149: Mini-Stories: Vol 3

There's some really incredible scam artists out there, and I mean top-tier ones, and those ones really intrigue me.

One of my favorites is a guy named Victor Lustag.

Well, that's not his real name, but that's the name he was famous for.

This guy was going around scamming people in the early 1900s.

And there was one scam he did where he got $32,000 in liberty bonds together and went into a bank to trade them in.

And the bank offered him $10,000 in cash and some farmland.

And he took that deal and signed all the paperwork.

But just as he was about to leave, he did some sleight of hand and switched the envelopes and walked out with the cash and the farmland and the liberty bonds that he walked in with.

The bank did not like this and called the cops on him who caught him in Kansas City.

But he convinced them that if they pressed charges, then the story would get out and it would be terrible for the reputation for the bank.

Customers wouldn't want to use a bank that's this careless with the deals they make.

He was so good at convincing them of of this that the bank dropped the charges and gave him $1,000 to not tell anyone and keep the story quiet.

But the most brazen scam that Victor Lustig did was when he went to Paris.

The Eiffel Tower was built for the 1887 World's Fair and some thought it was going to be a temporary structure and by 1925 it was needing repairs.

Victor leaned into this and called five scrap metal companies to come meet him at a fancy hotel in Paris and he said he was a deputy director with the French government and even had fancy stationery to prove it.

And he told them that the maintenance of the Eiffel Tower was becoming too high, and they were looking for a company to dismantle it and purchase the scrap metal.

But he also said this deal needed to be hidden from the public to avoid controversy.

And one of these companies was eager to take the deal and ended up paying Victor a large sum of money.

And yeah, as soon as Victor got the cash, he immediately fled the country and left France.

He sold the Eiffel Tower.

But he kept a close eye on the news back in France to see how much trouble he'd be in.

But the news never reported this.

I guess the guy he scammed was too in Paris to report it to the police.

So Victor thought, this was such a great scam.

Why not do it again?

So he goes back to Paris to try it again.

I mean, why let all that fancy stationery go to waste, you know?

So he called five new companies in to pitch them, too.

But one of them saw right through the scam and called the cops.

Victor saw the cops were coming for him and he narrowly escaped, this time fleeing all the way to the United States.

Amazingly, when he got to the United States, he scammed Al Capone

and later tried to make counterfeit money, which is how he got arrested by making fake money.

But funnily enough, when he was arrested, he was put in the same prison as Al Capone.

What a wild guy Victor Lustag was.

These are true stories from the dark side of the internet.

I'm Jack Reeseider.

This is Darknet Diaries.

This show is sponsored by Delete Me.

Delete Me makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.

DeleteMe knows your privacy is worth protecting.

Sign up and provide DeleteMe with exactly what information you want deleted and their experts will take it from there.

DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.

They're even on the lookout for new data leaks that might re-release info about you.

Privacy is a super important topic for me.

So a year ago, I signed up.

DeleteMe immediately got busy scouring the internet looking for my name and gave me reports of what they found.

Then they got busy deleting things.

It was great to have someone on my team when it comes to protecting my privacy.

Take control of your data and keep your private life private by signing up for Delete Me.

Now at a special discount for my listeners, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknet diaries and use promo code dd20 at checkout.

The only way to get 20% off is to go to joindeleteme.com slash darknet diaries and enter code dd20 at checkout.

That's joindeleteme.com slash darknet diaries code dd20.

This episode is sponsored by my friends at Black Hills Information Security.

Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.

Through their anti-siphon training program, they teach you how to think like an attacker, from SOC analyst skills to how to defend your network with traps and deceptions.

It's hands-on, practical training built for defenders who want to level up.

Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses all designed by hackers.

For hackers.

But do you need someone to do a penetration test to see where your defenses stand?

Or are you looking for 24-7 monitoring from their active SOC team?

Or maybe you're ready for continuous pen testing where testing never stops and your systems stay battle ready all the time.

Well, they can help you with all of that.

They've even made a card game.

It's called Backdoors and Breaches.

The idea is simple.

It teaches people cybersecurity while they play.

Companies use it to stress test their defenses.

Teachers use it in the classroom to train the next generation.

And if you're curious, there's a free version online that you can try right now.

And this fall, they're launching a brand new competitive edition of Backdoors and Breaches, where you and your friends can go head to head hacking and defending just like the real thing.

Check it all out at blackhillsinfosec.com/slash darknet.

That's blackhillsinfosec.com/slash slash darknet.

So, what should we call you?

Evil Mog is fine.

Okay, we'll call you Evil Mog.

How do you get that name?

Where's that come from?

All right, so it's funny.

I'm a glider pilot, and so the first aircraft I ever flew was CF or CG Mog.

It also happened to be a Final Fantasy character.

The problem was I had that as my gamer handle for years.

And then I met Matthew Agorman at DerbyCon, and he had the same initials.

And so we decided to deconfliction.

And because he had the name, I figured I'd change mine to be polite.

And so I became Evil Mog, and that was my IRC handle from thenceforth.

IRC, I remember those days.

We were young then.

Did you do any stupid things when you were young on IRC?

Yeah, so I was kind of stupid and was doing a fair bit of, you know, online piracy, freaking,

you know, a little bit of other various things.

