WEBVTT 1 00:00:00.160 --> 00:00:01.439 Welcome to your deep dive. 2 00:00:01.560 --> 00:00:02.319 Oh love that name. 3 00:00:02.359 --> 00:00:05.120 By the way, today we're going to be looking at 4 00:00:05.200 --> 00:00:08.400 Collie net Hunter awesome, with the help of a book 5 00:00:08.439 --> 00:00:13.800 called Security Testing with Collie net Hunter okay by Daniel W. Dieter. 6 00:00:13.919 --> 00:00:15.279 Loll so similar. 7 00:00:15.519 --> 00:00:20.239 So I'd be wondering, like what even I penetration testing, right, 8 00:00:20.399 --> 00:00:23.000 good question, and like, how can my phone be like 9 00:00:23.039 --> 00:00:24.800 a hacking tool? 10 00:00:25.199 --> 00:00:27.280 It's a little scary when you think about it. 11 00:00:27.399 --> 00:00:30.839 Yeah, it is a little bit unnerving for sure. Yeah, well, 12 00:00:30.920 --> 00:00:33.439 let's bring an expert speaker to help us break this down. 13 00:00:33.640 --> 00:00:39.439 Sounds good. Yeah, so penetration testing okay. It is kind 14 00:00:39.439 --> 00:00:41.719 of like a security audit, okay, but with a little 15 00:00:41.719 --> 00:00:45.799 more you know, excitement to it. Basically, ethical hackers use 16 00:00:45.880 --> 00:00:50.359 the same tools and techniques as you know, the bad 17 00:00:50.399 --> 00:00:55.119 guys to find those weaknesses and systems, but with permission. 18 00:00:55.240 --> 00:00:57.479 Of course, we got to keep it legal, of course, 19 00:00:57.600 --> 00:01:02.159 of course. Collie net Hunter essentially turns your smartphone into 20 00:01:02.200 --> 00:01:05.879 a portable hacking lab. Whoa, which makes it so versatile 21 00:01:05.920 --> 00:01:06.599 it's incredible. 22 00:01:06.680 --> 00:01:09.640 Okay, I'm with you so far. But wouldn't like a 23 00:01:09.719 --> 00:01:13.120 regular computer, right be more powerful? For like all that 24 00:01:13.200 --> 00:01:13.760 kind of stuff. 25 00:01:13.760 --> 00:01:14.959 That's a really good question. 26 00:01:15.159 --> 00:01:16.120 Why use a phone? 27 00:01:16.200 --> 00:01:19.680 That's what makes net hunters so unique. It's stealthy. Okay, 28 00:01:19.920 --> 00:01:22.680 you could just be walking around a building testing the 29 00:01:22.719 --> 00:01:25.760 Wi Fi. Right, you could plug into a computer with 30 00:01:25.879 --> 00:01:29.719 like a malicious USB. Oh wow, still do all the 31 00:01:29.719 --> 00:01:32.319 stuff you would do on a laptop, you know, traditional testing, 32 00:01:32.319 --> 00:01:34.840 but ye on your phone. Yeah. Plus everyone's always on 33 00:01:34.879 --> 00:01:37.879 their phones totally, so it's perfect. You blend right in. Yeah, 34 00:01:37.959 --> 00:01:39.159 nobody suspects the thing. 35 00:01:39.319 --> 00:01:42.840 That's awesome. Okay, so it's like the ultimate undercover hacking tool. 36 00:01:43.000 --> 00:01:43.519 You got it. 37 00:01:43.599 --> 00:01:45.560 That's so cool. Okay, so let's unpack us this a 38 00:01:45.599 --> 00:01:50.680 little bit. Yeah, what exactly is Collie Netthunter. 39 00:01:52.079 --> 00:01:54.640 Well, you can kind of think of it as like 40 00:01:54.920 --> 00:02:00.280 a mini super powerful hacking computer running right inside your endroid, 41 00:02:00.719 --> 00:02:04.280 phone or tablet. It's based on Kalie Linux gotcha, which 42 00:02:04.319 --> 00:02:08.360 is kind of the gold standard for cybersecurity pros. Yeah, 43 00:02:08.400 --> 00:02:11.159 but instead of being tied to your desk, net hunter 44 00:02:11.240 --> 00:02:12.879 lets you take all that power anywhere. 45 00:02:13.159 --> 00:02:16.840 So I'm kind of picturing like a bunch of complicated 46 00:02:17.039 --> 00:02:19.439 hacking tools crammed into my phone. 47 00:02:19.479 --> 00:02:21.560 You would think that, right, Yeah, it's actually got a 48 00:02:21.680 --> 00:02:25.680 very user friendly interface. Oh really, tons of penetration testing 49 00:02:25.719 --> 00:02:28.759 apps ready to go. Wow. Okay, but if you are 50 00:02:28.800 --> 00:02:32.120 a terminal person and you're comfortable with that, yeah, you 51 00:02:32.120 --> 00:02:34.840 also have direct access to all those classic Calie Linux 52 00:02:34.919 --> 00:02:35.560 tools as well. 53 00:02:35.639 --> 00:02:38.759 Oh that's so cool. So there's something for everyone exactly, 54 00:02:38.800 --> 00:02:41.360 And I understand there are also like some special Android 55 00:02:41.400 --> 00:02:43.080 based tools too. 56 00:02:43.240 --> 00:02:49.080 Yes, exactly. Net Hunter takes advantage of the Android environment 57 00:02:49.719 --> 00:02:53.039 to give you even more tools like ce sploit, which 58 00:02:53.080 --> 00:02:56.560 is great for network analysis, gotcha, and drive droid Okay. 59 00:02:56.800 --> 00:03:00.639 Drive droid can actually turn your phone into a bootable 60 00:03:00.800 --> 00:03:01.599 USB drive. 61 00:03:01.960 --> 00:03:04.520 Wait, hold on, cool, right, my phone can become a 62 00:03:04.560 --> 00:03:07.719 bootable USB drive. What would I even use that for? 63 00:03:08.080 --> 00:03:11.639 Well, that is where it gets super interesting. Imagine you 64 00:03:11.800 --> 00:03:17.000 need to access like a locked computer okay, yeah, maybe 65 00:03:17.000 --> 00:03:21.240 to recover data or troubleshoot something. With drive droid, you 66 00:03:21.280 --> 00:03:25.520 can boot that computer huh into a different operating system. 