
149: Mini-Stories: Vol 3

2024/9/3

Darknet Diaries

People
  • Evil Mog
  • Jack Rhysider
  • Joe
Topics
Jack Rhysider: This episode tells two compelling cybersecurity stories. The first is about Evil Mog's experience maintaining networks for the Canadian military in Afghanistan, and how, facing challenges such as harsh conditions and rocket attacks, he made sure soldiers could stay in touch with their families. The second is about the challenges Joe ran into while conducting a penetration test for a company, and how he handled an incident in which a junior engineer's mistaken operation took down the network. Both stories highlight the variety of challenges in the cybersecurity field and the skill and sense of responsibility professionals show in dealing with them.

Evil Mog: My experience maintaining networks for the Canadian military in Afghanistan was full of challenges. I had to repair damaged equipment in a harsh environment and make sure soldiers could call their families. I dealt with rocket attacks, sandstorms, and all kinds of emergencies, and I also took part in an effort to help a psychologically traumatized soldier connect with his family. This experience made me deeply appreciate the importance of network security, and of providing support in moments of crisis.

Joe: I am a penetration testing engineer, and my job is to help companies identify and fix security vulnerabilities. During one penetration test, I discovered inappropriate footage from a hidden camera, as well as some serious system security vulnerabilities. I also went through an incident in which a junior engineer's mistaken operation took down the network. These experiences taught me that communication skills and risk assessment are crucial in penetration testing, and that careful, meticulous work is what prevents unnecessary losses.


Chapters
Evil Mog recounts his experience setting up and maintaining communication networks for Canadian forces in Afghanistan. He details the challenges of working in a war zone, including rocket attacks and equipment failures, and shares a heartwarming story of facilitating a video call between a soldier and his wife during childbirth.
  • Evil Mog worked as a network engineer in Afghanistan, supporting communication services for Canadian forces.
  • The harsh environment and frequent rocket attacks posed significant challenges to maintaining network equipment.
  • Evil Mog facilitated a video call between a soldier and his wife in Toronto for the birth of their child.
  • He had to shut down all communications in the theater whenever a casualty occurred to prevent premature notification of families.
  • The experience highlighted the importance of communication and support for soldiers in active war zones.


There are some really incredible scam artists out there. And I'm into the top ones, and those ones are really intriguing. One of my favorites is a guy named Victor Lustig.

Well, that's not his real name, but that's the name. And what he was famous for, the guy was going around conning people in the early 1900s.

There was one scheme he did where he got $32,000 in Liberty Bonds together and went into a bank to trade them in. And the bank offered him $10,000 in cash and some farmland. And he took that deal and signed all the paperwork.

But just as he was about to leave, he did some sleight of hand and switched the envelopes and walked out with the cash, the farmland, and the Liberty Bonds that he walked in with. Well, the bank did not like this, and called the cops on him, who caught him in Kansas City. But he convinced them that if they pressed charges, then the story would get out, and it would be terrible for the reputation of the bank. Customers wouldn't want to use a bank that's this careless with the deals they make.

He was so good at convincing them of this that the bank dropped the charges and gave him a thousand dollars to not tell anyone and keep the story quiet. But the most brazen scam that Victor Lustig did was when he went to Paris. The Eiffel Tower was built for the 1887 World's Fair, and some thought it was going to be a temporary structure.

And by 1925, it was needing repairs. Victor leaned into this and called five scrap metal companies to come meet him at a fancy hotel in Paris, and he said he was a deputy director with the French government and even had fancy stationery to prove it. And he told them that the maintenance of the Eiffel Tower was becoming too high, and they were looking for a company to dismantle it and purchase it as scrap metal.

But he also said this deal needed to be hidden from the public to avoid controversy. And one of these companies was eager to take the deal and ended up paying Victor a large sum of money. And yeah, as soon as Victor got the cash, he immediately fled the country and left France.

He sold the Eiffel Tower, but he kept a close eye on the news back in France to see how much trouble he was in. But the news never reported this. I guess the guy he scammed was too embarrassed to report it to the police.

So Victor thought this was such a great scam. Why not do it again? So he goes back to Paris to try it again. I mean, why let all that fancy stationery go to waste, you know? So he called five new companies in to pitch them too.

One of them saw right through this scam and called the cops. Victor saw the cops were coming for him, and he narrowly escaped this time, fleeing all the way to the United States. Amazingly, when he got to the United States, he scammed Al Capone, and later tried to make counterfeit money, which is how he got arrested, by making fake money. But funnily enough, when he was arrested, he was put in the same prison as Al Capone.

What a wild guy, Victor Lustig. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.

This episode is sponsored by ThreatLocker. Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of ThreatLocker's Zero Trust Endpoint Protection Platform. Robust cybersecurity is non-negotiable to safeguard organizations from cyber attacks.

ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. This least privilege strategy mitigates the exploitation of trusted applications and ensures 24/7/365 protection of your organization. The core of ThreatLocker is its Protect suite, including Application Allowlisting, Ringfencing, and Network Control.

Additional tools like ThreatLocker Detect EDR, Storage Control, Elevation Control, and Configuration Manager enhance your cybersecurity posture and streamline internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit threatlocker.com. That's threatlocker.com.

