Darknet Diaries - 149: Mini-Stories: Vol 3

149: Mini-Stories: Vol 3

Sep 3, 2024 - 48m 04s

In this episode we hear EvilMog (https://x.com/Evil_Mog) tell us a story about when he had to troubleshoot networks in Afghanistan. We also get Joe (http://x.com/gonzosec) to tell us a penetration test story.SponsorsSupport for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

Discover more and add this to your library.

Key Takeaways

1
Victor Lustig exemplified how to manipulate authority and trust to execute high-stakes scams, illustrating the timeless nature of deception.
2
The challenges of maintaining network integrity in war zones reflect the importance of technology in soldier morale and support.
3
Effective communication is crucial in cybersecurity, particularly for pen testers who must navigate the tension between technical actions and their business implications.

Sponsors, Brands & Products

Varonis

Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They also detect behavior that looks like ransomware and stop it automatically.

Axonius

Axonius correlates asset data from existing IT and security solutions to provide an always up-to-date inventory, allowing for easy identification of coverage gaps and automation of response actions.

ThreatLocker

ThreatLocker is a Zero Trust Endpoint Protection Platform that reinforces infrastructure by allowing trusted applications while blocking threats through Allowlisting and Ringfencing.

The Daring Scams of Victor Lustig

The episode kicks off with an engaging recounting of some daring scams executed by Victor Lustig, a notorious con artist in the early 1900s. Lustig's most infamous scams included convincing banks to accept phony bonds and misleading scrap metal dealers into purchasing the Eiffel Tower under the guise of a government project. His tactics exemplified his knack for persuasion and manipulation, which allowed him to deceive banks and businesses into believing in his manufactured authority. The stories reflect not only Lustig's cunning but also the historical context of his scams, illustrating how he operated in a time when trust in institutions was high.

EvilMog: Troubleshooting Networks in Afghanistan

The episode pivotality shifts to a guest known as EvilMog, who shares his experiences troubleshooting networks in Afghanistan while stationed there. His narrative captures the challenges faced in a war zone, detailing the delicate nature of maintaining communication systems amidst the chaos. He describes how critical his role was in ensuring soldiers could contact their families, often amidst formidable and dangerous situations—such as repairing equipment during rocket attacks. This segment delves into the human side of a military technician's job, emphasizing compassion and emergency problem-solving, revealing a profound impact on soldiers' morale.

Behind the Scenes of a Pen Test Gone Wrong

The podcast also features Joe, a penetration tester, who shares an incident during a simulated breach on a bank's network. A junior tester inadvertently took down the bank's network using a tool called Masscan, which overwhelmed the system. Joe highlights the importance of communication skills in his line of work and the substantial responsibility of pen testers to understand the ramifications of their actions. Joe’s story not only provides insight into the technical aspects of pen testing but also underscores the need for careful execution and the critical role of effective communication during crisis moments.

matches

But just as he was about to leave, he did some slight of hand and switched the envelopes and walked out with the cash and the farmland and the liberty bonds that he walked in with. The bank did not like this and called the cops on him who caught him in Kansas City, but he convinced them that if they pressed charges then this story would get out and it would be terrible for the reputation for the bank. Customers wouldn't want to use a bank that's this careless with the deals they make. He was so good at convincing them of this that the bank dropped the charges and gave him a thousand dollars to not tell anyone and keep the story quiet.

But the most brazen scam that Victor Lustig did was when he went to Paris. The Eiffel Tower was built for the 1887 World's Fair and some thought it was going to be a temporary structure and by 1925 it was needing repairs. Victor leaned into this and called five scrap metal companies to come meet him at a fancy hotel in Paris and he said he was a deputy director with the French government and even had fancy stationery to prove it and he told them that the maintenance of the Eiffel Tower was becoming too high and they were looking for a company to dismantle it and purchase the scrap metal. But he also said this deal needed to be hidden from the public to avoid controversy.

And one of these companies was eager to take the deal and ended up paying Victor a large sum of money. And yeah, as soon as Victor got the cash, he immediately fled the country and left France. He sold the Eiffel Tower, but he kept a close eye on the news back in France to see how much trouble he would be in. But the news never reported this.

I guess the guy he scammed was too embarrassed to report it to the police. So Victor thought, this was such a great scam. Why not do it again? So he goes back to Paris to try it again.

I mean, why let all that fancy stationery go to waste, you know? So he called five new companies in to pitch them to, but one of them saw right through the scam and called the cops. Victor saw the cops were coming from and he narrowly escaped this time fleeing all the way to the United States. Amazingly, when he got to the United States, he scammed Al Capone.

Later tried to make counterfeit money, which is how he got arrested by making fake money. But, funnily enough, when he was arrested, he was put in the same prison as Al Capone. What a wild guy Victor Lusteg was. These are true stories from the dark side of the internet.

I'm Jack Recyder. This is Dark Net Diaries. This episode is brought to you by Forronis. So many security incidents are caused by attackers finding and exploiting excessive permissions.

All it takes is one exposed folder, bucket, or API to cause a data breach crisis. The average organization has tens of millions of unique permissions and sharing links. Even if you could visualize your cloud data exposure, it would take an army of admins years to write size privileges. With how quickly data is created and shared, it's like painting the Golden Gate Bridge.

