WEBVTT 1 00:00:00.000 --> 00:00:02.399 All right, let's get ready for a deep dive into 2 00:00:02.439 --> 00:00:06.320 the world of penetrition testing. Exciting, but not the kind 3 00:00:06.360 --> 00:00:08.560 you see in the movies, you know, the Hollywood stuff. Right, 4 00:00:08.880 --> 00:00:12.599 We're gonna be looking at the real deal. The secrets 5 00:00:12.679 --> 00:00:18.079 from this book pentised Secrets. Okay, Breaking the Unbreakable Enterprise Security. 6 00:00:18.239 --> 00:00:19.039 I like that title. 7 00:00:19.480 --> 00:00:24.160 It's by Sager Bonsall and au j Burala. Hmmm, I'm 8 00:00:24.160 --> 00:00:28.320 not familiar, and it's it's fascinating because it really pulls 9 00:00:28.359 --> 00:00:31.359 back the curtain on what it actually takes to break 10 00:00:31.399 --> 00:00:36.119 into these systems that everyone thinks are you know, unbreakable. 11 00:00:35.600 --> 00:00:37.920 Right, yeah, So much of what we see about hacking 12 00:00:38.000 --> 00:00:42.479 is so unrealistic totally. It's all you know, flashy graphics 13 00:00:42.479 --> 00:00:43.719 and people typing really fast. 14 00:00:43.799 --> 00:00:44.880 Yeah yeah, yeah. 15 00:00:44.880 --> 00:00:48.960 But this book, it focuses on the strategy, the mindset. Okay, 16 00:00:49.079 --> 00:00:50.240 you know, the real secrets. 17 00:00:50.320 --> 00:00:52.240 So you're saying it's more like a mental game than 18 00:00:52.240 --> 00:00:53.200 a technical one. 19 00:00:53.439 --> 00:00:56.920 It's both, really, but the technical stuff that tools and techniques, 20 00:00:57.439 --> 00:01:00.560 that's just one part of the equation this book does 21 00:01:00.880 --> 00:01:03.840 is it gives you a much more realistic understanding of 22 00:01:03.880 --> 00:01:08.280 how enterprise security actually works. Okay, and maybe where it doesn't. 23 00:01:08.319 --> 00:01:09.719 So this is going to be like our you know, 24 00:01:10.159 --> 00:01:13.840 our mythbusting deep Dove's the real world of pen testing. 25 00:01:14.000 --> 00:01:14.439 Awesome. 26 00:01:15.519 --> 00:01:18.599 Let's start by debunking a major myth. Okay, the lone 27 00:01:18.640 --> 00:01:19.319 wolf hacker. 28 00:01:19.640 --> 00:01:21.120 Oh yeah, that's a good one, right. 29 00:01:21.200 --> 00:01:22.760 You always see that in the movies, right. 30 00:01:22.719 --> 00:01:24.480 The lone genius working in the dark. 31 00:01:24.599 --> 00:01:27.680 Yeah, all by themselves cracking these impossible. 32 00:01:27.120 --> 00:01:30.120 Codes, hacking into the CIA or something exactly. 33 00:01:30.280 --> 00:01:32.319 But in reality, it's not like that at all. Yep, 34 00:01:32.760 --> 00:01:34.799 especially when it comes to enterprise pen testing. 35 00:01:34.840 --> 00:01:35.319 Ah. 36 00:01:35.359 --> 00:01:37.439 This book makes it clear that it's a team effort. 37 00:01:37.480 --> 00:01:38.640 It's definitely team sport. 38 00:01:38.840 --> 00:01:39.840 Yeah, a team sport. 39 00:01:39.879 --> 00:01:41.599 Any different skills, different perspectives. 40 00:01:41.640 --> 00:01:44.239 Okay, so let's break down this team. Then, the book 41 00:01:44.280 --> 00:01:49.079 describes the structure of Sager Banzol's global pen testing team. 42 00:01:49.359 --> 00:01:51.959 Right, so Sager he's a founder of the company. He's 43 00:01:52.000 --> 00:01:56.000 the one who heads things up thanks overseeing projects, managing clients, 44 00:01:56.680 --> 00:01:58.000 you know that kind of stuff. 45 00:01:57.719 --> 00:01:59.200 Like the CEO, the big boss. 46 00:01:59.319 --> 00:02:00.120 Yeah you could say that. 47 00:02:00.359 --> 00:02:01.920 Okay, And then who else is on this team? 48 00:02:02.560 --> 00:02:07.239 Well, there's Aju. He's X Navy, which is interesting X. 49 00:02:07.319 --> 00:02:09.960 Navy, so he brings a different kind of experience exactly. 