130: Jason's Pen Test
Join us as we sit down with Jason Haddix (https://twitter.com/Jhaddix), a renowned penetration tester who has made a name for himself by uncovering vulnerabilities in some of the world’s biggest companies. In this episode, Jason shares his funny and enlightening stories about breaking into buildings and computers, and talks about the time he discovered a major security flaw in a popular mobile banking app.
Sponsors
Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.
Support for this show comes from Arctic Wolf. Arctic Wolf is the industry leader in security operations solutions, delivering 24x7 monitoring, assessment, and response through our patented Concierge Security model. They work with your existing tools and become an extension of your existing IT team. Visit arcticwolf.com/darknet to learn more.
Transcript
I used to work for this company and I worked on the overnight shift and they had a parking garage, but the best parking spots were all assigned to management.
Not only that, you had to have a special parking garage badge to get in, so I always had to park far away.
And what really bugged me is that I was on the night shift, and there were only three of us on the night shift.
So it's like the whole parking garage was empty.
Well, one day I brought my skateboard to work and was just rolling around in the parking garage during my break.
And I rolled up to the mechanical arm that blocked you from getting into the garage.
And to my surprise, it opened as I rolled up to it. What? I waited for it to go down and I tried again, and it opened when I got near it again. What I discovered was that there was a little electronic eye which detected when a car was trying to exit the parking garage, and it would lift the gate to let the car out. Well, I pinpointed exactly where that eye was and just tried to do something like take my shoe off and place it in front of the sensor, and sure enough, that was enough to get the gate to lift up until I moved my shoe.
Well, naturally, I hopped in the car, drove up to the gate, got out of the car, took my shoe off, put it on the exit sensor, and it raised the gate.
I got back in the car and was able to get through the gate and grab my shoe on the way through and just park wherever I wanted.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This show is sponsored by DeleteMe.
DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.
DeleteMe knows your privacy is worth protecting.
Sign up and provide DeleteMe with exactly what information you want deleted, and their experts will take it from there.
DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.
They're even on the lookout for new data leaks that might re-release info about you.
Privacy is a super important topic for me.
So a year ago I signed up.
DeleteMe immediately got busy scouring the internet looking for my name and gave me reports of what they found.
Then they got busy deleting things.
It was great to have someone on my team when it comes to protecting my privacy.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now, at a special discount for my listeners, get 20% off your DeleteMe plan when you go to joindeleteme.com/darknetdiaries and use promo code DD20 at checkout.
The only way to get 20% off is to go to joindeleteme.com/darknetdiaries and enter code DD20 at checkout.
That's joindeleteme.com/darknetdiaries, code DD20.
This episode is sponsored by my friends at Black Hills Information Security.
Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.
Through their Antisyphon training program, they teach you how to think like an attacker.
From SOC analyst skills to how to defend your network with traps and deception, it's hands-on, practical training built for defenders who want to level up.
Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses all designed by hackers.
For hackers.
But do you need someone to do a penetration test to see where your defenses stand?
Or are you looking for 24-7 monitoring from their active SOC team?
Or maybe you're ready for continuous pen testing where testing never stops and your systems stay battle ready all the time.
Well, they can help you with all of that.
They've even made a card game.
It's called Backdoors and Breaches.
The idea is simple.
It teaches people cybersecurity while they play.
Companies use it to stress test their defenses.
Teachers use it in the classroom to train the next generation.
And if you're curious, there's a free version online that you can try right now.
And this fall, they're launching a brand new competitive edition of Backdoors and Breaches where you and your friends can go head to head hacking and defending just like the real thing.
Check it all out at blackhillsinfosec.com/darknet.
That's blackhillsinfosec.com/darknet.
In this episode, we're going to hear some stories from Jason Haddix.
I've always been into computers.
I think I had my first computer when I was 11 or 12.
I think my parents got it for me for Christmas.
So 486, kind of just taught myself because I was curious about how it worked and a little bit of programming, HTML, and stuff like that.
Any dark stuff you were looking into back then, or anything that was, you know, maybe your parents wouldn't be happy you were seeing?
Yeah, yeah.
So,
I mean, when I was, when I was in my early, early 20s,
a friend of mine wanted a fake ID and we were all, you know, very young and impressionable at the time.
So I went out and a friend of mine was selling fake IDs and I bought one.
And, you know, back then it was like 120 bucks or something like that for a fake ID.
Yeah, I got it eventually.
It took a long time for him to get me one.
And then when I got it, it was really crappy.
And I was really upset.
And I figured, hey, I could probably do a better job than this if I just learned it because I figured I knew computers and I knew stuff like that.
