[00:07.350 --> 00:13.450] Everybody, our last speaker of the day is here, so please get your seats and we'll get started. [00:15.950 --> 00:20.550] Side Pocket, you'll have to pick up one of the microphones to get the megaphone so everybody hears you. [00:20.870 --> 00:21.730] Okay. [00:22.390 --> 00:31.170] Welcome everybody to the last session of today and last one for the last presentation for DEF CON 30 VR event. [00:31.170 --> 00:35.890] We will be open tomorrow for people to hang out and socialize and also this evening. [00:35.890 --> 00:41.170] So hang around and try cow tipping and throwing the cow off the roof in the outside area. [00:41.170 --> 00:45.570] And also you can play catch with Trevor the cockroach. [00:45.570 --> 00:53.350] As well as there are now Easter egg teleport pads somewhere up on the beams that allows you to get up on the beams and roof. [00:53.510 --> 00:57.330] So without any further ado, I would like to introduce Side Pocket. [01:00.690 --> 01:06.550] He's going to present When Firefox Gets Angry, a web browser for red teamers. [01:07.090 --> 01:14.510] Side Pocket is co-founder of DEF CON Group 201, an open group for hacker workshop projects in northeast New Jersey. [01:14.510 --> 01:20.270] Side Pocket is constantly wanting to help people to get better at whatever they want to do and learn. [01:20.270 --> 01:25.190] He also has a history with New York City 2600. Yay 2600! [01:25.210 --> 01:29.190] Radio Statler at Hackers on Planet Earth. [01:29.190 --> 01:34.130] TOOOL, the lock picking group, and Phone Losers of America. [01:34.130 --> 01:38.210] Museum of Reclaimed Urban Space and Yes Men. [01:38.210 --> 01:43.130] Find out more about DCG 201 at the link provided. [01:43.150 --> 01:47.390] So without any further ado, take it away Side Pocket. [01:48.010 --> 01:51.310] Okay, let's see if I can pick up the mic here. [01:52.790 --> 01:55.410] This is probably going to be my grandpa moment. [01:56.370 --> 01:58.050] Is the mic on? 
[01:59.350 --> 02:02.850] Hey, it's always a talk of mine when there's like weird technical difficulties. [02:04.570 --> 02:08.570] Let's see. Can anyone hear me or have I not picked up the mic yet? [02:08.830 --> 02:09.790] Oh, you're good to go. [02:11.830 --> 02:14.990] Awesome. Okay, so I am. [02:14.990 --> 02:19.090] Hello, sorry for anyone who was expecting to watch this yesterday. [02:19.090 --> 02:26.690] I had multiple monkey wrenches thrown in, including how I thought the presentation was going to go in a different way. [02:26.690 --> 02:36.350] That was my fault, not realizing the particularities of AltspaceVR, as well as I was not expecting real life hitting me so hard over the weekend. [02:37.410 --> 02:43.910] So, but I'm here now. And basically, and I don't know how to do slides. Do I just say next slide? [02:44.970 --> 02:46.110] Yes, that's all you have to do. [02:46.110 --> 02:52.790] Awesome. So you can go to the next slide. I'm going to provide a little bit more of an in-depth intro about myself and kind of what they've talked about. [02:54.970 --> 03:01.890] Two co-founders, DCG201, the other co-founder is GI Jack, who is currently hanging around in California. [03:01.890 --> 03:04.810] I don't know if he's at DEF CON. I don't think he's at DEF CON this year. [03:04.810 --> 03:08.310] So he's probably like me and attending it virtually, but awesome dude. [03:08.310 --> 03:12.490] He will forever be the other co-founder of our group. [03:12.490 --> 03:17.950] Very fortunate to be part of DEF CON Groups. I believe we are the fourth time a New Jersey group has started. [03:17.950 --> 03:23.330] I also know for a fact that we're, this is like my humble brag, we are the longest running one. [03:23.330 --> 03:26.970] It's been five years and I'm hoping by March next year, it will be six years. [03:27.370 --> 03:30.250] We do a bunch of stuff. We were doing okay during the pandemic. 
[03:30.250 --> 03:39.410] And then a lot of real life stuff hit, funny enough, after we all got vaccinated, because biosecurity is just as important as computer security. [03:39.410 --> 03:45.370] And yeah, so we were on a bit of a kind of an in-person meeting hiatus, obviously. [03:45.370 --> 03:48.110] And we are going to kind of build ourselves back a bit. [03:48.190 --> 03:50.710] I'm also part of a lot of different other groups over the years. [03:50.710 --> 03:55.730] Basically, I am not one of the oldest hackers, but I have definitely been around and done some stuff. [03:55.870 --> 04:01.830] And every time games and liquor stores ask me for my age, it keeps taking longer and longer to scroll. [04:02.050 --> 04:05.070] If you want to find more about us, we are still retuning our website. [04:05.070 --> 04:14.250] So I would like to direct you over to either our Medium blog, which also has a huge list of guides for all the goings on for Hacker Summer Camp. [04:14.250 --> 04:17.710] They're updated in real time, as well as a general guide to how to survive Vegas. [04:17.710 --> 04:24.970] So if you have friends who want to know what's going on or how not to die in Vegas, you can go check out our guides and Medium blog. [04:24.970 --> 04:38.410] And there's also a linktree at linktr.ee/defcon201, which provides all of our social links and other blogs, access to tour, etc. [04:38.410 --> 04:39.590] Next slide, please. [04:41.730 --> 04:44.450] This is going to be kind of a basically a short presentation. [04:44.450 --> 04:53.870] Originally, I thought I was going to be able to somehow stream, like, basically, like, re-mirror the browser and I would walk through that. [04:53.870 --> 04:59.430] This is going to be I'm going to instead do a more verbal walkthrough with one or two minor pictures. [04:59.550 --> 05:05.490] And this is going to be kind of like my like sneak peek overview of what this whole browser is. 
[05:05.490 --> 05:14.330] And then next week during our the day after our meeting, because now we we do video live streams a day after our physical meetups. [05:14.490 --> 05:17.310] I will actually do a video walkthrough of all this. [05:17.310 --> 05:20.990] That's also when the browser is going to drop. [05:20.990 --> 05:25.810] But before I get into I want to kind of talk to why I kind of created this whole thing. [05:25.810 --> 05:28.130] And this is nothing like super leader fancy. [05:28.130 --> 05:41.090] This is just one of those things that we often have in the hacker world where, you know, you would think there'd be something kind of like this of a web browser that's designed for more in-depth web or taking an existing web browser, modifying it. [05:41.090 --> 05:43.250] But I've just never seen this done before. [05:43.250 --> 05:49.310] And I came across it because I started myself as a total noob in the CTF. [05:49.310 --> 05:54.530] I've been slowly like learning a lot of new, more relevant hacker skills than when I was younger. [05:54.530 --> 05:59.390] I'm very recently through Jeopardy style and even one or two attack and CTF defenses. [05:59.390 --> 06:04.290] Not won anything, just practicing my skills, trying to see how far I can go, do hack in the box and stuff. [06:04.510 --> 06:10.070] And but one of my things is that I am really into web browsers. [06:10.610 --> 06:21.550] I grew up in that era, which I don't know if any of you folks have in the audience of that time period where in order to do anything on the web, you had to have the three horsemen of the apocalypse. [06:21.850 --> 06:25.890] At the time, I think it was Netscape, I think it was Netscape, Opera and Google. [06:25.890 --> 06:30.570] And then you would have Internet Explorer to just be like you're what they call in the movie Hackers. [06:30.570 --> 06:38.530] Like it does like all the bitch work, you know, crack files stuff, a.k.a. 
just downloading the one or two things that Microsoft said particularly with. [06:38.530 --> 06:47.930] And ever since those times, I've always been keeping up to date with what different browsers are doing, new odd variants, changes, privacy violations, etc. [06:47.930 --> 06:57.090] And I also routinely test browsers, including browsers that people have put into their Linux distributions who want to know that their features work. [06:57.090 --> 07:06.430] And what I found during the CTF sort of stuff is that people would use the browser, especially for Jeopardy CTF to who? [07:06.430 --> 07:14.690] Yeah, I really like those. They would use the browser to obviously interface with the Jeopardy style CTF, which works exactly like the Jeopardy panel. [07:14.690 --> 07:21.930] We click on something that's worth X amount of points and it gives you files or a website to go to and you have to find the flag. [07:21.930 --> 07:29.470] And they might use, especially if there's a browser exploitation category, the browser to actually go to the destination. [07:29.470 --> 07:45.690] But then they would be endlessly loading and looking up so many different tools and resources that are external in their operating system, whether they've customized their own version of Linux or running on a subsystem in Windows or running Kali, etc. [07:45.690 --> 07:52.730] And if you want to get an example of this, on Thursday, I believe, there was the Global Cyber Games for Charity. [07:52.730 --> 08:04.650] If you're in Vegas, there's a giant esports arena and that's where they held these Global Cyber Games, which basically imagine doing CTF. [08:04.650 --> 08:14.550] Imagine if Evo, which is the huge fighting game tournament that actually came a week before in Vegas at the Mandalay Bay where Black Hat normally is. [08:14.550 --> 08:19.790] So imagine doing CTF, but on like an esport gamer scale, there's a huge crowd and everything. [08:19.790 --> 08:28.530] And I was watching them. 
And while some of them had one or two extensions that I've made because I've been working on this type of modification for two years. [08:28.550 --> 08:38.710] I saw them still fumbling through trying to get through terminal, doing all of this external stuff to do man in the middle attacks, like basically like doing it the hard way. [08:38.710 --> 08:44.870] It's like using wget and manually installing a .deb instead of just clicking on the .deb and loading it. [08:44.870 --> 08:51.910] And they were like eating so much time. And so I was just watching this and it came to my philosophy with this, which I was like, one, [08:51.910 --> 09:06.470] I wanted to see if I could create a browser instance that would do a lot of the stuff that you would use for external tools in terminal and visually inside the browser. [09:06.470 --> 09:15.590] But the goal of is that you would do the least amount of stuff, especially for web penetration, testing categories and CTFs. [09:15.590 --> 09:24.210] You would do the, what do you call it, the minute, like every, there should be so much done in browser that it should be an exception that you load an external tool. [09:24.210 --> 09:30.610] I wanted to basically push to see how far you could go with just doing a ton of hacker stuff in browser. [09:30.870 --> 09:32.470] Next slide, please. [09:34.090 --> 09:38.690] So just a bit of methodology of me creating this, just a bit of background. [09:38.690 --> 09:49.650] I went to Firefox. I use Firefox because not only is it the sort of, normally I would say it's that sort of hacker and open source like big browser of choice. [09:49.650 --> 09:54.650] But honestly, sadly, practically one of the few only choices since Google is in everything. [09:54.650 --> 10:05.830] And while there are really cool extensions and tools that you can use in Google Chrome, and I will go into those as a separate thing in a later date, I'm trying to minimize. 