50 00:02:10.039 --> 00:02:14.479 His expertise is in GRC PRC. What's that governance, risk 51 00:02:14.800 --> 00:02:16.360 and compliance okay? 52 00:02:16.400 --> 00:02:19.000 And why is that important for a pen testing team. 53 00:02:19.199 --> 00:02:22.319 Because it's not just about breaking into systems, right, you 54 00:02:22.360 --> 00:02:25.879 need to understand the rules, the regulations. Oh I see 55 00:02:25.919 --> 00:02:28.639 the legal frameworks, and then you need to be able 56 00:02:28.719 --> 00:02:32.159 to assess the risks, identify the vulnerabilities. 57 00:02:32.240 --> 00:02:35.319 So AJ is like the strategic planner, making sure everything 58 00:02:35.360 --> 00:02:36.479 is done by the book. 59 00:02:36.680 --> 00:02:38.719 Yeah, you could say that. He's also really good with 60 00:02:38.759 --> 00:02:40.360 digital forensics. 61 00:02:39.800 --> 00:02:42.439 Okay, so if something goes wrong, he can cover their track. 62 00:02:42.680 --> 00:02:45.680 Not exactly covering their right of course, i'mant more like 63 00:02:45.840 --> 00:02:49.560 understanding how the attack happened, gathering evidence, you know that 64 00:02:49.639 --> 00:02:50.199 kind of stuff. 65 00:02:50.360 --> 00:02:54.120 Got it. So we've got the CEO and the strategist. 66 00:02:54.599 --> 00:02:55.919 Who else is on the stream team? 67 00:02:55.960 --> 00:02:57.319 Well, then you've got the specialists. 68 00:02:57.360 --> 00:02:58.719 The specialist okay. 69 00:02:58.439 --> 00:03:03.000 Like Jatindraendra. He's the web app whiz web app whiz. Yeah, 70 00:03:03.039 --> 00:03:05.439 he's got tons of bug bounty hunting experience. 71 00:03:05.039 --> 00:03:06.360 Called bounty hunting. 72 00:03:06.199 --> 00:03:11.639 Basically finding and reporting vulnerabilities in websites and apps, so he. 73 00:03:11.719 --> 00:03:13.759 Knows all the tricks of the trade. When it comes 74 00:03:13.800 --> 00:03:15.199 to web application exactly. 75 00:03:15.479 --> 00:03:17.840 He's the one who can find those subtle weaknesses that 76 00:03:18.039 --> 00:03:18.879 others might miss. 77 00:03:18.960 --> 00:03:20.639 Okay, and what about infrastructure. 78 00:03:21.199 --> 00:03:24.400 For that, you've got Man Deep Man Deeprak. He's top 79 00:03:24.479 --> 00:03:26.360 ranked in infrastructure testing. 80 00:03:26.120 --> 00:03:28.000 Top ranked. That's impressive. 81 00:03:28.280 --> 00:03:30.439 Yeah, and he's all the way from Australia. Wow. 82 00:03:30.560 --> 00:03:33.080 So they've really assembled a global team here. 83 00:03:33.319 --> 00:03:34.520 They've got the best of the best. 84 00:03:34.599 --> 00:03:37.800 Okay. So we've got the CEO, the strategists, the web 85 00:03:37.840 --> 00:03:41.479 app whiz, the infrastructure expert, anyone else. 86 00:03:41.560 --> 00:03:44.960 Oh yeah. They also have a senior exploit writer, Miss X. 87 00:03:45.080 --> 00:03:47.159 Let's call her Miss X Mysterious. 88 00:03:47.400 --> 00:03:50.960 She's brought in for specific projects that require her unique skills. 89 00:03:51.439 --> 00:03:52.520 Unique skills like. 90 00:03:52.400 --> 00:03:54.919 What well, she's the one who can create those custom 91 00:03:55.000 --> 00:03:59.960 exploit the ones that can bypass even the toughest security measures. 92 00:04:00.000 --> 00:04:02.360 So she's like the secret weapon, you could say that. 93 00:04:02.400 --> 00:04:05.919 And then lastly they have Paul right he handles network 94 00:04:05.960 --> 00:04:10.800 pen testing, but he also has expertise in compliance and 95 00:04:10.879 --> 00:04:11.599 legal matters. 96 00:04:11.639 --> 00:04:13.199 Yeah, he's one who make sure they stay on the 97 00:04:13.280 --> 00:04:14.080 right side of the law. 98 00:04:14.360 --> 00:04:17.319 Okay. So this team is like a well oiled machine. 