Hack like Mr Robot __ WiFi, Bluetooth and Scada hacking (English auto-generated subtitles, transcript)

We know what firmware is running, and this is without even logging in. You literally just typed something in Google and you found this? Yeah, exactly. You know, I don't want to lose my channel.

[Music]

Hey everyone, it's David Bombal, back with OccupyTheWeb. For those of you who haven't watched our previous videos, he's the author of this book, fantastic book if you want to learn Linux from a hacking perspective. He's also got this book, Getting Started Becoming a Master Hacker. OccupyTheWeb, welcome.

Thanks, David, thanks for having me back again.

This book's getting updated, is that right?

It's getting updated and it's going to be republished by No Starch Press under a new name. It's going to be called the Cyber Warrior Handbook, and it's going to be totally rewritten with new tutorials, and it's going to be more targeted towards the cyber warrior than just the beginner hacker. It was originally scheduled to come out later this year, but the war kind of got in the way. The war has been taking a lot of my time that I should have been spending on updating that book, but hopefully it'll be out this winter sometime.

A lot of you have given feedback about, you know, the content that you want to see, and I'm really happy to announce that OccupyTheWeb is going to be doing a series of technical videos. So we're going to dive into, like, a bunch of technical details, and as part of this series we're going to be looking at Mr. Robot hacks. OccupyTheWeb, on our previous video you were telling me one of the problems with YouTube videos, and perhaps with Mr. Robot and all these movies, is, you know, it's not realistic. So I'm hoping we can take, like, a Mr. Robot hack and you can show us, like, how it actually works in the real world.

Yeah, I'd love to do that, and let's start off with one of the best hacks in the show. And one of the things I'd like to do is to explain why I like Mr. Robot, because I like Mr. Robot because he does real hacking.

It's not because of the drugs?

Yeah, it's not because of drugs, right. Drugs are a side benefit. [Laughter] It's because it's real hacking. It may be a more compressed time frame than reality; that's because it's a TV show and they can't spend hours and days, just like on YouTube videos. But if you watch very carefully, he's actually doing hacks that are largely (largely, not all, largely) realistic. It's really one of my favorite TV shows of all time, not only because it's a hacker show, but, you know, it's got Rami Malek. Those of you who may not be familiar with Rami: he's been an actor, he's been around a little while, and he's the guy who got the Academy Award for Best Actor for playing Freddie Mercury in Bohemian Rhapsody. Mr. Robot is really what made him famous. This is really what launched his career, was this TV show. And basically it's the story of a young man who probably is on the autistic spectrum, at least that's my interpretation. He displays a lot of characteristics that we associate with Asperger's: his kind of asocial behaviors, his inability to look people in the eye, he's kind of really sensitive to touch, he doesn't like to be touched, he's very, you know, he's very focused on what he's doing. These are all typical traits of somebody on the Asperger's spectrum. I can relate to this. I mean, if it's any help to you, I mean, that's probably very close to what I was when I was his age.

Okay, that's amazing.

Yeah, and, you know, like him, he struggles with this kind of being able to relate to other human beings, and I've worked on it all my life and I think I've done okay in trying to be more social. So not only can I relate to him as somebody who's a hacker, but I can also relate to the kind of thing he's suffering with, the things that he's trying to deal with in his everyday life. Obviously I love this show, and if you want to know more about my personality you can see a lot of me in Elliot. And Elliot is the main character, Elliot Alderson. You know, we started off the show where he's basically working as a cyber security engineer for what he refers to as Evil Corp. And Evil Corp is a very large corporation who does a lot of bad stuff. They're probably responsible for both the death of his father and his best friend's mother, Angela. And he, you know, he struggles with this idea that he's protecting this evil, this evil corporation. His job is to protect a company who he hates. So we see this constant struggle in his personality of what and how he should do this. That's kind of the beginning.

What we're gonna do today is we're going to address, I think it's episode six, season one, episode six, if I remember correctly.

That's right, yeah.

And the reason I like this, I made sure about that, so I made sure I watched it today to do my research.

So you did your research today as well?

Yeah, my research was enjoying watching Mr. Robot, which I could watch over and over and over again. So I like this particular hack, and those of you who know me and who are my students or have been to my website know that I think that SCADA/ICS is probably the most important area of hacking right now. These are the systems that run the world. Every facility, every refinery, manufacturing facility, electrical grid, these are all run by industrial control systems, and these industrial control systems are all run by what are called programmable logic controllers, PLCs. These PLCs are all very simple computers, okay, that allow the operator to basically, you know, open valves, open doors, close doors. It runs the industrial world. I think it's been largely overlooked in terms of both security, cyber security, and the role that these plants will play in any kind of cyber war, which, you know, we're in the middle of right now. And we've seen the Russians attack repeatedly the industrial control systems of Ukraine, and, you know, the Russians are feeling a little bit coming back at them right now. We won't go any deeper into it than that.

In this episode, this is one of the most complex hacks that Elliot does, and there's a lot of reasons to like it. One, because it uses different technologies. It ends up where he's trying to hack his girlfriend out of prison, and of course the prisons are industrial control systems. So what we're going to do is we're going to walk through what happens. Elliot tries to hack Shayla... Shayla has been kidnapped by the drug dealer, Vera is his name, and Vera is an evil guy. He's taken Shayla and he's holding her hostage, and he's told Elliot that he's not gonna let Shayla go until Elliot hacks him out of prison. And of course Elliot says, you got to be kidding, right? This is crazy, I can't hack you out of prison.

Yeah, he did it in one day as well, is that right?

Yeah, exactly, so one day.

So Vera was in jail and, well, Shayla was held hostage by his group, is that right? And he had to get Vera out of jail, but like tonight.

Tonight, yeah. And he tells Vera, I can't do that in one day. And, you know, that's realistic. I mean, he's telling him that, you know, this kind of hack will take maybe weeks, months. Vera's not buying it. Vera knows he's got to get out of jail tonight and he insists upon it. And so Elliot has to come up with a solution, and the first solution he comes up with is that he has Darlene, Darlene's his kind of sidekick...

I think that's what they used, yeah, the Rubber Ducky?

Well, they tried, yeah, they tried to, essentially a Rubber Ducky, yep. I mean, you can actually reprogram the firmware in any thumb drive to do what the Rubber Ducky does. So Rubber Ducky is an example of a reprogrammed thumb drive that when you put it...

You have to show us how to do that, if you, like, take any thumb drive to do something like that. Maybe that's for another video.