And, you know, back then, it was fairly easy to trace people because, you know, young, dumb, and stupid.

And so, you know, I get this kind of stern knock on the door.

A stern knock sounded urgent and menacing.

He opened the door and saw the police were standing at his front door.

And they're like, We know everything you've been doing.

You have a choice.

You either stop now and play good, or you're gonna, you know, we either put you in juvie, but Canada's prisons are kind of crap for kids.

So they're like, or or we can just get a technology ban on you that'll last till you're 30.

You'll never get a job in technology.

I'm like, yes, sir.

I'll be good, sir.

Here we are, sir.

And, you know, kind of off we went.

Okay, so hold on a second.

I've pirated and I've done some freaking.

The cops never came to my house.

It sounds like you might have done more than that or went over the house.

I might have done a little bit more than that.

Just a little bit.

See, remember back when the early credit card numbers had a specific way of validating that they were legit?

I was publishing bogus credit card number generators that only sort of worked half the time on local BBS systems.

Did they work at all?

Because I can't even imagine this work.

They wouldn't work for authorization, but they'd work for input validation on websites to like, you know, hey, let's go pop on to, let's say, the early porn sites, for example.

They'd get you enough to get your free trial, and then they'd mysteriously error out.

When I was a teenager, I didn't understand how credit cards worked at all.

Like in my head, it just seemed like 16 random numbers.

And if you knew those 16 numbers, could you buy stuff?

So I thought, okay, let's test that theory.

And as a teen, I went to a website, put in 16 random numbers just to see what happened.

I thought if it worked, I'd have no idea whose number I just used.

And I could just say I typed the wrong number if they asked me.

But no matter how many 16-digit credit card numbers numbers I put into a website, it never worked.

Every one was an invalid number.

Apparently, it's more complicated than just that.

There's that whole LUNS check, right?

There's some math behind it.

I'd looked up because I didn't have the generator quite right.

Like some of the checksums didn't match, but most of them kind of did.

It was enough they could pass like a cheap regex, but that's about it.

Eva Mogg loved flying planes when he was a kid and signed up for junior glider classes taught by the Canadian military.

I was a cadet back when I was younger, from 12 to 19.

I got my glider license before I learned how to drive a car.

From there, he joined the military and taught other kids how to fly gliders, but his other passion was computers, and the military was offering to pay his training to learn more about computers.

So I had an option to go back to school, went back to SATE as a network engineer, did six months of like CCNA, MCSA,

Linux LPI 1, level 2, level 3, that kind of stuff.

And that's what kind of restarted my career when I was in my early 20s.

So he spent four years in the military and then went to work for IBM.

So basically, I got the phone call from a friend to go over to Afghanistan.

And he said, there's this company called Network Innovations.

And basically, what they do is they run the morale, voice, and internet services for the Canadian forces.

So what that means is you have soldiers calling their families back home from like the big super fobs or the small little remote outposts.

And so he's like, hey, do you want to go over for six months?

And I'd already released from the reserves at this point.

I said, yeah, sure, let's go over.

I had nothing else to do and I wanted some money.

So, and it was all tax-free.

So I deployed over.

Well, there, so hold on.

It's not just like going over to France.

Afghanistan, there was an active war zone, wasn't it?

It was.

Yeah, it was totally.

Regional Command South in 2008 was hot to say the least.

I wanted to go do something useful.

I always kind of did.

And my parents were like, you're not going over.

I'm like, sorry, I'm going over.

I want to pay off some debts and I want to go do something good with,

you know, for the folks that are over there.

You know, there's a little bit of pre-deployment training, nothing much.

Just here's the, you know, here's how to wear a gas mask.

Here's how to put on a bulletproof vest.

And then here's a whole whackload of vaccinations.

Then all of a sudden there's some kid from the styx out in the middle of an active war zone.

So even though he was military trained, he was in the war zone as a private contractor.

And his job was to go to forward operating bases, or FOBS, to work on the network there.

There's satellite, there's microwave.

Basically, these people need to be able to contact family or else they're going to go nuts.

I mean, it's like being stuck out in the middle of the bush for six months.

So my world was just...

morale voice.

The Canadian forces handled all the tactical and all the operational.

My entire mission was making sure people could call their families.

These FOBs were often on the front line of the war zone in Afghanistan.

It's dusty, war-torn, and weathered.

Computers don't like these kind of environments because they're delicate and fragile, not rugged and battle-ready.

So he was constantly being sent to troubleshoot computers and networking equipment that was breaking in war zones.

Oh, I'd set it up as well.

Like, say, for example, we'd have a new site and they're like, hey, we need to get, you know, FOB whatever the heck back online.

They'd send me out in the back of a convoy with a little Pelican case with, say, here's a tiny little BN terminal, which is a small mini satellite.

Or in the case of a larger FOB, here's a bunch of Pelican cases with an auto acquire satellite dish.

You'd go roll out, set up the SATCOM dish, hook it into a couple of laptops and a router and a switch, a little tiny

PBX system, et cetera, and then

do a couple phone call tests to make sure everything works.

That was all she wrote.

They set up this comm shack inside a 40-foot-long cargo seed container, and he'd go base to base, setting up or fixing the networks inside there.