That's why Veronis built lease privilege automation. Veronis continuously eliminates data exposure while you sleep by making intelligent decisions about who needs access to data and who doesn't. Because Veronis knows who can and who does access data, their automation safely remediates risky permissions and links, making your data more secure by the minute. Even when you're not logged in, Veronis is classifying more data, revoking permissions and forcing policies and triggering alerts to their IR team to review on your behalf.

To see how Veronis can reduce risk while removing work from your plate, head on over to Veronis.com-darknet and start your free trial today. That's Veronis spelled V-A-R-O-N-I-S. This episode is sponsored by Threat Locker. Ransomware, supply chain attacks, and zero-to-exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable.

But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of Threat Locker, Zero Trust, and Point Protection Platform. Threat Locker implements a proactive, denied by default approach to cybersecurity, locking every action, process, and user unless specifically authorized by your team. This least privileged strategy mitigates the exploitation of trusted applications and ensures 24-7 365 protection for your organization.

The core of Threat Locker is its protect suite, including application, allow listing, ring fencing, and network control. Additional tools like the Threat Locker Detect EDR, storage control, elevation control, and configuration manager, enhance your cybersecurity posture and streamline internal IT and security operations. To learn more about how Threat Locker can help mitigate unknown threats in your digital environments and align your organization with respected compliance frameworks, visit ThreatLocker.com. That's ThreatLocker.com.

So what should we call you? Evil mug is fine. Okay, we'll call you Evil mug. How do you get that name?

Where's that come from? All right. So it was funny. I'm a glider pilot.

And so the first aircraft ever flew was CF or CG Mog. But it also happened to be a formal fantasy character. The problem was I had that in my gamer handle for years. And then I met Matthew, a gourmet that Derby Cahn and he had the same initials.

And so we decided to deconfliction. And because he had the name, I figured I'd change mine to be polite. And so I became evil Mog. And that was my IRC handle from the fourth.

I see. I remember those days we were young then. Did you do any stupid things when you were young and not IRC? Yeah, so I was kind of stupid and was doing a fair bit of, you know, online piracy, freaking, you know, a little bit of other various things.

And, you know, back then it was really easy to trace people because, you know, young, dumb and stupid. And so, yeah, I get this kind a stern knock on the door. Stern knock sounded urgent and menacing. He opened the door and saw the police were standing at his front door.

And they're like, we know everything you've been doing. You have a choice. You either stop now and play good or you're going to, you know, we need to put you in a juby, but Canada's prisons are kind of crap for kids. So they're like, or we can just get a technology ban on you.

They'll last till you're 30. they'll never get a job in technology. Like yes, sir, I'll be good, sir. Here we are, sir.

And you know, kind of off we went. Okay, so hold on a second. I've pirated and I've done some freaking, the cops never came to my house. It sounds like you might have done more than that or went over the line.

I might have done a little bit more than that. Just a little bit. So you remember back with the early credit card numbers had a specific way of validating that they were legit? it.

I was publishing bogus credit card number generators that only sort of worked out the time on local BBS systems. They worked at all because I can't even imagine this way. They wouldn't they wouldn't work for authorization, but they'd work for input validation on websites to like, you know, hey, let's go pop on to let's say the early porn sites, for example, they get you enough to get your free trial and then they Did you have a seriously error route? When I was a teenager, I didn't understand how credit cards worked at all.

Like in my head, it just seemed like 16 random numbers. And if you knew those 16 numbers, could you buy stuff? So I thought, okay, let's test that theory. And as a teen, I went to a website put in 16 random numbers just to see what happened.

I thought if it worked, I'd have no idea whose number I just used. and I could just say I typed the wrong number if they asked me. But no matter how many 16-digit credit card numbers I put into a website, it never worked. Everyone was an invalid number, apparently it's more complicated than just that.

There's that whole lunch check, right? There's some math behind it that looked up it because I didn't have the gender to quite write. Like, some of the checks on this didn't match, but most of them kind of did. It was enough that it passed like a cheap reject, but that's about it.

Even Mog loved flying planes when he was a kid and signed up for junior glider classes taught by the Canadian military. I was a kid at back when I was younger from 12 to 19. I got my glider license before I learned how to drive a car. From there, he joined the military and taught other kids how to fly gliders.

But his other passion was computers and the military was offering to pay his training to learn more about computers. So, I had an option to go back to school, went back to SAIT as a network engineer, did six months of CCNA, MCSA, Linux, LTI-1, level 2, level 3 of that kind of stuff, and that's what kind of restarted my career when I was in my early 20s. So, he spent four years in the military and then went to work for IBM? So, basically, I got the phone call from my friend to go over to Afghanistan, Stan and he said there's this company called Network Innovations.

And basically what they do is they run the morale, voice, and internet services with the Canadian forces. So what that means is you have soldiers calling their families back home from like the big super fobs or the small little remote outposts. And so he's like, hey, do you want to go over for six months? And I'd already released from the reserves at this point.

I said, yeah, sure, let's go over. I had nothing else to do and I wanted some money. So and it was all tax-free so I had to play it over well there so hold on It's not just like going over to France afghanistan. There was an active war zone, wasn't it it was yeah I was totally regional command self in 2008 was Hot to say the least I want to do something useful always kind of did and my parents were like you're not going over.

