1
00:00:00,640 --> 00:00:02,560
we know what firmware is running and
2
00:00:02,560 --> 00:00:04,720
this is without even logging in you
3
00:00:04,720 --> 00:00:06,160
literally just typed something in google
4
00:00:06,160 --> 00:00:08,400
and you found this yeah exactly
5
00:00:08,400 --> 00:00:12,599
you know i don't want to lose my channel
6
00:00:16,520 --> 00:00:21,039
[Music]
7
00:00:21,039 --> 00:00:22,560
hey everyone it's David Bombal back with
8
00:00:22,560 --> 00:00:23,920
OccupyTheWeb for those of you who
9
00:00:23,920 --> 00:00:25,519
haven't watched our previous videos he's
10
00:00:25,519 --> 00:00:27,599
the author of this book fantastic book
11
00:00:27,599 --> 00:00:29,039
if you want to learn linux from a
12
00:00:29,039 --> 00:00:30,400
hacking perspective
13
00:00:30,400 --> 00:00:32,558
he's also got this book
14
00:00:32,558 --> 00:00:34,559
getting started becoming a master hacker
15
00:00:34,559 --> 00:00:36,239
OccupyTheWeb welcome thanks david
16
00:00:36,239 --> 00:00:37,840
thanks for having me back again this
17
00:00:37,840 --> 00:00:39,280
book's getting updated is all right it's
18
00:00:39,280 --> 00:00:40,800
getting updated and it's going to be
19
00:00:40,800 --> 00:00:44,559
republished by No Starch Press under a
20
00:00:44,559 --> 00:00:47,440
new name it's going to be called a cyber
21
00:00:47,440 --> 00:00:50,239
warrior handbook and it's going to be
22
00:00:50,239 --> 00:00:53,440
totally rewritten with new tutorials and
23
00:00:53,440 --> 00:00:56,480
it's going to be more targeted towards
24
00:00:56,480 --> 00:00:59,760
the cyber warrior than just the beginner
25
00:00:59,760 --> 00:01:02,559
uh hacker it was originally scheduled to
26
00:01:02,559 --> 00:01:04,720
come out later this year but the war
27
00:01:04,720 --> 00:01:06,720
kind of got in the way the war has been
28
00:01:06,720 --> 00:01:08,799
taking a lot of my time that should have
29
00:01:08,799 --> 00:01:10,880
been spending on updating that book but
30
00:01:10,880 --> 00:01:12,400
hopefully it'll be out this winter
31
00:01:12,400 --> 00:01:13,760
sometime a lot of you have given
32
00:01:13,760 --> 00:01:15,680
feedback about you know the content that
33
00:01:15,680 --> 00:01:17,439
you want to see and i'm really happy to
34
00:01:17,439 --> 00:01:18,960
announce that OccupyTheWeb is going to
35
00:01:18,960 --> 00:01:21,759
be doing a series of technical videos so
36
00:01:21,759 --> 00:01:23,600
we're going to dive into like a bunch of
37
00:01:23,600 --> 00:01:25,759
technical details and as part of this
38
00:01:25,759 --> 00:01:27,360
series we're going to be looking at mr
39
00:01:27,360 --> 00:01:29,200
robot hacks OccupyTheWeb on our
40
00:01:29,200 --> 00:01:30,640
previous video you were telling me one
41
00:01:30,640 --> 00:01:33,119
of the problems with youtube videos and
42
00:01:33,119 --> 00:01:34,960
perhaps with mr robot and all these
43
00:01:34,960 --> 00:01:37,119
movies is you know it's not realistic so
44
00:01:37,119 --> 00:01:39,600
i'm hoping we can take like a mr robot
45
00:01:39,600 --> 00:01:41,360
hack and you can show us like how it
46
00:01:41,360 --> 00:01:43,040
actually works in the real world yeah
47
00:01:43,040 --> 00:01:45,920
i'd love to do that and uh let's start
48
00:01:45,920 --> 00:01:48,479
off with one of the best hacks in the
49
00:01:48,479 --> 00:01:51,040
show and and one of the things i'd like
50
00:01:51,040 --> 00:01:54,399
to do is to explain why i like mr robot
51
00:01:54,399 --> 00:01:55,439
because
52
00:01:55,439 --> 00:01:57,920
i like mr robot because he does real
53
00:01:57,920 --> 00:01:59,439
hacking it's not because of the drugs
54
00:01:59,439 --> 00:02:01,759
yeah it's not because of drugs right
55
00:02:01,759 --> 00:02:03,620
drugs are a side benefit
56
00:02:03,620 --> 00:02:06,159
[Laughter]
57
00:02:06,159 --> 00:02:08,720
it's because it's real hacking it may be
58
00:02:08,720 --> 00:02:11,038
a more compressed time frame than
59
00:02:11,038 --> 00:02:13,599
reality that's because it's a tv show
60
00:02:13,599 --> 00:02:16,000
and they can't spend hours and days just
61
00:02:16,000 --> 00:02:17,840
like on youtube videos but if you watch
62
00:02:17,840 --> 00:02:20,319
very carefully he's actually doing hacks
63
00:02:20,319 --> 00:02:24,160
that are largely largely not all largely
64
00:02:24,160 --> 00:02:26,800
realistic it's really one of my favorite
65
00:02:26,800 --> 00:02:29,200
tv shows of all time not only because
66
00:02:29,200 --> 00:02:31,360
it's a hacker show but you know it's got
67
00:02:31,360 --> 00:02:33,519
Rami Malek those of you who may not be
68
00:02:33,519 --> 00:02:35,280
familiar with Rami Rami
69
00:02:35,280 --> 00:02:37,120
he's been an actor he's been around a
70
00:02:37,120 --> 00:02:39,920
little while and he's the guy who got
71
00:02:39,920 --> 00:02:42,640
the academy award for best actor for
72
00:02:42,640 --> 00:02:44,640
playing freddie mercury in bohemian
73
00:02:44,640 --> 00:02:46,959
rhapsody mr robot is really what made
74
00:02:46,959 --> 00:02:49,920
him famous this is really what launched
75
00:02:49,920 --> 00:02:52,080
his career was this tv show and
76
00:02:52,080 --> 00:02:54,160
basically it's the story
77
00:02:54,160 --> 00:02:55,760
of a
78
00:02:55,760 --> 00:02:57,360
young man who
79
00:02:57,360 --> 00:03:01,519
probably is on the autistic spectrum at
80
00:03:01,519 --> 00:03:03,360
least that's my interpretation he
81
00:03:03,360 --> 00:03:06,080
displays a lot of characteristics that
82
00:03:06,080 --> 00:03:08,560
we associate with asperger's his kind of
83
00:03:08,560 --> 00:03:11,519
asocial behaviors his inability to look
84
00:03:11,519 --> 00:03:13,680
people in the eye he's kind of really
85
00:03:13,680 --> 00:03:15,440
sensitive to touch he doesn't like to be
86
00:03:15,440 --> 00:03:17,760
touched he's very you know he's very
87
00:03:17,760 --> 00:03:20,319
focused on what he's doing these are all
88
00:03:20,319 --> 00:03:22,560
typical traits of somebody on the
89
00:03:22,560 --> 00:03:25,599
asperger's spectrum i can relate to this
90
00:03:25,599 --> 00:03:27,519
i mean if it's any help to you i mean
91
00:03:27,519 --> 00:03:30,640
that's probably very close to what i was
92
00:03:30,640 --> 00:03:32,879
in when i was his age okay that's
93
00:03:32,879 --> 00:03:34,080
amazing yeah
94
00:03:34,080 --> 00:03:36,159
and uh you know
95
00:03:36,159 --> 00:03:38,799
like him he struggles with this kind of
96
00:03:38,799 --> 00:03:40,560
being able to relate to other human
97
00:03:40,560 --> 00:03:42,959
beings and i've worked on it all my life
98
00:03:42,959 --> 00:03:45,840
and i think i've done okay and trying to
99
00:03:45,840 --> 00:03:48,879
be more social so not only can i relate
100
00:03:48,879 --> 00:03:51,680
to him as somebody who's a hacker but i
101
00:03:51,680 --> 00:03:53,200
can also relate to the kind of thing
102
00:03:53,200 --> 00:03:54,799
he's suffering with the things that he's
103
00:03:54,799 --> 00:03:56,879
trying to deal with in his everyday life
104
00:03:56,879 --> 00:03:59,200
obviously i love this show and if you
105
00:03:59,200 --> 00:04:01,200
want to if you want to know more about
106
00:04:01,200 --> 00:04:04,239
my personality you can see a lot of me
107
00:04:04,239 --> 00:04:06,640
in elliott and elliot is the main
108
00:04:06,640 --> 00:04:09,120
character elliot alderson you know we
109
00:04:09,120 --> 00:04:11,280
started off the show where he's
110
00:04:11,280 --> 00:04:14,799
basically working as a cyber security
111
00:04:14,799 --> 00:04:17,680
engineer for what he refers to as evil
112
00:04:17,680 --> 00:04:20,079
corp an evil corp is very large
113
00:04:20,079 --> 00:04:23,199
corporation who does a lot of bad stuff
114
00:04:23,199 --> 00:04:25,120
they're probably responsible for both
115
00:04:25,120 --> 00:04:28,000
the the death of his father and his best
116
00:04:28,000 --> 00:04:29,360
friend's
117
00:04:29,360 --> 00:04:30,240
mother
118
00:04:30,240 --> 00:04:32,400
angela and he you know he struggles with
119
00:04:32,400 --> 00:04:34,960
his idea that he's protecting this eagle
120
00:04:34,960 --> 00:04:37,199
this evil corporations his job is to
121
00:04:37,199 --> 00:04:40,160
protect some a company who he hates
122
00:04:40,160 --> 00:04:42,560
so we see this constant struggle in his
123
00:04:42,560 --> 00:04:45,120
personality of what and how he should do
124
00:04:45,120 --> 00:04:47,360
this that's kind of the beginning what
125
00:04:47,360 --> 00:04:49,440
we're gonna do today is we're going to
126
00:04:49,440 --> 00:04:52,880
address i think it's episode six season
127
00:04:52,880 --> 00:04:55,280
one episode six if i remember correctly
128
00:04:55,280 --> 00:04:56,800
that's right yeah
129
00:04:56,800 --> 00:04:58,800
and the reason i like this i i made sure
130
00:04:58,800 --> 00:05:00,160
about that so i made sure i watched it
131
00:05:00,160 --> 00:05:02,560
today to do my research so you did your
132
00:05:02,560 --> 00:05:04,639
research today as well yeah my research
133
00:05:04,639 --> 00:05:05,440
was
134
00:05:05,440 --> 00:05:07,919
enjoying watching uh mr robot which i
135
00:05:07,919 --> 00:05:10,240
could watch over and over and over again
136
00:05:10,240 --> 00:05:11,280
so
137
00:05:11,280 --> 00:05:13,600
i like this particular hack and
138
00:05:13,600 --> 00:05:16,000
those of you who know me and who are my
139
00:05:16,000 --> 00:05:18,479
students or have been to my website know
140
00:05:18,479 --> 00:05:19,360
that
141
00:05:19,360 --> 00:05:21,680
i think that scada
142
00:05:21,680 --> 00:05:24,639
ics is probably the most important area
143
00:05:24,639 --> 00:05:26,639
of hacking right now these are the
144
00:05:26,639 --> 00:05:29,120
systems that run the world every
145
00:05:29,120 --> 00:05:32,400
facility every refinery
146
00:05:32,400 --> 00:05:35,039
manufacturing facility electrical grid
147
00:05:35,039 --> 00:05:38,400
these are all run by industrial control
148
00:05:38,400 --> 00:05:40,639
systems and these industrial control
149
00:05:40,639 --> 00:05:43,759
systems are all run by what are called
150
00:05:43,759 --> 00:05:47,199