That's for another video, because that's beyond what we can do right here. But yeah, basically you have to upgrade the firmware on the thumb drive so that it appears to be a keyboard. That's all it is. There's all kinds of different thumb drives, right, and so your thumb drive, normally the firmware in it tells your system that it's a storage device. You can flash the firmware of the flash drive and give it the information that it is a keyboard, and so now when it plugs into your machine it's recognized as a keyboard, and then the Rubber Ducky or the flash drive can send keystrokes into the system. So you can immediately start sending keystrokes in and do basically whatever you want with the system. So you can program keystrokes already in there, and that's the first attack that they try, okay, is that Darlene uses an exploit from, I think they refer to the company as Rapid9, which is kind of a reference to Rapid7, who owns Metasploit. And Elliot kind of scolds her and says, hey, you know, what are you doing using, you know, a known exploit? Because it fails. It fails because the antivirus detects it.

So let me back up a little bit. Darlene leaves these thumb drives all over the parking lot of the prison, hoping that somebody will pick it up and put it in a machine inside the prison, because Elliot recognizes that prison systems are offline. The problem he has is, how do I get inside the prison network? Most SCADA systems are online. Prison systems and a few others are offline, like things like dams and bridges and that type of thing, usually they're offline, but the prisons are offline. So he realizes he has to get inside the network; he can't reach it from the outside. So the idea is to drop these Rubber Ducky-like flash drives, somebody will pick it up, put it in the machine, and in the show one of the guards does that. As the commands within the flash drive are beginning to take over, his antivirus detects it and stops it. So that attack fails, and one of the beauties, okay, of Mr. Robot is it shows somebody failing in their attack, right? I mean, most shows don't show that. In reality, hackers spend a lot of time on failed attacks. In an earlier episode we talked about the Stuxnet attack and how that took three years and it failed many times during that three-year period, and they kept on updating it to get it to work. It's more realistic that you see somebody actually failing, which you don't see in most movies and TV shows with hackers. They always immediately get into the system in 30 seconds or less. So he fails initially, so he has to come up with a new plan.

Just to ask you the question, that Rubber Ducky piece was real world, is that right, or close?

It's real world, yeah. It's the Rubber Ducky you can buy, as you showed, you can buy them at, what, Hak5 has, I think.

Yeah.

And but you can build your own either way. There, you know, you can do it. It's realistic, and it fails because she used a known exploit that was detected by the AV. That's realistic. If you use a known exploit, it's going to get detected by the AV. Now one of the things that she might have done at this particular point in time is she might have gone ahead and tried to obscure the exploit and try to get it past the AV. She complained, she said, hey, I didn't have time to do this, you gave me like an hour to do it. And she's right, she couldn't build an exploit in an hour. Well, one of the things that was also kind of interesting at this point is that, notice that Elliot is trying to SSH into the system. That seemed kind of odd to me, because if I were doing it, and most hackers will do this, is that they'll put in a reverse shell that will call back to him. So instead of him calling in, they have a reverse shell that'll call him and connect to him. I thought that was kind of unusual that they did it that way.

So Elliot's got this problem now. He's got hours, just hours, to be able to take down the prison system, and so he still hasn't figured out how to get inside the network. So he goes and visits Vera in the prison and he takes his phone with him, and he uses his phone to scan for all the Wi-Fi networks. So he's using his phone, and those of you who have used aircrack are familiar with this kind of scanner. There's a number of Android and iPhone applications that'll do the same thing. And what you can see here is that he's scanning on mon0, so that's the interface, and notice that he's pulling up, it says ESSIDs. These are really the SSIDs, these are essentially the MAC addresses of all of the APs and the channel that they're in and their encryption and of course their power. Here he sees, okay, he goes back to his phone, he sees, oh damn, they're all WPA2. It'll take me days to be able to crack it. And that's accurate. You can crack WPA2s, but it's a time-consuming process. Can't do it in 30 seconds or three minutes.

Unless you watch my video where I show you to do it in 15 seconds.

Right, exactly, exactly. With a GPU, you know, it's exactly right. It really depends how lucky... it depends, really. To be able to crack WPA2, basically what you're doing is you're trying to take a word list and match the word list to the password of the system. If somebody's used a very weak password, you can potentially crack it in a matter of seconds or minutes. I mean, if they've used, you know, a password that's the same as the ESSID, you might be able to do it in a matter of minutes. But Elliot looks at it and goes, realistically, says, I can't do this, I can't do this in hours, I need to find another way into the system. So he's trying to figure this out. He's actually walking out of visiting Vera at the jail, and while he's walking out he sees on his screen that somebody is connected to the internal network inside the jail, and it happens to be a police car. So this gives him the idea: if I can get inside of his system, then I'll be inside of the prison's network. So the question is, how does he get inside the squad car's laptop? And that's where we get to Bluetooth.

Just before we go there, can I ask you about the WPA thing just quickly? So reality versus movies, which phone would you recommend? Is it Android, or Android's gonna be the easiest to do this kind of stuff, or do you install Linux or something on a phone?

You can either install, you know, there's NetHunter that is basically Kali on a phone, or you can just, there's applications you can just download, both for the iPhone and for Android, that'll do the scanning like in this picture that we just put up here. It doesn't tell us what this is, what the scanner it is, but there's a number of them. Just go to the iPhone store, go to the Google Play Store and look for Wi-Fi scanners and there's a whole slew of them that'll do this.

Yeah, so that's just showing you the networks available. It's not showing, it's not letting you crack them, is that right? Or is there a specific app that you would use on a phone to crack at all? I mean, it's going to take forever, so you're going to push that off to another, to a GPU or something?

Yeah, what you want to do is you want to capture the handshake, right? So he's just scanning for the networks, and then if you're using Kali you want to go ahead and use airodump, and airodump will allow you to capture the handshake between the client and the AP. And then once you capture that handshake, inside that handshake is the hash of the password, and that's what you try to crack with. He realizes that's not realistic, he can't, you can't do that. So he realizes that the police car has a dedicated cellular connection to the network inside the jail. He sees that when he's walking out of the jail, and he sees that that police car is connected inside that network. Immediately says, oh, I have a path inside the network of the jail. The path is, I have to get inside the laptop inside the police car. That's more difficult than you might think, right? Maybe you do think it's difficult, and it is difficult, right? So here's where, you know, things get a little sketchy here. He's using hciconfig to scan for the Bluetooth connections, and let me show you how that works.

All right, so what I've done is I've just downloaded BlueZ. It's out of the repository at Kali, and what it does is has multiple tools in it for Bluetooth hacking, okay, and Bluetooth manipulation. What I've done is I've got actually an external Linux Bluetooth adapter in the system. So once I have these tools embedded, then I can go sudo and then it's hc... this is what Elliot's doing in the show. hciconfig is just a tool similar to ifconfig that'll pull up all of the Bluetooth connections, and there it is. It shows me that my Bluetooth adapter... and yours is probably going to say DOWN when you start, so you have to start it, and to do that you go sudo hciconfig, just like with ipconfig, go up, and now you got it up and running. You can see here's the MAC address, okay.

