Hack like Mr Robot // WiFi, Bluetooth and Scada hacking

Captions
- We know what firmware is running, and this is without even logging in. - You literally just type something in Google and you found this, yeah. - Exactly. - You know, I don't wan`t to lose my channel. (OccupyTheWeb laughs) (soft beat music) Hey everyone. It's David Bombal, back with Occupy The Web. For those of you who haven't watched our previous videos, he's the author of this book. Fantastic book. If you wanna learn Linux from a hacking perspective. He's also got this book "Getting Started, Becoming a Master Hacker." Occupy The Web, welcome. - Thanks, David. Thanks for having me back again. - This book's getting updated, is that right? - It's getting updated and it's gonna be republished by No Starch Press under a new name. It's gonna be called "A Cyber Warrior Handbook." And it's gonna be totally rewritten with new tutorials and it's gonna be more targeted towards the cyber warrior than just the beginner hacker. It was originally scheduled to come out later this year, but the war kind of got in the way. The war has been taking a lot of my time that should have been spending and updating that book. But hopefully it'll be out this winter sometime. - A lot of you've given feedback about, you know, the content that you want to see. And I'm really happy to announce that OccupyTheWeb is gonna be doing a series of technical videos. So, we are gonna dive into like a bunch of technical details. And as part of this series, we are gonna be looking at Mr. Robot Hacks. OccupyTheWeb, on our previous video, you were telling me one of the problems with YouTube videos and perhaps with Mr. Robot and all these movies is, you know, it's not realistic. So, I'm hoping we can take like a Mr. Robot hack and you can show us like how it actually works in the real world. - Yeah, I'd love to do that. And let's start off with one of the best hacks in the show. And, and one of the things I'd like to do is to explain why I like Mr. Robot because, I like Mr. 
Robot, because he does real hacking, you know. - It's not because of the drugs yeah. - It's not because of the drugs, right. Drugs are a side benefit. (both laughing) The, the it's because it's real hacking. It may be a more compressed timeframe than reality. That's because it's a TV show and they can't spend hours and days just like on YouTube videos. But if you watch very carefully, he's actually doing hacks that are largely largely not all, largely realistic. It's really one of my favorite TV shows of all time. Not only because it's a hacker show, but you know, it's got Rami Malek. Those of you who may not be familiar with Rami, Rami is, is been an actor. He's been around a little while. And he's the guy who got the academy award for best actor for playing Freddie Mercury in Bohemian Rhapsody. Mr. Robot is really what made him famous. This is really what launched his career, was this TV show. And basically it's the story of a young man who probably is on the autistic spectrum. At least that's my interpretation. He displays a lot of characteristics that we associate with Asperger's. His kind of asocial behaviors, his inability to look people in the eye, he's kind of really sensitive to touch. He doesn't like to be touched. He's very, you know, he's very focused on what he's doing. These are all typical traits of somebody on the Asperger's spectrum. I can relate to this. I mean, if, if it's any help to you, I mean, that's probably very close to what I was in, when I was his age, okay. - That's amazing, yeah. - And you know, like him, he struggles with this kind of being able to relate to other human beings and I've worked on it all my life and I think I've done okay. I'm trying to be more social. So, not only can I relate to him as somebody who's a hacker, but I can also relate to kind of things he's suffering with. The things that he's trying to deal with in his everyday life. Obviously I love this show. 
And if you wanna, if you wanna know more about my personality, you can see a lot of me in Elliot. And Elliot is the main character, Elliot Alderson. You know, we start off the show where he's basically working as a cyber security engineer for what he refers to as Evil Corp. An Evil Corp is very large corporation who does a lot of bad stuff. They're probably responsible for both the, the death of his father and his best friend's mother, Angela. And he, you know, he struggles with this idea that he's protecting this evil corporation. His job is to protect some, a company who he hates. So, we see this constant struggle in his personality of what and how he should do this. That's kind of the beginning. What we're gonna do today is we're going to address, I think it's episode six. Season one, episode six, if I, if I remember correctly. - Yeah, that's right, yeah. - And the reason I like this particular- - I, I, I made sure about that. So, I made sure I watched it today to do my research. So, you did your research today as well, yeah? - My research was in enjoying watching Mr. Robot, which I could watch over and over and over again. So, I like this particular hack and those of you who know me and who are my students or have been to my website, know that I think that SCADA ICS is probably the most important area of hacking right now. These are the systems that run the world. Every facility, every refinery, manufacturing facility, electrical grid. These are all run by industrial control systems. And these industrial control systems are all run by what are called Programmable Logic Controllers, PLCs. These PLCs are all very simple computers, okay. That allow the operator to basically, you know, open valves, open doors, close doors. It runs the industrial world. I think it's been largely overlooked in terms of both security, cyber security and the role that these plants will play in any kind of cyber war, which, you know, we're in the middle of right now. 
