00:00:00.000-->00:00:04.972 >>SO, so let's get started this is called Weaponize Your Feature Codes. Um, my name is MasterChen. 00:00:08.141-->00:00:13.413 Ah so ah let's get started. Ah first with the who I am, uh I am a GreyNoise podcast founder and 00:00:13.413-->00:00:17.885 uh co-host. Uh there's our website if you want to listen to some of our episodes, later, ah 00:00:17.885-->00:00:23.056 not during the talk. Uh [chuckle] So check us out, ah we do a weekly podcast here in 00:00:23.056-->00:00:28.195 Vegas, ah once a week. I'm born and raised here actually in Vegas so this is uh [audience 00:00:28.195-->00:00:31.131 member: wooo.] yeah thanks [chuckle] this is why I need to be drunk on stage, it's just 00:00:31.131-->00:00:36.136 natural, you know? [laughter]. Um, so anyway born and raised here but ah the podcast is done 00:00:39.239-->00:00:43.944 weekly here at the local uh Syn Shop which is actually the next bullet point. I'm a member of 00:00:43.944-->00:00:48.081 the Syn Shop Hacker Space here in Vegas ah we do some cool hardware hacking so check out 00:00:48.081-->00:00:52.552 that website as well. Uh I am the secretary over at the uh Syn Shop uh it's actually next to 00:00:52.552-->00:00:57.557 the Nevada DMV, perfect place [laughter]. Um I spoke at B-Sides uh in 2014 and actually 00:01:00.527-->00:01:06.500 this year as well. In 2014 it was what I learned as a con man and uh two days ago I did a talk 00:01:06.500-->00:01:11.505 on Vegas surveillance so the cameras now are on me, that's awesome [laughter]. 
Ah last year 00:01:14.107-->00:01:18.478 I did a talk at the Skytalks on automating your stalking using Twitter to follow somebody who's 00:01:18.478-->00:01:23.483 originally blocked you ah so [laughter] if you want those talk notes follow me on Twitter 00:01:28.422-->00:01:33.560 [laughter] and I can DM those to you since that that talk was not recorded [laughter] uh and I I 00:01:33.560-->00:01:39.333 do write some articles for 2600 do we have any 2600 readers out there? [audience: cheer] 00:01:39.333-->00:01:44.404 alright, uh do we have any Telefreakers out there? [audience: silent] Oh okay oh 00:01:44.404-->00:01:47.975 okay [audience: laughter] no worries I guess they figured they'd live stream the talk 00:01:47.975-->00:01:52.379 later [laughter] alright cool uh and actually I kinda want to know a little bit about my 00:01:52.379-->00:01:57.384 audience ah so how many people like this is your first Defcon? [audience: cheer] holy shit! 00:01:59.853-->00:02:04.391 [laughter] uh welcome everybody, ah, this is a cool crowd, so I've been going to Defcon since 00:02:04.391-->00:02:10.597 DC12 so uh I I'd like to say I'm a veteran but this is my first time on a DC stage so I'm like 00:02:10.597-->00:02:15.602 ohhh fuck, alright. [laughter] uh how many times, er how many of you guys this is your first 00:02:15.602-->00:02:20.607 time in Vegas? [audience: cheer] be careful [laughter]. Alright so why this talk? Uh well I got 00:02:24.678-->00:02:29.082 really involved with phone phreaking out like Defcon15 and I thought at that time I was 00:02:29.082-->00:02:34.254 like shit! 
I missed the boat because all of this stuff is is done you know the the the the 00:02:34.254-->00:02:39.059 beige box, the blue box, the any colored box they just don't work anymore because everyone is 00:02:39.059-->00:02:43.463 transitioning to VOIP and you know it's just I can't do the cool shit that was done in the 00:02:43.463-->00:02:49.603 80's and 90's but wait, like like I just said, there's VOIP um so that's why I can still be 00:02:49.603-->00:02:55.275 considered a phone phreak hopefully. Um Now if you're wondering about the drawings 00:02:55.275-->00:03:00.013 [laughter] um I looked for stock images on Google because I was like man I need you know I need 00:03:00.013-->00:03:04.951 a picture of somebody missing the boat and [laughter] uh [laughter] so every stock photo 00:03:07.721-->00:03:12.125 that I found I was like uh this kinda sucks like ehhh it's not something that I like I don't 00:03:12.125-->00:03:15.896 want to put it on my slides. So I had my best friend who is in the audience there Ninja Nerd 00:03:15.896-->00:03:19.766 BGM uh I had him draw some stick figures for me because that's what we used to do in high 00:03:19.766-->00:03:24.771 school uh so there is me on the dock missing the boat [laughter] there's more in the talk. 00:03:26.807-->00:03:33.413 Alright so today we'll be focusing on uh call flooding using our feature codes uh text 00:03:33.413-->00:03:39.086 message bombing or SMS flooding using feature codes as well as caller ID spoofing again now not 00:03:39.086-->00:03:45.826 all of this is new but we're gonna try to implement it in a new and more efficient way. 00:03:45.826-->00:03:51.164 And there's also potential for other feature codes uh so before we actually do some of the demos 00:03:51.164-->00:03:56.269 we have the uh basic terminology we're talking about vertical service codes so of course who's 00:03:56.269-->00:04:00.640 ever heard of like star 69 right? 
