
Cleveland bSides 2012 - Dave Kennedy - Keynote

BSides Cleveland | 36:46 | 28 views | Published 2016-10

together, but most importantly, uh, Diebold for really putting this together. I mean, Dave Des Simon, where you at? Right there. Without him, guys, this wouldn't have happened at all. And, uh, Carl and the whole team at Diebold, you guys killed it. Nice job. Awesome. Uh, about me: I'm a founder and principal security consultant at a newly found, uh, consulting company called TrustedSec, who, if you were following yesterday, I got DoSed heavily by CNN and MSNBC and Fox News and a bunch of other people. Um, I found the, uh, first things on the Yahoo breach, so basically all the news agencies picked it up. But, um, I'm a business guy, penetration tester, exploit writer, creator of the Social

Engineer Toolkit, author of, um, Metasploit: The Penetration Tester's Guide, and I'm on the, uh, the BackTrack development team, the Social-Engineer podcast and the ISD podcast. A little introduction: when I started writing this I was trying to come up with a topic for, uh, this one specifically, and this is the first time I've ever given this presentation, so if it sucks, just, you can tell me. I'll be okay. I'll cry a little bit. But, um, this presentation is really around, when I'm going and I'm doing penetration tests, you know, there's certain things that I do religiously that always work for some reason. And so, you know, these are what we call the tricks of the trade or our

secrets for pentesting, things that we've developed, or I've developed over the period of time, or other people develop, that aren't widely known. And so I'd like to show you guys it, because I like to be open with everything I do on penetration test and show you guys what I do and show you different types of ways of, you know, stopping it, or what you can actually do to, to prevent against it. And so this talk is really about the secrets that I, that I use on a pentest. It's really everything that I do, um, you know, for different, for different types of techniques and attacks. Um, again, some of these you might have already seen from, like, the Social

Engineer Toolkit, but really understanding what's happening behind the scenes, and, and we'll get into that. So starting off, Technique One is the Social Engineer Toolkit. Has anybody here used the Social Engineer Toolkit before? A couple people. What? Good. Um, so the Social Engineer Toolkit, its flagship is the Java applet attack, which, um, lately was a huge, insane advanced persistent threat malware that was found in the wild, that was a zero-day applet. Um, and so all the news agencies reporting of this new, new advanced, you know, the most advanced, you know, payload they've ever seen before, and, uh, talked about how it was infecting multiple operating systems, Linux, OS X, you know, Windows. And, uh, I started looking at the, the thing. I'm

like, oh, this is pretty cool, maybe I can put it in SET. Lo and behold, the applet was the, my, in my toolkit was the advanced persistent threat that they were talking about. And the reason I knew that is the parameter names in the, um, applet that they put on F-Secure. If you look at the parameter names, my, mine is "I like hugs". So in the parameter names I like to put funny things in there that, you know, kind of distinguish it, and "I like hugs", so it made perfect sense. And so I started looking around and all these news agencies reporting on it. And so that's the, that's the applet. But basically what

the applet does is, when you use the Social Engineer Toolkit, it goes and it clones a website, what, whatever website you want to, so a Gmail or your company name or whatever, right? And it clones it, rewrites it, and puts a bunch of bad stuff in it, and when the user goes to the website it makes it look very legitimate in nature, and then when they run the applet it executes malicious code on their computer. Now what you may not know with that whole process is SET actually uses multiple methods for infection, and so I'll go into those and talk a little bit about it. So let's walk through the first stage. [Music] Let me zoom in a little

bit. Can everybody see that okay? So this is the Social Engineer Toolkit. We're going to go into the social engineering attacks, we're going to go to the website attack vector, and we're going to select the Java applet attack, and we're going to do a site cloner. And I may not have internet connection, one second. My, um, hotspot died on me. Be up in a second. So when I connect the internet, what it'll do is it'll actually go and clone a website, so anyone I want to, and I usually use Gmail as kind of my go-to one because it always

works. There we go. So let me back out of this real quick and then I'm going to clone Gmail. And so what's happening right now is it's going out, it's pulling the website, bringing it back, and it's rewriting all the parameters in Gmail so that when a victim goes to it, it, it actually causes, um, the victim to be compromised. And so in this attack we'll use the reverse TCP Meterpreter, which is just a backdoor into a system, and I'll talk a little bit about the pros and cons of this. So we'll do encoding to try to escape, um, and evade antivirus, and what it'll do is it'll go ahead and take a binary, do a bunch of