99 00:04:17.399 --> 00:04:21.279 It is with specialists for every aspect of appentist. 100 00:04:20.839 --> 00:04:22.839 And that's what it takes to be successful. 101 00:04:22.920 --> 00:04:25.560 So it's not just about being a hacker, No, it's 102 00:04:25.600 --> 00:04:30.319 about having a diverse team with a wide range of skills. 103 00:04:30.360 --> 00:04:30.839 Absolutely. 104 00:04:31.519 --> 00:04:35.319 Now I'm curious with all this expertise, Yeah, did they 105 00:04:35.399 --> 00:04:36.800 still face challenges? 106 00:04:36.920 --> 00:04:40.120 Oh? Absolutely, Even the best teams run into roadblocks. 107 00:04:40.199 --> 00:04:42.199 Okay, So what kind of challenges did they encounter? 108 00:04:42.399 --> 00:04:46.279 Well, the book describes how even this elite team faced 109 00:04:46.319 --> 00:04:49.279 some serious hurdles right from the start. 110 00:04:49.360 --> 00:04:52.240 From the start, you mean, during the initial recon Exactly. 111 00:04:52.240 --> 00:04:55.480 They were targeting a company with all the standard defenses 112 00:04:56.079 --> 00:04:57.000 cloud flair protection. 113 00:04:57.160 --> 00:04:59.079 Oh yeah, cloud flair. That's tough to get around. 114 00:04:59.439 --> 00:05:01.920 It is rate limiting, user agent locking. 115 00:05:02.240 --> 00:05:04.879 Okay. So they were trying to slow them down and 116 00:05:05.040 --> 00:05:08.639 filter out any suspicious traffic exactly. And they suspected there 117 00:05:08.720 --> 00:05:10.519 might be a web application firewall. 118 00:05:10.720 --> 00:05:13.560 Yeah a waif. That's a common defense, and. 119 00:05:13.480 --> 00:05:16.439 Of course endpoint security on all the computers. 120 00:05:16.560 --> 00:05:18.879 Right, So even if they managed to get through the 121 00:05:18.959 --> 00:05:22.720 perimeter defenses, they'd still have to deal with security software 122 00:05:22.759 --> 00:05:23.920 on individual machines. 123 00:05:24.000 --> 00:05:27.759 It's like a fortress with multiple layers of walls and moats, 124 00:05:28.000 --> 00:05:28.279 it is. 125 00:05:29.079 --> 00:05:30.879 But these guys they were determined. 126 00:05:31.040 --> 00:05:32.319 Okay, so how did they get. 127 00:05:32.120 --> 00:05:34.439 Past all that, Well, they had to get creative. 128 00:05:34.600 --> 00:05:35.600 Creative how so. 129 00:05:35.680 --> 00:05:40.360 They used custom scripts to bypass cloud flares protections. Custom 130 00:05:40.480 --> 00:05:43.240 scripts interesting, and they rotated EPs to. 131 00:05:43.199 --> 00:05:45.040 Make it look like the traffic was coming from different 132 00:05:45.079 --> 00:05:46.240 locations exactly. 133 00:05:46.560 --> 00:05:48.839 And they even analyzed user agent strings. 134 00:05:49.519 --> 00:05:51.319 User agent strings, what are those? 135 00:05:51.480 --> 00:05:54.319 Basically, it's a piece of information that your browser sends 136 00:05:54.319 --> 00:05:56.959 to a website. Okay, it tells the website what kind 137 00:05:56.959 --> 00:05:59.720 of browser you're using, what operating system you have, that 138 00:05:59.800 --> 00:06:00.279 kind of thing. 139 00:06:00.360 --> 00:06:00.800 I see. 140 00:06:00.959 --> 00:06:02.519 So they were trying to make their traffic look like 141 00:06:02.560 --> 00:06:04.279 it was coming from legitimate users. 142 00:06:04.439 --> 00:06:07.000 So they were like digital chameleons, blending in with the 143 00:06:07.000 --> 00:06:08.079 crowd exactly. 144 00:06:08.240 --> 00:06:11.519 Yeah. And what's even more impressive is their use of deduction. 145 00:06:11.759 --> 00:06:15.639 Deduction like Sherlock Holmes Exactly. They were looking for clues, 146 00:06:15.839 --> 00:06:18.439 clues like what kind of clues. 147 00:06:18.439 --> 00:06:21.920 Subtle hints that could reveal information about the company's systems. 