WEBVTT 1 00:00:00.120 --> 00:00:03.600 Welcome to your custom deep dive. Today. We're going to 2 00:00:03.640 --> 00:00:08.199 explore hacking in cybersecurity with this book, pifes or GTFO, 3 00:00:08.880 --> 00:00:11.720 real world exploits, coding tricks, you name it. 4 00:00:12.000 --> 00:00:14.560 Yeah, it's like a hacker's almanac. Really a collection of 5 00:00:14.640 --> 00:00:17.480 articles really gets you thinking differently about how technology works, 6 00:00:17.480 --> 00:00:18.640 where vulnerabilities lie. 7 00:00:18.760 --> 00:00:20.519 Yeah, and right away I was drawn to the section 8 00:00:20.600 --> 00:00:21.640 on anti forensics. 9 00:00:22.359 --> 00:00:25.000 That's a good starting point for sure. It highlights this 10 00:00:25.160 --> 00:00:29.239 back and forth between hackers covering their tracks and investigators 11 00:00:29.239 --> 00:00:32.640 trying to uncover everything. There's one technique involves a disc 12 00:00:32.759 --> 00:00:35.679 overwriting its own data while it's being imaged, so. 13 00:00:35.600 --> 00:00:37.880 They're basically erasing the evidence in real. 14 00:00:37.719 --> 00:00:40.679 Time, exactly like a puzzle. The pieces are vanishing right 15 00:00:40.679 --> 00:00:42.560 as the forensic team is trying to put it together. 16 00:00:42.799 --> 00:00:45.640 Clever but unsettling. Makes you think strong security from the 17 00:00:45.679 --> 00:00:47.039 start is just so crucial. 18 00:00:47.159 --> 00:00:52.439 Absolutely, prevention is key. But sc or GTFO doesn't shy 19 00:00:52.479 --> 00:00:55.399 away from offensive techniques either. It dives deep into how 20 00:00:55.439 --> 00:00:58.719 hackers exploit these systems. Take elf files for example. 21 00:00:58.799 --> 00:01:00.840 Elf files remind me those. 22 00:01:00.719 --> 00:01:06.000 Are executable and linkable format files, essentially instructions for your computer. 23 00:01:06.879 --> 00:01:10.519 But hackers can manipulate the metadata within these files, tiny 24 00:01:10.560 --> 00:01:14.239 details most people would overlook to hide malicious code. 25 00:01:14.319 --> 00:01:17.200 So it's like slipping a secret message in the margins 26 00:01:17.200 --> 00:01:17.920 of a document. 27 00:01:18.120 --> 00:01:21.680 Great analogy, and when that file is executed, the hidden 28 00:01:21.680 --> 00:01:23.280 code springs into action. 29 00:01:23.560 --> 00:01:25.560 Makes you wonder how many files out there that seem 30 00:01:25.599 --> 00:01:28.280 harmless could be harboring malicious code. 31 00:01:28.359 --> 00:01:31.400 It really shows the hackers creativity and deep understanding of 32 00:01:31.480 --> 00:01:35.680 these file formats. Another example is the ifunc mechanism in libic, 33 00:01:35.760 --> 00:01:38.719 which is this fundamental library that many systems use. 34 00:01:38.959 --> 00:01:41.400 I'm not familiar with lip could be honest, what is it? 35 00:01:41.439 --> 00:01:44.239 So libtct think of it like a toolbox full of 36 00:01:44.319 --> 00:01:47.480 essential functions that programs use for everyday tasks, you know, 37 00:01:47.519 --> 00:01:50.159 things like printing to the screen or reading files, and 38 00:01:50.200 --> 00:01:53.840 this ifunc mechanism it lets you swap out these functions 39 00:01:53.879 --> 00:01:57.000 while things are running, like switching tools mid task. But 40 00:01:57.120 --> 00:02:00.680 hackers can hijack this mechanism to execute their own instead 41 00:02:00.680 --> 00:02:01.719 of the intended functions. 42 00:02:01.799 --> 00:02:03.480 So it's like in the middle of building a bookshelf, 43 00:02:03.519 --> 00:02:06.799 you reach for a screwdriver, but get a hammer, throws everything. 44 00:02:06.439 --> 00:02:12.319 Off, exactly subverting the existing functionalities for malicious purposes. You know, 45 00:02:12.439 --> 00:02:16.240 one story that grabbed my attention was this gold ATM hack. 46 00:02:16.439 --> 00:02:17.599 Sounds like a heist movie. 47 00:02:17.680 --> 00:02:18.639 Okay, yeah, So. 48 00:02:18.639 --> 00:02:21.280 A group of hackers they're given permission to hack a 49 00:02:21.360 --> 00:02:25.520 gold plated ATM designed with top notch security, both in 50 00:02:25.599 --> 00:02:27.560 terms of software and the physical defenses. 