Let's go back to the... what, did you say you've got a dedicated Bluetooth adapter connected to your laptop?

I did.

If you can give me the device name, I'll put a link below so people can go and buy that if they want.

This one is actually a Panda. You can buy them on Amazon or egghead or any of the various electronics stores. So look for ones that, you know, have Bluetooth adapt... and Bluetooth drivers for... some of the Windows ones won't work. Some of them will tell you they'll work in both. I've tried a number of them out, and usually the Windows ones simply won't work in Linux, so make sure you get a Linux Bluetooth adapter. If you're running on a virtual machine like I am right now, of course you have to go ahead and attach it. So you got to go up here, this is VirtualBox, got to go up to USB, and then make sure that, see, it says Cambridge Silicon Radio, that's the chipset. It's actually, this is manufactured by Panda, I believe. You also want to make sure, even before you get to this part, if you want to go lsusb to make sure what's connected to your USB, and you see I've got, this is what's connected to my USB, and here's my Cambridge Silicon Radio. Of course Cambridge is a British firm, you see the Ltd right there. And then let's go ahead and clear our screen, and so sudo hciconfig. Let's look what it tells us. It tells us it's on a USB bus, it's a primary type, the name, just like when you do ifconfig, then it gives a name to the adapter, and the name is hci0. Yours might be hci1, it might be hci2, but usually it's going to be hci0, just like your WLAN is usually wlan0, your Ethernet adapter is going to be eth0. And then it gives you the address; this is the MAC address of the adapter. So this is where he, you see, in the... I go back to what he was showing on the show. You can see right here, hciconfig hci0 up. He has two adapters, he's going to the second one and taking it up as well, and then he's got hciconfig and he's pulling up the information, just like what we've done here. What we want to do now is that within this group of Bluetooth tools there's a tool called hcitool. I'll just show you what it can do. Pull up the help screen, and so of course this
511 00:20:10,400 --> 00:20:11,840 is the help screen as we're looking at 512 00:20:11,840 --> 00:20:14,240 right now and it'll display the local 513 00:20:14,240 --> 00:20:17,520 devices okay inquire and these remote 514 00:20:17,520 --> 00:20:20,640 devices it'll scan for remote devices 515 00:20:20,640 --> 00:20:22,559 and this is the next step that elliott 516 00:20:22,559 --> 00:20:24,559 does is that he goes and heads and uses 517 00:20:24,559 --> 00:20:25,760 this tool 518 00:20:25,760 --> 00:20:28,640 to scan for bluetooth devices in the 519 00:20:28,640 --> 00:20:30,799 area and there's a number of other 520 00:20:30,799 --> 00:20:32,960 things you can submit arbitrary hci 521 00:20:32,960 --> 00:20:35,840 commands you can do inquiries 522 00:20:35,840 --> 00:20:37,039 but right now we're going to kind of 523 00:20:37,039 --> 00:20:38,720 just do what eliot did and that's what 524 00:20:38,720 --> 00:20:42,480 he did is he went ahead and did hci tool 525 00:20:42,480 --> 00:20:44,000 scan 526 00:20:44,000 --> 00:20:45,679 and it begins to scan and what it's 527 00:20:45,679 --> 00:20:47,679 doing is it's looking for other 528 00:20:47,679 --> 00:20:51,520 bluetooth devices it pulls up one device 529 00:20:51,520 --> 00:20:53,360 and this is a these are the speaker 530 00:20:53,360 --> 00:20:55,679 system in my office let's go ahead and 531 00:20:55,679 --> 00:20:57,919 turn on some other bluetooth devices and 532 00:20:57,919 --> 00:20:59,039 see if we can 533 00:20:59,039 --> 00:21:01,120 see them as well it's really impressive 534 00:21:01,120 --> 00:21:02,960 that the show is so true though and i 535 00:21:02,960 --> 00:21:04,320 can see why you like it 536 00:21:04,320 --> 00:21:08,240 oh i i i love this show and so i'm glad 537 00:21:08,240 --> 00:21:09,360 that uh 538 00:21:09,360 --> 00:21:11,919 you uh had agreed to do the hacks 539 00:21:11,919 --> 00:21:13,440 because there's a lot of great hacks in 540 00:21:13,440 --> 00:21:15,200 this show no 
we've covered them all i 541 00:21:15,200 --> 00:21:16,799 think so let's just ask the audience do 542 00:21:16,799 --> 00:21:18,720 you want occupy the web to do like all 543 00:21:18,720 --> 00:21:20,640 of them just put in the comments below 544 00:21:20,640 --> 00:21:21,840 you know the ones that you really want 545 00:21:21,840 --> 00:21:23,760 to see and we can perhaps prioritize 546 00:21:23,760 --> 00:21:25,440 some over others i'm going to go ahead 547 00:21:25,440 --> 00:21:27,760 and try and do another scan i just 548 00:21:27,760 --> 00:21:30,640 turned on another another device 549 00:21:30,640 --> 00:21:32,960 this is very similar to like i said any 550 00:21:32,960 --> 00:21:34,720 type of scanning tool sometimes it's 551 00:21:34,720 --> 00:21:36,480 going to work sometimes it's not but you 552 00:21:36,480 --> 00:21:39,360 get the idea that it there we go okay i 553 00:21:39,360 --> 00:21:40,960 just turned on another another speaker 554 00:21:40,960 --> 00:21:43,200 system so this is what elliot's doing 555 00:21:43,200 --> 00:21:45,280 he's going out and he's scanning for 556 00:21:45,280 --> 00:21:48,159 these devices what he does is he finds 557 00:21:48,159 --> 00:21:51,280 the device the bluetooth device in the 558 00:21:51,280 --> 00:21:53,760 laptop of the police car then he does an 559 00:21:53,760 --> 00:21:57,280 hci tool inquiry let's do that sudo 560 00:21:57,280 --> 00:22:01,039 hci tool inquiry and this gives us even 561 00:22:01,039 --> 00:22:03,679 more information about the devices okay 562 00:22:03,679 --> 00:22:06,159 so it gives us the class and this is key 563 00:22:06,159 --> 00:22:09,200 if you go to the bluetooth websites the 564 00:22:09,200 --> 00:22:10,960 special interest group 565 00:22:10,960 --> 00:22:13,840 website so here's the devices and these 566 00:22:13,840 --> 00:22:16,559 are just the numbers okay and the 567 00:22:16,559 --> 00:22:19,679 classes of all the devices and this is 568 00:22:19,679 --> 
