>>I'm here to talk about [indiscernible] how people got caught and talk about some things about the history, various people who have been using Tor or sometimes anonymizing systems and have gotten busted still. In all of these cases, none of it was Tor directly, all bad -- I'll cover what they screwed up. To save a little time, how many of you have been to my website? Okay, fair enough. My name is Adrian Crenshaw, I am likely to get something wrong, like if you ask me about the newest relay that people are talking about with Tor I'm only this much up on it, so I probably can't get it for you, but I'm interested in learning on it. I'm also a senior information security consultant, and they were kind enough to fly me out here, and also a cofounder of DerbyCon. General warning: I'm taking this from two perspectives, how to keep people anonymous and how to deanonymize people. I want anonymity; I think all secrets should be known, it would probably be a better place, but people with more power are better at keeping secrets than others. But I'm interested in it like a chess game, how to keep it, it's just an intellectual interest for me. I am not a lawyer, some of the things I'm going to talk about is legal stuff, any legal advice I give is not legal advice in the definition of legal advice. If something has the words "I understand" in it several times it means that they know that they're lying but they don't want to be called on it. I don't like lawyers, if there was such a thing, I believe I have one, so I won't say I never need one. Anyway, be careful what you say, most of the people out there I think are techno weenies like me who just like encryption, some people are university administrators, but groups do exist that are bad, so be careful where you web surf, if you do surf, I highly recommend automatically downloading.
Let's just say I have a friend of mine who is in research, his name is Bob, who actually gave a talk at DEF CON on darknets, and he was looking through this and there was a picture of himself right next to a bunch of child porn, because there are some disturbed people out there, so be careful where you surf, but most of the stuff I think is fairly innocent. We're going to talk about how it works. Tor is sometimes referred to as a darknet and it uses proxies and multiple levels of encryption. I like the term cipherspace, I think it sounds cool, and darknet means something different. That's a piece of IP space to say that anybody who is touching it, we know it has to be illegitimate, so we shun them; it has two meanings, that's why I like darknet better. This is the onion router, the most popular one out there. It doesn't have as big a base as Tor does. This started off as a Navy research project back in the day, eventually the EFF took over and then it became its own 501(c)(3). This is for privacy, this is so you can surf the web and not have people know who you are, and host something and not have people be able to shut it down. They can host it via a hidden service; hidden services don't have to be a website, they can be other hidden services, anything you can do over TCP.
But mostly with the anonymous sites we are talking about hidden services in this talk. But how you access it: you have a proxy on your local machine and you can point web browsers to it and it just generally functions all the time, hopefully. It's hard to get that configured right if you do it from your own browser, which is why I strongly recommend that you use the Tor Browser Bundle that has all of this set up for you. But yeah, like I said before, it's layers of encryption. The data you send out is the same way; I say that here because some other darknets are different, your out tunnels and in tunnels can be different, but Tor is basically bidirectional. It has a directory service which can be a single point of failure, but it uses distributed hash tables for some of the hidden service stuff; I need to look at the tech manual more to understand where they use which one for what. A few years back, the servers kept a lot of people from accessing Tor directly, so they needed to use some sort of Tor bridge node, but it is generally composed of multiple levels of encryption. What they do is they have three levels of encryption: the first hop gets the first one stripped off, there's another one inside of that which is for the second hop, then another one for the third hop; at that point the exit point, which is that last node, decrypts and sends it on. It's still going to be encrypted, but the people at that exit point can see the traffic they're sniffing if it's just using HTTP; they can see that stuff.
This is different, say you want to host something. I want to start up a site, Polyester Road, because I'm going to sell zoot suits from like the '70s for like lounge lizards, so I wanted to go ahead. I'm Bob, I want to start Polyester Road, I can send that to the DB and have it known what my introduction points are, and that's advertising for my onion address. Usually it's semi-random, it's mostly random, you can brute force and make it kind of a specially assigned name if you want. Have you ever been to Silk Road's website? The first few characters, there is a way to brute force and assign a name that you want close to, but you can't do the entire thing because it's a little bit too long for you to do it. The GPU systems are coming out with those names. Alice finds out about it, she finds out the introduction point, and she sets the rendezvous point so that Bob can talk back to her, sends that information to the introduction points, and they can start talking about how they're going to communicate and eventually set up a channel and start moving data back and forth. I know I'm going through this all fast, but really it's better to read the website on how it works, but we both agree who we're going to talk to anonymously, and hosting it and people don't know who is hosting it, and that's a good idea.