And we've seen the Russians attack repeatedly, the industrial control systems of Ukraine. And you know, the Russians are feeling a little bit coming back at them right now. We won't go any deeper into it than that. In this episode, this is one of the most complex hacks that Elliot does. And there's a lot of reasons to like it. One, because it uses different technologies. It ends up where he's trying to hack his girlfriend out of prison. And of course the prisons are industrial control systems. So, what we're gonna do is we're gonna walk through what happens as Elliot tries to hack Shayla. Shayla has been kidnapped by the drug dealer, Vera is his name. And Vera is, is an evil guy. He's taken Shayla and he's holding her hostage. And he's told Elliot that he's not gonna let Shayla go until Elliot hacks him out of prison. And of course, Elliot says, "You gotta be kidding, right? This is, this is, this is crazy. I can't hack you outta prison." - He had to do it in one day as well. Is that right, yeah? - Exactly, so. - One day. So, so Vera was in jail and he's was Shayla was hostage, held hostage by his group, is that right? And he had to get Vera outta jail, but like tonight. - Tonight. - Yeah. - And he tells, he tells Vera, "I can't do that in one day." And you know, that's realistic. I mean, he's telling him that, you know, this kind of hack will take maybe weeks, months. Vera is not buying it. Vera knows he's gotta get outta jail tonight and he insists upon it. And so, Elliot has to come up with a solution. And the first solution he comes up with is that he has Darlene. Darlene's his kind of sidekick. - I think that's what they used, yeah. The rubber ducky. - Well, they tried. Yeah, they tried to use, - They tried this, yeah. - Essentially a rubber ducky. Yep. I mean, you can actually reprogram the firmware in any thumb drive to do what the rubber ducky does. 
So, rubber ducky is, is an example of a reprogrammed thumb drive that when you put it- - You gonna have to show us how to do that. If like, take any thumb drive to do something like that. Maybe that's for another video. - That's for another video, cause that's beyond what we can do right here. But basically you have to upgrade the firmware on the thumb drive so that it appears to be a keyboard. That's all it is. There's all kinds of different thumb drives, right? And so your thumb drive, normally the firmware in it tells your system that it's a storage device. You can flash the firmware of the flash drive and give it the information that it is a keyboard. And so now, when it plugs, it plugs into your machine, it's recognized as a keyboard and then the rubber ducky or the flash drive can send keystrokes into the system. So, you can immediately start setting keystrokes in and do basically whatever you want with the system. So, you can program keystrokes already in there. And that's the first attack that they try, okay. Is that Darlene put, uses a exploit from, I think they refer to the company as RAPID9, which is kind of a reference to RAPID7 who owns Metasploit and Elliott kind of scolds her and says, Hey, you know, what do you doing using, you know, a known exploit because it fails. It fails because the anti-virus detects it. So, let me back up a little bit. Darlene leaves these thumb drives all over the parking lot of the prison, hoping that somebody will pick it up and put it in a machine inside the prison. Because Elliot recognizes that prison systems are offline. The problem he has is how do I get inside the prison network? Most SCADA systems are online, prison systems and a few others are offline. Like things like dams and bridges and that type of thing, usually they're offline, but the prisons are offline. So, he realizes he has to get inside the network. He can't reach it from the outside. 
So, the idea is to drop these rubber duckies, like flash drives, somebody will pick it up, put it in the machine. And in the show, one of the guards does that. As the commands within the flash drive are beginning to take over, his antivirus detects it and stops it. So, that attack fails. And one of the beauties okay of Mr. Robot is it shows somebody failing in their attack, right? I mean, most shows don't show that. In reality, hackers spend a lot of time on failed attacks. In an earlier episode, we talked about the Stuxnet attack and how that took three years. And it failed many times during that three year period. And they kept on updating it to get it to work. It's more realistic that you see somebody actually failing, which you don't see in most movies and TV shows with hackers in. They always immediately get into the system in 30 seconds or less. So, he fails initially. So, he has to come up with a new plan. - Just to ask you the question, that rubber ducky piece was, was real world. Is that right? Or close to real world? - That's real. It's real world, yeah. It's, the rubber ducky you can buy as you showed, you can buy 'em at what Hak5 has 'em I think. And, but you can build your own either way they're, you know, you can do it. It's realistic. And it fails because she used a known exploit that was detected by the AV. That's realistic. If you use a known exploit, it's gonna get detected by the AV. Now, one of the things that she might have done in this, at this particular point in time is she might have gone ahead and tried to obscure the exploit. And tried to get it past the AV. She complained that she said, "Hey, well, I didn't have time to do this. You gave me like an hour to do it." And she's right. She couldn't build an exploit in an hour. Well, one of the things that was also kind of interesting at this point is that, notice that Elliot is trying to SSH into the system. 