And there was never a dull moment.

you know i roll it on site i'm in the middle of doing a repair all you hear is the siren and then this crappy british voice they use because they all have the same recording rocket attack rocket attack and that's all you're hearing you know so you just you bunker down in between a set of hesco barriers which are basically just a bunch of gravel um some concrete a bunch of chicken wire all around enough to give you a bit you just you know hunkered down in place and you sit there chillo wait till the shelling stops you get up see if if there's any damage and get back to repairing the equipment was it so what kind of damage had to this equipment

thankfully it missed us but it went one landed in the poop pond that was terrible um one landed and took out like a recreational facility he says the equipment in this area would only last six months because it would get full of dust and just not last very long because of the harsh desert environment And one day he got word that one of the comm shacks got rocketed at another base.

One of the rockets landed, it took out the

satellite dish, it took out one of the comm trailers, and it took out a bunch of the cabling.

These guys were down for about a week.

His orders are to travel there and get it back online.

Traveling to these fobs takes days or weeks to get to them.

I get out there.

And thankfully I was smart and I pre-sent all the gear I needed on a convoy ahead of me.

There's this

broken down, destroyed crater effectively where the old piece was there's like i i come up and there's guys basically giant bulldozers and like heavy equipment moving the old gear out the gear inside is just completely toast

meet up with the local sergeant who's like hey we're putting your new gear down right where the old one was dropping this new sea container in

what do you want to do with this old thing i'm like oh take out back salvage it destroy it we don't really care use it for training you wire up the new satcom you are calling on to your folks out of the UK going, hey, do you see my bird?

Yeah, we're locked on.

Here's the activation.

Boom, new terminals are online.

You've deactivated the old accounts.

You do a couple plugins, test the new laptops.

And then there's already a lineup around the block of folks who haven't gotten their email in like a week and a half, right?

And so all of a sudden, you start running them all in.

They're all nice and happy.

You run down to the chow hall.

Yeah, you munch whatever warm food they've got.

You stick around for a day or two for troubleshooting, and then you

call your boss on the Defense Service Network.

Hey, can you guys get me a helicopter out?

They're like, sorry, man, all the birds are tasked.

So find you, you head yourself down to the talk, the tactical operations center.

You introduce yourself.

Like, hey, when's your next convoy out?

If you're lucky, they send you out on a combat patrol, which are way faster and less annoying than a convoy because it's one or two vehicles and it's a little more comfortable.

If you're not lucky, you're crammed into the back of this armored personnel carrier that's hot as balls, wearing body armor and the heat, and yet take your eight hours to go, you know, 100 kilometers to get back home.

I also, I don't know why, but I'm picturing of you like climbing up a tower, adjusting, you know, getting a spanner on a satellite dish, adjusting it, and getting like shot at from up there and being like, hey, it's coming from that hill.

Give me cover.

I mean, that kind of has happened.

Not nearly as extreme, but have you ever tried to repair 200 pairs of Cat 5 in a sandstorm from 100 feet up in the air?

100 feet in the air?

What's up there anyway?

I was a Calm Tower.

I had to go, there was this one bridge spot because most of the stuff at CAF was all underground, but we had this one spot that was basically all hooked up to a tower

because of the way this one extension went.

And so.

We had an outage.

Someone drove a piece of equipment through the cables.

And so I had to go up and resplice all this outdoor cable.

And I'm up on this tower, and all of a sudden, it's a sandstorm.

And I'm like, oh no,

I can't work on this cable with gloves on because you just, it doesn't, you know, you ever tried twisting and terminating cable with gloves, just doesn't work.

So I'm like getting plasted by sand in this whiteout condition trying to terminate because I'm not going to try and clide down the tower.

It's not going to happen.

I'm hooked in there, ready to rock.

You know, I got 30, 40 cables done before the sandstorm ended and then finished off the rest of the job.

So one of the things we did, in addition to making sure people call their families back home, is we ran a video teleconference unit.

And so people could see their families back home.

We found out one of the guys coming back out of Afghanistan or coming out of a fob, his convoy got bumped.

Now, bumped is a polite word for saying hit by an IED.

Thankfully in this case, nobody died.

Thankfully, like thank whatever data you believe in, but it really shook this guy up like shook him up some seriously fierce yeah so i mean let's let's highlight there was a lot of deaths there and

thankfully because you were seeing that around weren't you well the worst thing we had to do is every time somebody died we had to kill all of the communications in theater including all the forward operating bases and the super fob it was known as a calm lockup procedure We had a cell phone on.

The second somebody got like confirmed casualty, I got the phone call, I hit the buttons, and then I got to release it once they released, once they notified the families.

So why is there a lockout?

It's so that people don't put things on social media or get out to the news articles before they can notify the families.

Okay.

It was one of the worst things ever because being on that phone call, you're like, shit.

Yeah, you feel all sorts of terrible feelings.

And then you have to go act like a professional, cut the comms off.

And then when people are like, hey, the internet's not working,

like, you got to give this nonchalant comms lockout, but still be like sympathetic about it.

And when you say comms lockout, everyone in theater knew what you were talking about.

But it was one of those,

it was a weird, solemn duty I had to do.

You know what I mean?

Yeah, I mean, you weren't the one telling the families.

Nope, but I was killing the comms and telling all the other soldiers, hey, I can't call, you know,

family back home.

Like, sorry, man, comms are offline due to a comm lockout.

