>Hi! Welcome to track 2. [crowd responds] Yeah! [applause] So I'm Fish, this is Jonothan. Um, we're going to abuse VNC really, really badly. Um. Do you have anything? No? Yeah?
>>No. I'm good.
>[laugh] Right. So this is us. Yeah, fun times. We both do terrible, terrible things on the internet. Uhhh, usually on Twitter, it's usually public and usually it's very, very amusing. So internet stuff, it seems like it's getting nicer, but it's proliferating lots and lots of horribly broken vulnerable devices, so the internet is getting pretty bad. Uhhh, it's not really getting better, they keep adding more problems and more vulnerabilities and no one gives a crap about security. And then you have this sort of thing happen, and then this sort of thing happens, and then basically this is just us, saying hey dude, you can totally see the faint outline of some cyber cyber something legislation in there. And you can smell the totally-you-are-not-allowed-to-hack-all-the-routers proposals. [Sniff] Yeah, that's right, that was the... who was it? Was it the FCC? So, hahah, cameras.
>> Yeah, so I was doing a talk back in March this year and uhhh the screen you are seeing on the left was a house. Was actually close to where I was doing the talk, and I was also talking about VNC stuff and I just popped open a window and I'm like hey, this is a house, if you look to the left, you can probably see it. And there's just a bunch of stuff, so you can go from cameras to people putting SCADA stuff on cameras. Umm, and over time, sometimes stuff gets fixed.
So this company had this on VNC, you could basically go into the settings and people could mess things up. And what they did when I reported it was they removed it, and on the same IP address something else came back, and it was a camera and it was looking at the same screen we had on VNC before. [Laughter] Just so people couldn't screw with the settings. But you know, it's okay, because now you cannot just mess with anything, and they just want to remotely see what's going on, uhhh, in the factory. Ummm, this is another interesting one. So there's a company in my country, and when you ship something back because you don't want it, they unpack it to see if you didn't mess with it, if you didn't unpack it. This is the camera showing the guy unpacking all this stuff, because they want it registered in case something's up. So I could send my own package and see it passing by, basically. Now something else that I've been doing, which is kinda sketchy sometimes, is look at the Middle East. They have a ton of interesting stuff. I only put this one on there because I don't wanna, I don't know, put people off. Or get the wrong people looking at me. But there is like a bunch of cameras and a bunch of interesting devices online in the Middle East as well.
> Hahaha, what could possibly go wrong? It's burn your house down as a conference. Ummm, umm, so let's, let's introduce, introduce some 5th dimensional thinking.
It seems the world at large is now in 1999, realizing there is more on the Internet than Facebook and Candy Crush, and this realization has terrified people enough to believe that they need to have like support groups to cope with that idea. So we see, uhh uhh, something like this, and for two guys that spend their time trolling the internet and finding ridiculous, ridiculous stuff that shouldn't be on the internet, we are just like what the f.... really? Huhhhh. So this. [Laughter]. Hmmm.
>> hahaha.
>Yup, you can browse the internet from your fridge, what could go wrong? [Laughter]. Hahah
>> Yeah, sometimes you find the most sketchy devices. So this one wasn't connected online, uhhh, this is basically, uhhh, it doses the drugs you get in hospitals. Uhh, but these used to be hooked up on the hospital networks locally and you could telnet to them, and they could do statistics and, you know, change values. Ummm, but somebody thought, you know, we need to upgrade this, it, we need to rebrand this. We need to sell more of this basically, so you know it's running Linux sort of as well, so let's just add wifi 'cause that's good. So they have telnet, but nobody added authentication. [Laughter] [Crowd gasping]. So that's kinda good. But then somebody actually got a CVE for the thing not having authentication, so apparently you can now get CVEs for features you want to have, which is kinda neat. We don't really know what's up with that.
> Hahahaha. I don't even. [Cheers from crowd] [Laughing]. I'm not sure.