148 00:06:22.160 --> 00:06:23.959 Hmmm, this sounds intriguing. 149 00:06:24.040 --> 00:06:28.120 It is. For example, they noticed some subtle differences in 150 00:06:28.160 --> 00:06:32.040 the way the website loaded, differences like what tiny things 151 00:06:32.120 --> 00:06:35.399 like the spacing of elements, okay, the way certain images 152 00:06:35.439 --> 00:06:38.560 were rendered, I see, and based on these tiny clues, 153 00:06:39.360 --> 00:06:42.439 they were able to deduce that the company was using 154 00:06:42.839 --> 00:06:44.480 WordPress word Press. 155 00:06:44.519 --> 00:06:46.120 Really that's pretty common. 156 00:06:46.120 --> 00:06:48.399 It is, but it narrows down the possibilities. 157 00:06:48.480 --> 00:06:48.879 Okay. 158 00:06:48.959 --> 00:06:51.560 And then they went even further. Yeah, they figured out 159 00:06:51.560 --> 00:06:54.240 that they were using a specific theme, a theme. 160 00:06:55.000 --> 00:06:55.360 What's that. 161 00:06:55.560 --> 00:06:58.639 It's like a template that determines the look and feel 162 00:06:59.000 --> 00:07:02.879 of a website. And the theme they were using was OCEANWP. 163 00:07:03.360 --> 00:07:04.079 OCEANWP. 164 00:07:04.279 --> 00:07:07.079 Okay, it's a popular theme. But now they knew exactly 165 00:07:07.160 --> 00:07:07.959 what they were dealing with. 166 00:07:08.040 --> 00:07:11.040 So they were like digital detectives putting together a puzzle. 167 00:07:11.360 --> 00:07:13.480 They were. And this is all before they even tried 168 00:07:13.480 --> 00:07:14.040 to break in. 169 00:07:14.199 --> 00:07:16.360 This is just the recon phase exactly. 170 00:07:16.720 --> 00:07:21.040 They were gathering information, building a profile of their target. 171 00:07:21.240 --> 00:07:26.240 So persistence, adaptability, attention to detail. Those are the key 172 00:07:26.279 --> 00:07:29.480 takeaways and a little bit of Sherlock Holmes thrown in exactly. 173 00:07:29.639 --> 00:07:32.519 But let's be honest, the part everyone's waiting for is 174 00:07:32.560 --> 00:07:34.160 the social engineering attack. 175 00:07:34.480 --> 00:07:36.839 Right, That's where things get really interesting. So tell me 176 00:07:36.879 --> 00:07:39.600 about it. We'll forget about those simple phishing emails, Okay, 177 00:07:39.639 --> 00:07:42.040 you know ones that say click here to reset your password. 178 00:07:42.240 --> 00:07:44.560 Yeah, those are so obvious. 179 00:07:44.160 --> 00:07:48.079 Like these guys. They went for something much more sophisticated. Sophisticated, 180 00:07:48.199 --> 00:07:50.399 a multi stage operation. 181 00:07:50.079 --> 00:07:52.519 Multi stage operation, okay, lay it on me. 182 00:07:52.759 --> 00:07:57.160 They did their research and they specifically targeted an employee. 183 00:07:57.279 --> 00:07:58.920 It's an employee, okay, who was it? 184 00:07:59.079 --> 00:08:01.639 A female secure the administrator. 185 00:08:01.120 --> 00:08:03.240 A security administrator. 186 00:08:02.639 --> 00:08:04.240 Yes, someone who should know better. 187 00:08:04.399 --> 00:08:06.920 I see. They wanted to challenge themselves. 188 00:08:06.959 --> 00:08:10.000 Maybe, But there's more to it. Uh huh. They also 189 00:08:10.120 --> 00:08:11.120 knew that she was a parent. 190 00:08:11.879 --> 00:08:15.240 A parent. Hmmm. Why is that important? 191 00:08:15.480 --> 00:08:18.720 Because parenting can create vulnerabilities. 192 00:08:17.959 --> 00:08:20.680 Vulnerabilities how so, well, think about it. 193 00:08:20.839 --> 00:08:24.399 Parents are always worried about their kids, right, especially their education. 194 00:08:24.600 --> 00:08:25.079 Uh huh. 195 00:08:25.079 --> 00:08:26.439 So they prayed on that concern. 