programmable logic controllers plc's
151
00:05:47,199 --> 00:05:50,000
these plcs are all very simple computers
152
00:05:50,000 --> 00:05:52,320
okay that allow the operator to
153
00:05:52,320 --> 00:05:54,400
basically you know open valves open
154
00:05:54,400 --> 00:05:56,639
doors closed doors
155
00:05:56,639 --> 00:05:58,479
it runs the
156
00:05:58,479 --> 00:06:00,720
industrial world i think it's been
157
00:06:00,720 --> 00:06:03,440
largely overlooked in terms of both
158
00:06:03,440 --> 00:06:06,880
security cyber security and the role
159
00:06:06,880 --> 00:06:10,160
that these plants will play in any kind
160
00:06:10,160 --> 00:06:12,000
of cyber war which you know we're in the
161
00:06:12,000 --> 00:06:14,479
middle of right now and we've seen
162
00:06:14,479 --> 00:06:17,280
the russians attack repeatedly the
163
00:06:17,280 --> 00:06:20,240
industrial control systems of ukraine
164
00:06:20,240 --> 00:06:22,400
and you know the russians are feeling a
165
00:06:22,400 --> 00:06:24,319
little bit coming back at them right now
166
00:06:24,319 --> 00:06:26,720
we won't go any deeper into it than that
167
00:06:26,720 --> 00:06:29,759
in this episode this is one of the most
168
00:06:29,759 --> 00:06:32,160
complex hacks that elliot does and
169
00:06:32,160 --> 00:06:34,240
there's a lot of reasons to like it one
170
00:06:34,240 --> 00:06:36,400
because it uses different technologies
171
00:06:36,400 --> 00:06:40,319
it ends up where he's trying to hack his
172
00:06:40,319 --> 00:06:42,960
girlfriend out of prison and of course
173
00:06:42,960 --> 00:06:45,840
the prisons are industrial control
174
00:06:45,840 --> 00:06:47,600
systems so what we're going to do is
175
00:06:47,600 --> 00:06:49,919
we're going to walk through what happens
176
00:06:49,919 --> 00:06:53,120
is elliott tries to hack shayla shayla
177
00:06:53,120 --> 00:06:54,160
has been
178
00:06:54,160 --> 00:06:57,680
kidnapped by the drug dealer vera is his
179
00:06:57,680 --> 00:07:01,440
name and vera is uh is an evil guy he's
180
00:07:01,440 --> 00:07:02,479
taken
181
00:07:02,479 --> 00:07:04,400
shayla and he's holding her hostage and
182
00:07:04,400 --> 00:07:07,120
he's told elliot that he's not gonna let
183
00:07:07,120 --> 00:07:08,479
shayla go
184
00:07:08,479 --> 00:07:10,880
until elliot hacks him out of prison and
185
00:07:10,880 --> 00:07:13,360
of course elliott says
186
00:07:13,360 --> 00:07:15,520
you got to be kidding right this is
187
00:07:15,520 --> 00:07:17,440
this is this is crazy i can't hack you
188
00:07:17,440 --> 00:07:19,120
out of prison yeah he did in one day as
189
00:07:19,120 --> 00:07:21,280
well is that right yeah exactly so one
190
00:07:21,280 --> 00:07:25,360
day so Vera was in jail and uh he's uh
191
00:07:25,360 --> 00:07:27,520
well shayla was hostage held hostage by
192
00:07:27,520 --> 00:07:29,360
his group is all right and he had to get
193
00:07:29,360 --> 00:07:31,919
vera out of jail but like tonight
194
00:07:31,919 --> 00:07:34,400
tonight yeah and he tells he tells vera
195
00:07:34,400 --> 00:07:36,400
i can't do that in one day
196
00:07:36,400 --> 00:07:38,400
and you know that's realistic i mean
197
00:07:38,400 --> 00:07:40,240
he's telling him that you know this kind
198
00:07:40,240 --> 00:07:43,360
of hack will take maybe weeks months
199
00:07:43,360 --> 00:07:45,520
vera's not buying it vera knows he's got
200
00:07:45,520 --> 00:07:47,919
to get out of jail tonight and he
201
00:07:47,919 --> 00:07:50,479
insists upon it uh and so elliot has to
202
00:07:50,479 --> 00:07:52,479
come up with a solution and the first
203
00:07:52,479 --> 00:07:55,680
solution he comes up with is that he has
204
00:07:55,680 --> 00:07:58,319
darlene darlene's his kind of sidekick i
205
00:07:58,319 --> 00:07:59,360
think that's what they used yeah the
206
00:07:59,360 --> 00:08:01,280
rubber ducky well they tried yeah they
207
00:08:01,280 --> 00:08:02,240
tried to
208
00:08:02,240 --> 00:08:04,240
essentially a rubber ducky yep i mean
209
00:08:04,240 --> 00:08:06,479
you can actually reprogram the firmware
210
00:08:06,479 --> 00:08:08,400
in any thumb drive to do what the rubber
211
00:08:08,400 --> 00:08:11,199
ducky does so rubber ducky is an example
212
00:08:11,199 --> 00:08:13,520
of a reprogrammed
213
00:08:13,520 --> 00:08:16,319
um thumb drive that when you put it you
214
00:08:16,319 --> 00:08:17,440
have to show us how to do that if you
215
00:08:17,440 --> 00:08:18,720
like take any thumb drive to do
216
00:08:18,720 --> 00:08:19,919
something like that maybe that's for
217
00:08:19,919 --> 00:08:21,759
another video that's for another video
218
00:08:21,759 --> 00:08:22,960
because that's beyond what we can do
219
00:08:22,960 --> 00:08:24,800
right here but yeah basically you have
220
00:08:24,800 --> 00:08:28,160
to upgrade the firmware on the
221
00:08:28,160 --> 00:08:32,320
thumb drive so that it appears to be a
222
00:08:32,320 --> 00:08:34,159
keyboard that's all it is there's all
223
00:08:34,159 --> 00:08:35,519
kinds of different thumb drives right
224
00:08:35,519 --> 00:08:37,519
and so your thumb drive normally the
225
00:08:37,519 --> 00:08:40,080
firmware in it tells your system that
226
00:08:40,080 --> 00:08:42,559
it's a storage device you can
227
00:08:42,559 --> 00:08:45,839
flash the firmware of the flash drive
228
00:08:45,839 --> 00:08:49,120
and give it the information that it is a
229
00:08:49,120 --> 00:08:51,760
keyboard and so now when it plugs when
230
00:08:51,760 --> 00:08:54,240
it plugs into your machine it's
231
00:08:54,240 --> 00:08:56,399
recognized as a keyboard and then the
232
00:08:56,399 --> 00:08:59,600
rubber ducky or the flash drive can send
233
00:08:59,600 --> 00:09:02,160
key strokes into the system so you can
234
00:09:02,160 --> 00:09:04,240
immediately start setting keystrokes in
235
00:09:04,240 --> 00:09:06,240
and do basically whatever you want with
236
00:09:06,240 --> 00:09:08,720
the system so you can program keystrokes
237
00:09:08,720 --> 00:09:10,800
already in there and that's the first
238
00:09:10,800 --> 00:09:13,519
attack that they try okay is that
239
00:09:13,519 --> 00:09:17,120
darlene put uses a exploit from
240
00:09:17,120 --> 00:09:19,120
i think they refer to the company as
241
00:09:19,120 --> 00:09:22,080
rapid9 which is kind of a reference to
242
00:09:22,080 --> 00:09:24,959
rapid seven who owns metasploit and
243
00:09:24,959 --> 00:09:27,600
elliott kind of scolds her and says hey
244
00:09:27,600 --> 00:09:29,600
you know what are you doing using you
245
00:09:29,600 --> 00:09:32,560
know a known exploit because it fails it
246
00:09:32,560 --> 00:09:35,360
fails because the antivirus detects it
247
00:09:35,360 --> 00:09:38,160
so let me back up a little bit darlene
248
00:09:38,160 --> 00:09:40,880
leaves these thumb drives all over the
249
00:09:40,880 --> 00:09:43,600
parking lot of the prison hoping that
250
00:09:43,600 --> 00:09:45,839
somebody will pick it up and put it in a
251
00:09:45,839 --> 00:09:47,920
machine inside the prison because
252
00:09:47,920 --> 00:09:51,360
elliott recognizes that prison systems
253
00:09:51,360 --> 00:09:54,080
are offline the problem he has is how do
254
00:09:54,080 --> 00:09:57,200
i get inside the prison network most
255
00:09:57,200 --> 00:10:00,160
scada systems are online prison systems
256
00:10:00,160 --> 00:10:02,240
and a few others are offline like things
257
00:10:02,240 --> 00:10:05,120
like dams and bridges and that type of
258
00:10:05,120 --> 00:10:07,279
thing usually they're offline but the
259
00:10:07,279 --> 00:10:09,760
prisons are offline so he realizes he
260
00:10:09,760 --> 00:10:12,480
has to get inside the network he can't
261
00:10:12,480 --> 00:10:14,560
reach it from the outside so the idea is
262
00:10:14,560 --> 00:10:17,279
to drop these rubber duckies like flash
263
00:10:17,279 --> 00:10:19,040
drives somebody will pick it up put it
264
00:10:19,040 --> 00:10:21,200
in the machine and in the show one of
265
00:10:21,200 --> 00:10:24,160
the guards does that as the commands
266
00:10:24,160 --> 00:10:26,160
within the flash drive are beginning to
267
00:10:26,160 --> 00:10:29,279
take over his antivirus detects it and
268
00:10:29,279 --> 00:10:32,160
stops it so that attack fails and one of
269
00:10:32,160 --> 00:10:35,200
the beauties okay of mr robot is it
270
00:10:35,200 --> 00:10:37,360
shows somebody failing in their attack
271
00:10:37,360 --> 00:10:40,880
right i mean most shows don't show that
272
00:10:40,880 --> 00:10:44,079
in reality hackers spend a lot of time
273
00:10:44,079 --> 00:10:46,560
on failed attacks in earlier episode we
274
00:10:46,560 --> 00:10:49,279
talked about the stuxnet attack and how
275
00:10:49,279 --> 00:10:52,880
that took three years and it failed many
276
00:10:52,880 --> 00:10:54,959
times during that three-year period and
277
00:10:54,959 --> 00:10:57,519
they kept on updating it to get it to
278
00:10:57,519 --> 00:11:00,399
work it's more realistic that you see
279
00:11:00,399 --> 00:11:01,839
somebody actually failing which you
280
00:11:01,839 --> 00:11:03,920
don't see in most movies and tv shows
281
00:11:03,920 --> 00:11:05,920
with hackers they always immediately get
282
00:11:05,920 --> 00:11:08,800
into the system in 30 seconds or less so
283
00:11:08,800 --> 00:11:11,120
he fails initially so he has to come up
284
00:11:11,120 --> 00:11:13,200
with a new plan just to ask you the
285
00:11:13,200 --> 00:11:16,320
question that rubber ducky piece was was
286
00:11:16,320 --> 00:11:18,399
real world is that right or close
287
00:11:18,399 --> 00:11:20,720
it's real world yeah it's the rubber
288
00:11:20,720 --> 00:11:22,399
ducky you can buy as you showed you can
289
00:11:22,399 --> 00:11:24,800
buy them at what Hak5 has i think
290
00:11:24,800 --> 00:11:27,200
yeah and but you can build your own
291
00:11:27,200 --> 00:11:29,120
either way there you know you can do it
292
00:11:29,120 --> 00:11:32,079
it's realistic and it fails because she
293
00:11:32,079 --> 00:11:34,880
used a known exploit that was detected
294
00:11:34,880 --> 00:11:37,120
by the av that's realistic if you use a