I think this is one of these there-are-no-words slides. So we are just gonna show you a picture. What could possibly go wrong? Umm, so, uhhh. Apparently there's, I'm not gonna read this slide to you because I'm sure most of you in the room can read. Ummm, apparently there are toasters that will complain to you if you don't feed them whole wheat bread. You are not allowed to eat this kind of bread, you have to eat that kind of bread. Umm, and fridges are shutting down when certain types of consistency... um, inconsistencies are detected. So now you have your fridge telling you like: you can or you can't eat your food, or you can't refrigerate your food. 'Cause you know, that's fine. Ummm, and then cut to more internet be-douchery and you have this, umm, which we found on VNC. We are... what on earth is that? At the time, the little red arrow was moving over this grid. So if you ever played that game in the 80s, it was Spectre or something, it looked like that. It was like this little arrow and it was moving over this grid, and we are like that's really weird, it's alive. So we looked it up and it's this tool that's used by farmers to... oh, was it water, no it's not water? Maybe it's.... it's something involving travelling over crops and I can't remember whether it was to give them nutrients or to, to water them, or to collect things. But uhhh, there's a video that we are trying to get. There you go! And wonder if it will let us, no it won't let us skip it. So like, sorry to make you wait for 30 seconds, but this is their demo video.
This is their like reel, and you can see it at about the 45 second mark, you can see it behind the dude's head. This guy is in a tractor and this thing is kind of like, if Tesla was wearing overalls and had a hayseed. [Laughter] It drives the tractor and it like keeps track of where has been dealt with, and in a minute he pans up and he moves his head and the dude points at the thing. The audio was crap so we cut the idea, but uhh, like this thing, this device, is on the internet with no authentication, and you can like: You want to take control of a tractor? Over the internet? [Laughter] 'Cause you can do that, because somebody thought it was a good idea. And now we have this. Fun, fun times. Hahaha
>> So what's also interesting, like all these devices are on 3G, 4G uplinks, so if you just scan certain Verizon and AT&T networks, you will get different stuff pop up every time. So this one, you couldn't find it back if you scanned the next day, it would be somewhere else. Whenever they turned it on and whatever IP they got. Ummm, so yeah, we got this ancient industrial stuff we've been tweeting about mostly, like any dam or water irrigation system, we will find it. But there is a lot of new toys basically, just like the infusing thing at the hospital. There is also this, which is an exercise bike. This was in Hawaii and we could get the exercise bike and remotely see like the screen, we had to press start and pick what you wanted, and then we actually found one that was live.
So you could see like the guy... well, you could not actually see the guy cycling, but at least you could see him, you know, him progressing.
> How to embarrass yourself over the internet, live.
>>Hahahaha. And there's also this kind of stuff. So this is like a solar power thing you can have at home. [Cough]. These were all open in Germany, so the manufacturer didn't do anything, and again they were on 3G sections of the network. And it was reported and they said they fixed it, so what they did, they added a new GUI and then they said it's fixed. [Laughter]. They are still there basically. And yeah, you found your boat.
> Why is there a yacht on the internet? Who thought this was a good idea? It lets you control the engine. There is not enough booze at this conference. Anyway, there is a lot of that, but it happens on Twitter. Why... I don't even. You find... what do you do? You find a yacht on the internet, and then what? You just go [inaudible]. You make a meme, or you download Instagiffer and you make some gifs. Umm, but it gets worse, it gets much worse. Fun times.
>> Yeah, so sometimes you find really weird sketchy stuff. So this was a guy who was cashing out people's accounts, and he was on VNC. So we could basically see him like, uhh, pull out accounts, so the right side column is the email address and says if it has any balance, if it's connected to Mastercard or VISA, and then if he pulled anything off of it, like if it had a positive balance.
And this guy is just cashing out people and we could just watch him do this on VNC, which is kind of interesting. Oh yeah, and then you found your aquarium.