That seemed kind of odd to me because if I were doing it and, and most hackers will do this, is that they'll put in a reverse shell that will call back to him. So, instead of him calling in, they have a reverse shell that'll call him and connect to him. I thought that was kind of unusual that they, they did it that way. So, Elliot's got this problem now. He's got hours, just hours to be able to take down the prison system. And so, he still hasn't figured out how to get inside the network. So, he goes and visits Vera into prison and he takes his phone with him and he uses his phone to scan for all the wifi network. So, he's using his phone. And those of you who have used Aircrack are familiar with this kind of scanner. There was a number of Android and iPhone applications that'll do the same thing. And what you can see here is that he's scanning on mon0. So, that's the interface and notice that he's pulling up, it says ESSIDs. These are really the BSSIDs. These are essentially the MAC addresses of all of the APs, and the channel that they're on and their encryption. And of course their power here. He sees, okay. He goes back to his phone. He says, "Oh damn, they're all WPA2. It'll take me days to be able to crack it." And that's, that's accurate. You can crack WPA2s, but it's a time consuming process. Can't do it in 30 seconds or three minutes. - Unless you watch my video where I show you to do it in 15 seconds. (both laugh) - Right, exactly. Exactly. - With a GPU, you know, it's exactly right. It really depends how lucky you are. - It depends. Really to be able to crack WPA2, basically what you're doing is you're trying to take a word list and match the word list to the password of the system. If somebody's used a very weak password, you can potentially crack it in a matter of seconds or minutes. 
I mean, if they've used, you know, a, a password that's the same as the ESSID, you might be able to do it in a matter of minutes, but Elliot looks at it and goes, realistically says, "I can't do this. I can't do this in hours. I need to find another way into the system." So, he's trying to figure this out. He's actually walking out of visiting Vera at the jail. And while he is walking out, he sees on his screen that somebody is connected to the internal network inside the jail. And it happens to be a police car. So, this gives him the idea. If I can get inside of his system, then I'll be inside of the prison's network. So, the question is, how does he get inside the squad car's laptop? And that's where we get to Bluetooth. - Just before we go there, can I ask you about the WPA thing just quickly? So, reality versus movies, which phone would you recommend to do? Is it Android? Or Android's gonna be the easiest to do this kind of stuff, or do you install Linux or something on a, on a phone? - You can either install, you know, there's NetHunter that is basically Kali on a phone, or you can just there's applications. You can just download both for the iPhone and for Android, that'll do the scanning, like in this picture that we just put up here. It doesn't tell us what this is, what the scanner it is, but just number 'em. Just go to the iPhone store, go to the, the Google play store and look for wifi scanners. And there's all whole slew of them that'll do this. - Yeah, so, that's just showing you the networks available. It's not showing, it's not letting you crack them. Is that right? Or is there specific app that you would use on a phone to crack it all? I mean, it's gonna take forever. So, you're gonna push that off to, to another, to a GB or something, yeah? - What you want to do is you want to capture the handshake, right. So, he's just scanning for the networks. 
And then if you're using Kali, you want to go ahead and use Airodump and Airodump will allow you to capture the handshake between the client and the AP. And then once you capture that handshake, inside that handshake is the hash of the password. And that's what you try to crack with. He realizes that's not realistic. He can't, he can't do that. So, he realizes that the police car has a dedicated cellular connection to the network inside the jail. And he sees that when he's walking out of the jail and he sees that that police car is connected inside that network. Immediately says, "Oh, I have a path inside the network of the jail. The path is, I have to get inside the laptop, inside the police car." (laughs) That's more difficult than you might think, right? Maybe you do think it's difficult and it is difficult, right. So, here's where, you know, things get a little sketchy here. He's using hciconfig to scan for the Bluetooth connections. And let me just show you how that works. All right, so, what I've done is I've just downloaded Bluez, it's outta the repository at Kali. And what it does is has multiple tools in it for Bluetooth hacking, okay. And Bluetooth manipulation. What I've done is I've got actually an external Linux, a Bluetooth adapter in the system. So, once I have these tools embedded, then I can go sudo, and then it's hc. This is what Elliott's doing in the show. hciconfig is just a tool similar to ifconfig that'll pull up all of the Bluetooth connections. And there it is, it shows me that my Bluetooth adapter and yours is probably gonna say "down" when you start. So, you have to start it and to do that, You go, sudo hciconfig, just like with ipconfig go up, and now you got it up and running. You can see here's the MAC address. Okay, let's go back to the, what. - Did you say you've got a dedicated Bluetooth adapter connected to your laptop yeah? - I did. 
