- We know what firmware is running, and this is without even logging in.
- You literally just type something in Google and you found this, yeah.
- Exactly.
- You know, I don't want to lose my channel. (OccupyTheWeb laughs) (soft beat music) Hey everyone. It's David Bombal, back with Occupy The Web. For those of you who haven't watched our previous videos, he's the author of this book. Fantastic book. If you wanna learn Linux from a hacking perspective. He's also got this book "Getting Started, Becoming a Master Hacker." Occupy The Web, welcome.
- Thanks, David. Thanks for having me back again.
- This book's getting updated, is that right?
- It's getting updated and it's gonna be republished by No Starch Press under a new name. It's gonna be called "A Cyber Warrior Handbook." And it's gonna be totally rewritten with new tutorials and it's gonna be more targeted towards the cyber warrior than just the beginner hacker. It was originally scheduled to come out later this year, but the war kind of got in the way. The war has been taking a lot of my time that should have been spent updating that book. But hopefully it'll be out this winter sometime.
- A lot of you've given feedback about, you know, the content that you want to see. And I'm really happy to announce that OccupyTheWeb is gonna be doing a series of technical videos. So, we are gonna dive into like a bunch of technical details. And as part of this series, we are gonna be looking at Mr. Robot Hacks. OccupyTheWeb, on our previous video, you were telling me one of the problems with YouTube videos and perhaps with Mr. Robot and all these movies is, you know, it's not realistic. So, I'm hoping we can take like a Mr. Robot hack and you can show us like how it actually works in the real world.
- Yeah, I'd love to do that. And let's start off with one of the best hacks in the show. And, and one of the things I'd like to do is to explain why I like Mr. Robot because, I like Mr. Robot, because he does real hacking, you know.
- It's not because of the drugs, yeah.
- It's not because of the drugs, right. Drugs are a side benefit. (both laughing) The, the, it's because it's real hacking. It may be a more compressed timeframe than reality. That's because it's a TV show and they can't spend hours and days just like on YouTube videos. But if you watch very carefully, he's actually doing hacks that are largely, largely, not all, largely realistic. It's really one of my favorite TV shows of all time. Not only because it's a hacker show, but you know, it's got Rami Malek. Those of you who may not be familiar with Rami, Rami has, has been an actor. He's been around a little while. And he's the guy who got the Academy Award for best actor for playing Freddie Mercury in Bohemian Rhapsody. Mr. Robot is really what made him famous. This is really what launched his career, was this TV show. And basically it's the story of a young man who probably is on the autistic spectrum. At least that's my interpretation. He displays a lot of characteristics that we associate with Asperger's. His kind of asocial behaviors, his inability to look people in the eye, he's kind of really sensitive to touch. He doesn't like to be touched. He's very, you know, he's very focused on what he's doing. These are all typical traits of somebody on the Asperger's spectrum. I can relate to this. I mean, if, if it's any help to you, I mean, that's probably very close to what I was in, when I was his age, okay.
- That's amazing, yeah.
- And you know, like him, he struggles with this kind of being able to relate to other human beings and I've worked on it all my life and I think I've done okay. I'm trying to be more social. So, not only can I relate to him as somebody who's a hacker, but I can also relate to kind of things he's suffering with. The things that he's trying to deal with in his everyday life. Obviously I love this show. And if you wanna, if you wanna know more about my personality, you can see a lot of me in Elliot. And Elliot is the main character, Elliot Alderson. You know, we start off the show where he's basically working as a cyber security engineer for what he refers to as Evil Corp. And Evil Corp is a very large corporation who does a lot of bad stuff. They're probably responsible for both the, the death of his father and his best friend's mother, Angela. And he, you know, he struggles with this idea that he's protecting this evil corporation. His job is to protect some, a company who he hates. So, we see this constant struggle in his personality of what and how he should do this. That's kind of the beginning. What we're gonna do today is we're going to address, I think it's episode six. Season one, episode six, if I, if I remember correctly.
- Yeah, that's right, yeah.
- And the reason I like this particular-
- I, I, I made sure about that. So, I made sure I watched it today to do my research. So, you did your research today as well, yeah?