So
I just started Googling.
Back then, it wasn't like really Google, but I just started looking on the internet for like resources.
And so, one of the resources that I fell upon was Shadow Crew, which was probably one of the first darknet forums that was mainstream before the Darknet actually existed.
It was still the regular web, but it was forums.
And I started learning how to do everything to do with fake IDs.
I bought printers and learned how to make my own and probably a couple from my friends, but it involved asking a lot of questions with kind of the underground, then,
which was Shadow Crew.
Okay, yeah.
So, Jason was on Shadow Crew.
And if you aren't familiar with Shadow Crew, just go back and listen to the episode just before this called Gollumfun.
While Jason was on Shadow Crew, he was focused on making fake IDs, but he really didn't sell that many.
I mean, I would say I only sold a handful.
It was more of like an obsession for me, like to do it better than what I got.
Let's say maybe like three or four, like really good ones, and a whole bunch of failed ones for my personal use, like just for my friends, really. Like, I wasn't a distributor even on the forums or, like, rated, but I had shared a couple with, like, people, and they were like, oh, these are getting really, really good. And mine usually passed. So it wasn't rocket science, right? It was just like having access to the printers, the templates, like understanding, you know, all that kind of stuff. So yeah, it wasn't like I was a criminal enterprise that was making a lot of money or anything like that. It was just that I found it really interesting. Like you could fall into anything. Like you could fall into a video game, or you could fall into some kind of obsession, you know, like finishing a project. I just had to figure out how to do it, and I did.
So then one day he goes on the Shadow Crew website and sees it's been shut down.
The picture that they put up there with the dude behind the bars said the Secret Service is coming for all of you.
And a whole bunch of your, you know, and then the indictment came out and a whole bunch of people who I really only knew their screen names, but, uh, you know, had been arrested in multiple countries.
Whoa, this really spooked Jason.
People were getting arrested for selling fake IDs on this site, and he was one of the people selling fake IDs there.
The bust happened, and then the next day I gathered.
So, you know, in the process of, you know, printing stuff, you have three, you know, usually three different printers.
You have laminates, you have stencils, you have
powders, you have all kinds of crazy stuff, you have inks.
And so as soon as I had it, I just dumped it in a black trash bag, a couple black trash bags, put it in my trunk, and drove.
He was driving as fast as he could to another city, far, far away.
His plan was to just throw it all into a dumpster nowhere near where he lived, just to get rid of everything.
And
on the way to do that, I actually got pulled over.
Jason's heart was pounding so hard.
He didn't know why the cop pulled him over.
Maybe it was for the fake IDs, and all that evidence was in the trunk of his car.
The cop walked up to his window and said he was speeding.
This was somewhat of a relief, but Jason was still really worried.
And I just thought he was going to like ask me to pop my trunk and like see all my stuff in the trunk.
But the cop didn't.
He just gave Jason a ticket and let him go.
Close call.
So Jason continued to drive to the next town, this time going a little slower to get rid of his stuff.
Dumped it in the next city
in a dumpster with some lighter fluid and like lit it all on fire.
Yeah,
that was probably one of the scariest moments of my life.
And like I said, it scared me straight.
Hmm.
That's interesting, eh?
That intimidating post that the Secret Service put up on Shadow Crew's site was enough to make Jason quit the fake ID scene forever.
It's kind of hard to leave something like that behind.
With Shadow Crew, it was like he was let into some inner circle of people, almost like a family.
And it's hard to build up something like that and earn that trust just to walk away from it all and start over somewhere else.
Well, by this point, Jason had enough knowledge of computers that he knew he wanted to make a career of it.
He really liked the challenge of hacking into things, too.
So he took some classes and then got a job fixing computers and then became a junior penetration tester.
He did that for two years and then got another job doing penetration testing at HP.
This is where he was tasked with hacking into companies to see if they were secure.
So I started there as a staff penetration tester, did probably a couple hundred pen tests for the Fortune 500.
A couple hundred, that's a lot.
Yeah, I mean, I'd say I've probably done, over my career, maybe 300 pen tests or a little bit less than 300 pen tests over the years.
Yeah, I mean, we did one-week assessments. You had one week for the assessment, one week for the reporting. It was really easy for HP to get those contracts because they already had these big ins through their IT group with these companies. Like, they were selling them printers, they were selling them enterprise software. And then everybody at that time, if they were subject to any kind of compliance, they needed a pen test to satisfy compliance.
And so they would just go with the people they already had a contract with, which was us.
And so I got exposed to a ton of the big, big banks, a ton of big tech companies,
big enterprises.