51 00:02:27.639 --> 00:02:28.639 Sounds impenetrable. 52 00:02:29.159 --> 00:02:32.520 But here's where it gets interesting. They bypassed all the 53 00:02:32.560 --> 00:02:35.960 software completely. They focus on the physical. Found a weakness 54 00:02:35.960 --> 00:02:38.759 at the back, a jumble of cables, exploited that to 55 00:02:38.800 --> 00:02:39.479 gain access. 56 00:02:39.560 --> 00:02:43.400 So software vulnerability just bypassed everything fancy by going for 57 00:02:43.439 --> 00:02:44.439 the physical hardware. 58 00:02:44.919 --> 00:02:47.919 Sometimes the simplest approach is the most effective, and it 59 00:02:47.960 --> 00:02:51.639 makes you realize security has many facets. Can't just focus 60 00:02:51.639 --> 00:02:53.719 on software. You need to consider the physical stuff too. 61 00:02:54.199 --> 00:02:56.400 It ties into the next concept, the illusion of a 62 00:02:56.439 --> 00:02:57.240 single computer. 63 00:02:57.599 --> 00:03:00.520 What do they mean by that? Aren't computers single units? 64 00:03:00.800 --> 00:03:02.800 We tend to think of a computer as one thing, 65 00:03:03.000 --> 00:03:07.639 but it's more like an ecosystem of connected components cpu cores, 66 00:03:08.240 --> 00:03:13.560 memory buses. You've got expansion buses, storage, networking, interrupts. All 67 00:03:13.599 --> 00:03:18.520 interacting in Each component could have its own vulnerabilities. 68 00:03:17.960 --> 00:03:19.919 Like thinking of a city as one building when it's 69 00:03:19.960 --> 00:03:23.360 really a network of systems, each with its own weak points. 70 00:03:23.479 --> 00:03:25.400 That's a good way to picture it, and it raises 71 00:03:25.400 --> 00:03:29.280 a question, how do you secure something so complex? Post 72 00:03:29.360 --> 00:03:32.159 c or GTFO explores this with the idea of a 73 00:03:32.159 --> 00:03:33.199 b Butlerian typewriter. 74 00:03:33.319 --> 00:03:35.520 Okay, that sounds interesting. What's a Butlerian typewriter? 75 00:03:35.639 --> 00:03:38.039 Well, think of it as a thought experiment. Imagine a 76 00:03:38.080 --> 00:03:41.080 device that can't store data or connect to anything. A 77 00:03:41.120 --> 00:03:42.960 typewriter physically incapable of. 78 00:03:42.879 --> 00:03:47.520 Being hacked completely offline, no saving information makes sense for privacy, 79 00:03:47.639 --> 00:03:50.080 But wouldn't that limit what it can do exactly? 80 00:03:50.120 --> 00:03:54.199 It forces us to think about the trade offs security, functionality, 81 00:03:54.360 --> 00:03:58.080 our reliance on digital connection. Could we create something immune 82 00:03:58.120 --> 00:04:00.000 to data breaches? What would we have to give? 83 00:04:00.360 --> 00:04:03.479 Thought provoking for sure? Now for something a bit more, 84 00:04:03.599 --> 00:04:07.280 let's say alarming burning a phone with software? How is 85 00:04:07.319 --> 00:04:10.879 that possible? Software can't physically damage hardware? Can it? 86 00:04:11.120 --> 00:04:11.719 Unsettling? 87 00:04:11.879 --> 00:04:12.280 Isn't it? 88 00:04:12.520 --> 00:04:16.879 Software can manipulate a phone's power regulation battery charging. Push 89 00:04:16.920 --> 00:04:20.120 those systems too far and you can actually damage the circuitry, 90 00:04:20.199 --> 00:04:22.399 like overloading a circuit causing it to fry. 91 00:04:22.600 --> 00:04:24.759 So lines of code can fry of phones insights. 92 00:04:25.199 --> 00:04:28.279 It highlights that software can have physical consequences, or a 93 00:04:28.319 --> 00:04:31.560 reminder that we often take technology for granted without understanding 94 00:04:31.639 --> 00:04:32.399 the complexities. 95 00:04:32.519 --> 00:04:35.360 It's being a basics. The book had a section on basic. 96 00:04:36.000 --> 00:04:36.920 Isn't that outdated? 