stuff to it, encode it, and then I do a little bit on top where I obfuscate the binary a bit more. It's dynamic in nature, so every single time you get a different type of, uh, binary, so it's a lot harder for antivirus to actually go and detect. And then what'll happen is, once it's done, we'll go over to our attacker

machine. It's almost done

here, and it is almost done. Still, uh, one thing it also does too, and it, that's not supposed to happen. Thing with live demos. I stop patching, sorry. Here we go. So what's actually happening in this situation is, when it's actually rewriting the binder, it doesn't, it does a technique too called digital signature stealing, where if you look at Microsoft payloads, for example, like when, uh, Microsoft releases a service pack or a patch or a hotfix, it actually signs it with a digital certificate. And so what you can do is you can actually take that certificate, steal it, import it into your binary, and even though the signatures mismatch, a lot of times antivirus guys

will, oh, it's signed by Microsoft, it's good. They don't even check if it's valid or not, so a lot of times it just doesn't even scan it, you're good to go, and you get on AV that way. So it does that, it imports the digital signature, signs it with the Microsoft cert, um, and then actually if you, if you right-click on the Metasploit binaries, you hit Properties, you'll get another tab there that actually says, you know, signature, and it'll show Microsoft signature there. All right, so now we're, now we're in

business as Metasploit loads. All right, we're good. So we're going to go to the website, and what you're going to see here is a website that looks just in every way, shape or form as, uh, Gmail. And I have like 30 VMs running, so it's going to take a second. Um, but what's basically happening here is you have a site that looks just in every way, shape or form, and you notice here what

happened: we used a standard payload for actually going through and actually doing it, so antivirus is going to pick up on

it. So in this case we obviously, to randomize everything, the parameters and all that good stuff, and the problem we ran into with the binary dropper is antivirus signatures are going to continuously move themselves up, there's my mouse, they're gonna continuously write stuff for my toolkit every time I release versions, so it's, it's a never-ending process, right? And that's kind of where Metasploit went, is originally they did a lot of encoding and things like that, but they kind of gave up on the front because every time they release a new version they just update their signatures to protect against it. And so in this area, you know, when we actually do it, it, it, it

causes a bunch of issues. And so the reason why this is bad, obviously, is because we have AV signatures that, that trigger all the time, we have direct interaction with the file system, so a lot of times you're not going to be able to, um, it'll be detected, and you have multiple points of evidence on the actual victim machine itself. And so if you look over here, nothing actually popped up, which is good, because, because my, um, antivirus actually protect against it, Security Essentials. The next

situation is shellcodeexec. Has anybody here used shellcodeexec before? Few people. So shellcodeexec came out a while ago from, uh, Bernardo Damele. He, uh, I think he's Italian. And, um, basically what shellcodeexec was, it's a binary, and it's just a static binary, right? So if you do a scan on or things like that, it's not going to initiate any type of, of external connections or ports or anything like that, because it doesn't really do that. What happens with shellcodeexec is it reads in alphanumeric shellcode straight into memory, then it executes the backdoor, and then it shoves a shell back, all in memory. So

things like antivirus and things like that typically don't detect it, because it's not really doing anything malicious, it's just reading an alphanumeric shellcode and actually going through and doing it. So if you look at what it's actually doing, and we'll go ahead and do a quick demonstration of generating alphanumeric shellcode. So here's just a quick script I wrote in Python that just calls Metasploit, and if you notice here I'm generating a Meterpreter shell on, uh, 1821 168 22518, port 443, regenerate the alphanumeric shellcode, and basically here, here's all of the, the flags that you give, um, msfvenom, and msfvenom is built into Metasploit, and what it does, it'll

print out all of the alphanumeric characters for me. So basically you have your alphanumeric shellcode, right? So if I run this, it'll go ahead and load Metasploit, msfvenom, it'll create the payload for us, it'll turn it into an alphanumeric type format, and then we're all set. So this is what alphanumeric shellcode looks like right there, right? And so SET also uses this method as well to drop binaries onto the system again. So when you run the Java applet there's an attack method that you can use: instead of using a Meterpreter reverse TCP, use shellcodeexec. And what it does is, I've rewritten shellcodeexec so that every single time it, it