I pen tested a lot of stuff.
Yes, compliance.
I believe to be PCI compliant, it requires that you have to have a penetration test.
And PCI is payment card industry.
So like MasterCard, American Express, they won't let you process their credit cards unless you're PCI compliant, which means you have to have an auditor that comes to your company and analyzes your security practices and conducts a penetration test.
I guess HP was one of those auditors and offered this service, which is where Jason really honed his skills as a hacker.
Now, for the most part, Jason focused on network hacking.
There's a few types of penetration testers.
There's physical penetration testers, where they physically try to get into a building to see what they can access.
But there's also application pen testing.
This is where maybe a software maker gives their application to you and you try to find a bug with it.
And then there's network penetration testing.
And this is where you try to break into a network using a computer over the internet or whatever.
You might try attacking it from the outside world, or you might be actually given permission to come into the network and see what you can get to from inside the company.
Like, for instance, the people who work in marketing shouldn't be allowed to just see everyone's passwords, right?
And someone should test that to see if it's truly secure.
Jason did a few physical pen tests, and there's one he told me about, which is actually hilarious.
Okay, so you know, when you work somewhere, you get to know the security mechanisms that they have in place.
Well, Jason worked for this place for a while, and he was pretty familiar with the layout of the office and knew exactly how the doors worked in the building.
Well, later on, when he went to work for another company, he was given the task of breaking into this previous employer.
And since he already knew the place well, he knew exactly what to bring.
Okay, we need to get into this building. Yeah, let me pack, you know, some equipment for this.
Yeah.
And what do you throw in your bag?
Yeah, I mean, you throw your lock picks, you throw your USB keys that have malware on them, and you throw your blow-up doll.
Yeah, a blow-up doll. He knew there was a certain door that had a magnetic lock. Nobody was allowed in or out unless the magnet was disengaged. Well, to get in, you need your badge, which disengages the magnet. But to get out, you didn't need your badge.
You could just open the door by pushing it from the inside.
So how does the magnetic lock disengage for people leaving?
Well, it unlocks when it senses someone leaving.
And it had a little electronic eye and could see when something got near the door on the inside, and it would unlock the door.
This was one thing he noticed, but he also noticed something else about this door.
The gap, the small, small gap between the door and
the ground, you could slide something under there.
So when he was given this assignment, he packed a blow-up doll and went right up to the door, pulled it out, which it was deflated and flat, and he put it on the ground and slid it under the door.
The whole doll was on the other side of the door, except for the part that you put your mouth on to blow it up.
So he laid on the ground and began blowing up the doll, which was inflating on the other side of the door.
That's exactly what it is, just face on the pavement blowing up the blow-up doll.
Yeah, for sure.
And then you hear the click of the door and you jump up and grab it.
Yeah, we had two people with us.
So the other person would apply some slight pressure as soon as it unlocked, walk through the door, do the same thing.
It was a man trap door, two sets of doors.
So did the same thing on the other one
and then walk into the physical premises.
And then once you're in there, you have access to everything.
I love this because to me, this is something I never would have expected someone to bring on a physical pen test.
And to take pictures of it and to put it in the report must have been hilarious.
And there was this other physical pen test that he did that also had an interesting bit to it.
His objective in this one was to break into the building and see if he could get into the server room.
It was him and two others on this assignment.
Now, these server rooms are typically more secure than the rest of the building.
It usually has a different kind of key to get in, and cameras pointed at the door and more security layers.
Well, step one was to get into the building, and there was a locked door to get into the building.
So they simply waited until someone was going in, and they just went in right behind them and just tailgated them right in through the door.
That worked.
They got in the building.
They scoped the place out and they figured out where the server room was, and they didn't see an immediate way in, but they had some ideas.
It just wasn't going to be easy.
Like the blow-up doll trick was not going to work here.
And you could try picking the lock to get in, but that takes a while.
maybe 10 minutes or longer.
And it's just too much time to be standing there, probably on camera, trying to force open the door.
So they got an idea to just hide in the office somewhere and wait for everyone to go home for the night.
And so they ducked into a little room and just waited for a few hours.
Until everybody was out and then the objective was to get into the server room.
And the server room was segregated from
some of the other offices,
basically with a locked door.
We didn't have the correct technology to clone a card.
We weren't successful to clone a card of an employee to the right type of employee to get into the server room.
So we were kind of at our limit of
trying to reach the objective for the test.
And so
what we had noticed is that the ceiling tiles, if you look at any building, their ceiling tiles
allow some space to run wiring and air conditioning up above.