- My research was in enjoying watching Mr. Robot, which I could watch over and over and over again. So, I like this particular hack and those of you who know me and who are my students or have been to my website, know that I think that SCADA ICS is probably the most important area of hacking right now. These are the systems that run the world. Every facility, every refinery, manufacturing facility, electrical grid. These are all run by industrial control systems. And these industrial control systems are all run by what are called Programmable Logic Controllers, PLCs. These PLCs are all very simple computers, okay. That allow the operator to basically, you know, open valves, open doors, close doors. It runs the industrial world. I think it's been largely overlooked in terms of both security, cyber security and the role that these plants will play in any kind of cyber war, which, you know, we're in the middle of right now. And we've seen the Russians attack repeatedly, the industrial control systems of Ukraine. And you know, the Russians are feeling a little bit coming back at them right now. We won't go any deeper into it than that. In this episode, this is one of the most complex hacks that Elliot does. And there's a lot of reasons to like it. One, because it uses different technologies. It ends up where he's trying to hack his girlfriend out of prison. And of course the prisons are industrial control systems. So, what we're gonna do is we're gonna walk through what happens as Elliot tries to hack Shayla. Shayla has been kidnapped by the drug dealer, Vera is his name. And Vera is, is an evil guy. He's taken Shayla and he's holding her hostage. And he's told Elliot that he's not gonna let Shayla go until Elliot hacks him out of prison. And of course, Elliot says, "You gotta be kidding, right? This is, this is, this is crazy. I can't hack you outta prison."
- He had to do it in one day as well. Is that right, yeah?
- Exactly, so.
- One day. So, so Vera was in jail and he was, Shayla was hostage, held hostage by his group, is that right? And he had to get Vera outta jail, but like tonight.
- Tonight.
- Yeah.
- And he tells, he tells Vera, "I can't do that in one day." And you know, that's realistic. I mean, he's telling him that, you know, this kind of hack will take maybe weeks, months. Vera is not buying it. Vera knows he's gotta get outta jail tonight and he insists upon it. And so, Elliot has to come up with a solution. And the first solution he comes up with is that he has Darlene. Darlene's his kind of sidekick.
- I think that's what they used, yeah. The rubber ducky.
- Well, they tried. Yeah, they tried to use,
- They tried this, yeah.
- Essentially a rubber ducky. Yep. I mean, you can actually reprogram the firmware in any thumb drive to do what the rubber ducky does. So, rubber ducky is, is an example of a reprogrammed thumb drive that when you put it-
- You gonna have to show us how to do that. If like, take any thumb drive to do something like that. Maybe that's for another video.
- That's for another video, cause that's beyond what we can do right here. But basically you have to upgrade the firmware on the thumb drive so that it appears to be a keyboard. That's all it is. There's all kinds of different thumb drives, right? And so your thumb drive, normally the firmware in it tells your system that it's a storage device. You can flash the firmware of the flash drive and give it the information that it is a keyboard. And so now, when it plugs, it plugs into your machine, it's recognized as a keyboard and then the rubber ducky or the flash drive can send keystrokes into the system. So, you can immediately start sending keystrokes in and do basically whatever you want with the system. So, you can program keystrokes already in there. And that's the first attack that they try, okay. Is that Darlene put, uses an exploit from, I think they refer to the company as RAPID9, which is kind of a reference to RAPID7 who owns Metasploit, and Elliot kind of scolds her and says, Hey, you know, what are you doing using, you know, a known exploit, because it fails. It fails because the anti-virus detects it. So, let me back up a little bit. Darlene leaves these thumb drives all over the parking lot of the prison, hoping that somebody will pick it up and put it in a machine inside the prison. Because Elliot recognizes that prison systems are offline. The problem he has is how do I get inside the prison network? Most SCADA systems are online, prison systems and a few others are offline. Like things like dams and bridges and that type of thing, usually they're offline, but the prisons are offline. So, he realizes he has to get inside the network. He can't reach it from the outside. So, the idea is to drop these rubber duckies, like flash drives, somebody will pick it up, put it in the machine. And in the show, one of the guards does that. As the commands within the flash drive are beginning to take over, his antivirus detects it and stops it. So, that attack fails. And one of the beauties, okay, of Mr. Robot is it shows somebody failing in their attack, right? I mean, most shows don't show that. In reality, hackers spend a lot of time on failed attacks. In an earlier episode, we talked about the Stuxnet attack and how that took three years. And it failed many times during that three year period. And they kept on updating it to get it to work. It's more realistic that you see somebody actually failing, which you don't see in most movies and TV shows with hackers in. They always immediately get into the system in 30 seconds or less. So, he fails initially. So, he has to come up with a new plan.
- Just to ask you the question, that rubber ducky piece was, was real world. Is that right? Or close to real world?