67 00:03:25.599 --> 00:03:28.719 Oh wow, directly from your phone. Okay, you could bypass 68 00:03:28.800 --> 00:03:30.360 security measures and get in. 69 00:03:30.560 --> 00:03:33.520 That's that's seriously cool and maybe a little bit scary. 70 00:03:33.800 --> 00:03:36.240 Yeah. Powerful stuff. 71 00:03:36.400 --> 00:03:38.719 But before we get too far ahead of ourselves, let's 72 00:03:38.719 --> 00:03:42.039 talk about like actually getting net Hunter on my phone. 73 00:03:42.879 --> 00:03:45.520 Is it as simple as just like downloading an app? 74 00:03:45.919 --> 00:03:48.199 You wish, right, I wish. No, it is. It's a 75 00:03:48.199 --> 00:03:51.800 little bit more involved than that, but it is totally 76 00:03:51.879 --> 00:03:54.240 doable if you follow the instructions. 77 00:03:54.360 --> 00:03:54.680 Okay. 78 00:03:55.439 --> 00:03:57.400 The key thing to remember your is you really should 79 00:03:57.439 --> 00:04:00.719 only install net Hunter on a dedicated device. You don't 80 00:04:00.719 --> 00:04:03.719 want to put this on your everyday phone, your personal phone, not. 81 00:04:03.719 --> 00:04:08.439 The one with all my photos banking apps. Okay, So 82 00:04:08.919 --> 00:04:10.280 what's involved in. 83 00:04:10.800 --> 00:04:14.400 So basically you'll need to root your device Okay, install 84 00:04:14.479 --> 00:04:18.360 some custom firmware. Okay, it sounds complicated, but the net 85 00:04:18.439 --> 00:04:22.959 hunter team has very detailed instructions on their GitHub page. 86 00:04:23.000 --> 00:04:25.720 Oh fantastic, follow those carefully and you'll be good. 87 00:04:25.800 --> 00:04:28.920 All right. So this is definitely for someone who's comfortable 88 00:04:29.439 --> 00:04:30.959 sinkering with their device. 89 00:04:30.759 --> 00:04:31.240 For sure. 90 00:04:31.439 --> 00:04:34.759 But once it's set up, what can I actually do 91 00:04:35.000 --> 00:04:37.759 OK with this net Hunter terminal, that's. 92 00:04:37.600 --> 00:04:42.639 A good question. That terminal is your gateway to the 93 00:04:42.639 --> 00:04:45.759 full power of Kelly Linux. Oh, that's where you run commands, 94 00:04:45.759 --> 00:04:49.079 you can install additional programs, really get your hands dirty. 95 00:04:49.439 --> 00:04:52.240 So that's like where the concept of comes in. 96 00:04:52.399 --> 00:04:53.839 You got it, That's exactly it. 97 00:04:54.000 --> 00:04:58.879 Crew that sounds. It sounds scary a little intimidating, but 98 00:04:58.920 --> 00:04:59.240 it's not. 99 00:05:00.040 --> 00:05:02.639 Basically, just a fancy way of saying. Net Hunter runs 100 00:05:02.680 --> 00:05:05.759 as a separate little operating system within Android. 101 00:05:05.920 --> 00:05:06.279 Okay. 102 00:05:06.519 --> 00:05:09.199 Think of it like you have a workshop in your house. Yeah, 103 00:05:09.279 --> 00:05:11.879 you can do your messy projects there. Yeah, and it 104 00:05:11.879 --> 00:05:13.199 doesn't affect the rest of your house. 105 00:05:13.319 --> 00:05:16.240 Okay. So it's like like a virtual machine. 106 00:05:16.519 --> 00:05:18.360 Yeah, you can think of it that way, but on 107 00:05:18.399 --> 00:05:22.199 my phone exactly, exactly. Okay, that's it's a contained environment 108 00:05:22.240 --> 00:05:25.759 where you can experiment and explore, gotcha, without messing up 109 00:05:25.800 --> 00:05:27.639 your phone's main operating system. 110 00:05:27.759 --> 00:05:32.480 Awesome. Okay, so speaking of exploring, Yeah, net Hunter comes 111 00:05:32.720 --> 00:05:36.439 preloaded with some pretty fascinating. 112 00:05:36.279 --> 00:05:38.040 Desktop apps it does. 113 00:05:38.519 --> 00:05:40.680 Have you ever heard of Showdan Showdan. 114 00:05:40.800 --> 00:05:42.920 Yeah, rings a beltings a bell? Yeah? Yeah. 115 00:05:43.040 --> 00:05:43.920 Isn't that the one that's. 116 00:05:43.759 --> 00:05:44.920 Like the Yeah. 117 00:05:44.959 --> 00:05:47.800 Yeah, it's like the Internet for the Internet of things, 118 00:05:47.879 --> 00:05:48.920 the hackers Google. 119 00:05:48.720 --> 00:05:52.360 The hacker's Google's yeah. Yeah. But instead of you know, 120 00:05:52.680 --> 00:05:59.079 indexing web pages, Showdan is indexing devices. Okay, anything connected 121 00:05:59.120 --> 00:06:05.920 to the Internet, like what we're talking, cameras, industrial control systems, servers, routers, 122 00:06:05.959 --> 00:06:09.240 you name it. Oh wow, if it's online Showdan probably 123 00:06:09.240 --> 00:06:09.920 knows about it. 124 00:06:10.720 --> 00:06:14.279 So potentially I could. I could use showden to find 125 00:06:14.639 --> 00:06:17.319 like all the webcams in particular city. 126 00:06:17.480 --> 00:06:22.399 You could. You could showdan can be incredibly powerful, Okay, 127 00:06:22.680 --> 00:06:25.839 but you got to use it responsibly ethically. 128 00:06:25.560 --> 00:06:26.439 Right of course. 129 00:06:26.639 --> 00:06:30.040 Understanding these tools, yeah, is the first step to actually 130 00:06:30.040 --> 00:06:31.079 defending against them. 131 00:06:31.160 --> 00:06:32.600 Absolutely. Knowledge is power. 132 00:06:32.839 --> 00:06:34.000 That's it. That's it. 133 00:06:34.560 --> 00:06:38.959 Okay. So shden gives us this amazing big picture of 134 00:06:39.079 --> 00:06:42.800 the connected world. What if we want to zero in 135 00:06:42.879 --> 00:06:48.199 on a specific device on a network and really get 136 00:06:48.199 --> 00:06:49.120 into the nitty gritty. 