And there was a small table outside of the door of the IT server room, which had some flowers on it. And so we were like, we wonder if there's any gap to try to crawl over the wall boundary.
I was probably the lowest on the totem pole at this point with the company I was working at, and so they convinced me to climb up into the ceiling tiles. I climbed up, pulled myself up through, you know, the beaming part into the crawl space above the door divider and crawled over. And I'd been pretty careful to keep, you know, on the metal kind of divider parts that hold the ceiling tiles on.
And those are more stable.
They hold a little bit of weight.
And, um, but on one of them, once I was over into that area, I put my knee down on the wrong area and promptly fell through the ceiling into the server room, um, flat on my stomach, knocked the air out of me.
Uh, I kind of thought I was going to die.
It's like catch my breath, kind of make sure nothing was broken.
Luckily, nothing was.
Um, did anybody like shout like, you okay over there?
Yeah, I mean, yeah, I mean, like, after, I mean, I think the response was, oh, shit.
Like, as soon as they heard, you know, the cracking or the tile crack through.
And
I can't really remember because I was falling and still on the floor, kind of dazed, but I'm sure one of them cared about my safety at the time.
So,
and then
they were wondering if I could open the door from the inside, which I could.
Reached the objective in the end, which was nice.
So, yeah.
He was okay, bruised, shook up a bit, but okay.
And he was lucky he didn't fall onto any server racks or sharp objects.
He landed just on the empty floor.
And he was also lucky he didn't land on any computers and like pulled out cords or caused an outage or something.
Anyway, after that, he was able to get into a bunch of those servers and prove how someone can get into their servers.
If you step back and look at it, he essentially walked in off the street and got into the computer room and gained full access to their main systems there.
And he only broke a few ceiling tiles doing it.
The customer was happy to have this report.
It wasn't a big deal to replace the tiles.
And this showed them the importance of having walls up in the ceiling to prevent people from getting in that way.
Now, even though Jason has done a few physical pen tests, the majority of pen tests he's done have been network-based.
That is, trying to get into the main website or network by just using a computer.
And one time, he was tasked with hacking into a bank.
Yeah, absolutely.
So we were contracted to do a pen test on a large bank, a worldwide presence bank.
And we had a big contract with this bank.
And when I say we, it was me and one other tester at the time working on this project.
And one was the network and web portion of the penetration test.
And the other was their new mobile app and their mobile application.
He was tasked with examining the mobile banking app to see if he can get any customer information or sensitive information from the app itself.
Have you tried using these mobile banking apps?
Do you get a weird feeling about it like I do?
Something about having my bank details in my pocket doesn't sit right with me.
It seems silly since pretty much everything else is in my pocket, but throwing my bank account in there too, I've always been very hesitant of this.
It's kind of the same feeling of like when I was doing online shopping for the first time and I was asked to give my credit card into a website.
I was like, no way am I doing that.
Well, years later, that's the main way I shop now.
But my favorite definition of the term information security is to enable business to be conducted safely in a hostile environment.
The internet is a hostile environment.
And clearly, if a bank wants to come out with a mobile banking app, they better have someone securing this app so business can be conducted safely.
Well, this is what Jason was tasked with doing.
He was going to act hostile to the app to see if it exposed any data it shouldn't.
We started doing recon on them.
We had found a whole bunch of web servers and stuff like that, and we had their mobile apps.
So I understand what recon is for a physical pen test, right?
We're going to Google Maps, we're looking on LinkedIn, seeing what kind of employees there are.
But what kind of recon is there for a web app pen test or a mobile app pen test?
Absolutely.
So
this is kind of my specialty, I would say, instead of the hacking scene.
I'm kind of the godfather of reconnaissance for web applications, and I've written multiple talks about it. So basically you have to think about a company, especially a big company like this one, like a bank. They have hundreds, you know, if not bordering on thousands of publicly exposed web servers.
And you know of the one, you know, www.bank.com, right, that you log into, and maybe a couple other ones.
And so you have to basically find them.
And so the act of recon for
a bank or any big web entity is basically finding all of their assets that are connected to the internet.
So there's a number of methods that you can use to do this.
You can use search engines to find other sites of theirs that are online.
You can do things like searches for their privacy policy and terms of service.
You can brute force subdomain names.
So if you're looking at www.bank.com, you can check to see if admin.bank.com exists with the DNS registrars or just trying to resolve it.
And if you get a response, that means it resolves.
You can go to that webpage and possibly check out sites like that.
So you can brute force different names if you have a long list of different names that could exist, which we did.
So after finding all the domains, the next step is learning what you can do with those domains.
Where are they hosted?
