay-what-you-can class. If you're like, I can totally rip off this class that this guy's giving away for free to help people, you're a jackass, but you totally can if you want to. Just don't brag about it, that's weird. So here's all the labs that we have for all the classes. You know, we got AppLocker, DenyHosts, domain log review, HoneyBadger, Sysmon, all of these different things, and they're all here, you can basically click into them. And one of my favorites, though, is this little tool called Portspoof. It's been around for a long time, still works on Linux systems like a champ. So if you, once again, if you've been following John's videos like I have, you know that 16 bits is 65,536. Some people will say 65,535; those people are wrong, because 0 is a valid number. So you have all of these different ports that exist in TCP and in UDP on your computer system. If you're setting up your server correctly you're using maybe two, right, like a web port and possibly SSH, and maybe both of those aren't exposed, maybe just the web port is exposed via the internet and you have it firewalled off. That's good security hygiene. But what if, just hypothetically, we could use those other 65,535 ports, other than what's actually being used for the service itself? What would that do to an attacker, and basically them trying to break into your system? How would that work? Well, Portspoof is one tool that kind of answers that question. So I'm going to walk through, like, these are the instructions for the lab, right? It gives the install location, the website, a description of it, and then gets into basic usage of the tool. The first thing that you would do if you're setting up Portspoof is you're going to run iptables, and what you're going to do is you're going to be creating a rule in the nat table, and then you're going to put it in the PREROUTING chain, and then you're going to say the protocol is going to be TCP, and if the destination port is between 1 and 65535, redirect to port 4444. So you can adjust the port ranges with your iptables rules to kind of step around your service, but as an example, we're now rerouting every single port on this system to a single port on the system. Now why are we doing that? Because if an attacker runs a port scan, they're going to try to identify what ports are open, or a vulnerability scan, they're going to try to identify what ports are open and what are the services behind those ports. What Portspoof does is it responds to all the TCP SYN requests, every single one of them, and if you scan it with Nmap it basically says that all those ports are open. Now there's nothing there, it's just SYN, SYN/ACK, that's it, nothing all that interesting. So if you were to do a version scan with Nmap, where you do nmap, you're giving a port between 1 and 10, -sV for a version scan, give it your IP address, it's going to try to identify the service, but it's going to say it's tcpwrapped, because it's like, I don't know what the hell that is. But what you can do is you can take a signatures file, something like the Nmap signatures file, and Portspoof will respond with those signatures. Now this gets interesting, because what happens if you're running a vulnerability scanner or a version scan in something like Nmap? It's going to attempt to identify the fingerprint of that service, and now all 65,536 ports that exist, well, in this situation 1 through 65,535, will have a valid random service behind it. Now why exactly is this cool? Well, this is really cool because of time. Whenever you run a SYN scan, it's going to take a matter of seconds to run a SYN scan against 10 ports. If you run a service scan with Portspoof running, it takes like three to four minutes for it to scan 10 ports. So when you set this up, if somebody's trying to scan your network, it's going to take them potentially days to scan one IP address on your system, and this takes five minutes to set up. So if we're going back to attribution, annoyance, and attack, this is definitely in the annoyance category. If we look at detection time plus reaction time must be less than the amount of time it takes to attack a system, this just really kicked the attack time through the roof. The other thing that's fun is scanners like Nessus and Nmap really aren't all that good at exiting cleanly and giving you the results that they currently have. If you just hit Ctrl-C, Nmap's like, okay, done, it walks away, it's just like that. So it makes it very hard for the attacker to figure out that something's wrong. Also you have, like, the sunk cost fallacy for attackers, and I know this all too well: like, well, this Nessus scan's been running for two hours, if I stop it now I'll have to re-run that two hours and I'll have to do it again. And that's beautiful. That's beautiful. So any questions on this one, John?

No, I love this. I'm thinking, as you were showcasing this, like, oh my goodness, I've been in that situation, because, you know, like the videos that I showcase, I think people that watch and play along with TryHackMe or Hack The Box, or doing some pen testing and red teaming, I think they know the pain of literally it taking forever for an Nmap scan to come back. And when it lights up with so many ports open, it's extremely overwhelming, and you're like, okay, now I have to kind of go look at each one of those, and if it's a trap, if it's a decoy, hey, that's a strong arm for the defenders, and the attackers are, I'm just, we're wasting our time.