> Hahaha. I thought this was an aquarium and I thought wow, someone spent a lot of money on their saltwater aquarium. It was the ocean, the ocean. This was a camera that was in a place I did not know existed at the time. The Maldives, which is apparently a very, very fancy island chain. This is a camera in a hotel that's shaped like an octagon, that's below the ocean. It's like submerged, and one side of the restau... it's a restau... it's a restau.. yeah, the restaurant is submerged and one side of it, this whole thing is this big octagon of plexiglass. So you go and you have dinner under the ocean, and one side of it has coral reef, and the camera that's on their website, which sort of advertises their hotel, is pointing out the window. So when you see it, this is what you see and you are like, whoa, that's kind of interesting. And it's RTSP, and it's live, and if you know the address and you know how to plug it into VNC, you can just hit play and just full-screen it on one of your displays. And then you have this huge fish tank, right. So it's really neat, this is the view from dinner. Like if you can afford the $16,000 a night hotel room. But you can also do what I did, which was leave it up full screen and be like, this is really neat, I'll just leave it up while I'm working, whatever. Then you go out and you have dinner and you are like what the f... what? Why are there people?
There were divers on the other side that had gone in and were cleaning the glass. Ummm, but yeah. When you think you find everything, you find this and you realize, no, there's still more. Umm, but yeah, and yet there is still much more. It doesn't end, it never ends.
>> Yeah, and it goes from funny to really bad. So this is a cardiac imaging device, which was online. You could just reach VNC, open, nothing. Same kind of stuff, 3G network, so one day you would find it, the other day not. Just depends if it's actually turned on. Ummm, so you have this thing which is, it's in some kind of company, and it's to scan badges or to register badges. They put up their finger for the fingerprint screen and it pops up all their information. So would you want to steal identities, you just sit there, you have a fingerprint, you have all of their information. You just wait and you go printscreen, printscreen, printscreen. [Laughter] Yeah. Ummm, and then we found this, which is kind of interesting. So usually if you want to SWAT somebody, you usually do a call, and at the end you will just end up in jail or fined. You can now do it over VNC. [laughter] So this is some, yeah, some station somewhere, and this is the software they use to control which patrols are out where. And we could just call one up, basically. So let's say you want to SWAT somebody, you just enter the address, you send 10 squads there and you hit go, and they all get an update and they go there. [Laughter]. So yeah... a little less traceable.
Umm, and then there's this, so originally I thought this was like a device controlling an X-ray machine. Turns out, umm, you actually need to press a button on the hardware to make an X-ray image. Then this is stored on a data store and then you have a machine that interacts with the datastore. So what I was looking at was some doctor, I guess, who was working with the data on the datastore, and he was just making notes and annotations in the documents, basically. Yeah, my guess at first was he was controlling it, but yeah, close enough, right? Ummm, so yeah, we do a lot of scans. As in literally we are probably one of 5 people who constantly [laughter] bash VNC on the globe.
> Is, is Erodo Rob in the room? No. Is John Matherly in the room? No. Uhh, there's basically 6 of us that scan the whole world routinely for VNC, and like 4-5 of us are at CON. So yeah, fun times.
>> Yeah, so we do scans and we get back results basically... we.. I usually scan for the RFB header. So connect on anything on known ports, expect RFB headers back and just store them and store the IP addresses. And you get about 335000 that will respond to you. 8000 of those will not have authentication, you can connect and do whatever you want. Ummm, now what's interesting, when you look at the versioning. So you get back all these banners and you get like a major and minor version, I can just.. you can just graph these. Umm, but if you look at the official versioning, or the official documents that were brought out saying this is version 3 point something.
Ummm, there's 3.3, 3.7 and 3.8, those are the official versions basically. Now if you look in these graphs, these should not exist, these are numbers that make no sense. There's a bunch more that should probably not exist, but when you look at them you can kinda figure out what it is. So um, you go to Apple Remote, uhhh, Desktop, which basically what they did, they changed the authentication to use Apple ID kind of stuff, but the rest of the VNC part, it's pretty normal, it's standard VNC, just different authentication. Ummm, you go to RealVNC Personal, so the guys who originally wrote the RFB protocol, they actually made a company and now they're also selling products. So you got RealVNC Personal which is on 4.00.