97 00:04:37.199 --> 00:04:39.759 It might seem like a relic, but basic is relevant 98 00:04:39.759 --> 00:04:43.399 to security and hacking. The simplicity forces you to grasp 99 00:04:43.439 --> 00:04:47.319 programming fundamentals, which is key for reverse engineering. Think of 100 00:04:47.360 --> 00:04:50.399 it as the alphabet of computers. Learn the alphabet you 101 00:04:50.439 --> 00:04:53.680 can read, understand more complex code, and that's how you 102 00:04:53.759 --> 00:04:56.600 spot vulnerabilities, how you figure out how systems work. 103 00:04:56.839 --> 00:05:00.759 So master the fundamentals before tackling the complex stuff. Learned 104 00:05:00.839 --> 00:05:02.319 to walk before you can run. 105 00:05:02.639 --> 00:05:06.360 Precisely, Sometimes the most effective solutions are rooted in simplicity. 106 00:05:06.680 --> 00:05:09.959 Okay, last, but not least, let's talk about polyglots, like 107 00:05:10.079 --> 00:05:11.079 something out of a spy. 108 00:05:11.000 --> 00:05:13.879 Novel, files that can be interpreted as different file types. 109 00:05:14.240 --> 00:05:17.480 A digital master of disguise might look like a harmless 110 00:05:17.560 --> 00:05:20.800 JPEG image, but it could also contain hidden code that 111 00:05:20.920 --> 00:05:23.040 executes when open with a different program. 112 00:05:23.079 --> 00:05:26.720 It's a chameleon blending in and then bam reveals its 113 00:05:26.720 --> 00:05:27.319 true nature. 114 00:05:27.480 --> 00:05:32.079 The book dives into specific examples like JPEG, PDFPNG polyglots. 115 00:05:32.439 --> 00:05:35.040 A single file masquerading as three different types. 116 00:05:34.839 --> 00:05:37.439 Hold on one file can trick three different programs. 117 00:05:37.600 --> 00:05:40.839 Yes, and that ability to deceive is what makes them dangerous. 118 00:05:41.360 --> 00:05:45.040 They slip past security filters, trick users into executing malicious 119 00:05:45.040 --> 00:05:46.240 code without realizing it. 120 00:05:46.720 --> 00:05:49.560 Ingenius and terrifying. Never take anything for granted in the 121 00:05:49.639 --> 00:05:50.240 digital world. 122 00:05:50.279 --> 00:05:54.040 A key takeaway from PAC or GTFO. The digital world 123 00:05:54.079 --> 00:05:56.240 is full of hidden complexities, and we need to be 124 00:05:56.319 --> 00:05:57.639 questioning how things work. 125 00:05:58.240 --> 00:06:01.160 Always Well my mind is I think I need a 126 00:06:01.160 --> 00:06:03.279 moment to process all this before we dive into the 127 00:06:03.279 --> 00:06:04.399 next batch of exploits. 128 00:06:04.519 --> 00:06:06.680 Take your time, we'll pick up where we left off 129 00:06:06.720 --> 00:06:10.720 next time, exploring even more fascinating and sometimes unsettling concepts 130 00:06:10.720 --> 00:06:15.120 from post C or GTFO. Welcome back. Ready to go 131 00:06:15.240 --> 00:06:17.480 deeper with post C or GTFO. 132 00:06:17.639 --> 00:06:22.319 Absolutely still thinking about those polyglots, digital chameleons blending right. 133 00:06:22.240 --> 00:06:25.800 In really highlight how deceptive these threats can be. Speaking 134 00:06:25.839 --> 00:06:30.480 of deception, let's talk about random number generators or RNGs. 135 00:06:30.759 --> 00:06:33.600 Rng's I know they generate random numbers, but how are 136 00:06:33.639 --> 00:06:34.600 they a security risk? 137 00:06:34.839 --> 00:06:38.360 Well, in the digital world, true randomness is hard to achieve. 138 00:06:38.720 --> 00:06:42.040 Most RNGs use algorithms to make numbers seem random, but 139 00:06:42.079 --> 00:06:43.720 if a hacker figures out. 140 00:06:43.519 --> 00:06:44.879 That algorithm, you can predict the. 141 00:06:44.920 --> 00:06:48.319 Numbers exactly, and that can be bad for security encryption keys. 142 00:06:48.360 --> 00:06:51.120 For example, if they're generated with a predictable RNG, a 143 00:06:51.160 --> 00:06:52.519 hacker could crack the encryption. 144 00:06:52.759 --> 00:06:55.120 That's scary, like playing cards when your opponent knows what's 145 00:06:55.120 --> 00:06:55.560 in your hand. 146 00:06:55.759 --> 00:06:58.720 The book actually talks about a vulnerability, and a simplified 147 00:06:58.839 --> 00:07:02.079 version of the Dacoran RNG shows how a small flaw 148 00:07:02.079 --> 00:07:02.959 can be exploited. 149 00:07:03.240 --> 00:07:05.839 Not just theoretical. Then this happens in the real world. 