295
00:11:37,120 --> 00:11:38,959
known exploit it's going to get detected
296
00:11:38,959 --> 00:11:41,519
by the av now one of the things that she
297
00:11:41,519 --> 00:11:43,360
might have done in this at this
298
00:11:43,360 --> 00:11:45,120
particular point in time is she might
299
00:11:45,120 --> 00:11:48,160
have gone ahead and tried to obscure the
300
00:11:48,160 --> 00:11:50,800
exploit and try to get it past the av
301
00:11:50,800 --> 00:11:52,399
she complained that she said hey i
302
00:11:52,399 --> 00:11:53,920
didn't have time to do this you gave me
303
00:11:53,920 --> 00:11:55,920
like an hour to do it and she's right
304
00:11:55,920 --> 00:11:58,000
she couldn't build an exploit in an hour
305
00:11:58,000 --> 00:11:59,200
well one of the things that was also
306
00:11:59,200 --> 00:12:01,279
kind of interesting at this point is
307
00:12:01,279 --> 00:12:04,000
that notice that elliott is trying to
308
00:12:04,000 --> 00:12:06,639
ssh into the system that seemed kind of
309
00:12:06,639 --> 00:12:09,360
odd to me because if i were doing it and
310
00:12:09,360 --> 00:12:11,200
most hackers will do this is that
311
00:12:11,200 --> 00:12:13,760
they'll put in a reverse shell that will
312
00:12:13,760 --> 00:12:15,920
call back to him so instead of him
313
00:12:15,920 --> 00:12:17,760
calling in they have a reverse shell
314
00:12:17,760 --> 00:12:19,839
that'll call him and connect to him i
315
00:12:19,839 --> 00:12:21,519
thought that was kind of unusual that
316
00:12:21,519 --> 00:12:24,000
they they did it that way so elliot's got
317
00:12:24,000 --> 00:12:26,320
this problem now he's got hours just
318
00:12:26,320 --> 00:12:29,120
hours to be able to take down
319
00:12:29,120 --> 00:12:31,680
the prison system and so he still hasn't
320
00:12:31,680 --> 00:12:33,920
figured out how to get inside the
321
00:12:33,920 --> 00:12:36,880
network so he goes and visits vera in
322
00:12:36,880 --> 00:12:38,959
the prison and he takes his phone with
323
00:12:38,959 --> 00:12:42,480
him and he uses his phone to scan for
324
00:12:42,480 --> 00:12:44,800
all the wi-fi networks so he's using his
325
00:12:44,800 --> 00:12:45,839
phone
326
00:12:45,839 --> 00:12:48,240
and those of you who have used aircrack
327
00:12:48,240 --> 00:12:50,399
are familiar with this kind of scanner
328
00:12:50,399 --> 00:12:52,959
there's a number of android and iphone
329
00:12:52,959 --> 00:12:54,800
applications that'll do the same thing
330
00:12:54,800 --> 00:12:56,079
and what you can see here is that he's
331
00:12:56,079 --> 00:12:59,279
scanning on mon0 so that's the
332
00:12:59,279 --> 00:13:01,440
interface and notice that he's pulling
333
00:13:01,440 --> 00:13:03,760
up it says essids
334
00:13:03,760 --> 00:13:07,040
these are really the ssids these are
335
00:13:07,040 --> 00:13:10,320
essentially the mac addresses of all of
336
00:13:10,320 --> 00:13:13,279
the aps and the channel that they're in
337
00:13:13,279 --> 00:13:14,880
and their encryption and of course their
338
00:13:14,880 --> 00:13:18,240
power here he sees okay he goes back to
339
00:13:18,240 --> 00:13:20,480
his phone he sees oh damn they're all
340
00:13:20,480 --> 00:13:23,279
wpa2 it'll take me days to be able to
341
00:13:23,279 --> 00:13:24,959
crack it and that's that's accurate you
342
00:13:24,959 --> 00:13:27,519
can crack wpa2's but it's a
343
00:13:27,519 --> 00:13:30,000
time-consuming process can't do it in 30
344
00:13:30,000 --> 00:13:31,839
seconds or three minutes unless you
345
00:13:31,839 --> 00:13:33,200
watch my video where i show you how to do it
346
00:13:33,200 --> 00:13:34,720
in 15 seconds
347
00:13:34,720 --> 00:13:36,320
right exactly
348
00:13:36,320 --> 00:13:38,240
exactly with a gpu you know it's exactly
349
00:13:38,240 --> 00:13:40,160
right it really depends how lucky it
350
00:13:40,160 --> 00:13:43,519
depends really to be able to crack wpa2
351
00:13:43,519 --> 00:13:44,720
basically what you're doing is you're
352
00:13:44,720 --> 00:13:47,120
trying to take a word list and match the
353
00:13:47,120 --> 00:13:50,240
word list to the password of the system
354
00:13:50,240 --> 00:13:52,639
if somebody's used a very weak password
355
00:13:52,639 --> 00:13:55,279
you can potentially crack it in a matter
356
00:13:55,279 --> 00:13:57,680
of seconds or minutes i mean if they've
357
00:13:57,680 --> 00:14:00,240
used you know a password that's the same
358
00:14:00,240 --> 00:14:02,880
as the essid you might be able to do it
359
00:14:02,880 --> 00:14:04,560
in a matter of minutes but elliott looks
360
00:14:04,560 --> 00:14:06,240
at it and goes realistically says i
361
00:14:06,240 --> 00:14:08,399
can't do this i can't do this in hours i
362
00:14:08,399 --> 00:14:12,560
need to find another way into the system
363
00:14:12,560 --> 00:14:14,800
so he's trying to figure this out he's
364
00:14:14,800 --> 00:14:17,760
actually walking out of visiting vera at
365
00:14:17,760 --> 00:14:20,320
the jail and while he's walking out he
366
00:14:20,320 --> 00:14:24,160
sees on his screen that somebody is
367
00:14:24,160 --> 00:14:25,760
connected to
368
00:14:25,760 --> 00:14:28,880
the internal network inside the jail and
369
00:14:28,880 --> 00:14:31,680
it happens to be a police car so this
370
00:14:31,680 --> 00:14:34,160
gives him the idea if i can get inside
371
00:14:34,160 --> 00:14:37,600
of his system then i'll be inside of the
372
00:14:37,600 --> 00:14:40,079
prison's network so the question is how
373
00:14:40,079 --> 00:14:44,959
does it get inside the squad cars laptop
374
00:14:44,959 --> 00:14:47,199
and that's where we get to bluetooth
375
00:14:47,199 --> 00:14:48,560
just before we go there can i ask you
376
00:14:48,560 --> 00:14:51,360
about the wpa thing just quickly so
377
00:14:51,360 --> 00:14:53,839
reality versus movies which
378
00:14:53,839 --> 00:14:56,320
phone would you recommend is it android
379
00:14:56,320 --> 00:14:58,240
or android's gonna be the easiest to do
380
00:14:58,240 --> 00:14:59,440
this kind of stuff or do you install
381
00:14:59,440 --> 00:15:01,279
linux or something on a phone you can
382
00:15:01,279 --> 00:15:03,440
either install you know there's net
383
00:15:03,440 --> 00:15:06,959
hunter that is basically Kali on a phone
384
00:15:06,959 --> 00:15:08,959
or you can just there's applications you
385
00:15:08,959 --> 00:15:11,040
can just download both for the iphone
386
00:15:11,040 --> 00:15:13,279
and for android that'll do the scanning
387
00:15:13,279 --> 00:15:14,880
like in this picture that we just put up
388
00:15:14,880 --> 00:15:16,560
here it doesn't tell us what this is
389
00:15:16,560 --> 00:15:17,920
what the scanner it is but there's a
390
00:15:17,920 --> 00:15:19,440
number of them just go to the iphone
391
00:15:19,440 --> 00:15:22,160
store go to the at the google play store
392
00:15:22,160 --> 00:15:24,880
and look for wi-fi scanners and there's
393
00:15:24,880 --> 00:15:26,959
a whole slew of them that'll do this
394
00:15:26,959 --> 00:15:28,240
yeah so that's just showing you the
395
00:15:28,240 --> 00:15:30,079
networks available it's not showing it's
396
00:15:30,079 --> 00:15:31,519
not letting you crack them as all right
397
00:15:31,519 --> 00:15:32,880
or there's a specific app that you would
398
00:15:32,880 --> 00:15:34,800
use on a phone to crack at all i mean
399
00:15:34,800 --> 00:15:35,920
it's going to take forever so you're
400
00:15:35,920 --> 00:15:38,079
going to push that off to another to a
401
00:15:38,079 --> 00:15:40,160
gpu or something yeah what you want to do
402
00:15:40,160 --> 00:15:42,800
is you want to capture the handshake
403
00:15:42,800 --> 00:15:45,199
right so he's just scanning for the
404
00:15:45,199 --> 00:15:48,320
networks and then if you're using kali
405
00:15:48,320 --> 00:15:51,519
you want to go ahead and use airodump
406
00:15:51,519 --> 00:15:54,720
and airodump will allow you to capture
407
00:15:54,720 --> 00:15:58,399
the handshake between the client and the
408
00:15:58,399 --> 00:16:00,639
ap and then once you capture that
409
00:16:00,639 --> 00:16:03,440
handshake inside that handshake is the
410
00:16:03,440 --> 00:16:05,920
hash of the password and that's what you
411
00:16:05,920 --> 00:16:08,320
try to crack with he realizes that's not
412
00:16:08,320 --> 00:16:10,720
realistic he can't you can't do that so
413
00:16:10,720 --> 00:16:13,519
he realizes that the police car has a
414
00:16:13,519 --> 00:16:16,800
dedicated cellular connection to the
415
00:16:16,800 --> 00:16:19,600
network inside the jail he sees that
416
00:16:19,600 --> 00:16:22,000
when he's walking out of the jail and he
417
00:16:22,000 --> 00:16:24,959
sees that that police car is connected
418
00:16:24,959 --> 00:16:27,680
inside that network immediately says oh
419
00:16:27,680 --> 00:16:31,120
i have a path inside the network of the
420
00:16:31,120 --> 00:16:33,920
jail the path is i have to get inside
421
00:16:33,920 --> 00:16:37,360
the laptop inside the police car
422
00:16:37,360 --> 00:16:39,279
that's more difficult than you might
423
00:16:39,279 --> 00:16:41,040
think right maybe you do think it's
424
00:16:41,040 --> 00:16:43,120
difficult and it is difficult right so
425
00:16:43,120 --> 00:16:44,959
here's where you know things get a
426
00:16:44,959 --> 00:16:47,600
little sketchy here he's using
427
00:16:47,600 --> 00:16:50,880
hciconfig to scan for
428
00:16:50,880 --> 00:16:53,279
the bluetooth connections and let me
429
00:16:53,279 --> 00:16:54,959
show you how that works all right so
430
00:16:54,959 --> 00:16:56,639
what i've done is i've just downloaded
431
00:16:56,639 --> 00:17:00,480
BlueZ it's out of the repository at
432
00:17:00,480 --> 00:17:01,839
Kali
433
00:17:01,839 --> 00:17:04,319
and what it does is has multiple tools
434
00:17:04,319 --> 00:17:06,720
in it for bluetooth hacking okay and
435
00:17:06,720 --> 00:17:08,880
bluetooth manipulation what i've done is
436
00:17:08,880 --> 00:17:11,919
i've got actually an external linux
437
00:17:11,919 --> 00:17:14,799
bluetooth adapter in the system so once
438
00:17:14,799 --> 00:17:17,760
i have these tools embedded uh then i