gets compiled, and it's, it's a, basically a different version every single time to help escape, you know, antivirus, and it's actually pretty good at it. In most cases antivirus doesn't pick it up. Just to show you a quick example, doing the same thing as before, and then when we get to the payload selection we're going to select option number 14, which is the alphanumeric shellcode, and then we're going to select the Meterpreter reverse TCP. And what it's doing now is what you just saw: it's creating the alphanumeric shellcode, it's saving it into memory, and then it's generating the dynamic binary shellcodeexec. All right, so then it's going to go

and do all that stuff. It's going to load Metasploit, it's going to have everything ready to go, and then we're going to go ahead and do the demo

and one thing that SET also does too is it's agnostic to, um, operating system. So as the APT F-Secure thing came out, it attacks Linux, it attacks OS X, and it attacks, uh, Windows as well. So none of us are impervious. That's a great thing with Java, it's platform independent, right? So in this situation again we're going to go ahead and do

it. So again we get to the Gmail page

and you notice we got threat detected again, right? Well, why is that? May know why? Why would we, why would we get a threat detected in shellcodeexec? It's a binary, right? So again we're touching disk. So in this method, even using shellcodeexec, we got picked up by AV. So you have to do your own obfuscation on shellcodeexec, because again they're sitting there looking at my open source code, writing signatures for it, and all of a sudden you have an issue here. Don't worry, we have a fix for that, we'll get to in a second. Um, so instead of using these methods that SET uses, these are kind of like the, the

fallbacks, there's a method that, um, that came out by Matthew Graeber, who basically came out with a technique called PowerShell injection. And so what happens with PowerShell is, PowerShell's installed by default on Windows Vista and Windows 7, right? And pretty much everybody's using it now on Windows XP too, because it's getting heavily integrated into every aspect of Microsoft. So if you have a newer operating system you have PowerShell installed. And so when I saw this I'm like, ooh, this is perfect, right? And so I rewrote the Java applet to detect if PowerShell's installed in the victim machine. If it is, it enumerates whether it's 64, um, 64-bit or x86, and then based on that specification it uses

PowerShell to inject shellcode straight into memory without ever touching disk, period. So we don't ever have to worry about being touched by antivirus ever again. Sorry. So again, installed by everything in default, and that's the PowerShell, um, command window. Is it, it doesn't really look any different. They, they made it blue than the normal command shell. I thought, like, you know, it'd be kind of cool looking, but it's blue, it's different. And so again it detects if, if it's installed, it deploys the, the shellcode straight into memory. Let's show you a quick demo of this, and this is the fun part. And what's cool about this is it's not just for the Java applet. So if you go into

SET you can actually go to the PowerShell attacks and it'll generate this for you. So a lot of times what I'll do is, if I find like SQL injection, for example, and I'm able to get, like, re-enable xp_cmdshell, re, uh, rebuild xp_cmdshell DS to, to get the xp_cmdshell stored procedure and MS SQL, a lot of times I can hack that web app, drop PowerShell onto there, and then I have full access into the machine, it's compromised and all that good stuff, right? So that's my favorite

one. So in this case here's a, um, and I'll release this on my website, but if you go to the PowerShell inject you can see this is just basically the code that, that generates everything. And all I'm doing is I'm taking msfvenom and I'm generating alphanumeric shellcode. I put it in a specific format for me so that it strips out all the, the old characters and everything like that, and then here's my actual PowerShell code. And what it's doing is, it's pretty easy, it, uh, it imports kernel32.dll for the base memory addresses and then it uses VirtualAlloc to basically allocate memory, um, to a specific process or stack, right? And so, and then it also creates a

thread with it. So basically here we have all of our PowerShell code that's created here, and in order to do PowerShell there's a technique that, um, actually Josh Kelly, where's he at? Josh Kelly and I presented at DEF CON 19, 18, 18, 18, yeah, two years ago, um, where basically what you can do with PowerShell is you can take this command, which would always be stopped, like if I just took this command and I ran it, it would say I don't have the execution restriction rights to be able to do that, because you run into execution restriction policies. Microsoft tries to protect against, you know, specific applications from actually running. However, if you take this string