Well, and more importantly, it's fun. Yeah, I mean, let's be honest, attacking is fun, right? It's a challenge, a goal, an objective, and it's a challenge you're working towards something. Defending, for most people in security, is like you have this brown paper bag over your head, someone hits you with a baseball bat, you're like, oh, somebody hit me with a baseball bat, and we're blind. This makes it fun for defenders. Like, we can put it in the hands of the defenders to just have a good time with the attackers, and this is a blast. Like, and I run a pen testing company, and I have customers that call me up, they're like, so we're going to be hiring you guys here in a couple of weeks, you could come in and break into our network, what can we do to make the attacker's life miserable? I'm like, oh, well, here's a couple of different things that you can do. And my testers will call me and be like, so did you talk to this customer before I got there? Like, maybe. Because I ran into honeypots, I ran into honey user accounts, I ran into all these things, did you have anything to do with that? Possibly. So then they start crying, and as I like to say, there's nothing like collecting pentester and hacker tears, they make the best wine.

Oh yeah.

So that one's easy. I've got one more that I want to show real quick that's just like super, super, super stupid simple to run that you guys, everybody that's watching this right now on your YouTube channel, do this now. This is called a honey user account. So the goal of the honey user account is we want to create a user on a system. We have this whole lab here, and yeah, you can look at it on GitHub under strandjs, and I use, just as an example, the built-in event logging, Event Viewer on Windows, where you can create a user on your system that as soon as somebody tries to authenticate as the user frank, it'll automatically generate an alert that the user frank has been accessed. It's called a honey user account. So I want the people that are watching your show, they need to go out, they need to create honey user accounts: create an account, log into that account, set the login hours to zero, keep it active, give it a really long password, and then put a rule in your SIEM that if anybody tries to log in as that account, they're going to generate an alert. Now you'll be like, well, how is the attacker going to find that? We're in an environment of five thousand, ten thousand, a hundred thousand users. Doesn't matter. The reason why is attackers use tools that'll automatically download all of the users in an entire domain via a command like net user /domain, and then they will attempt to password spray every one of those users. So here is an example. You can see that we tried to do a password spray of Winter2020 and we found these users had Winter2020. Even though frank's not in here, it attempted to log in as frank with Winter2020, and an alert would be generated on the back end. This is like 10 minutes, folks, and you'll be able to detect almost any attacker, any pen tester, within a matter of moments of them getting access in your system, because this is what we do: any time we get access on a system we're going to do a password spray, and we talk about this with Kerberoastable accounts and things like that as well. So lots of cool stuff in the class, and really a lot of the stuff, the reason why I put the stuff up out on GitHub is if somebody doesn't want to take the class, just want to look at the labs, fine, it's great, just implement this, because this is going to make a difference in your security posture. So all right, so any questions on that one, John?

No, that was awesome. I honestly can see the value in that, like, right away. There are a lot of folks that are going to be saying, hey, you know, I'm working through OSCP, or I'm doing, hey, the PNPT certification exam, where you're performing a pen test, and in there, hey, you're in that world to kind of learn and understand how this looks when adversarial emulation and acting as the adversary, when you're doing the red teaming and pen testing, you do exactly that. You do Kerberos, you do look around for those users and spray that password everywhere you can, and if it just lights up, the defenders are immediately on your tail, and yep. So when they start asking those questions, cool, I might be doing this stuff in this test, but what does it look like on the other side?