439
00:17:17,760 --> 00:17:20,559
can go sudo and then it's hc this is
440
00:17:20,559 --> 00:17:22,880
what elliot's doing in the show hciconfig
441
00:17:22,880 --> 00:17:25,039
is just a tool similar to
442
00:17:25,039 --> 00:17:27,839
ifconfig that'll pull up all of the
443
00:17:27,839 --> 00:17:30,240
bluetooth connections and
444
00:17:30,240 --> 00:17:32,160
there it is it shows me that my
445
00:17:32,160 --> 00:17:34,960
bluetooth adapter and yours is probably
446
00:17:34,960 --> 00:17:37,280
going to say down when you start so you
447
00:17:37,280 --> 00:17:40,799
have to start it and do that you go sudo
448
00:17:40,799 --> 00:17:46,640
hciconfig just like with ifconfig go up
449
00:17:46,640 --> 00:17:48,240
and now you got it up and running you
450
00:17:48,240 --> 00:17:50,080
can see here's the mac address okay
451
00:17:50,080 --> 00:17:52,400
let's go back to the what uh did you say
452
00:17:52,400 --> 00:17:54,080
you've got a dedicated uh bluetooth
453
00:17:54,080 --> 00:17:55,840
adapter connected to your laptop i did
454
00:17:55,840 --> 00:17:57,520
if you can give me the device name i'll
455
00:17:57,520 --> 00:17:59,120
put a link below so people can go and
456
00:17:59,120 --> 00:18:00,480
buy that if they want
457
00:18:00,480 --> 00:18:02,480
this one is actually
458
00:18:02,480 --> 00:18:05,360
a panda you can buy them on amazon or
459
00:18:05,360 --> 00:18:07,840
egghead or any of the uh
460
00:18:07,840 --> 00:18:10,080
various electronics stores so look for
461
00:18:10,080 --> 00:18:12,240
ones that you know have bluetooth adapt
462
00:18:12,240 --> 00:18:14,320
and bluetooth drivers for some of the
463
00:18:14,320 --> 00:18:15,919
windows ones won't work some of them
464
00:18:15,919 --> 00:18:17,679
will tell you they'll work in both i've
465
00:18:17,679 --> 00:18:20,240
tried a number of them out and usually
466
00:18:20,240 --> 00:18:22,320
the windows ones simply won't work in
467
00:18:22,320 --> 00:18:24,559
linux so make sure you get a linux
468
00:18:24,559 --> 00:18:27,840
bluetooth adapter if you're running on a
469
00:18:27,840 --> 00:18:30,080
virtual machine like i am right now of
470
00:18:30,080 --> 00:18:31,520
course you have to go ahead and attach
471
00:18:31,520 --> 00:18:32,960
it so you got to go up here this is
472
00:18:32,960 --> 00:18:35,520
virtualbox got to go up to usb
473
00:18:35,520 --> 00:18:37,200
and then make sure that see it says your
474
00:18:37,200 --> 00:18:39,039
cambridge silicon radio that's the
475
00:18:39,039 --> 00:18:40,720
chipset it's actually this is
476
00:18:40,720 --> 00:18:42,480
manufactured by
477
00:18:42,480 --> 00:18:44,720
panda i believe you also want to make
478
00:18:44,720 --> 00:18:46,799
sure even before you get to this part if
479
00:18:46,799 --> 00:18:48,960
you want to go lsusb to make sure
480
00:18:48,960 --> 00:18:51,600
what's connected to your usb and you see
481
00:18:51,600 --> 00:18:53,039
i've got this is what's connected to my
482
00:18:53,039 --> 00:18:55,600
usb and here's my cambridge silicon
483
00:18:55,600 --> 00:18:57,760
radio of course cambridge is a british
484
00:18:57,760 --> 00:19:00,240
firm you see the ltd right there and
485
00:19:00,240 --> 00:19:02,320
then let's go ahead and clear our screen
486
00:19:02,320 --> 00:19:03,280
and so
487
00:19:03,280 --> 00:19:07,679
sudo hciconfig this let's look what it
488
00:19:07,679 --> 00:19:10,320
tells us it tells us is on a usb bus
489
00:19:10,320 --> 00:19:13,120
it's a primary type the name just like
490
00:19:13,120 --> 00:19:15,840
when you do ifconfig then it gives a
491
00:19:15,840 --> 00:19:18,440
name to the adapter and the name is
492
00:19:18,440 --> 00:19:21,840
hci0 yours might be hci1 it might be
493
00:19:21,840 --> 00:19:25,440
hci2 but usually it's going to be hci0
494
00:19:25,440 --> 00:19:29,520
just like your wlan is usually wlan0
495
00:19:29,520 --> 00:19:31,360
your ethernet adapter is going to be
496
00:19:31,360 --> 00:19:34,960
eth0 and then it gives you the address
497
00:19:34,960 --> 00:19:37,440
this is the mac address of the adapter
498
00:19:37,440 --> 00:19:39,760
so this is where he you see in the i go
499
00:19:39,760 --> 00:19:42,240
back to what he was showing on the show
500
00:19:42,240 --> 00:19:45,039
you can see right here hciconfig hci
501
00:19:45,039 --> 00:19:47,600
zero up he has two adapters he's going
502
00:19:47,600 --> 00:19:49,520
to the second one and taking it up as
503
00:19:49,520 --> 00:19:53,120
well and then he's got hciconfig and
504
00:19:53,120 --> 00:19:54,880
he's pulling up the information just
505
00:19:54,880 --> 00:19:56,720
like what we've done here what we want
506
00:19:56,720 --> 00:19:58,080
to do now
507
00:19:58,080 --> 00:20:02,080
is that within this group of bluetooth
508
00:20:02,080 --> 00:20:06,240
tools there's a tool called hcitool
509
00:20:06,240 --> 00:20:08,400
i'll just show you what it can do pull
510
00:20:08,400 --> 00:20:10,400
up the help screen and so of course this
511
00:20:10,400 --> 00:20:11,840
is the help screen as we're looking at
512
00:20:11,840 --> 00:20:14,240
right now and it'll display the local
513
00:20:14,240 --> 00:20:17,520
devices okay inquire and these remote
514
00:20:17,520 --> 00:20:20,640
devices it'll scan for remote devices
515
00:20:20,640 --> 00:20:22,559
and this is the next step that elliot
516
00:20:22,559 --> 00:20:24,559
does is that he goes and heads and uses
517
00:20:24,559 --> 00:20:25,760
this tool
518
00:20:25,760 --> 00:20:28,640
to scan for bluetooth devices in the
519
00:20:28,640 --> 00:20:30,799
area and there's a number of other
520
00:20:30,799 --> 00:20:32,960
things you can submit arbitrary hci
521
00:20:32,960 --> 00:20:35,840
commands you can do inquiries
522
00:20:35,840 --> 00:20:37,039
but right now we're going to kind of
523
00:20:37,039 --> 00:20:38,720
just do what elliot did and that's what
524
00:20:38,720 --> 00:20:42,480
he did is he went ahead and did hcitool
525
00:20:42,480 --> 00:20:44,000
scan
526
00:20:44,000 --> 00:20:45,679
and it begins to scan and what it's
527
00:20:45,679 --> 00:20:47,679
doing is it's looking for other
528
00:20:47,679 --> 00:20:51,520
bluetooth devices it pulls up one device
529
00:20:51,520 --> 00:20:53,360
and this is a these are the speaker
530
00:20:53,360 --> 00:20:55,679
system in my office let's go ahead and
531
00:20:55,679 --> 00:20:57,919
turn on some other bluetooth devices and
532
00:20:57,919 --> 00:20:59,039
see if we can
533
00:20:59,039 --> 00:21:01,120
see them as well it's really impressive
534
00:21:01,120 --> 00:21:02,960
that the show is so true though and i
535
00:21:02,960 --> 00:21:04,320
can see why you like it
536
00:21:04,320 --> 00:21:08,240
oh i i i love this show and so i'm glad
537
00:21:08,240 --> 00:21:09,360
that uh
538
00:21:09,360 --> 00:21:11,919
you uh had agreed to do the hacks
539
00:21:11,919 --> 00:21:13,440
because there's a lot of great hacks in
540
00:21:13,440 --> 00:21:15,200
this show no we've covered them all i
541
00:21:15,200 --> 00:21:16,799
think so let's just ask the audience do
542
00:21:16,799 --> 00:21:18,720
you want occupy the web to do like all
543
00:21:18,720 --> 00:21:20,640
of them just put in the comments below
544
00:21:20,640 --> 00:21:21,840
you know the ones that you really want
545
00:21:21,840 --> 00:21:23,760
to see and we can perhaps prioritize
546
00:21:23,760 --> 00:21:25,440
some over others i'm going to go ahead
547
00:21:25,440 --> 00:21:27,760
and try and do another scan i just
548
00:21:27,760 --> 00:21:30,640
turned on another another device
549
00:21:30,640 --> 00:21:32,960
this is very similar to like i said any
550
00:21:32,960 --> 00:21:34,720
type of scanning tool sometimes it's
551
00:21:34,720 --> 00:21:36,480
going to work sometimes it's not but you
552
00:21:36,480 --> 00:21:39,360
get the idea that it there we go okay i
553
00:21:39,360 --> 00:21:40,960
just turned on another another speaker
554
00:21:40,960 --> 00:21:43,200
system so this is what elliot's doing
555
00:21:43,200 --> 00:21:45,280
he's going out and he's scanning for
556
00:21:45,280 --> 00:21:48,159
these devices what he does is he finds
557
00:21:48,159 --> 00:21:51,280
the device the bluetooth device in the
558
00:21:51,280 --> 00:21:53,760
laptop of the police car then he does an
559
00:21:53,760 --> 00:21:57,280
hcitool inquiry let's do that sudo
560
00:21:57,280 --> 00:22:01,039
hcitool inquiry and this gives us even
561
00:22:01,039 --> 00:22:03,679
more information about the devices okay
562
00:22:03,679 --> 00:22:06,159
so it gives us the class and this is key
563
00:22:06,159 --> 00:22:09,200
if you go to the bluetooth websites the
564
00:22:09,200 --> 00:22:10,960
special interest group
565
00:22:10,960 --> 00:22:13,840
website so here's the devices and these
566
00:22:13,840 --> 00:22:16,559
are just the numbers okay and the
567
00:22:16,559 --> 00:22:19,679
classes of all the devices and this is
568
00:22:19,679 --> 00:22:21,360
kind of the key to
569
00:22:21,360 --> 00:22:23,919
hacking bluetooth is to understand that
570
00:22:23,919 --> 00:22:26,960
bluetooth devices are basically telling
571
00:22:26,960 --> 00:22:29,360
us what type of device they are here's
572
00:22:29,360 --> 00:22:30,480
another there's a better one i got
573
00:22:30,480 --> 00:22:32,080
another one up here for you and you can
574
00:22:32,080 --> 00:22:34,559
see the classes and the ones that we
575
00:22:34,559 --> 00:22:37,039
just pulled up a minute ago right were
576
00:22:37,039 --> 00:22:38,799
speakers these are all peripheral
577
00:22:38,799 --> 00:22:41,679
devices so when you connect to a
578
00:22:41,679 --> 00:22:44,480
bluetooth device it tells the other
579
00:22:44,480 --> 00:22:46,080
device that's trying to pair with it
580
00:22:46,080 --> 00:22:48,400
what type of a device it is is that a
581
00:22:48,400 --> 00:22:50,480
wearable headset is a joystick for
582
00:22:50,480 --> 00:22:52,240
nintendo like this one is here it's a
583
00:22:52,240 --> 00:22:54,799
portable game controller it communicates
584
00:22:54,799 --> 00:22:56,720
to the other device what it is notice
585
00:22:56,720 --> 00:22:58,880