What kind of applications are running on them?
Do they have any default credentials or known vulnerabilities?
A vulnerability scanner can pick up some of this, but it's also good to kind of look through every domain individually and see if anything pops out at you.
Jason was on this engagement with another person on his team, and they decided to split the work.
Jason was going to look at the mobile app, while his coworker would continue to look at the domains they found.
So for the first week, I was just kind of
looking at the app, trying to figure out how it worked.
And at that time, there was a new feature of the mobile app for this bank that you could take a picture of a check and deposit it.
Oh, yeah, I've seen this feature.
Instead of running down to the bank to deposit a check, you can just take a picture of it on your phone and the app will deposit the check into your account.
This feature always seems suspicious to me.
You just need a photo of the check, not the actual thing?
And you have to enter the amount you're depositing.
What's stopping you from depositing the same check twice or entering in whatever amount you like?
There's lots to test here, and there must be a whole slew of new attack vectors when a feature like this rolls out, right?
I was looking at this app and I was capturing the traffic that went from the mobile app to the servers that took care of the processing of the image of the check.
Okay, that's a good place to start.
When you send the bank a check pic, where does it go?
I was proxying the web traffic between the phone and the web server with an interception proxy like Burp Suite.
And so it's a common tool for web hackers.
It just lets you see the traffic between websites and your browser, websites in your mobile phone.
And so what it did first is it took the image of the check and then turned it into a binary representation of the image and then sent it across an API,
which at the end was uploaded, was reconstructed and put on a server.
The server that it went to was an AWS storage bucket.
This is Amazon's cloud storage.
So check images were being sent to this storage place.
And as Jason continued to watch the traffic, he was able to identify exactly which storage bucket on AWS these checks were stored in.
So you could just visit the back end and there was a whole bunch of images of checks just in this directory.
And so that is a little bit more of a privacy breach, right?
Like
are you talking about an open AWS bucket that anybody can visit?
Yes.
And because this was the first iteration of this feature and that was when AWS was still in its young years.
Yeah, absolutely.
It was an open AWS S3 bucket of check images.
Whoa, this is bad.
An open AWS bucket means the entire contents of that storage bucket is available for anyone to see.
Like they can see everything on there.
Now, in some cases, this is fine.
Like, for instance, darknetdiaries.com is hosted on AWS, and the whole bucket is open and visible for anyone to see.
But I don't have any private data on there, there's no user data, there's no back-end database, everything is supposed to be visible to the world.
But I don't think it's a good idea for a bank to store all the checks cashed through the mobile app in an open AWS bucket.
Anyone can see all the cashed checks.
Jason was looking at these checks and just couldn't believe it.
There was about 2 million checks in this instance.
So
lots of checks.
And each one has your address printed on it and your account number, which is considered somewhat private data and the banks are supposed to protect that.
If you've ever seen the GIF of like when Tiger Woods would score like a, you know, like a good swing or something like that on a golf course, like he does like the little like, like closes his fist and it's like a little like fist bump in the air or whatever.
Like that's my default pen test move.
Like when I find something critical.
In this case, it exposed, you know, names, addresses,
account numbers, and, you know, transaction history for, you know, users using this feature.
So it was, it was a decent size finding.
It wasn't like the most critical ever, but it was a decent size finding.
And
really the first thing is you get kind of hot and sweaty and you're like, all right, sweet.
I think I have something.
This is really great.
You get a little nervous because
if you've been a pen tester for a long time, you know that like they're probably monitoring the network.
And,
you know, at any given time, you could lose access to something that's good.
So the first thing you do is like take many screenshots of the traffic that you have and the vulnerability.
And take, and so you have images for your report at the end.
So sort of doing all that, sort of making sure I gathered all the evidence, you know, in case I needed to prove out that it actually existed in case they ghost patched it or something like that.
So yeah, I mean, those are, those are the feelings.
But when you, when you hit a bank like this, especially one that has like a big, big name, like it's it's pretty exhilarating.
And
yeah, I mean, that's, that's the whole reason you get into pen testing is to find big finds like that.
Okay, so that's a big deal.
He'll want to tell them about that for sure and get them to lock down access to that.
But he wasn't done testing.
This mobile app was for iPhone.
So he grabbed the app off the phone and moved it to a computer to analyze.
One of the first things he looked at was the plist file.
This lists the properties of the app.
And here you might find things like server names or information where data is stored on the phone.
But as he looked through the plist file, he found some hard-coded credentials, a username and password used to authenticate to something like an API or database.
We had found a server that had a default install of Apache and the manager console was open to the internet, so /manager/html.