[10:05.830 --> 10:14.530] It's not so much Google tracking stuff, although that's an issue, but the bloat, and combined with how customizable Firefox is. [10:14.650 --> 10:19.610] This is, I took, I basically created a new profile on Firefox and I created this whole thing. [10:19.610 --> 10:26.950] Note about this browser. This browser, again, it's red teaming. It's designed for attack. It's a giant glass cannon. [10:27.470 --> 10:38.070] When you eventually, because as I'm going to mention a week from now, I'm going to make a blog post that will go in depth with most of the stuff that I've said here, maybe one or two other tweaks. [10:38.070 --> 10:46.490] And you'll be able to actually get the profile instance in a zip or a tar and bring it over, drag and drop into a Firefox profile. [10:46.490 --> 10:55.270] You go to about:profiles, drag and drop it in and everything should load, the bookmarks, everything. [10:56.910 --> 11:02.670] But I'm worried that when people see this for the first time, that they're going to be like, hey, wait a minute. [11:02.670 --> 11:12.830] Like, why is there, for example, no uBlock Origin? Why is there no Privacy Badger? Why is HTTPS not a default on there? [11:12.830 --> 11:16.510] And that's because, again, this is designed for red teaming on purpose. [11:16.590 --> 11:23.670] There are many, many different browsers I can point to from trying to, for some reason, brain's failing me right now. [11:23.670 --> 11:25.770] But there's many different ways you can configure Firefox. [11:25.770 --> 11:31.390] Go to privacyguides.org to configure it to be more private and secure on the defense side. [11:31.810 --> 11:37.230] There are so many like LibreWolf is one of them that's on Google Chrome. [11:37.230 --> 11:42.030] There's so many done for privacy. I see that as more blue teaming thing and blue teaming is really important. [11:42.030 --> 11:44.990] But the focus here is this is designed for attack. 
[11:45.190 --> 11:55.290] And it lets certain vulnerabilities on default of that default Firefox loads on purpose to actually execute certain red teaming things. [11:55.290 --> 11:59.490] And you'll see what I mean in a moment when we get to the to the next section. [11:59.490 --> 12:01.810] And you'll see what the browser looks like. [12:01.810 --> 12:06.630] Fun thing, if you haven't noticed, the slide deck is actually what the browser looks like. [12:06.630 --> 12:11.190] So I had screenshot it at that top bar. That's what you see when it loads in. [12:11.190 --> 12:15.010] And of course, for a little fun, I put a little anomalous hacker thing in the corner just as a visual thing. [12:15.090 --> 12:18.810] And to note on that, you don't need you can change anything you want. [12:18.810 --> 12:28.410] And in fact, if you want to open your own Firefox profile and just download one or two or five of the extensions that are going to be in there, because there's going to be a lot of extensions. [12:28.410 --> 12:33.190] I did minimum profile changes and just use those. That's fine. [12:33.190 --> 12:38.890] When you eventually download the profile, if you want to go edit, add more extensions, take others out, that's fine. [12:38.890 --> 12:56.250] You don't have to use all of this. This is just me slaving away for roughly two years now and testing this on CTFs I've entered in and just literally eating up especially web exploitation sections of CTFs. [13:00.990 --> 13:07.130] This is a browser that's essentially error 15. It does not come with a shield. It's a sword, not a shield. [13:07.130 --> 13:16.190] Certain what you would consider privacy flaws were left in by design due to how some of the extensions and modifications works. [13:16.190 --> 13:21.490] So you can actually do reconnaissance, OSINT, and red teaming better. 
[13:21.490 --> 13:28.630] And that also, whether you download this profile, or you're just taking notes from what I'm saying here, you don't have to use all of these. [13:28.630 --> 13:33.450] I'm just putting this information in the downloads and what these extensions and modifications are out there. [13:33.450 --> 13:37.910] So you can tweak and do this as ever you want, just like any sort of other open source tool. [13:37.910 --> 13:38.970] Okay, next slide. [13:40.250 --> 13:45.530] So this is a slide we're going to hang on for the most amount of part just because I ran out of time and crazy real life stuff. [13:45.530 --> 13:51.610] I don't know if the... my voice should still carry over by looking at this. [13:51.610 --> 13:56.270] Actually, I just remembered, the way I'm going to walk through this is I actually have the browser open on my end. [13:56.270 --> 13:57.650] So I'm going to read through a bunch of things. [13:57.650 --> 14:03.250] So this picture here is the most of the actions going to be in the upper right hand corner. [14:04.450 --> 14:10.410] I took a screenshot of it and made it bigger because I know with the slide deck, especially in AltspaceVR, it might be hard to see. [14:10.430 --> 14:12.010] So you can see everything there. [14:12.010 --> 14:16.430] And I want to talk a bit about why I designed the extensions the way it is. [14:16.430 --> 14:22.990] Because unfortunately, the way Firefox works, when you load the profile, it's going to mass dump all of those icons. [14:22.990 --> 14:26.010] So it's going to be up to you to organize it the way you want. [14:26.010 --> 14:30.110] But I just wanted to show what I call the default configuration that I made. [14:30.130 --> 14:39.030] So one of the philosophies I had here was I want everything to be, or most things to be easy to see and read and recognizable just by looking at it. 
[14:39.030 --> 14:46.270] Even when you're in code looking at the backbone of different websites and stuff, everything should be readable. [14:46.270 --> 14:48.730] Most of the stuff's in the upper right hand corner. [14:48.730 --> 14:52.950] Some things are going to open their own tabs. [14:52.950 --> 15:04.830] And some things are in other sections of Firefox, whether it's the bookmark mode, or the F12 peeking behind the scenes, looking at the source file mode. [15:04.870 --> 15:07.870] But most of the stuff's in the upper right hand corner. [15:07.870 --> 15:10.330] So I wanted everything to be easy to access. [15:10.330 --> 15:14.330] I wanted things to be grouped into categories, which I will walk through. [15:14.330 --> 15:23.850] Also tiers, all the stuff on the top are like the most used and or ancillary extensions. [15:23.890 --> 15:35.330] The second row is really important because the second row or that middle row, the philosophy I also had is what I call the dashboard of a car. [15:35.330 --> 15:48.870] This is something I picked up from from a video game called Doom Eternal, where they talked about designing their UI, because I think UI design is horrifically underrated in all aspects of software development, especially nowadays. [15:48.910 --> 15:55.630] And they were talking about how because of the way they design their game, it's super fast paced, and you're juggling multiple things at the same time. [15:55.630 --> 16:09.730] So they didn't want their users to be hung up, their players to be hung up on the AI and figure out, oh, crap, I run out of ammo, where is it display how much ammo I have? What type is it? What am I holding right now? Do I have any health left? 
[16:09.730 --> 16:30.890] And so what they designed was not only they made everything clear in terms of like everything sharp, there's no contrasting, that there's actual contrast, there's things not blurred out, but that they did things where when you ran out of ammo, the ammo section would light up a certain color and each ammo type had its own sub color and stuff. [16:30.890 --> 16:51.170] So their idea was a dashboard at your car, the focus of the car is looking ahead driving on the road, you don't want to use the driver to be distracted by the stuff going on the dashboard. So when your oil runs out, the oil like blinks, you know that it's blinking off the corner of your eye in a certain section. So you know the oils off, your eyes are still focused on the road. [16:51.170 --> 17:20.210] And not only did I try to use that design a lot here, but that's specifically what all those extensions on the second row are for the most part, is that these extensions will light up and change depending on what sort of web page that you're currently on. So basically, they mostly remain inactive or will not tell you information. And then once you go on to a page or a certain page, they will light up to let you know, hey, I'm usable or hey, I found data and that's displayed there. [17:20.210 --> 17:49.990] And the bottom row is all like hard coded, like this is the type of functions, this is what you're going to be normally using in terms of like engaging in the actual website. And there's a little particular particulars here and there. But I'm going to continue on because again, there's a lot of extensions. But before we get into those, I and again, we're going to be hanging on this slide for most of the talk. So I apologize in advance, I just want to go on to the settings and then explain why configurations behind the scenes don't quite matter here. [17:49.990 --> 18:15.570] And also why they're configured the way they are. 
So if you've noticed on here, just due to laziness, I just have one URL, where you type the URL section. Ideally, dead serious, you probably want to do with both the URL bar and the search tab, just so that you're always on search anytime you need it. I just forgot to turn it on when I made the screenshot. So I'm just pointing that out. [18:15.570 --> 18:45.490] Um, in terms of the actual search engine itself, when you download it, and normally Firefox loads with Google, yes, Google's really important, you know, it has a lot of power behind it and has a lot of options. But even though this is mostly attack, I did want to balance the most usability with Google that wasn't Google. So the default search engine, which you can't see on here, is the Brave search engine, just because of how essentially it mines from Google and a bunch of other websites, and sort of puts them in a [18:45.490 --> 19:14.370] corner. And I just found them to be the right balance of not being DuckDuckGo, but not being Google either. Now, to be fair, I also still have as options DuckDuckGo, the best versions, the best version of SearX, or S-E-A-R-X. There's many instances of that search engine, but I put that in there. Those are both in there as options, but I by default have Brave browser selected on here. [19:14.890 --> 19:42.710] With privacy and security stuff, again, I set everything to standard, it's not on strict or custom, and I'll explain why in a bit. All of the WebRTC is still enabled on, because I know red flags are going off, like, why would you leave this on? But trust me, I'll explain why in a second. So WebRTC is on, so all of the audio video interfaces you'd be doing, such as live streaming or streaming videos in, that still completely works here. [19:44.030 --> 20:08.950] Most of the defaults are left on, I just want to double check. Yep, you can still, it does location, camera, those are all on. 
And I do have the security, the block dangerous content, all of that, leaving certificates on, and it is enabled to HTTPS only mode, which is why there's very few extensions to do sort of privacy stuff. Now, the question is, why would I leave most of that on? Well, for two reasons. [20:08.950 --> 20:35.210] One, there is an icon. Let me see if I can find it on my end, because my brain's dying right now, because of crazy enough today. Also, I hope the audience has not fallen. Trust me, we're gonna get some very interesting stuff in a second. This is just sort of a pretext, but there is a button. So if you see that little red icon on the second row to the immediate right of it, and this is the only one that has bad contrast, because it's gray by default. [20:35.210 --> 20:52.730] This is an extension that is the, and actually, I should have probably moved down the upper bar, but it's there right now. But there's literally an extension that's called privacy settings. It's available on Firefox and Google Chrome, if you use Google Chrome. [20:52.730 --> 21:22.630] And instead of typing in about privacy, about settings, or going into settings and running through and clicking them, you just click on that extension. And not only can you go through the everything you would need to turn on off in there, but it also has the presets in there, you can restore to default, you can go for full privacy, which sets even certain attributes to full privacy mode that Firefox normally does by default, or enhance, which is kind of like the middle ground area. [21:22.730 --> 21:40.930] So one of the reasons why I left everything on default is because you're going to be able to directly control privacy of your browser, you know, seeing if cookies are coming in or whatever, directly through that extension. So there's no need to actually fumble through menus, it's all right there. 
[21:40.930 --> 22:09.350] The second thing is that I found that when I do CTFs, that when you do web, web security, web exploitation sections, that when they send you to a website, you're looking for vulnerabilities in the website. So for example, Snowflake, which is an extension by Tor in there, it creates it's that little purple icon in the second row all the way to the right is a passive [22:10.170 --> 22:27.910] extension, it creates an external node, so other people on Tor can use it. Nice thing, why is it in a red teaming browser? If WebRTC for some reason doesn't work on your end, that extension won't work, it will go dim, it will not be purple anymore. [22:27.910 --> 22:56.170] So you will know if WebRTC is still enabled or not, if there's something going wrong with your computer, or someone's doing, let's say, an attack and defense situation. And let's say they want to abuse or turn off WebRTC. As soon as that goes down on your end, you're going to know because that extension is going to turn off again, it's like the dashboard of a car. So that's another reason I left things on. And finally, the other extensions I'm about to go through, and it's going to be a lot, so bear with me. [22:58.890 --> 23:18.430] defaults on because again, you want to give these access. So let's now break things down row by row. And I actually have a slide for this first extension, which I'm shocked no one has ever used. So we're going to go to the next slide and then go back to the previous slide. So next slide, please. [23:21.370 --> 23:50.090] Awesome. So this is something very recent that I've added. And while it has been useful for me, this is a proof of concept. Essentially, the extension is called xLinux. You can go search for it, download, it's going to come default when I release the profile next week. And essentially what it is, is that you can spin up your own Linux terminal in browser that is hosted on a free cloud service. 