- That's real. It's real world, yeah. It's, the rubber ducky you can buy as you showed, you can buy 'em at what, Hak5 has 'em I think. And, but you can build your own either way, they're, you know, you can do it. It's realistic. And it fails because she used a known exploit that was detected by the AV. That's realistic. If you use a known exploit, it's gonna get detected by the AV. Now, one of the things that she might have done in this, at this particular point in time is she might have gone ahead and tried to obscure the exploit. And tried to get it past the AV. She complained that she said, "Hey, well, I didn't have time to do this. You gave me like an hour to do it." And she's right. She couldn't build an exploit in an hour. Well, one of the things that was also kind of interesting at this point is that, notice that Elliot is trying to SSH into the system. That seemed kind of odd to me because if I were doing it and, and most hackers will do this, is that they'll put in a reverse shell that will call back to him. So, instead of him calling in, they have a reverse shell that'll call him and connect to him. I thought that was kind of unusual that they, they did it that way. So, Elliot's got this problem now. He's got hours, just hours to be able to take down the prison system. And so, he still hasn't figured out how to get inside the network. So, he goes and visits Vera in prison and he takes his phone with him and he uses his phone to scan for all the wifi networks. So, he's using his phone. And those of you who have used Aircrack are familiar with this kind of scanner. There are a number of Android and iPhone applications that'll do the same thing. And what you can see here is that he's scanning on mon0. So, that's the interface and notice that he's pulling up, it says ESSIDs. These are really the BSSIDs. These are essentially the MAC addresses of all of the APs, and the channel that they're on and their encryption. And of course their power here. He sees, okay. He goes back to his phone. He says, "Oh damn, they're all WPA2. It'll take me days to be able to crack it." And that's, that's accurate. You can crack WPA2s, but it's a time consuming process. Can't do it in 30 seconds or three minutes.
- Unless you watch my video where I show you to do it in 15 seconds. (both laugh)
- Right, exactly. Exactly.
- With a GPU, you know, it's exactly right. It really depends how lucky you are.
- It depends. Really to be able to crack WPA2, basically what you're doing is you're trying to take a word list and match the word list to the password of the system. If somebody's used a very weak password, you can potentially crack it in a matter of seconds or minutes. I mean, if they've used, you know, a, a password that's the same as the ESSID, you might be able to do it in a matter of minutes, but Elliot looks at it and goes, realistically says, "I can't do this. I can't do this in hours. I need to find another way into the system." So, he's trying to figure this out. He's actually walking out of visiting Vera at the jail. And while he is walking out, he sees on his screen that somebody is connected to the internal network inside the jail. And it happens to be a police car. So, this gives him the idea. If I can get inside of his system, then I'll be inside of the prison's network. So, the question is, how does he get inside the squad car's laptop? And that's where we get to Bluetooth.
- Just before we go there, can I ask you about the WPA thing just quickly? So, reality versus movies, which phone would you recommend to do? Is it Android? Or Android's gonna be the easiest to do this kind of stuff, or do you install Linux or something on a, on a phone?
- You can either install, you know, there's NetHunter that is basically Kali on a phone, or you can just, there's applications. You can just download both for the iPhone and for Android, that'll do the scanning, like in this picture that we just put up here. It doesn't tell us what this is, what the scanner it is, but just number 'em. Just go to the iPhone store, go to the, the Google Play store and look for wifi scanners. And there's a whole slew of them that'll do this.
- Yeah, so, that's just showing you the networks available. It's not showing, it's not letting you crack them. Is that right? Or is there a specific app that you would use on a phone to crack it all? I mean, it's gonna take forever. So, you're gonna push that off to, to another, to a GB or something, yeah?
- What you want to do is you want to capture the handshake, right. So, he's just scanning for the networks. And then if you're using Kali, you want to go ahead and use Airodump and Airodump will allow you to capture the handshake between the client and the AP. And then once you capture that handshake, inside that handshake is the hash of the password. And that's what you try to crack with. He realizes that's not realistic. He can't, he can't do that. So, he realizes that the police car has a dedicated cellular connection to the network inside the jail. And he sees that when he's walking out of the jail and he sees that that police car is connected inside that network. Immediately says, "Oh, I have a path inside the network of the jail. The path is, I have to get inside the laptop, inside the police car." (laughs) That's more difficult than you might think, right? Maybe you do think it's difficult and it is difficult, right. So, here's where, you know, things get a little sketchy here. He's using hciconfig to scan for the Bluetooth connections. And let me just show you how that works. All right, so, what I've done is I've just downloaded BlueZ, it's outta the repository at Kali. And what it does is has multiple tools in it for Bluetooth hacking, okay. And Bluetooth manipulation. What I've done is I've got actually an external Linux, a Bluetooth adapter in the system. So, once I have these tools embedded, then I can go sudo, and then it's hc. This is what Elliot's doing in the show. hciconfig is just a tool similar to ifconfig that'll pull up all of the Bluetooth connections. And there it is, it shows me that my Bluetooth adapter and yours is probably gonna say "down" when you start. So, you have to start it and to do that, you go, sudo hciconfig, just like with ipconfig, go up, and now you got it up and running. You can see here's the MAC address. Okay, let's go back to the, what.