Yeah.

And now they're saying, well, oh, does that mean there's a confirmed casualty?

And now you got to answer these questions.

Yeah.

And then my answer is like, I have no idea, man.

I just work here.

IEDs are super scary.

You're just driving along, listening to tunes, telling jokes to the other soldiers, and then out of nowhere, boom.

Your truck runs over a mine and blows up your vehicle.

It often kills people, and it's certainly enough to freak anyone out.

And while this IED didn't kill anyone, one guy was really messed up from this.

He wasn't injured.

He was just shocked, really badly shocked.

Getting hit by an IED,

even if nobody gets injured in the process, is enough to send someone to spiral.

Because you get that whole mental, oh my God, what if this had been me?

What about this, you know, the possible guilt, all that kind of thing?

And the guy was in really rough shape mentally.

They originally asked, could you get us some extra phone minutes and phone time was how the request came in and you know us being us we've got yeah here's a couple you know here's a couple hundred minutes go hard and we're like hey is there anything else we can do and his guy's like well he's doing pretty rough

evil mog starts talking with people trying to figure out what more he can do and that's when he found out this soldier was about to be a dad His kid was due to be born any day back in Toronto.

And this gave Eva Mog Mog an idea.

And I'm like, dude, we got to do something for this guy.

So thankfully, they had people on the ground in Toronto.

And I'm like, hey, can you go spring over to CFB Trent and go grab one of our spare video teleconference units and get it out to the hospital?

I'll do whatever it takes to requisition bandwidth.

Just get me the stuff out there.

I figured out we had some spare bandwidth available.

So I like slowed down everybody's video teleconference and voice services and their Wi-Fi a bit and opened up an entirely new channel because all we had was six megabits for a thousand people almost no bandwidth whatsoever and so I was like hey you know line this up I'm going to reserve you bandwidth for like the next you know four or five days he learned that the wife was already checked into the hospital and was starting to give birth right now so he's calling Toronto to try to figure out how to contact the wife at the hospital and so then we had to go contact their visitor unit say hey do you guys have you know enough bandwidth for us to go get you video teleconference and thankfully they had a really decent tech there he's like well actually we can make some things happen what do you guys got for uh equipment were you talking to the tech at the hospital yeah

wow okay

you're trying to coordinate this from halfway across the world it's kind of interesting exactly yeah

so so you're saying all right here's the equipment i have here's what you have let's make a final you know a common denominator we can get we i think we can connect these two things exactly right and so they were running on Tanberg.

We were running on Tanberg and we made the gear all work out.

I popped onto the load balancers on our side.

And

so

yeah, tell me about the tech side.

So did he put like a computer on a cart and then wheel the cart into the room?

No, it was a TV on a cart with a Tanberg video teleconference unit.

Which is which is meant for like doctors and nurses.

It's not meant for patients.

Yeah.

Yeah.

He just threw this on the thing.

They wheeled her in.

They plugged her right in next to the woman's bed there.

We swiveled the webcam over.

He managed to get us a public IP so we could do remote control of it.

And then, yeah, we just set up the communication channels and off we went.

It was actually running rather well.

Okay.

So you're like, oh, okay, cool.

You got it set up.

All right.

I'll be right back.

Let me get the guy.

Yep.

I talked to Steve.

Steve called

the guy's unit commander.

Unit commander called a section leader.

They pulled him out, said, look, you're to report to building 026 Bravo on Kandahar Airfield.

show up here.

We're like, hey, man, we got a surprise for you.

Wheel him back out there,

plop him down in one of our spare rooms that we had rigged up into this 40-foot C container, plopped down a chair, made it comfortable.

You know, said, here's our little care package.

Here's some Kleenex.

Call us if you need anything.

And do you remember his face when he saw his wife?

We weren't even looking.

We gave him his privacy.

Yeah.

I remember how he was afterwards, though.

After he saw his wife, he walked in, he was all doom and gloom.

This is going to sound stereotypical, but that thousand-yard stare, like you've seen some shit.

And then the guy, you know, right afterwards,

I saw life in his eyes.

Yeah.

So that's how I knew we did a good thing.

Yeah.

I mean.

How do you think you impacted his life?

I mean, from what I've been told, the actions taken in the first couple of days after a major incident are the most critical.

And I think by giving him that level of support immediately, I think I changed the guy's life way for the better.

I mean, they were talking originally having to discharge the guy.

From what I heard, he stuck around

another five, six years before he finally just released and went off and doing something.

I can't even remember what he's doing now.

But I think I've, you know, changed the life for the better.

So I'm good with that.

Yeah, I mean, it's also very possible that you saved his life because i could have

there's you know coming out of ptsd you can or you know getting affected that badly by it you can easily end your own life exactly so i mean i like to think we saved a life there um and you know no matter what i do in life i think that's the coolest thing i've ever done

To me, this right here is the quintessential Darknet Diary story because of where I found it.

I went to DEF CON and I was invited to the Microsoft party and I sat down at a table to chat with people and that's where I met Evil Mog.

And he was there telling us the story and I was so captivated by it that it made me cry.

And my goodness, to be at some DEF CON party and to hear a story so moving that it makes me cry, that's one reason I started this show.

I imagined in my head while I was listening to Evil Mog tell me that story that I saw you across the room and I was like, over here, you got to hear this story.