[23:50.890 --> 24:16.530] So, as I said here, when you open it, that's the window you're going to see. It's basically your own Linux, small Linux virtual machine without having to do anything. Linux client, it's all text by default, no installation. It's defaulted to the common network configuration to access the informant. It supports framebuffer. It's a GNU C compiled file system involved. [24:16.530 --> 24:27.790] And here's another thing, by the way. When you load this browser, another extension that's going to auto turn on is the NoScript extension, which blocks JavaScript. [24:29.610 --> 24:50.970] When you load up certain some of these extensions to do the actual red teaming, if it doesn't work, go into NoScript and click on the icon that says temporarily give trust to this page and that extension will then work and you don't have to load it every time. [24:50.970 --> 25:12.910] So if you load any of these and it opens like another window and it's like, hey, why can't I see the terminal? I'm trying to load the Linux terminal in browser, just turn that off because some of this stuff uses Java as a visual interface. So I'm just putting that out there. But hardware expectation, it's a 32-bit emulator, 32-bit RAM, so it's very low spec. [25:12.910 --> 25:35.630] And I will say that while unfortunately, which is a headache, it doesn't have apt, it doesn't have dpkg, it does have a bunch of actually surprisingly useful stuff, has Nmap automatically loaded, it has OpenSSL, it has Ruby and Python scripting and other programming languages by default, you can edit stuff in nano. [25:35.630 --> 26:05.610] And I just find it useful because obviously, when I'm in a CTF, I always have my terminal open on a tab anyhow, or if I'm sandboxed on Windows, I load up the Linux, Kali Linux subsystem I have. 
But it's just nice to know that, you know, when it's like, oh, I have to add something in nano or hey, I want to log in or SSH something in the terminal, but I don't know if they've like honeypotted it or trapped it in this, you know, exercise of the flag I'm trying to get that I can spin up a terminal, like try to access the terminal. [26:05.630 --> 26:35.610] Through nano, try to SSH tunnel through with it, try the coding in that. And not only do I have it there, and I can use my terminal for something else, like doing other like type of, you know, different scans in the background. Well, this terminal just does this cloud terminal does base work. But let's say I there's multiple SSH tunnels in this in this exercise on the CTF, and I try one, and let's say there's like, four of them are false gates, they're honeypotted, and you fall into that, instead of having to deal with your terminal, and possibly having to even reset [26:35.610 --> 27:05.390] your OS, you just simply close that browser tab. And that instance closes. And when you hit it again, a completely new one loads up. So it's just a nice disposable, instant terminal right in the browser, right away. Please go back to the previous slide. That's to me like one of the big feature extensions. Now we're going to breeze through a lot of these. The one immediately right to it is called Simple Text, Simple Text. I hope I pronounced that right. Just give me a second here. [27:05.610 --> 27:35.390] Sorry, Sublime Text. You know, obviously, everyone has their own personal coding applications. I usually go between VSCodium for really big stuff and Simple Text for really basic stuff. I basically try to load stuff. So I'm sorry, Simple Text, I try to load stuff in Sublime Text initially, and then if I realize any more complex stuff, I'll copy pasta or move the files over to VSCodium and work from there. 
And particularly during that global cyber CTF, when they were running certain Python programs and scripting stuff, [27:35.390 --> 28:03.250] I saw a lot of like, I'm waiting to download and having to go back and forth or taking code and trying to copy pasta and the formatting was bad to go in and reformat it because the copy pasting system didn't work quite well. What this extension simply does, it just hangs out there. And what you can do is if you see code right there, you can highlight it or right click the extension. And then it says edit with Sublime Text, you click on that and it will automatically load Sublime Text. [28:03.250 --> 28:17.030] So you have to have Sublime Text installed, loads it and puts all that code there in the exact formatting that had displayed on the website. And that has really sped up my productivity when I've done for coding challenges. [28:17.550 --> 28:36.250] Even though I find it useful to the right of that, that green icon, a possible thing that I just like is Fiddler. Fiddler is a program that I've used to just kind of see the crosstalk communication between websites behind the scenes. It's an external application. This does the same thing that the Sublime Text extension does. [28:36.950 --> 29:01.630] Basically, you can highlight a URL or go on a web page and you click that extension and it will load Fiddler and immediately say, hey, that web page you're currently on, look at that. So instead of going into Fiddler and fiddling with it and configuring it, it just automatically does that and loads that program immediately. So you can load that, run Fiddler in the background, it starts looking at all the crosstalk, go back in the browser, back to your other tool and do a bunch of things there. [29:01.630 --> 29:23.950] Another optional thing right to it. There's no really good VPN extensions if you kind of want to change your network, how you're going to communicate over the network and different proxies and stuff. 
FoxyProxy is obviously good to change between proxy systems. I just didn't load that on here because you can easily go, again, to the privacy settings and load that sort of stuff. But if you want to add that on there, that's up to you. [29:23.950 --> 29:50.090] So by default, you're normally supposed to subscribe to get this extension by putting the extension in there. It's a paid thing. So you would have to pay for it. But I think it's just a couple of bucks. And to be honest, if you're constantly having to switch networks, kind of, you know, hey, this page loads weird, you know, on my ISP, you know, will it load different in Sweden? Or can I bypass this restriction by doing that? To me, it's just worth it. [29:50.090 --> 30:19.530] To the right of that is an onion browser button. It does exactly what it says: when you click that, it will immediately start running Tor. If you have a Tor connection or Tor node open, it will immediately start connecting to that. So you can immediately just start using .onions and other things directly in the Firefox browser. And anytime you don't want to, you can turn that off. That's another also important thing of the Snowflake extension. If that thing also is kind of wonky, that means maybe there's also something wrong with Tor. Also, if you press that button and Tor is not working, but you've already loaded it. [30:20.330 --> 30:40.970] Again, troubleshooting, it saves you time. That way, you know, instead of trying to do the action and everything fails. To the right of that is just one last foo-foo thing. It's an optional light mode, dark mode. I'm a fan of dark mode just for my eyes. When you're looking at the screen all the time with CTF stuff, and all the backgrounds are bright white or whatever, it starts to drive you crazy. So I just have that as an option. [30:40.970 --> 31:08.870] And then the last one on the upper section is a simple pastebin. Again, that's exactly what it sounds like. It's just a way to take local notes.
So that way, when you see something, instead of trying to go to a URL for a pastebin or stumble through stuff, you just click the icon, type some stuff, click out of the icon, close it. And then when you're like, wait a minute, what was that ISP that I wrote? Click on that. Oh, it's there. Copy-paste it. Done. And so that way, again, it's in browser and you're not opening other things. [31:08.870 --> 31:38.850] So let's go now to the start of the more real fun stuff, that second row. So that red icon in the corner, this is actually exclusive to this browser. It's an older version of this extension. Due to odd, I don't know if it was legal trouble or something, this extension, you can't download it anymore. I currently have it on here because it's still very useful. And I'm actually looking into redoing it so that you can download this for Firefox. [31:38.870 --> 32:08.030] Again, because it's open source, I'll fork it. I'll credit the original person. I already asked the original person of the extension. And simply what it is, it's a built-in WPScan or WordPress scan. I also have the URL as a bookmark as a backup here for one that's like a browser page. But this to me is super useful as an extension. Basically, you click it. And if it's red, that means there's no WordPress. But if you went to a WordPress website, such as the New York City 2600 page, wink, wink, it will light up green. [32:08.030 --> 32:27.630] So one, you'll know that that page is running WordPress, you don't have to scan it with Nmap or something to find that out. When you click on it, you get multiple interesting pieces of information, again, without having to use a WPScan or Nmap scan in the terminal. Give me one second here. [32:29.390 --> 32:57.610] I really hope everyone's not falling asleep here. So, like, things that you'll know, information it can pull, is what themes and plugins they're using.
You can see any of the usernames of the people who've registered and monitor this website, you can check out, if available, the user registration, all that data, you can also see the path disclosure. And probably the most useful thing is the scan vulnerability function, where it'll start scanning for whatever version of WordPress that is running. [32:57.630 --> 33:27.610] And you can see how many vulnerabilities, patched and open, you have in there. So for example, again, usually most people in CTFs are familiar with WPScan as the terminal application, and I've used that multiple times. But since I've gotten this extension, as soon as I find there's a vulnerability and a flag for WordPress, I just click on the icon, click the test vulnerabilities, it spits them all out, I copy-pasta that vulnerability, and now I can look up what the vulnerability is, and start cracking at it, or copy-pasting it into Nmap. [33:27.610 --> 33:56.170] Or any other red teaming program, and have it working on it right away. So literally, instead of having to just, you know, look at the crosstalk with Fiddler, and then doing an Nmap scan and going through that data, and then writing it down and moving it over, it's: oh, it's green, WordPress, click, hey, what vulnerabilities, click, oh, it's that CVE, copy-pasta that CVE in, okay, that's the ISP for copy-pasta, put that in that red teaming program, and now it's eating away at it, and I can hop on to something else. [33:56.170 --> 34:26.150] Again, this is sort of the philosophy of what I was trying to do here with a lot of these extensions. Next to that is the privacy settings; I've already gone through that. The next one is kind of, these next two are interesting. This is the sort of browser control stuff. This gives you data on a bunch of different things about the website you're currently on. So the first one is uMatrix.
Now uMatrix, you might be familiar; the dirty version of this is essentially, uMatrix is sort of an advanced version, I'm really fudging the terms here, but it's sort of an advanced version, [34:26.150 --> 34:55.890] if you're familiar with uBlock Origin, uMatrix is a more comprehensive version of it. So when you click on it, it gives you this giant grid, you can manually turn it on and off. And it shows you cookie data, first party and otherwise, CSS data, images, media, scripts, XHR, frames, and anything it can't categorize. And you might wonder why I have that on there. Because as you probably have heard, uMatrix is being deprecated recently. And yes, it's being [34:56.430 --> 35:25.810] deprecated as something preventing privacy. It's too complicated. Most people don't use it; the person maintaining it stopped updating it a couple of months ago. I still find it really interesting that, one, I can see in the corner, it'll count how many, oh, this is how much stuff it's found, of, like, what analytics are tracking and what scripting it's using. And when I click on it, it shows me a nice grid. So as a blue team, this is what I mean about this being a red teaming thing. As blue teaming, this is kind of useless, just install uBlock Origin if you want to block ads and [35:25.810 --> 35:52.990] stuff. But as a red teaming thing for reconnaissance, I still find uMatrix really useful. Similarly, right next to it, you have NoScript, which will immediately let you turn on and off the JavaScript for either individual pages or for everything. And you will instantly know not only if it's running JavaScript, but it'll tell you what it's running and break down what type of scripts it's running, etc. So you can start playing with websites that you're, hold on a second. [35:54.470 --> 36:22.970] You can start playing with, when you go to, like, a page and you're trying to find, okay, is it running JavaScript? Yes. What type of JavaScript is it running? Um, if I block it, how will the page load?