This episode is sponsored by Vanta. Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust. Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time.

Get $1,000 off Vanta when you go to vanta.com/darknet. That website is Vanta, that's spelled V-A-N-T-A, vanta.com/darknet, and get $1,000 off. So what should we call you?

Evil Mog is fine.

Okay, we will call you Evil Mog. How did you get that name? Where did it come from?

So it was funny. I'm a glider pilot. And so the first aircraft I ever flew was C-F, and C-G MOG, but it also happened to be a Final Fantasy character. The problem was, that had been my gaming handle for years, and then I met a guy, and he had the same initials.

And so we decided to deconflict, and because he had the name first, I changed mine to be polite. I became Evil Mog, and that was my IRC handle.

From IRC, I remember those days. We were young, man. Did you do any stupid things when you were young?

IRC, yeah. So I was kind of stupid and was doing a fair bit of, you know, online piracy, phreaking, a little bit of other various things. And back then it was really easy to trace people. And yeah, I get this kind of stern knock on the door.

The knock sounded urgent and mean. He opened the door and saw the police were standing at his front door.

And they're like, we know everything you've been doing. You have a choice. You either stop now and play good, or we're going to put you in juvie.

But Canadian prisons are kind of crap for kids, so they're like, or we could just get a technology ban on you and you'll never get a job in technology. I'm like, yes, sir, I'll be good, sir. Here we are, sir. You know, kind of off we went.

Okay, so hold on a second. I've pirated and I've done some phreaking. The cops never came to my house. It sounds like you might have done more than that.

Or went down a little bit. It's just a little bit. See, back then the early credit card numbers had a specific way of validating that they're legit.

I was publishing bogus credit card number generators that only sort of worked, at the time, on local BBS systems.

Did they work at all? Because I can't even imagine this would work.

It wouldn't work for authorization, but they would work for input validation on websites. So like, let's say some sites, for example, sign up for your free trial. Then they have visitors.

That would error out. When I was a teenager, I didn't understand how credit cards worked at all. Like, in my head it just seemed like sixteen random numbers.

And if you knew those sixteen numbers, could you buy stuff? So I thought, okay, let's test that theory. And as a teen, I went to a website.

I put in sixteen random numbers just to see what happened. I thought if it worked, I'd have no idea whose number I just used. And I could just say I typed the wrong number if they asked me. But no matter how many sixteen-digit credit card numbers I put into a website, it never worked. Every one was an invalid number. Apparently it's more complicated than just that.

There's that whole Luhn check, right? There's a math to it. Because they generally weren't quite right, like somebody checks something, it didn't match for most of them, kind of. It was enough that it could pass like a cheap regex, but that's about it.

Evil Mog loved flying planes when he was a kid, and signed up for junior glider classes taught by the Canadian military. I got my glider license before I learned how to drive a car.

From there, he joined the military and taught other kids how to fly gliders. But his other passion was computers. And the military was offering to pay for his training to learn more about computers.

So I went back to school as a network engineer, six months of, like, CCNA, MCSA, uh, Linux LPI one, level two, level three, that stuff. And that's what kind of started my career when I was in my early twenties.

So he spent four years in the military and then went to work for IBM.

So basically, um, I got the phone call from my friend to go to Afghanistan. He said there's this company called Network Innovations, and basically what they do is they run the morale voice and internet services for the Canadian Forces. So what that means is soldiers calling their families back home from, like, the big super FOBs or the small remote OPs. And so it's like, okay, you want to go for six months? And I'd already released from the reserves at this point.

I said, yeah, actually, let's go over. I had nothing else to do and I wanted some money. And it was all tax-free as long as I stayed over there.

So hold on. It's not just like going over to France. It's Afghanistan.

It was an active war zone. The south in 2008 was hot, to say the least. I wanted to do something useful. Always kind of did. And my parents were like, you're not going over.

I'm like, sorry, I'm going over. I want to pay off some debts and I want to go do something good for the folks that are over there. I did look at the predeployment training. Nothing much, just suit up.

He had to wear a gas mask. He had to put on a bulletproof vest. And then there's a whole backlog of vaccinations. And then, some kid from the sticks is out in the middle of an active war zone.

So even though he was military-trained, he was in the war zone as a private contractor, and his job was to go to forward operating bases, or FOBs, to work on the network there.

There's satellite, there's microwave bases. These people need to go contact family, or they're going to go nuts. I mean, it's like being stuck up in the bush for six months.

So my world was just morale voice. The Canadian Forces handled all the tactical and all the operational. My entire mission was making sure people could call their families.

These FOBs were often on the front line of the war zone in Afghanistan. It's dusty and war-torn. And computers don't like these kinds of environments because they're delicate and fragile, not rugged and battle-ready. So he was constantly being sent to troubleshoot computers and networking equipment that was breaking in war zones.