196 00:08:26.519 --> 00:08:29.319 Okay, So it's not just about technical skills. Yeah, it's 197 00:08:29.319 --> 00:08:33.279 about understanding human psychology exactly. That's fascinating it is. 198 00:08:33.440 --> 00:08:35.360 So here's how they did it, all right, I'm all yours. 199 00:08:35.840 --> 00:08:38.360 They created a fake website. 200 00:08:37.799 --> 00:08:39.600 A fake website okay. 201 00:08:39.399 --> 00:08:41.639 Offering free online math classes. 202 00:08:42.080 --> 00:08:43.080 Free math class. 203 00:08:43.200 --> 00:08:45.039 Yeah, they knew that would be tempting for a parent. 204 00:08:45.200 --> 00:08:47.679 Makes sense. Who wouldn't want free help with math? 205 00:08:48.159 --> 00:08:48.799 Exactly? 206 00:08:48.960 --> 00:08:49.720 That's what happened. 207 00:08:49.759 --> 00:08:53.480 Next, they created a sign in with Google button. 208 00:08:53.799 --> 00:08:55.600 Oh those are everywhere these days. 209 00:08:55.639 --> 00:08:57.960 They are, and that's what makes them so dangerous. 210 00:08:58.039 --> 00:09:00.759 Dangerous how so because. 211 00:09:00.440 --> 00:09:03.759 They allow websites to access to your Google account. But 212 00:09:03.879 --> 00:09:06.960 here's the clever part. Yeah, they restricted the scope. 213 00:09:06.679 --> 00:09:08.639 Of access, restricted the stove. 214 00:09:09.000 --> 00:09:11.919 Yeah, so they only requested access to her Gmail account. 215 00:09:12.039 --> 00:09:16.759 Hmmm, that's sneaky. So she wouldn't be suspicious exactly. 216 00:09:16.799 --> 00:09:18.600 She probably just thought, oh, they need my email to 217 00:09:18.639 --> 00:09:20.720 send me updates, right, that makes sense. But what she 218 00:09:20.759 --> 00:09:24.679 didn't realize is that they were now inside her Gmail. Wow. 219 00:09:24.799 --> 00:09:28.159 So stage one of their attack was a success. It was, 220 00:09:28.919 --> 00:09:29.879 but it doesn't stop there. 221 00:09:30.120 --> 00:09:31.799 Oh no, they had more tricks up their sleeves. 222 00:09:31.840 --> 00:09:32.759 Okay, what else did they do? 223 00:09:32.960 --> 00:09:35.840 They embedded a beef payload on the website. 224 00:09:35.879 --> 00:09:37.320 Beef payload. What's that? 225 00:09:38.080 --> 00:09:40.360 It's a tool for browser exploitation. 226 00:09:40.720 --> 00:09:43.720 Browser exploitation? You mean they could take control of her 227 00:09:43.720 --> 00:09:47.000 browser potentially potentially. 228 00:09:46.360 --> 00:09:49.399 Yeah, it depends on whether her browser had any vulnerabilities. 229 00:09:49.440 --> 00:09:52.320 But if it did, they could have gained further access 230 00:09:52.320 --> 00:09:53.000 to her computer. 231 00:09:53.120 --> 00:09:55.360 So beef was like their backup plan. 232 00:09:56.399 --> 00:09:57.440 Yeah, you could say that. 233 00:09:57.600 --> 00:10:01.840 And they also offered a dummy software installer m a 234 00:10:01.879 --> 00:10:04.320 software installer yeah, with a hidden interpreter shell. 235 00:10:04.600 --> 00:10:05.519 A interpreter shell. 236 00:10:05.600 --> 00:10:08.840 Yeah, it's like a backdoor that allows remote access and control. 237 00:10:08.840 --> 00:10:10.360 Though they were really covering. 238 00:10:10.080 --> 00:10:12.799 Their bases, they were, They had multiple ways to potentially 239 00:10:12.799 --> 00:10:13.480 get into her. 240 00:10:13.399 --> 00:10:15.480 System, and that's what makes them so dangerous. 241 00:10:15.559 --> 00:10:18.440 So what happened? Did any of these later stages work? 242 00:10:19.200 --> 00:10:19.919 It seems not. 243 00:10:20.279 --> 00:10:21.720 They didn't work. Why not? 244 00:10:22.240 --> 00:10:25.960 It's hard to say for sure. Yeah, but it's possible 245 00:10:26.279 --> 00:10:31.159 she had good antivirus software, okay, or data loss prevention tools. 246 00:10:31.320 --> 00:10:35.600 So even with a sophisticated plan, sometimes the simplest defenses 247 00:10:35.639 --> 00:10:36.080 can work. 248 00:10:36.240 --> 00:10:36.840 Absolutely. 