137 00:06:49.240 --> 00:06:52.759 That's where seesploit comes in. Okay, seesploit. It's all about 138 00:06:53.519 --> 00:06:56.680 network scanning and vulnerability analysis. 139 00:06:56.959 --> 00:07:01.360 So imagine being able to see every device on a 140 00:07:01.439 --> 00:07:05.800 network exactly what ports are open, what services are running. 141 00:07:05.560 --> 00:07:07.560 And even potential weaknesses. 142 00:07:07.639 --> 00:07:11.519 Hold on exploit you could. You're making this sound like 143 00:07:11.560 --> 00:07:14.199 I could like hack into things with this app. 144 00:07:14.319 --> 00:07:17.639 You could, Okay, but remember we're talking about ethical hacking here. 145 00:07:17.759 --> 00:07:18.199 Of course. 146 00:07:18.319 --> 00:07:23.480 Sea sploit is meant for testing and research, not for 147 00:07:23.560 --> 00:07:25.040 doing anything illegal. 148 00:07:25.360 --> 00:07:27.759 Ethical exploration is the name of the game exactly. 149 00:07:27.800 --> 00:07:31.199 Okay, So ceaseplol's like your magnifying glass. Okay, Yeah, you're 150 00:07:31.240 --> 00:07:34.040 looking at those individual devices. Okay, yeah, examining them. 151 00:07:33.959 --> 00:07:37.319 Closely seesploit are magnifying glass. What else can we do 152 00:07:37.399 --> 00:07:39.199 with this powerful pocket size we. 153 00:07:39.279 --> 00:07:42.360 Talked about show Dan that big picture, Yeah, sea sploit 154 00:07:42.399 --> 00:07:45.639 the close up. But there's another side to net Hunter. 155 00:07:45.920 --> 00:07:49.560 It's a little more hands on. Okay, let's talk about 156 00:07:50.160 --> 00:07:51.199 hide attacks. 157 00:07:51.480 --> 00:07:55.319 Hide attacks. Okay, now you've really piqued my interest. Tell 158 00:07:55.319 --> 00:07:55.720 me more. 159 00:07:55.920 --> 00:08:01.040 So. HID stands for Human Interface device, Okay, and it's 160 00:08:01.040 --> 00:08:05.839 how your computer recognizes things like your keyboard and your mouse. 161 00:08:06.680 --> 00:08:10.079 What's so cool about net hunter is it can actually 162 00:08:10.120 --> 00:08:15.480 emulate a keyboard. Whoa. It can send commands to a 163 00:08:15.480 --> 00:08:17.959 connected computer as if you were typing them. 164 00:08:18.040 --> 00:08:20.720 So you're telling me I could plug my phone into 165 00:08:20.759 --> 00:08:24.759 a computer and it would start typing things on its own. Yeah, 166 00:08:24.879 --> 00:08:26.920 that sounds like something straight out of I know it's 167 00:08:26.920 --> 00:08:27.879 a sci fi movie. 168 00:08:28.000 --> 00:08:31.079 It does sound like that, Okay, but it's not science fiction. 169 00:08:32.000 --> 00:08:32.639 It's net Hunter. 170 00:08:32.919 --> 00:08:33.720 That's awesome. 171 00:08:33.879 --> 00:08:37.080 It happens incredibly fast too. Wow, you can automate these 172 00:08:37.200 --> 00:08:40.480 entire attack sequences. Huh, with just a few taps on 173 00:08:40.519 --> 00:08:41.039 your phone. 174 00:08:41.200 --> 00:08:44.720 So the book gives this kind of chilling example is 175 00:08:44.879 --> 00:08:49.799 creating a new admin user on a Windows system using 176 00:08:49.840 --> 00:08:54.080 these HID commands. So hold on, let me get this straight. Yeah, 177 00:08:54.159 --> 00:08:58.000 I could plug my phone into a computer and create 178 00:08:58.080 --> 00:09:03.279 a new user with admin privileges without anyone even touching 179 00:09:03.279 --> 00:09:04.360 the keyboard. 180 00:09:04.120 --> 00:09:08.279 If the system is vulnerable and you have physical access, right. 181 00:09:08.200 --> 00:09:13.360 Right, Yeah, it's like classic example why physical security is 182 00:09:13.559 --> 00:09:16.600 just as important as digital security. Yet it okay, but 183 00:09:17.200 --> 00:09:20.399 hid attacks, yes, can go even further. Oh yeah, Okay, 184 00:09:20.399 --> 00:09:22.679 there's a technique using PowerShell by. 185 00:09:22.519 --> 00:09:26.279 PowerShell ye, which is like it's a scripting language built 186 00:09:26.279 --> 00:09:28.840 into Windows. Right, Okay, they can actually give you a 187 00:09:28.879 --> 00:09:29.759 remote shell. 188 00:09:29.639 --> 00:09:33.360 A remote shell, So we're talking about like actually taking 189 00:09:33.440 --> 00:09:35.360 control of the computer. 190 00:09:35.000 --> 00:09:37.759 From its distance. That's exactly what we're talking about. Oh wow, 191 00:09:37.799 --> 00:09:40.919 So the book describes this scenario, okay, where you've got 192 00:09:40.960 --> 00:09:43.879 a penetration tester, part of what's called a red team. 193 00:09:44.519 --> 00:09:48.080 They're physically present with their net hunter device. They plug 194 00:09:48.120 --> 00:09:52.559 it into a target system, execute the HID attack, force 195 00:09:53.080 --> 00:09:56.879 that Windows computer to connect back to their own Calai 196 00:09:56.960 --> 00:10:01.879 Linux machine, gotcha, creating that remote Okay, So they've essentially 197 00:10:02.039 --> 00:10:03.080 established so it's. 198 00:10:02.919 --> 00:10:06.519 Like establishing like a secret back door into the system 199 00:10:07.200 --> 00:10:09.159 all through a harmless looking phone. 200 00:10:09.360 --> 00:10:09.919 That's right. 201 00:10:10.080 --> 00:10:12.000 This is some next level spy stuff. 202 00:10:12.080 --> 00:10:15.480 I know. It's so cooling. And the crazy thing is 203 00:10:15.960 --> 00:10:19.720 once that connection is established, Yeah, you can disconnect the 204 00:10:19.759 --> 00:10:22.360 net hunder phone, and they still have control. 