- Did you say you've got a dedicated Bluetooth adapter connected to your laptop, yeah?
- I did.
- If you can gimme the device name, I'll put a link below so people can go and buy that if they want.
- This one is actually a Panda. You can buy 'em on Amazon or Egghead or any of the various electronic stores. So, look for ones that, you know, have Bluetooth adapt, Bluetooth drivers for it. Some of the Windows ones won't work. Some of them will tell you they'll work in both. I've tried a number of 'em out. And usually the Windows ones simply won't work in Linux. So, make sure you get a Linux Bluetooth adapter. If you're running on a virtual machine like I am right now, of course you have to go ahead and attach it. So, you gotta go up here. This is VirtualBox. Gotta go up to USB and then make sure that, see, it says here Cambridge Silicon Radio. That's a chip set. It's actually, this is manufactured by Panda I believe. You also wanna make sure even before you get to this part, is you wanna go lsusb, to make sure what's connected to your USB and you see I've got, this is what's connected to my USB and here's my Cambridge Silicon Radio. Of course, Cambridge is a British firm. You see the LTD right there, and then let's go ahead and clear our screen. And so sudo hciconfig, this, let's look what it tells us. It tells us it's on a USB bus. It's a primary type. The name, just like when you do ifconfig, the, it gives it a name for the adapter and the name is hci0. Yours might be hci1, it might be hci2, but usually it's gonna be hci0, just like your WLAN is usually wlan0. Your ethernet adapter is gonna be eth0. And then it gives you the address. This is the MAC address of the adapter. So, this is where he, you see in the, I'll go back to what he was showing on the show. You can see right here, hciconfig, hci0 up. He has two adapters. He's going to the second one and taking it up as well. And then he's got hciconfig, and he's pulling up the information, just like what we've done here. What we want to do now is that within this group of Bluetooth tools, there's a tool called hcitool. I'll just show you what it can do, pull up the help screen. And so of course, this is the help screen. That's what we're looking at right now. And it'll display the local devices, okay. Inquire. And these are remote devices. It'll scan for remote devices. And this is the next step that Elliot does is that he goes ahead and uses this tool to scan for Bluetooth devices in the area. And there's a number of other things, you can submit arbitrary HCI commands, you can do inquiries, but right now we're gonna kind of just do what Elliot did. And that's what he did is he went ahead and did hcitool scan. And it begins to scan. And what it's doing is it's looking for other Bluetooth devices. It pulls up one device, and this is, these are the speaker system in my office. Let's go ahead and turn on some other Bluetooth devices and see if we can see them as well.
- It's really impressive that the show's so true though. And I can see why you like it.
- Oh, I, I, I love this show. And so I'm glad that you had agreed to do the hacks, cause there's a lot of great hacks in this show.
- No, we almost covered them all I think. So, let's just ask the audience. Do you want Occupy The Web to do like all of them? Just put in the comments below, the, you know, the ones that you really want to see and we can perhaps prioritize some of, of the others.