Maybe the page loads odd. Oh, that's weird. Why is it like that? Oh, there's actually a weird thing you can do with JavaScript in order to just pop the password in here. So you don't even have to do the login. Cool. That's what this is all about. [36:22.990 --> 36:44.370] An alternative, if you don't want to use NoScript, by the way, is LibreJS. The reason why, so LibreJS will give you a more comprehensible list. But ironically, it hard-blocks JavaScript automatically, harder than NoScript. So I just find NoScript much easier to use. So I'm not having to fuss around and think about it. [36:44.370 --> 37:11.490] The next one to the right of it is a copy URL to clipboard. That's just kind of sitting there, probably going to eventually perma-remove that icon, because there's a bunch of tools you can use when you're just normally copy-pasting and also when you right-click on things. And what that will simply do is, when you hover a URL and you right-click it, you can go to the copy URL, and it will copy it in multiple different ways. [37:11.490 --> 37:35.930] So instead of just directly copying that link, it will give you the option to copy to clipboard in its formatting: HTML, Markdown, bulletin board code, AsciiDoc, all sorts of that. So it gives you a lot more control of what you're copy-pasting, which is really important, especially if you're in challenges where it's directly listing certain web data or even programming data. [37:35.930 --> 38:03.570] To the right of that is a cookie editor. So not only, and this is why I left cookies on, it's like, what, that's a security thing. I want the website to try to send me cookies, because not only will this intercept these cookies, it will break down what cookies are there. You can turn them on, disable them, and you can click on the cookie and start editing the individual cookies directly.
So this is a very powerful tool when the web page you're trying to do is trying to send you cookies. [38:03.570 --> 38:25.190] Let's say even an attack and defense, where you, like, let's say you're trying to go on to the defense's computer, and they put, like, various landing web pages, and they're trying to send you malicious cookies; this will intercept those cookies, and you'll see they're malicious, and you can stop them. Or you can take a malicious cookie, or just a cookie sitting there, find the vulnerability of it, and then weaponize that cookie back at them, things like that. [38:25.750 --> 38:30.310] The thing that looks like the Windows icon to the right of it is a containerized system. [38:31.810 --> 38:50.730] Firefox's probably big thing is the fact that now you can use containers, which basically sandbox websites, and you can put them in different categories. Probably the most famous of this, which is not installed here by default, is the Facebook Container, which is that Facebook and anything relating to Facebook sticks in its own container and will not crosstalk with the other browsers. [38:50.730 --> 39:10.250] So let's say you log into Facebook in the Facebook container that you've made; when you go on a different website, it's not going to pull Facebook's data and cross it over. And that's, which is how Facebook tracks you and stuff. We don't need that. What we need is something where we can containerize stuff with more control. And yes, you can right-click in modern Firefox and set containers. [39:10.250 --> 39:20.710] But I also put this simple one in here. So you can go in, you can create your own container folder, and put in any sort of organization you want, and containerize whatever web content [39:20.730 --> 39:50.350] that you need. To the right of that is, oh, this is really fascinating. So this is, this is sort of one of those leftover icons, but it's really important; I'm actually going to loop around back to that near the end.
To the right of that, that little, that little purple flask is a test and feedback application. So what it is, now warning, it's based on Microsoft Teams, but you don't have to install or run Microsoft Teams; it just goes through that, and it's up to you if you want it. [39:50.350 --> 40:09.310] I put it there simply just because, let's say your teammates, you're together, you've randomly formed a CTF team, what the heck do you communicate on? And then it's like, okay, let's do Zoom. Oh, crap, three of my teammates don't have Zoom. Okay, they're going to install Zoom. Great. Now Zoom is not working on one of their computers because Apple just decided to push something, whatever. [40:09.310 --> 40:19.490] And also, you'd have to go over to that chat application in order to chat, which also might take up that entire screen, whichever one you use, which means you're not doing actual CTF work. [40:19.490 --> 40:48.830] This puts everything in there. You get to make a connection in browser, it stays in there, you can create a room, it will pull other things. Remember, this is all in the browser. And anytime you want to take notes and share notes with teammates, you can, like, for example, I found a, I found a vulnerability on the landing page, or, hey, my terminal managed to crack this, screenshot that, you click that extension, it opens up the chat thing, you put that right in there. And this is great. If you're on a team with CTFs, this is just a great in-browser way to just instantly communicate with everyone. [40:48.830 --> 41:14.610] Similarly, with communication, to the right of that is an RSS feed reader. It's currently blank. It might, when this releases next week, have some built-in RSS feeds from, you know, certain things like Dark Reading and stuff.
But basically, if you're also getting real-time updates, let's say from the CTF itself, they have an RSS feed that's sending updates of which teams are in the lead, or what timescales, or what challenges have been announced, you can simply add the RSS feed in there. [41:14.610 --> 41:32.970] And when they update, you'll see a little number icon, it'll be like, bing, you found an update, click on it, and you're like, okay, our rival just dropped down a couple of points, we're ahead of them now, good, we can keep focusing on this, or, oh, these challenges dropped, hey, Larry, go get on those challenges, you load up the team app next week, go get them right away, that sort of stuff. [41:33.390 --> 41:43.670] To the right of that, I personally find this useful, just in general, because some of the CTF challenges nowadays are leveraging social media. [41:44.390 --> 42:04.190] And so I've literally, there was one CTF a year ago, where the challenge was that they on purpose created a bunch of fake Twitter bots. And basically, you had to figure out, you had to basically go to a legit Twitter feed, and find where they accidentally-on-purpose retweeted one of their bot posts. [42:04.190 --> 42:31.530] And basically, it's like, you know, the game at DEF CON, Spot the Fed; this is Spot the Bot. And this app is really important. I think it's even useful if you are not even doing red team, and it's called Bot Sentinel. It's from the folks at BotSentinel.com. And what it is, is that when you go to social media, especially for Twitter, and it's specifically designed for Twitter, it will let you know, based on a bunch of metric information, who is a real person typing, and who's a bot. [42:31.530 --> 43:01.510] And if they're a bot, what have they done as a bot that flags them as a bot. So if you are social media bot hunting for a challenge, this is an amazing tool. That's actually how I captured the flag.
Everyone's trying to, like, read the different posts, trying to find typos, or, like, something that sounds too stiff, or repeating stuff. And I just simply went on there, and Bot Sentinel was like, hey, that's the bot, clicked on the bot, scrolled down there, like, there's a weird post, the fifth, what was it, the 36th post was weird, scroll down, and it's like, oh, that's the bot. [43:01.530 --> 43:12.370] Scroll down. That was the flag. And I got the flag that way. So that's still there. Um, the next one, the one to the right of that, that little warning icon, is Content Farm Terminator. [43:12.610 --> 43:28.670] Um, this should happen, I'm particularly thinking of attack and defense. Um, you might be redirected, or even when you're, like, let's say you're trying to search up something like a certain command, you might accidentally end up on a content farm, [43:28.670 --> 43:53.990] which often chunks your CPU memory, floods your system with ads. So even if you have an ad blocker, I've actually literally accidentally one time went to a content farm terminator, I'm trying to look up an evil maid attack example, where basically that website, they had the evil maid attack, it was correct information, but their website was so full of ads, it actually killed my pop-up blocker, which also killed my browser. [43:53.990 --> 44:23.970] This will let you know if you accidentally stumble on a content farm; it will load the page, and then it'll say, hey, this is a content farm, we blocked them from content farming. Very useful. Um, these next ones I find really interesting. So the one next to it is called Permission to Hack. Right now it's blanked out, because it's not on something that has permission to hack.
What is Permission to Hack? You can actually make text files embedded in a website that will let them know, if you're doing bug [44:23.970 --> 44:53.950] bounty or vulnerability hunting, if you find vulnerabilities, who to report that to, and it's called a permission-to-hack text file. And simply, if you go, for example, if you use this browser and you go to Google, it will make a little green H instead of that red no icon. And that lets you know, oh, they actually want me to search for vulnerabilities and bugs and security flaws on their website. And then when you click on it, it will load up the text that says, hey, where I can actually do it right now. [44:53.970 --> 45:20.690] So let's go to GitHub, github.com. And on my end, it just turned to the green H. And when I clicked on it, it loaded up in a new page where to contact for GitHub, which is hackerone.com/github, the acknowledgements, preferred languages, their policy for doing it, even actually put in GitHub where they hire. So it's like, if you're good at bug bounties, now you know where to go to apply for that sort of testing position. [45:20.690 --> 45:46.350] And it's just very useful, because I've had people, when they do bug bounty stuff, where they don't know, if they're like, you know, okay, this is a major company, but do they want people to find vulnerabilities? Because I don't want to find one and be like, hi, found one. And then all of a sudden, you hear "FBI, open up" and your door kicks in. This is just a simple way to find out, hey, not only are they looking for just random people to find vulnerabilities, but it will also let you know, thanks to their text file, where to report them. [45:46.350 --> 46:16.330] Similarly, next to that one, a lot of websites, especially big name websites, have what's called a robots.txt viewer.
And this simply tells bots that are looking at their website how to behave and what they can and can't do, which is honestly really good to recon for, especially if you're doing website reconnaissance, let's say in an attack and defense, as well as just vulnerabilities, because sometimes, knowing the way bots are behaving, you can then start to figure out [46:16.330 --> 46:45.810] what part of their asses they didn't cover and get through that. We're about halfway done here. I just want to make sure if the audience is awake or not. I can't always tell with all the space. Everyone right now looks amazing and has awesome clothing. I see a little heart thing in the back. Thank you there. Thank you for all of that. Hopefully I'm not boring you to death. We're almost actually done here. And the more we go down, the meatier the stuff gets. So here's going to be the last of what I like to call the dashboard icons, the ones that are either useful for communicating, [46:46.370 --> 47:11.230] organizing web stuff, or light up or light off. And actually, funny thing on my end, so I went to the NYC 2600 website for the WPScan, and uMatrix only picked up one odd frame flaw; went to GitHub, it picked up 33 different flawed arrangements, from trackers trying to track me to bad frame loads to CSS breaks and everything. So I just find that interesting. [47:11.910 --> 47:37.970] To the right of that is TrafficLight. TrafficLight is to me the most, it's done by Bit, sorry, yeah, it's done by Bitdefender, folks at Bitdefender. And simply what it is, is it will let you know how skeevy a website is or not. And if it's, like, an actual, like, scam website, or they detected, like, malicious code being embedded in the website, it will automatically block you from visiting that website.
And again, [47:37.970 --> 48:07.950] especially in attack and defense, or maybe even the CTF itself, they're being dicks, they like to throw you, like, basically, like, honeypot you web-wise into just spam hell or DDoS hell, or, like, literally running malware off your browser; this will prevent most of that. And if the website's fine, like GitHub right now, it's a checkbox, and it does a traffic light system: yellow, it's unsure, or it's like, you should be okay, there's just odd stuff about it, so it'll tell you, don't click this. [48:07.970 --> 48:37.950] This is a tracker that's probably tracking you. If it's red, it will not let you access it whatsoever. And it will tell you why, which, again, let's say someone did direct you to a malicious page during attack and defense, and they stop it, it will tell you, again, why, which might also give you good recon into how they set up that page. And I literally had someone who used that tool, where they were maliciously redirected to a page that tried to load malware. But now not only could they, they knew it had malware, so they [48:37.950 --> 49:07.770] could actually pull the malware off the page and edit the malware. But they actually realized that they put up a page of coping malware at you, and doing the computer that prevented that, the website itself that hosted the malware to run had a security flaw. So they were able to use the other tools and scan it, then basically attack. It's like sending a bullet, like shooting a bullet up someone else's gun. It was absolutely amazing. And that's actually how I heard about TrafficLight. And I installed it, [49:07.770 --> 49:37.750] and I've been using it for myself, both as a casual thing, as well as in this browser doing exercises. And it's pretty useful, in my opinion. And then again, Snowflake, no good thing, general to have, but Snowflake lets you know automatically, without having to fuss through menus and stuff. Like, you don't have to load up uMatrix to see if WebRTC is not working.