And so
we used credentials that we had found hard-coded in the mobile app, which happens all the time.
People hard-code credentials in mobile app plists, even to this day,
and used it just as on a whim, right?
Like, I normally wouldn't have tried this, but I just tried it to make sure on this manager console to see if maybe the admin was the same of the service or whatever, and it turned out it was.
So, we used these hard-coded credentials that were in the mobile app that we were able to reverse out on this website and got into that.
Web admin access to the server had been obtained.
Amazing.
Now, this web server was running something called Tomcat, which, as an admin, you could upload stuff to it.
So, Jason just uploaded a payload using Metasploit to it, which gave him command line or operating system level access to this web server.
It's one thing to be able to log into a website as an admin, but you gain a whole new level of power when you can get into the operating system as an admin, which is what he was able to do at this bank.
And then, once you have a foothold like that, we were able to start scanning internal, some internal IPs that connected to that server on more internal IP space of theirs, so inside their company,
as well as see a whole bunch of transaction data and customer data on this server that we had exploited.
So it was a second really big finding.
It had,
I can't really talk about too much of it because it's, you know, a lot of the stuff's covered under NDA, but it had, you know, client names, transaction data, a whole bunch of stuff on there as well.
So we had two ways to really breach kind of customer data on their network.
This was quite the report they submitted to the client.
The bank was pretty happy that Jason found these problems, and they got the entire mobile development team on the call and had Jason explain to them exactly what he found and how to fix this.
They were surprised, but they all agreed this is very important stuff to fix.
We have one more penetration test story from Jason, and you're going to want to hear this one, but we're going to take a quick break first, so stay with us.
This episode is sponsored by Vanta.
In today's fast-changing digital world, proving your company is trustworthy isn't just important for growth, it's essential.
That's why Vanta is here.
Vanta helps companies of all sizes get compliant fast and stay that way with industry-leading AI, automation, and continuous monitoring.
So whether you're a startup tackling your first SOC 2 or ISO 27001 or an enterprise managing vendor risk, Vanta's trust management platform makes it quicker, easier, and more scalable.
Vanta also helps you complete security questionnaires up to five times faster so you can win bigger deals sooner.
The results?
According to a recent IDC study, Vanta customers slashed over $500,000 a year in costs and are three times more productive.
Establishing trust isn't optional.
Vanta makes it automatic.
Visit vanta.com/darknet to sign up for a free demo today.
That's vanta.com/darknet.
Jason Haddix has pen tested hundreds of websites in his professional career, and one stands out as particularly interesting.
Okay, so this one's one of the ones that is interesting. A buddy of mine had taken on some pen test contracts, and he had taken on one too many,
and he basically had hit me up and said, hey, do you want to do a moonlight test, right?
Moonlight test, basically: I already have a job, but he can give me a contracting gig on testing a site.
And I said, yeah, sure, why not?
And so he forwarded me the info for this site, and it turned out to be a pornography site, but not just a pornography site.
It was a site that had a store for items related to like sex toys and stuff like that.
It had private cam access to view live, kind of, workers doing their thing.
And then also like pre-recorded videos.
It had messaging systems for you to chat with the cam people and all kinds of stuff.
So it was a big site.
So he sent over the contract and I took it.
The funny part about this is, like, you know, the first thing I did was I had to go to my wife and be like, hey, you might see some weird stuff on my computer if you walk by.
Like it's for work, I swear.
Like, because there's just a lot of, you know, graphic stuff, and the nature of testing the site.
So I had to give her a disclaimer up front.
But yeah, so I went through kind of my normal methodology starting out and I registered to the website.
And the client had really set a goal of getting access to this one account on the site.
And so that was the goal of the majority of it, to get access to this one account, which had a private picture in it.
And if you could access a picture, he would have considered that a success because no one was ever supposed to have access to that picture.
So this was a user account or a camgirl account?
It was a camgirl account with messages and pictures associated to it.
So the way this site worked is, like, you could watch live cams, and then pictures that you had taken, kind of like Patreon or, you know, any of those other services, you could pay to access specific pictures too.
And so he had set up a picture in the picture section that he wanted us to access, and it would show that we had unauthorized access for one of his.
I don't know if it was a real or fictitious cam girl.
So it sounds like security so that nobody steals our, nobody gets unauthorized access to the paid content.
To the content.
He was really worried about that.
It's kind of a funny objective because it's not like make sure our stuff's secure.
It's, hey, make sure no one's stealing, going around the paywall.
I guess you could see it either way, right?
You could see it like he wanted to protect the integrity of the workers, and he cared more about the workers, or like the content creators, you know, more than the users of the site.