that this one here is a keyboard its
586
00:22:58,880 --> 00:23:01,600
device is class zero zero two five four
587
00:23:01,600 --> 00:23:04,159
oh that means when you connect to this
588
00:23:04,159 --> 00:23:07,039
bluetooth device it says i'm a keyboard
589
00:23:07,039 --> 00:23:10,240
allow me to send keystrokes okay into
590
00:23:10,240 --> 00:23:12,559
your system and there's really no way
591
00:23:12,559 --> 00:23:14,720
for the system to check if that's real
592
00:23:14,720 --> 00:23:17,039
or not so this is what elliot takes
593
00:23:17,039 --> 00:23:19,120
advantage of in the show he uses a
594
00:23:19,120 --> 00:23:21,360
device called multi-blue they don't
595
00:23:21,360 --> 00:23:23,679
manufacture them anymore unfortunately
596
00:23:23,679 --> 00:23:25,840
but basically what it is is this base
597
00:23:25,840 --> 00:23:28,159
it's a bluetooth device that
598
00:23:28,159 --> 00:23:31,280
communicates okay that i am a keyboard
599
00:23:31,280 --> 00:23:33,360
if you have a bluetooth based keyboard
600
00:23:33,360 --> 00:23:34,799
i'm working on a bluetooth keyboard
601
00:23:34,799 --> 00:23:36,320
right now in this show that's what this
602
00:23:36,320 --> 00:23:39,679
device does okay it says i'm a keyboard
603
00:23:39,679 --> 00:23:43,120
let me send keyboard keystrokes to you
604
00:23:43,120 --> 00:23:45,440
the other end of the connection elliot
605
00:23:45,440 --> 00:23:47,760
uses this which used to cost i think i
606
00:23:47,760 --> 00:23:49,760
bought mine for about 35 dollars but
607
00:23:49,760 --> 00:23:52,799
basically once again it's a bluetooth
608
00:23:52,799 --> 00:23:56,559
dongle that has been basically flashed
609
00:23:56,559 --> 00:23:59,600
with a different class okay a class that
610
00:23:59,600 --> 00:24:03,520
says hey i am a keyboard so elliot what
611
00:24:03,520 --> 00:24:06,799
he does is that he gets darlene to kind
612
00:24:06,799 --> 00:24:08,799
of flirt with the cops it's social
613
00:24:08,799 --> 00:24:11,279
engineering elliot is standing is in a
614
00:24:11,279 --> 00:24:14,480
car nearby okay bluetooth has the
615
00:24:14,480 --> 00:24:17,279
capability of connecting up to like a
616
00:24:17,279 --> 00:24:20,000
hundred meters he's within that range
617
00:24:20,000 --> 00:24:21,840
and he's able to connect to the
618
00:24:21,840 --> 00:24:25,600
bluetooth device in the police car he
619
00:24:25,600 --> 00:24:28,799
uses a tool called spooftooph it's also
620
00:24:28,799 --> 00:24:30,159
i believe spooftooph is in the
621
00:24:30,159 --> 00:24:32,640
repository so let's just quickly take a
622
00:24:32,640 --> 00:24:35,760
look and see if it is and let's put in
623
00:24:35,760 --> 00:24:37,679
install in there there it is it's
624
00:24:37,679 --> 00:24:39,600
already installed on my system just like
625
00:24:39,600 --> 00:24:41,840
you can spoof an ip address so you can
626
00:24:41,840 --> 00:24:44,480
spoof a mac address it allows you to
627
00:24:44,480 --> 00:24:45,600
spoof
628
00:24:45,600 --> 00:24:48,880
a bluetooth device so what elliot does
629
00:24:48,880 --> 00:24:51,679
is that he goes and spoofs the mac
630
00:24:51,679 --> 00:24:54,080
address of one of these devices in the
631
00:24:54,080 --> 00:24:56,799
policeman's car does a scan like we did
632
00:24:56,799 --> 00:24:58,880
here he gets the mac address off the
633
00:24:58,880 --> 00:25:01,440
bluetooth in the cop car and then he
634
00:25:01,440 --> 00:25:03,679
spoofs it okay here's the synopsis
635
00:25:03,679 --> 00:25:07,679
bluetooth dash i device and then specify
636
00:25:07,679 --> 00:25:10,960
a new bd_addr right that's what we want
637
00:25:10,960 --> 00:25:13,440
to do let's go ahead and create this
638
00:25:13,440 --> 00:25:16,159
it's pasting in the mac address and then
639
00:25:16,159 --> 00:25:18,240
it's the uh
640
00:25:18,240 --> 00:25:20,640
dash n for name right here specify the
641
00:25:20,640 --> 00:25:23,600
new name okay dash n and then it's
642
00:25:23,600 --> 00:25:25,039
going to be car
643
00:25:25,039 --> 00:25:27,120
five five three seven so what we're
644
00:25:27,120 --> 00:25:29,200
doing is we're assigning a new mac
645
00:25:29,200 --> 00:25:31,600
address and a new name for that device
646
00:25:31,600 --> 00:25:34,159
and you see it came back and said hey
647
00:25:34,159 --> 00:25:36,480
address has been changed oh
648
00:25:36,480 --> 00:25:38,559
and it came back we said the address was
649
00:25:38,559 --> 00:25:40,559
changed but it can't open the device no
650
00:25:40,559 --> 00:25:42,320
such device it dropped the device it
651
00:25:42,320 --> 00:25:44,159
looks like so let's try reconnecting it
652
00:25:44,159 --> 00:25:46,240
again yeah see it's dropped the
653
00:25:46,240 --> 00:25:48,559
cambridge silicon radio let's go ahead
654
00:25:48,559 --> 00:25:50,000
and try that again
655
00:25:50,000 --> 00:25:51,279
i think the lesson is like you've always
656
00:25:51,279 --> 00:25:53,120
said it's um stuff doesn't work
657
00:25:53,120 --> 00:25:54,640
perfectly the first time that's reality
658
00:25:54,640 --> 00:25:57,919
versus tv yeah exactly yeah this is and
659
00:25:57,919 --> 00:26:00,720
this is actually a notice here that it's
660
00:26:00,720 --> 00:26:02,640
down when i want to reconnect it again
661
00:26:02,640 --> 00:26:03,840
it's down
662
00:26:03,840 --> 00:26:06,240
so what we have to do is go
663
00:26:06,240 --> 00:26:09,600
hciconfig
664
00:26:09,600 --> 00:26:10,480
i
665
00:26:10,480 --> 00:26:11,520
zero
666
00:26:11,520 --> 00:26:12,960
up
667
00:26:12,960 --> 00:26:14,640
all right
668
00:26:14,640 --> 00:26:17,840
okay now when i do hciconfig you'll see
669
00:26:17,840 --> 00:26:20,240
that it's
670
00:26:20,640 --> 00:26:22,159
reality and that's i'm glad to see you
671
00:26:22,159 --> 00:26:23,679
doing this because it
672
00:26:23,679 --> 00:26:25,919
it's reality for all of us yeah yeah so
673
00:26:25,919 --> 00:26:27,679
there it is up and running all right so
674
00:26:27,679 --> 00:26:29,600
we're going to try this command again to
675
00:26:29,600 --> 00:26:31,600
be able to spoof this so we're going to
676
00:26:31,600 --> 00:26:35,039
go ahead and run the hcitool and then
677
00:26:35,039 --> 00:26:36,720
we're going to scan
678
00:26:36,720 --> 00:26:38,400
one of the things that i have found is
679
00:26:38,400 --> 00:26:40,320
that by using a here we go we got both
680
00:26:40,320 --> 00:26:42,559
of those devices sometimes the virtual
681
00:26:42,559 --> 00:26:44,880
machines will drop the devices that are
682
00:26:44,880 --> 00:26:46,720
external okay and that's what we're
683
00:26:46,720 --> 00:26:48,559
dealing with here but so we got both of
684
00:26:48,559 --> 00:26:50,480
them up we scanned imagine that one of
685
00:26:50,480 --> 00:26:53,279
these is car 57 all right and then what
686
00:26:53,279 --> 00:26:54,400
we're going to do is then we're going to
687
00:26:54,400 --> 00:26:55,360
try to
688
00:26:55,360 --> 00:26:59,200
spoof it we're using hci0 as our device
689
00:26:59,200 --> 00:27:01,440
name this is the mac address we're
690
00:27:01,440 --> 00:27:02,880
trying to spoof and we're going to name
691
00:27:02,880 --> 00:27:07,600
it car 357 hopefully virtualbox doesn't
692
00:27:07,600 --> 00:27:09,600
drop our adapter let's go ahead and do
693
00:27:09,600 --> 00:27:11,120
it it just dropped it i could hear the
694
00:27:11,120 --> 00:27:13,039
sound of it dropping it it did change
695
00:27:13,039 --> 00:27:15,440
the address you can see that the device
696
00:27:15,440 --> 00:27:17,360
has been changed to
697
00:27:17,360 --> 00:27:21,000
7c 96d208
698
00:27:21,120 --> 00:27:24,240
and if we didn't drop the adapter we it
699
00:27:24,240 --> 00:27:27,120
would also rename it so that it appears
700
00:27:27,120 --> 00:27:29,760
not only does it appear technically by
701
00:27:29,760 --> 00:27:31,840
the mac address but it also has a name
702
00:27:31,840 --> 00:27:34,320
that is recognizable human readable name
703
00:27:34,320 --> 00:27:36,559
that would be recognized by the police
704
00:27:36,559 --> 00:27:38,960
officer so this is the way that he goes
705
00:27:38,960 --> 00:27:42,320
ahead and spoofs the bluetooth device
706
00:27:42,320 --> 00:27:44,720
now this particular hack was done in oh
707
00:27:44,720 --> 00:27:47,120
about 2014 and some of the early
708
00:27:47,120 --> 00:27:49,760
bluetooth you could do this type of
709
00:27:49,760 --> 00:27:52,559
spoofing in the more recent bluetooth
710
00:27:52,559 --> 00:27:53,840
you're going to have more difficulty
711
00:27:53,840 --> 00:27:55,840
doing this because they're going to be
712
00:27:55,840 --> 00:27:57,760
able to spoof it you're going to have to
713
00:27:57,760 --> 00:27:59,760
pair them and even though you spoofed
714
00:27:59,760 --> 00:28:01,360
the device name in the mac address
715
00:28:01,360 --> 00:28:02,720
you're still going to have to pair them
716
00:28:02,720 --> 00:28:04,559
so there's going to be one extra step
717
00:28:04,559 --> 00:28:06,960
there that they don't show in the show
718
00:28:06,960 --> 00:28:11,120
so he's now got himself inside the
719
00:28:11,120 --> 00:28:14,159
police car's laptop so was he spoofing
720
00:28:14,159 --> 00:28:16,320
the the keyboard is that right and uh
721
00:28:16,320 --> 00:28:17,440
that's what he was trying to do is that
722
00:28:17,440 --> 00:28:20,080
correct he's he's taking the keyboard
723
00:28:20,080 --> 00:28:23,600
that multi-blue device and he's making
724
00:28:23,600 --> 00:28:26,720
the laptop believe that it's a bluetooth
725
00:28:26,720 --> 00:28:28,880
device that's already connected to his
726
00:28:28,880 --> 00:28:30,799
system because normally when you want to
727
00:28:30,799 --> 00:28:32,880
connect a bluetooth device you have to
728
00:28:32,880 --> 00:28:35,039
pair it right you have the pairing
729
00:28:35,039 --> 00:28:36,080
process
730
00:28:36,080 --> 00:28:39,039
what he's doing is saying okay i am the
731
00:28:39,039 --> 00:28:42,480
device that's already been paired on the
732
00:28:42,480 --> 00:28:45,440
laptop and then once he has that pairing
733
00:28:45,440 --> 00:28:48,320