And I brought you in to eavesdrop on these inner circles, to hear the untold stories that are only shared in intimate and private spaces that are all over the hacker culture, but are hard to find.

I love these chance encounters.

It's like finding a hidden path in a familiar landscape.

I hope stories like this fill you with the same great feeling I get when I hear them in person.

I have such a fun job.

I'm so grateful.

Okay, we're going to take a ad break here, but stay with us because we have a new guest to tell us a new story after the break.

This episode is sponsored by Vanta.

In today's fast-changing digital world, proving your company is trustworthy isn't just important for growth, it's essential.

That's why Vanta is here.

Vanta helps companies of all sizes get compliant fast and stay that way with industry-leading AI, automation, and continuous monitoring.

So whether you're a startup tackling your first to SOC2 or ISO 27001 or an enterprise managing vendor risk, Vanta's trust management platform makes it quicker, easier, and more scalable.

Vanta also helps you complete security questionnaires up to five times faster so you can win bigger deals sooner.

The results?

According to a recent IDC study, Vanta customers slashed over $500,000 a year in costs and are three times more productive.

Establishing trust isn't optional.

Vanta makes it automatic.

Visit vanta.com slash darknet to sign up for a free demo today.

That's vanta vanta.com slash darknet.

All right, so let's start out with who are you and what do you do?

Yeah, my name is Joe Sarkijan.

I work for Wolf and Company PC out of Boston.

I do penetration testing of all kinds, internal, external, Wi-Fi, social engineering, advanced security testaments, things like that.

So we have a client, not a big company, maybe like 20 people, and they contracted us to do, you know, your average assumed breach pen test, so to speak, right?

So we're on the inside, we're given access.

What would happen if somebody gets in there?

So we send them a remote Dropbox, you know, a little Raspberry Pi that we send them.

They plug it into their network, and then we connect to that remotely.

And it's kind of like we're sitting there in person, right?

We've got.

on the wire access at that point on a subnet that they put us on.

So I began the test.

test.

You know, typically, and here's the funny thing: you'll look at like, you know, pen test frameworks.

You should start here.

You should do this.

You should do that.

I would challenge you to find a pen tester that doesn't fire up Responder

the second they get on a network and try to get creds and be off to the races as soon as humanly possible, because that's what we do, quite frankly, on a lot of tests.

So that's what I did there.

Okay.

Responder.

is a pretty clever hacking tool.

It's free to get.

It's just a Python program.

And how you use it is you just start it and wait.

Now the thing about Windows computers is that they always want to try to join a domain and connect to shared drives on the network.

And so if a Windows machine wants to connect to a shared drive, it will try to get to that host directly.

And if it's there, it'll connect to it just fine or whatever.

But what does the Windows computer do if it can't find the shared drive that it's trying to connect to?

Well, it wants to connect to it very badly, and it will try another way.

It might ask the DNS server, hey, do you know the IP address for the server I'm trying to get to?

And the DNS server might be like, Yeah, I got that.

Here's the IP right here.

And then the computer might be like, That's the same IP I have.

And I already checked.

That one's not online.

So then, if the Windows machine still can't find that shared drive that it really wants to connect to, it then sends a broadcast message to all the computers on the local subnet saying, Hey, I'm looking for this shared drive.

If any of you are it, please respond.

And that's when Responder springs into action.

It sneakily says, why, yes, I'm that shared drive you're looking for.

That's me.

You found me.

I'm here.

And the Windows computer is like, oh, thank goodness.

I've been looking for you everywhere.

I'd like to connect to you.

And Responder is like, sure,

of course you can connect to me, but

you need to authenticate first, yeah.

And the Windows computer is like, oh, yes, of course.

Okay, here's my username and password.

Now, Microsoft takes your security seriously.

So it doesn't actually send your password over the network.

Instead, it sends a password hash.

And since Responder is this dirty little liar on your network, it snatches that username and that password hash and gives it to the penetration tester or hacker who's running the tool.

Saying something like, hey, someone just tried to connect to me using this username and this password hash.

Here you go.

Typically, Responder only works against computers in the same subnet as it.

So if you're in the same subnet, then yeah, Responder is an amazing tool at finding usernames and password hashes.

Now, a password hash is not the password.

It's a gibberish set of characters that you get when your password goes through an algorithm.

And the thing is, in some cases, you can crack this hash to get the password.

And a common method for cracking passwords is brute force.

Take the top 1 million most common passwords and hash them, and then see if any of those hashes match the password hash you just got.

and if so you found the password exactly so we use something called hashcat um we'll take that hash we will plug it into

this so so to crack that that's not on the raspberry pi because the raspberry pi doesn't have the uh gpu cpu cycles to be able to throw a billion passwords at that thing and try to figure out which one it is what's your um what's your method for for cracking it well that's the scary thing is our method is the same thing that any bad guy all around the world can do right?

We have an Amazon account, right?

And we can spin up Amazon EC2 instances.

So what we do is we spin up, you know, these like Tesla GPUs on an instance.

We have a couple of them.

And we will, you know, take that, you know, GPU power to just blow through password hashes as fast as we possibly can based on that power.

Going to be a lot faster than you know with Raspberry Pi or your local PC, unless your local PC has a ton of graphics cards in it, which ours is not.