00:22:21,360 kind of the key to 569 00:22:21,360 --> 00:22:23,919 hacking bluetooth is to understand that 570 00:22:23,919 --> 00:22:26,960 bluetooth devices are basically telling 571 00:22:26,960 --> 00:22:29,360 us what type of device they are here's 572 00:22:29,360 --> 00:22:30,480 another there's a better one i got 573 00:22:30,480 --> 00:22:32,080 another one up here for you and you can 574 00:22:32,080 --> 00:22:34,559 see the classes and the ones that we 575 00:22:34,559 --> 00:22:37,039 just pulled up a minute ago right were 576 00:22:37,039 --> 00:22:38,799 speakers these are all peripheral 577 00:22:38,799 --> 00:22:41,679 devices so when you connect to a 578 00:22:41,679 --> 00:22:44,480 bluetooth device it tells the other 579 00:22:44,480 --> 00:22:46,080 device that's trying to pair with it 580 00:22:46,080 --> 00:22:48,400 what type of a device it is is that a 581 00:22:48,400 --> 00:22:50,480 wearable headset is a joystick for 582 00:22:50,480 --> 00:22:52,240 nintendo like this one is here it's a 583 00:22:52,240 --> 00:22:54,799 portable game controller it communicates 584 00:22:54,799 --> 00:22:56,720 to the other device what it is notice 585 00:22:56,720 --> 00:22:58,880 that this one here is a keyboard its 586 00:22:58,880 --> 00:23:01,600 device is class zero zero two five four 587 00:23:01,600 --> 00:23:04,159 oh that means when you connect to this 588 00:23:04,159 --> 00:23:07,039 bluetooth device it says i'm a keyboard 589 00:23:07,039 --> 00:23:10,240 allow me to send keystrokes okay into 590 00:23:10,240 --> 00:23:12,559 your system and there's really no way 591 00:23:12,559 --> 00:23:14,720 for the system to check if that's real 592 00:23:14,720 --> 00:23:17,039 or not so this is what elliott takes 593 00:23:17,039 --> 00:23:19,120 advantage of in the show he uses a 594 00:23:19,120 --> 00:23:21,360 device called multi-blue they don't 595 00:23:21,360 --> 00:23:23,679 manufacture them anymore unfortunately 596 00:23:23,679 --> 
00:23:25,840 but basically what it is is this base 597 00:23:25,840 --> 00:23:28,159 it's a bluetooth device that 598 00:23:28,159 --> 00:23:31,280 communicates okay that i am a keyboard 599 00:23:31,280 --> 00:23:33,360 if you have a bluetooth based keyboard 600 00:23:33,360 --> 00:23:34,799 i'm working on a bluetooth keyboard 601 00:23:34,799 --> 00:23:36,320 right now in this show that's what this 602 00:23:36,320 --> 00:23:39,679 device does okay it says i'm a keyboard 603 00:23:39,679 --> 00:23:43,120 let me send keyboard keystrokes to you 604 00:23:43,120 --> 00:23:45,440 the other end of the connection elliot 605 00:23:45,440 --> 00:23:47,760 uses this which used to cost i think i 606 00:23:47,760 --> 00:23:49,760 bought mine for about 35 dollars but 607 00:23:49,760 --> 00:23:52,799 basically once again it's a bluetooth 608 00:23:52,799 --> 00:23:56,559 dongle that has been basically flashed 609 00:23:56,559 --> 00:23:59,600 with a different class okay a class that 610 00:23:59,600 --> 00:24:03,520 says hey i am a keyboard so elliot what 611 00:24:03,520 --> 00:24:06,799 he does is that he gets darlene to kind 612 00:24:06,799 --> 00:24:08,799 of flirt with the cops it's social 613 00:24:08,799 --> 00:24:11,279 engineering elliot is standing is in a 614 00:24:11,279 --> 00:24:14,480 car nearby okay bluetooth has the 615 00:24:14,480 --> 00:24:17,279 capability of connecting up to like a 616 00:24:17,279 --> 00:24:20,000 hundred meters he's within that range 617 00:24:20,000 --> 00:24:21,840 and he's able to connect to the 618 00:24:21,840 --> 00:24:25,600 bluetooth device in the police car he 619 00:24:25,600 --> 00:24:28,799 uses a tool called spooftooth it's also 620 00:24:28,799 --> 00:24:30,159 i believe spooftooth is in the 621 00:24:30,159 --> 00:24:32,640 repository so let's just quickly take a 622 00:24:32,640 --> 00:24:35,760 look and see if it is and let's put in 623 00:24:35,760 --> 00:24:37,679 install in there there it is it's 624 00:24:37,679 
--> 00:24:39,600 already installed on my system just like 625 00:24:39,600 --> 00:24:41,840 you can spoof an ip address so you can 626 00:24:41,840 --> 00:24:44,480 spoof a mac address it allows you to 627 00:24:44,480 --> 00:24:45,600 spoof 628 00:24:45,600 --> 00:24:48,880 a bluetooth device so what elliott does 629 00:24:48,880 --> 00:24:51,679 is that he goes and spoofs the mac 630 00:24:51,679 --> 00:24:54,080 address of one of these devices in the 631 00:24:54,080 --> 00:24:56,799 policeman's car does a scan like we did 632 00:24:56,799 --> 00:24:58,880 here he gets the mac address off the 633 00:24:58,880 --> 00:25:01,440 bluetooth in the cop car and then he 634 00:25:01,440 --> 00:25:03,679 spoofs it okay here's the synopsis 635 00:25:03,679 --> 00:25:07,679 bluetooth dash i device and then specify 636 00:25:07,679 --> 00:25:10,960 a new bd addr right that's what we want 637 00:25:10,960 --> 00:25:13,440 to do let's go ahead and create this 638 00:25:13,440 --> 00:25:16,159 it's pasting in the mac address and then 639 00:25:16,159 --> 00:25:18,240 it's the uh 640 00:25:18,240 --> 00:25:20,640 dash n for name right here specify the 641 00:25:20,640 --> 00:25:23,600 new name okay dash in and then it's 642 00:25:23,600 --> 00:25:25,039 going to be car 643 00:25:25,039 --> 00:25:27,120 five five three seven so what we're 644 00:25:27,120 --> 00:25:29,200 doing is we're assigning a new mac 645 00:25:29,200 --> 00:25:31,600 address and a new name for that device 646 00:25:31,600 --> 00:25:34,159 and you see it came back and said hey 647 00:25:34,159 --> 00:25:36,480 address has been changed oh 648 00:25:36,480 --> 00:25:38,559 and it came back we said the address was 649 00:25:38,559 --> 00:25:40,559 changed but it can't open the device no 650 00:25:40,559 --> 00:25:42,320 such device it dropped the device it 651 00:25:42,320 --> 00:25:44,159 looks like so let's try reconnecting it 652 00:25:44,159 --> 00:25:46,240 again yeah see it's dropped the 653 00:25:46,240 
--> 00:25:48,559 cambridge silicon radio let's go ahead 654 00:25:48,559 --> 00:25:50,000 and try that again 655 00:25:50,000 --> 00:25:51,279 i think the lesson is like you've always 656 00:25:51,279 --> 00:25:53,120 said it's um stuff doesn't work 657 00:25:53,120 --> 00:25:54,640 perfectly the first time that's reality 658 00:25:54,640 --> 00:25:57,919 versus tv yeah exactly yeah this is and 659 00:25:57,919 --> 00:26:00,720 this is actually a notice here that it's 660 00:26:00,720 --> 00:26:02,640 down when i want to reconnect it again 661 00:26:02,640 --> 00:26:03,840 it's down 662 00:26:03,840 --> 00:26:06,240 so what we have to do is go 663 00:26:06,240 --> 00:26:09,600 hci config 664 00:26:09,600 --> 00:26:10,480 i 665 00:26:10,480 --> 00:26:11,520 zero 666 00:26:11,520 --> 00:26:12,960 up 667 00:26:12,960 --> 00:26:14,640 all right 668 00:26:14,640 --> 00:26:17,840 okay now when i do hci config you'll see 669 00:26:17,840 --> 00:26:20,240 that it's 670 00:26:20,640 --> 00:26:22,159 reality and that's i'm glad to see you 671 00:26:22,159 --> 00:26:23,679 doing this because it 672 00:26:23,679 --> 00:26:25,919 it's reality for all of us yeah yeah so 673 00:26:25,919 --> 00:26:27,679 there it is up and running all right so 674 00:26:27,679 --> 00:26:29,600 we're going to try this command again to 675 00:26:29,600 --> 00:26:31,600 be able to spoof this so we're going to 676 00:26:31,600 --> 00:26:35,039 go ahead and run the hci tool and then 677 00:26:35,039 --> 00:26:36,720 we're going to scan 678 00:26:36,720 --> 00:26:38,400 one of the things that i have found is 679 00:26:38,400 --> 00:26:40,320 that by using a here we go we got both 680 00:26:40,320 --> 00:26:42,559 of those devices sometimes the virtual 681 00:26:42,559 --> 00:26:44,880 machines will drop the devices that are 682 00:26:44,880 --> 00:26:46,720 external okay and that's what we're 683 00:26:46,720 --> 00:26:48,559 dealing with here but so we got both of 684 00:26:48,559 --> 00:26:50,480 