There are node types in Tor: there are just general clients that use Tor; there are relays, and these are people who hand traffic on to the next person, but they're not necessarily exit points, which is where it sometimes gets tricky. In the United States, it's legal to have an exit point; Austria had some problems because contraband was going across, but you can get exit points, meaning bad stuff is going through the system? You generally are not at fault for it. There are also bridges; remember I mentioned those directory services before that got shut down? Bridges are basically Tor nodes that are not advertised in the directory, so the only way you can get them is through the pathway on the website, and they would email you certain bridges you could use. The idea is none of the bridges are listed in one place, so you can get on if you can't get on the directory directly; that was the idea of the bridges. Guard nodes are slightly more trusted nodes for the first hop. It might be your first hop and your last hop, and if I'm watching traffic I can kind of figure out who you are. And this is a guy not giving a talk now, they were doing a type of -- if I understand what I read about it, they were adding some tags to the data. But the guard node, I don't know how the process for that worked, but they could become more than one [indiscernible]; if you can control multiple nodes in the network you can [indiscernible]. There are also introduction points, which I mentioned, and other points. You get a web browser, you get Tor up and running, you use the Tor Browser Bundle, you download it, unzip it and just use it. Setting up your own Tor service is more complex; I have links in the slides, I have a three-hour class I did, and it covers the same thing in I2P.
Okay. Applications, there's tons of stuff out there. I want to give a quick shout out to Tails; Tails is essentially a live CD, you can also do it [indiscernible], that has lots of things, add-ons to Tor that make it more secure, and since the plug-ins are not going to be there, other authorizations, generally, every time you sit down to start, that kind of thing; it's what you do, as long as you get the memory fast enough, you are generally okay. Do you know what a cold boot attack is? If they can hit you hard enough and fast enough, they can pull memory out, they pull it out and mount it and suck off all the data; if they do that fast enough, they can [indiscernible], so the amount of time it takes is probably -- it would probably be okay. And we're talking anti-forensics also. You don't want to look it up, trust me.
This other tool that is out there is Scallion; if you look at the Silk Road's one, I think I have this up, they brute forced part of it. Oh, crud, I don't have -- let me bring this up real -- yeah. Notice how they brute forced the first part of it, because they actually have Silk Road as the first characters but the rest is random. I have to mention the security concern because it lessens the [indiscernible] but [indiscernible] will be able to tell you better, but let's get back to the slides.
But there are always tools out there; if you want to know more about hidden services, go visit the public Internet site on onions where you will find various ones listed. There are pros and cons. A big pro is anything you can do here you can make it work, like this over Tor, perfectly feasible, and three levels of proxy gives you a lot of anonymity. The downside is it's slow, a lot faster than it used to be, but it's never going to be as fast as just using the public Internet, it can't be, because you have all of these extra hops you are going through. You have to trust your exit node. Say they didn't want the country they were in to spy, and you want to get out of the country without the French people spying on you, you might use Tor, but if you use Tor without encryption, whatever your exit point is, it's going to be sniffing your traffic, and people did things like that. And I mentioned the Great Firewall of China blocking 80% of the relays a while back, and so those were all issues, but it is the biggest point [indiscernible]. All right. What does the traffic look like? Ports for your proxies, and you're using manual rapport, using your Tor Browser Bundle; this is a hidden service, use the Tor Browser Bundle or Tails. Usually there are some 80, I'm not sure if that's still current; there's a lot more detail on my website, and there are ways you can detect it also, saying is this IP address part of Tor, part of the Tor directory; you can query them and find out. There's a little onion icon in the top left-hand corner instead of the normal one. Oh, quick shout out to I2P; I don't know if anybody got busted on it, not because it's more secure but it's used less, and having different people doing different kinds of research in this kind of community is important, I think, and that's another big player out there. Tor pretty much is the 800-pound gorilla when it comes to darknets.