Like we've all heard of star 69 you know who called you 00:04:00.640-->00:04:05.745 last if they didn't block their caller ID, or star 67 to block your caller ID right? Uh so 00:04:05.745-->00:04:10.217 that's what we mean when we say vertical service codes or feature codes. Uh vertical 00:04:10.217-->00:04:15.822 service codes is what you use to manipulate your little part of the phone network. Uh and uh the 00:04:15.822-->00:04:21.995 next basic terminology is uh PBX or private branch exchange uh usually this is now done through 00:04:21.995-->00:04:26.233 software where before it was a big you know big rack with circuit switching and what not 00:04:26.233-->00:04:33.106 so it's cool that software has condensed uh that so. Uh okay before again before well 00:04:33.106-->00:04:39.346 everything everything is before the demo [laughter] um before we go into the demos we have also 00:04:39.346-->00:04:43.984 the history of the feature codes. So it was developed by AT&T it was called the custom 00:04:43.984-->00:04:49.956 local area signaling service. And again it was developed in the the eh 60s and 70s and it 00:04:49.956-->00:04:55.428 was designed to do such things as block caller ID, who called me last, uh call forwarding is 00:04:55.428-->00:05:00.367 another one that's like star 72 excuse me. Star 72 so uh CLASS was uh trademarked by AT&T so 00:05:04.304-->00:05:10.644 the other telcos came up with vertical service code uh to mean the same thing. Uh now why is it 00:05:10.644-->00:05:14.748 called vertical service code? 
It's because you're dealing with your central office or your 00:05:14.748-->00:05:20.587 specific carrier so for instance you can't dial star 69 to manipulate AT&T central office 00:05:20.587-->00:05:24.658 if you are on the Verizon network and you know I'm just using that as an example but 00:05:24.658-->00:05:29.729 when we say vertical it's like if your service is AT&T or if your service is Verizon that's 00:05:29.729-->00:05:35.335 who you'll be dealing with when you're dealing with these ah vertical service codes. Now with 00:05:35.335-->00:05:40.340 this demonstration I have my own PBX so I am the telco [laughter]. Okay so this might 00:05:43.210-->00:05:47.881 be a little bit hard to see but I took this from Wikipedia and basically you see on the left 00:05:47.881-->00:05:53.453 hand side um all of the vertical service codes for north america according to the north american 00:05:53.453-->00:05:59.226 uh plan uh numbering plan association now I've zoomed into the part here where I've noticed 00:05:59.226-->00:06:04.164 that you know star 30 has something and then it kinda just skips to the star 5 x area so 00:06:06.333-->00:06:10.870 what I'm gonna do is I'm gonna add the feature codes into right in between there we're gonna be 00:06:10.870-->00:06:15.875 using star 4x today okay? [sigh] So, what do we mean by weaponize, oh let's talk about 00:06:18.645-->00:06:23.216 this drawing in a second [laughter] uh what do we mean by weaponize? 
Well obviously the 00:06:23.216-->00:06:27.954 star codes are not meant to be malicious like you're not gonna star 69 and you know root 00:06:27.954-->00:06:33.093 somebody or cause a DDoS or whatever So when we take something that's not meant to be 00:06:33.093-->00:06:37.998 a weapon and then we turn it into a weapon it's called weaponizing ah and now the scope 00:06:37.998-->00:06:42.669 of damage of course is simple annoyance you know like getting a million text messages all by a 00:06:42.669-->00:06:47.707 couple of dialing digits uh and it can be all the way to uh business and personal 00:06:47.707-->00:06:52.212 relationship ruining and so we could talk about some of the hypotheticals there uh later. 00:06:52.212-->00:06:58.184 Imagine you know like, well I'm going to save that uh example for later. Uh so the materials 00:06:58.184-->00:07:02.055 you will need, we're going to do this like a science project, uh you'll need a Linux machine, now 00:07:02.055-->00:07:07.661 this can be physical or virtual it can be a VM uh but asterisk which is what we're using today 00:07:07.661-->00:07:12.666 for the software PBX uh is run primarily on Linux it runs well on Linux um I've never run it on 00:07:14.801-->00:07:19.873 a Windows machine and I don't really care to, so [laughter] materials you will need is a 00:07:19.873-->00:07:25.412 Linux box according to you know my research. Ah and then you'll need a hard or soft phone. Now a 00:07:25.412-->00:07:30.016 hard or soft phone is gonna be a VOIP ready phone but it could be like an application on your 00:07:30.016-->00:07:35.355 phone such as Bria, X-Lite, uh Zoiper, which is what I'll be using today um or it could be a 00:07:35.355-->00:07:42.262 hard phone such as Polycom, Cisco, Yealink, etcetera, etcetera, so as long as 00:07:42.262-->00:07:47.901 they're tied to the PBX that has that that feature code, uh, it'll work. 
And you'll also need 00:07:47.901-->00:07:52.906 imagination [laughter] uh so I don't watch Spongebob but I kinda like that image so... 00:07:55.308-->00:08:00.313 [laugh] that's why I used it. Oh wait, I didn't talk about this one. So as you can see all these 00:08:00.313-->00:08:06.653 feature codes are being shot at me, like star 69, uh, star 56, uh, and it kinda looks like it's 00:08:06.653-->00:08:12.425 being shot at me from a penis [laughter]. I think the intention was like uh like a 00:08:12.425-->00:08:17.430 bazooka of some sort, yeah thanks dude, but a a [laughter] it looks like a penis, I'm going 00:08:20.834-->00:08:27.273 to be real with you you know? So the structure of our feature code in an asterisk dial plan 00:08:27.273-->00:08:32.545 you have what's called the context and that separates your functions according to uh it you 00:08:32.545-->00:08:38.451 know ah asterisk has its own scripting language so this uh part here where it says context 00:08:38.451-->00:08:42.655 label uh that's what it will look like in the code. And think of it like your functions 00:08:42.655-->00:08:47.827 or your your um uh yeah your functions or your operations that are your sub routines in 00:08:47.827-->00:08:53.566 your program language uh we will start all of our feature codes today with star four x and x 00:08:53.566-->00:09:00.340 meaning anything from 1 to 9 k? Uh before is the the star four is the uh feature code that 00:09:00.340-->00:09:04.077 we've picked or that I've picked today and that's where uh it'll look like so in the code like 00:09:04.077-->00:09:07.714 for an example uh star 42 and then 7028675309 nobody has that number I'm not doxing anybody so 00:09:07.714-->00:09:09.716 that'll be the example that'll be the structure of your dialing When you're di- when you're 00:09:09.716-->00:09:11.718 dialing out with your outbound routes uh is anybody in here familiar with asterisk at all? 