taking place now he can use this device
734
00:28:48,320 --> 00:28:51,600
to inject commands into the cop car's
735
00:28:51,600 --> 00:28:53,600
laptop and that's where things get
736
00:28:53,600 --> 00:28:55,840
interesting and maybe a little bit
737
00:28:55,840 --> 00:28:58,799
unrealistic so what he's doing now is
738
00:28:58,799 --> 00:29:02,000
that now once he's inside the cop car's
739
00:29:02,000 --> 00:29:06,159
laptop he's inside the network of the
740
00:29:06,159 --> 00:29:08,960
detention center of the jail so now what
741
00:29:08,960 --> 00:29:11,120
he has to do is he has to be able to
742
00:29:11,120 --> 00:29:15,679
inject commands into the prison the jail
743
00:29:15,679 --> 00:29:17,919
to be able to open up the doors this is
744
00:29:17,919 --> 00:29:20,320
a little bit unrealistic normally what
745
00:29:20,320 --> 00:29:22,320
you would do in a situation like this is
746
00:29:22,320 --> 00:29:24,159
you would go and you would find the
747
00:29:24,159 --> 00:29:26,559
wiring diagram for
748
00:29:26,559 --> 00:29:28,080
that particular device and they're
749
00:29:28,080 --> 00:29:30,080
almost all online there's a block
750
00:29:30,080 --> 00:29:33,279
diagram of the plc these are almost all
751
00:29:33,279 --> 00:29:36,000
the same the diagram is the same here's
752
00:29:36,000 --> 00:29:38,399
a here's the one that's often used in
753
00:29:38,399 --> 00:29:40,720
the prison system this is a siemens
754
00:29:40,720 --> 00:29:43,760
simatic s7 1500 which was actually the
755
00:29:43,760 --> 00:29:46,960
same one that was used in the
756
00:29:46,960 --> 00:29:49,120
stuxnet attack so that's what was used
757
00:29:49,120 --> 00:29:50,399
to open and close the doors in the
758
00:29:50,399 --> 00:29:51,919
prison in the movie so called yeah this
759
00:29:51,919 --> 00:29:53,520
is what's open and closed the doors in
760
00:29:53,520 --> 00:29:55,279
the prison right so these are just
761
00:29:55,279 --> 00:29:57,679
programmable logic controllers this is
762
00:29:57,679 --> 00:29:59,919
one of the most widely used in the world
763
00:29:59,919 --> 00:30:02,399
here's a prison diagram this is a
764
00:30:02,399 --> 00:30:04,880
typical prison diagram each one of these
765
00:30:04,880 --> 00:30:07,039
are housing pods and then there's an
766
00:30:07,039 --> 00:30:09,039
equipment room which usually contains
767
00:30:09,039 --> 00:30:11,760
these plc's and a con central control
768
00:30:11,760 --> 00:30:13,520
inside this equipment room this is where
769
00:30:13,520 --> 00:30:16,080
the plc's are and they control the
770
00:30:16,080 --> 00:30:18,880
opening and closing of the doors in the
771
00:30:18,880 --> 00:30:20,480
prison now all of this kind of
772
00:30:20,480 --> 00:30:22,320
information is available online if you
773
00:30:22,320 --> 00:30:24,559
look in the right places no matter who's
774
00:30:24,559 --> 00:30:27,760
making these devices they provide this
775
00:30:27,760 --> 00:30:29,440
kind of detail
776
00:30:29,440 --> 00:30:32,640
about their systems so that the users
777
00:30:32,640 --> 00:30:35,440
can program them properly maintain them
778
00:30:35,440 --> 00:30:37,840
properly this is basically a simple
779
00:30:37,840 --> 00:30:40,559
diagram of the opening and closing of
780
00:30:40,559 --> 00:30:43,279
the doors within this prison elliot
781
00:30:43,279 --> 00:30:45,039
could do this right but it still would
782
00:30:45,039 --> 00:30:48,399
have taken him days weeks months to do
783
00:30:48,399 --> 00:30:50,799
this process and he does it in a matter
784
00:30:50,799 --> 00:30:53,039
of hours it is possible it's out there
785
00:30:53,039 --> 00:30:54,880
right if you go to the you know you go
786
00:30:54,880 --> 00:30:56,880
to the manufacturer's websites and
787
00:30:56,880 --> 00:30:58,720
usually this will be included in a
788
00:30:58,720 --> 00:31:01,360
document that'll be like 150 pages long
789
00:31:01,360 --> 00:31:03,440
a pdf document that you can go ahead and
790
00:31:03,440 --> 00:31:05,279
dig through and figure out how these
791
00:31:05,279 --> 00:31:07,519
systems actually work and then the next
792
00:31:07,519 --> 00:31:09,760
step he has to do is that he has to go
793
00:31:09,760 --> 00:31:14,240
ahead and write a ladder logic program
794
00:31:14,240 --> 00:31:17,519
to control the plc's ladder logic looks
795
00:31:17,519 --> 00:31:19,279
something like this here
796
00:31:19,279 --> 00:31:22,240
i teach ladder logic in my scada class
797
00:31:22,240 --> 00:31:24,960
and we use a trilogy which is a
798
00:31:24,960 --> 00:31:26,320
training
799
00:31:26,320 --> 00:31:29,279
educational software for doing ladder
800
00:31:29,279 --> 00:31:32,799
logic this is simple logic to run the
801
00:31:32,799 --> 00:31:35,039
various devices in a plant so you're
802
00:31:35,039 --> 00:31:36,880
reading a device waiting for the
803
00:31:36,880 --> 00:31:38,640
information to come then you're opening
804
00:31:38,640 --> 00:31:40,559
a valve or closing a valve this
805
00:31:40,559 --> 00:31:42,240
particular circuit right here is running
806
00:31:42,240 --> 00:31:44,159
it and then it takes a step through and
807
00:31:44,159 --> 00:31:46,399
it waits five seconds on the clock and
808
00:31:46,399 --> 00:31:48,880
then it makes a manual decision okay
809
00:31:48,880 --> 00:31:51,279
either open or close and it finishes
810
00:31:51,279 --> 00:31:53,039
that circuit and then it goes through
811
00:31:53,039 --> 00:31:54,880
another it goes through each one of this
812
00:31:54,880 --> 00:31:57,440
is called ladder logic because it goes
813
00:31:57,440 --> 00:31:59,519
through this circuit and then this
814
00:31:59,519 --> 00:32:01,840
circuit and then this circuit so this is
815
00:32:01,840 --> 00:32:05,120
really relatively simple stuff the only
816
00:32:05,120 --> 00:32:07,279
issue is that you have to understand
817
00:32:07,279 --> 00:32:09,600
what circuits you're actually working
818
00:32:09,600 --> 00:32:11,519
with within the system and that's why
819
00:32:11,519 --> 00:32:14,159
it's really unrealistic to expect that
820
00:32:14,159 --> 00:32:16,960
elliot did that in a matter of hours
821
00:32:16,960 --> 00:32:19,200
one of the things that could be done
822
00:32:19,200 --> 00:32:21,360
okay is that you could just throw
823
00:32:21,360 --> 00:32:23,840
scatter a bunch of commands into the
824
00:32:23,840 --> 00:32:26,399
system and see what happens right that's
825
00:32:26,399 --> 00:32:28,799
a possibility but that would probably be
826
00:32:28,799 --> 00:32:30,720
detected now i will just kind of give
827
00:32:30,720 --> 00:32:33,200
you a hint that you know that's
828
00:32:33,200 --> 00:32:36,480
something that can be used in cyber war
829
00:32:36,480 --> 00:32:38,720
is that you can just send random
830
00:32:38,720 --> 00:32:41,039
commands into these systems and see what
831
00:32:41,039 --> 00:32:43,360
happens and if it explodes then you know
832
00:32:43,360 --> 00:32:46,240
you did the right thing
833
00:32:46,240 --> 00:32:47,840
what's unrealistic about that is he's
834
00:32:47,840 --> 00:32:50,720
connected via this uh bluetooth keyboard
835
00:32:50,720 --> 00:32:53,120
or a fake keyboard and he's injected
836
00:32:53,120 --> 00:32:54,640
he's injecting a whole bunch of stuff
837
00:32:54,640 --> 00:32:56,000
with no visibility of what's on the
838
00:32:56,000 --> 00:32:58,240
other side is that right right he has
839
00:32:58,240 --> 00:33:00,159
the only visibility he has is that he
840
00:33:00,159 --> 00:33:02,720
could pull up this schematic this would
841
00:33:02,720 --> 00:33:04,720
be available to him he could pull this
842
00:33:04,720 --> 00:33:07,039
up online and find the schematic and you
843
00:33:07,039 --> 00:33:08,960
can see that all the circuits are
844
00:33:08,960 --> 00:33:11,360
detailed here as you can see door fully
845
00:33:11,360 --> 00:33:17,120
open l3 ls3 ls2 is device fully locked
846
00:33:17,120 --> 00:33:20,399
ls4 is the door fully closed and then we
847
00:33:20,399 --> 00:33:22,440
have speeds our
848
00:33:22,440 --> 00:33:26,399
ls5 and ls6 so this is available to him
849
00:33:26,399 --> 00:33:29,360
online but then he has to write the
850
00:33:29,360 --> 00:33:32,159
ladder logic to be able to control each
851
00:33:32,159 --> 00:33:35,279
one of these various circuits to be able
852
00:33:35,279 --> 00:33:37,840
to open and close the doors and notice
853
00:33:37,840 --> 00:33:40,000
that in the show he talks about well
854
00:33:40,000 --> 00:33:42,399
let's open up all of the doors and that
855
00:33:42,399 --> 00:33:44,399
way nobody nobody will be able to
856
00:33:44,399 --> 00:33:46,960
connect this to me or you all this
857
00:33:46,960 --> 00:33:49,519
information is usually available online
858
00:33:49,519 --> 00:33:51,200
this is available for one particular
859
00:33:51,200 --> 00:33:53,519
prison system that i found online it's
860
00:33:53,519 --> 00:33:55,200
crazy that you can just find this stuff
861
00:33:55,200 --> 00:33:56,799
they've got to do this for their clients
862
00:33:56,799 --> 00:33:59,679
right and no matter what plc you're
863
00:33:59,679 --> 00:34:01,919
talking about whether it be siemens or
864
00:34:01,919 --> 00:34:04,080
schneider electric they have these these
865
00:34:04,080 --> 00:34:07,519
diagrams these pdfs online that give you
866
00:34:07,519 --> 00:34:09,520
a total breakdown of how the system
867
00:34:09,520 --> 00:34:11,280
works let's take a look at one of the
868
00:34:11,280 --> 00:34:13,359
things that one of the things i did is
869
00:34:13,359 --> 00:34:16,480
use some google dorks to find some of
870
00:34:16,480 --> 00:34:19,520
those simatic plc's here's the dork i
871
00:34:19,520 --> 00:34:22,639
used right here inurl portal portal
872
00:34:22,639 --> 00:34:26,639
mwlf mwsl these are plc's that are
873
00:34:26,639 --> 00:34:29,679
connected via tcp/ip right that's why we
874
00:34:29,679 --> 00:34:31,520
can connect to them we can go ahead and
875
00:34:31,520 --> 00:34:33,918
find these things online and let's find
876
00:34:33,918 --> 00:34:36,480
this one right here here it is anybody
877
00:34:36,480 --> 00:34:38,239