Dude, that's the question, right? And even at BHIS a few years ago, before we started kind of doing, like, helping customers with purple teaming, we would run these tools, but we didn't know what were the events that would be generated, what
would be the registry keys that would be created you know jpcert did a lot of really great work where they did the tools analysis sheet showing you know all these different evidence artifacts points that are created whenever somebody tries to run a tool like winrm and really trying to do that and map up cyber deception to the actual attack methodologies is really what this class is all about so also i wanted to throw a shout out to mitre and gauge i'm sure that a lot of your viewers have heard of the miter attack matrix um this is the cyber deception and adversarial um not absolutely the cyber deception matrix from mitre so if you're ever talking to people like well there's no standard for us to do this mitre actually has standards and they talk about decoys and artifact systems and isolation artifact diversity detonating malware and things like sandboxes so our class actually matches up to the miter engage framework so we want to make sure that we tied it to a framework because when people try to do cool things they're like well is there any is there any like is there any audit framework that requires it yeah miter the engage framework so it gives you a little bit of leverage to do cool stuff in your environment so one more tool and then i am done um this particular tool is called honeybadger and it's under adhd project there's a this is a fork of a tool from landmaster 53 tim tomes um we've updated it quite a bit and i'm going to show you um an update up to date version of honey badger and the goal is you have that document right that word document it triggered and it gave us an ip address that's nice but that's not super geolocation not exactly where that attacker lives so what if we wanted to get that level of fidelity well honey badger answers that question so what honey badger does is it does a wireless site survey of your system so if i go if i go to cmd run this administrator like this and i run net sh um if i run net sh wlan show networks this is actually 
going to show me every single one of the wireless networks that are near me okay so the thought process is what would happen if i were to trick an attacker to download something like an excel spreadsheet and when they ran that excel spreadsheet it would trigger a macro that would do a wireless site survey feed that data to google and then google would come back with geolocation within like 20 meters of where that attacker's computer system is and that's what honey badger does all right so this is actually a honey badger instance we have a number of different instances that are running and these are some of the places that i've ran honey badger and we always run in an excel spreadsheet and whenever we run we actually run it in a couple of different ways so if somebody were to do a word web bug if somebody were to do an excel document we can get a much higher level of accuracy and i'm going to show you just how accurate we can actually get the other thing i wanted to point out is trace routing so the ip address that you get at home um many times if you look at that ip address the geolocation is going to be very generic it'll basically be like somewhere in south dakota and the reason why is isps when they hand out those ip addresses for routers they're using dhcp and they don't know where it's actually going to be at all now while that particular ip address is like whatevs i don't know where that is the actual edge router right on the other side of your router your point of presence for your isp usually has much higher geographic geolocation than the actual end ip so what we do is it'll also trace route to the ip address of the next routing hop back from the ip address and then it'll get geo geographic location so it won't be you know right on top of the house where the attacker is but it gets you into the neighborhood which i think is pretty cool so that's neat i'm not going to talk about that much what i am going to talk about is the excel spreadsheet now the excel 
spreadsheet um in honey badger it is actually just using vb and it's not obfuscated and almost every single av engine on the face of the planet as soon as you run that vb script is going to freak out and burn you immediately um so i'm going to encourage you if you're going to pull down the vbe code from honeybadger you're going to have to do some obfuscation and some av bypass on yourself i'm not creating an 80 bypass engine i'm just giving you the tools you're going to have to go the rest of the way but the way it actually works and how good it works is actually pretty freaky so this is this particular one it found all the wireless access points near my home the actual signal strength of all the wireless access points and then it gave us a latitude and longitude and google said it was accurate within 12 meters and i can tell you right now this put the pin right on top of my home now the goal of doing something like this and how you would actually set this up this is me i was presenting at a hotel in san antonio this is how you know you can travel the world right yeah i this guy gets around um so this is actually the hotel i was at when i was like getting it going you see hilton honors oh that's hilarious and you can see the pin is just like like this is the hotel i stayed at i think it's a double tree and that's right on top of the building wow now i've done some training for dod and it's always concerning when i'm teaching someone from the air force and they're like yeah that's close enough like for what oh my god um but it gets you right on top of where the attacker is that actually ran it um i was on vacation and i decided what the hell i'll run it down here so here's the isp right this is if you were doing just ip address geolocation um the ip would be san jose and then if you actually go to geo location it puts it right on top of the house i was staying at um in costa rica when i was on vacation so yes boys and girls it works overseas as well um so the whole 