I'm like Sorry, I'm going over I want to pay off some debts, and I want to go do something good with the, you know, for the folks that are over there, they, you know, did a little bit of free deployment training, nothing much, just used the, you know, here's how to wear a gas mask, here's how to put on a bulletproof vest, and then here's a whole lack of vaccinations. Then all of a sudden, there's some kid from the sticks out in the middle of a dynamic war zone. So even though he was military trained, he was in the war zone as a private a contractor, and his job was to go to forward operating bases or fobs to work on the network there. There's satellite, there's microwave, basically, these people need to be able to contact family.

We're also going to go nuts. I mean, it's like being stuck up in the middle of the bush for six months. So my world was just morale voice. The Canadian forces handled all the tactical and all the operational.

My entire mission was making sure people could call their families. These fobs were often on the front line of the war zone in Afghanistan. It's dusty, war-torn, and weathered. Computers don't like these kind of environments, because they're delicate and fragile, not rugged and bad already.

So he was constantly being sent to troubleshoot computers and networking equipment that was breaking in war zones. Oh, I'd set it up as well. Like, say, for example, we'd have a new site, and they're like, hey, we need to get, you know, fab whatever the heck back on our online. They'd send me out in the back of a convoy with a little pelican case with say here's a tiny little began terminal which is a small mini satellite or in the case of a larger fog.

Here's a bunch of pelican cases with an auto-acquire satellite dish. You'd go roll out, set up the SATCOM dish, hook it into a couple of laptops in a router in a switch, a little tiny PBX system, etc. and then do a couple phone call tests to make sure everything works. That was all she wrote.

They set up this calm shack inside a 40-foot-long cargo seed container and he'd go base-to-base setting up or fixing the networks inside there. There was never a dull moment. I roll it on-site. I'm in the middle of doing a repair.

All you hear is the siren and then this crappy British voice they use because they all have the same recording. Rocket attack, rocket attack, and that's all you're hearing. You know, obviously you just you bunker it down in between the set of Pesco barriers, which are basically just a bunch of gravel, some concrete, a bunch of chicken wire all around, enough to give you a bit. You just, you know, hunkered down in place and you sit there chill out, wait till the shelling stops.

You get up, see if there's any damage and get back to repairing the equipment. Was it, so what kind of damage had to this equipment? Thankfully it missed us, but it went one landed in the poop pond. that was terrible.

One landed and took out like a recreational facility. He says the equipment in this area would only last six months because it would get full of dust and just not last very long because of the harsh desert environment. And one day, he got word that one of the calm sharks got rocketed at another beast. One of the rockets landed.

It took out the satellite dish. It took out one of the calm trailers and it took out a bunch of the cabling. These guys were down for about a week. His orders are to travel there and get it back online.

Traveling to these fobs takes days or weeks to get to them. I get out there and thankfully I was smart and I pre-sent all the gear I needed on a convoy ahead of me. There's this broken down destroyed crater effectively where the old piece was. There's like I come up and there's guys basically giant bulldozers and the heavy equipment moving the old gear out the gear in size just completely toast Meet up with the local sergeant who's like, hey, we're putting a new gear down right where the old one was dropping this new secantainer in What do you want to do with this old thing?

I'm like, I'll take out back salvage it destroy it. We don't really care use it for training You know, wire up the new satcom. You are calling on to your folks out of the UK going, hey, do you see my bird? They are locked on.

Here's the activation. Boom, new terminals around the line. You've deactivated the old accounts. You do a couple plugins, test the new laptops.

And then there's already a lineup around the block of folks who have gotten their email in like a week and a half, right? And so all of a sudden, yeah, start running them all in. They're all nice and happy. You're on down to the chow hall.

Yeah, You know, a bunch whatever warm food they've got. You stick around for a deer to for troubleshooting and then you call your boss on the defense service network. Hey, can you guys get me a helicopter out there like sorry, man, all the birds are tasked. So fine.

Do you head yourself down to the talk the tactical operations center? You introduce yourself like, hey, when's your next convoy out? If you're lucky, they send you out on a combat patrol, which are way faster and less annoying than a convoy because it's, you know, one or two vehicles and. And it's a little more comfortable.

If you're not lucky, you're trying to the back of this armored personnel carrier that's hot as balls, we're in body armor and the heat and yet take your eight hours to go 100 kilometers to get back home. I also, I don't know why, but I'm picturing of you climbing up a tower, adjusting a spanner on a satellite dish, adjusting it and getting shot at from up there and being like, hey, it's coming from that hill. I mean, that kind of has happened, not nearly as extreme, but if you ever tried to repair 200 pairs of cat five in a sandstorm from 100 feet up in the air, 100 feet in the air, what's up there? Anyway.

I was a calm tower. I had to go, there was this one bridge spot because most of the stuff at calf was all underground, but we had this one spot that was basically all hooked up to a tower because the way there's one extension wind and so we had an outage. Someone drove a piece of equipment through the cables and so I had to go up and you know, resplice all this outdoor cable and I'm up on this tower and all of a sudden it's a sandstorm and I'm like oh no I can't work on this cable with gloves on because you just it doesn't yeah you've tried to be a twisting and terminating cable of gloves. It doesn't work.

Some like getting blasted by sand in this white out condition trying to terminate because I'm not going to try and climb down the tower. It's not going to happen. I'm hooked in there ready to rock. I got 30, 40 cables done before the sand storm and didn't finish off the rest of the job.