I'd set this up as well. Say, for example, we would have a new site, and hey, we need to get FOB whatever back online. They'd send me out in the back of a convoy with a little Pelican case with, say, here's a tiny little BGAN terminal to a small mini satellite, or in the case of a larger FOB, here's a bunch of Pelican cases with an auto-acquire satellite dish. You go roll out, set up the SATCOM dish, hook it into a couple of laptops and a router and a switch, a little tiny, um, PBX system on site, and then do a couple of phone call tests to make sure everything works. That's all it was.

They set up this comm shack inside a forty-foot-long cargo sea container, and he'd go base to base, setting up or fixing the networks inside there. There was never a dull moment.

I'd be on site, in the middle of a repair. All you hear is the siren and then this chirpy British voice they use, because they all have the same recording: rocket attack, rocket attack. And that's all you're hearing, and you see everyone hunker down between the set of barriers, which are basically just a bunch of gravel, some concrete, a bunch of chicken wire all around. You just hunker down in place, wait a little while, the shelling stops. You get up, see the damage, and get back to repairing the equipment.

So what kind of damage happened to the equipment?

Thankfully it missed us, but it went... One landed in the poo pond. That was terrible. One landed, took out like a recreational facility.

He says the equipment in this area would only last six months, because it would get full of dust and just not last very long because of the harsh desert environment. One day he got word that one of the comm shacks got rocketed.

Another piece of it took out the satellite dish. It took out one of the comm trailers, and it took out a bunch of the cabling. These guys were down for about a week.

His orders were to travel there and get it back online. Traveling to these FOBs takes days or weeks to get to them.

I get out there, and thankfully I was smart, and I'd sent all the gear I needed on a convoy ahead of me. There's this broken-down, destroyed crater, effectively, where the old piece was. I come up and there's guys with giant bulldozers, and they have the equipment moving the old gear out. The gear inside is just completely toast.

Meet up with the local sergeant. He's like, hey, we're putting your new gear down right where the old one was, dropping this new sea container in. What do you want to do with this old thing? I'm like, take it back, destroy it. We don't really care.

Use our training. Yeah, wire up the new SATCOM, you're calling in to your folks out of the UK.

Going here. Do you see me? My bird, they were locked on.

Here's the activation. Boom. New terminals are online. You deactivate the old accounts. You do a couple of plugging checks, test the new laptops, and then there's already a lineup around the block of folks who I've given their email back, like, we can have it, right? And so all of a sudden, one minute, they're all nice and happy.

You head down to the chow hall, munch whatever warm food they've got, stick around for a day or two for troubleshooting, and then you call your boss on the Defense Service Network: okay, can you guys get me a helicopter? They're like, sorry, man, all the birds are tasked. So, fine, you head yourself down to the TOC, the Tactical Operations Center, introduce yourself, and kill time till the next convoy out. If you're lucky, they'll send you out on a combat patrol, which are way faster and less annoying than a convoy, as it's one or two vehicles and it's a little more comfortable. If you're not lucky, you're crammed in the back of this armored personnel carrier that's hot as balls, wearing body armor in the heat. Takes you eight hours to go, you know, a hundred kilometers to get back home.

I also, I don't know why, but I'm picturing you like climbing up a tower, adjusting, you know, cranking a spanner on a satellite dish, adjusting it, and getting, like, shot at from up there, being like, it's coming from that hill. Give me cover.

I mean, that kind of has happened. Really, it's extreme. But have you ever tried to repair two hundred pairs of Cat 5 in a sandstorm, a hundred feet up in the air?

A hundred feet in the air? What's up there, anyway?

I was a contractor. I had to go there. This one bridge spot, because most stuff, Cat 5, was all underground. But we had this one spot that was basically all hooked up to a tower, because it was one extension wing. And so we had an outage. Someone drove a piece of equipment through the cables.

And so I had to go up and replace the outdoor cable, and I'm up on this tower, and all of a sudden, at the same time, a sandstorm. And I'm like, oh no, I can't work on this cable with gloves on, because it just doesn't... yeah, ever try to be twisting, terminating cable with gloves? Doesn't work. So I'm, like, plastered by sand in this wide-open condition, trying to terminate, because I'm not trying to sit there another hour. It's not going to happen. I'm hooked in there, really rocking, and I got thirty, forty cables done before the sandstorm, and then finished off the rest of the job. So one of the things we did, in addition to making sure they could call their families back home, was we ran a video teleconference unit, um, and so people could see their families back home.

We found out one of the guys coming back out of a FOB, his convoy got bumped. Now, bumped is a polite word for saying hit by an IED. Thankfully, in this case, nobody died, thankfully, like, thank whatever deity you believe in. But that really shook this guy up, like, shook him up some seriously fierce.

Yeah. I mean, I'd highlight there were a lot of deaths there, and you're saying thankfully, because you were seeing that around, weren't you?

The worst thing we had to do was every time somebody died, we had to kill all of the communications in theater, including all the bases and the super FOB. It was the notice-to-kin comms lockup procedure. We had a cell phone, and the second somebody got a confirmed casualty, I got the phone call, I hit the buttons, and then I got to release it once they'd released it to the families.

So why is there a lockout?

It's so that people don't put things on social media or get it up in the news articles before they can notify the families.