If Snowflake goes down, the icon goes down, you know WebRTC is not working, and there's either something configured badly on your end, or something rotten in Denmark is [49:37.750 --> 50:07.510] happening on your network. So that's a good thing to know. And the last one, this is the thing I've used, I'll be honest, I've only used this twice; it did help me in these instances, but I've only used it twice. And it's called HackerOneScope. And it's really simple. People out there probably know HackerOne, they're a huge, there's a bunch of bug bounty platform services, but they're probably the biggest one, they host their own conventions, they, I know they have a huge presence at DEF CON, I believe they're also at Black Hat, they did their own mini-con during Hacker Summer Camp and stuff. [50:08.050 --> 50:37.490] So let's say again, let's say you're using this red teaming browser, bug, bug bounty, and your main page is HackerOne, because it is the biggest and most popular. So I imagine most people are going to be using it. And you want to know the scope URLs, which is essentially like little lines of code. And they, like, they look like code, but they look basically like ISPs. And it lets you know with each bug, basically each line is basically, like, a barcode, different bug bounty tasks. So instead of having to scroll through all the pages, [50:37.490 --> 50:41.890] and clicking on it, and then finding that unique identifier, when you're on that HackerOne page, [50:41.890 --> 50:46.630] you just click on that icon, and it brings up in the browser every single one of the IDs for each [50:46.630 --> 50:52.490] of the bug bounties. And you can copy-pasta them. And that works not only with you trying to figure [50:52.490 --> 50:58.530] out, oh, what bug bounties are they looking for?
But it will also show you the ones where people [50:58.530 --> 51:04.350] have found bugs that they haven't corrected yet, that are basically like, we found this bug, [51:04.350 --> 51:09.090] the exploit still works, but we're pending trying to fix it. So if you're doing recon, [51:09.090 --> 51:14.110] especially for, like, a big website or something, again, doing bug bounties, and you want to, I'm [51:14.110 --> 51:19.430] not saying you should, but let's say you want to exploit one of those, you, oh, type in the website [51:19.430 --> 51:25.190] in HackerOne. Oh, they have it, do the scope. And then you'll see the scope for, oh, they have this [51:25.190 --> 51:30.230] CVE and they haven't patched it yet. And then you can go pound on that. So that's that row. [51:30.230 --> 51:35.530] We're on the last row. And these are going to go by really quick. But honestly, this is where, [51:35.530 --> 51:41.350] this row is where you're going to be directly interfacing with the website and doing actual, [51:41.350 --> 51:46.790] like, mostly red teaming stuff. Red teaming and reconnaissance is the focus of this browser. Okay. [51:46.950 --> 51:52.770] So that blue one to the left that says LAN is exactly what you think it is. And there's actually [51:52.770 --> 51:57.310] one more slide, but don't move from this slide. Just stay on the slide. We'll get to that in a [51:57.310 --> 52:00.790] second. It was the only screenshot I could do of, because I would normally have screenshots of all [52:00.790 --> 52:06.290] these, but again, real life. I apologize. But that LAN button, it's simply called, and it's exactly [52:06.290 --> 52:13.350] what it sounds like. It is the LAN Port Scan Forbidder. This is a godsend, particularly with [52:13.350 --> 52:19.350] attack and defense CTFs.
I've had people think that I've, like, configured these, like, amazing [52:19.350 --> 52:26.610] dynamic firewalls with, like, machine learning to know, like, when to turn on and [52:26.610 --> 52:32.050] off certain ports. No, here's the secret. I load up this browser. And if someone tries to [52:32.050 --> 52:37.530] crawl up my browser on a LAN port, I just simply click on it once. And it does the, [52:38.570 --> 52:44.190] it disables the LAN port scan for that tab. And if I click it again, it's going to disable [52:44.190 --> 52:47.930] it for the entire browser. And then when I click it once again, all the ports open again. So I'll [52:47.930 --> 52:53.290] literally have one of those icons light up, or I'll have an application that tells me, hey, there's [52:53.290 --> 52:57.670] weird scans going on in your browser. And then I just real-time click that and continue on my work, [52:57.670 --> 53:02.130] and they're fucked. They got blocked. So, like, people think I've done, like, this amazing [53:02.130 --> 53:07.190] scripting and stuff, or that, like, I'm doing some insane multitasking. No, it's, oh, cool, you're [53:07.190 --> 53:13.250] trying to scan me browsing the website? Blocked. That's it. That's what the tool does. That's the [53:13.250 --> 53:18.470] secret. So to the right of that is an amazing app. I will put it this way: if you had to download [53:19.810 --> 53:26.630] a deep net that does something, a PwnFox. This is really cool. It's spelled P-W-N-F-O-X. [53:26.810 --> 53:32.350] And not only can you, not only can you containerize stuff, which, by the way, [53:32.350 --> 53:37.310] if you've already set up containers with the previous extension, it will find those. So it lists [53:37.310 --> 53:45.490] those containers independently. But when you go to a certain container, it will do Burp proxy and Burp [53:45.490 --> 53:51.550] scans in browser for whatever URL you have containerized.
So let's say you're amassing [53:51.730 --> 53:53.750] a list, you're going through different challenges, or maybe there's multiple [53:53.750 --> 53:58.130] web pages you want to Burp scan, and you can put them all in one container and then open up PwnFox [53:58.130 --> 54:03.290] and then do the Burp proxy scan on it. And now you have all the information for that. So again, [54:03.290 --> 54:11.810] right there in browser. The next four things are all information stuff. So this is not directly [54:11.810 --> 54:17.930] interfacing, but these are really good resources without having you to fumble through manuals, [54:17.930 --> 54:25.710] virtually or in person. And just to know how good these tools are, two of the tools were done by the [54:25.710 --> 54:30.970] winning team of the Global Cyber Games, this Hacker Summer Camp, that happened on Thursday, [54:30.970 --> 54:37.870] which made me confident, that two professional teams, with one of them that won, their person [54:37.870 --> 54:43.990] who was their web browser exploit expert won, because they had two of these. So that's how [54:43.990 --> 54:52.410] important these all are. So the first one is simply called HackTools. And this thing does [54:52.410 --> 54:57.730] multiple, multiple stuff that you can look up; it gives, basically, it's a giant cheat sheet. [54:57.730 --> 55:05.270] If you can't remember Bash commands, or zsh, netcat, PHP, PowerShell, Python, Ruby, you can, [55:05.270 --> 55:12.230] as much, TTY spawn shells, it gives you basically a cheat sheet list for all sorts of different types [55:12.230 --> 55:17.370] of commands that you can enter in, in order to do different types of exploits, without having [55:17.370 --> 55:21.670] you to fumble through the notes. And they're all easily categorized. The next one is called [55:21.670 --> 55:30.050] Recon. And this basically gives you all the tools you need. You can also right-click URLs to use it; it [55:30.050 --> 55:34.350] opens up a new tab.
And it allows you to do multiple different things. You could do a whois, [55:34.350 --> 55:39.870] which you will not use because of an extension that we already have later; you can do DNS lookups, [55:39.870 --> 55:46.170] DNS host records, zone lookup, zone transfers, reverse IP lookup for that address, [55:46.170 --> 55:51.810] GeoIP, you can Nmap scan directly in the browser without even having to load up the terminal, traceroute, [55:51.810 --> 55:56.670] you can do all sorts of stuff with all the sort of recon things that you would normally need [55:56.670 --> 56:01.290] multiple terminal applications for, right in that one browser tab. And you can leave that tab open [56:01.290 --> 56:06.030] and just constantly click back and go back to it. One click opens up the tab, do all the recon [56:06.030 --> 56:11.090] you want with that ISP, and you're good. I just need a quick drink break here. So hang on. [56:15.830 --> 56:20.170] That's been one of my most useful things to cut down time, because in CTFs, [56:20.170 --> 56:24.490] you know, some things obviously have to percolate, like if you're compiling, but time is essential. [56:24.730 --> 56:28.230] The next one after that, that thing that looks like a guy with a trench coat and a top hat, [56:28.230 --> 56:36.070] is the Penetration Testing Kit. No, it's not a dildo. This thing does everything else the other [56:36.070 --> 56:42.850] two don't do. Let's see here, because I'm opening up mine. It's showing OWASP, if there's OWASP [56:42.850 --> 56:48.890] secure headers, the cookie storage in it, spawns up different sessions. I'm on GitHub right now, [56:48.890 --> 56:55.890] it's telling me the value, I can look up the path or directory on this, the age of the website here, [56:55.890 --> 57:01.370] gives me SCA information. It's now actually, it's auto-searching. So, you know how I said [57:01.370 --> 57:08.530] with WPScan, it searched WordPress for vulnerabilities.
This thing will search [57:08.530 --> 57:12.650] vulnerabilities for everything else that's not WordPress. So GitHub usually answers their game [57:12.650 --> 57:18.470] so there was no vulnerable CVEs that were found. But if you did have a website that was not as [57:18.470 --> 57:23.990] secure, SCA scan will bring up all the current CVEs. It shows you all the different types of [57:23.990 --> 57:29.850] proxy stuff that website's done. You can do it, you can edit and do our builder information. [57:29.890 --> 57:35.810] You can also do scan our attack, sorry, our attack information, so red teaming attack [57:35.810 --> 57:43.450] information you put in here. You can also do decoder stuff. And you can also, it also does [57:43.450 --> 57:50.090] its own inbuilt editor. So this is probably going to be your main red teaming thing, to be honest, [57:50.090 --> 57:54.970] besides one other thing in here that I'm going to get to in two icons. The last one of these of [57:54.970 --> 58:00.810] like resource stuff is what's called Evil Villain. You can turn it on and off. And what this simply [58:00.810 --> 58:06.870] does, I'm going to switch it on for this, is it gives you, again, all the other information this [58:06.870 --> 58:14.850] doesn't. So pretty much the first two, the hack tools and the recon, perfect research information. [58:14.850 --> 58:21.390] The penetration testing kit and Evil Villain will be most of your actual red teaming tools [58:21.390 --> 58:25.330] in browsers for particularly web exploits and stuff. And again, anything you would need simple [58:25.330 --> 58:29.710] in terminal, you just launch terminal in browser. If you need to do more complex stuff, that's when [58:29.710 --> 58:34.070] you go to your actual terminal. Again, saves time. Everything's in one location. 
It's also easier to [58:34.070 --> 58:39.810] take browser screenshots that way, especially in Firefox, rather than to do it just through [58:39.810 --> 58:45.570] your desktop and you're fumbling around through files. So it's all sorts of things you can do, [58:45.570 --> 58:51.050] can show blacklist information, different, you can turn on different functions, inner HTML, [58:51.050 --> 58:55.550] outer HTML, create contextual fragments, all the documents, and things like that. It just [58:55.550 --> 59:00.770] basically picks up all the stuff that the penetration testing kit doesn't. So the one [59:00.770 --> 59:04.530] next to him, by the way, jump two slides forward if you can. This is the only other slide I [59:04.530 --> 59:13.390] unfortunately have. I'm sorry. I'm sorry if I'm swearing. I apologize for that. My bad. Okay. So [59:13.390 --> 59:17.530] yeah, so this is unfortunately the only screenshot of one of the things I could do. So this is the [59:17.530 --> 59:25.510] so big question is always like, can you do man in the middle attack in browser? And yes, you can. [59:25.770 --> 59:32.010] While the penetration testing kit has a simple R attack scripting thing, this is a more in-depth [59:32.010 --> 59:37.750] man-in-the-middle scripting for the web. So doing any sort of web or networking information, [59:37.750 --> 59:43.230] you can open this tab and you can insert your own scripts that you've made, blocking rules, [59:43.230 --> 59:47.890] header rules, response, and content scripts. And this just manages so you can take all your scripts [59:47.890 --> 59:52.670] and put them in whichever rule section you want, and it will auto-deploy them and see if you can, [59:52.670 --> 59:57.070] if those scripts execute, congratulations, you've done a minimal attack for that network or that [59:57.070 --> 01:00:03.530] particular website. 