So yeah, we do that all in the cloud, relatively cheap, not super expensive to get done.

And, you know, usually we get results pretty quick, you know, within the first couple of hours.

Okay.

Now,

what's your kind of success rate on getting one hash and being able to crack that single hash?

I'm going to go 90 plus percent.

That depends.

If we've been there before and they took our recommendations, it's going to take a lot longer.

It's going to be a lot harder.

But

a different question, which is kind of in the same realm, is like, suppose you have the entire, you know, AD database of hashes.

What percentage of passwords do you think you're going to crack out of that?

So we will probably get, on average, I would say, and again, whether we've been there first or not, and they're taking recommendations, we'll probably get 50 to 60% within the first like four hours.

So he's basically trying billions of passwords to see if any of them match this hash.

Of course, the longer that his hashcat tool runs, the more passwords are tried.

And so they might start with the top 1 million most used passwords and then try making slight modifications to those, like putting a 1 at the end or capitalize the first letter.

Maybe add in their own word list such as the company name or mascot or city or address or person's name or kid's name.

If no luck there, then try every word in the dictionary, but add numbers to the end of it and maybe mix it up a little bit and see if that works.

And just try tons of combinations.

And pretty much all the stuff I've listed so far probably only takes like a few hours or less.

Now after the tool has tried all this, it just then starts going through every single possible character combination in the world, such as AAA, AAB, AAC, AAD.

So this combination of finding a username and password hash from Responder and then trying to crack it in Hashcat could take hours or even days since it's about waiting and timing and maybe brute forcing the password.

So in the meantime, he's looking around the network to see what else is there.

A good place to start is Nmap.

Nmap is a basic tool that you can use to quickly scan the network to see what's there.

It'll basically ping every IP address in the network to see what responds.

And if any do, then it'll try to see if that host has any open ports.

Then Nmap will spit out a report saying, here are all the computers on the network that I found to be alive, and these are their open ports.

Exactly, yeah.

So we'll look for default passwords places.

We'll look for

null sessions

on hosts, right?

Can I access this host without a username or a password?

Can I just get in there maybe on a domain controller?

We still find this.

You're able to quote unquote authenticate to a domain controller as nobody and start enumerating the domain.

Now, if you can do that, you can get a list of users from a domain controller, right?

And then take that list of users and start password spraying against that domain controller with that list of users, common passwords, right?

And then maybe you get a hit on password 2023 exclamation point, right?

Or a company name 2023 exclamation point.

Crazier things have happened.

So there's a lot of stuff going on at once.

He's got these background tasks running to try to get more usernames and hashes.

And he's also trying to crack the hash he's got.

Yeah, I mean, to this day, I've been doing this, I don't know, about five years now.

To this day, whenever I see that first hash flash in yellow across my screen, when I'm on a pen test, I still get a shot of adrenaline, right?

It's just like, here we go.

Boom!

He cracked the password.

Yes.

But who is this user?

Are they just like a low-level user or are they a system admin?

He has to find out.

And to do that, he logs into a computer on the network to see what his access is.

And it's a normal user with no special privileges.

So now we have domain access as that user.

So typically what we'll do, we'll look for some basic, you know, privilege escalation opportunities.

And at the same time, we're looking for data, right?

So,

let's say we're kind of poking for both of those things, right?

We want to prove that risk that this basic user maybe has access to some data that they don't need access to.

And if a bad guy gets access to this account as that person, they also get access to that data, and that's something you need to work on.

So, as we're rooting through file shares, and you know, what does this person have access to?

We find this host,

and it's like a Windows 10 host,

and we have access to a couple of shares on this host and we're rooting through typically we're looking for things that are called like password.txt or like SSH this that or the other thing or SSN right we're looking for data that's going to prove a problem for the company so I'm looking through and I find this folder

called

I believe it's called like MPEGs

so I'm like that's interesting I don't typically find something like that you know when I'm like I just have a folder called MPEGs.

That's different.

So I'm just curious what's in here.

So I look in, there's, sure enough, there's a bunch of MPEG files.

I'm like, okay, that's interesting.

There's like maybe four or five of them.

So I download one of the MPEG files.

I get it locally and I'm like, oh, man, let's watch this file.

I open it and I see a camera feed.

And the camera.

is just on a desk facing at someone's kind of where they would sit, right, in front front of the computer, and I'm like, that's weird.

You know, why would anybody put a camera on their desk, right?

It's just strange.

What are they recording?

Doesn't make any sense.

So, all right, well, maybe there's something else to this.

So, I download the second one because they're going in order: one, two, three, four.

Download the second one,

it is the same camera, it is the same desk,

and this time the camera is underneath it.

And it was a

lady's desk, I found out later.

Um, the way way the camera was angled was, yes, at their, you know, their, their, the front bottom half of their body, let's put it that way.

Let's just say it was an inappropriate place to put a camera in an office if that lady wasn't aware of it.

Joe knew that what he was looking at was potentially going to get someone fired.

So he had to proceed with caution here.

So

I see this and now I'm like, oh God, like everybody, every pen tester has that like feeling that like sooner or later they're going to get this moment that is something like this.

Like if you find like the proof that somebody's stealing from the company or you find

pictures you shouldn't or, you know, whatever it may be.