- If you can gimme the device name, I'll put a link below so people can go and buy that if they want. - This one is actually a Panda. You can buy 'em on Amazon or Egghead or any of the various electronic stores. So, look for ones that, you know, have Bluetooth adapt, Bluetooth drivers for it. Some of the Windows ones won't work. Some of them will tell you they'll work in both. I've tried a number of 'em out. And usually the Windows ones simply won't work in Linux. So, make sure you get a Linux Bluetooth adapter. If you're running on a virtual machine like I am right now, of course you have to go ahead and attach it. So, you gotta go up here. This is virtual box. Gotta go up to USB and then make sure that, see, it says here Cambridge Silicon Radio. That's a chip set. It's actually, this is manufactured by Panda I believe. You also wanna make sure even before you get to this part, is you wanna go lsusb, to make sure what's connected to your USB and you see I've got, this is what's connected to my USB and here's my Cambridge Silicon Radio. Of course, Cambridge is a British firm. You see the LTD right there, and then let's go ahead and clear our screen. And so sudo hciconfig, this, let's look what it tells us. It tells us is on a USB Bus. It's a primary type. The name just like when you do ifconfig, the, it gives it a name for the adapter and the name is hci0. Yours might be hci1, it might be hci2, but usually it's gonna be hci0, just like your WLAN is usually wlan0. Your ethernet adapter is gonna be eth0. And then it gives you the address. This is the MAC address of the adapter. So, this is where he, you see in the, I'll go back to what he was showing on the show. You can see right here, hciconfig, hci0 up. He has two adapters. He's going to the second one and taking it up as well. And then he's got hciconfig, and he's pulling up the information, just like what we've done here. 
What we want to do now is that within this group of Bluetooth tools, there's a tool called hcitool. I'll just show you what it can do, pull up the help screen. And so of course, this is the help screen. That's what we're looking at right now. And it'll display the local devices, okay. Inquire. And these are remote devices. It'll scan for remote devices. And this is the next step that Elliot does is that he goes and heads and uses this tool to scan for Bluetooth devices in the area. And there's a number of other things, you can submit arbitrary HCI commands, you can do inquiries, but right now we're gonna kind of just do what Elliot did. And that's what he did is he went ahead and did hcitool scan. And it begins to scan. And what it's doing is it's looking for other Bluetooth devices. It pulls up one device, and this is, these are the speaker system in my office. Let's go ahead and turn on some other Bluetooth devices and see if we can see them as well. - It's really impressive that the show's so true though. And I can see why you like it. - Oh, I, I, I love this show. And so I'm glad that you had agreed to do the hacks, cause there's a lot of great hacks in this show. - No, we almost covered them all I think. So, let's just ask the audience. Do you want Occupy The Web to do like all of them? Just put in the comments below, the, you know, the ones that you really want to see and we can perhaps prioritize some of, of the others. - I'm gonna go ahead and try another, do another scan. I just turned on another, another device. This is very similar to, like I said, any type of scanning tool, sometimes it's gonna work, sometimes it's not, but you get the idea that it, there we go, okay. I just turned on another, another speaker system. So, this is what Elliott's doing. He's going out and he's scanning for these devices. What he does is he finds the device, the Bluetooth device in the laptop of the police car. Then he does an hcitool inquiry. Let's do that. 