So the next two things are more of stuff that like you would normally use [01:00:03.530 --> 01:00:09.270] if you were a website builder, but they're still very useful in terms of particularly doing [01:00:09.870 --> 01:00:15.550] CTF stuff for web CTF category. So the first I'm actually going to let's see. [01:00:15.930 --> 01:00:22.570] So the first one is called web tester. And once again, this gives you different [01:00:24.470 --> 01:00:29.950] commands that you can put into the URL or in the scripting of a website itself [01:00:30.630 --> 01:00:36.850] in order to figure out how things work. So if you bring up the penetration testing kit, [01:00:36.850 --> 01:00:42.990] or you're working on scripts for man in the middle, and you want to see which XSS scripts [01:00:42.990 --> 01:00:50.790] exploits work or XXE or SQLi, this has the master list of all of them. And instead of literally [01:00:50.790 --> 01:00:54.690] typing them individually or trying to remember them, you can copy paste them in order like, [01:00:54.690 --> 01:00:59.650] let's see, it's when I did the scan, it says an XSS vulnerability. So it's like, let's do [01:01:00.490 --> 01:01:07.010] quote autofocus on focus alert. Do that one that didn't work. Let's try script alert one thing. [01:01:07.010 --> 01:01:11.910] Oh, that's the one that did it. That's the XSS exploit. So that's what that's useful for. It's [01:01:11.910 --> 01:01:17.270] one last reference thing. The one to the right of that, this is kind of bizarre. I've used I've [01:01:17.270 --> 01:01:24.650] actually used this more than you think. This is an AWS agent key ID signer. So I literally had one [01:01:24.650 --> 01:01:31.370] challenge where you had to back wall on AWS and basically had to take over the AWS account. And [01:01:31.370 --> 01:01:39.290] what I did was I did the scan with the penetration testing box tool. 
And then with that information, [01:01:39.290 --> 01:01:45.630] I found its CVE, I found a specific CVE for that website that that server was using, [01:01:45.630 --> 01:01:54.470] that actually gives you partial information, or the AWS key ID. And normally, that's kind of useful [01:01:54.470 --> 01:01:59.230] because it's just like, hey, you can show kind of part of the key ID, but you can't really enter [01:01:59.230 --> 01:02:04.030] in because you need to have special things or know how in order to sign it. With this extension, [01:02:04.030 --> 01:02:09.230] you can so I copied that key ID, I put that in there, I did other stuff to guess the secret, [01:02:09.230 --> 01:02:15.650] and then did that, that sign that pass that code off to that website, their network broke [01:02:15.650 --> 01:02:20.750] because that website and then I got access to the actual agent. And I got that point. So [01:02:21.390 --> 01:02:26.810] it may seem kind of useless if you are not dealing with AWS keys, whether it's for bug bounty [01:02:26.810 --> 01:02:33.150] or on your CTF, you can remove that or temporarily turn it off if you want. But this actually helped me [01:02:33.150 --> 01:02:39.570] get a flag on something. So that's why it's still up there. Okay, so two more quick recon things. [01:02:39.570 --> 01:02:44.890] This one I actually have to put in. This one has like a not CAPTCHA, but it has its own like, [01:02:44.890 --> 01:02:51.290] are you a human? Yes. So the BW is called BuiltWith and simply what this does is any website [01:02:51.290 --> 01:02:54.710] you're on, you click that, it tells you everything you need to know about the website of how they [01:02:54.710 --> 01:03:01.350] made it. So let's go right now. Actually, let's go to the NYC 2600. And I'll bring it up right here. [01:03:01.350 --> 01:03:07.290] Let's see, it's yeah, it says WordPress, Google Font APIs, Contact Form 7, [01:03:07.290 --> 01:03:11.790] its framework is 2015. 
This is all public information, by the way, so I'm not like [01:03:11.790 --> 01:03:18.010] doxing them or anything. It has an Apple mobile web clips icon, viewport meta, it's basically [01:03:18.010 --> 01:03:26.030] very iOS compatible here. Its email hosting provider is SFS usage. That's SSL by default, [01:03:26.030 --> 01:03:34.130] and this again, just amazing recon. So I can like break down and know exactly what this website is [01:03:34.130 --> 01:03:38.550] built out of. And then I start finding websites with that. I've also encountered, there's actually [01:03:38.550 --> 01:03:44.010] plenty of CTFs where sometimes in order to do proper recon for something on attack and defense, [01:03:44.010 --> 01:03:50.390] or let's say with the website, there are actual flags sometimes where in order to do [01:03:50.390 --> 01:03:54.270] the exploits on the website, you actually have to look up an older version. And yes, [01:03:54.270 --> 01:03:58.890] you could type in archive.org or Wayback Machine and funnel through that. Or you can click on that [01:03:58.890 --> 01:04:03.510] trash bin icon and the Wayback Machine is right there. So you click on that, you type in the URL. [01:04:03.510 --> 01:04:07.690] Oh, by the way, are we still on that? Kurt, man, the middle slide. Can we go back two more slides [01:04:07.690 --> 01:04:17.350] so we can see the whole bar again? I realized I forgot to go back. There we go. Perfect. So [01:04:17.730 --> 01:04:22.650] sorry about that. And literally, I think in like two more minutes, we'll be done with this. [01:04:22.650 --> 01:04:26.390] But this gives you Wayback Machine right there. 
So instead of having to even type in the URL [01:04:27.010 --> 01:04:32.170] for Wayback Machine, you just click on that, type in whatever URL or copy paste that URL, and it will [01:04:32.170 --> 01:04:35.870] bring up all the stuff right there, you click on the older version, it will load a separate [01:04:35.870 --> 01:04:40.190] tab for it right there. So you don't have to fumble through Wayback Machine's actual website. [01:04:40.830 --> 01:04:45.030] The other gray, the gray icon to the right of that, because we're going left to right here. [01:04:45.350 --> 01:04:52.090] This simply edits the website. Code wise, this will not affect the website directly. [01:04:52.090 --> 01:04:57.710] Let's say you're doing reconnaissance on a website or attack and defense, or you're trying to find a [01:04:57.710 --> 01:05:02.490] web exploit. And you have to jump for something else. But you want to write, hey, this is where [01:05:02.490 --> 01:05:06.550] we're gonna get into this moment, a hidden input is, you can click on that. And above the hidden [01:05:06.550 --> 01:05:13.450] input, you can type like, you know, quote, and make it red text, hidden input, unquote, and it [01:05:13.450 --> 01:05:17.110] will display that on the website visually. And then you go back and edit it. And then when you [01:05:17.110 --> 01:05:20.310] go back to the page, like where did I put the hidden input? Oh, I wrote it right here. So [01:05:20.310 --> 01:05:23.870] this basically allows you to doodle on the website and change whatever you want. It does [01:05:23.870 --> 01:05:28.530] not affect the end website. It also loads the website in that browser, you're not editing any [01:05:28.530 --> 01:05:33.610] of the actual code. It's just visually for you. So you can take notes on what you're doing with [01:05:33.610 --> 01:05:39.110] that website. Um, we get out of that mode in a second. So you click it to turn it off. 
It's [01:05:39.110 --> 01:05:43.050] going to be a bunch of web stuff next. So we're going to jump to over. So we're skipping that [01:05:43.050 --> 01:05:48.190] bug. There's a reason why I'm skipping all the little bug icons, by the way. So the next one [01:05:48.190 --> 01:05:56.630] that's that HTML5 logo that's left to the gear, this is simply a blocker. So it has four categories, [01:05:56.630 --> 01:06:02.890] JavaScript, CSS, image, object and media. And you can go to a website and you can click on the CSS tab. [01:06:02.890 --> 01:06:08.710] And when you refresh the page, all the CSS will turn off and it will load but not load any of the [01:06:08.710 --> 01:06:13.130] CSS. Same thing, you can turn off all the images, you can turn off all the JavaScript, even though [01:06:13.130 --> 01:06:19.170] you could do that also with NoScript, all the objects, all the media. And again, not only [01:06:19.170 --> 01:06:25.050] you can tell by futzing with it, how a website's built without even looking at the code. [01:06:25.610 --> 01:06:31.350] If you want more comprehensive editing for a website, you have that gear icon, which is Web [01:06:31.350 --> 01:06:37.130] Developer. This lets you access and see. It allows you to disable, turn on, off, way more things. So [01:06:37.130 --> 01:06:41.470] for example, they have a CSS tab and this allows you to disable all styles, you can disable all [01:06:41.470 --> 01:06:46.550] the embed styles, all the print styles, edit the CSS or view it directly. And it's just a more [01:06:46.550 --> 01:06:52.490] comprehensive version of the previous extension. These next two are quite simple. So that little Superman [01:06:52.490 --> 01:07:00.050] icon with the HTML5 logo opens up a new pad, you can edit HTML5 directly in there, not the [01:07:00.050 --> 01:07:05.150] website you were on. 
But if you have to generate any sort of HTML, like copy it, does it right there, [01:07:05.150 --> 01:07:09.490] gives you four windows, an HTML editor, a CSS editor, a JavaScript editor, and the preview of what [01:07:09.490 --> 01:07:13.330] all three of them will look like when you load it. And you can do website stuff there without [01:07:13.330 --> 01:07:19.990] loading VSCodium or TXT or whatever. Similar to it is the one next to it with that little M pointed down icon [01:07:19.990 --> 01:07:27.270] to its right. Markdown editor opens up a new window for markdown. And it works exactly like [01:07:27.270 --> 01:07:31.490] any other editor: on the left is the markdown code, on the right is all the formatting that you can [01:07:31.490 --> 01:07:36.610] see. So you can edit markdown right there. Also to note, I've configured this browser [01:07:37.870 --> 01:07:43.230] so that not only when you click on a dot MD or a markdown file, it will actually show the [01:07:43.230 --> 01:07:48.930] markdown code in the website. So it won't load down the it won't download the file, it won't [01:07:48.930 --> 01:07:52.870] show you the finished thing with the formatting, it will show you the markdown code right there. [01:07:52.870 --> 01:07:57.450] So you can copy pasta that into the markdown editor all in browser. But it also does that [01:07:57.450 --> 01:08:01.670] with JSON files. So instead of downloading the JSON, if you want to download it, you can right [01:08:01.670 --> 01:08:06.690] click save it. But if you click on the link, it will load all the dot JSON information right there [01:08:06.690 --> 01:08:12.010] in the browser. So just putting that out there. Okay, we're almost done here. So the next one, [01:08:12.010 --> 01:08:15.590] which is very useful, let's say you're going to a website, you're doing recon, [01:08:15.590 --> 01:08:19.450] or you're trying to find an exploit, but it has a billion pieces of information. 