and you convert into Unicode first and then you base64 encode it and you pass in encoded command parameter, you're able to actually bypass that and actually execute whatever you want to. So you're able to bypass execution restriction policies and run unfiltered on PowerShell, so it doesn't really make a difference. And what's cool about this is it doesn't require admin rights, so you can run on any level of user. So here we do an influx of null bytes to basically get it in the right format, we call the PowerShell command, we Unicode it, and then we base64 encode that command, and basically it's just one big glob of, of base64 encoding. And then

from there down here we call our actual PowerShell command. So right here we do no profile, so it's not going to interact with anybody, window style, it's hidden, um, non-interactive, and then we pass our encoded command with our PowerShell generated commands. And again you can all generate this in, in SET, not just using the Java applet, you can download as a payload too. And so let me make sure I got my IP address here right. 225 135, good. So I'm going to do is I'm going to actually generate the shellcode or the PowerShell command, and it's look something like that. Just going to copy

that and then I'm going to create a listener. Oops. [Music] And what this is going to do is, I'm going to show you an example of just pasting it into a window on a Windows 7 machine, 64-bit, and I have a listener on this side that's running msfconsole. So basically what happens is I'm going to execute the PowerShell command, it's going to run in memory, never touching disk, right? So we don't have to worry about AV. And then I'm going to get a reverse payload back to me that's, now I have full access and compromise the actual victim's machine. So if we go over to our 64-bit machine and I run PowerShell over here, we get our

shell. So now we have full access to this person's computer. We've circumvented any type of AV that you'd have to worry about. Now we have full access, unrestricted, to this machine, right? Now I mentioned before doing this via SQL injection, so let me msfconsole our L post. So I'm going to create another Metasploit listener. In this time we're going to go ahead and do this, and this is basically just a simple Python script that I wrote that does a POST to a vulnerable web server, okay? And in this web server there's an injectable parameter, the login field, that has SQL injection available on it, okay? It's running as sa, so you have access to

the xp_cmdshell stored procedure, and then what we do from here is we inject our PowerShell straight into the xp_cmdshell stored procedure using SQL injection and we should get a shell back. So doing it through web application attacks, and the, again, never touching disk. So where's my shell? No. All right, so we're listening on 1355, that should work. So you look over here, we're getting our shell, all through SQL injection. And if I drop into a shell, since, oh, path variable is not loaded. Since it's running as, um, SQL Server 2005, a lot of times it'll install as system level permissions. You can do it as local, um, Network Service, but it works on both

ways. Uh, but in this case we're running as system, so we have full admin access into this machine, we fully compromised it. What's cool with SQL injection, right, is you piggyback the web application, the trusted connection with the web application, you actually execute all of your code in the backend database server, which usually resides on internal network, so you generally have a pretty good foothold into the

company. So this method is my favorite by far, obviously, as you can see. Um, it allows you to have full unrestricted access and has multiple applicabilities. Um, I was just using it on a pentest recently where I was able to break in through a web application and I had command execution but I didn't have any ability to actually execute any binaries, so I used the PowerShell command, it injects into memory, I have a full shell back, and now I can start doing elevation privileges to actually go for and get good, um, good shells. So what you saw originally was my binary getting picked up by Security Essentials, right? And actually Security is probably one of the best ones out

there. Like McAfee, you know, Symantec, you know, all those ones are getting pretty bad when it comes to just standard payload detections on Meterpreter. So shellcodeexec works on those, works on, uh, Avast and, um, Kaspersky and a few of the other ones out there. Some, for some reason Security Essentials always gets nicked with my stuff. I think they really like me. Um, but what you saw though was binaries, right, that we had trouble executing, right? You ran into an issue where you have a binary that you want to get deployed on the system and it's not working. So there's a couple techniques that you can do to get around that. And so scenario one, you're using a