205 00:10:22.519 --> 00:10:25.679 So they can just unplug and walk away and still. 206 00:10:25.399 --> 00:10:29.879 Have access access files, install malware. Oh my gosh, use 207 00:10:29.919 --> 00:10:32.519 that computer to attack other systems on the network. 208 00:10:32.639 --> 00:10:36.240 It's starting to feel like a scene from like a 209 00:10:36.279 --> 00:10:41.279 hacking movie. I know, surely there are safeguards. Of course, 210 00:10:41.360 --> 00:10:43.559 computers aren't just sitting ducks for this kind of attack. 211 00:10:43.759 --> 00:10:46.720 Of course, you've got things like user account controls, okay, 212 00:10:46.879 --> 00:10:54.000 intrusion detection systems. But yeah, their effectiveness really depends on 213 00:10:54.080 --> 00:10:58.120 how they're configured, and sometimes there's just sometimes they're not 214 00:10:58.120 --> 00:11:00.639 as strong as they should be. The you've always got 215 00:11:00.639 --> 00:11:02.600 attackers looking for ways to get in. 216 00:11:02.679 --> 00:11:06.440 So it's like this constant cat and mouse game between 217 00:11:06.480 --> 00:11:08.320 attackers and defenders. 218 00:11:08.360 --> 00:11:11.240 It's an arms race, an ongoing arms race, okay, yeah, 219 00:11:11.480 --> 00:11:12.399 trying to stay ahead. 220 00:11:12.480 --> 00:11:14.360 And that brings us to this. 221 00:11:14.240 --> 00:11:17.879 Is where it gets really interesting. Another fascinating tool it 222 00:11:17.919 --> 00:11:22.720 builds on these HID attacks okay, called duck hunter hid. 223 00:11:23.320 --> 00:11:25.480 Duck Hunter HID Okay. 224 00:11:25.440 --> 00:11:28.320 It's like having the power of Hawk Five's rubber Ducky. 225 00:11:28.440 --> 00:11:29.159 Rubber Ducky. 226 00:11:29.440 --> 00:11:31.360 That's an interesting name, right, what is that? 227 00:11:31.639 --> 00:11:36.039 So the rubber Ducky, it's a USB device, looks just 228 00:11:36.120 --> 00:11:39.320 like a regular flash drive. Okay, but it's actually a 229 00:11:39.480 --> 00:11:44.720 cleverly disguised hid attack tool. So it's not like it's 230 00:11:44.919 --> 00:11:48.120 not a toy. A toy, but it's very interesting. It 231 00:11:48.159 --> 00:11:54.360 can automatically inject keystrokes into a computer using scripts written 232 00:11:54.360 --> 00:11:57.960 in a language called duck Toolkit, a toolkit, and with 233 00:11:58.120 --> 00:12:01.799 Duck Hunter, you can run those same scripts right from 234 00:12:01.840 --> 00:12:02.360 your phone. 235 00:12:02.559 --> 00:12:04.159 So instead of carrying around. 236 00:12:03.879 --> 00:12:07.240 The story with separate like rubber Ducky device, I can 237 00:12:07.360 --> 00:12:08.240 just use my phone. 238 00:12:08.399 --> 00:12:08.960 You got it? 239 00:12:09.080 --> 00:12:10.799 Okay, that's even stealthier. 240 00:12:11.480 --> 00:12:14.360 It is that kind of very things can you do 241 00:12:14.440 --> 00:12:17.000 with The possibilities are pretty mind blowing. 242 00:12:17.639 --> 00:12:21.799 You can do things like send simple text strings okay, 243 00:12:22.279 --> 00:12:25.879 maybe a prank message or like a fake Aero pop up. 244 00:12:26.399 --> 00:12:30.039 But you can get way more advanced, like there's actually 245 00:12:30.120 --> 00:12:34.799 a script that can create a reverse shell connection. Oh 246 00:12:34.840 --> 00:12:36.000 wow on a Mac computer. 247 00:12:36.200 --> 00:12:39.279 Wait, so you're saying I could like potentially take control 248 00:12:39.320 --> 00:12:39.879 of a Mac. 249 00:12:40.039 --> 00:12:42.759 You could just by plugging. If it's vulnerable, then the 250 00:12:42.759 --> 00:12:45.840 security settings up properly configured, and. 251 00:12:45.799 --> 00:12:49.440 The books goes even better, goes even further. There's have 252 00:12:49.559 --> 00:12:53.639 you seen the show Mister Robot? Oh yeah, so this 253 00:12:53.799 --> 00:12:56.559 next example is inspired by mister Robot. 254 00:12:56.639 --> 00:12:59.120 Okay, very cool. It shows you how to use duck 255 00:12:59.200 --> 00:13:04.039 Hunter to actually steal passwords from a Windows system using 256 00:13:04.120 --> 00:13:07.080 something using a tool called mimic cats mimicts. 257 00:13:07.159 --> 00:13:08.639 Yeah, that doesn't sound good. 258 00:13:08.799 --> 00:13:10.960 No, it's not good if you're on the receiving end 259 00:13:10.960 --> 00:13:14.879 of this attack. So mimic cats is a very powerful tool. 260 00:13:15.399 --> 00:13:20.919 It can actually extract passwords from the Windows computer's memory. 261 00:13:21.039 --> 00:13:24.320 Oh wow. The book shows how to use duck Hunter. 262 00:13:24.960 --> 00:13:30.480 Run a script, execute mimicats. Yeah, grab those passwords and 263 00:13:30.559 --> 00:13:31.879 send them to a remote server. 264 00:13:32.120 --> 00:13:37.559 So it's basically like digitally pick pocketing a computer. That's 265 00:13:37.600 --> 00:13:39.759 both amazing and terrifying. 266 00:13:40.200 --> 00:13:42.879 So it shows you how vulnerable we are even when 267 00:13:42.879 --> 00:13:45.639 we think we're secure. We're not done yet. Oh no, 268 00:13:46.000 --> 00:13:49.559 ned Hunter has one more trick up its sleeve, the 269 00:13:49.679 --> 00:13:51.600 bad USB attack. 270 00:13:51.679 --> 00:13:53.200 Bad us B Yeah. 271 00:13:55.960 --> 00:13:57.679 It does, doesn't It speaks for itself. 