There is a Goon named Bob and he gives a great talk, Bob Rice on Bitcoin, so I recorded it once, go check that one out. But essentially, Bitcoin is a cryptocurrency that uses proof of work; this is not Bitcoin work, but this is proof of work to you. It really came up as a way of stopping spam; the idea is if you want to send me a message, you've got to do some work before you can send to me. This way, if you're a spammer, it's going to discourage you. I'm not discouraged from sending emails, but if it takes more than a second for spam to calculate, it slows them down massively from being able to use spam campaigns. So an example, this one is for most security people: it is really fast to take a password and hash it to the hash value; however, taking a hash value and turning it back into the password is much more difficult. So a proof of work example might be you can only send an email to me if you brute force my password; it's a 4 character password and here's my hash. A four character password, you should be able to do that fast, but it's still a little time and it's not a nuisance to me, but it might be to others. Bitcoin uses a similar kind of system of proof of work, also in big blocks that they communicate through, passing on bitcoins to say I now assign these bitcoins I own to this particular address. But watch Bob's talk on it, it's neat; if you want to send stuff anonymously, it's the way to go. There is alternate stuff out there, like Dogecoin and I don't know how many others.
But check out Bob Rice's talk sometime. I burned through that in 12 minutes because I want to get to the good stuff.
Basically, we're talking about how people got deanonymized, and the first thing I want to talk about is the Harvard bomb threat. Here's what he said: there is a bomb placed in the Science Center, 204, be quick or they'll go off soon. He sent this on December 16th. Well, they had to figure out who this guy was. Apparently he used Guerrilla Mail. I sent my own message using Guerrilla Mail, and one thing it does is it includes your originating IP address; that's not mine, I modified it some, but it can originate [indiscernible]. So let's say you did it from home, your IP address would be in that mail and you can look in the header. This guy did use Tor; it had a Tor server IP address, that was a step in the right direction, of course. However, all nodes are public and it's easy to figure out is this machine Tor or not, you just look it up, and you just find out if it was a node; a lot of times they have Tor in the name of them, so it's easy to correlate who was attacking. Well, what they did is they looked to see who was using Tor during the time that the email was sent. And they found this one particular individual. Now, if this guy had been using a bridge, but [indiscernible] it would have been advertising directly, he probably would have got away with it, or if he had just walked to the local coffee shop and used Tor he probably would have gotten away with it. However, he used it through the university network. He was one of the few people on Tor at the time; I don't know what Harvard does with anonymity, but he was using Tor, and when he found out he was one of them, he admitted to everything, and apparently he did it to get out of a final, and so he sent that in just to get out of a final. Oh well, more details, there's great write-ups, also court documents out; these slides, by the way, are very close to the exact version that should be on your DEF CON and I have them online.
>> [Off mic].
>> And he did it from -- well, the Harvard network, I think maybe his dorm room, I don't remember the exact location.
>> [Off mic].
>> [Off mic].
>> So lessons learned from this: don't be the only person using Tor at a given time; use a bridge, if he had used a bridge, he probably wouldn't have been caught. Don't admit anything. That would have gone a long way. And correlation attacks are a bitch, and we'll talk more about a correlation attack here in a second. Essentially what a correlation attack is, you watch the traffic and see what's going on. Everything is encrypted, but if you see a 5 meg request, which would be a big request, but still, and then it goes out and you watch this node and this node, you can tell these two are evil, especially with the goatee; Ralph looks like my evil computer, but anyway, these guys were sniffing it, so this one and this one, this was a similar attack: someone controls both of those nodes and he says I saw 5 meg come in this way and out that way, and I saw 8 meg come back, go out that way, come back this way, and you can see them both. Now, granted, the encryption there, the messages don't look the same because they have extra crypto keys in the middle; I'm pointing here, why am I doing that? Yeah, like this guy right here. So I mean, the traffic doesn't look the same, it's different feeds, but based on the size and the timing of it they have a good idea that this might be who it is. Now, in this case, the correlation attack was who was using Tor at that particular time.