another, do another scan. I just turned on another, another device. This is very similar to, like I said, any type of scanning tool, sometimes it's gonna work, sometimes it's not, but you get the idea that it, there we go, okay. I just turned on another,
another speaker system. So, this is what Elliott's doing. He's going out and he's
scanning for these devices. What he does is he finds the device, the Bluetooth device in the
laptop of the police car. Then he does an hcitool inquiry. Let's do that. Sudo hcitool inquiry. And this gives us even more
information about the devices. Okay. So, it gives us the class. And this is key. If you go to the Bluetooth websites, the Special Interest Group website. So, here's the devices and these
are just the numbers, okay. And the classes of all the devices, and this is kind of the
key to hacking Bluetooth is to understand that Bluetooth devices are basically telling us
what type of device they are. Here's another, here's a better one. I got another one up here for you. And you can see the classes and the ones that we just
pulled up a minute ago, right, were speakers. These are all peripheral devices. So, when you connect
to a Bluetooth device, it tells the other device
that's trying to pair with it, what type of a device it is. Is it a wearable headset? Is it joystick for Nintendo? Like this one is here. It's a portable game controller. It communicates to the
other device what it is. Notice that this one here is a keyboard, it's device, it's class 002540. That means when you connect
to this Bluetooth device, it says I'm a keyboard, allow me to send keystrokes, okay, into your system. And there's really no way for the system to check if that's real or not. So, this is what Elliot
takes advantage of. In the show, he uses a device called MultiBlue. They don't manufacture 'em
anymore, unfortunately, but basically what it is is this, it's a Bluetooth
device that communicates, okay, that I am a keyboard. If you have a Bluetooth based keyboard, I'm working on a Bluetooth
keyboard right now in this show. That's what this device does, okay. It says I'm a keyboard, let me send keyboard keystrokes to you, the other end of the connection. Elliot uses this, which used to cost, I think I bought mine for about $35, but basically once again, it's a Bluetooth dongle that
has been basically flashed with a different class, okay. A class that says, Hey, I am a keyboard. So Elliot, what he does, is that he gets Darlene to
kind of flirt with the cop. It's social engineering. Elliot is standing, is
in a car nearby, okay. Bluetooth has a capability
of connecting up to like a 100 meters, he's within that range and he's able to connect
to the Bluetooth device in the police car. He uses a tool called Spooftooth. It's also, I believe spooftooth
is in the repository. So , let's just quickly take
a look and see if it is, and let's put in install in there. There it is. It's already installed on my system. Just like you can spoof an IP address or you can spoof a MAC address. It allows you to spoof a Bluetooth device. So what Elliot does is that he goes and spoofs the MAC address
of one of these devices in the policeman's car. Does a, a scan like we did here. He gets the MAC address off
the Bluetooth in the cop car, and then he spoofs it, okay. Here's the synopsis
Bluetooth dash I device. And then specify a new BD ADDR. Right, and that's what we want to do. Let's go ahead and create this. It's pasting in the MAC address. And then it's the, the dash N for name right here. Specify the new name. Okay, dash N and then
it's gonna be car537. So, what we're doing is we're
assigning a new MAC address and a new name for that device. And you see it came back and said, Hey, address has been changed. Oh. And it came back. It said the address was changed, but it can't open the device. No such device. It dropped the device it looks like. So, let's try reconnecting it again, yeah. See, it's dropped the, the
Cambridge Silicon Radio. Let's go ahead and try that again. - I think the lesson is
like, you've always said it's stuff doesn't work
perfectly the first time. That's reality versus TV, yeah. - Exactly, yeah. This is, and this is actually
a notice here that it's down. When I went and reconnected
it again, it's down. So, what we have to do is go hciconfig, hci0 up. All right. Okay, now when I do hciconfig, you'll see that it's up. - Reality, and that's, I'm glad to see you doing this because it it's reality for all of us, yeah. - Yeah, so, there it is up and running. All right. So, we're gonna try this command again, to be able to spoof this. So, we're gonna go ahead
and run the hcitool, and then we're gonna scan. One of the things that I have
found is that by using a, here we go, we got both of those devices. Sometimes the virtual
machines will drop the devices that are external, okay. And that's what we're,
we're dealing with here. But so we, got both of 'em. We scanned, imagine that one
of these is car57, all right. And then what we're gonna do
is then we're gonna try to spoof it. We're using hci0 as our device name. This is the MAC address we were trying to spoof and
we're gonna name it car357. Hopefully virtual box doesn't drop our adapter. Let's go ahead and do it. It just dropped it. I could hear the sound of it dropping it. It did change the address. You can see that the
device has been changed to 7C:96:D2:08:86:36 And if we didn't drop the adapter, we, it would also rename
it so that it appears not only does it appear
technically at, by the MAC address, but it also has a name
that is recognizable, human readable name, that would be recognized
by the police officer. So, this is the way that he goes ahead and spoofs the Bluetooth device. Now, this particular hack was done in, oh, about 2014. And some of the early Bluetooth, you could do this type of spoofing. In the more recent Bluetooth, you're gonna have more
difficulty doing this because they're gonna,
to be able to spoof it, you're gonna have to pair them. And even though you spoof the device name and the MAC address, you're still gonna have to pair 'em. So, it's gonna be one extra
step there that they don't show in the show. So, he's now got himself
inside the police car's laptop. - So, was he spoofing the, the,
the keyboard, is that right? And that's what he was trying to do. Is that correct? - He's, he's taking the keyboard, that MultiBlue device, and he's making the laptop believe that it's a Bluetooth device
that's already connected to his system. Cause normally when you want