00:09:11.718-->00:09:13.720 Um on a daily basis are you guys like VOIP administrators out there or anybody? Okay so you're 00:09:13.720-->00:09:18.725 finding this interesting just because alright, cool [laughter] alright, so our first one is the 00:09:34.941-->00:09:39.646 call flood and I will be flooding my own phone here in a second um, so basically as you 00:09:39.646-->00:09:44.984 can see up here uh again the top starts with the context label and that's our subroutine uh so 00:09:44.984-->00:09:50.089 you'll see that everything in here it's going to be grabbing input, it's going to then, my 00:09:50.089-->00:09:55.862 server's then going to take that input and put it into a call file, okay now the call file is 00:09:55.862-->00:10:02.535 then going to go into the asterisk spool and then out, uh out to your upstream carrier and 00:10:02.535-->00:10:09.108 it'll send you know uh let's see so down here you'll see um call amount, CALL AMT all in caps, 00:10:09.108-->00:10:14.848 that's the variable and it's accepting three digit dials so I can send anywhere from one call 00:10:14.848-->00:10:19.853 to 999 calls at one time uh so that's that's just my own limit that I've set I figured ah we'll 00:10:22.388-->00:10:27.393 be nice a little bit so I'm limited to at least 999 as a max um and so these ah this next 00:10:31.231-->00:10:36.236 part is uh the call flood uh shell script so after we enter the information into the ten-digit 00:10:38.738-->00:10:43.710 dial or into the feature code it's going to be made into that text file and this script 00:10:43.710-->00:10:48.481 right here takes that text file and forwards it to the spooler for as many times as I've 00:10:48.481-->00:10:54.053 specified so the counter is equal basically to the call amount that I've given so it 00:10:54.053-->00:10:59.826 could be five hundred it could be six hundred it could be one if I'm nice, I'm never nice uh 00:10:59.826-->00:11:04.264 [laughter] for testing, for testing. 
Uh so and that's basically what the code looks 00:11:04.264-->00:11:07.634 like all of this is on Github and the link is at the end of the uh of the presentation 00:11:10.670-->00:11:16.276 [sigh] so now it's demo time. And as those who might may know uh live demos they just work 00:11:16.276-->00:11:21.281 great uh [laugh] so we're going to see if the demo gods are in my favor um I'll let you guys 00:11:23.583-->00:11:28.721 interpret this stick figure there [laugh] I think that's what the face of God might look 00:11:28.721-->00:11:35.128 like or whatever I don't know [laugh] Okay so the way this is going to work is I'm going to 00:11:35.128-->00:11:41.167 dial from my softphone uh it's the softphone Zoiper application I will dial from here it'll go 00:11:41.167-->00:11:46.172 out to my PBX and then out and it'll come back around to my cell phone provider so uh I am 00:11:48.241-->00:11:53.780 calling myself I am going to flood myself [laugh] and so you'll be able to hear all these 00:11:53.780-->00:11:58.785 calls as I explain uh the next part so let's go ahead and do this, star 4 zero [beeping] ... 00:12:08.728-->00:12:13.733 let's say what's a good number? Fifty, I'm gonna send myself fifty calls here. >>seven, zero, 00:12:23.576-->00:12:28.581 two, eight [audience: laughter] >>I was ready [laughter] now I did put this on uh on full 00:12:30.617-->00:12:35.321 volume so in a second you'll be hearing call after call after call after call and that's okay 00:12:35.321-->00:12:40.560 because as long as the demo works, oh it's this one it's this one, oh the first one came 00:12:40.560-->00:12:45.565 in that's great, okay well there will definitely be more as you will hear in just a second. 
Um 00:12:48.568-->00:12:55.475 so basically the caller ID if you saw in the, uh previous slide, uh the caller ID is set 00:12:55.475-->00:13:00.413 to 3020000001 so the caller ID is not coming from my phone or from my application it's 00:13:03.716-->00:13:09.555 changed, it's spoofed, you know. Um, let's see here, let's see what the voicemail sounds like, 00:13:09.555-->00:13:14.560 because it's leaving me voicemails right now. Are you ready for this? Monkeys having 00:13:18.164-->00:13:23.169 sex. Oh come on [phone: Bings] now you, now you don't want to work okay [laugh] let's try that 00:13:28.241-->00:13:33.246 again, let's try that again [monkey shrieking] [audience: laughter] okay, so for those who 00:13:39.819-->00:13:45.491 don't know, oh, there's another call [phone ringing] okay so I'm going to have to dismiss this 00:13:45.491-->00:13:50.463 for the rest of my talk, okay so basically what you're hearing there [phone bings] so that's 00:13:50.463-->00:13:57.036 another voicemail [audience: laughter] the live demo worked and now it's interrupting my 00:13:57.036-->00:14:01.374 speech [phone bings] oh there's another text, this works, it worked, alright so what you're 00:14:01.374-->00:14:08.047 hearing is the monkeys having sex so basically when the caller answers the phone, that is what 00:14:08.047-->00:14:13.052 they will be hearing [clapping] [laughter] now if they ignore the call like I'm doing [phone 00:14:20.960-->00:14:24.530 ringing] [laughter] 3020000001 end. 