249 00:10:37.080 --> 00:10:39.679 But these guys, they were prepared for setbacks. 250 00:10:39.799 --> 00:10:41.440 Oh yeah, they always had a backup plan. 251 00:10:41.639 --> 00:10:42.840 So what did they do next? 252 00:10:42.879 --> 00:10:44.679 They used the compromise Gmail. 253 00:10:44.360 --> 00:10:46.519 Account, the Gmail they already had access to. 254 00:10:46.840 --> 00:10:50.519 Exactly. They used it to reset her LinkedIn password. 255 00:10:50.639 --> 00:10:52.440 Her LinkedIn password? Why LinkedIn? 256 00:10:53.200 --> 00:10:56.879 Because they wanted to target someone else, someone else, an intern? 257 00:10:57.080 --> 00:10:59.240 An intern, Yeah, a classic dumb admin. 258 00:10:59.360 --> 00:11:00.000 Dumb admins? 259 00:11:00.080 --> 00:11:02.960 What do you mean, someone who's eager to please? Okay, 260 00:11:03.159 --> 00:11:05.120 maybe a little too trusting, I see. 261 00:11:05.120 --> 00:11:08.159 They were going to exploit his naivety exactly. 262 00:11:08.519 --> 00:11:12.320 They created a sense of urgency. Urgency how they claimed 263 00:11:12.320 --> 00:11:13.279 the company was under. 264 00:11:13.200 --> 00:11:17.320 Attack, under attack, what kind of attack? Adidos attack add astack? 265 00:11:17.399 --> 00:11:18.440 Oh wow, that's serious. 266 00:11:18.600 --> 00:11:21.399 Yeah, and this poor intern he panicked, panicked, Yeah, he 267 00:11:21.440 --> 00:11:24.120 wanted to be the hero. Simmy fell for it, hook 268 00:11:24.279 --> 00:11:25.080 line and sinker. 269 00:11:25.679 --> 00:11:27.279 And what did they get from him? 270 00:11:27.720 --> 00:11:30.080 The information they needed to bypass cloud. 271 00:11:29.799 --> 00:11:33.120 Flare, the cloud Flare protection that they had been. 272 00:11:33.000 --> 00:11:34.519 Struggling with, exactly. 273 00:11:34.639 --> 00:11:38.279 So this intern he accidentally gave them the keys to 274 00:11:38.320 --> 00:11:41.480 the kingdom. You could say that it's amazing how one 275 00:11:41.559 --> 00:11:43.960 mistake can have such a huge impact. 276 00:11:44.279 --> 00:11:46.399 It is, and that's why social engineering is so. 277 00:11:46.360 --> 00:11:50.639 Effective, because it exploits human weaknesses exactly. But let's not 278 00:11:50.720 --> 00:11:53.279 forget about the technical side of things, right. The book 279 00:11:53.320 --> 00:11:56.240 also highlights the importance of misconfigurations. 280 00:11:56.519 --> 00:11:59.960 Oh yeah, misconfigurations can be just as valuable as any expert. 281 00:12:00.440 --> 00:12:02.639 So what kind of misconfigurations did they find? 282 00:12:02.759 --> 00:12:05.559 Well, remember those cloud Flare rules they got from the intern. 283 00:12:05.960 --> 00:12:08.759 One of them was a real golden ticket, A golden ticket. Yeah, 284 00:12:08.840 --> 00:12:10.639 it allowed bypass access. 285 00:12:10.240 --> 00:12:12.759 Bypass access, so they could get around cloud Flare. 286 00:12:13.000 --> 00:12:14.519 But there was a catch, a catch. 287 00:12:14.840 --> 00:12:15.759 What was it? 288 00:12:15.759 --> 00:12:18.799 It required a very specific whitelisted. 289 00:12:18.240 --> 00:12:20.720 IP address, whitelisted IP address okay. 290 00:12:20.480 --> 00:12:22.399 And they didn't have it, so it was a dead end. 291 00:12:22.799 --> 00:12:24.080 Not quite, not quite. 292 00:12:24.159 --> 00:12:24.480 Why not. 293 00:12:24.679 --> 00:12:29.000 Remember that dumb admin who gave them the cloud Flare details, Yeah, 294 00:12:29.039 --> 00:12:32.639 well he also inadvertently revealed the real IP address of 295 00:12:32.679 --> 00:12:36.000 their web server. He did through DNS entries. 