One of the things we did, the addition did make sure people would call their families back home as we ran a video teleconference you get it. And so people could see their families back home. We found out one of the guys coming back out of FGOT or coming out of a fob, his convoi got bumped. Now, bumped is a play word for saying hit by an IED.

Thankfully, in this case, nobody died. Thankfully, like, thank whatever data you believe in. But it really shook this guy up, like, shook him up seriously, seriously fierce. Yeah.

So, I mean, that's highlight. There There was a lot of deaths there and they're saying thankfully because you were seeing that around, weren't you? Well, the worst thing we had to do is every time somebody died, we had to kill all of the communications in theater, including all the Ford operating bases and the Super Fob. It was known as a calm lockout procedure.

We had a cell phone on. The second somebody got like confirmed casualty, I got the phone call, I hit the buttons, And then I got to release it once they release once they notify the families. So why is there a clock out? It's so that people don't put things on social media or get out to the news articles Before they can notify the families.

Hmm. Okay. It was one of the worst things ever because you're being on that phone call You're like shit. Yeah, you feel all sorts of terrible feelings and then you have to go act like a professional cut the comms off and then when people like, Hey, the internet's not working.

Like, you got to give this nonchalant comms like, Oh, but still be like sympathetic about it. And we do say comms like, Oh, Everton theater knew what you were talking about. But it was one of those. It was a weird solemn duty I had to do.

You know what I mean? Yeah, I mean, you weren't the one telling the families. No, but I was killing the comms and telling all the soldiers, Hey, why can't they call me you know, family back home, like, sorry, man, comms are offline due to a comlock out. Yeah, and now they're saying, well, oh, is that mean there's a confirmed casualty?

And now you got to answer these questions. Yeah, and then my answer, like, I have no idea, man, I just work here. IEDs are super scary. You're just driving along, listening to tunes, telling jokes to the other soldiers, and then out of nowhere, boom, your truck runs over a mine and blows up your vehicle.

It often kills people, and it's certainly enough to freak anyone out. And while this IED didn't kill anyone, one guy was really messed up from this. He wasn't injured. I mean, he was just shocked, really badly shocked.

You know, getting hit by an IED, even if no one gets injured in the process, is enough to like send someone to spiral, because you get that whole mental, oh my god, what if this had been me? What about the possible guilt, all that kind of thing? and the guy was in really rough shape mentally so they really asked could you get some extra phone minutes and phone time was how the request came in and we all us being us we've got yeah here's a couple of y'all here's a couple hundred minutes go hard and we're like is there anything else we can do and his guys like he's doing pretty rough evil mag starts talking with people trying to figure out what more that he can do and that's when he found out this soldier was about to be a dad. His kid was due to be born any day back in Toronto and this gave evil a Morgan idea.

And I'm like, dude, we got to do something for this guy. So thankfully they had people on the ground in Toronto. And I'm like, hey, can you go spring over to CFB Trent and go grab one of our spare video teleconference units and get it out to the hospital? I'll do whatever it takes to requisition bandwidth, just get me this stuff out there.

And I figured out we had some spare bandwidth available. So I like slowed down everybody's video teleconference and voice services and their Wi-Fi a bit And opened up an entirely new channel because all we had was six megabits for a thousand people and almost no bandwidth whatsoever And so I was like, hey, you know, line this up. I'm gonna reserve you bandwidth like the next Yeah, four or five days He learned that the wife was already checked into the hospital and was starting to give birth right now So he's calling Toronto to try to figure out how to contact the wife at the hospital And so then we had to go contact their visitor unit said you guys have you know, I've bandwidth for us to go get your video teleconference and thankfully they had a really decent tech there is like you'll actually we can make some things happen. What do you guys got for equipment?

Were you talking to the tech at the hospital? Yeah. Wow. Okay.

You're trying to coordinate this from halfway across the world. That's interesting. Exactly. Yeah.

So you're saying, okay, here's the equipment I have, here's what you have. Let's make a final, you know, a common denominator. We can get, I think we and connect these two things. Exactly, right?

And so they were running on Tanburg. We were running on Tanburg, and we made the gear roll workout. I popped onto the load balancer's on our side, and we ran. So yeah, tell me about the tech side.

So did he put like a computer on a cart and then wheeled the cart into the room? No, there was a TV on a cart with a Tanburg video teleconferencing on it. Which is meant for like doctors and nurses. It's not meant for patients.

Yeah, yeah. He's just through this other thing, they wheeled her and they plugged her right in. Next to the women's bed there, we swiveled the webcam over. He managed to get us a public IP so we could do remote control of this.

And then, yeah, we just set up the communication channels and the off we went. It was actually running rather well. Okay, so you're like, oh, okay, cool. You got it set up.

All right, I'll be right back. Let me get the guy. Yep. I talked to Steve.

Steve called the guy's unit commander, you'd a commander called a section leader, they pulled them out, said like you're to report to building zero, two, six bravo and candor hair field show up here. We're like, hey man, we got a surprise for you. Wheel them back out there, plopping down to one of our spare rooms that we had rigged up into this 40 foot sea container, plop down a chair, made it comfortable, you know, said here's our little care package, here's some flea call us if you need anything and do you remember his face when he saw his wife all right we weren't even looking to be in his privacy yeah I just I remember that he was afterwards though after he saw his wife he walked in he was all doom and gloom this is gonna sound stereotypical but that thousand yards stare like you've seen some shit and then the guy you know right afterward or that I saw life in his eyes. Yeah.