Timing correlation might be similar. Pain in my buttocks! All right. Let's see if this crashes again or not; I'll get myself together here. Shift-F5. Macintosh. Okay. So that was the attack I was mentioning before, just looking at traffic. There are also the timing attacks that can possibly be done based on when the traffic is coming through, and there's been some work on people trying to DDoS part of the network to know I've DoS'd that and I can put -- well, if I can force certain patterns in the traffic, you might be able to recognize that. (Lost audio).
Company, let's see. No, history buff, no.
>> [Off mic].
>> They had this project called Molanear, and it's a document that is a little bit like this, called an expert tracker along the way, so you can kind of modify and put a pattern into the data; I could be misreading it. Somebody from NSA, if they want to talk to me about it, I would love to hear.
>> [Off mic].
>> Just saying, the little hat here. All right. Another thing, this is not [indiscernible]; remember how I mentioned how sometimes you can really screw it up if you set up the browser yourself? If you set up Tor in Firefox itself, not using the browser bundle, there is a setting that says use it over the proxy; when you query polyesterroad.onion, they won't see the traffic but they will see that you are trying to go to that particular site. That's why, if you are going to set it up yourself, you have to do something like proxy remote DNS, but the Tor Browser by default does that. They can see who you're trying to visit based on the DNS queries. Okay. Next case.
You remember this from a couple of years ago, right? Hector Xavier Monsegur, I'm going to call him Sabu because that is easier to remember. He got lazy one time and he got himself caught and started to collaborate with people so he wouldn't go to jail. Last I heard, he got off exactly now, I think he's home free at that point. But anyway, he didn't use Tor consistently; eventually they found him, and I don't understand some of these people that do this, why don't you use I2P, and you can do it all over anonymous networks, because even if you use a cloaking, a cloak that hides your IP address from other people doing things, it still is a problem because the person who owns the service might look into your IP address and figure out who you are. There is actually a guy who lives in Great Britain who was part of the Anonymous movement at one time and he got pissed off at other people and he was on one of the IRC servers, so he started dumping the IP addresses. So if you are using I2P and IRC, he probably wouldn't have got caught. He was speaking with sup_g, ends up it's Jeremy Hammond, but they didn't know that at the time. And Jeremy had been arrested or detained before, and various political groups he was involved with, and they got a general idea for where in the world he lived, and this narrowed down the suspect pool a whole lot, and they finally got enough evidence to be able to get -- well, the marker was in the access. Because he was saying things like I was involved with these people, doing some of the things that he said made it very clear that he lived in the Midwest, and there are only so many people that fit those kinds of qualities and already have a record, so they were able to narrow it down.
Now, he did use Tor consistently, from the records I read, and he was never busted, but they were able to use essentially timing and sequential timing and correlation attacks to figure out he was always online at the same time Hammond was, and talking when [indiscernible] was talking to [indiscernible] he was in his residence. They were able to figure out, well, it seems likely that it is indeed him. A lot more details in technical articles, but there's a few lessons from this one. Lessons learned: use Tor consistently; if you use it part of the time, that's going to cause a problem. Back in the day when you had to configure it for yourself, one thing that was really cool to do is set the cookies in Tor; when you disconnect Tor, you go back and visit the site again without Tor, you see that cookie and you know who that was. I have a feature on my website that does that. If you are using Tor Browser, it's going to clear out that history every time you shut it down. But yeah, if you use Tor consistently, don't give out a lot of personal information, don't release a bunch of stuff about these are the people I'm hanging out with, these are the people I'm involved with.
Also, correlation attacks are still a bitch, because from when he was online versus when he was talking to Sabu, they figured out who he was.