them up we scanned imagine that one of 685 00:26:50,480 --> 00:26:53,279 these is car 57 all right and then what 686 00:26:53,279 --> 00:26:54,400 we're going to do is then we're going to 687 00:26:54,400 --> 00:26:55,360 try to 688 00:26:55,360 --> 00:26:59,200 spoof it we're using hci 0 as our device 689 00:26:59,200 --> 00:27:01,440 name this is the mac address we're 690 00:27:01,440 --> 00:27:02,880 trying to spoof and we're going to name 691 00:27:02,880 --> 00:27:07,600 it car 357 hopefully virtualbox doesn't 692 00:27:07,600 --> 00:27:09,600 drop our adapter let's go ahead and do 693 00:27:09,600 --> 00:27:11,120 it it just dropped it i could hear the 694 00:27:11,120 --> 00:27:13,039 sound of it dropping it it did change 695 00:27:13,039 --> 00:27:15,440 the address you can see that the device 696 00:27:15,440 --> 00:27:17,360 has been changed to 697 00:27:17,360 --> 00:27:21,000 7c 96d208 698 00:27:21,120 --> 00:27:24,240 and if we didn't drop the adapter we it 699 00:27:24,240 --> 00:27:27,120 would also rename it so that it appears 700 00:27:27,120 --> 00:27:29,760 not only does it appear technically by 701 00:27:29,760 --> 00:27:31,840 the mac address but it also has a name 702 00:27:31,840 --> 00:27:34,320 that is recognizable human readable name 703 00:27:34,320 --> 00:27:36,559 that would be recognized by the police 704 00:27:36,559 --> 00:27:38,960 officer so this is the way that he goes 705 00:27:38,960 --> 00:27:42,320 ahead and spoofs the bluetooth device 706 00:27:42,320 --> 00:27:44,720 now this particular hack was done in oh 707 00:27:44,720 --> 00:27:47,120 about 2014 and some of the early 708 00:27:47,120 --> 00:27:49,760 bluetooth you could do this type of 709 00:27:49,760 --> 00:27:52,559 spoofing in the more recent bluetooth 710 00:27:52,559 --> 00:27:53,840 you're going to have more difficulty 711 00:27:53,840 --> 00:27:55,840 doing this because they're going to be 712 00:27:55,840 --> 00:27:57,760 able to spoof it you're going to have 
to 713 00:27:57,760 --> 00:27:59,760 pair them and even though you spoofed 714 00:27:59,760 --> 00:28:01,360 the device name in the mac address 715 00:28:01,360 --> 00:28:02,720 you're still going to have to pair them 716 00:28:02,720 --> 00:28:04,559 so there's going to be one extra step 717 00:28:04,559 --> 00:28:06,960 there that they don't show in the show 718 00:28:06,960 --> 00:28:11,120 so he's now got himself inside the 719 00:28:11,120 --> 00:28:14,159 police car's laptop so was he spoofing 720 00:28:14,159 --> 00:28:16,320 the the keyboard is that right and uh 721 00:28:16,320 --> 00:28:17,440 that's what he was trying to do is that 722 00:28:17,440 --> 00:28:20,080 correct he's he's taking the keyboard 723 00:28:20,080 --> 00:28:23,600 that multi-blue device and he's making 724 00:28:23,600 --> 00:28:26,720 the laptop believe that it's a bluetooth 725 00:28:26,720 --> 00:28:28,880 device that's already connected to his 726 00:28:28,880 --> 00:28:30,799 system because normally when you want to 727 00:28:30,799 --> 00:28:32,880 connect a bluetooth device you have to 728 00:28:32,880 --> 00:28:35,039 pair it right you have the pairing 729 00:28:35,039 --> 00:28:36,080 process 730 00:28:36,080 --> 00:28:39,039 what he's doing is saying okay i am the 731 00:28:39,039 --> 00:28:42,480 device that's already been paired on the 732 00:28:42,480 --> 00:28:45,440 laptop and then once he has that pairing 733 00:28:45,440 --> 00:28:48,320 taking place now he can use this device 734 00:28:48,320 --> 00:28:51,600 to inject commands into the cop car's 735 00:28:51,600 --> 00:28:53,600 laptop and that's where things get 736 00:28:53,600 --> 00:28:55,840 interesting and maybe a little bit 737 00:28:55,840 --> 00:28:58,799 unrealistic so what he's doing now is 738 00:28:58,799 --> 00:29:02,000 that now once he's inside the cop car's 739 00:29:02,000 --> 00:29:06,159 laptop he's inside the network of the 740 00:29:06,159 --> 00:29:08,960 detention center of the jail so now 
what 741 00:29:08,960 --> 00:29:11,120 he has to do is he has to be able to 742 00:29:11,120 --> 00:29:15,679 inject commands into the prison the jail 743 00:29:15,679 --> 00:29:17,919 to be able to open up the doors this is 744 00:29:17,919 --> 00:29:20,320 a little bit unrealistic normally what 745 00:29:20,320 --> 00:29:22,320 you would do in a situation like this is 746 00:29:22,320 --> 00:29:24,159 you would go and you would find the 747 00:29:24,159 --> 00:29:26,559 wiring diagram for 748 00:29:26,559 --> 00:29:28,080 that particular device and they're 749 00:29:28,080 --> 00:29:30,080 almost all online there's a block 750 00:29:30,080 --> 00:29:33,279 diagram of the plc these are almost all 751 00:29:33,279 --> 00:29:36,000 the same the diagram is the same here's 752 00:29:36,000 --> 00:29:38,399 a here's the one that's often used in 753 00:29:38,399 --> 00:29:40,720 the prison system this is a siemens 754 00:29:40,720 --> 00:29:43,760 cymatic s7 1500 which was actually the 755 00:29:43,760 --> 00:29:46,960 same one that was used in the 756 00:29:46,960 --> 00:29:49,120 stuxnet attack so that's what was used 757 00:29:49,120 --> 00:29:50,399 to open and close the doors in the 758 00:29:50,399 --> 00:29:51,919 prison in the movie so called yeah this 759 00:29:51,919 --> 00:29:53,520 is what's open and closed the doors in 760 00:29:53,520 --> 00:29:55,279 the prison right so these are just 761 00:29:55,279 --> 00:29:57,679 programmable logic controllers this is 762 00:29:57,679 --> 00:29:59,919 one of the most widely used in the world 763 00:29:59,919 --> 00:30:02,399 here's a prison diagram this is a 764 00:30:02,399 --> 00:30:04,880 typical prison diagram each one of these 765 00:30:04,880 --> 00:30:07,039 are housing pods and then there's an 766 00:30:07,039 --> 00:30:09,039 equipment room which usually contains 767 00:30:09,039 --> 00:30:11,760 these plc's and a con central control 768 00:30:11,760 --> 00:30:13,520 inside this equipment room this is where 
769 00:30:13,520 --> 00:30:16,080 the plc's are and they control the 770 00:30:16,080 --> 00:30:18,880 opening and closing of the doors in the 771 00:30:18,880 --> 00:30:20,480 prison now all of this kind of 772 00:30:20,480 --> 00:30:22,320 information is available online if you 773 00:30:22,320 --> 00:30:24,559 look in the right places no matter who's 774 00:30:24,559 --> 00:30:27,760 making these devices they provide this 775 00:30:27,760 --> 00:30:29,440 kind of detail 776 00:30:29,440 --> 00:30:32,640 about their systems so that the users 777 00:30:32,640 --> 00:30:35,440 can program them properly maintain them 778 00:30:35,440 --> 00:30:37,840 properly this is basically a simple 779 00:30:37,840 --> 00:30:40,559 diagram of the opening and closing of 780 00:30:40,559 --> 00:30:43,279 the doors within this prison elliot 781 00:30:43,279 --> 00:30:45,039 could do this right but it still would 782 00:30:45,039 --> 00:30:48,399 have taken him days weeks months to do 783 00:30:48,399 --> 00:30:50,799 this process and he does it in a matter 784 00:30:50,799 --> 00:30:53,039 of hours it is possible it's out there 785 00:30:53,039 --> 00:30:54,880 right if you go to the you know you go 786 00:30:54,880 --> 00:30:56,880 to the manufacturer's websites and 787 00:30:56,880 --> 00:30:58,720 usually this will be included in a 788 00:30:58,720 --> 00:31:01,360 document that'll be like 150 pages long 789 00:31:01,360 --> 00:31:03,440 a pdf document that you can go ahead and 790 00:31:03,440 --> 00:31:05,279 dig through and figure out how these 791 00:31:05,279 --> 00:31:07,519 systems actually work and then the next 792 00:31:07,519 --> 00:31:09,760 step he has to do is that he has to go 793 00:31:09,760 --> 00:31:14,240 ahead and write a ladder logic program 794 00:31:14,240 --> 00:31:17,519 to control the plc's ladder logic looks 795 00:31:17,519 --> 00:31:19,279 something like this here 796 00:31:19,279 --> 00:31:22,240 i teach ladder logic in my scada class 797 