150 00:07:06.040 --> 00:07:10.600 Imagine an online gambling site using a predictable RNG. A 151 00:07:10.639 --> 00:07:13.759 hacker who cracks it could predict the outcome of poker 152 00:07:14.120 --> 00:07:18.160 roulette unfair advantage, so they could rig the system exactly. 153 00:07:18.560 --> 00:07:22.240 Shows how these abstract math concepts have real consequences in 154 00:07:22.279 --> 00:07:23.079 the digital world. 155 00:07:23.519 --> 00:07:26.920 So should we be skeptical of anything claiming to be random. 156 00:07:27.120 --> 00:07:31.000 A little skepticism is always good. True randomness is tricky, 157 00:07:31.040 --> 00:07:35.319 and computing any flaw in an RNG potential security nightmare. 158 00:07:35.439 --> 00:07:38.720 Okay, moving on from random numbers, the kosher phone concept 159 00:07:38.720 --> 00:07:39.399 that was interesting. 160 00:07:39.519 --> 00:07:43.680 It is an intriguing idea. Modify a phone's firmware, remove 161 00:07:43.759 --> 00:07:49.079 features some communities consider inappropriate, distracting, social media apps, games, 162 00:07:49.319 --> 00:07:51.319 certain types of Internet access. 163 00:07:51.000 --> 00:07:54.680 A curated digital environment tailor to specific values. 164 00:07:54.360 --> 00:07:57.639 Exactly using technology that aligns with your beliefs and priorities. 165 00:07:57.759 --> 00:08:00.600 But how do they modify the firmware sounds technically challenging. 166 00:08:00.879 --> 00:08:03.600 The book describes how someone figured out the encryption on 167 00:08:03.639 --> 00:08:06.560 a Nokia twenty seven to twenty phone, which allowed them 168 00:08:06.560 --> 00:08:08.959 to change the firmware bypass restrictions. 169 00:08:09.000 --> 00:08:11.120 Wait, they cracked the encryption. That's complex. 170 00:08:11.279 --> 00:08:14.480 It takes a deep understanding of the phones software and hardware, 171 00:08:14.519 --> 00:08:17.439 for sure, but it shows even secure firmware can be 172 00:08:17.480 --> 00:08:19.199 modified if you know what you're doing. 173 00:08:19.480 --> 00:08:23.000 So even with these kosher phones, there's still control, just 174 00:08:23.040 --> 00:08:26.480 by a different party. It reminds you that technology is 175 00:08:26.600 --> 00:08:29.839 rarely neutral. There are always choices about what's allowed and 176 00:08:29.879 --> 00:08:30.279 what's not. 177 00:08:30.680 --> 00:08:33.879 That's a really sharp observation. It raises questions about who 178 00:08:33.879 --> 00:08:36.080 gets to decide what we can do with our devices. 179 00:08:36.240 --> 00:08:39.840 Okay, ready for something fun. The Tetris game that's also 180 00:08:39.879 --> 00:08:41.639 a boot sector that was in the book. 181 00:08:41.720 --> 00:08:45.279 Oh yeah, classic example of creativity in the hacking community. 182 00:08:45.440 --> 00:08:47.919 They fit a whole Tetris game into the five hundred 183 00:08:47.919 --> 00:08:49.600 and twelve bytes of a boot sector. 184 00:08:49.799 --> 00:08:52.440 Wait, you can play Tetris while your computer boots up. 185 00:08:52.759 --> 00:08:55.120 Amazing more than a trick, though, It shows you can 186 00:08:55.120 --> 00:08:58.120 push the limits of code. Even the smallest environments can 187 00:08:58.159 --> 00:09:00.759 be used for something unexpected, delightful. 188 00:09:00.960 --> 00:09:03.200 Limitations sparking creativity. 189 00:09:02.679 --> 00:09:09.039 Exactly, and that spirit is all over pt or GTFO exploring, experimenting, 190 00:09:09.360 --> 00:09:10.519 challenging how we think. 191 00:09:10.759 --> 00:09:14.200 Okay, this one's a bit more head scratching, exploiting affuses 192 00:09:14.240 --> 00:09:16.600 with Unicode. Not even sure where to start with that. 193 00:09:16.759 --> 00:09:20.399 Let's break it down. Effuses they're like tiny fuses inside 194 00:09:20.440 --> 00:09:24.960 a device, permanently programmed with settings, often for security. 195 00:09:24.759 --> 00:09:26.759 So once they're set, there's no changing. 196 00:09:26.440 --> 00:09:28.960 Them, right, like tiny switches you can only flip once. 197 00:09:29.399 --> 00:09:32.559 But here's the thing. Some programs use a special comment 198 00:09:32.600 --> 00:09:36.159 in their code to declare the files encoding as UTF 199 00:09:36.200 --> 00:09:37.440 eight UTF. 200 00:09:37.080 --> 00:09:39.600 Eight that's for Unicode characters. But how does that relate 201 00:09:39.639 --> 00:09:40.480 to effuses. 