Okay. It was one of the worst things ever, because you're on that phone call, you're like, shit. Yeah, you feel all sorts of terrible feelings, and then you have to go act professional and cut the comms off. And then when people hate the internet not working, the heat of this, they'll come at you, but you still have to be sympathetic about it.

And we'd say comms lockout, and everybody in theater knew what you were talking about. But it was one of those... It was a weird, solemn duty I had to do, you know what I mean?

Yeah, I mean, you weren't the one telling the families.

No, but I was killing the comms and telling all the soldiers here, who had families back home, that comms are offline due to a comms lockout.

Yeah, and now they're saying, oh, that means there's a confirmed casualty, and now you've got to answer these questions.

No, I just work here.

IEDs are super scary. You're just driving along in a convoy, telling jokes to the other soldiers, then out of nowhere the truck runs over a mine and blows up your vehicle. It often kills people, and it's certainly enough to freak anyone out. And while this IED didn't kill anyone, one guy was really messed up from this.

He wasn't injured, and he was just shocked, really badly shocked. Um, getting hit by an IED, even if no one gets injured in the process, is enough to, like, send some into despair, because you get the whole mental, oh my god, what if this happened to me? What about the... see, the possible guilt, all that kind of thing. And the guy is in really rough shape mentally, literally.

They asked, could you get some extra phone minutes for him? That's how the request came in. And we, us being us, were like, yeah, here's a couple hundred minutes, go hard. And we're like, is there anything else we can do? And his guys are like, the way he's doing, pretty rough.

Evil Mog starts talking with people, trying to figure out what more he can do. And that's when he found out this soldier was about to be a dad. His kid was due to be born any day back in Toronto. And this gave Evil Mog an idea.

I'm like, we've got to do something for this guy. So thankfully, they had people on the ground, um, in Toronto. And I'm like, Mike, can you go spring over to CFB and go grab one of our spare, um, video teleconference units and get it out to the hospital? Do whatever it takes. Requisition bandwidth. Get me the stuff out there. And I figured out we had some spare bandwidth available.

I, like, slowed down everybody's video teleconference and voice services and their Wi-Fi a bit, and opened up an entirely new channel, because all we had was six megabits for a thousand people. There was no bandwidth whatsoever. And so I was like, you know, line this up. I'm going to reserve you bandwidth for, like, the next four, five days.

He learned that the wife was already checked into the hospital and was starting to give birth right now. So he's calling Toronto to try to figure out how to contact the wife at the hospital.

And still had to go contact their visitor units: hey, do you guys have bandwidth for us to go get your video teleconference up?

And thanks for that. It really was just some tech there, like, yeah, actually, we can make some things happen. What do you guys got for equipment?

Were you talking to the tech at the hospital? Wow, okay. Trying to create this from halfway across the world.

Interesting. Exactly. Yeah.

So you say, right, here's the equipment I have. Here's what you have. Let's find a common denominator. But I think we can connect these two things, exactly, right?

So they were running on Tandberg, we were running on Tandberg, and we made the gear all work out. I popped onto the load balancer on our side.

Tell me about the tech side. So did he put, like, a computer on a cart and then wheel the cart into the room?

It was a TV on a cart with a Tandberg video teleconferencing unit.

Which is meant for, like, doctors and nurses. It's not meant for patients.

Yeah, yeah. He just drove this on the thing. They wheeled it there and they plugged it in right next to the woman's bed. Then we swept the webcam over. Um, he managed to get us a public IP so we could do remote control of this, and then we just set up the communication channels, and off it went, actually running rather well.

Okay. So you're like, oh, okay, cool. You got it set up. All right, I'll be right back. Let me get the guy.

Yep. I talked to Steve. Steve called the guy's unit commander. The commander called the section leader.

They pulled the note, said, like, you need to report to building zero-two-six bravo. Show up here, we will...

Then we've got a surprise for you. Rolled back out there, plopped him down in one of our spare rooms that we had built into the forty-foot sea container, sat him down in the chair, made it comfortable. We said, here's a little care package, that kind of thing.

And do you remember his face when he saw his wife?

We weren't even looking at that. Privacy.

Yeah.

I just remember how he was afterwards, though. He walked in and he was all doom and gloom. This guy had that typical, that thousand-yard stare, like you've seen some shit. And afterward, see, I saw life in his eyes.

Yeah.

So as I knew, we did a good thing.

Yeah, I mean, how do you think you impacted his life?

I mean, from what I've been told, the reactions taken in the first year, a couple of days after a major incident, are the most critical, and I think by giving him that level of support immediately, I think I changed the guy's life for the better. When they were talking, they were going to have to discharge the guy. From what I heard, he stuck around, um, another five, six years before he finally released, and he's off doing something. I can't remember what he's doing now, but I think I've changed a life for the better, so I'm good with that.

Yeah, I mean, it's also very possible that he saved his life, because, you know, coming out, PTSD, you can, or, you know, getting affected that badly by it, you can easily end your life.

Exactly. I mean, I like to think we saved a life there, and you know, no matter what I do in life, I think that's the coolest thing I've ever done.