So that's how I knew we did a good thing. Yeah, I mean, how do you think you impacted his life? I mean, from what I've been told, the actions taken in the first couple of days after major incident are the most critical. And I think by giving him that level of support immediately, I think I changed the guy's life way for the better.

I mean, they were talking really having to discharge the guy from what I heard. He'd stuck around another five, six years before he finally released and went off and doing something. I can't remember what he's doing now, but I think I've changed the life of the better. So I'm good with that.

Yeah. I mean, it's also very possible that you saved his life because there's, you know, coming went out of PTSD or getting affected that badly by it, you can easily end your own life. Exactly. So I mean, I like to think we saved a life there.

And you know what, no matter what I do in life, I think that's the coolest thing I've ever done. To me, this right here is the quintessential darknet diary story because of where I found it. I went to Defcon and I was invited to the Microsoft party and I sat down at a table to chat with people And that's where I met Evil Mock and he was there telling us the story and I was so captivated by it They didn't made me cry Am I goodness to be at some DEF CON party and to hear a story so moving that it makes me cry That's one reason I started this show. I imagined in my head while I was listening to Evil Mock Tell me that story that I saw you across the room and I was like over here You got to hear this story and I brought you in to Eve's drop on these inner circles To hear the untold stories that are only shared in intimate and private spaces that are all over the hacker culture, but are hard to find.

I love these chance encounters. It's like finding a hidden path in a familiar landscape. I hope stories like this fill you with the same great feeling I get when I hear them in person. I have such a fun job.

I'm so grateful. Okay, we're going to take an ad break here, but stay with us because we have a new guest to tell us a new story after the break. This episode is sponsored by Exonius. Complexity is inevitable in IT and security and it's increasing.

Exonius is here to help you control it. As a system of record for all digital infrastructure, the Exonius platform correlates asset data from existing tools to provide an always-up-to-date inventory, uncover security gaps, and automate response actions. Go to exonius.com slash darknet to learn more and get a demo. That's exonius spelled A-X-O-N-I-U-S, exonius.com slash darknet.

All right, so let's start out with who are you and what do you do? Yeah, my name is Joe Sarkishan. I worked for Wolf and company PC out of Boston, but I do penetration testing of all kinds, internal, external, Wi-Fi, social engineering, advanced securities estimates, things like that. So we have a client, not a big company, maybe like 20 people and they've contracted us to do your average assume to breach Pentez, so to speak, right?

So we're on the inside, we're given access, what would happen if somebody gets in there? So we send them a remote drop box, little Raspberry Pi that we send them, they plug it into their network, and then we connect to that remotely. And it's kind of like we're sitting there in person, right? We've got on the wire access at that point, on a submit that they put us on.

So I've been in the test, you know, typically, and here's the funny thing is, you know, you'll look at like, you know, Pentast frameworks, you should start here, you should do that. I would challenge you to find a Pentastar that doesn't fire up responder. The second they get on a network and try to get creds and be off the races as soon as it's really possible, because that's what we do quite frankly on a lot of tests, so that's what I did there. Okay.

Responder is a pretty clever hacking tool. It's free to get, it's just a Python program, and how you use it is you just start it and wait. Now the thing about Windows computers is that they always want to try to join a domain and connect to shared drives on the network, and so if a Windows machine wants to connect to a shared drive. It will try to get to that host directly.

And if it's there, it'll connect to it just fine or whatever. But what does the Windows computer do if it can't find the shared drive that it's trying to connect to? Well, it wants to connect to it very badly, and it will try another way. It might ask the DNS server, hey, do you know the IP address for the server I'm trying to get to?

And the DNS server might be like, yeah, I got that. Here's the IP right here. And then the computer might be like, ah, that's the same IP I have. And I already checked.

That one's not online. So then if the Windows machine still can't find that shared drive that it really wants to connect to, it then sends a broadcast message to all the computers on the local subnet saying, Hey, I'm looking for this shared drive. If any of you are it, please respond. And that's when responder springs into action.

It It sneakily says, well, yes, I'm that shared drive you're looking for, that's me, you found me, I'm here. And the Windows computer is like, oh, thank goodness, I'm looking for you everywhere, I'd like to connect you. And responders like, sure, of course you can connect to me, but you need to authenticate first, yeah. And the Windows computer is like, oh, yes, of course, okay, here's my username and password.

Now, Microsoft takes your security seriously, so it doesn't actually send your password over the network, instead it sends a password hash. And since Responder is this dirty little liar on your network, it snatches that username and that password hash and gives it to the penetration tester or hacker who's running the tool. Saying something like, hey, someone just tried to connect to me using this username and this password hash, here you go. Typically, responder only works against computers in the same subnet as it.

So if you're in the same subnet, then yeah, responder is an amazing tool at finding usernames and password hashes. Now a password hash is not the password. It's a gibberish set of characters that you get when your password goes through an algorithm. And the thing is, in some cases, you can crack this hash to get the password.