Metasploit and you want to basically get around and, and obfuscate your code so that it doesn't get picked up. So there's a few ways of doing it, and most cases, um, like with Metasploit for example, there's a lot of great, um, tutorials out there, I think scriptjunkie has a couple of them, but basically you can rewrite the exe templates so that, you know, you're generating, um, completely dynamic executables that don't get picked up in most cases. I believe most of the antivirus vendors are picking up on the, um, read/write, um, portions of sections of that actual payload itself, so if you rewrite those or move them into a different, um, section or memory address

you get around it. So the easiest way through that is, you know, creating a read/write, um, read/write/execute process and having the actual Metasploit code execute in it. So a lot of times what I'll do is I'll take a Metasploit payload, I'll generate shellcode off of it, and then I'll just create, write a C, C++, um, dropper that just reads in the shellcode and executes it, and then you just compile that as a binary and then you're all set. Usually takes a couple minutes. So even better is PE crypters. Now PE crypters take an actual executable and they encrypt it, right? Nothing new. You take, you take an executable and encrypts it in some way,

shape or form, obfuscates in some way to where that payload will not run normally, and when you upload it to antivirus vendors it generally doesn't get caught, right? And, and a lot of the common ones out there, people will, will write signatures so that they can detect the variations of it and stuff like that. Well, one of my favorite ones is one called Hyperion. Uh, the guy, uh, Christian Ammann from nullsecurity.net wrote this, and he, he did a, a PowerPoint, I think it was, I don't know, six months ago, but he finally released the proof of concept code. Hyperion is awesome, okay? What Hyperion does is it takes a binary PE file and it encrypts it with AES-256, or I

think it's, uh, uh, 128, AES-128, okay? So now you have an encrypted, password-protected, um, executable with a random generated key, okay? Well, you might be asking, well, how do you decrypt that and do all other stuff, right? What Hyperion does is it makes the key something really simple and easy, and when the executable's actually run it brute forces its key, then decrypts it in memory for you, and you're all set. So you have a completely obfuscated AES encrypted key every single time that's completely dynamically generated, and it's completely new binary every single time. Super easy to do. And it's funny if you watch it, I'll show you example of it, but it spikes the CPU up to

100% while it's brute forcing its own key, and then it drops a payload on for you. It's awesome.

Da. You guys are like, that sucks. So let me generate a payload. Actually, I think I have one on my desktop, hang on. So we're going to take a payload called mu.exe, because we all have creative names as hackers, and I'm going to move this into the Hyperion folder, and you have to compile it, sorry, so you have to have a compiler. And so we have crypter here. Oops, let me get back into full mode here. So we have crypter, and crypter is basically, you just put it the infile and outfile and it does everything for you. So we're going to do crypter, we're do m.exe, and we're going to do hugs.exe as

the outfile, okay? Actually let me delete hugs, I actually did that last

time. So it's going to go through and do its stuff right now. It's completely do multiple

of, sorry, do multiple passes and keys, and when it's done you're all set. Now you have a new executable called hugs.exe, so we see it there. Now if we run this hugs.exe, where am I at? I'll go ahead and, uh, that was a reverse shell, just do this.

All right, so let's going to go ahead and do the listener. Now what I'm going to do is I'm going to get Task Manager up here, and if you notice here my CPU is at about 0%, 4 percent-ish, and we have our listener up over here. I'm going to go ahead and run hugs.exe. If you notice, my CPU spiking up to 100% as it's brute forcing its own key. So it's going through and it's trying to find every permutation, variation of that AES key until that actually goes and decrypts it. Now this can take anywhere from 20 seconds to 2 minutes depending on how far you do it, but if you notice my CPU is done, right? It's

good. If we go over to our shell here, we got a new shell and you escape

AV. And what's great with Hyperion is the, uh, the source code for Hyperion is 100% open source. And so what I did with it is, the stub loader for Hyperion is static, so technically you can write signatures if you actually knew what you're doing. So what I did is I wrote a polymorphic stub so that it's not the same every single time, so you don't have to worry about it. It's cool. So again, very cool concept, it's easy to use, you can write it yourself. Um, you have the ability to, to completely have a unique PE file every single time. Uh, slight downfall again, the slight, uh, the stub that's used is, um, is, is, um,

static, so you can get detection on it. So a lot of times I'm running into a pentest and I'll break in through a web application or something, I'm able to drop a payload onto a system, but they have really, really tight egress controls, right? I'm not allowed to get to the internet in most cases, at least in the DMZ side of the house. So if I break in through, say, a file upload or command injection or RFIs or LFIs, somehow I get command execution on the system, I have the ability to drop payloads but I can't tunnel out, so I can't get my stable connection to the actual, uh, from the victim machine out of the firewall back