[01:08:20.150 --> 01:08:22.930] There's like, let's say you're on the New York Times, or you're trying to find bugs, [01:08:22.930 --> 01:08:25.750] bugs from New York Times, but it's just you know, you know, the New York Times are just [01:08:25.750 --> 01:08:31.110] bullet shot, just stuff everywhere, images and everything. What this does, it's called the [01:08:31.110 --> 01:08:36.050] headings map, you click on it, it opens up kind of like a browser bookmark tab to the left of [01:08:36.050 --> 01:08:40.830] the website. It's the current website you're looking at there opens it up. And it gives you [01:08:40.830 --> 01:08:47.750] in text a breakdown in a tree. So, you know, for New York Times, it will say top news story, [01:08:47.750 --> 01:08:52.150] and then underneath that list, all the news story listings, and then underneath that will be like [01:08:52.150 --> 01:08:57.890] opinion piece header, all of that. So just visually, in text breaks down all the stuff [01:08:57.890 --> 01:09:02.410] that you're seeing, so you're not overwhelmed with noise. And you can go and click on a section [01:09:02.410 --> 01:09:06.910] and it will bring visually the website you're looking at right to that section. Again, we're [01:09:06.910 --> 01:09:10.130] trying to speed up the process. So instead of you trying to be like, what am I looking at, [01:09:10.130 --> 01:09:13.610] what I'm looking for, you click on headings map. Okay, that's what I was looking for content [01:09:13.610 --> 01:09:19.870] creation, click and it'll bring you right there all inside the browser tab. These next two, [01:09:19.870 --> 01:09:25.450] I love these two, I love these extensions. So that little fox icon has nothing to do with [01:09:25.450 --> 01:09:31.750] Firefox. It's called hack the form. And simply what it does, and if I had video, I would show [01:09:31.750 --> 01:09:36.850] it to you. So I'll show that next week. There's a thing in HTML called hidden input. 
So anytime [01:09:36.850 --> 01:09:42.390] you see a little input window, a lot of times when you're typing stuff, there's other info [01:09:42.390 --> 01:09:47.270] that's being dynamically it's encoded into the page, but it doesn't render and you visually [01:09:47.270 --> 01:09:53.010] can't see it. So let's say, you know, you're typing in, oh, I don't know, like, maybe like, [01:09:53.010 --> 01:09:56.790] it's a directory listing for different restaurants. But when you type in the restaurant name, [01:09:56.790 --> 01:10:01.770] it's breaking down, like, what font you're using, what's capital and what's lowercase, [01:10:01.770 --> 01:10:07.510] things like that. And with JavaScript stuff, in particular, if you have a password screen, [01:10:07.510 --> 01:10:11.550] there's a lot of stuff that's not rendered on the page that's showing behind the scenes. Because [01:10:11.550 --> 01:10:17.290] if you saw those things, you'd be able to reverse engineer the password. If you ever are on an [01:10:17.290 --> 01:10:23.710] input thing, you click the hack the form button, and it will show what the inputs are in real time [01:10:23.710 --> 01:10:28.890] as if it was rendered in the browser without that privacy shield turned off. So I've literally had [01:10:28.890 --> 01:10:33.010] challenges where they make a base website, and it's like, tee hee, haha, people don't usually [01:10:33.010 --> 01:10:37.570] do this anymore. There's a JavaScript login password instead of trying to do like, brute [01:10:37.570 --> 01:10:43.330] force attack and scripting. I just click hack this form, literally shows the password in the [01:10:43.330 --> 01:10:48.070] hidden form part of it and the copy paste of that password into the password and yo dog, [01:10:48.070 --> 01:10:53.330] I heard you like passwords I got in, things like that. The one to the right of it, which I actually [01:10:53.330 --> 01:10:58.710] need to place it differently on my browser, it's called I am not a human. 
It's simple. A lot of [01:10:58.710 --> 01:11:05.810] websites respond differently if they think you're a bot. So besides chameleon, which I'll get to [01:11:05.810 --> 01:11:13.990] near the end, if you show up, for example, Amazon.com, you click on that button, Amazon will [01:11:13.990 --> 01:11:19.410] show you a ton of developer information that users don't normally see, just because it thinks you're [01:11:19.590 --> 01:11:24.690] a bot that's looking at developer information. So sometimes by advertising yourself as a bot [01:11:24.690 --> 01:11:29.430] through the browser, you will get browser information for whatever you're doing reconnaissance [01:11:29.430 --> 01:11:34.690] on or bug bounding or you didn't even know what that was there or that could be rendered on the [01:11:34.690 --> 01:11:41.730] page and you can toggle it on and off. To the right of that is .git. If that website has any [01:11:41.730 --> 01:11:46.590] git repos, it will search for them, bring them all up. You can download each individual one because [01:11:46.590 --> 01:11:50.590] there's some web challenges where you have to find the hidden git repo and in that git repo [01:11:50.590 --> 01:11:56.790] is a flag. This will find it almost instantaneously. To the right of that is a code injector. [01:11:56.790 --> 01:12:00.890] So this is another place where you can put in scripts similar to the man in the middle, but [01:12:00.890 --> 01:12:05.590] instead you're doing code injection directly on the website. I also have another code injector. [01:12:05.590 --> 01:12:13.270] If you do the control shift B, sorry, not control shift B, the control B for bookmarks, [01:12:13.270 --> 01:12:17.570] you can change the tab. There's another injection for right there just in case you're in the bookmark [01:12:17.570 --> 01:12:22.810] area, but it's always good to have a script injector. 
And actually both of these, the blue [01:12:22.810 --> 01:12:27.490] one and that black one next to each other, there's a code injector and script injector. They each have [01:12:27.490 --> 01:12:33.630] different tool uses. So I put both of them on there. I also have a JavaScript injector. So all three [01:12:33.630 --> 01:12:39.250] of those are injector apps. Probably you only really need one of them, but I put it so that [01:12:39.250 --> 01:12:43.730] when you download the profile, whichever ones you don't want to use, you can delete. So that little [01:12:43.730 --> 01:12:49.290] playback looking icon is called tweak. It's grayed out. It's left to that little circle [01:12:49.290 --> 01:12:54.450] with the IP. And what it simply does, and it's really powerful, is it allows you to mock and [01:12:54.450 --> 01:13:00.730] modify HTTP and HTTPS requests, which is really useful if you're doing CTF stuff. Finally, the last [01:13:00.730 --> 01:13:09.270] of the recon stuff, the IP in the circle, it uses DNSlytics to search for the IP of the [01:13:09.270 --> 01:13:13.490] website that you're on. And it does the reverse DNS, the IP range, all of that, shows you visual [01:13:13.490 --> 01:13:19.190] maps of where all that stuff is located. And then to the right of that, the one that says IMP will [01:13:19.190 --> 01:13:24.970] show you what your current IP address is, which is really useful if you're using Tor or VPN, so that [01:13:24.970 --> 01:13:31.850] you know if it's like working or not. So it's like in my VPN, you guys, oh, that's my ISP. [01:13:32.190 --> 01:13:36.150] Or maybe someone's like doing weird things, like let's say attack and defense, and they're affecting [01:13:36.150 --> 01:13:41.210] your ISP on your side, you'll be able to click on it. Just really good to know what your current ISP [01:13:41.210 --> 01:13:47.170] is at any time that you want. The right of that is a really useful tool called Lightbeam. 
This is [01:13:47.750 --> 01:13:52.870] a deprecated extension by Firefox. And essentially, as you browse websites, you ever see [01:13:52.870 --> 01:13:57.590] any fans of... It's Always Sunny in Philadelphia, so you probably remember the whole Pepe Silvia [01:13:57.590 --> 01:14:02.130] skit that turned into a meme where he goes completely paranoid at his job. So he has the [01:14:02.130 --> 01:14:07.810] whole newspaper clippings, and he has the string yarn connecting all this stuff. That's what Firefox [01:14:07.810 --> 01:14:14.210] Lightbeam does, but it does that with you visiting websites. So as you visit websites all the time, [01:14:14.210 --> 01:14:18.730] it will show you a visual graph of all the websites that you've visited, how those websites [01:14:18.730 --> 01:14:23.770] relate to each other, and to the other websites like other Google Analytics and other data mining [01:14:23.770 --> 01:14:29.050] stuff of what's connected to it, and where, and what those are connected to. So it gives you a [01:14:29.050 --> 01:14:35.070] topology map of where you've been surfing, and where those websites have been. Final couple of [01:14:35.070 --> 01:14:40.110] extensions here on this bar, and then we have two more to look at, and we're done, is NetSpeedTest, [01:14:40.110 --> 01:14:43.970] which just basically at any time lets you test your internet speed. You click on it, [01:14:43.970 --> 01:14:48.730] it's right now estimating my base speed right now. It takes a little bit, a couple of seconds, [01:14:48.730 --> 01:14:52.490] if it... probably by the time I'm done talking it will load, but I'm not going to read you this [01:14:52.490 --> 01:14:56.250] stuff. But it lets you know your uptime, downtime speed. Again, a lot of times when you're, [01:14:56.250 --> 01:15:01.270] especially in attack and defense, if your speeds are off, that means something wrong is going on. 
[01:15:01.270 --> 01:15:05.130] It's kind of like how they say if you hear your fan kick on, you're being hit by malware or a [01:15:05.130 --> 01:15:14.590] miner. A lot of times, F3 goes on with... people are screwing around with your network speed when [01:15:14.590 --> 01:15:18.950] they modify something on your network. So that's just a great way to know what's your speed going [01:15:18.950 --> 01:15:23.490] on. To the right of that is Network Monitor, just shows all the different types of requests, [01:15:23.490 --> 01:15:28.190] information. The right of that is Chameleon, which allows you to change your user agent to [01:15:28.190 --> 01:15:33.270] all different types of browser and operating system types. Always very useful. And then [01:15:33.270 --> 01:15:38.710] finally is SimpleLogin. So anytime you have to deal with a CTF or a recon, it's also just good [01:15:38.710 --> 01:15:43.790] for private stuff in general. You create an account here, you can also sign in with an API key. [01:15:43.850 --> 01:15:47.850] And what SimpleLogin will do is it'll generate endless forwarding emails. So you can hit [01:15:47.850 --> 01:15:52.410] generate a new email, it generates it, you put it in that to sign up for the account. And let's [01:15:52.410 --> 01:15:58.090] say they start spamming you about Cuisinart food vacuum cleaners and stuff, you can kill that [01:15:58.090 --> 01:16:02.490] account and it doesn't know what your email is because that was simply a forwarding address. [01:16:02.490 --> 01:16:08.030] Spins up endless email forwarding addresses. All the way to the left. So if you look at [01:16:08.030 --> 01:16:14.090] what I have with the presentation, you can see the full browser. All the way to the left, [01:16:14.090 --> 01:16:20.570] there is a little eraser icon. There's a reason why I quarantined that all the way to the left. [01:16:20.570 --> 01:16:27.870] This is the forget button. 