To me, this right here is the quintessential Darknet Diaries story, because of where I found it. I went to DEF CON and I was invited to the Microsoft party, and I sat down at a table to chat with people. And that's where I met Evil Mog, and he was there telling us this story.

And I was so captivated by it that it made me cry. Oh my goodness, to be at some DEF CON party and to hear a story so moving that it makes me cry. That's one reason I started this show. I imagined in my head, while I was listening to Evil Mog tell me that story, that I saw you across the room. And I was like, over here, you've got to hear this story.

And I brought you in to eavesdrop on these inner circles, to hear the untold stories that are only shared in intimate and private spaces that are all over the hacker culture but are hard to find. I love these chance encounters. It's like finding a hidden path in a familiar landscape. I hope stories like this fill you with the same great feeling I get when I hear them in person. I have such a fun job, and I'm so grateful. Okay, we're going to take an ad break here. Stay with us, because we have a new guest to tell us a new story after the break.

This episode is sponsored by DeleteMe. I hope Darknet Diaries has taught you something about how people can use your data against you. What do you do once your data is out there? Because it feels impossible to try to take it off the internet. How are you meant to fight these massive data brokers who are selling your info? Well, you could try out this service called DeleteMe.

DeleteMe does all the hard work of wiping you and your family's personal information off the web. Data brokers hate DeleteMe because your personal profile is no longer there to sell. I tried it, and immediately they got busy scouring the internet for my name and gave me reports on what they found on me. Then they got busy deleting things for me.

And it was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for DeleteMe, now with a special discount for Darknet Diaries listeners. Today get 20% off your DeleteMe plan when you go to joindeleteme.com/darknetdiaries and use promo code DD20 at checkout. The only way to get 20% off is to go to joindeleteme.com/darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com/darknetdiaries, code DD20. Right? So let's start out with, who are you?

What do you do? Yeah, I work for Wolf & Company, P.C. I do pen testing, social engineering, things like that. So we have a client, not a big company, maybe like twenty people, and they contract us to do your average assumed breach, so to speak, right?

So we're on the inside. We're given access. What happens if something is on there? So we have a remote dropbox, um, a little Raspberry Pi that we send them. They plug it into their network and then we connect to that remotely.

And it's kind of like we're sitting there in person, right? We've got on-the-wire access at that point on whatever subnet they put us on. So I'm doing the test, um, you know, typically, and here's the funny thing. As you know, you look at, like, you know, PTES frameworks: you should start here.

You should do this. You should do that. I would challenge you to find a pen tester that doesn't fire up Responder, um, the second they get on a network and try to get cracking and be off to the races as soon as possible, because that's what we do, quite frankly, a lot of us. So that's what I did there.

okay? Responder is a pretty clever hacking tool. It's free to get. It's just a python program and how you use IT is you just start IT and wait.

Now the thing about windows computers is that they always want to to try to join a domain and connect to share drives on the network. And so a windows machine wants to connect to a share drive. IT will try to get to that host directly, and if it's there to connect to IT just fine or whatever.

But what does the windows computer do if I can't find the shared drive that is trying to connect to? Well, IT wants to connect to IT very badly, and I will try another way. You might ask the DNS server, hey, do you know that I P addressed for the server on trying to get to and the DNA server might be like, yeah, I got that.

Here's the IP right here and then the computer might be like, that's the same I, P, I have and I already checked, I was not online. So then if the windows machines still can't find that share drive that I really wants to connect to, IT then sends a broadcast message to all the computers on the local subset saying, hey, i'm looking for this share drive. If any of you are its, please respond and that's when responder springs in an action IT sneaky says, why? Yes, i'm that shared drive you're looking for at me.

You found me. I'm here and the wind is computers like off and good as i'm looking at for you everywhere i'd like to connect to you and responders like, sure, of course you can connect to me, but you need to authenticate first yeah and the windows computer is like, oh, yes, of course. Okay, here's my username of password.

Microsoft takes your security seriously, so IT doesn't actually send your password over the network. Instead, IT sends a password hash and since responder is this dirty little liar on your network, is snatches that username in the password hash and gives IT to the penetration tester or hacker who's running the tool saying something like someone just try to connect to me using this user name and this password hash, here you go. Typically, responder only works against computers in the same substance as IT.

So if you're in the same subject, then yeah, responder is an amazing tool finding usernames and password shes. Now password hash, not the password. It's A A jibed h set of characters that you get when your password goes through an algorithm.

And the thing is, in some cases, you can crack this hash to get the password. And a common method for cracked in passwords is brute force. Take the top one million most common passwords and hash them and then see if any of those hashes matches the password hash you just got. And if so, you found the password exactly.

So we use something called hash cat. Um i'll take that hash, we will tell .

me so to crack that. But that's not on the reserve pipe as a reserve pie doesn't have the G P U C P U cycles to be able to throw billion passwords that that thing and try to figure out which one IT is. What's your what's your method for for cracking up?

What's scary is, our method is the same thing that any bad guy all around the world can do, right? We have an Amazon account, right? And we can spin up an Amazon EC2 instance. So what we do is we spin up, you know, these, like, Tesla GPU instances.