202 00:09:41.080 --> 00:09:44.559 While the book says some programs misread these comments, it 203 00:09:44.600 --> 00:09:47.279 can cause them to read data from affuses. They shouldn't 204 00:09:47.279 --> 00:09:47.759 be able to. 205 00:09:47.759 --> 00:09:51.879 Access a hidden back door created by a misunderstanding. 206 00:09:51.080 --> 00:09:54.200 Of the code precisely shows the danger of assuming how 207 00:09:54.279 --> 00:09:57.639 software should act. Even something like a comment about character 208 00:09:57.759 --> 00:09:59.960 encoding can have unexpected security issues. 209 00:10:00.120 --> 00:10:04.320 Hackers find these vulnerabilities in the most unexpected places amazing. 210 00:10:04.440 --> 00:10:08.840 That's what makes PPC or GTFOL so valuable. Exposes these 211 00:10:08.840 --> 00:10:12.039 complexities makes us think critically about the systems we rely on, 212 00:10:12.519 --> 00:10:13.720 question our assumptions. 213 00:10:14.320 --> 00:10:17.080 This is changing how I think about cybersecurity. It's not 214 00:10:17.120 --> 00:10:21.080 just firewalls, antivirus, it's understanding how these systems work on 215 00:10:21.159 --> 00:10:22.000 a deeper level. 216 00:10:22.360 --> 00:10:25.639 Exactly. The more you understand, the better you can protect yourself. 217 00:10:25.720 --> 00:10:29.600 Speaking of protection and encryption, that sounded like something from 218 00:10:29.600 --> 00:10:30.360 a magic show. 219 00:10:30.799 --> 00:10:34.519 Pretty clever technique. A file that, when you encrypt it 220 00:10:34.559 --> 00:10:37.080 with one algorithm becomes a different file type. 221 00:10:37.120 --> 00:10:41.360 So encrypted jpeg, it becomes a PDF. Digital alchemy. 222 00:10:41.440 --> 00:10:46.240 Great way to put it. Manipulating fileheaders, data structures, exploiting 223 00:10:46.240 --> 00:10:49.399 how different file formats are parsed like a chameleon, changing 224 00:10:49.440 --> 00:10:50.639 colors to blend. 225 00:10:50.320 --> 00:10:52.559 In a file that adapts depending on how it's viewed. 226 00:10:52.720 --> 00:10:55.960 Exactly, not limited to two file types either. The authors 227 00:10:55.960 --> 00:10:58.279 make a file that can be a jpeg, a PDF, 228 00:10:58.360 --> 00:11:01.879 even a PE executable, a Windows program. 229 00:11:01.440 --> 00:11:05.679 File, one file, three different things. That's impressive, scary. 230 00:11:05.840 --> 00:11:09.399 It's a powerful technique that shows how deceptive cybersecurity threats 231 00:11:09.440 --> 00:11:12.440 can be, and it underlines the importance of understanding file 232 00:11:12.480 --> 00:11:14.159 formats how they can be manipulated. 233 00:11:14.279 --> 00:11:17.240 Okay, my mind is officially blown. Anything else that'll keep 234 00:11:17.279 --> 00:11:17.799 me up at night? 235 00:11:17.960 --> 00:11:21.200 How about netwatch, a proof of concept tool lets you 236 00:11:21.240 --> 00:11:23.759 debug a computer from outside its operating system. 237 00:11:23.879 --> 00:11:26.000 You mean, controlling a computer without being logged in? 238 00:11:26.159 --> 00:11:30.399 Basically, yeah, exploits a future called System management Mode or SMM. 239 00:11:30.720 --> 00:11:32.240 SMM not familiar. 240 00:11:31.919 --> 00:11:35.039 That it's a special mode in most modern computers, runs 241 00:11:35.039 --> 00:11:37.960 in the background, separate from the main OS handles things 242 00:11:38.039 --> 00:11:40.279 like power, system security, a. 243 00:11:40.240 --> 00:11:43.200 Hidden operating system alongside the main one good. 244 00:11:43.000 --> 00:11:45.600 Way to think about it. And because SMM is so 245 00:11:45.759 --> 00:11:49.840 low level, often undocumented, it's a target for hackers. Netwatch 246 00:11:49.919 --> 00:11:53.679 lets someone tap into this, observe, even manipulate the system. 247 00:11:53.919 --> 00:11:55.759 Really deep level stuff. 