Sudo hcitool inquiry. And this gives us even more information about the devices. Okay. So, it gives us the class. And this is key. If you go to the Bluetooth websites, the Special Interest Group website. So, here's the devices and these are just the numbers, okay. And the classes of all the devices, and this is kind of the key to hacking Bluetooth is to understand that Bluetooth devices are basically telling us what type of device they are. Here's another, here's a better one. I got another one up here for you. And you can see the classes and the ones that we just pulled up a minute ago, right, were speakers. These are all peripheral devices. So, when you connect to a Bluetooth device, it tells the other device that's trying to pair with it, what type of a device it is. Is it a wearable headset? Is it joystick for Nintendo? Like this one is here. It's a portable game controller. It communicates to the other device what it is. Notice that this one here is a keyboard, it's device, it's class 002540. That means when you connect to this Bluetooth device, it says I'm a keyboard, allow me to send keystrokes, okay, into your system. And there's really no way for the system to check if that's real or not. So, this is what Elliot takes advantage of. In the show, he uses a device called MultiBlue. They don't manufacture 'em anymore, unfortunately, but basically what it is is this, it's a Bluetooth device that communicates, okay, that I am a keyboard. If you have a Bluetooth based keyboard, I'm working on a Bluetooth keyboard right now in this show. That's what this device does, okay. It says I'm a keyboard, let me send keyboard keystrokes to you, the other end of the connection. Elliot uses this, which used to cost, I think I bought mine for about $35, but basically once again, it's a Bluetooth dongle that has been basically flashed with a different class, okay. A class that says, Hey, I am a keyboard. 
So Elliot, what he does, is that he gets Darlene to kind of flirt with the cop. It's social engineering. Elliot is standing, is in a car nearby, okay. Bluetooth has a capability of connecting up to like a 100 meters, he's within that range and he's able to connect to the Bluetooth device in the police car. He uses a tool called Spooftooth. It's also, I believe spooftooth is in the repository. So , let's just quickly take a look and see if it is, and let's put in install in there. There it is. It's already installed on my system. Just like you can spoof an IP address or you can spoof a MAC address. It allows you to spoof a Bluetooth device. So what Elliot does is that he goes and spoofs the MAC address of one of these devices in the policeman's car. Does a, a scan like we did here. He gets the MAC address off the Bluetooth in the cop car, and then he spoofs it, okay. Here's the synopsis Bluetooth dash I device. And then specify a new BD ADDR. Right, and that's what we want to do. Let's go ahead and create this. It's pasting in the MAC address. And then it's the, the dash N for name right here. Specify the new name. Okay, dash N and then it's gonna be car537. So, what we're doing is we're assigning a new MAC address and a new name for that device. And you see it came back and said, Hey, address has been changed. Oh. And it came back. It said the address was changed, but it can't open the device. No such device. It dropped the device it looks like. So, let's try reconnecting it again, yeah. See, it's dropped the, the Cambridge Silicon Radio. Let's go ahead and try that again. - I think the lesson is like, you've always said it's stuff doesn't work perfectly the first time. That's reality versus TV, yeah. - Exactly, yeah. This is, and this is actually a notice here that it's down. When I went and reconnected it again, it's down. So, what we have to do is go hciconfig, hci0 up. All right. Okay, now when I do hciconfig, you'll see that it's up. 
- Reality, and that's, I'm glad to see you doing this because it it's reality for all of us, yeah. - Yeah, so, there it is up and running. All right. So, we're gonna try this command again, to be able to spoof this. So, we're gonna go ahead and run the hcitool, and then we're gonna scan. One of the things that I have found is that by using a, here we go, we got both of those devices. Sometimes the virtual machines will drop the devices that are external, okay. And that's what we're, we're dealing with here. But so we, got both of 'em. We scanned, imagine that one of these is car57, all right. And then what we're gonna do is then we're gonna try to spoof it. We're using hci0 as our device name. This is the MAC address we were trying to spoof and we're gonna name it car357. Hopefully virtual box doesn't drop our adapter. Let's go ahead and do it. It just dropped it. I could hear the sound of it dropping it. It did change the address. You can see that the device has been changed to 7C:96:D2:08:86:36 And if we didn't drop the adapter, we, it would also rename it so that it appears not only does it appear technically at, by the MAC address, but it also has a name that is recognizable, human readable name, that would be recognized by the police officer. So, this is the way that he goes ahead and spoofs the Bluetooth device. Now, this particular hack was done in, oh, about 2014. And some of the early Bluetooth, you could do this type of spoofing. In the more recent Bluetooth, you're gonna have more difficulty doing this because they're gonna, to be able to spoof it, you're gonna have to pair them. And even though you spoof the device name and the MAC address, you're still gonna have to pair 'em. So, it's gonna be one extra step there that they don't show in the show. So, he's now got himself inside the police car's laptop. - So, was he spoofing the, the, the keyboard, is that right? And that's what he was trying to do. Is that correct? 