We have a couple of them, and we will, you know, take that GPU power to just blow through password hashes as fast as we possibly can. Based on that power, it's going to be a lot faster than you will with the Raspberry Pi or your local PC, unless your local PC has a ton of graphics cards in it, which most don't. So yeah, we do that all in the cloud. Relatively cheap, not very expensive to get done. Uh, and, you know, usually results come pretty quick. You know, it's in the first couple of hours.

Okay. Now, um, what's your kind of success rate on getting one hash and being able to crack that single hash?

I'm gonna go ninety-plus percent. That depends. If we've been there before and they took our recommendations, it's going to take a little longer. All right. But a different

question, which is kind of in the same realm, is, like, suppose you have the entire AD database of hashes. What percentage of passwords do you think you're gonna crack out of that?

So we will probably get, on average, I would say, and again, whether we've been there first or not, or whether they're taking recommendations, we'll probably get fifty to sixty percent within the first, like, four hours.

So he's basically trying billions of passwords to see if any of them match this hash. Of course, the longer that his Hashcat tool runs, the more passwords are tried. And so they might start with the top one million most used passwords and then try making slight modifications to those, like putting a one at the end or capitalizing the first letter, maybe adding in their own wordlist, such as the company name or mascot or city or address or a person's name or kid's name.

If no luck there, try every word in the dictionary, but add numbers to the end of it, and maybe mix it up a little bit and see if that works. It just tries tons of combinations, and pretty much all the stuff I've listed so far probably only takes, like, a few hours or less. Now, after the tool's tried all this, it then just starts going through every single possible character combination in the world, such as AAAA, AAAB, AAAC, AAAD.

So this combination of finding a username and password hash from Responder and then trying to crack it in Hashcat could take hours or even days, since this is about waiting and timing and maybe brute-forcing the password. So in the meantime, he's looking around the network to see what else is there. A good place to start is Nmap. Nmap is a basic tool that you can use to quickly scan the network to see what's there. It will basically ping every IP address on the network to see what responds, and if any do, then it'll try to see if that host has any open ports. Then Nmap will spit out a report saying, here are all the computers on the network that I found to be alive, and these are their open ports.

Exactly. Yes. So we will look for the default password places.

Um, we will look for, you know, uh, null sessions on hosts, right? Can I access this host without a username or password? Right? Can I just get in there, maybe on a domain controller? We still find this. You're able to, quote unquote, connect to a domain controller as nobody and start enumerating the domain.

Now, if you can do that, you can get a list of users from a domain controller, right? And then take that list of users and start password spraying against that domain controller with that list of users and common passwords, right? And then maybe you get a hit on Password2023!, right? Or CompanyName2023!. Weirder things have happened.

So there's a lot of stuff going on at once. He's got these background tasks running to try to get more usernames and hashes, and he's also trying to

crack the hash he's got. Yeah, I mean, to this day, and I've been doing this about five years now, to this day, when I do that for a hash and that yellow-green banner pops up, I still get a shot of adrenaline. And I'm just like, here we go.

He cracked the password, yes, but who is this user? Are they just, like, a low-level user? Or are they a sysadmin? He has to find out. And to do that, he logs into a computer on the network to see what his access is. And it's a normal user with no special privileges.

So now we have, uh, domain access as that user. So typically what we'll do is look for some basic, you know, privilege escalation opportunities. And at the same time, we're looking for data, right?

So let's say we're kind of poking for both of those things, right? We want to prove that risk, that this basic user maybe has access to some data that they don't need access to. And if a bad guy gets access to this account as that person, they also get access to that data, and that's something you need to work on.

So as I'm rooting through file shares, um, you know, what does this person have access to? Uh, we find this host, um, and it's a Windows 10 host, and we have access to a couple of shares on this host, and we're reading through them. Typically we're looking for things that are called, like, passwords.txt, or, uh, a legacy this-that-or-the-other thing, or SSN, right? We're looking for data that's going to prove a problem for the company.

So I'm looking through and I find this folder, um, called, I believe, something like cam backups. So, like, that's interesting. I don't typically find something like that. Ah, you know, like, I just start to go, hmm, that's different. I'm just curious what's in here. So I look and there's a whole bunch of .bak files. Um, like, okay, that's interesting. There's, like, maybe four or five of them. So I download one of them, the .bak files.

I get it locally, and I'm like, oh my god, let's watch this file. Uh, I open it and I see a camera feed, and the camera is just on a desk, facing at someone's, uh, kind of where they would sit, right in front of the computer. Oh my god, weird. And why would anybody put a camera on their desk? Right? It's just strange.

What are they recording? It makes no sense. So there, well, maybe there is something else to this. So I download the second one, because they're going in order. One is, I only, like, one, it is the same camera. It is the same desk. And this time the camera is underneath it, and it was a lady's desk, I found out later. Um, the way the camera was angled was, yes, at their, you know, front bottom half of their body. Let's put it that way. Let's just say it was an inappropriate

place to put a camera in an office, if that lady wasn't aware of it. Joe knew that what he was looking at was potentially going to get someone fired. So he had to proceed with caution

here. So I see this and now I'm like, oh god. Like, everybody, every pentester has that, like, feeling that sooner or later they are going to get this moment, that is something like this. Like, if you find, like, the proof that somebody's stealing from the company, or you find, uh, pictures you shouldn't, or, you know, whatever that may be. Uh, and this was the first time that I had found something like that.