248 00:11:55.440 --> 00:11:58.080 A secret backdoor right into the computer's. 249 00:11:57.559 --> 00:12:00.679 Heart exactly, and it highlights the complexity in our systems, 250 00:12:00.799 --> 00:12:03.440 the potential for exploitation we might not even know about. 251 00:12:03.600 --> 00:12:05.639 It's a rabbit hole the more we dig, the more 252 00:12:05.679 --> 00:12:06.159 we find. 253 00:12:06.399 --> 00:12:09.120 That's the beauty and the challenge of cybersecurity. Always more 254 00:12:09.159 --> 00:12:14.279 to learn, threats, always evolving, but understanding the basics, staying curious, 255 00:12:14.480 --> 00:12:17.320 that's how we protect ourselves and the systems we rely on. 256 00:12:18.000 --> 00:12:20.399 Speaking of basics, what about a H two point one 257 00:12:20.399 --> 00:12:23.399 point five point four. I know that's wireless stuff like zigbe, 258 00:12:23.519 --> 00:12:25.120 but what are the security implications? 259 00:12:25.200 --> 00:12:29.240 POUSE or GTFO looks at a technique called packet and 260 00:12:29.279 --> 00:12:33.279 packet PIP. It can bypass security on these networks packet. 261 00:12:32.919 --> 00:12:36.000 And packet, hiding one message inside another. 262 00:12:36.279 --> 00:12:40.240 Great analogy. It's putting data within other data packets. Security 263 00:12:40.279 --> 00:12:42.679 filters often miss this, so it can be used to 264 00:12:42.720 --> 00:12:45.679 sneak bad code or data onto a network like a. 265 00:12:45.720 --> 00:12:47.919 Trojan horse, sneaking past defenses. 266 00:12:48.159 --> 00:12:50.879 The book even shows how to make PIP attacks even 267 00:12:50.960 --> 00:12:54.440 harder to detect, misaligning the symbols within the packets. 268 00:12:54.679 --> 00:12:57.320 Misaligning symbols sounds like next level hacking. 269 00:12:57.559 --> 00:13:00.799 It's understanding the details of the protocol exploit nuances most 270 00:13:00.840 --> 00:13:02.240 people wouldn't even think about. 271 00:13:02.399 --> 00:13:05.840 There's a pattern here. Hacking is as much about creativity, 272 00:13:05.960 --> 00:13:09.120 thinking outside the box as it is technical skills. 273 00:13:09.200 --> 00:13:13.000 Absolutely, it's about challenging assumptions, experimenting, pushing the limits. 274 00:13:13.240 --> 00:13:14.799 Well, this part of the deep dive has been a 275 00:13:14.799 --> 00:13:16.679 lot to take in. I need a minute to process 276 00:13:16.720 --> 00:13:18.799 at all before we get to the final exploits from 277 00:13:18.879 --> 00:13:20.000 payog or GTFO. 278 00:13:20.440 --> 00:13:22.519 Take your time. We'll be back soon to wrap up 279 00:13:22.519 --> 00:13:25.200 this journey into the world of hacking and cybersecurity. 280 00:13:25.600 --> 00:13:28.399 Welcome back, final part of our deep dive into payo 281 00:13:28.600 --> 00:13:32.799 or GTFO. This book has really really opened my eyes 282 00:13:32.840 --> 00:13:36.480 to like the hidden stuff, vulnerabilities in the technology we 283 00:13:36.559 --> 00:13:37.240 use every day. 284 00:13:37.440 --> 00:13:39.799 Yeah, it's been a wild ride for sure through this 285 00:13:39.919 --> 00:13:42.559 whole world of hacking and cybersecurity. 286 00:13:43.080 --> 00:13:46.200 So, last leg of the journey. What mind bending exploits 287 00:13:46.240 --> 00:13:46.799 do you have for me? 288 00:13:47.519 --> 00:13:50.399 Let's start with something called an aldy rand backdoor r 289 00:13:50.480 --> 00:13:51.000 D rand. 290 00:13:51.080 --> 00:13:53.879 That sounds familiar, something to do with random number generation 291 00:13:54.120 --> 00:13:56.320 on Intel CPUs good memory. 292 00:13:56.919 --> 00:14:00.360 It's an instruction on newer Intel processors suppose to give 293 00:14:00.399 --> 00:14:04.000 you these high quality random numbers, really important for encryption. 294 00:14:04.320 --> 00:14:06.440 Okay, so where's the backdoor part coming. 