Case No. 2, by the way, for the cases that kind of stick out, I'm following the programmer standard of starting at 0. So Case No. 2, Freedom Hosting. Now, Freedom Hosting is a company that basically allowed people to -- hosting services inside of Tor, so they didn't have to set up their own boxes for hidden services and they would basically use these people, but they hosted a lot of different things, amongst them some child porn related services; not the only thing they were about, but some of the stuff they had. They also had legitimate stuff like Tor Mail, but that's the stuff that particular group ran.
Because of the whole hosting the child porn, Anonymous had an op going where they were attacking them and trying to hack the websites, and I think at one point they dumped a bunch of information about who was using them. Just because it's anonymous doesn't mean the web application isn't vulnerable, and that's how they dumped a bunch of accounts from them. What is that?
>> Oh, on July 13th, the FBI found the hosting boxes and decided to insert some malicious JavaScript. And it exploited Firefox version 17, Extended Support Release, and a recent version of the Tor Browser for Windows happened to be using that particular version of Firefox, so it was vulnerable. Now Tor had only updated the panel; if all of the people had updated by that time they wouldn't have gotten caught, because they weren't involved in this, but some people don't update in a timely fashion, so they had this vulnerability, and they installed this malware, they installed Magneto, and it was a server in Virginia, and it would post the public IP address, some of the content you see, MAC addresses, which can narrow it down to your machine, the Windows host name and the site visited.
This one is kind of similar to [indiscernible] Snowden documents, coming across the EgotisticalGiraffe project, this is a beautiful name; I don't think it's exactly the same exploit though. They exploit but not entirely the same project with the FBI, because I don't think the United States collaborated that much. There's a lot of cases in the past of law enforcement doing something similar, like getting malware installed on machines and tracking them and seeing what they're up to. There was an NSA project, GCHQ, what is Great Britain's equivalent to the NSA? I may get this wrong, so I'm just pointing it out, and if I get it wrong let me know after the talk. And CIPAV is another example; Joe gave a talk that was really good, unfortunately it was not recorded, so if you ever get to talk with him, go check that out. He might even be here at DEF CON. The first time I met him was at DEF CON 2009. Anyway, Freedom Hosting, the box you will be able to take malware off the machines, and you can figure out who is hosting or who the head guy is in charge of hosting, and it ended up being this Marques. They also traced him down because of the way he made the payment. Once they compromised the box and realized this is the IP address, they found out who was actually leasing the box and this tied him to it pretty quick.
Now, when they busted him he is said to have dived for his laptop to shut it down. If the machine was shut down, it has full hard drive encryption; you don't beat it mathematically, you beat it through implementation or rubber hose cryptography. He apparently, though, didn't get to it fast enough. A lot more details in an article on it. Lessons learned from this one: don't host [indiscernible], that's one thing. You're not [indiscernible] in-culture, are you? Beshear is jailbait, captain card, CP, child porn. Actually, I gave a talk a few years back at a security forum, it was some ISA appoint, and I gave a talk on Anonymous, they are one cohesive group, for whom to want to go and do a particular thing, and I used a bunch of in-culture terminology, things that are offensive, people who do it for the lulz and control people, so I was using in-term -- in-culture terminology, and I think what he said about me not getting invited back is, I wonder if [indiscernible] talk was well researched and it was wholly inappropriate; if you get to know the guy, okay, maybe it was somewhat true. The next thing you can learn: patch, patch, patch. If these people had kept up their patches, they would have been fine and dandy. I don't think they put the warning up at the time; now if you have an outdated version, you will see a warning next to the onion that says there's a newer version out, you should really update. I don't think they were doing that at the time. Is anybody here from the Tor Project? I guess they can't answer that question now. I don't think they were doing that at the time. Also, my understanding is they tied the server to him via how he paid for them, and leaving encrypted laptops powered down when not in use would have helped a lot.