to me, right? So that's a lot of problems that you have as a, as a pentester is get, actually getting that connection back. And so there's a tool that I wrote that I actually released on Monday, and there's, there's a couple things you can do. Um, I already talked about that, I went ahead of myself. So there's a couple things you can do, and so a few months ago I released a tool called Egress Buster, and it's similar to the Metasploit all-ports payload, uh, but what this does is it, it basically starts to, um, it has a server sitting on the outside of the internet, publicly facing, right? And then it sends a bunch of

connections back, um, looking for a port that's allowed outbound, and it does all, um, uh, what is it, 55,56 60, yeah, 6556 4 three, whatever. So something like that, I forgot that a little while ago. Um, but what it does, it sits and listens on the ports and it waits for a connection back and then it'll let you know what ports you're allowed outbound. So a little while ago I released, um, Egress Buster, um, 0.2, and a lot of people have actually been contributing to it. Uh, Steve jerski, is he in here? Steve? No. He's gonna actually be talking a little about in his presentation how he's customized it for his needs. Um, also, um, sub and acl's also

did one while he was on a pentest where it actually shows you what host it's coming from, so as a consultant, if you're hitting, like, you know, a social engineering attack, you know which one it's coming from. Um, but what's cool about what I wanted to do differently is, sometimes when you're doing a pentest you only have one shot, and I should have put an Eminem picture there, but, um, what happens is, you know, say you're doing a social engineering attack and you get somebody to click on a payload, but you don't know any, anything about it, you don't know egress ports, you don't know what you can do. You only have one shot with this, right? And

as soon as that one person clicks you may have an exposure to where you're not going to be able to send another phishing email out, you're not going to be able to call somebody in the phone to con them, because they may know about it. And so on Monday I released, um, Egress Buster, Egress Buster reverse shell, which, what it does is it sits there, and when the payload is actually executed it starts sending packets all the way out of every single port on the firewall until it sees a connection. As soon as it sees a connection it, it establishes a reverse shell for you, so it automatically gets out and you're allow, you're basically

can execute any port that you want to. So here's a demo of that, and you can download it from the

website. And if you don't know, um, Python, this is all written in Python. You might be say, well, how are you going to, you know, run a, a Python script on someone's machine if they Python installed? Uh, there's a cool tool out there called, uh, PyInstaller, and PyInstaller, there's, there's two, there's py2exe and PyInstaller. I prefer PyInstaller because it doesn't require you to do msvr T.D to be a part of the package. So PyInstaller is native, it compiles your Python code and wraps the interpreter, the Python interpreter, around the actual code itself and establishes it as an executable. It's called byte compiling. And so you have my Egress Buster up there as an executable

now. So you drop this payload on the machine. Let me get my listener real

quick. Uh, Egress Buster listener, and I'll just do, because I have all ports open, I'll just do like 44. But basically when you run this you specify the port, so you do egress listener and then whatever port range you want to, and then it spawns listeners on all of your, all of your sockets so that you can sit there and listen for the incoming connections, right? So I'll just do like 44 just as an example, and over here on the victim machine, obviously use your imagination, I just did a social engineering attack and someone clicked on it and all that stuff, right? So I'm going to run Egress Buster and I'm going to go2 2

225. 135 and then I'm going to go on port 44. So I run it, and over here, if you notice, I got a connection established on port 44 and now I have a full command prompt to this person's machine. So I was able to traverse their internet looking for a specific port, and, you know, you would be, you know, a lot of times they'll block 80, 443, 53, 25, things like that, but they use obscure ports for connections to certain things, like they use really high ports sometimes for connections to third-party services, um, or for different things that they need to do outbound. So a lot of times you can get out on these ports, and

I find that, I was just doing a pentest last week where we hacked into a web application and we compromised the server there and we had full access. We uploaded, um, Egress Buster with it and we got established back, and it was like port N, um, like 90 93 one or something like that. It was just an obscure port, and we started talking to the customer and it was a third-party app that required any open. It was a, um, a video teleconferencing, uh, solution that they had open up to any. They didn't have specific IP blocks they could do to, so all their firewalls across the board had 9301 open, so we're able to pipe out of

that. But something you never find as a pentester, right, because you don't know it's there. And the cool part about this one is it'll do a thousand ports connections back in about a minute, so it's very fast, right? So you know what ports you're going to get out in about a minute or so.