And I was kind of, like, just awestruck at first, and my head started racing, like, what do I do about this? And so the first instinct was pick up the phone and call my point of contact immediately. And the problem with that is, this is a small company.

I don't know anything more than this point of contact's name and the fact that I work with them year over year. I don't know what he does personally. I don't know what his interests are. I don't know if he is the person who put this camera there, but he is the only point of contact I have, right? So he's the one I'm calling.

So I pick up the phone and I get on the phone. I tell him, I just say, you know, I found under-the-desk camera footage of... and then he cuts me off completely and says, stop right there. I'm calling HR. And at that point I had, uh, kind of this wave of relief come over me, because at this point I'm going, okay, well, he's probably not the one that put it in there, because he's wanting to call HR immediately. So HR gets on the phone, I explain that to them, uh, they say thank you very much, uh, and that's the end of the call.

It's interesting to stumble upon this as a security consultant, since it's not really a network security issue. It's more of a see-something-say-something issue. Like, do you even put this in the final security report? Joe went on to complete the pentest, and he found some misconfigurations

in Active Directory, which gave him administrator access, which pretty much gives him the keys to the kingdom. The network admin can reset anyone's password, access all shared drives, probably even read everyone's email. So he put all this in the report and delivered his findings

on the final call. It was basically the typical stuff. He said, you know, we found that. You know, here's recommendations for fixing that. Okay, great.

And we didn't feel like it was our place or appropriate to bring that up on that call. However, I did end up talking to that client about a month later. And, you know, we were going over some remediation strategies for them.

And, you know, it was basically, like, how has everything else been going, how have you been, all about, like, everybody, you know. Um, how about that other thing? I'm just curious. But the other thing with this is a much more casual conversation. Just curious, everything okay?

That other thing we found? And he just gave me this look, this thing, like, yeah, yeah, that's been handled. And I knew not to push, but I knew that whatever had to be done had been done, at least it seemed like it had, and it seemed like it worked out for them. Uh, I wasn't going to get pulled into court for the pentest or for anything, which I was actually kind of ready for. Like, oh my god, this might be the first. So lucky.

Yeah. As far as, like, your, um, success rate, I mean, you're always going to find something, even if it's, like, a CVSS level three. But I mean, as far as just success rate of, just, like, owning the whole network, gaining access to sensitive systems, getting, you know, half of the users' passwords in the whole organization, that kind of thing.

Is that fairly high? Do you feel pretty confident? Like, yeah, I'll probably be able to own this network?

It's, with no exaggeration, ninety-five percent of clients that we are able to do that with, early.

And I think he can get to that point because of how many penetration tests he's done. He's gone into dozens of networks and exploited hundreds of devices. And after doing that over and over and over, you start to develop a pattern and know exactly where to look for weaknesses.

Once you do develop a pattern, pentests start to become automatic, since they repeat the same steps almost every time. And so once he was done with one pentest job, he'd move right on to the next. And this time it was a bank.

It was a regional bank, and we were doing some more traditional internal network vulnerability assessment and penetration testing. Um, and I had one of our junior pentesters on the job with me. So this person, they came in with a little bit of experience through the door. They'd been at this for, you know, four to six months at that point.

So they arrive on site and are greeted by the onsite team. They're shown where to sit and where to plug into the network. And this was a simulated breach. So if someone got into the network who shouldn't be on it, what could they see or do while there?

So the two of them get all set up in this room. And well, you already know what tool they're gonna start up first. That's gonna be Responder. They start

to do that thing, you know, like doing the little Responder stuff, whatever. And for whatever reason, this pentester is having a hard time, uh, with Responder, like their Python's not working, the tool's not working.

I'm trying to help them through it. So, you know, like, you know what? This is a teaching moment. I'm gonna let them figure this out, right? Like, I'm not gonna give the answer, I'm not. I'm going to go to... I want to see how they handle this.

Okay. So they've taught me that Responder is their go-to tool for starting a network assessment. But if that's not working for whatever reason, well, what do you do next?

I have a thirty-minute sync call with another client I need to take. So I want to be over here. I'm like, you know what? You'll take the reins on this, like, it's the beginning of the test, what can go wrong? So I hop on the call and he's doing his thing, and I don't know, like, five, ten minutes go by, I'm on this call, and I start noticing that, like, phones are ringing, and I'm checking the offices, and I start noticing a lot of shuffling, and people kind of running around.

And I'm not sure what's going on, and I go, whatever, it's probably nothing. All of a sudden I see our point of contact come flying down the hall in a panic. He busts into the room, he goes, what are you doing to our network? Go back. I get off my call. I'm like, I'm sorry, but what's going on? Like, everything's down, we can't reach anything.

The core, oh my god, nothing works. We're like, okay. So I go to the junior guy, whatever you're doing, stop. So he stops, like, five, ten minutes go by and things kind of quiet down.