That might get annoying, I should've picked like ten, oh 00:14:24.530-->00:14:29.469 son of a bitch [laugh] okay so what you're hearing though is basically if you answer that 00:14:29.469-->00:14:34.207 phone if you answer that call as the target [phone vibrating] I'm going to put this on silent now, 00:14:34.207-->00:14:39.011 like maybe everybody else should be doing, no I'm just kidding I don't care, huh okay so 00:14:39.011-->00:14:42.415 basically when you answer the call that's what you'll be hearing and even if you ignore 00:14:42.415-->00:14:48.287 the call that's going to go to your voicemail so you either have a choice to check the 00:14:48.287-->00:14:52.925 voicemail or to then delete it which if you don't have visual voicemail could get really 00:14:52.925-->00:14:57.730 difficult [laughter]. [phone vibrating] So ah here we go, end, I gotta go to like silent 00:14:57.730-->00:15:02.668 on this one, um but basically, no excuse me, sorry, oh it's interrupting me, okay yeah now 00:15:08.741-->00:15:14.680 it's off now it's like no calls no vibration, uh so that's a way to call flood okay, so I sent 00:15:14.680-->00:15:18.317 fifty calls to myself and as you can see it's just going to keep going until this call stream is 00:15:18.317-->00:15:24.524 done and ready but you could send upwards of 900 and 999 and if you program to more than just 00:15:24.524-->00:15:30.163 a four digit input it can go much further and much longer than that so you can probably 00:15:30.163-->00:15:36.569 disrupt somebody's phone service for a good eight hour shift, or full day, [laughter] it's 00:15:36.569-->00:15:43.009 completely dependent on you and how you wanna program by the way I'm not a lawyer uh INO so be 00:15:43.009-->00:15:48.681 careful. Alright so the demo worked, okay that's cool thank you demo gods wherever you are, 00:15:48.681-->00:15:54.120 the beard looks good on you. 
Okay so let's talk about the star four zero feature code 00:15:54.120-->00:15:59.158 mitigation techniques how do we stop an attack like this? Well if you have an asterisk box you 00:15:59.158-->00:16:05.798 can take that caller ID and then drop any call from that caller ID so if uh if you're the target 00:16:05.798-->00:16:11.604 and you're getting spammed you can say ahhh let's drop all the calls from this particular uh uh 00:16:11.604-->00:16:17.243 caller ID and it'll drop the call now that could easily be mi- remitigated or like a chess 00:16:17.243-->00:16:21.914 board I can say okay well let me change the caller ID with every call so the first call would 00:16:21.914-->00:16:26.919 come from 3020000001 the second call would come from 0002, 0003, etcetera, etcetera, etcetera, so 00:16:30.690-->00:16:35.895 even if you're blocking that caller ID uh I will get through and [laugh] if you block all of 00:16:35.895-->00:16:40.066 the 302 area code or whatever area code I'm using a lot of people don't want to do that 00:16:40.066-->00:16:44.437 especially if you're a business because then that blocks potentially real business if I 00:16:44.437-->00:16:49.809 was to block all of the 702 area codes uh none of Vegas would be able to call me and so that's 00:16:49.809-->00:16:56.649 that's a business disruption so you can drop the calls um but mmm why would you want to if 00:16:56.649-->00:17:00.953 that's disrupting your business and you don't know how long the attack is going so while that is 00:17:00.953-->00:17:05.992 a mitigation technique uhh it's kind of on uh faulty ground there. Uh now what about people 00:17:05.992-->00:17:11.264 who are not hiding behind a PBX like for instance this phone is still going and I can't stop it, 00:17:11.264-->00:17:16.836 that's okay, hopefully it's done in an hour [laugh] but if you're not hiding behind a PBX where 00:17:16.836-->00:17:21.941 you can control the call flow, uh what then? 
How would you then uh drop the calls or stop that 00:17:21.941-->00:17:28.147 attack? I'd like to discuss that with people who know more than me actually Uh okay so our next 00:17:28.147-->00:17:34.120 feature code is star four one and it's going to be the SMS flood. So instead of sending a 00:17:34.120-->00:17:40.893 call flood now, we will be sending um uh a text message bomb or you know same idea but 00:17:40.893-->00:17:45.665 instead of five hundred calls we're sending five hundred text messages okay? So the code is 00:17:45.665-->00:17:50.870 set up the same way uh we're taking star four one as the input and that this next part in 00:17:50.870-->00:17:56.275 the uh after that break in the code you'll see that that's uh what is that, star two two, or 00:17:56.275-->00:18:01.747 sorry two two eight, so I'm going to use that as an extension to tell uh my feature 00:18:01.747-->00:18:08.321 er my uh my call er my uh I'm sorry text message flooder I will denote that as AT&T two 00:18:08.321-->00:18:10.323 eight eight AT&T right? So Sprint will be like SPR whatever that DTMF dial tone would be or 00:18:10.323-->00:18:12.325 whatever that DTM er DTMF touch tone would be. Um I am personally a Google Fi 00:18:12.325-->00:18:17.330 subscriber so to flood this it would be four six six which is what we'll be using in just a 00:18:22.802-->00:18:27.807 second [laugh] uh so this is how we start our text message flood. 