> Just hit the 5 minute mark.
>> Ohhh.
> Only 5 minutes left.
>> So then you have RealVNC Enterprise which is 5.0.1, you got something unknown, and then you have the guy who has been messing with us. He's basically running a honeypot, gives back whatever number, ummm, depending on the port you connect to. But there is something else with no version, saying 0.0.0. Umm, 3.5 thousand actually. We found a bug, so I'll just kinda skip through this 'cause we are sort of slowly running out of time. Basically we got a discussion on Twitter, and we ended up finding a really nasty bug in this thing, so uhhh, too much talk. Let's see. So what it ended up with is this. We can use these VNC devices to reflect back on the internet, or reflect back onto the internal network.
So these are 3 and a half thousand devices which allow us to use them as anonymous proxies, or it can go back into their network, which are just open. No authentication, nothing. Full port control through some bugs we had, umm, we actually got this CVE for this, because he fixed.. uhh, we did port dropping and they fixed it. [Clapping]. Heyyy! Umm, but it actually gets worse, so he did a fix, there was a CVE, he made an update, and then 4 days ago when I was making these slides, or sort of finishing them, he got back to me and said: hey, why are you using this bug, there's also like a feature to do this. You don't need to abuse this bug to do port dropping and connect anywhere, you really don't.. you can just do it anyway. So this means that you can connect to any host on any port on any protocol, inside or outside the network, through these devices. Ummm, and even more interesting, these devices have blacklisting.... uh, whitelisting. This is locally hosted, so if you connect to one, and you connect to localhost on these things, you can get on the interface and you can just turn off filtering. So literally if you do curl through these things, you set allow connection, refused connection to nothing, all the filtering is gone and you can go anywhere that you like. That's kind of neat.
>Yeah, the fix was whitelisting, but you just proxied to localhost and turned off the whitelisting. [Laughter]. Okay, good job.
>> So we called this Stargate, because you know people get the reference, you go in somewhere and you don't know where you end up.
Sometimes you end up from the same IP address, sometimes you go through somebody's network out to the internet on the other side. We don't know where. So basically it's an open proxy and you can pivot into it and get to anything inside. We made Python scripts, so if anyone wants to look at this, it's up there. If someone actually manages to use this in some kind of red-teaming or a pentest, please tell us. Because we haven't found anything interesting on the inside yet, it's pretty difficult to go into a network and then you sort of have to guess what's always gonna be there, except the web interface. Ummm, so we have some demos, so let's actually see if we can do this.
> 2 and a half minutes for demo.
>> In time. We will do the most interesting one actually. [Laughter] Uhhh, let's see. Alrighty, have the. Okay, what I did is I run a Stargate proxy locally on my host and I have a VM that's proxying towards my host, through the Stargate proxy, through the Stargate back on the internet. Umm, sooo, ummm, we can do the most interesting one then before we run out of time. So there's a bunch of them online, but this is one we found which was kind of interesting. Uhhhh. So let's see if we can then probably go to Google if it works. So just to show you can go into Google, and it will.. it works. Proxy through Stargate back on to Google, depending how fast it is. Here we go. What language is that? Is it just? [Audience inaudible] Well, there you go, apparently this is in France.
> Yeah, it's French. Yeah.
>> So let's see what happens if we actually go to the server, uhhh, it's hosted on.
> So this is browsing the localhost.
>>Oh, there's one thing. This thing does not support concurrent connections. So this, you are doing localhost, you get by Google 404s, it's because it's badly caching. Yeah. So now, alright, so now we get something internal in this network. We get an Apache server which is in the network, we cannot reach it from the outside. Uhhh, and then we can actually, with this one, go server-status, uhhh, I can barely see it typing. [Inaudible]
>There you go.
>>Internal server status page, from a pa... from an internal service, through a proxy, through the Stargate.
>So this should only be available to localhost, but because we are proxying through the box that's hosting the thing, we are localhost. So fun times. Are we done? [Clapping]. Yeah! Alright. We are done done. Thank you everybody. [Clapping]