What this does is if your browser is really screwed up or compromised, [01:16:27.870 --> 01:16:32.050] especially in red team blue teaming, they've screwed your browser up, you've downloaded something [01:16:32.050 --> 01:16:39.050] or there's some malicious cookie that you just can't modify or get rid of, [01:16:39.050 --> 01:16:42.630] and you're about to be screwed, or they're pulling information off your browser, [01:16:42.630 --> 01:16:48.730] you hit that button, it closes Firefox, it opens it again, and everything about this is gone. [01:16:48.790 --> 01:16:53.650] You will still have the extensions there. But your bookmarks will be gone, your cookies will [01:16:53.650 --> 01:16:57.890] be cleared. Everything that you were doing with that is gone. It's essentially a giant reboot [01:16:57.890 --> 01:17:01.150] button. And that's why it's quarantined all the way to the left. I didn't want to put it with [01:17:01.150 --> 01:17:05.110] the rest of these icons and you're like trying to figure out your network speed and up, I click the [01:17:06.350 --> 01:17:10.350] nuke button and it killed everything. So I put that button all the way there. [01:17:11.150 --> 01:17:16.810] Finally, last two things about this and I swear to God we're done. A lot of people probably know [01:17:16.810 --> 01:17:22.750] the whole F12 thing, that when you're on Chrome and Firefox, when you hit F12, you can inspect the [01:17:22.750 --> 01:17:28.070] current code on there. Like right now I'm in Firefox's console debugger. Stuff by default, [01:17:28.070 --> 01:17:31.850] it's really good for like when you're making websites. A couple of the extensions, which is [01:17:31.850 --> 01:17:36.550] why I skipped some over them, use this and interface with this. So the first one that I've [01:17:36.550 --> 01:17:42.870] added here is FirePHP. And simply what that thing does is that those are those little bug icons. 
So [01:17:42.870 --> 01:17:48.910] when the little bug icon lights up, it lets you know there's PHP you can exploit and edit. You [01:17:48.910 --> 01:17:57.070] can also go into the URL tab and hit the little button to enable and turn it on. So it can look [01:17:57.070 --> 01:18:02.770] at it up like yes, you can read it. And what it will do is you can start looking at and potentially [01:18:02.770 --> 01:18:08.790] if it's super insecure, start editing the PHP right there without having to use a red teaming [01:18:08.790 --> 01:18:14.670] application to go to the URL and pull their PHP out manually and then look at it in your code. And [01:18:14.670 --> 01:18:24.030] you can do it right here on the F12 tab. Same thing with the HTML validator, which will allow [01:18:24.030 --> 01:18:29.210] you to go through the HTML code and see if there's any exploits line by line through the code of the [01:18:29.210 --> 01:18:33.430] website that you're currently looking on. So it's really good to use in conjunction with the WPScan [01:18:33.430 --> 01:18:38.330] and the pen testing box and everything else. And then I put both HackBars in here [01:18:39.710 --> 01:18:44.510] offhand. So I know I already have the script injectors, but let's say you're in the F12 thing [01:18:44.510 --> 01:18:48.090] and you for some reason don't want to move your mouse all the way up to do the script injection. [01:18:48.090 --> 01:18:56.790] You can do both of them right here. SQL, XSS, LFI, the other one has LDAP, WAF, things like that. [01:18:56.790 --> 01:19:02.190] And then lastly, also in F12 is its own cookie editor. So again, if you don't want to go into [01:19:02.190 --> 01:19:07.410] web mode, you're right now in the debugging mode, you can do the cookie editing right there. [01:19:07.410 --> 01:19:11.710] And that's all the F12 stuff. So yeah, a couple of modifications in the background. Again, [01:19:11.710 --> 01:19:18.170] it loads JSON and markdown files directly in browser. 
One or two privacy things and search [01:19:18.170 --> 01:19:23.130] stuff are enabled. Most of it's extensions. Again, you probably don't need all of these extensions. It [01:19:23.130 --> 01:19:28.190] depends on what your threat model is. I just put this together because it covers every single thing [01:19:28.190 --> 01:19:32.870] you would need to do for red teaming. So whether you are going to load your own Firefox profile [01:19:32.870 --> 01:19:37.170] instance, and download individual extensions, because you only need five, or if you take the [01:19:37.170 --> 01:19:42.470] profile and you take some of them off or put them back on, it's all up to you. I just put everything [01:19:42.470 --> 01:19:47.310] there so you can edit it all if you want. And to use a modified quote from Fear and Loathing in Las [01:19:47.310 --> 01:19:54.970] Vegas, when you start an extensive red teaming browser extension list, you tend to try to push [01:19:54.970 --> 01:20:00.610] it as far as it can go. Before I end the talk, the last thing that I want to tell you about this is, [01:20:00.610 --> 01:20:05.510] you'll notice in that bar underneath, there's a bunch of bookmark files. And these have different [01:20:05.510 --> 01:20:11.890] things. And first of all, because I made it and it's under DCG 201, there's a link to our Medium [01:20:11.890 --> 01:20:19.330] blog. So that's my accreditation to our group. And you click on it, brings up our page, tells you [01:20:19.330 --> 01:20:24.230] when the meetings are, things like that. That's all that bookmark is. But then there are four [01:20:24.230 --> 01:20:28.250] folders. Other bookmarks are just random bookmarks for things. It also has bookmarks for some [01:20:28.250 --> 01:20:31.890] extensions you might want to look at that I just simply didn't include because I didn't think they [01:20:31.890 --> 01:20:38.030] were that important. 
But the three main ones here is you have a Hacker OS bookmark tab, which will, [01:20:38.030 --> 01:20:44.130] if you've never had to do pre-made OS for penetration testing, it has all of them here. [01:20:44.130 --> 01:20:49.910] It has different versions of Kali Linux, Parrot Security, Black Arch, guides to how to modify [01:20:49.910 --> 01:20:58.190] your MacBook. Let's say you're loading this browser on a MacBook to make it CTF ready, [01:20:58.190 --> 01:21:04.990] has listings for Windows options, things like that. The Privacy tab not only gives you guides [01:21:04.990 --> 01:21:11.010] of how to do better web privacy stuff, but also gives cool listing tools for if you were more [01:21:11.010 --> 01:21:17.390] privacy conscious as the link right here for SecureDrop, a link to an EXIF cleaner, [01:21:17.390 --> 01:21:22.170] CryptPad for sharing notes, cryptography advice, things like that. But the two big ones here are [01:21:22.170 --> 01:21:29.110] the Pentest links, which to me is a curated list of online tools that you can use that are not [01:21:29.110 --> 01:21:34.190] extensions that you'd be able to use for this, such as the Crocodile Hunter from Electronic Frontier [01:21:34.190 --> 01:21:41.690] Foundation, which allows you to track certain extensions in real time, has an NFT scanner, [01:21:41.690 --> 01:21:45.890] if your challenge has to do with NFTs, because I've seen a couple of those challenges pop up, [01:21:45.890 --> 01:21:51.210] Browser Leaks, which allows you to test the actual Firefox browser that you're currently in, stuff like that. [01:21:51.210 --> 01:21:56.110] And then probably the most important tab is a Learn page. This has tutorials for all sorts of [01:21:56.110 --> 01:22:02.370] things. It has documentations for different versions of Linux like Debian. It has a free and [01:22:02.370 --> 01:22:08.750] open source programming book directories. It has networking books, cryptography books. 
By the way, [01:22:08.750 --> 01:22:14.230] one extension I forgot, you can not only right click images and it can steganography, look at the [01:22:14.230 --> 01:22:20.550] graphics of that image, but you can also right click highlighted text. Like let's say you find [01:22:20.550 --> 01:22:27.770] an encrypted key, like the actual encrypted key, all that crazy stuff. You can highlight that, [01:22:27.770 --> 01:22:33.550] right click it, and you can use different cryptological methods to attempt to decrypt it. [01:22:33.550 --> 01:22:37.470] So I forgot to mention that, but there's cryptography books in this browser listing, [01:22:37.470 --> 01:22:46.010] and it also has links to CTF resources, such as Hack the Box, and Hacker101, picoCTF, [01:22:46.010 --> 01:22:50.450] which is a great beginner CTF. And then all the way at the bottom, it has a bunch of really useful [01:22:50.450 --> 01:23:00.470] tutorials on how to do a lot of intermediate to complex CTFs and security stuff, such as [01:23:00.470 --> 01:23:10.770] securing a shell account on a shared server, or how to set up VM instances so you can learn how [01:23:10.770 --> 01:23:18.290] to do password cracking all on your own time, how to use Metasploit, things like that, all in there. [01:23:18.290 --> 01:23:23.790] So if you're ever lost, or you downloaded this, and you're like me when I started this beginning [01:23:23.790 --> 01:23:27.710] CTF, and you're like, I don't know really how to program in Python, and how do you do this [01:23:27.710 --> 01:23:34.570] subscripting stuff, that Learn tab has all the stuff in there. And yeah, quick recap, basically [01:23:34.570 --> 01:23:43.270] my talk has extensions, has a lot of reconnaissance, bug bounty, and even direct red teaming attack [01:23:43.270 --> 01:23:50.090] stuff, such as man-in-the-middle, IP scanning, script injections, things like that. 
And it has [01:23:50.270 --> 01:23:57.290] a ton of resources for learning on how to do red teaming and privacy and security stuff all built [01:23:57.290 --> 01:24:04.170] in. Next week, the day after, so the DCG 201 meeting is going to be on August 19th. [01:24:04.170 --> 01:24:10.670] That one's going to be in person at Helen's Pizza in Jersey City, New Jersey. All the information [01:24:10.670 --> 01:24:17.070] will be on our blog on Monday. The day after will be the live stream version of that meeting, and I [01:24:17.070 --> 01:24:21.490] will visually go over the same thing all over again, except I'll be clicking and doing this stuff in [01:24:21.490 --> 01:24:27.570] real time. And that day, you will see a blog post that will go over, it'll have the individual [01:24:27.570 --> 01:24:32.050] extensions and the links to them. So if you just want to download them individually, you can. [01:24:32.050 --> 01:24:37.770] And then it will have both a zip and a tar that you can bring in, go to about:profiles, [01:24:37.770 --> 01:24:42.410] drag and drop that into a new profile, and it'll load up all this stuff as is. And you can just [01:24:42.410 --> 01:24:48.890] start literally hacking away at websites and doing bug bounties. So I wasn't planning for any [01:24:48.890 --> 01:24:52.790] questions or anything. I didn't know if anyone had any, but if you did, I guess you could say [01:24:52.790 --> 01:24:58.030] that now unless we're out of time. Otherwise, thank you for listening to me ramble about extensions [01:24:58.030 --> 01:25:03.130] for a while. I cannot wait till the tool drop next week. And when you do it, definitely send me [01:25:03.130 --> 01:25:07.610] feedback. Tell me if things aren't working. Tell me if certain extensions have stopped working. [01:25:07.610 --> 01:25:12.270] If you have a better idea of how to do something or a better extension or a better modification, [01:25:12.270 --> 01:25:17.510] tell me that. 
Not only will I add that in there, but I will credit you on the blog and stuff for [01:25:17.510 --> 01:25:21.710] any further modification that I've made if you've made any suggestions. So thank you for listening, [01:25:21.710 --> 01:25:25.970] and I hope everyone has a fantastic DEF CON, whether you're in person or virtually. [01:25:26.410 --> 01:25:35.250] And as Locklab used to say, stay safe and stay legal. And if Vegas floods again, do not [01:25:35.250 --> 01:25:40.990] try to surf the waves. I'm from New Jersey. I know the Hudson River. Just like the Hudson River, [01:25:40.990 --> 01:25:44.510] you don't know where that water's been. Thank you. I don't know if there's time for questions, [01:25:44.510 --> 01:25:50.290] but that's the end of my talk. Well, thank you for such an interesting presentation. [01:25:50.470 --> 01:25:57.490] And this is the last presentation of our event. Our space will be open through noon tomorrow, [01:25:57.490 --> 01:26:01.510] so you can come back and play around and throw the cow off the roof and hang out and talk and [01:26:01.510 --> 01:26:07.750] that sort of thing. I'll be there. And you can ask some questions tomorrow too. [01:26:07.750 --> 01:26:13.910] And also, we have fireworks for the grand finale, so go at it. Thank you all for coming. [01:26:15.630 --> 01:26:18.010] Woo! Thank you.