anywhere in the world can connect to
878
00:34:38,239 --> 00:34:41,359
this s7 1200 remember the one we looked
879
00:34:41,359 --> 00:34:44,000
at a little little while ago was the s7
880
00:34:44,000 --> 00:34:46,800
1500 it's a similar model not exactly
881
00:34:46,800 --> 00:34:49,040
the same but we can go ahead and look at
882
00:34:49,040 --> 00:34:52,079
its diagnostics we can get its serial
883
00:34:52,079 --> 00:34:54,399
number so we know exactly
884
00:34:54,399 --> 00:34:57,280
what plc this is we know its hardware
885
00:34:57,280 --> 00:34:59,760
number we know what firmware is running
886
00:34:59,760 --> 00:35:02,079
and this is without even logging in you
887
00:35:02,079 --> 00:35:03,520
literally just typed something in google
888
00:35:03,520 --> 00:35:06,720
and you found this yeah exactly just
889
00:35:06,720 --> 00:35:09,200
here it is right here it's just
890
00:35:09,200 --> 00:35:11,440
used when you go back and show you just
891
00:35:11,440 --> 00:35:12,960
for everyone watching i've had to blur
892
00:35:12,960 --> 00:35:15,280
this because of youtube rules so upload
893
00:35:15,280 --> 00:35:16,880
a lot of this
894
00:35:16,880 --> 00:35:18,079
but the information is there no don't
895
00:35:18,079 --> 00:35:19,839
worry we'll just blur it out we didn't
896
00:35:19,839 --> 00:35:22,320
hack it okay this is this is available
897
00:35:22,320 --> 00:35:24,560
to anybody this is just the portal that
898
00:35:24,560 --> 00:35:27,359
the plc provides to its users and so
899
00:35:27,359 --> 00:35:29,760
what we're doing is just using the same
900
00:35:29,760 --> 00:35:32,000
portal and notice that we haven't logged
901
00:35:32,000 --> 00:35:33,920
in right this is what's into this is
902
00:35:33,920 --> 00:35:35,599
what's available it's like a website
903
00:35:35,599 --> 00:35:37,440
yeah it's like going to a website
904
00:35:37,440 --> 00:35:38,960
exactly i haven't logged into the
905
00:35:38,960 --> 00:35:41,200
anything okay you see it looks like this
906
00:35:41,200 --> 00:35:42,000
is
907
00:35:42,000 --> 00:35:44,640
a czech system that looks like czech to
908
00:35:44,640 --> 00:35:47,359
me so it's it's amazing that all of this
909
00:35:47,359 --> 00:35:49,920
stuff is addresses it's crazy
910
00:35:49,920 --> 00:35:50,800
yeah
911
00:35:50,800 --> 00:35:52,960
and here's the watch tables
912
00:35:52,960 --> 00:35:55,760
user-defined pages the home page of the
913
00:35:55,760 --> 00:35:58,320
application okay takes us back to the
914
00:35:58,320 --> 00:36:00,960
plant so we can get more information
915
00:36:00,960 --> 00:36:02,640
that looks like czech to me i don't know
916
00:36:02,640 --> 00:36:04,640
but i don't read czech but it looks like
917
00:36:04,640 --> 00:36:06,800
it in any case so here's this is just
918
00:36:06,800 --> 00:36:09,760
one siemens and this is one that is has
919
00:36:09,760 --> 00:36:12,560
the portal available to for the
920
00:36:12,560 --> 00:36:14,720
maintenance and control of this
921
00:36:14,720 --> 00:36:17,200
particular plc i don't know what plant
922
00:36:17,200 --> 00:36:19,359
this is connected to but these are
923
00:36:19,359 --> 00:36:22,079
available online for anybody who wants
924
00:36:22,079 --> 00:36:23,839
to go ahead and read them so this puts
925
00:36:23,839 --> 00:36:26,400
the here it is looks like it's farmer
926
00:36:26,400 --> 00:36:28,960
custom fructo plant i guess this is all
927
00:36:28,960 --> 00:36:30,640
going to get blurred out
928
00:36:30,640 --> 00:36:32,160
yeah we'll have to blur it out but i
929
00:36:32,160 --> 00:36:34,079
think the the point is on the previous
930
00:36:34,079 --> 00:36:35,920
video where we spoke about scada we had
931
00:36:35,920 --> 00:36:37,760
some comments like we don't connect our
932
00:36:37,760 --> 00:36:39,440
scada systems to the internet and
933
00:36:39,440 --> 00:36:40,720
you've just shown
934
00:36:40,720 --> 00:36:42,960
like there there's one straight away it
935
00:36:42,960 --> 00:36:45,760
took you like five seconds yeah yeah
936
00:36:45,760 --> 00:36:47,920
there there are millions of them
937
00:36:47,920 --> 00:36:49,760
connected to the internet now
938
00:36:49,760 --> 00:36:51,920
i give the people who said that credit
939
00:36:51,920 --> 00:36:54,960
that theirs are not okay so some plants
940
00:36:54,960 --> 00:36:58,000
are not but most of them are online like
941
00:36:58,000 --> 00:37:00,160
the prison the prison is offline for
942
00:37:00,160 --> 00:37:01,760
good reason right
943
00:37:01,760 --> 00:37:03,760
you know the prison so that's what made
944
00:37:03,760 --> 00:37:06,560
elliot's job so much more difficult is
945
00:37:06,560 --> 00:37:09,440
that he had to get inside the network
946
00:37:09,440 --> 00:37:11,359
but many of them you don't have to get
947
00:37:11,359 --> 00:37:14,880
inside the network not only can you see
948
00:37:14,880 --> 00:37:17,200
them through their portal but you can
949
00:37:17,200 --> 00:37:19,520
connect to them through their
950
00:37:19,520 --> 00:37:21,040
maintenance
951
00:37:21,040 --> 00:37:25,040
port and send commands in and be able to
952
00:37:25,040 --> 00:37:26,880
read memory so you can pull out the
953
00:37:26,880 --> 00:37:29,119
memory contents you can send commands in
954
00:37:29,119 --> 00:37:31,839
to many of them and so this is why i'm
955
00:37:31,839 --> 00:37:34,800
so concerned about scada is that so many
956
00:37:34,800 --> 00:37:37,599
of these facilities are online and
957
00:37:37,599 --> 00:37:39,599
they're not well protected and this is a
958
00:37:39,599 --> 00:37:41,839
good example of one that anybody could
959
00:37:41,839 --> 00:37:44,000
go ahead and just pull up online and
960
00:37:44,000 --> 00:37:45,920
there's literally millions of them and
961
00:37:45,920 --> 00:37:47,920
you can use shodan to find them you
962
00:37:47,920 --> 00:37:50,160
can use you know google dorks to find
963
00:37:50,160 --> 00:37:52,560
them and you can connect right to them
964
00:37:52,560 --> 00:37:55,040
and and pull all the information you
965
00:37:55,040 --> 00:37:57,920
need to be able to then go ahead and
966
00:37:57,920 --> 00:38:00,400
study how they operate get the
967
00:38:00,400 --> 00:38:03,119
schematics for it and then be able to
968
00:38:03,119 --> 00:38:05,359
read its memory and many of them you can
969
00:38:05,359 --> 00:38:07,520
read their memory and get the passwords
970
00:38:07,520 --> 00:38:10,320
that are built into memory just like
971
00:38:10,320 --> 00:38:12,400
mimikatz so mimikatz if you're not
972
00:38:12,400 --> 00:38:15,040
familiar with it folks is a tool that
973
00:38:15,040 --> 00:38:17,760
allows you to pull the memory out of
974
00:38:17,760 --> 00:38:20,240
windows system and once you pull out the
975
00:38:20,240 --> 00:38:23,119
memory on a windows system mimikatz then
976
00:38:23,119 --> 00:38:26,560
can parse out the password in memory the
977
00:38:26,560 --> 00:38:29,520
same thing applies here is that once we
978
00:38:29,520 --> 00:38:32,160
are able to pull the memory out of these
979
00:38:32,160 --> 00:38:34,880
systems then we can pull the password we
980
00:38:34,880 --> 00:38:37,040
can parse out the password from memory
981
00:38:37,040 --> 00:38:40,400
so these systems are all vulnerable not
982
00:38:40,400 --> 00:38:41,680
all of them let's
983
00:38:41,680 --> 00:38:45,040
be clear many are vulnerable to attack
984
00:38:45,040 --> 00:38:48,320
and russia is learning this at the very
985
00:38:48,320 --> 00:38:50,400
moment at this very moment russia is
986
00:38:50,400 --> 00:38:52,480
learning how vulnerable their systems
987
00:38:52,480 --> 00:38:54,400
are to this type of attack for everyone
988
00:38:54,400 --> 00:38:56,880
watching um obviously because of youtube
989
00:38:56,880 --> 00:38:59,760
we can't show everything here but you
990
00:38:59,760 --> 00:39:01,920
cover this in your courses don't you i
991
00:39:01,920 --> 00:39:04,000
do yeah and we have this course coming
992
00:39:04,000 --> 00:39:06,560
up in september so i usually teach this
993
00:39:06,560 --> 00:39:08,720
course once a year it's kind of one of
994
00:39:08,720 --> 00:39:11,280
the specialty courses that we offer at
995
00:39:11,280 --> 00:39:12,960
hackers arise is
996
00:39:12,960 --> 00:39:16,720
is one i teach you what how these plc's
997
00:39:16,720 --> 00:39:19,200
work so you have a understanding of how
998
00:39:19,200 --> 00:39:21,200
they function and then we look at
999
00:39:21,200 --> 00:39:23,760
various ways that they can be exploited
1000
00:39:23,760 --> 00:39:26,000
and then also how you can make them
1001
00:39:26,000 --> 00:39:27,680
safer and there's many ways of
1002
00:39:27,680 --> 00:39:29,280
exploiting these systems and one of the
1003
00:39:29,280 --> 00:39:30,720
things that we haven't even talked about
1004
00:39:30,720 --> 00:39:32,880
is that because these systems usually
1005
00:39:32,880 --> 00:39:35,200
cover many acres
1006
00:39:35,200 --> 00:39:36,880
sometimes miles
1007
00:39:36,880 --> 00:39:39,200
kilometers right there has to be
1008
00:39:39,200 --> 00:39:41,760
communication across these vast
1009
00:39:41,760 --> 00:39:44,560
distances oftentimes the communication
1010
00:39:44,560 --> 00:39:47,200
methods whether it be wi-fi or cellular
1011
00:39:47,200 --> 00:39:49,680
or what have you are also vulnerable to
1012
00:39:49,680 --> 00:39:52,320
being hacked once again the issue that
1013
00:39:52,320 --> 00:39:54,480
elliot had was that he couldn't get
1014
00:39:54,480 --> 00:39:56,079
inside the network so even if the
1015
00:39:56,079 --> 00:39:58,720
system's offline okay say the system is
1016
00:39:58,720 --> 00:40:01,119
offline and if it's a system that has to
1017
00:40:01,119 --> 00:40:04,000
cover vast distances and like most of
1018
00:40:04,000 --> 00:40:06,800
these facilities do they're huge plants
1019
00:40:06,800 --> 00:40:08,720
they have to communicate and running
1020
00:40:08,720 --> 00:40:11,520
cable isn't real isn't realistic okay
1021
00:40:11,520 --> 00:40:13,599
especially running cable in a system
1022
00:40:13,599 --> 00:40:16,640
that has a lot of emi so what they do is