And a common method for cracking passwords is brute force. Take the top one million most common passwords and hash them and then see if any of those hashes match the password hash You just got and if so you found the password Exactly. So we use something called hash cat We'll take that hash. We will put it on this so to crack that That's not on the Raspberry Pi because the Raspberry Pi doesn't have the GPU CPU cycles to be able to throw a billion passwords at that thing and try to figure out which one it is What's your what's your method for for cracking it?

Well, it's a scary thing is our method is the same thing that any bad guy all around the world can do, right? We can we have an Amazon account, right? And we can spin up Amazon EC2 instances So what we do is we spin up, you know these like Tesla GPUs on an instance We have a couple of them and we will you know take that you know GPU power to just blow through a password ashes as fast as we possibly can based on that power, going to be a lot faster than you will Raspberry Pi or your local PC unless your local PC has a ton of graphics cards in it, which ours is not. So yeah, we do that all in the cloud relatively cheap, not super expensive to get done, and usually we get results pretty quick, you know, within a first couple of hours.

Okay. Now, what's your kind of success rate on getting one hash and being able to crack that single hash? I'm going to go 90 plus percent. That depends.

If we've been there before and they took our recommendations, it's going to take a while longer. It's going to be a lot harder. But a different question, which is kind of in the same realm, is like, suppose you have the entire AD database of a hashes. What percentage of passwords do you think you're going to crack out of that?

So we will probably get on average, I would say. And again, whether we've been there first or not, they're taking recommendations. We'll probably get 50 to 60 percent within the first like four hours. So he's basically trying billions of passwords to see if any of them match this hash Of course, the longer that his hash cat tool runs the more passwords are tried and so they might start with the top One million most used passwords and then try making slight modifications to those like putting a wine at the end or capitalize the first letter Maybe add in their own wordless, such as the company name or mascot or city or address or person's name or kids name If no luck there then try every word in the dictionaries and but add numbers to the end of it and maybe mix it up a little bit And see if that works and just try tons of combinations and and pretty much all this stuff I've listed so far probably only takes like a few hours or less now after the tools tried all this It just then starts going through every single possible character combination in the world such as A, A, A, A, B, A, A, C, A, A, D.

So this combination of finding a user name and password hash from responder, and then trying to crack it in hash cat could take hours or even days, since it's about waiting and timing and maybe brute forcing the password. So in the meantime, he's looking around the network to see what else is there. A good place to start is end map. End map is a basic tool that you can use to quickly scan the network to see what's there.

It'll basically ping every IP address in the network to see what responds. And if any do, then it'll try to see if that host has any open ports. Then and map will spit out a report saying, here are all the computers on the network that I found to be alive, and these are their open ports. Exactly.

Yeah. So we'll look for default passwords places. We'll look for null sessions on host, right? Can I access this host without a user name or a password, right?

Can I just get in there, maybe on a domain controller? We still find this. You're able to quote unquote authenticate to a domain controller as nobody and start enumerating the domain. Now, if you can do that, you can get a list of users from a domain controller, right?

And then take that list of users and start password spraying against that domain controller with that list of users, common passwords, right? And then maybe you get a hit on password 2023 exclamation point, right, or a company name, 2020, three-exclamation point. Crazy things have happened. So there's a lot of stuff going on at once.

He's got these background tasks running to try to get more usernames and hashes. And he's also trying to crack the hash he's got. Yeah, I mean, to this day, I've been doing this, I don't know, about five years now. To this day, whenever I see that first hash flashing yellow across my screen when I'm on a pentast, I still get a shot of a journal, right?

It's just like, here we go. So he cracked the password, yes, but who is this user? Are they just like a low-level user? Or are they a system admin?

He has to find out. And to do that, he logs into a computer on the network to see what his access is. And it's a normal user with no special privileges. So now we have domain access as that user.

So typically what we'll do will look for some basic privilege escalation opportunities. And at the same time, we're looking for data. So, let's say we're kind of poking for both of those things, right? We want to prove that risk that this basic user maybe has access to some data that they don't need access to.

And if a bad guy gets access to this account as that person, they also get access to that data and that's something you need to work on. So as we're rooting through file shares, what does this person have access to? We find this host, and it's like a Windows 10 host, and we have access to a couple of shares on this host, and we're written through, typically we're looking for things that are called like password.txt or like SSH, this, that, and the other thing, or SSN, right? We're looking for data that's going to prove a problem for the company.

So I'm looking through, and I find this folder called, I believe it's called like MPEGs. So I'm like, that's interesting. I don't typically find something like that, you know, like I just don't have a folder called MPEGs. That's different. So I'm just curious what's in here. So I look in, there's sure enough there's a bunch of MPEG files.

I'm like, okay, that's interesting, there's like maybe four or five of them. So I download one of the MPEG files. I get it locally, and I'm like, oh, let's watch this file. I open it, and I see a camera feed.

And the camera is just on a desk facing at someone's kind of where they would sit, right, in front of the computer. And I'm like, that's weird. You know, why would anybody put a camera on their desk, right? It's just strange.

What are they recording? Doesn't make any sense. So there, well, maybe there's something else to do this. So I download the second one, because they're going in order.

one to three four. And the second one, it is the same camera, it is the same desk, and this time the camera is underneath it. And it was a lady's desk, I found out later, the way the camera was angled was yes, that they're, you know, they're the front, bottom half of their body, let's put it that way. Let's just say it was an inappropriate place to put a camera in an office if that lady he wasn't aware of it.