296 00:12:36.120 --> 00:12:37.480 DNS entries, oh, icee. 297 00:12:37.519 --> 00:12:39.720 So now they had the IP address they needed, so they. 298 00:12:39.600 --> 00:12:40.519 Could just walk right in. 299 00:12:40.679 --> 00:12:42.000 Not so fast, not so fast? 300 00:12:42.000 --> 00:12:42.759 What else was there? 301 00:12:42.919 --> 00:12:46.519 There was an ADC and ADC an application delivery. 302 00:12:46.039 --> 00:12:47.639 Controller okay, And what does that do. 303 00:12:48.080 --> 00:12:50.519 It's like a security guard that stands between the outside 304 00:12:50.559 --> 00:12:54.960 world and your web server ICE. And this ADC was 305 00:12:55.120 --> 00:12:58.840 locked down tight walk down. Yeah, I was only talking 306 00:12:58.840 --> 00:12:59.480 to cloud. 307 00:12:59.200 --> 00:13:02.120 Flare so they could access it directly, not without the 308 00:13:02.159 --> 00:13:04.919 right credential. So it was another dead end, it seemed 309 00:13:04.919 --> 00:13:06.879 that way. But I have a feeling they found a 310 00:13:06.919 --> 00:13:07.720 way around it. 311 00:13:07.840 --> 00:13:12.039 They did. How they discovered that an exchange. 312 00:13:11.519 --> 00:13:13.480 Server an exchange server, what's that? 313 00:13:13.639 --> 00:13:14.440 It's a mail server? 314 00:13:14.600 --> 00:13:15.679 A mail server okay. 315 00:13:15.679 --> 00:13:19.000 And it was placed in the DMZ, the DMZ the 316 00:13:19.000 --> 00:13:20.440 demilitarized zone okay. 317 00:13:20.440 --> 00:13:21.919 And why is that a problem. 318 00:13:21.919 --> 00:13:26.200 Because the DMZ is meant for public facing services. It's 319 00:13:26.240 --> 00:13:28.360 like leaving the front door to your house wide open. 320 00:13:29.279 --> 00:13:32.639 So it was a major security risk. It was, and 321 00:13:32.679 --> 00:13:34.279 they found a way to exploit it. 322 00:13:34.360 --> 00:13:36.960 They did tell me more. Remember how we talked about 323 00:13:37.000 --> 00:13:40.399 staying up to date. Uhh, Well, their diligence paid off. 324 00:13:41.200 --> 00:13:43.759 They discovered a zero day exploit. 325 00:13:44.360 --> 00:13:46.360 A zero day exploit, what's that? 326 00:13:46.440 --> 00:13:49.679 A vulnerability that's unknown to the public. Okay, and this 327 00:13:49.759 --> 00:13:52.120 exploit specifically targeted exchange server. 328 00:13:52.440 --> 00:13:55.399 So they had the keys and the map to the vault. 329 00:13:56.000 --> 00:13:58.279 You could say that it work. They were cautious. 330 00:13:58.559 --> 00:13:59.000 Cautious. 331 00:13:59.039 --> 00:14:01.480 Yeah, they tested it in a controlled environment. 332 00:14:01.159 --> 00:14:02.879 First, Okay, that makes sense. 333 00:14:02.720 --> 00:14:05.200 To make sure it worked as expected. And of course 334 00:14:05.240 --> 00:14:07.960 they had the username and password. 335 00:14:08.039 --> 00:14:09.600 From our friend, the dumb admin. 336 00:14:09.919 --> 00:14:10.440 Exactly. 337 00:14:10.559 --> 00:14:13.000 It's like a domino effect. One mistake leads to. 338 00:14:13.000 --> 00:14:15.360 Another, and that's how they got into the exchange server. 339 00:14:15.559 --> 00:14:19.240 So they were in. They had a foothold in network. 340 00:14:18.879 --> 00:14:20.039 But they weren't done yet. 341 00:14:20.200 --> 00:14:20.759 There's more. 342 00:14:21.159 --> 00:14:23.960 Oh yeah, the story's just getting started, all right. 343 00:14:24.000 --> 00:14:25.679 Well, I can't wait to hear what happens next. 344 00:14:25.759 --> 00:14:29.080 Me neither. So remember that keylogger, Yeah. 345 00:14:28.919 --> 00:14:31.200 The one running on the GRC admin's. 346 00:14:30.759 --> 00:14:34.080 Computer, right on his Buntu machine Ubuntu, right, it actually 347 00:14:34.120 --> 00:14:35.279 caught something really interesting? 348 00:14:35.480 --> 00:14:38.159 Oh like what, Well, it seems. 349 00:14:37.919 --> 00:14:41.639 He used RDP to log into another machine RDP, what's 350 00:14:41.679 --> 00:14:43.360 that Remote desktop protocol? 