272 00:13:58.080 --> 00:13:59.639 What's so bad? 273 00:14:00.240 --> 00:14:03.080 So it all comes down to how Windows interacts with 274 00:14:03.279 --> 00:14:09.080 USB devices. There's this protocol called RNDIS stands for Remote 275 00:14:09.159 --> 00:14:15.159 Network Driver Interface Specification. It basically allows Windows yeah, to 276 00:14:15.559 --> 00:14:18.600 treat a USB device like a network adapter. 277 00:14:18.879 --> 00:14:21.679 Okay, I'm so far, so good, I'm following so far. Yeah, 278 00:14:21.679 --> 00:14:26.600 all right, So the bad USB attack takes advantage of 279 00:14:26.639 --> 00:14:27.399 this protocol. 280 00:14:27.600 --> 00:14:27.960 Okay. 281 00:14:28.080 --> 00:14:32.399 It redirects all the network traffic from the Windows computer 282 00:14:32.639 --> 00:14:34.440 Okay through the net hunter phone. 283 00:14:34.600 --> 00:14:35.840 Okay, so picture this. 284 00:14:36.000 --> 00:14:38.720 You plug your phone into a computer and suddenly all 285 00:14:38.759 --> 00:14:41.559 that Internet traffic that would normally go through the router 286 00:14:42.200 --> 00:14:43.600 is now going through your phone. 287 00:14:43.960 --> 00:14:47.600 So I become the man in the middle, able to 288 00:14:47.679 --> 00:14:51.240 see everything the computer is sending and receiving exactly. Talk 289 00:14:51.279 --> 00:14:55.919 about eavesdropping. Yeah, you are in a powerful position. Wow. 290 00:14:56.399 --> 00:15:00.120 You can use tools like URL snarf okayeep dump to 291 00:15:00.159 --> 00:15:01.840 capture and analyze all that activity. 292 00:15:01.919 --> 00:15:02.519 See what to see it. 293 00:15:02.600 --> 00:15:05.919 You can see what websites they're visiting, what files they're downloading. 294 00:15:06.320 --> 00:15:10.000 Maybe even snag some sensitive information, yeah, like passwords if 295 00:15:10.000 --> 00:15:14.039 you're not using secure connections. Oh wow, it's pretty scary stuff. 296 00:15:14.080 --> 00:15:15.320 This is a lot to process. 297 00:15:15.440 --> 00:15:18.440 It is. We've covered We've covered a lot, haven't we show? 298 00:15:18.480 --> 00:15:20.240 Then se sploy. 299 00:15:20.039 --> 00:15:22.960 Sea sploy drive, droy h Ide Attacks. 300 00:15:22.679 --> 00:15:28.399 Duck Hunter, duck huntert bad USB. It's right, my head 301 00:15:28.960 --> 00:15:29.519 is spinning. 302 00:15:29.759 --> 00:15:30.720 That's a lot to take it. 303 00:15:31.159 --> 00:15:33.399 And I'm guessing this is just the tip. 304 00:15:33.759 --> 00:15:36.039 This is really just the tip of the ice when 305 00:15:36.080 --> 00:15:37.159 it comes to net it. 306 00:15:37.080 --> 00:15:41.759 Comes to net Hunter's capabilities, there's a whole world of 307 00:15:41.879 --> 00:15:45.200 tools and techniques, yeah, that we haven't even touched on yet. 308 00:15:45.240 --> 00:15:49.159 It's mind blowing to think that something is as commonplace 309 00:15:49.200 --> 00:15:53.840 as a phone can be used for such advanced penetration testing. 310 00:15:54.399 --> 00:15:56.360 It is amazing what you can do with a smartphone 311 00:15:56.360 --> 00:15:56.879 these days. 312 00:15:56.960 --> 00:16:00.840 This deep dive has been a real eye open I'm glad. 313 00:16:01.200 --> 00:16:04.159 I'm glad you're enjoying it. So HID stands for Human 314 00:16:04.200 --> 00:16:08.919 interface device, Okay, and it's basically how your computer recognizes 315 00:16:08.960 --> 00:16:10.159 things like keyboards and mice. 316 00:16:10.320 --> 00:16:11.879 Okay, yeah. 317 00:16:11.919 --> 00:16:14.919 But the fascinating thing is net hunter can actually emulate 318 00:16:15.159 --> 00:16:15.840 a keyboard. 319 00:16:16.600 --> 00:16:20.159 What Yeah, So it can like send command. 320 00:16:19.840 --> 00:16:22.879 It sends commands to a connected computer as if you 321 00:16:22.879 --> 00:16:23.639 were typing them. 322 00:16:23.759 --> 00:16:26.480 So you're telling me, I could plug my phone into 323 00:16:26.600 --> 00:16:29.320 a computer and it would start typing things. 324 00:16:29.360 --> 00:16:31.720 It would, it would. That's the power of net Hunter. 325 00:16:31.840 --> 00:16:34.480 Oh wow, and it happens so fast. Really, you can 326 00:16:34.519 --> 00:16:38.200 automate entire attack sequences. Wow, just with a few taps 327 00:16:38.240 --> 00:16:38.840 on your phone. 328 00:16:38.919 --> 00:16:42.159 So the book gives this chilling example. 329 00:16:42.279 --> 00:16:44.120 It is a pretty chilling example of. 330 00:16:44.159 --> 00:16:48.799 Creating a new admin user on a Windows system using 331 00:16:48.840 --> 00:16:50.320 these HID commands. 332 00:16:50.639 --> 00:16:52.600 That's right, so imagine this. 333 00:16:53.159 --> 00:16:55.240 Hold on, let me get this straight. Yeah, yeah, I 334 00:16:55.240 --> 00:17:00.080 could plug my phone into a computer and create a 335 00:17:00.200 --> 00:17:05.319 new user with full admin privileges without. 336 00:17:05.119 --> 00:17:07.680 Anyone, without anyone touching the keyboard, even. 337 00:17:07.519 --> 00:17:08.480 Touching the keyboard. 338 00:17:09.119 --> 00:17:09.400 Wow. 339 00:17:10.079 --> 00:17:13.079 If the system's vulnerable and you have physical. 340 00:17:12.720 --> 00:17:15.039 Access, right right, you can do it. Okay. 341 00:17:15.039 --> 00:17:16.119 It's a classic. 