Joe knew that what he was looking at was potentially going to get someone fired. So we had to proceed with caution here. So I see this and now I'm like, oh God, like everybody, every pentaster has that like feeling that like sooner or later they're gonna get this moment that is something like this. Like it's you find like the proof that somebody's stealing from the company or you find pictures you shouldn't or whatever it may be, and this was the first time that I had found something like that, and I was kind of like just awestruck at first, and my head started racing like, what do I do about this?

And so the first instinct was pick up the phone and call my point of contact immediately. Now the problem with that is this is a small company. I don't know anything more than this point of contact's name and the fact that I worked with them year over year. I don't know what he does personally.

I don't know what he's into. I don't know if he's the person that put this camera there But he's the only point I contact I have right so he's the one. I'm calling so I pick up the phone and I get on the phone. I tell him hey just so you know I found Under the desk camera footage of and then he cuts me off completely and says Stop right there.

I'm calling HR. And at that point, I had a kind of this wave of relief over me because at this point, I'm like, okay, well, he's probably not the one that put it there because he's wanting to call HR immediately. So HR gets on the phone. I explain it to them.

They say, thank you very much. And that's the end of the call. It's interesting to stumble upon this as a security consultant since it's not really a network security issue? It's more of a, see something, say something issue.

Like, do you even put this in the final security report? Joe went on to complete the pen test and he found some misconfigurations and active directory, which gave him administrator access, which pretty much gives him keys to the kingdom. The network admin can reset anyone's passwords, see all shared drives, probably even read everyone's email. So he put all this into a report and delivered his findings on the final call.

You know, basically, you know, it's the typical stuff like you said, you know, we found this, we found that, you know, here's Recommendations for fixing that okay great and we didn't feel like it was our place or appropriate to bring that up on that call however I did and I'm talking to that client a month later and you know, we were going over some remediation strategies for them and you know Basically, they're like, hey, how's everything else going? How you been blah blah blah? I'm like, yeah, I'm good, you know How about that other thing? I'm just curious about that other thing.

This is a much more casual conversation. I'm just curious. Everything okay with that other thing we found, and it kind of just gave me this look on the Zoom call. I was like, yep, that's been handles, and I knew not to push, but I knew that whatever had to be done had been done, at least it seemed like it had, and it seemed like it worked out for them.

I wasn't going to get pulled into court for after test of five for anything, which I was actually kind of ready for. My god, this might be the first time, but it just didn't happen that way. So I got lucky. Yeah, but as far as like your success rate, I mean, you're always going to find something, even if it's like a CVV level three.

But I mean, as far as just success rate of just like owning the whole network and gaining access to sensitive systems, getting, you know, half the user's passwords in the whole organization. That kind of thing, is that fairly high? Do you feel pretty confident? Yeah, I'll probably be able to own this network.

It's with no exaggeration, 95% of clients that we are able to do that with. You're over here. And I think he can get to that point because of how many penetration tests he's done. He's gone into dozens of networks and exploited hundreds of devices.

And after doing it over and over and over, you start to develop a pattern and know exactly where to look for weaknesses. And once you do develop a pattern, Penn test starts to become automatic since they repeat the same steps almost every time. And so once he was done with one Penn test job, he'd move right on to the next. And this time it was a bank.

It was a regional bank and we were doing some more traditional audit work as well as pen testing and I had one of our junior pen testers on that job in me. So this person was, you know, they came with a little bit of experience in the door. They've been a list for, I don't know, four to six months at that point. So they arrive on site and they're greeted by the on-site team.

They're shown where to sit and where to plug into the network. And this was a simulated breach. So if someone got into the network who shouldn't be on it, what could they see or do well there? So the two of them get all set up in this room and well, you already know what tool they're going to start up first.

That's going to be responder. So you're going to start doing everything, you know, like doing little responder stuff whatever. And for whatever reason, this person's having a hard time with responder, like their Python's not working, the tools not working, I'm trying to help them through it. So you know, I'm like, you know what, it's a teaching moment.

I'm going to let them figure this out, right? Like I'm not going to give them the answer. I'm not going to, I'm not going to coach them to it. I want to see how they handle this.

Okay, so they've taught me that responder is their go-to tool for starting a network assessment. But if that's not working for whatever reason, what do you do next? I have a 30 minute client call with another client that I need to take. So I'm going to be over here.

I'm like, you know what? You take the reins on this. It's the beginning of the test. You're walking around.

So I'm on the call and he's doing this thing. And I don't know, like, five, 10 minutes go by, I'm on this call. And I start noticing that there's a lot of like, phones ringing in adjacent offices. And I start to hear a lot of shuffling and people kind of like run around.

And I'm not sure what's going on in my head or whatever, it's probably nothing. Also, I see our point of contact conflying down the hall in a panic. The bus in the room, he goes, what are you doing to our network? And I'm like, I gotta call you back.

So I get off my call, I'm like, I'm sorry, what's going on? It's like, everything's down, we can't reach anything. The core, oh my god, nothing works. We're like, okay.

So make to the junior guy, whatever you're doing, to stop. So he stops, maybe like five, 10 minutes go by and things kind of quiet down. We check in with the point of contact. He's like, yeah, whatever that was, don't do that ever again.

