
I'm excited to introduce our next speaker, Michael-Angelo Zummo. He'll be giving his presentation titled "Going Undercover in the Underground: A Practical Guide on How to Safely Infiltrate and Engage." You're welcome to ask questions throughout, and without further ado...

Thank you. Hey, thanks to everybody for coming. I'm Zummo. I know there are a lot of talks going on right now, so I really appreciate all of you that have decided to come to my talk. My talk is very practical, so I plan to leave you with something that you can actually do on your own. It's not just a dark web talk, I don't encourage you to do so, but I am going to provide you some tips on how to protect yourselves, and then, for the enterprises and the companies in the room, I'll show you how you could automate this and make your team's lives a lot easier when trying to extract the threats that we're commonly coming across in the underground.

So, I'm Zummo. I presented at BSides St. Pete last year. I'm pretty new to Florida. I've recognized a few faces; I think some of you were at my talk in St. Pete. If you were, raise your hand. I thought I saw a couple of people, someone over here maybe, but maybe I'm wrong. My talk last year was all about threat hunting, and one of the questions that I got out of all the conferences I went to last year was: well, how do you even start? How do you get access to these underground sources, and how do you extract intelligence from them to actually perform the threat hunting that I was teaching about last year? So that's what this talk is about. I am going to show you a little bit of threat hunting still, so that again you can apply some of this to your own work in your daily activities, but this is mostly going to be about how we get started.

So, the agenda. Based on your questions we might even talk about more than just what's on here, but I'm going to show you how to set up your dark web environment, or your underground environment, using tools like Tails, for example. You can also use virtual machines; my go-to is Tails. We're going to talk about how to find those sources, how to get access to those different sources, and then creating your own persona safely by disassociating it from yourself, protecting yourselves while you're online and engaging with these types of threat actors, and how to communicate with them. Basically we're just going to model our persona based on what threat actors are already doing, and then we're going to do some threat hunting, and if we have time, he's
going to give me a hands-up at 30 minutes. If we have some time, I've got something very cool at the end for you.

So first, what is the dark web? I know "dark web" is one of those terms where, like when you hear AI or ML, you're like, oh, okay. But really the dark web is just anything that is not indexed by your search engines: sources that require a special browser to get access to, tools like Tor, I2P or ZeroNet. When we talk about the dark web, we're really talking about the underground, because some of you might be familiar with RaidForums and BreachForums. Breached just went down, and there's a new forum that's kind of taking its place, called something like Poem Forums now. It looks exactly like Breached, and Breached looked exactly like RaidForums. Those weren't dark web forums; those were clear web. You could access them with Google, it's very easy to get access to them, but they're underground because of the types of threat actors you're dealing with on those sources, the types of data that's on there, and the types of threats that we're extracting every single day, every single minute, from those types of places. So when we talk about the dark web, we're really talking about the underground, which includes those clear web sources, of course includes the deep and the dark web, and also includes messaging platforms like Telegram, QQ and Discord. Even there you see a lot of fraud on those types of platforms, where threat actors are selling credit cards, vulnerabilities, zero-days, things like that. So today you're going to hear me say "the underground" a lot, and that's what I'm referring to.

Again, I'm trying to leave you with something practical, something you guys could actually do on your own. Because of that, I have to give you some precautions. These sources are inherently bad. Now, there are some sources hosted on Tor that have no criminal activity on them, but the sources I'm talking about are malicious. You have threat actors on there trying to exploit you, trying to exploit your companies, trying to exploit anybody that's on there that's stupid enough to click on a link that they don't want to work. So because of that I need to caution you all if you do try this on your own. As you can see here, I have an example of a threat actor that was sharing a tool himself, and it just said: hey, by the way, you need to be careful when you're downloading tools from other threat actors, cracking tools and things like that, because threat actors are loading malicious programs into these tools, and while you're trying to take advantage of others, they're taking advantage of you.
My go-to tool when I'm accessing sources and maintaining my personas is Tails. Tails is a very light OS. It's amnesic, so every time you power it down it erases itself. You can put it on a small thumb drive; eight gigabytes is all you need. It provides you secure computing anywhere, so you can plug it into whatever device, really, and boot it up. They have it even for mobile devices now. It's going to protect you, it's going to protect your network, it's going to protect all your other devices, because as soon as you unplug it, it wipes itself. As long as you don't store any of your own data on it or connect it to real live data or real personas, then you should be okay. But it's not magic. You still need to be careful and not log into other sites, like your official accounts, while you're also logging into underground sources.

I have a video, but because I'm using their device the videos aren't working. Don't worry, I have a backup. I want to show you the startup. You guys see that? Okay, so this is just the startup of Tails. Again, it's very simple, it's very lightweight, and when you log in, you can see I'm logging in here, it's got very minimal resources on it, and it's all about just maintaining your anonymity so that you can protect yourselves against these threat actors. Reporters use this when they're overseas, when they're behind enemy lines trying to communicate with the outside world, like when there are human rights issues going on and stuff like that. This is what Tails is for. It protects you when you're engaging in malicious activity or suspicious activities, things like that. So let's go back into my rotation here.
All right, so finding sources. Finding sources, especially on Tor or the dark web, you can't exactly Google these sources. There are some that are indexed and you can get quick links to, again, BreachForums, RaidForums when that was around, the new Poem forum, same thing; you can find those sources easier. But finding sources really requires you to have an in with threat actors, to communicate with them and figure out: where are you guys going, where are you guys selling data, where are you sharing malware, exploits, all that kind of stuff. That's where you find the real sources, where the real threats exist.

I have a couple of examples here of different types of sources. We have forums. This is Cracked; this forum, excuse my language, is a real pain in the ass, because it's a high-maintenance forum where you need to be active to really get the threats out of there. But again, you can access this on Google; it's very simple. You have credit card markets; these come and go every single day, it seems like. These are just marketplaces where threat actors are selling your compromised cards. You have sort of miscellaneous marketplaces where they're selling everything from fake IDs to narcotics. By the way, I was previously Marine Corps intelligence for national security, and I also worked in law enforcement taking down dark web narcotics dealers, things like that. So there are a ton of these markets, and they come and go all the time as the FBI and other agencies are taking them down, but when they get taken down another one is in their place.

Initial access brokers: for the enterprises in the room, you're probably very familiar with these. This is one of those threats that is on everybody's minds nowadays. These are marketplaces that use stealer programs to infect your users' machines, and as those users are logging into their accounts, or just by stealing them directly from the browser, it captures their account details and then sells them for very cheap on these markets. We call them initial access brokers because it provides that initial access into your network for sometimes as low as a dollar. I have an example I'll show you later, but think about the Uber breach. Breaches like that started from marketplaces like this, where any threat actor can go in, put in a domain, find an account to Uber and buy it for a dollar, and then they can see what kind of damage they can do once they've accessed it.

And then you have messaging platforms. As I mentioned earlier, Telegram. There are tens of thousands of these, I mean more than that, but tens of thousands that my own company is monitoring already, where we have threat actors selling zero-day exploits, selling fraudulent items, credit cards, things like that.

But again, finding these sources is not like you can just Google them. You need to stay up to date, and when it comes to dark web sources you need an exact onion address to get access to that source; otherwise you're not going to be able to access it, you're not even going to be able to find it. And because it's the dark web, they're constantly changing these addresses. So once you're in, it's not like you're done, you're good, you're going to be able to collect intelligence from that source all the time. No, you need to stay up to date. As that site changes its address you need to be aware of it, so that your collection remains constant. As I mentioned, some of those sources are actually indexed by other websites out there, but when it comes to those, it's really just the narcotics sites and child exploitation sites. Those are the ones that you can Google, and you can find a place like the Hidden Wiki, the Shadow Wiki or Dark Eye, where they maintain links and tell you whether or not a source is up or down. But those hacking sources, as I'll show in a little bit, places like RAMP forum, which is a very prominent Chinese and Russian hacking forum, you're not going to be able to Google that. You need to be in with the threat actors to know how to get to that source, and then you have to go through the step of actually getting access to it.

Here's another example, a forum post where threat actors share the links to the sources that they are active on. In this case you have a threat actor that shared the Telegram channel where they're often selling data leaks, sharing tools, things like that. That's how we identify these sources, and then we get in, see what types of threats exist on there, and then extract all that intelligence from those sources.

Forum sources: this is just one of the many barriers to actually extracting the intel from these sources. Again, the first barrier is finding them. Now you actually
have to register on them. This is where persona management is going to come into play. But you also have to know threat actors who will either invite you to a source or give you an invite link, and sometimes you need to pay your way in. The example here, this is Genesis forum, oh I'm sorry, Genesis Market. This is another marketplace, an initial access broker, where they sell accounts. I have a little bit of pride in this one, because this is one that I gained an invite to through my personas, I think like three years ago now. This one has kind of dropped off a little bit; Russian Market, which we'll talk about, is way more popular than this one is, because they sell things for a bit cheaper. But this is an example where threat actors had to invite me to the source, and I had to provide that invite code to actually get access, and then once I got access we were able to start extracting intel from there.

I've mentioned RAMP forum. That's another forum where you need to be verified by admins on the site, or you need to pay a hefty fee to get access to it. I would never encourage you to pay a fee to get access to a source, because you never know if they're actually going to give you that access. If you're sponsored by your company and you're spending their money, that's okay, but don't spend any of your own money to get access to these sites. So pay a vendor, or have your company do it for you, because I've been burned plenty of times where I pay money and I don't ever hear from the threat actor again. Again, it wasn't my money, so I didn't care. But there are sources like that that exist, and these are the sources that everybody's trying to get access to, because that's where the intel exists. That's where they're sharing these zero-days and the banking malware, the cracking programs, all that type of stuff. That's where they're selling it, and that's what we need to get intel on.

I mentioned Cracked is a pain in the ass. That's because it's a forum, which is actually a good design, where they require you to actually engage in the forum to be able to get something out of it. Forums, again, think of Reddit; I'm sure everybody knows what Reddit is. There are topics, you click on a topic, you can see the thread, right? On most of those forums you can click on any topic and see what threat actors are talking about, but on Cracked you can only see them if you're actually participating or providing something to the community of that forum. So oftentimes I'm digging back into old projects I did during my master's, like breaking code and sharing that, like "oh, here's how you hash something" or something like that, to make sure that I can maintain that access. But it's a lot of work; it takes a lot of work to keep that status on the site, and it's just another barrier that you have to get around when you're dealing with these types of sources.

Then you also have language barriers. Exploit forum, many of you are familiar with that one; it's a very popular one, mostly Russian threat actors, though some of them are actually kind and they also post in English for you, so you don't have to translate it or paste it into Google or whatever. But then you also have Chinese sources as well, very difficult to extract intel from, and translation tools are great, but if a threat actor has particularly bad grammar you're going to notice it. You might still get the gist of things, but you're going to miss that exact translation. And then you have VIP sections within those forums themselves, so sometimes getting access isn't all the access that you actually need. You need to then prove your status, you need to build a reputation to get access to the VIP sections where some of the top threat actors are actually communicating and
sharing the intel that you're looking for.

Now we're going to create our first persona, and there are some guidelines here. You have minimum requirements. You need to set up an email, a burner email. I use Proton Mail. Proton Mail is actually a bit of a pain, because they want you to start paying, but it is a great burner email to use. It's also a great email just to use personally if you want to set up something where all your spam goes. Password managers: do not make the mistakes that I've made over the years, where you use the same password for all of your dark web forums and one of those forums gets taken over, and then they find out your credentials and they wipe everything on it or take over all your accounts. Don't do that; use a password manager. Your persona needs to be completely isolated from the real you. You cannot be logging into your Chase account at the same time you're logging into a forum.

Build a new language style. Don't write the same way on a forum that you would in an email to your co-workers. Use slang terms, come up with a new style, because you don't want a threat actor to come to a talk like mine and be like, "you know what, that guy sounds familiar," and then all of a sudden they're digging into your profiles and they're like, "I think this is him." Set up PGP, OpenPGP. This is a good way of gaining a threat actor's trust, because some of the top threat actors still use PGP to verify each other to gain that trust, and sometimes they'll only share the most sensitive information when it is encrypted. I've got a tutorial for you, because that's a little bit more of a challenge. Jabber is also a very common form of communication; I'll show you that. And then, of course, Telegram.

We've been on time so far. So, my first persona. This is me, this is Pitiful. My Proton address is pitiful at proton dot me, my Jabber is pitiful at xmpp.jp, on forums you'll see me as Pitiful, and this is real, you'll actually see this. My Telegram is that, Pitiful. Here's my PGP fingerprint. Oh, and that was it; I thought I had another one this time, but that's me. This is my persona. You will actually see this
persona. Threat actors know, I have plenty of personas, trust me, but threat actors know that this is a security researcher; they know this is not somebody that they trust. But if you went onto any of the forums I just showed you, you will see my logo there, and the stupid threads that I engage in.

How do I create them? I model them. What I also do is use my own tool, the Cybersixgill portal, where we're collecting all this data every single day, 10 million plus items a day, tracking all these threat actors. I use our own tool to quickly analyze and figure out: what are threat actors doing today, what communication methods are they using? So I'm able to pick a threat actor like Jack Lowe here from a carding forum, a forum that does a lot of different things but whose focus is selling credit card dumps, compromised cards, things like that. You can see Jack Lowe uses XMPP, or Jabber, and uses Telegram (he or she, I don't know who it is), and then you can see all their different aliases across forums here. Maybe I could highlight it, but it's this right here, aliases on the bottom right. So I look for threat actors like that and I say, okay, this is how they're communicating, I need to replicate that, I need to look like that so I can gain the trust of threat actors. And as you can see, I'm able to ensure that I am capturing as much information as possible. I can search across all of these different sources at once by using their Jabber, using their Telegram address, to see where this threat actor is using these communication methods, and you see these are all different sources here, Altenen, Carvilla, Cracking and the rest; these are all sources that this threat actor is active on using these different communication methods. So that's how I model myself when I'm building my own personas.

You can see here's an example of the same threat actor on a forum, I forget what forum this is, but it's pretty recent, back in May, where they were even using Gmail or Outlook, which always, again, I come from the law enforcement space after the military, so when I was dealing with narcotics dealers, if I saw they were using Gmail or Apple or something, I would just subpoena that information to figure out who it is. So it's hilarious when I see them using accounts like that. But Telegram, Jabber, there's almost no way to figure out who that is unless they reveal some other details about themselves.

So we're going to set up our modes of communication. By the way, at the end of this there's going to be a QR code, there are going to be two: one to my LinkedIn, and another to my drive, where a lot of the things you see here, the presentation, will be in there so you can take it. There are also going to be tutorials in there as well. So a lot of these things, if you're taking pictures that's fine, great, but you'll have access to a lot of this afterwards. So we're going to set up our modes of communication. We've got private messaging; these are just the ways to communicate on the forums themselves, and the marketplaces usually have their own messaging. We're going to set up our Jabber, we're going to set up our Telegram and we're going to set up our PGP, and I'm going to
talk about the pros and cons of all of these methods.

So, first one, Telegram. This is the easiest one, relatively easy, because again, we do not want to have our threat actor Telegram account on our personal devices, right? We don't want to use our real phone numbers for our Telegram account, so you need a burner phone, which is pretty simple; it's pretty easy to set up a burner account these days. As you can see here, I'm having a conversation. This is a real investigation I was doing where a threat actor was selling stealer logs, and that bubble on the bottom is me talking to them.

There are several pros and cons to Telegram. One, it's easy to use and search through, so you can find threat actors pretty easily, and it's easy to go unnoticed if you join a group. There are these groups out there where, again, it's just a feed of dumps: data dumps, credentials, malicious programs that they're sharing, and you could just sit in there and consume all that information and never have to say anything; they won't even know you're there. Sometimes they do, I guess; they do their own versions of audits and they'll kick people out that haven't participated, but you just join right back up. It's pretty simple. The cons are that there are so many groups out there, and a lot of them have similar names, threat actors have similar names, so when you search, you know, if you search for Pitiful on there you'll probably just find me, but there's a chance if you search somebody else's moniker you're going to have a thousand others with the same one, and you're like, man, which one is this? So that could be the challenge with Telegram. It's also very volatile. Again, some of these sources that get brought up get a lot of momentum the first couple of weeks and then they die off, and then you have to find the next one to extract intel from.
Private messaging: this is a very easy form. Again, this is on the sources themselves, and a lot of the threat actors use them. They're frequently used, again, on all the major sources: Breached (I made this presentation a few months ago and Breached was just taken down, so I need to update this), Exploit, The Hub, all of them have their own private messaging, and some of them even just have a chat box. The cons are that threat actors can save your conversations, so they can use that to expose you later on. I have seen, and maybe some of you have seen it, other threat intel vendors get exposed through that, and threat actors will literally create a post saying, "hey, threat intel vendor, I know you're on here, here are all the chats I have with you, here are the monikers," and they alert all the other users. That happens. And as I mentioned, threat actors can flag you to everybody else without you even knowing, so that threat actors won't trust you on that site and you're not going to get anything out of it. I have some examples; I believe these are some examples of private messaging. Another con of private messages I didn't have on there is that you need to log into the source daily to know if you got a notification. You could have it sent to your email, but again, you risk a little bit of exposure there, linking accounts together, which you don't necessarily want. But if you message somebody, you're going to have to log in every day, or however frequently you want, to see whether they've responded yet, because that's really the only way you're going to know.

Then you have Jabber. Jabber is pretty easy to create and to remain anonymous with. You don't have to link any accounts to it, which is pretty nice, especially if you're someone like me that needs to create a lot of accounts pretty frequently, and you can communicate with threat actors regardless of what server they're using or what site they're on. If they're a threat actor on Exploit but you're not in Exploit yet and you have their Jabber, they're probably not going to trust you unless you actually have a profile on Exploit, but you can at least try. Cons are, sometimes it's difficult to reach them, because, depending on what application you're using with Jabber (I use Pidgin), you might not always have it on, especially if you're using Tails or something; Tails is not always powered on, you unplug it when you're done, so you can miss messages. And some Jabber servers are inconsistent, meaning sometimes they go down, you can lose your chat history if you're saving it, things like that. This is an example. I blurred out a lot of it, because this was actually from one of my sensitive personas where I'm communicating on Jabber with a threat actor for a bank. It was a French bank, a client of mine, and they were selling this bank's data. I was communicating with the threat actor trying to figure out: did they sell this data to anybody yet, and if not, how much were they selling it for, and then whether or not we can acquire it. So this is a real example, and you can see it's a pretty basic format.

Some recommendations. Again, this is going to be available in the drive if you guys access that later, but just a little setup, because it does take a little bit more setup than the others. There's a list of Jabber servers I use; xmpp.jp is the most consistent one that I've come across, but there are hundreds, thousands of others out there that you can use. And then the application that I use to communicate on Jabber is Pidgin, but again there are a bunch of other ones you can use, whatever application you want to use for your Jabber, and you can even use it on a phone now.

PGP. Probably the most difficult one, but also the most secure, meaning you're the only one that has access to your keys, as long as you are protecting them, and only the recipient can decrypt that message.
The benefit of this is that sometimes you get the most sensitive information, or the real intel that you're looking for, because threat actors really trust this method of communication. The cons are it's difficult, it takes longer to communicate, and if you lose your key you lose your messages. Don't be me; use your password managers. If you lose that key, you are never going to decrypt those messages again. And I have an example here as well to show you what communicating via PGP looks like.

Okay, it's so small, but here I am copying a threat actor's public key, because you need their key to be able to communicate with them. So this is their public key. I'm using Kleopatra; I have a tutorial for this. I am importing their key to create an identity for them, or an account for them. I am telling them I love them, thank you for the dumps, you know, I got dumps from them. I am now going to encrypt this message with their public key, using my secret key and their public key. I am encrypting this message, picking their account right now, let's say, hit next. I've encrypted the message. Now I'm going to paste it; it copies to your clipboard, and I'm going to paste it over. That's the encrypted message now. So now you give this to the threat actor and they'll decrypt it with their private key, and they'll see that I love them and I'm grateful for the dumps. And then you do the same exact thing if they send you a message back: they need your public key. Yes, every time you have to do that, every time you communicate with them.
We're at 30, I think, now. Yeah, yeah.
All right, let's speed it up a little bit. So now we're going to put it all together. We've got access to the sources, right? We've created our personas quickly; it's going to take you guys longer, trust me, so it'll be a long time. I'm still doing it. But now we're going to put it all together and figure out how we extract the threats from these sources. So we're going to do some threat hunting. All threat hunting is, is a constant game of cat and mouse, trying to find the threats before they've been realized in your own networks. I am a threat hunter for the underground, so I am an external threat hunter. I'm not reviewing logs, I'm not looking for anomalies within our network, anything like that. I am looking for threats from external sources, so that's what we're going to do. The common threats you're going to come across are initial access, phishing, supply chain compromise, valid accounts for sale, insider threats, fraud, data leaks and many, many more, but these are kind of the main ones. Vulnerabilities I would put in there as well.

So what's the problem with manual threat hunting? It's time-consuming. You deal with barriers like captchas; these are the ways that sources try to keep you out, especially if you're collecting information from them. You're put in queues, so if you're trying to perform a threat hunt because your company's making you do so, there is an incident, now you've got to wait in line just to get access to the source that might not even have the intel that you're looking for. Here's another one; this is like the impossible one to figure out, and they come up with these crazy ones. This one I'll fail every time, I'll get locked out. And then you have sites that just aren't active anymore; you lose everything that you had on that site, including your account and all the information, all the communication you had with that threat actor. So you have to search for each source individually, you possibly risk exposing yourself or your company's assets, and then you add the risk by actually searching on those sources for the intel that you're looking for.

So I'm going to use an example, and I hope RaceTrac's not in the room. Anyone? I thought I saw a hand go up, I'm like, oh God, sorry. But RaceTrac, I'm sure you're all familiar, was hit by Clop. At least tens of gigabytes were made public on their leak site, which is not uncommon; all the other victims end up on the leak site. I'm not picking on RaceTrac, but they're a good example for me. In the data that they shared, they included employee tax information, financial records, customer data, rewards accounts, and this one was kind of unique, because Clop was getting annoyed that companies weren't paying the ransom, so they're like, okay, we're going to reach out to your customers. So they reached out directly to the customers to let them know that they had RaceTrac's data, and that just further destroyed the brand, if anybody actually cared. So my job is to figure out: well, how did they get access in the first place, and could we have told them before the ransomware attack happened?

So we're going to combine our persona management, we're going to get access to the sources, and we're going to extract that sort of intel. Again, one of the most common threats: initial access, data dumps, compromised credentials coming from the underground. So I look for leaked credentials, and I'm pulling this directly from my data lake at Cybersixgill, and I'm looking for any RaceTrac credential in the past month. You can see all these employee emails that were compromised by stealer programs. I blurred it out, I do want to protect people, but as you can see, all these are coming from RaceTrac. In fact, when I did this presentation, this was all from the January time frame. What else can I find? Well, I can look across my entire data lake, all these sources at once, instead of having to log into each individual source, get put in a queue, get blocked, get banned or whatever the case might be, and I could see that there were mentions of RaceTrac, or racetrac.com, or RaceTrac's data on all of these sources just in a month's time frame. You can see some of those sources had as many as 62 mentions within a month, and then, again, I think there are like 15 here or something like that, I can't count that over there. There were 150 total mentions just in that month time frame. I could go back two years to see what their exposure was; I cared most about what was the most recent exposure they had. But you can see, with just a quick search, I'm able to find the sources that actually have the data, rather than wasting time logging into a source, checking if the data's there, if not going to the next one, so on and so forth. I can also get access to the files that actually have these sources, extract all the data, and then during that process not only could I find the data that's for RaceTrac, but I might also find other data that belongs to other users or other organizations and let them know: hey, by the way, in this dump that had RaceTrac credentials or data, your data was also there. And we can alert them of that before anything bad happens.
This is very similar to the Uber breach. So RaceTrac was actually compromised through a vulnerability that they didn't patch, but this is an example here where you could see somebody's account that was for sale: someone that had access to RaceTrac at ulta.com had their login and password, as you can see by the plus signs next to each of those, where stealer malware captured those details and then listed them for sale back in January for as little as a dollar. Thank you. Oh, it's like a way of signing in, like, if you can... This is the actual view of the source itself, where you could see, if we purchase this from the market, you have the actual files that you would reveal once you pay the fee; you would get these files and then get the information that was leaked. I have an example; I redacted information, I put my own stuff in here. These are things that I buy all the time, where you can see if you purchase it, it reveals the URL, so it would have been racetrack.auxha.com, and then you can see the username, my very bad password, my dictionary password, so on and so forth. So the benefit of using a premium tool like Cybersixgill, for example, is that again you save a lot of time by
accessing all these sources at once rather than logging into sources, not finding the intel that you need. You can get that intel right away without wasting all that time, and easily monitor those threat actors moving forward. So now that you know what threat actors are targeting you, you can keep track of all of their activity and be alerted to that as soon as they post something new targeting you or somebody in your industry, whatever the case would be.

So I promised a little something extra. This is some research that my colleague and I did just in the past few weeks. It's not just data leaks, it's not just vulnerabilities and things like that that are available on the underground; threat actors are sharing the actual tools that they're using to compromise you. So my colleague and I downloaded one of these tools, and it's actually an open source tool you might be familiar with; it's called OpenBullet, and this version is OpenBullet 2. It's a web pen testing type tool, but threat actors use it for credential stuffing. So I used our own data to get access to... or, we download the tool, and then I use our own data to see why threat actors are using this tool, and it turns out it's because they basically can copy and paste everything that they get off of the dark web, the underground, put it in this tool, and then it's just push and play from there. And I demonstrated that, because I'm not very good at it, but I was able to do it myself; it just shows you that any script kiddie can basically do this and start collecting credentials or ways into your network. Again, I have tutorials for this as well; it's an open source tool. But the underground hosts all the pieces of information that you need to use this tool: so you need a config, you need combo lists, which are basically just text files of usernames and another text file of passwords; you combine those two and you see which ones give you some hits; and then you need a target: RaceTrac, Netflix, whatever, Amazon, you know, the typical places that threat actors are trying to get access to. They're trying to take over their ex-girlfriend's Facebook accounts, things like that; that's real, I see that all the time. And here's an example: this was just in a month's time frame, there's 101,000 results of threat actors sharing those two things, the configs and the combo lists for OpenBullet. That just shows you how prevalent this tool is in the underground and how frequently threat actors are using this to try and get access to your networks. So how easy is it? Well, again, something I can do, so any threat actor could do.
So I opened up my attack box here, this is Kali, and right now we're going to start our instance of OpenBullet, just in the command line here, or in the terminal, running some Kali commands to turn on OpenBullet. It's very easy to use. I'm a GUI guy; you don't see me playing around in the terminal too much. OpenBullet comes with a GUI as well, which is great. As you can see there's a bunch of things on the left-hand side, a bunch of different tools you can use, but the first thing we need is a config, so we need to tell OpenBullet what to do. So we're going to create an HTTP request to a site; in this case I use... I forget the tool... the site's a marketplace-like testing site where you just test your online market, your online tool. We build a config; we need to now load in a combo list, which again is just a list of usernames and passwords. I have three here to make it easy, so you can put a thousand, you could put 10,000 in there, and then we're going to upload that to the tool. You can see there's my word list. We're going to create a job, so we're now going to load that combo list into the config, and we're going to target that site. I press play; it is now running that combo list, it's targeting that URL or that site, and it's iterating over that combo list to look for matches. So you can see the third account in the combo list came back as a success; I got that that is a valid username and credential combination. So now I can take it, I can go log into that site and get access to whatever information. It's an e-commerce site, so I can potentially get their credit card information, you know, their physical address, link it to their other accounts, things like that. And that's it; that's how easy it is to use a tool like that. That is a real tool that threat actors are using every single day. So maybe next time I'll do something like a stealer. [Inaudible question: only works on HTTP?] Yeah, it works on others as well; HTTP was the easiest one for me to go with.
Actually, so thank you very much. [Applause] If you have any questions, or if we run out of time and you have any more questions, please reach out to me. You'll also see a link to our company website, cybersixgill.com, if you want to learn more, so please take that. I'll get your request; I'd be happy to talk to any of you about any of the questions you have, or if you're just curious for more information. This is the tutorial drive, so I have four files in there now with tutorials and the videos that you saw. I will have to give you access, so I will get your request and I'll give you access to it so you can get those. The PowerPoint will be in there later today as well, and at future conferences (I'll be at other conferences as well) we will add more tutorials to that, so just keep an eye on them.

Thank you. [Applause] Thanks, thanks.
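Added example, not code from the talk, from Cybersixgill or from the OpenBullet project: the two halves of the credential-stuffing loop described above, in plain Python so the mechanics are visible without the tool. The attacker half parses a combo list (the username:password text files the speaker describes) and replays every pair against a login endpoint, exactly the "press play" step; the defender half reads the resulting authentication log and flags the source that tried many distinct usernames with mostly failures, which is the signature a credential-stuffing run leaves and a single user mistyping a password does not. The combo list, the target accounts, the IPs and the log lines are all constructed here; the mock login endpoint stands in for the HTTP request a config would make.

```python
"""Credential stuffing, both sides: the combo-list loop OpenBullet automates,
and the server-side detection that catches it. Added example; the target,
accounts, combo list and log lines are all constructed, not real data."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed "combo list": username:password lines, as shared in the underground.
COMBO_LIST = """\
alice@example.test:Winter2023!
bob@example.test:password123
carol@example.test:Summer2022
# a comment line that a parser must skip
dave@example.test:letmein
mallory@example.test:hunter2
"""

# Constructed target: a handful of accounts whose passwords were reused elsewhere.
TARGET_ACCOUNTS = {
    "bob@example.test": "password123",
    "carol@example.test": "Summer2022",
    "erin@example.test": "correct horse",
}


def parse_combo_list(text):
    """Yield (username, password) pairs. Split on the first ':' only so a
    password that itself contains ':' survives; skip blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, pwd = line.partition(":")
        yield user, pwd


@dataclass
class MockTarget:
    """Stand-in for the login endpoint a config points at (hypothetical).
    Records one log line per attempt so the detector has something to read."""
    accounts: dict
    log: list = field(default_factory=list)

    def login(self, user, pwd, src_ip):
        ok = self.accounts.get(user) == pwd
        self.log.append(
            f"src={src_ip} user={user} result={'success' if ok else 'fail'}")
        return ok


def run_stuffing(target, combos, src_ip="203.0.113.7"):
    """The 'press play' step: try every combo, return the hits."""
    return [(u, p) for u, p in combos if target.login(u, p, src_ip)]


def detect_stuffing(log_lines, min_distinct_users=3, max_success_ratio=0.5):
    """Flag source IPs that tried many *distinct* usernames with a low
    success ratio. Stuffing and spraying both look like this; one user
    fat-fingering a password does not (one username, not many)."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        st = per_ip[fields["src"]]
        st["users"].add(fields["user"])
        st["total"] += 1
        st["fail"] += fields["result"] == "fail"
    return sorted(
        ip for ip, st in per_ip.items()
        if len(st["users"]) >= min_distinct_users
        and (st["total"] - st["fail"]) / st["total"] <= max_success_ratio
    )


def demo():
    """Run the stuffing job, mix in legitimate traffic, then run detection."""
    target = MockTarget(dict(TARGET_ACCOUNTS))
    hits = run_stuffing(target, parse_combo_list(COMBO_LIST))
    # Legitimate traffic from another IP: one user, one typo, then success.
    target.login("erin@example.test", "wrong", "198.51.100.9")
    target.login("erin@example.test", "correct horse", "198.51.100.9")
    return hits, detect_stuffing(target.log)


if __name__ == "__main__":
    hits, flagged = demo()
    print("hits:", hits)
    print("flagged IPs:", flagged)
```

Two of the five combos land because the passwords were reused, which is the whole economics of the tool: the list costs a dollar, the hits are the product. The detector keys on distinct usernames per source rather than on failure count alone; a real deployment would bucket by time window and also watch for the same password across many usernames, but the distinct-user signal is what separates a stuffing run from an ordinary lockout.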