1023
00:40:16,640 --> 00:40:18,720
they use various communication
1024
00:40:18,720 --> 00:40:20,480
technologies to communicate the
1025
00:40:20,480 --> 00:40:22,319
different parts of the facility and
1026
00:40:22,319 --> 00:40:25,119
those communication technologies are all
1027
00:40:25,119 --> 00:40:26,160
not all
1028
00:40:26,160 --> 00:40:28,800
many of them are vulnerable to attack
1029
00:40:28,800 --> 00:40:30,960
once you're inside the communication
1030
00:40:30,960 --> 00:40:32,800
then you're inside the facility you're
1031
00:40:32,800 --> 00:40:34,560
inside the network and then you can
1032
00:40:34,560 --> 00:40:38,000
literally send commands inside of the
1033
00:40:38,000 --> 00:40:40,640
plant and wreak havoc i'd love to show
1034
00:40:40,640 --> 00:40:42,800
more of this on youtube but you know i
1035
00:40:42,800 --> 00:40:44,480
don't want to lose my channel so i would
1036
00:40:44,480 --> 00:40:46,160
suggest all of you go and
1037
00:40:46,160 --> 00:40:48,480
go look at hackers arise um you've got
1038
00:40:48,480 --> 00:40:49,760
occupy the web you've got a bunch of
1039
00:40:49,760 --> 00:40:51,599
stuff like in like blog articles and
1040
00:40:51,599 --> 00:40:53,119
stuff on your website where people can
1041
00:40:53,119 --> 00:40:55,200
see some information or they can sign up
1042
00:40:55,200 --> 00:40:56,880
for like your subscription is that the
1043
00:40:56,880 --> 00:40:59,319
37 dollars a month thing it's
1044
00:40:59,319 --> 00:41:02,960
32.99 a month to take the live courses
1045
00:41:02,960 --> 00:41:05,680
and the scada hacking course is included
1046
00:41:05,680 --> 00:41:07,760
in the live courses that are coming up
1047
00:41:07,760 --> 00:41:09,839
in september so you can sign up and
1048
00:41:09,839 --> 00:41:12,319
they'll get you into that course
1049
00:41:12,319 --> 00:41:14,880
we have metasploit coming up next month
1050
00:41:14,880 --> 00:41:17,520
we have web app hacking coming in july i
1051
00:41:17,520 --> 00:41:19,119
don't remember what we have in august
1052
00:41:19,119 --> 00:41:22,079
but we do have scada coming up in
1053
00:41:22,079 --> 00:41:23,359
september i think for everyone who's
1054
00:41:23,359 --> 00:41:25,200
watching please give us feedback what
1055
00:41:25,200 --> 00:41:27,359
would you like to see from mr robot or
1056
00:41:27,359 --> 00:41:29,359
other types of hacks i think one that
1057
00:41:29,359 --> 00:41:31,040
we've had feedback on was this the
1058
00:41:31,040 --> 00:41:32,960
hacking cctv one
1059
00:41:32,960 --> 00:41:34,480
a lot of people were saying like show us
1060
00:41:34,480 --> 00:41:36,480
a demo so maybe we can put up a camera
1061
00:41:36,480 --> 00:41:38,160
somewhere or you've got some cameras and
1062
00:41:38,160 --> 00:41:40,560
we can show how to how to actually do
1063
00:41:40,560 --> 00:41:43,119
the practical part of like cctv or ip
1064
00:41:43,119 --> 00:41:45,520
camera hacking rather than just um you
1065
00:41:45,520 --> 00:41:46,960
know talking about it
1066
00:41:46,960 --> 00:41:49,119
i can show you some real real cameras i
1067
00:41:49,119 --> 00:41:50,400
can hack
1068
00:41:50,400 --> 00:41:52,000
yeah the problem is i can't show that on
1069
00:41:52,000 --> 00:41:54,079
youtube that's that's the frustration
1070
00:41:54,079 --> 00:41:55,520
it's like i'd love you to do it but i
1071
00:41:55,520 --> 00:41:57,200
mean if you um if it's a system that we
1072
00:41:57,200 --> 00:41:59,119
have permission to look at or it's a
1073
00:41:59,119 --> 00:42:01,119
system that we own then we can then we
1074
00:42:01,119 --> 00:42:04,079
can demo it i know you you can do this
1075
00:42:04,079 --> 00:42:05,359
but i mean
1076
00:42:05,359 --> 00:42:08,000
we've hacked a lot of cameras in in
1077
00:42:08,000 --> 00:42:09,599
ukraine and
1078
00:42:09,599 --> 00:42:11,920
i try to put one of those up every day
1079
00:42:11,920 --> 00:42:14,319
on my twitter account for people to see
1080
00:42:14,319 --> 00:42:15,760
mostly i put it up there for the
1081
00:42:15,760 --> 00:42:18,800
russians to see okay the idea is is hey
1082
00:42:18,800 --> 00:42:21,440
look at we can we can watch you okay we
1083
00:42:21,440 --> 00:42:24,800
can see you if you continue your bad
1084
00:42:24,800 --> 00:42:28,079
behavior then we will be able to focus
1085
00:42:28,079 --> 00:42:30,720
on your faces and bring this to the
1086
00:42:30,720 --> 00:42:32,640
international criminal court it's it's
1087
00:42:32,640 --> 00:42:34,400
not that hard to do you know what we
1088
00:42:34,400 --> 00:42:36,160
need to do is maybe set up a lab so we
1089
00:42:36,160 --> 00:42:37,839
can do it actually for the youtube
1090
00:42:37,839 --> 00:42:40,400
channel i have a student who has a who
1091
00:42:40,400 --> 00:42:42,800
has volunteered his lab so we'll have to
1092
00:42:42,800 --> 00:42:44,640
make arrangements with him yeah that'd
1093
00:42:44,640 --> 00:42:45,760
be great if we can do that in another
1094
00:42:45,760 --> 00:42:47,599
video unfortunately we cannot hack
1095
00:42:47,599 --> 00:42:48,960
anything that we don't have permission
1096
00:42:48,960 --> 00:42:51,040
to attack so for our next video have you
1097
00:42:51,040 --> 00:42:54,240
which um which uh mr robot do you video
1098
00:42:54,240 --> 00:42:55,839
or show would you would you like to
1099
00:42:55,839 --> 00:42:57,359
cover or which technology would you like
1100
00:42:57,359 --> 00:42:59,200
to cover we can do some steganography
1101
00:42:59,200 --> 00:43:02,000
where he hides all his data in his cds
1102
00:43:02,000 --> 00:43:03,440
you know i thought one of the most
1103
00:43:03,440 --> 00:43:05,200
intriguing ones at the end of the show
1104
00:43:05,200 --> 00:43:08,000
when he traces the dark army so he uses
1105
00:43:08,000 --> 00:43:10,079
memory forensics to be able to trace the
1106
00:43:10,079 --> 00:43:12,000
dark army that was a good one that was
1107
00:43:12,000 --> 00:43:14,400
really complex you know it's not going
1108
00:43:14,400 --> 00:43:16,640
to necessarily be interesting to a lot
1109
00:43:16,640 --> 00:43:18,960
of people but i liked it you know what
1110
00:43:18,960 --> 00:43:21,119
people might like is using the raspberry
1111
00:43:21,119 --> 00:43:24,000
pi where he goes inside of the storage
1112
00:43:24,000 --> 00:43:26,160
facility and he connects a raspberry pi
1113
00:43:26,160 --> 00:43:28,720
into the uh hvac system we said what
1114
00:43:28,720 --> 00:43:30,000
they're like 40 hacks or something we
1115
00:43:30,000 --> 00:43:31,839
can go through so there's a lot vote
1116
00:43:31,839 --> 00:43:33,119
vote for those two
1117
00:43:33,119 --> 00:43:34,640
but okay everyone who's watching can
1118
00:43:34,640 --> 00:43:35,920
vote for something else let us know what
1119
00:43:35,920 --> 00:43:39,040
you want what people also like is the
1120
00:43:39,040 --> 00:43:41,760
is how angela used mimikatz to
1121
00:43:41,760 --> 00:43:43,280
steal her boss's
1122
00:43:43,280 --> 00:43:46,640
password and one of my favorites is how
1123
00:43:46,640 --> 00:43:49,200
elliot hacked the cell phones of the
1124
00:43:49,200 --> 00:43:51,760
fbi which actually is
1125
00:43:51,760 --> 00:43:53,760
a good one yeah i like that that's
1126
00:43:53,760 --> 00:43:56,560
that's not hard to do really so what he
1127
00:43:56,560 --> 00:43:59,760
did is that he used a device that acts
1128
00:43:59,760 --> 00:44:02,079
as a cell tower they put it under one of
1129
00:44:02,079 --> 00:44:04,640
the desks and the fbi was in there doing
1130
00:44:04,640 --> 00:44:06,560
their work and they connected to the
1131
00:44:06,560 --> 00:44:09,119
cell tower and he was able to listen
1132
00:44:09,119 --> 00:44:11,040
into all their conversations and
1133
00:44:11,040 --> 00:44:13,280
surprisingly it's not that difficult if
1134
00:44:13,280 --> 00:44:16,880
you have physical access near the person
1135
00:44:16,880 --> 00:44:19,119
that you're trying to hack and they were
1136
00:44:19,119 --> 00:44:21,200
able to intercept all of the phone calls
1137
00:44:21,200 --> 00:44:23,520
to me that the power of being able to
1138
00:44:23,520 --> 00:44:26,240
intercept phone calls is really
1139
00:44:26,240 --> 00:44:28,400
and that's a lot of power
1140
00:44:28,400 --> 00:44:30,319
and it's one that people don't realize
1141
00:44:30,319 --> 00:44:32,480
how easy it is to do i think we've got a
1142
00:44:32,480 --> 00:44:33,839
lot to cover we've got a lot of cover
1143
00:44:33,839 --> 00:44:35,760
yeah we've got a lot to cover right and
1144
00:44:35,760 --> 00:44:37,119
one of the things at some point in the
1145
00:44:37,119 --> 00:44:39,920
future i'd like to do with you is this
1146
00:44:39,920 --> 00:44:42,160
software-defined radio yeah i really
1147
00:44:42,160 --> 00:44:44,000
like that actually yeah software defined
1148
00:44:44,000 --> 00:44:46,400
radio be great yeah yeah and we're doing
1149
00:44:46,400 --> 00:44:48,960
a class in software-defined radio in uh
1150
00:44:48,960 --> 00:44:51,839
july yeah we can we can do like maybe a
1151
00:44:51,839 --> 00:44:53,760
a simple software defined like intro to
1152
00:44:53,760 --> 00:44:56,000
software-defined radio and real
1153
00:44:56,000 --> 00:44:58,079
basic stuff and then maybe do later on
1154
00:44:58,079 --> 00:45:00,079
do a more advanced one okay occupy the web
1155
00:45:00,079 --> 00:45:01,359
i'm going to keep you busy for a long
1156
00:45:01,359 --> 00:45:02,960
time really thank you for sharing your
1157
00:45:02,960 --> 00:45:04,880
knowledge i appreciate it i enjoy it
1158
00:45:04,880 --> 00:45:06,400
thank you thanks for having me so
1159
00:45:06,400 --> 00:45:07,920
everyone look forward to a whole bunch
1160
00:45:07,920 --> 00:45:10,880
of mr robots uh sort of videos coming
1161
00:45:10,880 --> 00:45:12,319
give us your feedback stuff that you'd
1162
00:45:12,319 --> 00:45:13,520
like to see i think we've got a long
1163
00:45:13,520 --> 00:45:14,400
list
1164
00:45:14,400 --> 00:45:15,119
and
1165
00:45:15,119 --> 00:45:16,890
hope you enjoy
1166
00:45:16,890 --> 00:45:20,050
[Music]
1167
00:45:22,000 --> 00:45:24,079
you