He's obviously upset, understand, he'll be so. So, in the process, the figure out what happened, I'm talking to the junior tester. And I say, what are you doing? What kind of test are you doing?

He's like, you know, I was going to respond or whatever. Okay, cool. What else are you doing? Well, you know, I figured I'd save time and I would run, you know, like a port scan.

Like, okay. Would you use for that? And he says, well, I always use mass scan. I don't like, okay.

Hey, not on map? He's like, no, I don't know, mask ends faster. Okay, so end map is a basic tool to scan the network. It's a simple and efficient and usually safe.

And when you're testing a live network, you want to be as light-footed as you can. An end map is a gentle tool to scan the network with. It just does like a simple knock on the door. Is anyone home?

And it really just stops there. Which is nice since you don't want to disrupt business or wreck any systems in your process. Since after all, this is a bank which needs to continue their service to customers. But Mass Scan is a bit beefier of a tool compared to Endmap.

It can make a map of your network, but it's designed to scan huge amounts of systems at once. Like it shines really well when it's supposed to scan millions of IPs at once or even the whole internet. This network at most had thousands of IPs. Mass Scan is just too powerful of a tool for this scenario, but this junior pen tester was convinced that because it's a beefier tool, it's better for the job. I'm like, oh, I'm aware of Mascans faster.

Show me the command you ran with Mascans. So he shows me the command you ran with Mascans, and when you run Mascans, you have the option of how many packets per second you want to run that at. He had added like two or three zeros to the default, which means he was blazing across all of their submats running Mascans and doing a port scan. And that is what brought their network to its knees for five to ten minutes is that he was careless and If you want to kind of step back from that, I was careless as the quote unquote Esther in the room at that point in time Okay, so this junior pen tester was absolutely flooding the network with traffic They weren't told what exactly they impacted, but I'm gonna speculate on what happened here He had a computer that was plugged in using an Ethernet cable, so his next top from his laptop would have probably been a network switch or router.

If he's sending massive amounts of traffic, it could easily overwhelm that next hop. Just too many packets at once going through that and opening too many sessions, it can fill up the session table. Memory or CPU on the device could just be maxed out and it just might not accept any more packets. Essentially doing a denial of service on that next hop, if it was a switch or a router.

And what that would do is it caused everyone who's also connected to that device to not be able to reach anything beyond it. Like the pipes are clogged, kind of thing. And if there are servers also connected to that switch, then those servers would be unreachable by anyone too. The other option is if this mass scan tool was configured to scan IPs outside the network, the traffic might have traversed the firewall.

And this is a device that acts as a security checkpoint between the internal network and the outside internet, net, which does a little bit more inspection of packets. And if every IP that Mascann was trying to hit was getting inspected by the firewall, that might be too much for the firewall to handle, it just can't accept that much stuff. Not only that, but it might have taken up all the bandwidth that that site had for internet access as well, making the whole internet go down for the site. Either scenario, Joe realized it was them who took down the network, and now they had a really big problem on their hands to deal with.

So we end up with, like, this big call, he didn't necessarily, like, break anything. He just slowed the network down to a crawl because he was shoving so much traffic through it that nothing else could get where he needed to go. So the CIO, chief and praise officer on the call, a lot of big muckety mucks, and basically they're like, tell us why we shouldn't fire you from this right now, essentially. And we had to go through a whole rigmarole with him and explain, like, look, you know, There was a typo on a screen, we didn't do it on purpose, we were very sorry, we won't do it again, yada, yada, yada, and luckily they came around, but I'm pretty sure we don't have pen testing work as head back anymore.

So yeah, that was, that was not fun. We've had to change our procedures since that's happened. One thing that I thought isn't explicitly taught to pen testers, but I believe is possibly the most important skill for them to have is communication skills. It's not entirely unusual to be put in a hot situation where there's some very stressed out people on the phone or in the room or people that are just really difficult to work with.

And the better you can speak their language, the more effective you're going to be at working with them. If you're a pen tester and you find some awful glaring security issue in the network, how do you explain the problem to the business leaders in a way that they will prioritize it and fix it? They aren't ding-dongs. They have degrees and are highly accomplished people, but they don't understand the details of cybersecurity, so you need to have those communication skills to speak their language so they get it.

And that, to me, is a mark of a great penetration A big thank you to Evil Mag for telling us about this time in Afghanistan and also thank you to Joe for telling us about his pen test story that went all wrong. They were able to keep working after that and provided value to the client despite the rough start. I've got a t-shirt shop that I really want you to check out. There are over 50 designs in there, and I am positive.

You will find a shirt that you'll love in the store. Please visit shop.darknetdiaries.com and treat yourself to something nice. This episode was created by me, the one-night jack recider. Our editor is the encrypted kid, Tristan Ledger, mixing done by proximity sound in our intro music is by the mysterious break master cylinder.

I took a trip down to the capital in Washington, DC, and a little bee landed on a flower next to me. And I nodded at it, and I said, that's a USB. This is Dr. Tentaris.","created_at":"2024-09-05T19:57:04.000000Z","updated_at":"2025-07-15T06:07:24.000000Z","requested_by":[1],"status":"completed","delay_time":null,"worker_id":null,"job_id":null,"execution_time":null,"runpod_job_id":null,"error_message":null,"completed_at":null,"word_level_timestamps":null,"claimed_at":null,"retry_count":0}

Ask questions about this episode