00:31:22,240 --> 00:31:24,960 and we use a trilogy which is a 798 00:31:24,960 --> 00:31:26,320 training 799 00:31:26,320 --> 00:31:29,279 educational software for doing ladder 800 00:31:29,279 --> 00:31:32,799 logic this is simple logic to run the 801 00:31:32,799 --> 00:31:35,039 various devices in a plant so you're 802 00:31:35,039 --> 00:31:36,880 reading a device waiting for the 803 00:31:36,880 --> 00:31:38,640 information to come then you're opening 804 00:31:38,640 --> 00:31:40,559 a valve or closing a valve this 805 00:31:40,559 --> 00:31:42,240 particular circuit right here is running 806 00:31:42,240 --> 00:31:44,159 it and then it takes a step through and 807 00:31:44,159 --> 00:31:46,399 it waits five seconds on the clock and 808 00:31:46,399 --> 00:31:48,880 then it makes a manual decision okay 809 00:31:48,880 --> 00:31:51,279 either open or close and it finishes 810 00:31:51,279 --> 00:31:53,039 that circuit and then it goes through 811 00:31:53,039 --> 00:31:54,880 another it goes through each one of this 812 00:31:54,880 --> 00:31:57,440 is called ladder logic because it goes 813 00:31:57,440 --> 00:31:59,519 through this circuit and then this 814 00:31:59,519 --> 00:32:01,840 circuit and then this circuit so this is 815 00:32:01,840 --> 00:32:05,120 really relatively simple stuff the only 816 00:32:05,120 --> 00:32:07,279 issue is that you have to understand 817 00:32:07,279 --> 00:32:09,600 what circuits you're actually working 818 00:32:09,600 --> 00:32:11,519 with within the system and that's why 819 00:32:11,519 --> 00:32:14,159 it's really unrealistic to expect that 820 00:32:14,159 --> 00:32:16,960 elliott did that in a matter of hours 821 00:32:16,960 --> 00:32:19,200 one of the things that could be done 822 00:32:19,200 --> 00:32:21,360 okay is that you could just throw 823 00:32:21,360 --> 00:32:23,840 scatter a bunch of commands into the 824 00:32:23,840 --> 00:32:26,399 system and see what happens right that's 825 00:32:26,399 --> 
00:32:28,799 a possibility but that would probably be 826 00:32:28,799 --> 00:32:30,720 detected now i will just kind of give 827 00:32:30,720 --> 00:32:33,200 you a hint that you know that's 828 00:32:33,200 --> 00:32:36,480 something that can be used in cyber war 829 00:32:36,480 --> 00:32:38,720 is that you can just send random 830 00:32:38,720 --> 00:32:41,039 commands into these systems and see what 831 00:32:41,039 --> 00:32:43,360 happens and if it explodes then you know 832 00:32:43,360 --> 00:32:46,240 you did the right thing 833 00:32:46,240 --> 00:32:47,840 what's unrealistic about that is he's 834 00:32:47,840 --> 00:32:50,720 connected via this uh bluetooth keyboard 835 00:32:50,720 --> 00:32:53,120 or a fake keyboard and he's injected 836 00:32:53,120 --> 00:32:54,640 he's injecting a whole bunch of stuff 837 00:32:54,640 --> 00:32:56,000 with no visibility of what's on the 838 00:32:56,000 --> 00:32:58,240 other side is that right right he has 839 00:32:58,240 --> 00:33:00,159 the only visibility he has is that he 840 00:33:00,159 --> 00:33:02,720 could pull up this schematic this would 841 00:33:02,720 --> 00:33:04,720 be available to him he could pull this 842 00:33:04,720 --> 00:33:07,039 up online and find the schematic and you 843 00:33:07,039 --> 00:33:08,960 can see that all the circuits are 844 00:33:08,960 --> 00:33:11,360 detailed here as you can see door fully 845 00:33:11,360 --> 00:33:17,120 open l3 ls3 ls2 is device fully locked 846 00:33:17,120 --> 00:33:20,399 ls4 is the door fully closed and then we 847 00:33:20,399 --> 00:33:22,440 have speeds our 848 00:33:22,440 --> 00:33:26,399 ls5 and ls6 so this is available to him 849 00:33:26,399 --> 00:33:29,360 online but then he has to write the 850 00:33:29,360 --> 00:33:32,159 ladder logic to be able to control each 851 00:33:32,159 --> 00:33:35,279 one of these various circuits to be able 852 00:33:35,279 --> 00:33:37,840 to open and close the doors and notice 853 00:33:37,840 --> 
00:33:40,000 that in the show he talks about well 854 00:33:40,000 --> 00:33:42,399 let's open up all of the doors and that 855 00:33:42,399 --> 00:33:44,399 way nobody nobody will be able to 856 00:33:44,399 --> 00:33:46,960 connect this to me or you all this 857 00:33:46,960 --> 00:33:49,519 information is usually available online 858 00:33:49,519 --> 00:33:51,200 this is available for one particular 859 00:33:51,200 --> 00:33:53,519 prison system that i found online it's 860 00:33:53,519 --> 00:33:55,200 crazy that you can just find this stuff 861 00:33:55,200 --> 00:33:56,799 they've got to do this for their clients 862 00:33:56,799 --> 00:33:59,679 right and no matter what plc you're 863 00:33:59,679 --> 00:34:01,919 talking about whether it be siemens or 864 00:34:01,919 --> 00:34:04,080 schneider electric they have these these 865 00:34:04,080 --> 00:34:07,519 diagrams these pdfs online that give you 866 00:34:07,519 --> 00:34:09,520 a total breakdown of how the system 867 00:34:09,520 --> 00:34:11,280 works let's take a look at one of the 868 00:34:11,280 --> 00:34:13,359 things that one of the things i did is 869 00:34:13,359 --> 00:34:16,480 use some google dorks to find some of 870 00:34:16,480 --> 00:34:19,520 those cymatic plc's here's the dork i 871 00:34:19,520 --> 00:34:22,639 used right here in url portal portal 872 00:34:22,639 --> 00:34:26,639 mwlf mwsl these are plc's that are 873 00:34:26,639 --> 00:34:29,679 connected via tcpip right that's why we 874 00:34:29,679 --> 00:34:31,520 can connect to them we can go ahead and 875 00:34:31,520 --> 00:34:33,918 find these things online and let's find 876 00:34:33,918 --> 00:34:36,480 this one right here here it is anybody 877 00:34:36,480 --> 00:34:38,239 anywhere in the world can connect to 878 00:34:38,239 --> 00:34:41,359 this s7 1200 remember the one we looked 879 00:34:41,359 --> 00:34:44,000 at a little little while ago was the s7 880 00:34:44,000 --> 00:34:46,800 1500 it's a similar model not 
[00:34:46] ...exactly the same, but we can go ahead and look at its diagnostics. We can get its serial number, so we know exactly what PLC this is. We know its hardware number, we know what firmware is running, and this is without even logging in.