point of all this is we can actually get this level of accuracy on where the attacker is with tools like honey badger and i want to spend a couple of moments and talk about just the legalities of this um the the cases that you would want to look at are um susan clements jeffrey versus absolute software and in that particular case susan clements jeffrey um basically bought a stolen computer she was a substitute teacher and bought a stolen computer that was stolen from another school district took it home and basically started cyber sexting her boyfriend and it had absolute software which is like lojack for computers where they could access the camera and the microphone and they took multiple pictures of susan clements jeffrey in various states of undress and sexual activity she sued it was settled out of court they were going to pay because they were going to lose now the judge in that particular case judge judge walter rice that judge actually ruled it is one thing to track a stolen computer system based on its geographic location or ip address it is something entirely different to violate federal wiretapping laws to do so the point of what that judge put forth in that case susan clements jeffrey versus absolute software is when somebody steals something from you this is your excel spreadsheet this is your word document and in that case he drew a very clear line in the sand it is one thing to track a stolen computer based on ip address or geographic location and that's as far as we go we just get the ip address and geographic location we aren't getting persistent access to the hacker's computer we aren't pulling down their browsing history we aren't trying to dox them beyond what we can get off of the location of that computer system but this is incredibly powerful and you can do it legally now this isn't something you want to put on the edge of your website and just allow anybody to download you want this to be something that's protected you want this to be on a 
file server on the inside of your network you want to be careful about how you implement it but you can and if you want some more laws uh come to the class we talk about all kinds of different laws that's not a good selling point is it john if you'd like to talk about law come hang out with me um but uh but no seriously i'm inviting everybody to come in and uh and do this uh like i said it's pay what you can so you're out nothing um if you're like well he's full of crap well come on come hang out let's talk about it um let's talk about what we can and cannot do because right now if you're looking at the security industry and the way that it stands today we're really using variations and permitations of existing technologies that i was using 20 years ago av ids ips firewalls like all of that crap we were doing 20 years ago and we could say well it's much better it is but the attackers are getting better and the reason why we're losing is we're all using the same technologies the russians have access to the exact same defensive technology that you're deploying right now i guarantee it so do the chinese so does the nsa so the only thing that we can really bring to bear when we're dealing with advanced adversaries is how can we actually put in some variety and spice in our network some deception in our network and then get them to make mistakes so that's what we got so john what questions do you have for me i am super excited when can i get started taking this course my we are firing i should have had that up on my website um so if you look at anti-siphon um we uh we have our full training catalog out there and um the we have other classes that we do charge for um these are by other people um but if you're looking at my classes you can go to pay what you can training and we have a number of pay which you can classes score sock core skills getting started with security this one right here active defense and cyber deception is the one that we're talking about but we also 
have packet decoding with chris brenton regular expressions your new lifestyle with joff and then password cracking 101 but if you click on this class it'll give you the schedule of when we're actually going to be doing it and we're going to be kicking this class off monday january 24th it's four days half days so it's really only a two day class don't we don't like do death by powerpoint or anything like that tons of hands-on labs associated with it you get a fully functional windows vm that has all the labs built in and you can run them till the end of time which i think is good but it's four half days starting on january 24th awesome well hey i would love to be able to include this link just as well uh people need to be able to see this i'm super excited to cruise through that github maybe poke around maybe get an idea for some of the other labs but maybe create some issue trackers and some pull requests fix my grammar help out the community yep yeah and that is that's actually funny we joke about that but my students go through my labs and i'm like dude you misspelt this and then that and the other thing and they're constantly making my labs better and it's just awesome well this is an absolutely incredible resource i know that was just a taste of everything that i don't know you've got to offer here but it's fantastic to see hey this is pay what you can so if people are willing to say look i i got zero dollars uh i'd still love to attend or i've got the 459 i'd still love to attend nope absolutely and that's what it's all about right just trying to get more people trained up that's all well hey thank you so so much john if there's any other last resources or last things that you might uh think hey well that would be great to offer or great to showcase yours i've got one final thing that's not mine not at all um john are you familiar with the holiday hack challenge i am absolutely yeah so the holiday hack challenge i was screaming on twitter the other day i saw 
that it opened the the gates for kringle con were finally here they opened up um this is by ed scotus and the team at counter hack it's free and if you're looking cyber ranges are great this is that every previous year of the holiday hack challenge is available and you can play them online if somebody's trying to get into security you know we talked about try hack me hack the box holiday hack challenges are right there so please you know spread the love spread the cheer uh get out there and holiday hack this year so there you go i'm looking forward to it i hope to be able to record some other videos and showcase some of that great content they it's always a blast every year so you bet very cool well hey i'll get out of your way i know uh hey we'll get back to work we'll we'll turn two we'll keep keep making hackers cry but this has been a ton of fun and a really great um i don't know just a cool opportunity that you're putting out here so i'm excited to get to know what everyone else thinks so you know all the engagement youtube comments and all that likes and subscriptions it'd be great if folks trash talk don't forget the chat that's true that's true all the hate comments yeah i hate the hate comments keep us warm at night keep them coming all right well we'll turn the uh we'll turn the red light recording off but thank you again and again john strain great to chat with you and incredible stuff you're doing you bet and i do have to get running man i'll talk to you later cool take care
Info
Channel: John Hammond
Views: 6,820
Id: 7LXfBSuaFFE
Length: 48min 51sec (2931 seconds)
Published: Wed Dec 15 2021