So again, um, really easy to use. Um, it's open source, it's, it's available on my website. I did compile, um, the Egress Buster version, and obviously when I released this no, none of the antivirus vendors found it, so was zero out of 43 because it's all custom code. Um, but, you know, a day later all the antivirus vendors picked it up, so just change like a print statement in there and you're good to go, and then byte compile it and you're all set, you don't have to worry about it. So this is one that, uh, actually Ryan Elkins turned me on to, wherever he's at. You here, Ryan? No? Not up front. Okay. So Ryan turned me on this one, and before it

ever became popular, um, there was a small blog post that, that, uh, some dude did, I have his name in the next slide, but what was really cool about this is, as pentesters, say we're doing an internal pentest, okay, and we have access to the internal network. How many of us, and how many of us are pentesters here? Few, good. How many times have we been on a pentest where we've only had a domain user account and we can't get that dang admin account? All of us pretty much, right? We've been in that situation. Eventually we get it after some heartache, or we figure out another vulnerability somewhere else, or it's a dead end. But I

mean, what do we... establish null sessions, you know, grab all the user accounts, brute force, and we find a domain user account. And then from there, you know, you have a domain user account, right, but it has very limited access. And so this technique is 100% successful, awesome to do all the time, so this is one of my personal favorites. So we're a domain user, whatever, and we need a local administrator account for the domain or for the domain computers. And this came out of Sogeti ESEC Pentest, the pentesting group, and here's a link there, and I can share my slides so you can download it. But it came out earlier

this year, and what Sogeti was doing is they looked at the MSDN articles for this variable called cpassword that's contained in Group Policy. And so as a normal domain user account I have access to what's called the SYSVOL share on domain controllers. You have to, right, because that's how Group Policy is distributed to the computers: it pulls its policy from this SYSVOL share, it pulls all its configurations from it, all the information that you need for your domain, right? And so they started digging through the SYSVOL share and found a GUID out there, and under the GUID it was Machine\Preferences\Groups, and there's this

awesome file here called Groups.xml, okay? So you're always looking for Groups.xml. So the contents of the file is this variable called cpassword equals, and it's some encrypted string, encrypted AES. It's actually AES encryption, right, so real, real good encryption; they use the right things. Unfortunately they posted the static key on MSDN, and that works everywhere around the world. So now you have the ability to decrypt the cpassword function, which happens to be the local administrator for everybody, every computer on your domain. Sweet. It's right there, he just Googled it, it's right in there. It's cool, it's free. So here's the guys over there released this proof-of-concept Python

code, and basically you're just importing the Cipher modules from the Crypto libraries in Python. It's actually a third-party module you have to add, which is the AES module. And then you do b64decode, and basically here's the key right here; you're going to decode it as hex, and then you're going to take that password, base64 decode it, which is going to give you the encrypted AES string, and then you decrypt that key, or that string, the cpassword string, with that AES key. So now you have the local admin password for the entire domain. So if you look here, there's a decrypted password after you print it out; that's the one on the demo site.

So you can decrypt any admin password you want to now, you know, with whatever you want. So expanding on that, some other guys from rewtdance, I think script duning, a couple of guys are from there, I'm not sure, but what they found is they did more searches on TechNet and found that there were multiple other variables that used the cpassword variable. And so not only do you have local admin accounts, but you have service accounts that their passwords are set, you have scheduled tasks, SQL Server passwords, and a bunch of other stuff that you set through group. So not only do you have the local admin, you have multiple other ones as well,

which is just awesome. So here's a list of other affected areas: you have Services, Services.xml, ScheduledTasks.xml, Printers.xml, Drives.xml, and DataSources.xml. So there's a lot of information in that SYSVOL share that you can actually use to go and attack your targets. So on that, there's a ton more of these; I just threw in some of the high-level ones that I like to use on a regular basis. There's one really, really, really, really cool one that I can't share with you yet that DeSimone and I will be presenting at DEF CON, and this one is pretty epic. It's going to be amazing. Seriously pretty

cool. Anybody have any questions? So for the code and tools, head over to TrustedSec and go to the download section; all the code's there. A special thanks again to all of our sponsors and especially to Diebold. Thanks, guys. [Applause]

All right, thank you Dave. Right now we're going to split the room here: this side will be track one, this side will be track two. We're going to be starting here at