- He's, he's taking the keyboard, that MultiBlue device, and he's making the laptop believe that it's a Bluetooth device that's already connected to his system. Cause normally when you want to connect a Bluetooth device, you have to pair it, right? And you have the, the pairing process. What he's doing is just saying, okay, I am the device that's already been paired on the laptop. And then once he has that pairing taking place, now he can use this device to inject commands into the cop car's laptop. And that's where things get interesting and maybe a little bit unrealistic. So, what he's doing now is that now once he's inside the cop car's laptop, he's inside the network of the detention center, of the jail. So, now what he has to do is he has to be able to inject commands into the prison, the jail, to be able to open up the doors. This is a little bit unrealistic. Normally what you would do in a situation like this is you would go and you would find the wiring diagram for that particular device. And there are almost all online. There's a block diagram of the PLC. These are almost all the same. The diagram is the same. Here's a, here's the one that's often used in the prison system. This is a, Siemens SIMATIC S7-1500, which was actually the same one that was used in the Stuxnet attack. - So, that's what was used to open and close the doors in the prison, in the movie so-called, yeah. - This is what's opening and close the doors in the prison, right. So, these are just programmable logic controllers. This is one of the most widely used in the world. Here's other prison diagram. This is a typical prison diagram. Each one of these are housing pods. And then there's an equipment room, which usually contains these PLCs and a central control. Inside this equipment room, this is where the PLCs are and they control the opening and closing of the doors in the prison. Now all of this kind of information is available online. If you look in the right places. 
No matter who's making these devices, they provide this kind of detail about their systems so that the users can program them properly, maintain them properly. This is basically a simple diagram of the opening and closing of the doors within this prison. Elliot could do this, right, but it still would've taken him days, weeks, months to do this process. And he does it in a matter of hours. It is possible, it's out there, right. If you go to the, you know, you go to the manufacturer's websites and usually this will be included in a document that'll be like 150 pages long, a PDF document that you can go ahead and dig through and figure out how these systems actually work. And then the next step he has to do is that he has to go ahead and write a ladder logic program to control the PLCs. Ladder logic looks something like this here. Yeah, I teach ladder logic in my SCADA class and we use a trilogy, which is a training educational software for doing ladder logic. This is simple logic to run the various devices in a plant. So, you're reading a device, waiting for the information to come. Then you're opening a valve or closing a valve. This particular circuit right here is running it. And then it takes a step through and it waits five seconds in the clock. And then it makes a manual decision, okay. Either to open or close. And it finishes that circuit. And then it goes through another, it goes through each one of, this is called ladder logic because it goes through this circuit and then this circuit and then this circuit. So, this is really relatively simple stuff. The only issue is that you have to understand what circuits you're actually working with within the system. And that's why it's really unrealistic to expect that Elliot did that in a matter of hours. One of the things that could be done okay, is that you could just throw scatter a bunch of commands into the system and see what happens, right. That's a possibility. But that would probably be detected. 
Now, I will just kinda give you a hint that, you know, that's something that can be used in cyber war, is that you can just send random commands into these systems and see what happens. And if it explodes, then you know you did the right thing. (both laugh) - What's unrealistic about that is he's connected via this Bluetooth keyboard or a fake keyboard. And he's injected, he's injecting a whole bunch of stuff with no visibility of what's on the other side. Is that right? - Right, he, he has, the only visibility he has is that he could pull up this schematic. This would be available to him. He could pull this up online and find this schematic. And you can see that all the circuits are detailed here. As you can see door fully open L3, LS3, LS2, is device fully locked. LS4, door fully closed. And then we have speeds our, our LS5 and LS6. So, this is available to him online, but then he has to write the ladder logic to be able to control each one of these various circuits, to be able to open and close the doors and notice that in, in the show he talks about, well, let's open up all of the doors and that way, nobody, nobody will be able to connect this to me or you. All this information is usually available online. This is available for one particular prison system that I found online. - It's crazy that you can just find this stuff. - They've gotta do this for their clients, right. And no matter what PLC you're talking about, whether it be Siemens or Schneider Electric, they have these, these diagrams, these PDFs online that give you a total breakdown of how the system works. Let's take a look at one other things that, one of the things I did is use some Google Dorks to find some of those SIMATIC PLCs. Here's the dork I used right here, inurl:/portal/portal/.mwsl These are our PLCs that are connected via TCP/IP right. That's why we can connect to 'em. And we can go ahead and find these things online and just found this one right here. 