But, no, no, absolutely.
You could see it in the dark way of just like he's trying to protect his bottom line for sure.
Yeah.
So, yeah, so I started creating an account, just my own account, to be a content creator on the site.
I uploaded some just random photos into the photo storage area. There was the store as well, so I purchased an item. I sent some DMs. And this whole time I'm capturing all this web traffic through a proxy and seeing what calls get made, and then just noting down kind of how each one happened. So the first thing that I noticed was that when you set up your account, and it's common for some sites to not really care about this, the password policy was pretty much whatever you wanted it to be.
So for this site, when you basically signed up to be a user or a creator, it was five characters minimum and no special characters or numbers required.
You could just make it whatever you want as long as it was five characters.
Okay, so a five-character password minimum is pretty weak, but that's only a suggestion to improve at this point.
It's like a theoretical issue.
And it would be nice if he could demonstrate how that's a real problem.
If he had a list of user accounts, he could try to brute force their passwords and see if anyone had a five-character password.
But he didn't have that.
Next, what he did was he tried to see how the site handled password resets.
So he initiated one.
What the site did was it reset his password and then emailed him this new password.
But he noticed.
The password that the site created for him was a five-character password.
And every time he'd reset the password, it was always five characters.
Well, to a hacker like Jason, he started thinking how he could use this to his advantage.
You know, basically, you could start a password reset for any user on the site, any email address.
And I had, he gave us the email address for the account he wanted us to target.
And then you could brute force the five characters that it was using, because it was minimum five characters and the password reset would only send a five-character password.
And you could brute force that in about 15 minutes.
And so I went through every character in about 15 minutes.
There was a small rate limit required, but it wasn't overly complex to bypass the rate limit.
And eventually, right away on the test, broke into the account with the image that he wanted to through the password reset and the weak password policy.
What's the tool you use to do that?
I did it in Burp Suite, which is an interception proxy.
But what you're doing is you're going to the website, logging in with that email address, and then typing in a random five-character password, and then again and again and again.
Yep.
So every combination, from 10000 or 00000 through 99999, trying every combination between those numbers, and basically keep on trying over and over again once I did the password reset, because it reset it from what they had chosen originally.
And so that was the first really easy one.
And so Burp, I didn't know Burp Suite did that. It just keeps trying passwords?
Yeah, so in Burp Suite they have a tool called Intruder, and Intruder basically can capture a web request, and then you can highlight a section you want to edit and load a list or a rule to try a whole bunch of different requests.
And so basically I captured the request for a regular login,
and then highlighted the area where the password was and then told it to try everything between 00000 and 99999.
And I just ran all of those requests, added a small little wait in between each one.
And then eventually, you know which one hits when there's a different response type from the server.
So you just wait until you see the different response type from the server.
Well, that was easy.
He was able to gain access to the account that he was asked to try to get into.
And this is fascinating to me because by and large, this is the top thing I get people asking me to help them hack.
I am constantly getting hit up on my DMs of people wanting me to help them hack into something.
And I'm like, oh, what are we going to do?
Hack into a bank or free someone from prison?
And they're like, oh, no, sir, I need you to hack into my girlfriend's account on social media.
There's always a ton of people who are trying to get into someone else's account.
And here's a rather easy way to just get into anyone's account on this porn site: reset their password, then brute force it. It's just a five-character password, and it'll take 15 minutes to do. Imagine taking over the accounts of the top earners on this site.
I mean, what's interesting is that, like, password complexity is a really touchy topic for websites, right? Like, your bank obviously has password complexity and makes you add special characters and a minimum number of characters and stuff like that, but content sites that basically don't deem access to your account super private, or they deem it private, but they want the least amount of friction for users to get into their account.
Sometimes they choose this on purpose.
And when we talked to the guy on the out call, which is several steps ahead because we did many other things to this site,
but when we talked to this guy on the out call,
he knew that the password complexity was weak and he had kept it weak on purpose because it offered less friction for his users to get into their accounts.
So it was like a purposeful thing.
And so he ended up having to change the complexity of the password requirement for users and for content creators, and then also had to change the flow for the forgot password as well.
So it wouldn't just set one.
It would give you the link like normal sites do and then send you to a page to change your own password to something you want to set it to.
Okay, so if you can reset the password and take over any user account on this site, which user should you take control over next?
We found our guy's admin account as well.
It was literally admin at the company dot com.
And we reset his password and logged in to his account, which had super user access as well.
So we could see pretty much the back end of the site as well from a management point of view,
which was really interesting because he had way more functions available to him than anybody else.