Now I will turn the volume back 00:18:32.278-->00:18:39.151 on so you can hear how many times I get a text message because I'm a masochist uh who 00:18:39.151-->00:18:44.624 wants to pick a number, I can't believe I'm doing this to myself [audience member: four twenty] 00:18:44.624-->00:18:49.628 four twe- [laugh] I like where your head is at [laughter], I'm just kidding [audience member: 00:18:51.931-->00:18:58.004 256] two fifty six, okay let's see, uh let's see I guess I could be that mean to myself 00:18:58.004-->00:19:02.942 awesome [audience: laughter] challenge accepted [laugh] okay what was that? Oh okay okay 00:19:11.684-->00:19:17.523 [laugh] okay so again I am using my own phone as the test subject so I'm I'm calling out and it's 00:19:17.523-->00:19:22.528 coming right back to my phone uh so I will be dialing star four one 702 redacted [laugh] and 00:19:25.698-->00:19:30.703 then we'll go from there [phone: beeping] [phone: zero, two...] okay so I'll, two hundred times, 00:19:53.492-->00:19:58.397 alright so it'll tell me who I'm targeting and for how many times uh so while I'm waiting for that 00:19:58.397-->00:20:05.137 to come in, again, to explain this uh feature code it's going to dial out of my PBX uh it's 00:20:05.137-->00:20:10.276 actually starting a call flooding script that then attacks the email gateway to my 00:20:10.276-->00:20:17.116 MMS service so it's a big loop uh here we go uh the text is from actually let me do this 00:20:17.116-->00:20:22.121 part the text is from your mom at porn hub dot com [laughter] yeah, so obviously the email was 00:20:26.425-->00:20:31.430 spoofed okay so I am sending an MMS from my PBX server back through to the Google Fi uh 00:20:34.400-->00:20:41.340 email gateway which then goes to my cell phone and uh it'll just keep going like that and uh for 00:20:41.340-->00:20:47.012 a very long time I'm kind of waiting for more yep it's going it's going [beep] yep there you 00:20:47.012-->00:20:52.017 go, ding, let's 
ding this a couple more times I've forgotten what number we picked [laugh] oh 00:20:55.354-->00:21:00.259 two hundred that's right [beep] two hundred oh there's another one your mom at porn hub dot com 00:21:00.259-->00:21:06.165 so you can see how this becomes very annoying. You could see how this becomes very annoying. You 00:21:06.165-->00:21:10.302 could see how this becomes very annoying. See I just sent you three right there, right [laugh] 00:21:10.302-->00:21:15.307 alright so, let's talk about practical use, so it's a text message bomb, it's an SMS flood, 00:21:17.977-->00:21:24.783 it's pretty annoying but how can this be uh utilized on a really big attack surface. Uh so let's 00:21:24.783-->00:21:29.321 say instead of just sending a you know your mom at porn hub dot com what if we sent a 00:21:29.321-->00:21:35.494 message with a malicious link. Like if you want to stop the flood click on this link, we're 00:21:35.494-->00:21:40.499 lying to the target [laughter] so you're not actually going to stop the flood by clicking on 00:21:42.568-->00:21:47.439 the malicious link, but what if we told them that? What if we said hey, if you want to stop 00:21:47.439-->00:21:52.578 this flood click the malicious link. So they click the malicious link, it installs 00:21:52.578-->00:21:55.848 whatever you want to install or you know however you wanna set that up that's out of the scope 00:21:55.848-->00:21:59.919 of this talk, but the links you can send, you can send these links and if they're uh noob 00:21:59.919-->00:22:04.857 enough or green enough they'll click on that because they want to stop the call flood, they 00:22:04.857-->00:22:08.394 don't want two hundred messages, and they don't know that it's two hundred, they just know that 00:22:08.394-->00:22:12.531 they have a flood of text messages going on right now. 
So they'll probably do anything to 00:22:12.531-->00:22:16.168 stop it especially if you're sending upwards of four thousand, five thousand, any 00:22:16.168-->00:22:20.606 upward limit, it's still going, there you go it's still going, the good news though is that the 00:22:20.606-->00:22:26.545 calls stopped [laugh] so uh that's the thing we can send this through maliciously or we 00:22:26.545-->00:22:32.518 can use this to send a malicious link, and again, we're lying, but that's an that's an easy way 00:22:32.518-->00:22:38.257 to install that link right there. Okay now, another cool, well uhhh cool's not the right 00:22:38.257-->00:22:43.729 word, um another creepy thing, that's a better word, uh creepy thing, is a 3am text from a 00:22:43.729-->00:22:49.868 mistress, so let's say for instance and this is just an example I promise, um, 3am you 00:22:49.868-->00:22:54.874 know that your target is cheating on his wife. So you send three hundred messages at 00:22:57.343-->00:23:02.281 3am saying I miss you [laughter] ding ding ding ding guess who starts asking questions? Uh I 00:23:06.919-->00:23:11.924 don't suggest it this is just a hypothetical scenario okay? [laughter] But obviously you can 00:23:15.594-->00:23:19.798 see how this does not just become annoying but then it becomes potentially relationship 00:23:19.798-->00:23:25.104 ruining. Because then the person loses that trust it becomes more of a social engineering slash 00:23:25.104-->00:23:30.042 phishing game right? So now the wife or the significant other is like who was that, who was that, 00:23:30.042-->00:23:35.080 who is calling you from you know etcetera etcetera [laugh] and so that's how we can make this uh a 00:23:35.080-->00:23:40.953 little bit more powerful and going a little bit beyond code. 
Uh so that's the end of the star 00:23:40.953-->00:23:44.290 four one feature code, it's still going, so maybe it's not the end of it, I don't know why 00:23:44.290-->00:23:49.295 I picked two hundred, oh yeah that's right, because I'm on stage [laugh] alright so SMS 00:23:51.530-->00:23:57.636 flood mitigation uh okay so it's up to the carrier to limit SMS and how fast and how often it 00:23:57.636-->00:24:02.841 comes through uh so that's kind of out of the hands of the target obviously this is kind of 00:24:02.841-->00:24:07.846 just still going on uh I have fifty three currently [laugh] so I have about a hundred and fifty 00:24:10.482-->00:24:16.755 more. Uh now you could also use Google Voice because I found out that the email gateway hosted by 00:24:16.755-->00:24:22.494 Google Voice does not send those messages so as I try to send from a Google Voice number or 00:24:22.494-->00:24:28.200 I'm sorry to a Google Voice number uh Google just drops it you can't get through that email 00:24:28.200-->00:24:33.105 gateway at least by this method and so it won't uh it won't go through I've tested that and it 00:24:33.105-->00:24:39.311 uh again my method it's verified that it does not work for Google Voice but the funny thing is it 00:24:39.311-->00:24:45.384 works for Google Fi, project Fi, you can still send these messages and they still work. Is 00:24:45.384-->00:24:50.923 that because Google Fi is running off of the T-Mobile and Sprint networks, ah maybe, ah 00:24:50.923-->00:24:56.161 that part I haven't investigated but, you are still susceptible if you are a uh a project fi 00:24:56.161-->00:25:01.266 user. 