351 00:14:43.480 --> 00:14:43.840 Okay? 352 00:14:44.000 --> 00:14:47.480 And the keylogger, well, it caught everything everything, you mean, 353 00:14:47.559 --> 00:14:49.399 his username is password, the whole thing. 354 00:14:49.519 --> 00:14:51.399 So they had access to another machine just like. 355 00:14:51.399 --> 00:14:54.320 That, not exactly, just like that. 356 00:14:54.360 --> 00:14:54.919 What do you mean? 357 00:14:55.240 --> 00:14:58.000 The keylogger logs, they were a bit of a puzzle. 358 00:14:58.360 --> 00:15:00.960 A puzzle, yeah, like a co They needed to crack 359 00:15:01.519 --> 00:15:05.480 a code. I don't get it, okay. So for example, 360 00:15:05.919 --> 00:15:10.600 instead of seeing chloroeyah, the log showed xlr okay. 361 00:15:10.639 --> 00:15:12.759 So it was jumbled up exactly, so they had to 362 00:15:12.799 --> 00:15:13.279 decode it. 363 00:15:13.279 --> 00:15:16.000 They had to figure out what each jumbled sequence represented. 364 00:15:16.559 --> 00:15:19.120 So it wasn't just a simple substitution cipher. 365 00:15:19.559 --> 00:15:21.039 No, it was more complex than that. 366 00:15:21.120 --> 00:15:22.039 Give me another example. 367 00:15:22.120 --> 00:15:26.879 Okay, So perch top roochtop that actually stood for rusktop. 368 00:15:27.919 --> 00:15:30.000 Okay. And what about the username and password? 369 00:15:30.679 --> 00:15:35.120 The username was logged as rossok do rosok do. 370 00:15:36.039 --> 00:15:37.360 That doesn't sound like a real name. 371 00:15:37.519 --> 00:15:40.240 It wasn't. Everything was encoded, so how. 372 00:15:40.120 --> 00:15:42.399 Did they even begin to decipher all this? 373 00:15:42.960 --> 00:15:46.360 They started by looking for patterns patterns. Yeah, they noticed 374 00:15:46.360 --> 00:15:49.279 that certain letters never got replaced, like witch letters the 375 00:15:49.279 --> 00:15:52.559 ones on the top row of a cordy keyboard. Oh interesting, 376 00:15:52.879 --> 00:15:55.600 like E R tuop. 377 00:15:56.039 --> 00:15:58.960 So maybe the key logger was recording keystrikes based on 378 00:15:58.960 --> 00:15:59.879 their physical location. 379 00:16:00.360 --> 00:16:01.120 That's what they thought. 380 00:16:01.240 --> 00:16:03.440 Okay, so what about the other letters, Well. 381 00:16:03.399 --> 00:16:05.879 They noticed that some letters were replaced by the letter 382 00:16:05.919 --> 00:16:07.000 before them on the keyboard. 383 00:16:07.120 --> 00:16:08.159 Okay, give me an example. 384 00:16:08.200 --> 00:16:11.039 So C was replaced by x x's before C. 385 00:16:11.200 --> 00:16:14.600 Right exactly, and L became K right again. But you 386 00:16:14.679 --> 00:16:16.480 said it wasn't a simple substitution. 387 00:16:17.320 --> 00:16:21.639 There were some inconsistencies like what well A, for example, 388 00:16:22.080 --> 00:16:25.840 it had no clear relation to any other letter, so. 389 00:16:25.799 --> 00:16:28.440 It was random, it seemed that way. And JAY was 390 00:16:28.480 --> 00:16:30.919 replaced by K, which is the letter after it, not 391 00:16:31.000 --> 00:16:31.799 before right. 392 00:16:31.720 --> 00:16:33.639 So there were definitely some exceptions to the rule. 393 00:16:33.759 --> 00:16:36.120 So how did they figure out the rest of the code, 394 00:16:36.639 --> 00:16:39.159 especially the username and password. 395 00:16:38.960 --> 00:16:40.440 Through careful analysis? 396 00:16:40.639 --> 00:16:41.399 Analysis? 397 00:16:41.480 --> 00:16:43.279 Yeah, they use a tool called CrypTool. 398 00:16:43.519 --> 00:16:44.519 Cryptol what's that. 399 00:16:44.639 --> 00:16:47.360 It's a program that can help you analyze and decrypt 400 00:16:47.399 --> 00:16:48.480 different types of codes. 401 00:16:48.720 --> 00:16:52.080