295 00:14:06.559 --> 00:14:09.639 Well, the book describes as technique manipulating the box. 296 00:14:09.399 --> 00:14:11.759 Emulator box emulator. I don't know that. 297 00:14:11.639 --> 00:14:15.480 One it's software lets you simulate computer hardware, like creating 298 00:14:15.519 --> 00:14:19.120 a virtual computer inside your computer. The author they were 299 00:14:19.159 --> 00:14:21.200 able to tweak box to make a back door that 300 00:14:21.279 --> 00:14:22.600 leaks data through rd. 301 00:14:22.600 --> 00:14:26.039 Rand, So it's not truly random. It's being manipulated to 302 00:14:26.039 --> 00:14:27.320 give out specific data. 303 00:14:27.360 --> 00:14:29.279 You got it, And because it's at the hardware level, 304 00:14:29.320 --> 00:14:32.200 it'd be super hard to detect, like whispering a secret 305 00:14:32.200 --> 00:14:33.840 message within random noise. 306 00:14:33.919 --> 00:14:37.240 That's both ingenious and terrifying, like a secret message hidden 307 00:14:37.279 --> 00:14:39.679 in plain sight, but on a tiny level. 308 00:14:39.960 --> 00:14:43.440 The author even goes further, suggests a generic by eighty 309 00:14:43.440 --> 00:14:46.360 six back door that could be almost impossible to. 310 00:14:46.320 --> 00:14:47.519 Detect, undetectable. 311 00:14:47.639 --> 00:14:51.720 How it's exploiting, like the deep complexities of BY eighty 312 00:14:51.720 --> 00:14:55.600 six architecture, those little things that allow for manipulation without 313 00:14:55.600 --> 00:14:58.840 setting off any alarms. It's like ah, a ghost in 314 00:14:58.879 --> 00:15:00.399 the machine, leaves no trace. 315 00:15:00.759 --> 00:15:03.759 Starting to feel like there's nowhere safe in the digital world. 316 00:15:04.679 --> 00:15:07.399 If even the hardware can be messed with, Where do 317 00:15:07.440 --> 00:15:08.279 we draw the line. 318 00:15:08.399 --> 00:15:12.600 It's not about despare it's about awareness. POC or GTFO 319 00:15:13.120 --> 00:15:15.879 wants to give us knowledge, not scare us. The more 320 00:15:15.919 --> 00:15:18.879 we understand these vulnerabilities, the better we can handle them. 321 00:15:19.000 --> 00:15:21.480 Knowledge is power, right, The more we know, the better 322 00:15:21.519 --> 00:15:22.360 we can protect. 323 00:15:22.120 --> 00:15:25.600 Ourselves exactly, and sometimes that knowledge is surprising. Like there's 324 00:15:25.639 --> 00:15:29.039 this article about a breakout board for many PCIe many. 325 00:15:28.919 --> 00:15:31.639 PCIe that's for connecting network cars, hard drives, that kind 326 00:15:31.639 --> 00:15:32.159 of stuff, right. 327 00:15:32.200 --> 00:15:33.759 Right, the author they show you how to make a 328 00:15:33.799 --> 00:15:36.600 breakout board that lets you connect a mini PCIe device 329 00:15:36.879 --> 00:15:37.879 to a USB port. 330 00:15:38.000 --> 00:15:39.600 Okay, but why is that a security thing? 331 00:15:39.759 --> 00:15:43.600 Think about it. You can now control PCIe devices, which 332 00:15:43.639 --> 00:15:48.120 are usually only accessible inside the computer from an external device. 333 00:15:48.000 --> 00:15:51.000 So you could get into a computer's hard drive network 334 00:15:51.080 --> 00:15:52.720 card from outside the system. 335 00:15:52.799 --> 00:15:55.159 That's the point. It creates all these new ways to 336 00:15:55.200 --> 00:15:57.840 exploit things. The author even shows how to use this 337 00:15:58.039 --> 00:16:01.000 to run Linux on an Intel Galilee board, which wasn't 338 00:16:01.000 --> 00:16:01.600 designed for that. 339 00:16:01.919 --> 00:16:05.279 So it's about like bending the rules of hardware, making 340 00:16:05.360 --> 00:16:06.600 it do things it wasn't. 341 00:16:06.399 --> 00:16:09.159 Meant to, exactly, pushing the boundaries of what technology can do. 342 00:16:09.240 --> 00:16:11.919 Sometimes that means blurring the lines between how it's supposed 343 00:16:11.919 --> 00:16:14.840 to be used and creative misuse. 344 00:16:15.279 --> 00:16:20.200 Speaking of blurring lines, booting pac or GTFO from a 345 00:16:20.200 --> 00:16:22.480 Cisco Blade server, that's a bold move. 346 00:16:22.679 --> 00:16:25.799 It shows how vulnerable. These remote management interfaces can be 347 00:16:26.440 --> 00:16:29.279 the author. They used a security flaw in Cisco system 348 00:16:29.320 --> 00:16:32.080 to boot the book from a Blade server, basically turn 349 00:16:32.200 --> 00:16:35.399 this high end server into a platform for hacking tools. 