[00:35:02] You literally just typed something in Google and you found this?

[00:35:06] Yeah, exactly. Here it is, right here. It's just... when you go back and show you...

[00:35:11] For everyone watching, I've had to blur this because of YouTube rules, so a lot of this... but the information is there.

[00:35:18] No, don't worry, we'll just blur it out. We didn't hack it, okay? This is available to anybody. This is just the portal that the PLC provides to its users, and so what we're doing is just using the same portal. And notice that we haven't logged in, right? This is what's available.

[00:35:33] It's like a website.

[00:35:35] Yeah, it's like going to a website, exactly. I haven't logged into anything, okay? You see, it looks like this is a Czech system. That looks like Czech to me.

[00:35:47] So it's amazing that all of this stuff is addresses. It's crazy.

[00:35:50] Yeah. And here's the watch tables, user-defined pages, the home page of the application. Okay, takes us back to the plant, so we can get more information. That looks like Czech to me. I don't know, I don't read Czech, but it looks like it. In any case, this is just one Siemens, and this is one that has the portal available for the maintenance and control of this particular PLC. I don't know what plant this is connected to, but these are available online for anybody who wants to go ahead and read them. So this puts the... here it is. Looks like it's farmer custom fructo plant. I guess this is all going to get blurred out.

[00:36:30] Yeah, we'll have to blur it out. But I think the point is, on the previous video where we spoke about SCADA, we had some comments like, "We don't connect our SCADA systems to the internet," and you've just shown, like, there's one straight away. It took you like five seconds.