to connect a Bluetooth device, you have to pair it, right? And you have the, the pairing process. What he's doing is just saying, okay, I am the device that's already been paired on the laptop. And then once he has that
pairing taking place, now he can use this
device to inject commands into the cop car's laptop. And that's where things get interesting and maybe a little bit unrealistic. So, what he's doing now is that now once he's inside the cop car's laptop, he's inside the network
of the detention center, of the jail. So, now what he has to do is
he has to be able to inject commands into the prison, the jail, to be able to open up the doors. This is a little bit unrealistic. Normally what you would do
in a situation like this is you would go and you
would find the wiring diagram for that particular device. And there are almost all online. There's a block diagram of the PLC. These are almost all the same. The diagram is the same. Here's a, here's the one that's often used in the prison system. This is a, Siemens SIMATIC S7-1500, which was actually the
same one that was used in the Stuxnet attack. - So, that's what was used
to open and close the doors in the prison, in the
movie so-called, yeah. - This is what's opening and
close the doors in the prison, right. So, these are just
programmable logic controllers. This is one of the most
widely used in the world. Here's other prison diagram. This is a typical prison diagram. Each one of these are housing pods. And then there's an equipment room, which usually contains these
PLCs and a central control. Inside this equipment room, this is where the PLCs are and they control the opening
and closing of the doors in the prison. Now all of this kind of
information is available online. If you look in the right places. No matter who's making these devices, they provide this kind of
detail about their systems so that the users can
program them properly, maintain them properly. This is basically a simple diagram of the opening and closing of
the doors within this prison. Elliot could do this, right, but it still would've
taken him days, weeks, months to do this process. And he does it in a matter of hours. It is possible, it's out there, right. If you go to the, you know, you go to the manufacturer's websites and usually this will be
included in a document that'll be like 150 pages long, a PDF document that you can
go ahead and dig through and figure out how these
systems actually work. And then the next step he has to do is that he has to go ahead and
write a ladder logic program to control the PLCs. Ladder logic looks
something like this here. Yeah, I teach ladder
logic in my SCADA class and we use a trilogy, which is a training educational software for doing ladder logic. This is simple logic to run
the various devices in a plant. So, you're reading a device, waiting for the information to come. Then you're opening a
valve or closing a valve. This particular circuit
right here is running it. And then it takes a step through and it waits five seconds in the clock. And then it makes a manual decision, okay. Either to open or close. And it finishes that circuit. And then it goes through another, it goes through each one of, this is called ladder logic because it goes through this circuit and then this circuit and then this circuit. So, this is really
relatively simple stuff. The only issue is that you have
to understand what circuits you're actually working
with within the system. And that's why it's really
unrealistic to expect that Elliot did that in a matter of hours. One of the things that could be done okay, is that you could just throw
scatter a bunch of commands into the system and see
what happens, right. That's a possibility. But that would probably be detected. Now, I will just kinda give
you a hint that, you know, that's something that
can be used in cyber war, is that you can just send random commands into these systems and see what happens. And if it explodes, then you know you did the right thing. (both laugh) - What's unrealistic about
that is he's connected via this Bluetooth keyboard or a fake keyboard. And he's injected, he's injecting a whole bunch of stuff with no visibility of what's on the other side. Is that right? - Right, he, he has, the only visibility he has
is that he could pull up this schematic. This would be available to him. He could pull this up online
and find this schematic. And you can see that all the
circuits are detailed here. As you can see door fully open L3, LS3, LS2, is device fully locked. LS4, door fully closed. And then we have speeds
our, our LS5 and LS6. So, this is available to him online, but then he has to write the ladder logic to be able to control each
one of these various circuits, to be able to open and close the doors and notice that in, in the
show he talks about, well, let's open up all of the
doors and that way, nobody, nobody will be able to
connect this to me or you. All this information is
usually available online. This is available for one
particular prison system that I found online. - It's crazy that you
can just find this stuff. - They've gotta do this
for their clients, right. And no matter what PLC
you're talking about, whether it be Siemens
or Schneider Electric, they have these, these diagrams, these PDFs online that
give you a total breakdown of how the system works. Let's take a look at
one other things that, one of the things I did
is use some Google Dorks to find some of those SIMATIC PLCs. Here's the dork I used right here, inurl:/portal/portal/.mwsl These are our PLCs that are
connected via TCP/IP right. That's why we can connect to 'em. And we can go ahead and
find these things online and just found this one right here. Here it is, that anybody anywhere
in the world can connect to this S7-1200. Remember the one we looked at a little, little while ago was the S7-1500. It's a similar model. Not exactly the same, but we can go ahead and
look at its diagnostics. We can get its serial number. So, we know exactly what PLC this is. We know it's hardware number. We know what firmware's running, and this is without even logging in. - You literally just
type something in Google and you found this, yeah. - Exactly. Just here, here it is right here. It's just used, when you go back and show. - Just for everyone watching, I've had to blur this
because of YouTube rules. So I've blurred a lot of this,
- Oh. - But we'll but the information is there. - Oh, I'm sorry.