350 00:16:35.240 --> 00:16:38.039 Like hijacking a fortress and using its own weapons against it. 351 00:16:38.279 --> 00:16:42.679 Powerful analogy. It shows that even these big systems supposedly secure, 352 00:16:43.039 --> 00:16:46.200 have weaknesses. Can't get complacent with cybersecurity. 353 00:16:46.480 --> 00:16:48.000 No system is perfect, that's for sure. 354 00:16:48.039 --> 00:16:52.440 Now let's switch gears a bit Return oriented programming or 355 00:16:52.840 --> 00:16:54.120 ROP ROP. 356 00:16:54.639 --> 00:16:56.519 That sounds intense, What is it. 357 00:16:57.120 --> 00:16:59.279 Imagine you want to build a house, but you only 358 00:16:59.320 --> 00:17:03.039 have pre built rooms. ROP is like arranging those rooms 359 00:17:03.039 --> 00:17:04.799 in a clever way to create a new. 360 00:17:04.680 --> 00:17:08.240 Structure, repurposing existing stuff instead of building from scratch. 361 00:17:08.440 --> 00:17:12.960 Exactly, ROP makes malicious code by chaining together these little 362 00:17:12.960 --> 00:17:15.720 bits of existing code, code that's already in the system, 363 00:17:16.160 --> 00:17:19.279 harmless on their own, but arrange them carefully, you can 364 00:17:19.319 --> 00:17:20.759 execute any code you want. 365 00:17:21.000 --> 00:17:23.880 Putting together a puzzle where the pieces are good code 366 00:17:24.279 --> 00:17:25.880 but the final picture is bad. 367 00:17:26.000 --> 00:17:28.000 Great way to think about it. And because the pieces 368 00:17:28.039 --> 00:17:31.880 are legitimate, ROP attacks can sneak past security systems looking 369 00:17:31.880 --> 00:17:33.160 for normal code injections. 370 00:17:33.279 --> 00:17:35.519 Was a stealthy way to get in, hiding right there 371 00:17:35.519 --> 00:17:36.200 in plain sight. 372 00:17:36.400 --> 00:17:39.319 The book shows you how rop can exploit a vulnerability 373 00:17:39.319 --> 00:17:41.319 in a web browser, real world stuff. 374 00:17:41.400 --> 00:17:43.279 So that's how they get in. But how do they 375 00:17:43.319 --> 00:17:47.160 stay hidden once they're inside? Don't systems have ways to 376 00:17:47.240 --> 00:17:48.160 detect intruders? 377 00:17:48.480 --> 00:17:50.319 Right? They use things like canaries. 378 00:17:50.400 --> 00:17:52.680 Canaries like the birds they used in coal. 379 00:17:52.519 --> 00:17:56.480 Mines, exactly. In cybersecurity, canaries are special values. They're put 380 00:17:56.480 --> 00:17:59.519 on the stack to detect buffer overflows. 381 00:17:59.079 --> 00:18:01.359 Stack buffer overflows. Now I'm getting lost. 382 00:18:01.440 --> 00:18:04.039 Think of the stack like a pile of plates buffer 383 00:18:04.039 --> 00:18:07.440 overflows adding too many plates the pile falls over. Canaries 384 00:18:07.440 --> 00:18:10.359 are a warning telling the system if someone's messing at the. 385 00:18:10.319 --> 00:18:12.559 Stack, the trip wire setting off an alarm. 386 00:18:12.640 --> 00:18:17.079 Great analogy, but poh A Nisi or GTFO describes how 387 00:18:17.119 --> 00:18:21.200 attackers can actually disable these canaries. They use special instructions 388 00:18:21.200 --> 00:18:23.079 in their shell code, the malicious code. 389 00:18:22.880 --> 00:18:25.680 They inject, so they disarm the alarm before breaking in. 390 00:18:25.920 --> 00:18:29.519 Exactly, it's this constant back and forth, attackers and defenders, 391 00:18:29.559 --> 00:18:31.000 always trying to outsmart each other. 392 00:18:31.119 --> 00:18:34.319 Security is never finished, it's always changing, adapting. 393 00:18:34.400 --> 00:18:36.839 Now ready for a dive into the world of Jason P. 394 00:18:37.079 --> 00:18:40.200 And Rosetta Flash honestly never heard of them. Explain it like, 395 00:18:40.240 --> 00:18:40.960 I'm five. 396 00:18:41.119 --> 00:18:44.759 Okay, Jason p it stands for Jason with padding. It's 397 00:18:44.799 --> 00:18:46.759 a way to get data from a different domain, something 398 00:18:46.839 --> 00:18:49.799 usually blocked for security, like trying to borrow a book 399 00:18:49.799 --> 00:18:52.839 from a library that's not in your network. And Risetta 400 00:18:52.920 --> 00:18:56.240 Flash that's a tool lets you create flash files that 401 00:18:56.359 --> 00:18:59.759