Now as far as the other uh carriers uh with permission I have tested Verizon, AT&T and of 00:25:01.266-->00:25:03.268 course the numbers were a lot smaller, like uh three, just to make sure it works, uh but I've 00:25:03.268-->00:25:08.273 tested them on all these major carriers, and it does work, it's just exploiting the email 00:25:13.746-->00:25:19.818 gateway that they have posted as public information on their website. Now what's another 00:25:19.818-->00:25:24.556 mitigation technique, you could turn off your phone, just kidding because it won't work, 00:25:24.556-->00:25:29.428 you turn on the phone, and you'll start getting those messages again, yeah, you won't 00:25:29.428-->00:25:34.433 forget me [laugh]. Uh so that's the star four one uh feature code [clears throat] okay so 00:25:37.002-->00:25:42.408 this next one I call it a spoofy ghost. We'll be spoofing caller ID. [phone: Ding] Ah there you 00:25:42.408-->00:25:45.911 go dinged again, maybe I should turn it on silent again, no no let's keep it, let's keep it 00:25:45.911-->00:25:51.450 going [laugh] Ah so spoofy ghost, it's the same idea, we are we are taking the feature 00:25:51.450-->00:25:57.956 code and we are taking input from the dial pattern and then changing the caller ID to what 00:25:57.956-->00:26:02.895 matches there, okay? So actually, the target will be uh, I'll be using star four two the 00:26:05.497-->00:26:12.104 target will be the ten digit uh phone number that goes after that uh uh feature code and then 00:26:12.104-->00:26:18.210 it'll ask for my target which will be myself so it'll ask for the target and then it'll go and 00:26:18.210-->00:26:23.215 call me with whatever number I specify so just to let you guys know I know it's going to be 00:26:23.215-->00:26:28.220 hard and I don't have a video of the caller ID but I will be spoofing from 702-867-5309 who 00:26:30.756-->00:26:34.793 knows why? [Audience: Jenny's phone number] Thank you! 
Okay just making sure, you're at a 00:26:34.793-->00:26:41.767 VOIP talk [laugh] you need to know your numbers. Ah so let's uh let's do this demo because 00:26:41.767-->00:26:46.772 it's demo time [laugh]. Alright, here we go, star four two, [dialing] it said please wait 00:27:09.895-->00:27:14.900 while I connect your call oh, I actually did that backwards [laugh] I'm sorry, I dialed all 00:27:21.139-->00:27:26.144 zeros instead of the other way around so, [beep] okay so this time I called from all eights, 00:27:41.693-->00:27:46.698 it's ringing, [ringing] okay it's hard to see but it's 702-888-8888888 uh so basically 00:27:57.743-->00:27:59.978 what we're doing here uh is making it easier to launch an attack and that's the whole point 00:27:59.978-->00:28:04.983 of this talk is to make it easier to launch an attack so uh and I'll get to that in just one 00:28:07.986-->00:28:12.824 second, so again spoofing caller ID spoofing is not new it's been around for a long time but it's 00:28:12.824-->00:28:18.497 still practical, we can use caller ID spoofing in uh social engineering attacks, um and you 00:28:18.497-->00:28:23.168 can still use it for voicemail hacking on certain carriers but that's that's quickly becoming a 00:28:23.168-->00:28:28.740 thing of the past. Um, but hey it's still something that can be used to gain trust and run an 00:28:28.740-->00:28:35.514 exploit of the human variety. 
Uh so what was all that imagination talk I said earlier, see, it's 00:28:35.514-->00:28:40.118 not Spongebob but it's my friend's drawing, let's see there's a dinosaur in there, uh 00:28:40.118-->00:28:44.089 an upside down purple fish not a gold fish ah but apparently there's imagination, I wonder 00:28:44.089-->00:28:48.260 what goes on in his head, actually I don't, I don't wonder what is going on in his head, ah 00:28:48.260-->00:28:50.462 so what about all that other talk, we had star four one, we had star four zero, we had star 00:28:50.462-->00:28:52.831 four one, and star four two, uh I am working on using star four three as a voicemail brute 00:28:52.831-->00:28:57.836 forcer but what about star four four through star four nine? These aren't used um these 00:29:02.774-->00:29:07.779 aren't used by the North American Numbering Plan association so they're just kind 00:29:09.915-->00:29:13.318 of there for the taking, I'm not stepping on any other administration or I'm not 00:29:13.318-->00:29:17.556 stepping on any other configurations such as uh star sixty nine, or what not that 00:29:17.556-->00:29:21.526 still is used regularly but what are we going to do with all of these other uh feature codes. 00:29:21.526-->00:29:27.799 Well what if we use uh the feature code like star four four as an nmap scan, star four 00:29:27.799-->00:29:32.804 four IP address as your input, right? So you can launch the attack without being at a at a 00:29:34.973-->00:29:40.612 computer, you're doing it from your, you're doing it from your phone, so that's something that 00:29:40.612-->00:29:46.084 I imagine as far as ways that the feature codes can be used. Another thing I see in my head 00:29:46.084-->00:29:52.357 is like a combined attack, like what if we use star four six as both a call flooder and a text 00:29:52.357-->00:29:58.830 message flooder at the same time? 
Like Roswell beat Roxy [laugh] okay nobody gets that 00:29:58.830-->00:30:02.601 reference [laugh] so you have that too. So what are these combined attacks I mean there's 00:30:02.601-->00:30:07.139 a lot of things you can do there's a lot of potential, and I leave that up to you guys, in 00:30:07.139-->00:30:12.310 fact that's my question, uh do we have any idea of another way that we can launch an attack 00:30:12.310-->00:30:17.315 from the star feature code? No? Alright. Um so the idea though here is to launch automated 00:30:22.287-->00:30:29.127 campaigns. So for instance if you had and I'm going to go back to the nmap example, if you 00:30:29.127-->00:30:35.934 used, uh the IP address as um as input when you're dialing you have uh you have a script that's 00:30:35.934-->00:30:40.272 already set up to search for these flags or to scan for these flags uh you know like your 00:30:40.272-->00:30:44.543 Christmas tree and all these other scan flags that you want for your nmap scan you take 00:30:44.543-->00:30:50.148 that IP address as input and then you're launching the attack or the scan from your phone 00:30:50.148-->00:30:55.721 without being in front of a of a computer so that's that's something that I thought was 00:30:55.721-->00:30:59.624 kind of cool. Uh that hasn't been coded yet so that's probably the next thing I'll 00:30:59.624-->00:31:04.563 try. Uh, so it's still going, it's still going, let's see how many I'm at right now I'm at 152 00:31:14.506-->00:31:19.144 [laugh] so there's still a little bit more to go, and there's another one, so uh 00:31:19.144-->00:31:24.349 that's the end of the uh feature codes this is the these are my references, uh the code that I 00:31:24.349-->00:31:30.021 used, the feature codes and the batch scripting it was just it was an Asterisk scripting and 00:31:30.021-->00:31:35.827 bash that's on my GitHub which you can see there that I prepared for Defcon and so there 00:31:35.827-->00:31:40.832 we are. 