Here it is, that anybody anywhere in the world can connect to this S7-1200. Remember the one we looked at a little, little while ago was the S7-1500. It's a similar model. Not exactly the same, but we can go ahead and look at its diagnostics. We can get its serial number. So, we know exactly what PLC this is. We know its hardware number. We know what firmware's running, and this is without even logging in. - You literally just type something in Google and you found this, yeah. - Exactly. Just here, here it is right here. It's just used, when you go back and show. - Just for everyone watching, I've had to blur this because of YouTube rules. So I've blurred a lot of this, - Oh. - But we'll, but the information is there. - Oh, I'm sorry. - No, don't worry. We'll just blur it out, that's fine. - We didn't hack it, okay. - No, no, no. - This is, this is available to anybody. This is just the portal that the PLC provides to its users. And so what we're doing is just using the same portal and notice that we haven't logged in. Right, this is what's into, this is what's available to anybody. - It's like going to a website, yeah. - It's like going to a website, exactly. I haven't logged into the, anything, okay. You see, it looks like this is a Czech system, that looks like Czech to me. So, it's, it's amazing that all of this stuff is available. - IP addresses, it's crazy. - Yeah. And here's the watch tables, user defined pages, the homepage of the application. Okay, takes us back to the plant. So, we can get more information. That looks like Czech to me, I don't know, but I, I don't read Czech, but it looks like it. In any case, so here's, this is just one Siemens. And this is one that is, has the portal available to, for the maintenance and control of this particular PLC. I don't know what plant this is connected to, but these are available online for anybody who wants to go ahead and read 'em. So, this puts the, here it is. Looks like it's a Farmer Custom Fructoplant. 
I guess this is all gonna get blurred out. - Yeah, no, we'll have to blur it out. And, but I think the, the point is on the previous video where we spoke about SCADA, we had some comments like, "We don't connect our SCADA systems to the internet." And you've just shown like there, there's one straightaway. It took you like five seconds, yeah. - Yeah, it, there, there are millions of them connected to the internet. Now, I give the people who said that credit, that theirs are not, okay. So, some plants are not, but most of them are online. Like the prison, the prison is offline for good reason, right. (laughs) The prison. So, that's what made Elliot's job so much more difficult is that he had to get inside the network. But many of 'em, you don't have to get inside the network. Not only can you see them through their portal, but you can connect to them through their maintenance port and send commands in and be able to read memory. So, you can pull out their memory contents, you can send commands in to many of them. And so this is why I'm so concerned about SCADA, is that so many of these facilities are online and they're not well protected. And this is a good example of one that anybody could go ahead and just pull up online. And there's literally millions of them. And you can use Shodan to find them. You can use, you know, Google Dorks to find them, and you can connect right to them and, and pull all the information you need to be able to then go ahead and study how they operate, get the schematics for it, and then be able to read its memory. And many of them, you can read their memory and get the passwords that are built into memory. Just like Mimikatz. So Mimikatz, if you're not familiar with it, folks, is, is a tool that allows you to pull the memory out of a Windows system. And once you pull out the memory on a Windows system, Mimikatz then can parse out the password in memory. 
The same thing applies here is that once we are able to pull the memory out of the system, then we can pull the password. We can parse out the password from memory. So, these systems are all vulnerable. Not all of 'em, let's, let's be clear, many are vulnerable to attack. And Russia is learning this at the very moment. At this very moment, Russia is learning how vulnerable their systems are to this type of attack. - For everyone watching, obviously, 'cause of YouTube, we can't show everything here, but you cover this in your courses, don't you? - I do, yeah. And we have this course coming up in September. So, I usually teach this course once a year. It's kind of the, one of the specialty courses that we offer at Hackers-Arise. Is, is one, I teach you what, how these PLCs work. So, you have an understanding of how they function. And then we look at various ways that they can be exploited. And then also how you can make them safer. And there's many ways of exploiting these systems. You know, one of the things that we haven't even talked about is that because these systems usually cover many acres, sometimes miles, kilometers, right, there has to be communication across these vast distances. Oftentimes the communication methods, whether it be Wi-Fi or cellular or what have you, are also vulnerable to being hacked. Once again, the issue that Elliot had was that he couldn't get inside the network. So, even if the system's offline, okay. Say the system is offline, and if it's a system that has to cover vast distances and like most of these facilities do, they're huge plants, they have to communicate and running cable isn't real, isn't realistic, okay. Especially running cable in a system that has a lot of EMI. So, what they do is they use various communication technologies to communicate to different parts of the facility. And those communication technologies are all, not all, many of them are vulnerable to attack. 