We check in with the point of contact. He's like, yeah, whatever that was, don't do that ever again. Um, he's obviously upset, understandably so. So in the process of figuring out what happened, I'm talking to the junior tester and I say, what, what were we doing? What, what can you tell me you were doing?

He said, you know, Responder's not working. Okay, cool, what else did you do? Oh, you know, I, I figured I'd save time and I would run, you know, like a, like a port scan. Like, okay, what did you use for that? And he says, well, I, I always use masscan.

I'm like, okay, not Nmap? He's like, no, you know, masscan's faster. Okay. So Nmap is a basic

tool to see the network. It's simple and efficient and usually safe. And when you're testing a live network, you want to be as light as you can. And Nmap is a gentle tool to scan the network with. It just does, like, a simple knock on the door.

Is anyone home? And it really just stops there, which is nice, since you don't want to disrupt the business or reboot any systems in your process, since, after all, this is a bank which needs to continue their service to customers. But masscan is a bit beefier of a tool compared to Nmap.

It can make a map of your network, but it's designed to scan huge amounts of systems at once. Like, it shines really well when it's supposed to scan, like, millions of IPs at once, or even the whole internet. This network only had, like, thousands of IPs. Masscan is just too powerful of a tool for this scenario. But this junior pentester was convinced that because it's the beefier tool,

it's better for the job. Oh no, I'm aware. It's faster. Show me the command you ran on masscan. So he shows me the command he ran on masscan.

And when you run masscan, you have the option of how many packets per second you want to run at, and he had added, like, two or three zeros to the default, which means he was blazing across all of their subnets running masscan and doing a port scan. And that is what brought their network to its knees for five to ten minutes, is that he was careless. And if you want to kind of step back from that, I was careless as the, quote, grown-up in the room at that point in time.

So okay, so this junior pentester was absolutely flooding the network with traffic. They weren't told what exactly the impact was, but I'm gonna speculate on what happened here. He had a computer that was plugged in using an Ethernet cable, so the next hop from his laptop would have probably been a network switch or router.

If he's sending massive amounts of traffic, you could easily overwhelm that next hop. Just too many packets at once going through that, opening many sessions. It can fill up the session table, memory or CPU on the device could just be maxed out, and it just might not accept any more packets, essentially doing a denial of service on that next hop, whether it was a switch or router. And what that would do is cause everyone who is also connected to that device to not be able to reach anything beyond it, like the pipes are clogged kind of thing.

And if there are servers also connected to that switch, then those servers would be unreachable by anyone, too. The other option is, if this masscan tool was configured to scan IPs outside the network, the traffic might have traversed the firewall. And this is a device that acts as the security checkpoint between the internal network and the outside internet, which does a little bit more inspection of packets. And if every IP that masscan was trying to hit was getting inspected by the firewall, that might be too much for the firewall to handle.

It just can't accept that much stuff. Not only that, but it might have taken up all the bandwidth that that site had for internet access as well, making the whole internet go down for the site. Either scenario, Joe realized it was them who took down the network, and now they had a really big problem on their hands to deal with.

So we end up with, like, this big call. It didn't necessarily, like, break anything. You just slow the network down to a crawl because you are shoving so much traffic through it that nothing else can get through. So the CIO, the chief information security officer, are on the call, a lot of big muckety-mucks.

And basically, they're like, tell us why we shouldn't fire you from this right now, essentially. And we had to go through a whole rigmarole with them and explain, like, look, you know, it was a typo on a screen, we didn't do it on purpose, we're very sorry, we won't do it again, yadda, yadda, and luckily, like, they came around. But I'm pretty sure we didn't have pentesting work with that bank anymore.

So yeah, that was, it was not fun. We've had to change our procedures since that happened.

One thing that I thought isn't explicitly taught to pentesters, but I believe is possibly the most important skill for them to have, is communication skills. It's not entirely unusual to be put in a hot situation where there's some very stressed-out people on the phone or in the room, or people that are just really difficult to work with, and the better you can speak their language, the more effective you're going to be at working with them.

If you are a pentester and you find some awful, glaring security issue in the network, how do you explain the problem to the business leaders in a way that they will prioritize it and fix it? They aren't ding-dongs. They have degrees and are highly accomplished people, but they don't understand the details of cybersecurity. So you need to have those communication skills to speak their language so they get it. And that, to me, is a mark of a great penetration tester.

A big thank you to Evil Mog for telling us about his time in Afghanistan, and also thank you to Joe for telling us about his pentest story that went all wrong. They were able to keep working after that and provided value to the client despite a rough start. I've got a T-shirt shop that I really want you to check out.

There are over fifty designs in there, and I am positive you will find a shirt that you will love in the store. Please visit shop.darknetdiaries.com and treat yourself to something nice.

This episode was created by me, the one and only, Jack Rhysider. Our editor is the encrypted Tristan Ledgerwood, mixed by Proximity Sound. Our intro music is by the mysterious Breakmaster Cylinder.

I took a trip down to the capital in Washington, D.C., and a little bee landed on a flower next to me.

I noted that it was a US bee. I said, that's a USB. This is Darknet Diaries.