- No, don't worry. We'll just blur it out, that's fine. - We didn't hack it, okay. - No, no, no. - This is, this is available to anybody. This is just the portal that
the PLC provides to its users. And so what we're doing is
just using the same portal and notice that we haven't logged in. Right, this is what's into,
this is what's available to anybody. - It's like going to a website, yeah. - It's like going to a website, exactly. I haven't logged into the, anything, okay. You see, it looks like
this is a check system, that looks like check to me. So, it's, it's amazing
that all of this stuff is available.
- IP addresses, it's crazy. - Yeah. And here's the watch tables, user defined pages, the homepage of the application. Okay, takes us back to the plant. So, we can get more information. That looks like check to me, I don't know, but I, I don't read check, but it looks like it. In any case, So here's, this is just one Siemens. And this is one that is,
has the portal available to, for the maintenance and
control of this particular PLC. I don't know what plant
this is connected to, but these are available online
for anybody who wants to go ahead and read 'em. So, this puts the, here it is. Looks like it's a Farmer
Custom Fructoplant. I guess this is all gonna get blurred out. - Yeah, no, we'll have to blur it out. And, but I think the, the point is on the previous
video where we spoke about SCADA, we had some comments like, "We don't connect our SCADA
systems to the internet." And you've just shown like there, there's one straightaway. It took you like five seconds, yeah. - Yeah, it, there, there are millions of them
connected to the internet. Now, I give the people
who said that credit, that theirs are not okay. So, some plants are not, but most of them are online. Like the prison, the prison is offline for
good reason, right. (laughs) The prison. So, that's what made Elliot's
job so much more difficult is that he had to get inside the network. But many of 'em, you don't have to get inside the network. Not only can you see them
through their portal, but you can connect to them
through their maintenance port and send commands in and be able to read memory. So, you can pull out
their memory contents, you can send commands in to many of them. And so this is why I'm
so concerned about SCADA, is that so many of these facilities are online and they're not well protected. And this is a good example
of one that anybody could go ahead and just pull up online. And there's literally millions of them. And you can use Shodan to find them. You can use, you know, Google Dorks to find them, and you can connect right to them and, and pull all the information you need to be able to then go ahead
and study how they operate, get the schematics for it, and then be able to read its memory. And many of them, you can read their memory
and get the passwords that are built into memory. Just like Mimikatz. So Mimikatz, if you're not
familiar with it, folks is, is a tool that allows
you to pull the memory out of Windows system. And once you pull out the
memory on a Windows system, Mimikats then can parse
out the password in memory. The same thing applies here is
that once we are able to pull the memory out of the system, then we can pull the password. We can parse out the password from memory. So, these systems are all vulnerable. Not all of 'em, let's, let's be clear, many are vulnerable to attack. And Russia is learning
this at the very moment. At this very moment, Russia is learning how
vulnerable their systems are to this type of attack. - For everyone watching,
obviously, cause of YouTube, we can't show everything here, but you cover this in
your courses, don't you? - I do, yeah. And we have this course
coming up in September. So, I usually teach
this course once a year. It's kind of the, one of the specialty courses
that we offer at Hackers-Arise. Is, is one, I teach you
what, how these PLCs work. So, you have an understanding
of how they function. And then we look at various
ways that they can be exploited. And then also how you can make them safer. And there's many ways of
exploiting these systems. You know, one of the things that we haven't even talked about is that because these systems
usually cover many acres, sometimes miles, kilometers, right, there has to be communication
across these vast distances. Oftentimes the communication methods, whether it be wifi or
cellular or what have you are also vulnerable to being hacked. Once again, the issue
that Elliott had was that he couldn't get inside the network. So, even if the system's offline, okay. Say the system is offline, and if it's a system that
has to cover vast distances and like most of these facilities do, they're huge plants, they have to communicate and running cable isn't real, isn't realistic, okay. Especially running cable in a
system that has a lot of EMI. So, what they do is they
use various communication technologies to communicate
to different parts of the facility. And those communication
technologies are all, not all, many of them