Once you're inside the communication, then you're inside the facility, you're inside the network. And then you can literally send commands inside of the plant and wreak havoc. - I'd love to show more of this on YouTube, but you know, I, I don't wanna lose my channel. So, I would suggest all of you go and go and look at Hackers-Arise. You've got, Occupy The Web, you've got a bunch of stuff like in like blog articles and stuff on your website where people can see some information or they can sign up for like your subscription. Is it the $37 a month thing where they? - It's $32.99 a month to take the live courses. And the SCADA hacking course is included in the live courses that are coming up in September. So, you can sign up and that'll get you into that course. We have Metasploit coming up next month. We have web app hacking coming in July. I don't remember what we have in August, but we do have SCADA coming up in September. - I think for everyone who's watching, please give us feedback. What would you like to see from Mr. Robot or other types of hacks? I think one that we've had feedback on was the hacking CCTV one, a lot of people were saying like, "Show us a demo." So, maybe we can put up a camera somewhere or you've got some cameras and we can show how to, how to actually do the practical part of like CCTV or IP camera hacking rather than just, you know, talking about it. - I can show you some real, real cameras I can hack. - Yeah, the problem is I can't show that on YouTube. That's, that's the frustration, it's like, I'd love you to do it. But I mean, if you, if it's a system that we have permission to look at, or it's a system that we own, then we can, then we can demo it. I know, I know you, you, you can do this, but I mean. - We've hacked a lot of cameras in, in Ukraine and I try to put one of those up every day on my Twitter account for people to see. 
Mostly I put it up there for the Russians to see, okay, the idea is, is, Hey, look at, we can, we can watch you. Okay, we can see you. If you continue your bad behavior, then we, we will be able to focus on your faces and bring this to the International Criminal Court. It's, it's not that hard to do. You know what we need to do is maybe set up a lab so we can do it actually for the YouTube channel. I have a student who has a, who has volunteered his lab. So, we'll have to make arrangements with him. - Yeah, that'd be great if we can do that in another video, unfortunately we cannot hack anything that we don't have permission to attack. So, for our next video, have you, which, which Mr. Robot, do you, video show, would you, would you like to cover, or which technology would you like to cover? - We can do some steganography where he hides all his data in his CDs. You know, I thought one of the most intriguing ones at the end of the show when he traces the Dark Army. So he uses his memory forensics to be able to trace the Dark Army. That was a good one. That was really complex. You know, it's not gonna necessarily be interesting to a lot of people, but I liked it. You know, what he, people might like is using the Raspberry Pi where he goes inside of the storage facility and he connects a Raspberry Pi into the HVAC system. - We said what, there're like 40 hacks or something we can go through. So, - There's a lot. - I'd vote, I'd vote for those two, but, - Okay, - Everyone who's watching can vote for something else. Let us know what you want. - What people will also like is the, is how Angela stole, used Mimikatz to steal her boss's password. And one of my favorites is how Elliot hacked the cell phones of the FBI, which actually is- - That would be a good one. Yeah, I like that. - That's, that's not hard to do really. So, what he did is that he used a device that acts as a cell tower. 
They put it under one of the desks and the FBI was in there doing their work and they connected to the cell tower and he was able to listen in to all their conversations. And surprisingly, it's not that difficult if you have physical access near the person that you're trying to hack. And they were able to intercept all of the phone calls. To me, the power of being able to intercept phone calls is really, and that's a lot of power, and it's one that people don't realize how easy it is to do. - I think we've got a lot to cover. We've got a lot to cover, yeah. - We've got a lot to cover, right. And one of the things at some point in the future I'd like to do with you is this software-defined radio. - Yeah. I, I really like that actually. Yeah, software-defined radio would be great. Yeah. - Yeah, and we're, we're doing a class in software-defined radio in July, yeah. We can, we can do like maybe a, a simple software-defined, like intro to software-defined radio and do real basic stuff. And then maybe do later on do a more advanced one. - Occupy The Web, I'm gonna keep you busy for a long time. Really, thank you for sharing your knowledge. Appreciate it. - I enjoy it. Thank you. Thanks for having me. - So everyone look forward to a whole bunch of Mr. Robot sort of videos coming. Give us your feedback, stuff that you'd like to see. I think we've got a long list and hope you enjoy it. (soft beat music)
Info
Channel: David Bombal
Views: 2,131,339
Keywords: mr robot, rami malek, elliot alderson, mr robot tv show, mr robot clips, revolutionary hacks, mr. robot, mr robot hacking, bluetooth, bluetooth hacking, bluetooth hack, hacker, hacker movie, hacking, hack bluetooth speaker, hack bluetooth, hack bluetooth devices, hack bluetooth kali linux, mr robot scada, scada, scada hacks, google dorks, kali linux tutorial, kali linux hacking tutorials, how to hack wifi password, kali linux, hack, mr robot hack, mr robot hacks explained
Id: 3yiT_WMlosg
Length: 45min 22sec (2722 seconds)
Published: Sun Jun 05 2022