Uh are there any questions with uh today's talk? What was that? Oh yeah yeah you 00:31:48.473-->00:31:52.944 know I'll keep that there, go ahead and take pictures I don't care, uh okay so I don't know if 00:31:52.944-->00:31:57.115 there are microphones running around I will try to uh I I have really bad vision so I'll try to 00:31:57.115-->00:32:02.053 see if hands are raised, yes? [audience member: asks inaudible question] uh I'm sorry can you 00:32:11.797-->00:32:17.202 repeat that one more time? >>yeah okay, you're sending it to the email address, couldn't 00:32:17.202-->00:32:22.774 you also, they also have SMS addresses? >>Oh okay I apologize, that's ah me being 00:32:22.774-->00:32:27.512 not so detailed. So the way that this attack is working right now, the one that is still going 00:32:27.512-->00:32:34.419 on, I am actually sending it to that SMS gateway, I uh, the from address was the your mom at porn 00:32:34.419-->00:32:39.424 hub dot com. >>right couldn't you just like bomb somebody basically and run up their data 00:32:41.426-->00:32:46.932 charges? >>Ah yes, in fact a long time ago there was this uh coworker that I had who said I 00:32:46.932-->00:32:53.672 don't need text messaging, five hundred's enough [laughter] you're laughing because you see 00:32:53.672-->00:32:59.244 my face, so five hundred is not enough because you have stuff like stuff like what we've just 00:32:59.244-->00:33:03.782 what we've just mentioned, uh your five hundred allotted monthly text messages will, and 00:33:03.782-->00:33:07.219 I don't think it's a problem in this room, but if somebody has that, I mean you're talking 00:33:07.219-->00:33:12.290 about an average of a half an hour and the rest of your text messages are done for the month 00:33:12.290-->00:33:17.295 >>Okay so with call flood you're spoofing the caller ID? >>yes >>So there's no way to backtrack 00:33:21.700-->00:33:27.372 it for them to get you, trace you? 
>>Uh there would be a lot of work to trace and a lot of 00:33:27.372-->00:33:33.778 involvement with other >>But if you're doing the email or you're doing the SMS then you're 00:33:33.778-->00:33:40.418 probably, probably need to run like your own SMTP over a VPN and come out somewhere else? 00:33:40.418-->00:33:46.458 >>Oh yeah absolutely, all of this can be done, so yep! Uh remember that the folk uh and I 00:33:46.458-->00:33:51.363 know we have a lot of technical people in here obviously so the scope of this talk is how do we 00:33:51.363-->00:33:55.500 launch the attack, now what attack are we talking about? Whether it be like an SMS bomb 00:33:55.500-->00:34:00.538 through a VPN and etcetera etcetera that's obviously there but it's outside of the scope of 00:34:00.538-->00:34:04.376 this of you know this talk but yes, that's there, how you decide to launch the attack is 00:34:04.376-->00:34:09.814 up to you. The bottom line is that these feature codes are input vectors so you are 00:34:09.814-->00:34:15.353 inputting information into your computer that then runs the attack so it's the it's this 00:34:15.353-->00:34:20.759 Linux box that we've set up that runs the attack so it's running the call flooder, it's running 00:34:20.759-->00:34:25.764 the uh text message flooder and that's all you know taken care of on the server end. Uh yes? 00:34:31.369-->00:34:36.374 >>[Inaudible question] >>So once you launch the attack you can't stop it. 
You better really want 00:34:42.514-->00:34:47.852 your target to get these messages [laugh] um now as far as duration goes, that depends 00:34:47.852-->00:34:51.890 on the speed of your computer because of how fast it can send out the spool it also depends on 00:34:51.890-->00:34:57.929 how your carrier handles that type of calling or you know uh mass calling um and another 00:34:57.929-->00:35:02.167 thing too is when we're talking about call flooding um and grabbing all those messages like 00:35:02.167-->00:35:08.239 for instance uh if I wanted to send 100 calls I send such a high amount because not all of 00:35:08.239-->00:35:14.179 them will go through so maybe the maybe your upstream provider only lets through 50 because 00:35:14.179-->00:35:18.783 it's just inundated with a whole bunch of call attempts so it says okay I'll send out 50 but 00:35:18.783-->00:35:24.723 not 500 and that's okay if we want to get the job done, fifty calls gets the message there you 00:35:24.723-->00:35:29.728 go so yes? >>[inaudible question] >>Uhhh not a lot, I don't have the exact numbers, I 00:35:38.837-->00:35:43.208 have been using this VoIP provider for quite awhile and I've never really, I mean, it's 00:35:43.208-->00:35:46.711 cheap calling and that's the cool thing about VoIP right is it's cheap calling so even if 00:35:46.711-->00:35:48.713 you're talking about outbound it's really not expensive at all actually. This attack is very 00:35:48.713-->00:35:50.715 cheap as far as the call flooding goes because if the call is not answered you 00:35:50.715-->00:35:52.717 actually don't get charged for the termination so you're really talking about a penny a minute 00:35:52.717-->00:35:54.719 if answered so it's not it's not expensive at all. Uh over there, I'm sorry? >>[inaudible 00:35:54.719-->00:35:56.721 question] >>So you're asking if I could change it to, I'm sorry if I can do uh MMS like change 00:35:56.721-->00:35:58.723 the address of the MMS? 