342 00:17:15.759 --> 00:17:18.920 Example, it is. It really highlights it does why physical 343 00:17:18.960 --> 00:17:22.720 security is just as important for sure as digital You 344 00:17:22.799 --> 00:17:27.920 got it. Okay, but hide attacks? Yes, can go even further. 345 00:17:28.200 --> 00:17:31.680 Oh yeah, okay, there's a technique using PowerShell. 346 00:17:31.839 --> 00:17:33.920 PowerShell, which is like it's. 347 00:17:33.759 --> 00:17:37.279 A scripting language built into Windows. Yep. They can actually 348 00:17:37.279 --> 00:17:38.680 give you a remote shell, a. 349 00:17:38.680 --> 00:17:43.640 Remote shell, So we're talking about actually taking control of 350 00:17:43.759 --> 00:17:46.319 the computer from a distance, from a distance. 351 00:17:46.359 --> 00:17:49.079 That's right. Pretty powerful stuff. 352 00:17:48.799 --> 00:17:49.720 That's incredible. 353 00:17:50.279 --> 00:17:54.240 So the book actually describes a scenario where you've got 354 00:17:54.400 --> 00:17:57.160 a penetration tester, part of what's called a red team. 355 00:17:57.759 --> 00:18:01.519 They're physically present, okay with their net hunter device okay, 356 00:18:01.559 --> 00:18:04.720 plug it into the target system, execute the HID attack, 357 00:18:05.240 --> 00:18:09.000 force that Windows computer to connect back to their own 358 00:18:09.079 --> 00:18:13.359 Kylie Linux machine, creating that remote shell. Okay, so they've 359 00:18:13.440 --> 00:18:14.960 essentially established. 360 00:18:14.440 --> 00:18:18.359 It's like establishing like a secret backdoor into the system. 361 00:18:18.440 --> 00:18:20.599 That's it, all through a harmless looking phone. 362 00:18:20.720 --> 00:18:21.160 That's right. 363 00:18:22.079 --> 00:18:23.960 This is some next level Spice stuff. 364 00:18:23.960 --> 00:18:25.319 It really is. It's very cool. 365 00:18:25.440 --> 00:18:26.119 That's amazing. 366 00:18:26.359 --> 00:18:30.680 And the crazy thing is once that connection is established, 367 00:18:31.279 --> 00:18:33.279 you can disconnect the net hunter phone. 368 00:18:33.359 --> 00:18:36.759 Wait, so they can unplug it and walk away, and 369 00:18:36.839 --> 00:18:39.160 walk away and still have access, still have. 370 00:18:39.160 --> 00:18:44.240 Full access, oh my god, access files, install malware, use 371 00:18:44.359 --> 00:18:48.440 that computer to attack other systems on the network. 372 00:18:48.960 --> 00:18:52.440 This is starting to feel like, yeah, scene. 373 00:18:52.240 --> 00:18:54.319 From I know, it's very cinematic. 374 00:18:54.000 --> 00:18:55.200 Like a hacking movie. 375 00:18:55.440 --> 00:18:57.480 Right, Yeah, it's pretty wild. 376 00:18:57.920 --> 00:19:00.160 Surely there are safeguards in place, right. 377 00:19:00.240 --> 00:19:02.319 Of course, there are. 378 00:19:01.599 --> 00:19:04.799 Computers aren't just sitting ducks for this kind of attack. 379 00:19:04.920 --> 00:19:07.799 Of Course, you've got things like user account controls, intrusion 380 00:19:07.839 --> 00:19:14.480 detection systems, but their effectiveness really depends on how they're configured. 381 00:19:14.640 --> 00:19:16.160 And sometimes they're just and. 382 00:19:16.079 --> 00:19:18.960 Sometimes they're just not as strong as they should be, 383 00:19:19.279 --> 00:19:21.599 not as strong unfortunately as they should be. 384 00:19:22.279 --> 00:19:25.559 Determined attackers, they're always looking for a way in, right, 385 00:19:25.680 --> 00:19:26.880 they'll find those cracks. 386 00:19:28.319 --> 00:19:30.960 So it's a constant yeah, cat and mouse, it is. 387 00:19:31.079 --> 00:19:34.039 It is between attackers and defenders. 388 00:19:33.480 --> 00:19:35.880 A defender constantly trying to outsmart each other. 389 00:19:36.119 --> 00:19:37.480 An ongoing arms race. 390 00:19:38.000 --> 00:19:40.480 It is. It's an arms race for sure. And that 391 00:19:40.519 --> 00:19:44.119 brings us to another fascinating tool that builds on these 392 00:19:44.440 --> 00:19:47.440 HID attacks called duck Hunter HID. 393 00:19:47.680 --> 00:19:48.559 Duck Hunter HID. 394 00:19:49.240 --> 00:19:52.160 It's basically like bring in the power of Hawk Five's 395 00:19:52.279 --> 00:19:52.920 rubber Ducky. 396 00:19:53.240 --> 00:19:55.720 Rubber Ducky. Yeah, that's an interesting name. 397 00:19:55.920 --> 00:19:56.920 It is a catchy name. 398 00:19:57.200 --> 00:19:57.799 What is that? 399 00:19:57.880 --> 00:20:02.400 So the rubber Ducky Okay? The USB device looks just 400 00:20:02.480 --> 00:20:06.000 like a regular flash drive, but it's actually a cleverly 401 00:20:06.079 --> 00:20:08.240 disguised HID attack tool. 402 00:20:08.440 --> 00:20:10.680 WHOA. So it's not like it's not. 403 00:20:10.720 --> 00:20:13.839 A toy a toy, no, but it is very interesting. 404 00:20:14.240 --> 00:20:20.359 It can automatically inject keystrokes into a computer using scripts 405 00:20:20.720 --> 00:20:24.079 written in a language called duck Toolkit. Duck Toolkit okay, 406 00:20:24.119 --> 00:20:27.480 and with duck Hunter you can run those same scripts directly. 407 00:20:27.200 --> 00:20:30.559 From your phone, So instead of carrying around this exactly separate, 408 00:20:30.680 --> 00:20:33.680 rubber ducky device, Yeah, I can just use my phone. 409 00:20:33.880 --> 00:20:35.720 Got Okay, that's even stealthier. 410 00:20:35.799 --> 00:20:39.119 It is much more stealthy kind of things. So many things. 