are vulnerable to attack. Once you're inside the communication, then you're inside the facility, you're inside the network. And then you can literally send commands inside of the plant and rake havoc. - I'd love to show more
of this on YouTube, but you know, I, I don't
wanna lose my channel. So, I would suggest all of you go and go and look at Hacker-Arise. You've got, Occupy The Web, you've got a bunch of stuff
like in like blog articles and stuff on your website where people can see some information or they can sign up for
like your subscription. Is it the $37 a month thing where they? - It's $32.99 a month to
take the live courses. And the SCADA hacking course
is included in the live courses that are coming up in September. So, you can sign up and that'll
get you into that course. We have Metasploit coming up next month. We have web app hacking coming in July. I don't remember what we have in August, but we do have SCADA
coming up in September. - I think for everyone who's watching, please give us feedback. What would you like to see from Mr. Robot or other types of hacks? I think one that we've had feedback on was the hacking CCTV one, a lot of people were saying
like, "Show us a demo." So, maybe we can put up a camera somewhere or you've got some cameras
and we can show how to, how to actually do the
practical part of like CCTV or IP camera hacking
rather than just, you know, talking about it. - I can show you some real,
real cameras I can hack. - Yeah, the problem is I
can't show that on YouTube. That's, that's the frustration it's like, I'd love you to do it. But I mean, if you, if it's a system that we
have permission to look at, or it's a system that we own, then we can, then we can demo it. I know, I know you, you,
you can do this, but I mean. - We've hacked a lot of
cameras in, in Ukraine and I try to put one of those up every day on my Twitter account for people to see. Mostly I put it up there
for the Russians to see, okay, the idea is, is, Hey, look at, we can, we can watch you. Okay, we can see you. If you continue your bad behavior, then we, we will be able
to focus on your faces and bring this to the
international criminal court. It's it's not that hard to do. You know what we need to
do is maybe set up a lab so we can do it actually
for the YouTube channel. I have a student who has a,
who has volunteered his lab. So, we'll have to make
arrangements with him. - Yeah, that'd be great if we can do that in another video, unfortunately we cannot hack
anything that we don't have permission to attack. So, for our next video, have you, which, which Mr. Robot,
do you, video show, would you, would you like to cover, or which technology
would you like to cover? - We can do some Steganography where he hides all his data in his CDs. You know, I thought one of
the most intriguing ones at the end of the show when
he traces the Dark Army. So he uses his memory forensics to be able to trace the Dark Army. That was a good one. That was really complex. You know, it's not gonna
necessarily be interesting to a lot of people, but I liked it. You know, what he, people might like is
using the Raspberry Pi where he goes inside
of the storage facility and he connects a Raspberry
Pi into the HVAC system. - We said what, there're like 40 hacks or
something we can go through. So,
- There's a lot. - I'd vote, I'd vote for those two, but, - Okay, - Everyone who's watching
can vote for something else. Let us know what you want. - What people will also like is the, is how Angela stole, used Mimikats to steal her boss's password. And one of my favorites is how
Elliot hacked the cell phones of the FBI, which actually is- - That would be a good one. Yeah, I like that. - That's that's not hard to do really. So, what he did is that he used a device that acts as a cell tower. They put it under one of the desks and the FBI was in there doing their work and they connect it to the cell tower and he was able to listen
into all their conversations. And surprisingly, it's not that difficult if
you have physical access near the person that
you're trying to hack. And they were able to intercept
all of the phone calls. To me that the power of being
able to intercept phone calls is really, and that's a lot of power, and it's one that people don't
realize how easy it is to do. - I think we've got a lot to cover. We've got a lot to cover, yeah. - We've got a lot to cover, right. And one of the things at
some point in the future I'd like to do with you is
this Software-defined radio. - Yeah. I, I really like that actually. Yeah, Software-defined
radio would be great. Yeah. - Yeah, and we're, we're doing a class in Software-defined radio in July, yeah. We can, we can do like maybe a, a simple software-defined, like intro to software-define radio and do real base basic stuff. And then maybe do later
on do a more advanced one. - Occupy The Web, I'm gonna keep you busy for a long time. Really, thank you for
sharing your knowledge. Appreciate it. - I enjoy it. Thank you. Thanks for having me. - So everyone look forward
to a whole bunch of Mr. Robot sort of videos coming. Give us your feedback, stuff that you'd like to see. I think we've got a long list and hope you enjoy it. (soft beat music)