Oh okay um so this SMS flood is actually a an MMS attack vector so you're 00:35:58.723-->00:36:03.661 using the email gateway so you can I'm sorry what was that you're using the what? Um that's 00:36:51.710-->00:36:55.914 a good question I will have to find out, I didn't do that for this talk so uh I could do 00:36:55.914-->00:37:00.852 research and we could talk about that so. Uh orange shirt please [audience: inaudible question] 00:37:07.392-->00:37:12.530 Oh and keep it on the line? Actually yes you can, so that's that's a good way to piss off 00:37:12.530-->00:37:18.436 the attacker right? Uh luckily with all of my testing, that hasn't happened. But I'm 00:37:18.436-->00:37:22.640 testing, you know, it's it's there, everybody who has been called, knows that I'm calling, 00:37:22.640-->00:37:27.645 but uh yeah that's a good way to just rack up the bill. Uh not yet but I will now [laugh] but 00:37:30.949-->00:37:34.219 you know, that's okay that's why I come to these things, that's why I come to Defcon because you 00:37:34.219-->00:37:39.224 guys have better ideas than I do so I'm going to limit myself now, alright, any other 00:37:43.294-->00:37:49.234 questions? >>[inaudible question] >>Um so it depends on the channel uh I believe like I 00:37:49.234-->00:37:53.071 have a ten channel trunk so we're talking about like ten consistent calls of like like 00:37:53.071-->00:37:58.910 consecutive calls so if uh if you have like a line of five hundred or five hundred calls, 00:37:58.910-->00:38:03.848 ten will go at a, uh ten will go out at a time. >>[inaudible question] >>Uh let's make that 00:38:09.921-->00:38:14.926 star four seven [laugh] right? 
Remember we still have all these feature codes uh and again I am 00:38:16.995-->00:38:22.000 grabbing all of these ideas so hopefully I get to code it first [laugh] um but yes that is 00:38:22.000-->00:38:27.172 absolutely possible, uh the uh basically you spoof one then you spoof the other they call each 00:38:27.172-->00:38:33.611 other and piss each other off so ex boyfriend, ex girlfriend, call at 2 in the morning, ooooh 00:38:33.611-->00:38:38.616 [laugh] uh let's see let's see if I can get any from this side, any questions guys? Yes >>Uh are 00:38:41.319-->00:38:46.324 you able to accept input from the victim like if they hit call or if they press number three 00:38:49.027-->00:38:53.798 have another script run? >>Uh yes actually, you would have to set up an IVR to do that, so an 00:38:53.798-->00:38:59.270 IVR for those that don't know is like an auto attendant, so you answer a call and it's like, so 00:38:59.270-->00:39:03.575 you're saying press one for billing, press two for not getting owned, press three for 00:39:03.575-->00:39:10.148 an operator, so you can do that yes, so basically the call would wait for input from the user and 00:39:10.148-->00:39:15.486 it could then pick their poison, oh I want to get call flooded today [laugh] let's dial zero 00:39:15.486-->00:39:21.392 for that, or let's let's get a thousand text messages, let's dial two. That's definitely 00:39:21.392-->00:39:26.397 possible. Any other questions? Up front where? I am blind, ah yes >>[inaudible question] >>Um, 00:39:36.641-->00:39:41.746 respect I guess? 
Like I mean there really is nothing stopping me from using any of the feature 00:39:41.746-->00:39:46.684 code the PBX is my own creation as far as like you know the way it's set up the call flow 00:39:46.684-->00:39:52.090 etcetera, so I could set up star 69 to do an attack like this, I just pick these other feature 00:39:52.090-->00:39:56.728 codes because I didn't want to step on anybody's toes not that I would be but it's almost like 00:39:56.728-->00:40:01.466 a like phreaker honor code like oh you know I'm not going to mess with the system that's 00:40:01.466-->00:40:05.904 already there in place, I'm going to use that system, but let's keep you know star 69 for 00:40:05.904-->00:40:10.908 what it is you know? It's It's my own limit. Was there a question in the front? Way okay 00:40:13.011-->00:40:17.348 sorry the speaker was like sorry the speaker was in the way and I don't mean me, I mean the the 00:40:17.348-->00:40:22.120 speaker. Uh if you have that question go ahead and answer- er ask it, yeah >>[inaudible 00:40:22.120-->00:40:27.125 question] [laughter] >>I believe we have star four nine [laughter] again you guys uh all 00:40:38.136-->00:40:43.641 of this is very good question all of this is potential ah and this is all uh within your minds 00:40:43.641-->00:40:50.114 of like how do I want to code this thing so basically what I put here is kinda like a a 00:40:50.114-->00:40:54.852 infrastructure a way to maybe do it but remember we don't have star four four we don't have 00:40:54.852-->00:40:59.557 star four five yet so what else can we come up with? Absolutely we can do something like that, 00:40:59.557-->00:41:04.495 that that can all be coded. Yes >>[inaudible question] >>I'm sorry >>how about you call dump 00:41:09.767-->00:41:15.640 them and it puts them on hold for forty minutes? 
>>Ah now you're talking about toll fraud, 00:41:15.640-->00:41:21.512 toll fraud, we'll call a 900 number well no I'm not going to call a 900 number [laugh] that's 00:41:21.512-->00:41:26.584 three dollars a minute [laugh] uh but yeah again it's all potential it's all there uh 00:41:26.584-->00:41:31.756 anything you want to do now it's up to your creativity so if this is inspiring to you guys, cool 00:41:31.756-->00:41:38.262 um and I mean that that's where it is I've we've laid down some ground work and uh if you guys 00:41:38.262-->00:41:43.768 have some coding ideas follow me on Twitter, get me on GitHub and uh let's talk about what we can 00:41:43.768-->00:41:48.773 do next. Let's break some shit. In within reason. [laughter] within reason please [laugh] Uh 00:41:51.642-->00:41:55.646 so I have five minutes here guys, I just want to say thank you again this is the biggest 00:41:55.646-->00:42:00.585 crowd I've ever spoken in front of and it's not even big one of a con [applause]