411 00:20:39.160 --> 00:20:42.720 The possibilities are really amazing. Yeah. You can send simple 412 00:20:42.759 --> 00:20:45.960 text strings, maybe a prank message or like a fake 413 00:20:46.079 --> 00:20:49.079 error pop up. You can also get a lot more advanced, 414 00:20:49.960 --> 00:20:53.599 like there's actually a script that can create a reverse 415 00:20:53.640 --> 00:20:55.839 shell connection on a Mac computer. 416 00:20:56.400 --> 00:20:59.319 Wait, so you're saying I could potentially take control of 417 00:20:59.359 --> 00:21:03.440 it just by plugging in my phone and running a script. 418 00:21:03.559 --> 00:21:07.160 If the Mac is vulnerable and the security settings aren't 419 00:21:07.160 --> 00:21:11.680 properly configured, you can absolutely do it. Okay, it's amazing, right. 420 00:21:11.680 --> 00:21:14.400 And the book goes even further. Well, yeah, there's this U. 421 00:21:14.640 --> 00:21:16.759 You're familiar with the TV series Mister Robot. 422 00:21:16.920 --> 00:21:18.160 Mister Robot, you have seen it. 423 00:21:18.400 --> 00:21:21.599 Okay, so this next example is actually inspired by mister Robot. 424 00:21:21.799 --> 00:21:22.759 Okay, very cool. 425 00:21:22.880 --> 00:21:25.400 It shows you how to use duck Hunter to actually 426 00:21:25.440 --> 00:21:29.440 steal passwords WHOA from a Windows systems using something called 427 00:21:29.599 --> 00:21:31.720 using a tool called mimicats. 428 00:21:31.480 --> 00:21:34.359 Mimicat mimicits Okay, Yeah, that doesn't sound good. 429 00:21:34.559 --> 00:21:36.240 It's not good if you're on the receiving end of this, 430 00:21:36.359 --> 00:21:36.880 that's for sure. 431 00:21:37.000 --> 00:21:37.720 That is so. 432 00:21:37.880 --> 00:21:40.200 Mimicats is a very powerful tool. 433 00:21:40.400 --> 00:21:41.000 Okay. 434 00:21:41.079 --> 00:21:45.319 It can extract passwords from a Windows computer's memory. 435 00:21:45.400 --> 00:21:46.920 Whoa, right out of the memory. 436 00:21:47.000 --> 00:21:48.480 That's right, while it's running. 437 00:21:48.559 --> 00:21:49.240 Oh wow. 438 00:21:49.400 --> 00:21:52.039 The book shows you how to use duck Hunter yeah, 439 00:21:52.079 --> 00:21:57.480 to run a script right, execute mimicats okay, grab those passwords, 440 00:21:57.559 --> 00:21:59.920 oh my god, and send them to a remote server. 441 00:22:00.599 --> 00:22:04.559 So it's like digitally pickpocketing. That's it. 442 00:22:05.039 --> 00:22:08.640 That's It's crazy, isn't it Both amazing and terrifying. It is. 443 00:22:09.039 --> 00:22:11.920 It's a good reminder of how vulnerable we are, even 444 00:22:11.960 --> 00:22:13.519 when we think our systems are secure. 445 00:22:13.599 --> 00:22:13.839 Yeah. 446 00:22:13.880 --> 00:22:16.079 Absolutely, and we're not even done yet. 447 00:22:16.519 --> 00:22:16.960 Oh no. 448 00:22:17.119 --> 00:22:19.839 Net Hunter has one more trick up its sleeve. Okay, 449 00:22:19.960 --> 00:22:24.759 the bad USB attack bad USB. Yeah, okay, the name 450 00:22:24.839 --> 00:22:25.680 kind of. 451 00:22:25.480 --> 00:22:28.920 It does for itself, speaks for itself. What's so bad? 452 00:22:29.079 --> 00:22:32.559 So it all comes down to how Windows interacts with 453 00:22:32.759 --> 00:22:33.720 USB devices. 454 00:22:33.799 --> 00:22:34.160 Okay. 455 00:22:34.359 --> 00:22:38.799 There's this protocol called r NDIS okay, stands for Remote 456 00:22:38.960 --> 00:22:42.000 Network Driver Interface Specification. 457 00:22:42.200 --> 00:22:42.480 Okay. 458 00:22:42.839 --> 00:22:47.559 Essentially, it allows Windows to treat a USB device like 459 00:22:47.599 --> 00:22:50.839 a network adapter. Okay, you're following so far. 460 00:22:50.880 --> 00:22:51.319 I'm following. 461 00:22:51.720 --> 00:22:55.200 Yeah, all right. So the bad USB attack takes advantage 462 00:22:55.240 --> 00:22:58.680 of this protocol. Okay, it redirects all the network traffic 463 00:22:59.119 --> 00:23:02.920 from a Windows computer through the net hunter phone. Okay, 464 00:23:03.039 --> 00:23:07.200 so picture this. You plug your phone into a computer. Yeah, 465 00:23:07.240 --> 00:23:09.640 and suddenly all that Internet traving that would normally go 466 00:23:09.720 --> 00:23:12.279 through the router is now flowing through your phone. 467 00:23:12.359 --> 00:23:13.559 So I become like the man in them. 468 00:23:13.640 --> 00:23:14.960 You become man in the middle. That's right. 469 00:23:15.000 --> 00:23:15.720 We're able to see. 470 00:23:15.880 --> 00:23:20.200 You've got everything the computer is sending and receiving. Talk 471 00:23:20.200 --> 00:23:21.359 about eavesdropping. 472 00:23:21.519 --> 00:23:23.119 You are in a powerful position. 473 00:23:23.640 --> 00:23:24.000 Wow. 474 00:23:24.039 --> 00:23:26.000 You can use tools like you are all snarf and 475 00:23:26.039 --> 00:23:29.319 TCP dump to capture and analyze all that activity. 476 00:23:29.599 --> 00:23:33.240 You can see what websites they're visiting, what files they're downloading. 477 00:23:33.640 --> 00:23:37.640 You can even snag sensitive information like passwords if they're 478 00:23:37.640 --> 00:23:41.480 not using secure connections. Oh wow, this is that scary stuff. 479 00:23:41.559 --> 00:23:43.039 A lot to process it is. 480 00:23:43.160 --> 00:23:44.359 It is covered showed in. 481 00:23:44.440 --> 00:23:49.599 We've covered so much. Splice drive, droid drive, droid h idea. 482 00:23:49.400 --> 00:23:51.039 Tack each idea, tax. 483 00:23:51.640 --> 00:23:54.559 Duck hunter, bad USB, bad USB. That's right. 