Hi, welcome to track two. Yay! So I'm Vist, this is Jonathan. Um, we're gonna abuse VNC really, really badly. Um, do you have anything? No? Yeah? No, I'm good. Right, so this is us. Um, yeah, fun times. We both do, we both do terrible, terrible things on the internet. Uh, usually on Twitter it's very, very public and usually it's very, very amusing. Um, so internet stuff is, it seems like it's getting nicer but it's proliferating lots and lots of horribly broken vulnerable devices, right? So the internet's getting pretty bad. Um, it's not really getting better. They keep adding more problems and more vulnerabilities and nobody gives a crap about security and then you have this sort of thing happen and then this sort of thing happen and then basically this is just us saying like, hey, dude, you could totally see the faint outline of some cyber, cyber something legislation in there and you can smell the totally, you're not allowed to hack all the router's proposals. You can, yeah, that's right, that was the, uh, what was it, FCC? Yeah. So, cameras. Yeah, so I was doing a talk back in March this year and, um, the screen you're seeing on the left was a house that was actually close to where I was doing the talk and I was also talking about VNC stuff and I just popped open the window. It's like, hey, this is the house. If you look to the left, you can see the stuff. You can, you can probably see it. And there's just a bunch of stuff. So you can go from cameras to people putting SCADA stuff on cameras. Um, and over time, sometimes stuff gets fixed. So, um, this company had this on VNC. It could basically go into the settings and people could mess things up. Uh, and what they did when I report is they removed it and then on the same IP address, something else came back and it was a camera. It was looking at the same screen we had on VNC before. Just so people couldn't screw with the setting. Uh, so, uh, I think that's a good thing. 
But, you know, it's, it's okay because now you cannot mess with anything and they just want to remotely see what's going on, uh, in the factory. Um, this is another interesting one. So, there's a company, uh, in my country and when you ship something back because you don't want it, uh, they unpack it and they check to see if you didn't mess with it, if you didn't unpack it. This is the camera which shows the guy who's unpacking all this stuff because they want to have it registered in case something's up. So I could send back my own package and then see it pass by basically. Now, something else I've been doing which is kind of sketchy sometimes is look at the Middle East. They have a ton of interesting stuff. I only put this one in there because I don't want to, I don't know, put people off or get the wrong people looking at me basically. But there's, there's like a bunch of cameras and a bunch of interesting devices online in the Middle East as well. What, what could possibly go wrong? It's burn your house down as a conference. Um, so let's, let's introduce some 5th Dimension. It appears as though the world at large is now in 1999 realizing that there's more on the internet than just Facebook and Candy Crush. And this realization has terrified people enough to believe that they need to have like support groups to cope with that idea. So we see a, a, something like this and for two guys that spend their time trolling the internet and finding ridiculous, ridiculous stuff that shouldn't be on the internet, we're just like, what the? Really? So, this. Yep. You, you can browse the internet from your fridge. What could go wrong? Yeah, so sometimes you find the most sketchy devices. So this one wasn't connected online. Uh, this is basically, um, it, it doses the drugs you get in the hospitals. Uh, but these used to be hooked up on the hospital networks locally. You could tell that to them and they could do statistics and, you know, change values. 
Um, but some of these things, um, they, they, they, they, thought, you know, we need to upgrade this. It, we need to rebrand this. We need to sell more of this basically. So, you know, it's running Linux, sort of, as well. So let's just add Wi-Fi because that's good. They have Telnet. But nobody added authentication. So, that's kind of good. But then somebody actually got a CVE for the thing not having authentication. So apparently you can now get CVEs for features you want to have, which is kind of neat. So, we don't really know what's up with that. Um, I, I, I don't even. I'm, I'm not sure. I think this is one of the there are no words slides so we're just going to show you a picture. Like, that's the greatest expression. What could possibly go wrong? Um, so, apparently there's, I, I won't read the slide to you because I'm sure most of you in the room can read. Um, apparently there are toasters that will complain at you if you don't feed them whole wheat bread. Like, you're not allowed to eat this kind of bread. You have to eat that kind of bread. Um, and fridges are shutting down, um, when certain types of consistency, inconsistencies are detected. So now you have your fridge telling you, like, you can or can't eat your food. Or you can't refrigerate your food. Because, you know, that's fine. Um, and then cut to more internet badooshery and you have this. Um, which is, uh, when we found it on, on, uh, VNC, we're, we're, what on earth is that? And at the time, the little red arrow was, like, moving over this grid. So have you ever played that game in the 80s, like, Spectre or something? It looked like that. It was like this little arrow and it was moving over this grid. And we're like, that's really weird. It's alive. Um, so we looked it up and it's this tool that's used by farmers to, oh, is it water? No, it's not water. Maybe it's, it's something involving traveling over crops. 
And I can't remember whether it's to give them nutrients or to, to, uh, water them or to collect things. But, um, there's a video that we're trying to get. There we go. So, um, I wonder if it'll let us. Yeah, it won't let us skip it. So, like, sorry to make you wait for 30 seconds. But, like, this is their demo video. This is their, like, reel. Um, and you can see it at about the 45 second mark. You can see it behind the dude's head. This guy's in a tractor and this thing is kind of like if Tesla was wearing overalls and had a hayseed. Like, it drives the tractor and it, like, keeps track of where has been dealt with. And in a minute, uh, it, he pans up and he, like, dude moves his head and he points at the thing. The audio was crap so he cut the audio. But, uh, like, this thing in this device is on the internet. With no authentication and you can, like, you, you want to take control of a tractor over the internet? Because you can do that. Because somebody thought it was a good idea. And now we have this. Fun, fun times. Yeah, so it's also interesting, like, all these devices are on, like, 3G, 4G uplinks. So if you just scan certain Verizon and AT&T networks, you'll get different stuff pop up every time. So this one, you couldn't find it back if you scanned the next day. It would be somewhere else. Whenever they turn it on and whatever IP they got. Um, so, yeah, we got these ancient industrial stuff. We've been probably tweeting about mostly, like, any dam or water irrigation system. We'll find it. But there's a lot of new toys, basically. Just, like, the infusion thing at the hospital. Um, there's also this, which is an exercise bike. This was in Hawaii. And we could get the exercise bike and remotely see, like, the screen where you have to press start and then pick whatever you wanted. And then we actually found one that was live, so you could see, like, the guy. Or you couldn't see the guy cycling, but at least you could see, you know, him progressing. 
How to embarrass yourself over the internet live. And there's also this kind of stuff. So this is, like, a solar cell power thing you can have at home. Um, these were all open in Germany. So the manufacturer didn't do anything. And again, they were on, like, 3G, uh, sections of the network. Uh, and it was reported. And then they said they fixed it. So what they did is they added a new GUI. And then they said it's fixed. There's, they're still there, basically. Um, yeah, and you found your boat. Why is there a yacht on the internet? Who thought this was a good idea? It lets you control the engine. There isn't enough booze in this conference. Uh, so, uh, anyway, yeah, so there's a lot of that, but it happens on Twitter. Why, I, I don't even. Like, you find what, what do you do? You find a yacht on the internet and then what? You just go, you make a meme. That, that's, you, you download Instagiffer and you make some gifs. Um, but it gets worse. It gets much worse. Fun times. Yeah, so sometimes you find really weird sketchy stuff. So this is a guy who was cashing out PayPal accounts. Uh, and he was on VNC. So we could basically see him, like, uh, pull out accounts. So, like, the right side, first column is all the email addresses, then it says if it has any balance, if it's connected to a MasterCard or Visa, and then if he pulled anything off, like if it had a positive balance. And this guy was just cashing out PayPal and we could just watch him do this on VNC. Just kind of interesting. Yeah, and then you find your aquarium. I thought this was an aquarium and I was really excited, like, wow, somebody spent a lot of money on their salt water aquarium. It was the ocean. The, the ocean. Um, this was a camera that was in a place that I didn't know existed at the time. The Maldives, which is apparently a really, really fancy island chain. 
This is a camera in a hotel that's shaped like an octagon that's below the ocean. It's like submerged and one side of the restaurant it's a it's a yeah the restaurant is submerged and one side of it like the whole thing is this big octagon of plexiglass. So you go in here and it's like a big plexiglass and you go in here and it's like you have dinner under the ocean and one side of it has coral reef and the camera that's on their website that sort of advertises the hotel is pointing out the window. So when you see it I mean this is what you see. You're like whoa that's kind of interesting and it's RTSP and it's live and if you know the address and you know how to plug it into VNC you can just hit play and just full screen it on one of your displays and you have this huge like fish tank right? So it's really neat. Like this is this is the view from dinner like if you can afford the $16,000 a night hotel room. But you can also do what I did which was leave it full screen and be like oh this is really neat I'll just leave this up while I'm working whatever. And then you go out for like dinner or whatever and you come back and you see this and you go what the what why are there people? Um there were divers on the other side that had gone in and were cleaning the glass. Um but yeah when you think you found everything you find this and you go no there's still more. Um but yeah there's and yet there is still much more. It doesn't end. It never ends. Yeah and it goes from funny to really bad. So this is a cardiac imaging device. Um hmm. Which was online. You could just reach VNC open nothing. Same kind of stuff 3G network so one day you would find it other day you won't. Just depends if it's actually turned on. Um so you have this thing which is it's in some kind of company and it's like to scan badges or to register badges. They put up their finger for fingerprint screen and it pops up all their information. So would you wanna I don't know steal identity? 
You just sit there, you have a fingerprint screen. It's like a fingerprint. You have all their information. You just wait. You just go print screen, print screen, print screen. It's, yeah. Um, and then we found this. Which is kind of interesting. So let's say you wanna swat somebody. You usually do a call and then at the end you'll just end up in jail or fined. You can now do it over VNC. So this is some, yeah, some station somewhere and this is the software they use to manage, like, which patrols are out where. And we could just call one up basically. So let's say you wanna swat somebody. You just enter the address. And then you just send, like, I don't know, 10 squads there and you hit go. And they all get an update and they go there. So yeah. Little bit less traceable. Um, and then there's this. So originally I thought this was a device that was controlling, like, an X-ray machine. Turns out, um, you actually need to press a button on the hardware to make an X-ray image. Uh, and this is stored on a data store and then you have a machine that interacts with the data store. So what I was looking at was actually some doctor, I guess. Who would like to know if I need to use a device that would perform the same kind of was working with the data on the data store and he was just making notes and annotations, uh, in the documents basically. So yeah, my guess was first that he was actually controlling it, but he wasn't, but close enough, right? Um, so yeah, we do a lot of scans, as in literally we are probably one of the five people that constantly bash VNC on the globe. Is, is Errata Rob in the room? No? Okay. Is John Matherly in the room? No? Okay. There's basically six of us that scan the whole world routinely for VNC and, like, four or five of us are at con. So just fun times. 
Yeah, so we do scans and we get back results, basically. We, I usually scan for the RFB header, so connect on anything on known ports, uh, expect RFB headers back and just store them, store the IP addresses, and you get about three hundred and thirty five thousand that will respond to you. Eight thousand of those will not respond to you. Uh, and then you get about three hundred and thirty five thousand. These are numbers that make no sense. There's a bunch more that should probably not exist. Um, but if you actually look at them you can sort of figure out what it is. So, um, you got Apple Remote Desktop, which, basically what they did is they changed authentication to use Apple ID kind of stuff. Uh, so the rest of the VNC part, it's, it's pretty normal. It's, it's standard VNC, just different authentication. Um, you got RealVNC Personal. So the guys who originally built, uh, the RFB protocol, they actually made a company and now they're also selling products. So you got, uh, RealVNC Personal, which is on, uh, 4.00. Alright, so then you got RealVNC Enterprise, which is 5.01. You got something unknown and you have a guy who's been messing with us. He's basically running a honeypot. Gives back whatever number, um, depending on the port you connect to. But there was something else with no version. So you got a version saying 0000. Um, 3.5 thousand, actually. Um, so yeah, we found a bug. I'll just kind of skip through this because we're sort of slowly running out of time. Basically we got a discussion on Twitter and we ended up finding a really nasty bug in this thing. So, uh, too much talk. Let's see. So what it ended up with is this. 
So we can use these VNC devices to reflect back on the internet. Or reflect back into the internal network. So these are 3.5 thousand devices which allow us to use them as anonymous proxies. Or we can go back into their network. Which are just open. No authentication. Nothing. Full port control through some bugs we had. Um we actually got a CVE for this. Uh because he fixed uh we did port wrapping and they fixed it. Yay! Um but it actually gets worse. So he did a fix. There was a CVE. He made an update. Um and like 4 days ago just when I was making these slides or sort of finishing them. Um he got back to me and he said hey why are you using this bug? There's also like a feature that can do this. You don't need to abuse this bug to do port wrapping and connect anywhere. You really you don't. You can just do it anyway. So this means you can connect to any host on any port on any protocol inside or outside the network through these devices. Um and even more interesting these devices have blacklisting, whitelisting. Um this is locally hosted so if you connect to one of them and you connect to a local host through these things you can get on the interface and you just can turn off filtering. So literally if you do a crawl through these things you set allow connection and refuse connection to nothing. All the filtering is gone. You can go anywhere you like. That's that's kinda neat. Yeah the fix was whitelisting but you just proxy to local host and turn off the whitelisting. Okay good job. Yeah so we call this Stargate because you know people who get the reference you go in somewhere you don't know where you end up. Sometimes you end up from the same IP address. Sometimes you go through somebody's network out to the internet on the other side. We don't know where. So basically it's an open proxy and you can pivot into it and go through anything inside. 
We made Python scripts so if anybody wants to look at this and use it it's up there. If somebody actually manages to use this in like some kind of red teaming or pen test please tell us. Because we we haven't found anything interesting on the inside yet. It's pretty difficult. You go into a network and then you sort of have to guess what's always going to be there except the web interface. Um so we have some demos so let's see if we can actually do this. Two and a half minutes for demo. In time. Okay yeah we'll do the most interesting one actually. Uh let's see. I already have the yeah so what I did um I'm running a Stargate proxy locally on my host and I have a VM uh which is proxying towards my host through the Stargate proxy through the Stargate uh back on the internet. So um we can let's do the most interesting one then if we don't have enough time. So there's there's a bunch of them online but this is one we found which is kind of interesting. Uh so let's see we can probably go to Google if it works. So just to show you can go into Google and it will. If it works proxy through the Stargate back onto Google. Depending how fast it is. Here you go. So what language is that? Is it just. Oh well there you go. So this thing is apparently in France. Yeah. Okay that's French. So let's see what happens if we actually go to the server uh it's hosted on. Um. So this is browsing the local host. Oh there's one thing. This thing does not support concurrent connections. Yeah. So this you're doing local host you get by Google 404 so it's because it's badly caching. So yeah. So now. Alright so now we get something internal in this network. We get an Apache server which is inside the network which we cannot reach from the outside. Uh and then we can actually with this one go server status. I can barely see if I'm typing correctly. Is it good? Alright so. There you go. Internal server status page from a page. From an internal server status page. From a service. 
Through a proxy through the Stargate. So this should only be available to local host but because we're proxying through the box that's hosting the thing we are local host so fun times. Yeah. Are we done? Okay. Yeah. We're done done. We're done done. Okay. Thank you everybody. Thank you.
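The RFB banner scan and version tally the speakers describe, written up as an added example for an exposure inventory; this is not the speakers' scanner, and every banner and address below is constructed (RFC 5737 documentation addresses), not real scan data. It classifies what each responder announced and flags servers whose RFB handshake offers security type None, i.e. no password at all.

```python
"""Classify VNC (RFB) handshake bytes collected by an exposure scan: which
responders really speak RFB, which version they announce, and whether the
server itself offers a no-password login. Added example; sample bytes are constructed."""
import re
from collections import Counter

# ProtocolVersion message: exactly 12 bytes, "RFB xxx.yyy\n" (RFC 6143 7.1.1).
RFB_BANNER = re.compile(rb"\ARFB (\d{3})\.(\d{3})\n\Z")

# Security-type codes: 0-2 from RFC 6143; 30 is the registered Apple ARD type.
SECURITY_TYPES = {0: "invalid", 1: "None", 2: "VNC Authentication",
                  30: "Apple Remote Desktop"}

def parse_banner(data):
    """Return (major, minor) for a well-formed RFB banner, else None."""
    m = RFB_BANNER.match(data)
    return (int(m.group(1)), int(m.group(2))) if m else None

def server_security_types(version, data):
    """Decode the security announcement the server sends after the version exchange."""
    if version < (3, 7):
        # RFB 3.3: one big-endian U32 security type chosen by the server.
        return [int.from_bytes(data[:4], "big")] if len(data) >= 4 else None
    # RFB 3.7+: U8 count, then that many U8 type codes; a count of 0 means refused.
    if not data or data[0] == 0 or len(data) < 1 + data[0]:
        return None
    return list(data[1:1 + data[0]])

def classify(banner, security):
    """Label one responder for an exposure inventory."""
    version = parse_banner(banner)
    if version is None:
        return "not-rfb"
    if version == (0, 0):
        return "rfb-000.000"  # the version-less responders the talk counted
    label = "rfb-%d.%d" % version
    types = server_security_types(version, security)
    if types is None:
        return label + "/refused-or-truncated"
    if 1 in types:
        return label + "/NO-AUTH"  # security type None: anyone who connects is in
    return label + "/" + ",".join(SECURITY_TYPES.get(t, "type-%d" % t) for t in types)

def summarize(results):
    """Tally classify() labels over {ip: (banner_bytes, security_bytes)}."""
    return Counter(classify(b, s) for b, s in results.values())

# Constructed scan results using RFC 5737 documentation addresses, not real hosts.
SAMPLE = {
    "192.0.2.10": (b"RFB 003.008\n", b"\x01\x01"),               # 3.8, offers None only
    "192.0.2.11": (b"RFB 003.008\n", b"\x02\x02\x1e"),           # 3.8, VNC auth or ARD
    "192.0.2.12": (b"RFB 003.003\n", b"\x00\x00\x00\x02"),       # 3.3, VNC auth
    "192.0.2.13": (b"RFB 000.000\n", b"\x01\x01"),               # no version advertised
    "192.0.2.14": (b"RFB 003.008\n", b"\x00\x00\x00\x05error"),  # server refused (count 0)
    "192.0.2.15": (b"HTTP/1.1 400 Bad Request\r\n", b""),        # not VNC at all
    "192.0.2.16": (b"RFB 003.889\n", b"\x01\x1e"),               # Apple ARD banner, ARD auth
}
```

Running `summarize(SAMPLE)` gives the per-label counts a defender would report, with the `NO-AUTH` bucket being the one to chase first.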