And this was the first time that I had found something like that.

And I was kind of like just awestruck at first.

And my head starts racing like, what do I do about this?

And so.

The first instinct was pick up the phone and call my point of contact immediately.

Now, the problem with that is this is a small company.

I don't know anything more than this point of contact's name and the fact that I worked with him year over year.

I don't know what he does personally.

I don't know what he's into.

I don't know if he's the person that put this camera there, but he's the only point of contact I have, right?

So, he's the one I'm calling.

So, I pick up the phone

and

I get on the phone.

I tell him, hey, just so you know, I found

under-the-desk camera footage of, and then he cuts me off completely and says,

stop right there.

I'm calling HR.

And at that point,

I had

a kind of this wave of relief over me because at this point, I'm like, okay, well, he's probably not the one that put it there because he's wanting to call HR immediately.

So HR gets on the phone.

I explain it to them.

They say thank you very much.

And that's the end of the call.

It's interesting to stumble upon this as a security consultant, since it's not really a network security issue.

It's more of a see-something, say something issue.

Like, do you even put this in the final security report?

Joe went on to complete the pen test and he found some misconfigurations in Active Directory, which gave him administrator access, which pretty much gives him keys to the kingdom.

The network admin can reset anyone's password, see all shared drives, probably even read everyone's email.

So he put all this into a report and delivered his findings on the final call.

You know, basically, you know, it's the typical stuff.

Like you said, you know, we found this, we found that, you know, here's recommendations for fixing that.

Okay, great.

And we didn't feel like it was our place or appropriate to bring that up on that call.

However, I did end up talking to that client a month later.

And, you know, we were going over some remediation strategies for them.

And, you know,

basically they're like, hey, how's everything else going?

How you been?

Blah, blah, blah.

I'm like, I'm good, you know.

How about that other thing?

I'm just curious about that other thing.

This is a much more casual conversation.

I'm just curious.

Everything okay with that other thing we found?

And he kind of just gave me this look on the Zoom call.

He's like, Yep, yeah, that's been handled.

And I knew not to push, but I knew that whatever had to be done had been done.

At least it seemed like it had, and it seemed like it worked out for them.

I wasn't going to get pulled into court for

to testify for anything, which I was actually kind of ready for.

I'm like, oh, this might be the first time, but it just didn't happen that way.

So I got lucky.

Yeah,

as far as like your

success rate,

I mean, you're always going to find something, even if it's like a CVV level three.

But I mean, as far as just success rate of just like owning the whole network and gaining access to sensitive systems, getting, you know, half the users' passwords in the whole organization, that kind of thing,

is that fairly high?

Do you feel pretty confident?

Like, yeah, I'll probably be able to own this network.

It's

with no exaggeration, 95% of clients that we are able to do that with year over year.

And I think he can get to that point because of how many penetration tests he's done.

He's gone into dozens of networks and exploited hundreds of devices.

And after doing it over and over and over, you start to develop a pattern and know exactly where to look for weaknesses.

And once you do develop a pattern, pen tests start to become automatic since they repeat the same steps almost every time.

And so once he was done with one pen test job, he'd move right on to the next.

And this time, it was a bank.

It was a regional bank, and we were doing some more traditional audit work as well as pen testing.

Um, and I had one of our junior pen testers on that job with me.

So, this person was, you know, they came with a little bit of experience in the door.

They'd been with us for, I don't know, four to six months at that point.

So, they arrive on site and they're greeted by the on-site team.

They're shown where to sit and where to plug into the network.

And this was a simulated breach.

So, if someone got into the network who shouldn't be on it, what could they see or do while there?

So the two of them get all set up in this room.

And well, you already know what tool they're going to start up first.

That's going to be Responder.

So, you know, started doing her thing, you know, like doing little responder stuff, whatever.

And for whatever reason, this person's having a hard time with Responder.

Like their Python's not working, the tool's not working.

I'm trying to help them through it.

So, you know, I'm like, you know what?

It's a teaching moment.

I'm going to let them figure this out, right?

Like, I'm not going to give them the answer.

I'm not going to, I'm not going to coach them to it.

I want to see how they handle this.

Okay.

So they've taught me that Responder is their go-to tool for starting a network assessment.

But if that's not working for whatever reason,

what do you do next?

I have a 30-minute client call with another client that I need to take.

So I'm going to be over here.

I'm like, you know what?

You take the reins on this.

Like, it's the beginning of the test.

What can go wrong?

So I'm on the call and he's doing his thing.

And I don't know, know, like five, ten minutes go by, I'm on this call.

And I started noticing that there's a lot of like phones ringing in adjacent offices.

And I started seeing a lot of shuffling and people kind of like running around.

And I'm not sure what's going on.

I'm like, whatever.

It's probably nothing.

All of a sudden, I see our point of contact come flying down the hall in a panic.

He busts into the room.

He goes, what are you doing to our network?

And I'm like, I got to call you back.

So

I get off my call.

I'm like, I'm sorry, what's going on?

He's like, everything's down.

We can't reach anything.

The core, oh my God, nothing works.

We're like, okay.

So I'm like, to the junior guy, whatever you're doing, stop.

So he stops.

Maybe like five, 10 minutes go by and things kind of quiet down.

We check in with the point of contact.