484 00:23:54.759 --> 00:23:56.160 My head is spinning. 485 00:23:56.279 --> 00:23:57.759 It's a lot to take in, and. 486 00:23:57.720 --> 00:23:59.599 I'm guessing this is just the tip. 487 00:24:00.160 --> 00:24:02.799 It really is just the tip of the ice iceberg 488 00:24:03.039 --> 00:24:04.079 when it comes to net Hunter. 489 00:24:04.519 --> 00:24:07.880 When it comes to net Hunter's capability. 490 00:24:07.240 --> 00:24:09.039 There's so much more we haven't even touched on. 491 00:24:09.759 --> 00:24:13.480 It's mind blowing to think that something as commonplace as 492 00:24:13.519 --> 00:24:16.559 a phone it can be used for such advanced It 493 00:24:16.559 --> 00:24:18.119 really is penetration testing. 494 00:24:18.680 --> 00:24:21.160 It's incredible what you can do with a smartphone these days. 495 00:24:21.279 --> 00:24:24.079 This deep dive has been a real eye opener. 496 00:24:24.160 --> 00:24:25.359 I'm glad to hear that. 497 00:24:25.680 --> 00:24:28.960 So we've seen how net Hunter can be used to 498 00:24:29.279 --> 00:24:35.559 simulate these real world attacks. Yeah, and expose you know, vulnerabilities, right, 499 00:24:36.119 --> 00:24:37.160 but what does it. 500 00:24:37.119 --> 00:24:40.079 All mean for That's the big question, right, Yeah. 501 00:24:39.839 --> 00:24:43.720 For like someone like me who's not like a cybersecurity expert, 502 00:24:44.000 --> 00:24:44.559 you know, but. 503 00:24:44.920 --> 00:24:48.160 Really shows you that security is multifaceted. Okay, we tend 504 00:24:48.240 --> 00:24:52.200 to focus on you know, strong passwords, yeah, keeping our 505 00:24:52.240 --> 00:24:56.880 software updated, right, the basics. Yeah, but net Hunter shows us, Yeah, 506 00:24:57.000 --> 00:25:02.799 the physical security, understanding those hack factors. That's just as important. 507 00:25:02.839 --> 00:25:05.200 Easy to forget that, Yeah, it is that someone could 508 00:25:05.200 --> 00:25:09.440 get access to our data just by having physical access 509 00:25:09.519 --> 00:25:12.799 to our devices. It's a good reminder to be it 510 00:25:12.839 --> 00:25:16.640 is careful about who we let touch our computers and phones. 511 00:25:16.680 --> 00:25:20.079 Absolutely, and it's not just about protecting ourselves, right, think 512 00:25:20.079 --> 00:25:26.400 about businesses, organizations. Manhunter really shows us the importance of 513 00:25:26.440 --> 00:25:29.920 penetration testing. You got to find those weaknesses before the 514 00:25:29.960 --> 00:25:30.519 bad guys do. 515 00:25:30.880 --> 00:25:34.200 Be proactive, exactly, be proactive. So it's a reminder that 516 00:25:34.279 --> 00:25:39.920 it is even in our increasingly like digital world, physical access, 517 00:25:39.960 --> 00:25:43.440 physical access is huge, can be a major security risk. 518 00:25:43.519 --> 00:25:45.599 It's a big way, and it makes you realize he 519 00:25:45.680 --> 00:25:53.559 does that seemingly harmless devices like our smartphones can be incredibly. 520 00:25:52.920 --> 00:25:54.079 Powerful, powerful tools. 521 00:25:54.160 --> 00:25:56.039 Ye in the wrong hand, that's right. 522 00:25:56.160 --> 00:25:59.440 Yea, And we've really only scratched the surface of what's 523 00:25:59.480 --> 00:26:02.079 possible that Hunter. Yeah, this has given you a little 524 00:26:02.119 --> 00:26:05.400 taste of mobile pen testing. Yeah, but there's a whole 525 00:26:05.480 --> 00:26:06.519 universe out there. 526 00:26:06.400 --> 00:26:07.880 Right waiting to be explored. 527 00:26:08.160 --> 00:26:08.680 Exactly. 528 00:26:09.440 --> 00:26:12.680 I am definitely feeling inspired to that's great, learn more. 529 00:26:12.799 --> 00:26:14.680 This has been an incredible journey. 530 00:26:14.720 --> 00:26:15.640 I'm glad you enjoyed it. 531 00:26:15.720 --> 00:26:18.039 Yeah, I feel like I've gained a whole new perspective 532 00:26:18.359 --> 00:26:19.960 good on cybersecurity. 533 00:26:20.039 --> 00:26:24.519 Knowledge is power and understanding these tools the tactics used. Yeah, 534 00:26:24.599 --> 00:26:27.880 that's the first step to building stronger defenses. 535 00:26:28.200 --> 00:26:31.440 So to wrap things up, what's like the one, what's 536 00:26:31.440 --> 00:26:34.960 the key takeaway? Key takeaway? You hope our listeners right, 537 00:26:35.039 --> 00:26:36.839 they realize walk away with today. 538 00:26:37.200 --> 00:26:42.160 Security is an ongoing process. It's not a destination. There's 539 00:26:42.200 --> 00:26:46.279 always something new to learn, new threats to consider, ways 540 00:26:46.319 --> 00:26:47.480 to improve our defenses. 541 00:26:47.640 --> 00:26:51.640 So stay curious, stay in form and curious, stay in form, 542 00:26:51.799 --> 00:26:54.319 head of the game. That's it, well said, Thank you 543 00:26:54.440 --> 00:26:58.519 and for our listeners. If this deep dive has sparked 544 00:26:58.519 --> 00:27:02.079 your interest in cyber security, don't stop. 545 00:27:01.759 --> 00:27:02.880 Here, keep going. 546 00:27:03.000 --> 00:27:07.640 There are so many resources available online, everything from my 547 00:27:07.799 --> 00:27:16.359 line beginner friendly guides to like books, courses, advanced training courses, aloring, 548 00:27:16.920 --> 00:27:17.880 keep learning. 549 00:27:18.039 --> 00:27:19.839 Keep learning, and stay safe out there. 550 00:27:19.920 --> 00:27:20.559 Stay safe,