I mean, he would see that his password was reset.
That's strange.
I didn't do that.
Not if you do it at 3 a.m. his time.
Is that what you did?
Yeah.
Yeah.
Yeah.
So you do it, you know, we waited until late at night.
So, yeah.
Tricky.
Yeah.
But that's what you got to do.
That's what you got to do.
Yeah.
He also found a pretty clever bug about uploading images.
This site allowed users, especially cam girls, to upload content.
And Jason made an account and uploaded an image and watched how the server handled it.
Well, it tagged him in the upload request.
And so he tried to upload another image, but this time tagging another user to see if that did anything.
And the server took that as another user has uploaded this.
So he found a way to upload images to other users' accounts on the site, which is interesting.
I mean, you could deface someone else's account this way, putting all kinds of images and stuff on their account that others would see when they visited it.
We had found a couple of cross-site scripting bugs.
And then we had also managed to accomplish seeing the paid streams for the users without paying for them.
You could look at the source code of the HTML when you were attempting to look at somebody's paid stream.
And normally you would click a button and pay with your credit card to access the paid stream.
And there was a parameter in there called debug that was set to false.
And when you set it to true, you were able to access the stream without paying for it.
And so that was another way that we could bypass, kind of, like, the paid nature.
So at this point, we could reset anybody's password and take over their account.
We had access to the backend admin site.
We had cross-site scripting.
We could view streams without paying for them.
We pretty much had everything that we kind of thought.
But then also in the store, we had been working on the store and towards the end of the week, we had found that there was an SQL injection bug that allowed us to dump the complete database, purchases, and credit card data for everything that had been ordered on his store that was associated to the site, which is not only just sensitive because you have credit card data, but also sensitive because these are very sensitive purchases of a very sensitive nature.
So we had all that transaction data as well.
So that was that test.
And, you know, there's a lot of things I learned from that test about, like, that industry and stuff like that.
It was really interesting and cool.
Sounds like this site had a lot of security problems.
And you might not immediately think of why it's so important to secure a porn site.
But one of the other things that this site allowed users to do was hook up with each other.
And it's reminiscent of this scandal.
A major hack tonight is threatening to expose embarrassing information on millions of people around the world.
They all signed up for a website named Ashley Madison, which helps married people find people who want to cheat with them.
This was a news clip from CBS Los Angeles.
The site Jason worked on was a competitor to Ashley Madison, and he did this pen test just before Ashley Madison had their breach.
If it wasn't for Jason finding these security issues, this site could have easily been the story on everyone's nightly news.
And the reason why that story was so scandalous was because it was very embarrassing for a lot of high-profile people who were found to be users on the site.
In fact, I believe two people committed suicide over having their details exposed in the Ashley Madison breach.
So it's wild to think how Jason may have really saved not only the reputation of this company by detecting these bugs before someone else did, but also potentially saving the lives of some of its users.
Maybe that's a stretch.
If you were Jason in his early 20s on ShadowCrew and you looked into the future with a crystal ball and you saw Jason doing that sort of stuff when he's older, I wonder what young Jason would have thought.
I mean, he would have thought it was pretty cool, honestly.
You know, he hadn't had years of professional experience, though, like, to temper his excitement and do bad things.
So, yeah, I mean, it's an interesting perspective.
You looking back at that young Jason, young Jason's doing dumb stuff, but young Jason looking up at older Jason, older Jason's doing really cool stuff.
Yet, young Jason thinks he's doing cool stuff.
Yeah.
Yeah.
And it's weird to think that young Jason thinks young Jason is cool and old Jason is cool, but old Jason thinks old Jason's cool, but young Jason's not.
Yeah, that was a lot of Jason, but yeah, absolutely.
Absolutely true.
I'm lucky I have that perspective now, though, right?
And got paid well for that test.
So
Yeah, I mean, it is really, like, I hate to be a shill, right?
But, like, penetration testing and security testing nowadays, and having all of the protection we have, and, like, being able to do it as a job, is one of the coolest fucking jobs that you can have.
Like, I'll never get over it.
A lot of people talk about like, you know, like, oh, you graduate out of it.
I don't think I will ever graduate out of wanting to pop systems in some way.
So, yeah.
A big thank you to Jason Haddix for coming on the show and telling us these stories.
You can follow him on Twitter.
His name there is J H A D D I X.
This show is made by me, the slow poker, Jack Rhysider.
This episode was assembled by Tristan Ledger and mixing done by Proximity Sound.
Our theme music is done by the Abnormie Breakmaster Cylinder.
The only dates I get these days are updates.
This is Darknet Diaries.