[00:36:45] Yeah, yeah. There are millions of them connected to the internet now. I give the people who said that credit that theirs are not, okay? So some plants are not, but most of them are online. Like the prison: the prison is offline, for good reason, right? You know, the prison, so that's what made Elliot's job so much more difficult, is that he had to get inside the network. But many of them, you don't have to get inside the network. Not only can you see them through their portal, but you can connect to them through their maintenance port and send commands in and be able to read memory. So you can pull out the memory contents, you can send commands in to many of them. And so this is why I'm so concerned about SCADA, is that so many of these facilities are online and they're not well protected, and this is a good example of one that anybody could go ahead and just pull up online. And there's literally millions of them, and you can use Shodan to find them, you can use, you know, Google dorks to find them, and you can connect right to them and pull all the information you need to be able to then go ahead and study how they operate, get the schematics for it, and then be able to read its memory. And many of them, you can read their memory and get the passwords that are built into memory, just like Mimikatz. So Mimikatz, if you're not familiar with it, folks, is a tool that allows you to pull the memory out of a Windows system, and once you pull out the memory on a Windows system, Mimikatz then can parse out the password in memory. The same thing applies here, is that once we are able to pull the memory out of these systems, then we can parse out the password from memory. So these systems are all vulnerable... not all of them, let's be clear, many are vulnerable to attack, and Russia is learning this at the very moment. At this very moment Russia is learning how vulnerable their systems are to this type of attack.

[00:38:52] For everyone watching, obviously because of YouTube we can't show everything here, but you cover this in your courses, don't you?

[00:39:01] I do, yeah, and we have this course coming up in September. So I usually teach this course once a year. It's kind of one of the specialty courses that we offer at Hackers-Arise. I teach you how these PLCs work, so you have an understanding of how they function, and then we look at various ways that they can be exploited, and then also how you can make them safer. And there's many ways of exploiting these systems, and one of the things that we haven't even talked about is that because these systems usually cover many acres, sometimes miles, kilometers, right, there has to be communication across these vast distances. Oftentimes the communication methods, whether it be Wi-Fi or cellular or what have you, are also vulnerable to being hacked. Once again, the issue that Elliot had was that he couldn't get inside the network. So even if the system's offline, okay, say the system is offline, and if it's a system that has to cover vast distances, like most of these facilities do, they're huge plants, they have to communicate, and running cable isn't realistic, okay, especially running cable in a system that has a lot of EMI. So what they do is they use various communication technologies to communicate between the different parts of the facility, and those communication technologies are all... not all, many of them are vulnerable to attack. Once you're inside the communication, then you're inside the facility, you're inside the network, and then you can literally send commands inside of the plant and wreak havoc.

[00:40:38] I'd love to show more of this on YouTube, but you know, I don't want to lose my channel. So I would suggest all of you go and look at Hackers-Arise. Occupy the Web, you've got a bunch of stuff, like blog articles and stuff on your website where people can see some information, or they can sign up for, like, your subscription. Is that the 37 dollars a month thing?

[00:40:59] It's $32.99 a month to take the live courses, and the SCADA hacking course is included in the live courses that are coming up in September. So you can sign up and they'll get you into that course. We have Metasploit coming up next month, we have web app hacking coming in July, I don't remember what we have in August, but we do have SCADA coming up in September.

[00:41:23] I think, for everyone who's watching, please give us feedback: what would you like to see from Mr. Robot, or other types of hacks? I think one that we've had feedback on was the hacking CCTV one. A lot of people were saying, like, "Show us a demo," so maybe we can put up a camera somewhere, or you've got some cameras, and we can show how to actually do the practical part of, like, CCTV or IP camera hacking rather than just, you know, talking about it.

[00:41:46] I can show you some real cameras I can hack.

[00:41:50] Yeah, the problem is I can't show that on YouTube. That's the frustration. It's like, I'd love you to do it, but I mean, if it's a system that we have permission to look at, or it's a system that we own, then we can demo it. I know you can do this, but I mean...

[00:42:05] We've hacked a lot of cameras in Ukraine, and I try to put one of those up every day on my Twitter account for people to see. Mostly I put it up there for the Russians to see, okay? The idea is, hey, look, we can watch you, okay? We can see you. If you continue your bad behavior, then we will be able to focus on your faces and bring this to the International Criminal Court. It's not that hard to do.

[00:42:32] You know what we need to do is maybe set up a lab so we can do it, actually, for the YouTube channel.

[00:42:37] I have a student who has volunteered his lab, so we'll have to make arrangements with him.

[00:42:44] Yeah, that'd be great if we can do that in another video. Unfortunately we cannot hack anything that we don't have permission to attack. So for our next video, which Mr. Robot video or show would you like to cover, or which technology would you like to cover?

[00:42:57] We can do some steganography, where he hides all his data in his CDs. You know, I thought one of the most intriguing ones, at the end of the show, when he traces the Dark Army, so he uses memory forensics to be able to trace the Dark Army. That was a good one. That was really complex. You know, it's not going to necessarily be interesting to a lot of people, but I liked it. You know what people might like is using the Raspberry Pi, where he goes inside of the storage facility and he connects a Raspberry Pi into the HVAC system.

[00:43:28] We said there are like 40 hacks or something we can go through, so there's a lot. Vote for those two, but okay, everyone who's watching can vote for something else. Let us know what you want.

[00:43:39] What people also like is how Angela used Mimikatz to steal her boss's password. And one of my favorites is how Elliot hacked the cell phones of the FBI, which actually is a good one.

[00:43:53] Yeah, I like that.

[00:43:56] That's not hard to do, really. So what he did is that he used a device that acts as a cell tower. They put it under one of the desks, and the FBI was in there doing their work, and they connected to the cell tower, and he was able to listen in to all their conversations. And surprisingly, it's not that difficult if you have physical access near the person that you're trying to hack. And they were able to intercept all of the phone calls. To me, the power of being able to intercept phone calls is really... that's a lot of power, and it's one that people don't realize how easy it is to do.

[00:44:32] I think we've got a lot to cover.

[00:44:33] We've got a lot to cover, yeah.

[00:44:35] We've got a lot to cover, right. And one of the things at some point in the future I'd like to do with you is this software-defined radio.

[00:44:42] Yeah, I really like that, actually.

[00:44:44] Yeah, software-defined radio would be great.

[00:44:46] Yeah, and we're doing a class in software-defined radio in July.

[00:44:51] Yeah, we can do maybe a simple, like, intro to software-defined radio, real basic stuff, and then maybe later on do a more advanced one. Okay, Occupy the Web, I'm going to keep you busy for a long time. Really, thank you for sharing your knowledge. I appreciate it.

[00:45:04] I enjoy it. Thank you, thanks for having me.

[00:45:07] So everyone, look forward to a whole bunch of Mr. Robot sort of videos coming. Give us your feedback, stuff that you'd like to see. I think we've got a long list, and hope you enjoy.

[00:45:16] [Music]