He's like, yeah, whatever that was, don't do that ever again.

He's obviously upset.

Understandably, so.

So in the process of figuring out what happened, I'm talking to the junior tester and I say, what were you doing?

What kind of tests are you doing?

He's like, You know, I was running a responder, whatever.

Okay, cool.

Well, what else are you doing?

Well, you know, I figured I'd save time and I would run, you know, like a port scan.

Like, okay, what would you use for that?

And he says, Well, I always use mass scan.

And I'm like,

okay,

not nmap?

He's like, no, no, no, mass scan's faster.

Okay, so nmap is a basic tool to scan the network.

It's simple and efficient and usually safe.

And when you're testing a live network, you want to be as lightfooted as you can.

And Nmap is a gentle tool to scan the network with.

It just does like a simple knock on the door.

Is anyone home?

And it really just stops there, which is nice since you don't want to disrupt business or wreck any systems in your process.

Since after all, this is a bank which needs to continue their service to customers.

But mass scan.

is a bit beefier of a tool compared to Nmap.

It can make a map of your network, but it's designed to scan huge amounts of systems at once.

Like it shines really well when it's supposed to scan like millions of IPs at once or even the whole internet.

This network at most had like thousands of IPs.

Mass scan is just too powerful of a tool for this scenario.

But this junior pen tester was convinced that because it's a beefier tool, it's better for the job.

I'm like, oh, I'm aware mass scan is faster.

Show me the command you ran with mass scan.

So he shows me the command you ran with mass scan.

And when you run mass scan, you have the option of how many packets per second you want to run that at.

He had added like two or three zeros to the default, which means he was blazing across all of their submets, running MassScan and doing a port scan.

And that is what brought their network to its knees for five to ten minutes, is that he was careless.

And

if you want to kind of step back from that, I was careless as the quote unquote tester in the room at that point in time.

Okay, so this junior pen tester was absolutely flooding the the network with traffic.

They weren't told what exactly they impacted, but I'm going to speculate on what happened here.

He had a computer that was plugged in using an Ethernet cable.

So his next hop from his laptop would have probably been a network switch or router.

If he's sending massive amounts of traffic, it could easily overwhelm that next hop.

Just too many packets at once going through that and opening too many sessions.

It can fill up the session table.

memory or CPU on the device could just be maxed out and it just might not accept any more packets.

Essentially doing a denial of service on that next hop, if it was a switch or a router.

And what that would do is it cause everyone who's also connected to that device to not be able to reach anything beyond it.

Like the pipes are clogged kind of thing.

And if there are servers also connected to that switch, then those servers would be unreachable by anyone too.

The other option is if this mask scan tool was configured to scan IPs outside the network, the traffic might have traversed the firewall.

And this is a device that acts as a security checkpoint between the internal network and the outside internet, which does a little bit more inspection of packets.

And if every IP that Mascan was trying to hit was getting inspected by the firewall, that might be too much for the firewall to handle.

It just can't accept that much stuff.

Not only that, but it might have taken up all the bandwidth that that site had for internet access as well, making the whole internet go down for the site.

Either scenario, Joe realized it was them who took down the network.

And now they had a really big problem on their hands to deal with.

So we end up with like this big call.

He didn't necessarily like break anything.

He just slowed the network down to a crawl because he was shoving so much traffic through it that nothing else could get where it needed to go.

So the CIO, chief information officer on the call,

a lot of big muckety mucks.

And basically they're like, tell us why we shouldn't fire you from this right now, essentially.

And we had to go through the whole rigmarole with them and explain like, look, you know,

It was a typo on a screen.

We didn't do it on purpose.

We're very sorry.

We won't do it again.

Yada, yada, yada.

And luckily, like, they came around.

But I'm pretty sure we don't have pen testing work at the headbank anymore.

So yeah, that was, that was not fun.

We've had to change our procedures since that's happened.

One thing that I thought isn't explicitly taught to pen testers, but I believe is possibly the most important skill for them to have, is communication skills.

It's not entirely unusual to be put in a hot situation where there's some very stressed out people on the phone or in the room or people that are just really difficult to work with.

And the better you can speak their language, the more effective you're going to be at working with them.

If you're a pen tester and you find some awful, glaring security issue in the network, how do you explain the problem to the business leaders in a way that they will prioritize it and fix it?

They aren't ding-dongs.

They have degrees and are highly accomplished people, but they don't understand the details of cybersecurity.

So you need to have those communication skills to speak their language so they get it.

And that, to me, is a mark of a great penetration tester.

A big thank you to Evil Mog for telling us about this time in Afghanistan.

And also thank you to Joe for telling us about his pen test story that went all wrong.

They were able to keep working after that and provided value to the client despite a rough start.

I've got a t-shirt shop that I really want you to check out.

There are over 50 designs in there and I am positive you will find a shirt that you'll love in the store.

Please visit shop.darknetdiaries.com and treat yourself to something nice.

This episode was created by me, the one-eyed jack reciter.

Our editor is the encrypted kid Tristan Ledger.

Mixing done by Proximity Sound and our intro music is by the mysterious Breakmaster Cylinder.

I took a trip down to the Capitol in Washington, D.C., and a little bee landed on a flower next to me.

And I nodded at it and I said, That's a US bee.

This is Dark Net Diaries.