This is some kind of web vulnerability; let's say they had an injection. If you can connect to it, send your exploit to it, even if it's encrypted getting there, you can make it contact you outside of the Tor network, depending on what firewalls are in place and so forth. This would be harder on Tails because they have rules in place to keep you from doing that, but it's just like my old box I set up to use Tor for, and I happened to have a command injection vulnerability; they can ping themselves or do a traceroute and have a good idea of who it actually is with the IP address.
That brings us to case 3, the Silk Road; who else knows about these guys? Okay. Silk Road is something that was run by a guy named Dread Pirate Roberts and it allowed buyers and sellers to exchange less than legal goods; there are all sorts of things that they would sell on there. Here is some stuff in the court documents: Ecstasy, opiates, all sorts of really, really fun stuff. This is Tommy C's stuff in here. But it also had other things like various services; people would hire someone to attack a system for you, you could find counterfeit bills, and other things that you could have currencies, I'm a little confused about some of that. Also, they had a fellow that forged diplomas.
>> [Off mic].
>> I'm not sure what the deal is with that, but anyway they were making some big bucks, $1.2 million -- billion. The FBI got a little interested in these guys, so they started looking around for the Silk Road on the public Internet. You can use Google operators to say give me everything from this time period to this time period, and you can find the earliest reference to the Silk Road, and they found it on [indiscernible], a little druggie website, and this guy had posted on it, a guy going by the handle Altoid, on 1/27/2011, and here's -- well, I don't think I should have up what he said, but essentially he was advertising the Silk Road and he had these very flavorful words: I came across this website called Silk Road, it claims to allow you to buy and sell anything online anonymously, I wanted to see if anyone here had heard of it or could recommend it, and it gave information on how to visit it. And the way he wrote it, it sounds more like an advertisement, but that was the very first reference they could find to the Silk Road on the Internet. Then on Bitcoin Talk, there was someone posting and asking about it as well, and pointing out that Silk Road exists and seeing if anybody's actually used it.
Then also, on Bitcoin Talk later on he strikes again, using the name Altoid; once again it sounds very much like an advertisement. Then later on Altoid on Bitcoin Talk started looking for an IT pro in the Bitcoin community, and here's what happened: he said contact me at rossulbricht@gmail.com. So yeah, that's the first mention of Silk Road they could find, in the handle Altoid, and then an email address, Ross. So that was pretty bad. Also, a few other things to point out: he put his economic philosophy on Silk Road and they had interest in an institute and the Austrian school of economics, so they had similar interests, sort of like Jeremy Hammond's personal life, well, same thing, and as I said, he was using the same things that Ross mentions, so that kind of narrowed it down to him possibly; that's not necessarily a firm thing, but you get enough little pieces of evidence together and you can get a court order. Also, another thing he did that is kind of screwy: Ross Ulbricht was asking for help on PHP code and he quickly changed his user name, but the first one he used was Ross Ulbricht; I don't know why, but that's what he did.
So guess what is the main subject of this point? That's about the [indiscernible] if I was [indiscernible].
[ Laughter ]
>> What is it, $1.2 billion. And the FBI takes notice.
Somebody who was connecting to a website, and they found a hidden login from Gmail; it becomes a death by a thousand paper cuts, essentially. The IP of Silk Road was attached to a VPN server that was connected to an Internet cafe in San Francisco where he had connected to his Gmail account before. There was a site that was some sort of experimental IP address. This is kind of fairly common on some web applications: you type in the right things and it brings up the standard optimization, and the IP address belonged to the VPN. Eventually though, the FBI was able to find some servers and start getting hard drive images of them. How they caught him initially I'm not sure; I don't know if they used a bug or exploited the box. There's a story I read about someone contacting Ross about wanting to sell a whole bunch of cocaine, I believe it was, and Ross [indiscernible] former admins and employees, and the employee was going to buy it, but he bought it at his own house and the FBI was able to nab him at his own house, so now they have someone who works for the Silk Road; they may have just followed where the drugs went, oh, you work for Silk Road and you work for us now, and they got hard drive images and were able to start monitoring. And another big problem, let me see if I have it on here; I didn't update this slide, I don't think. Another problem they ended up having is he had ordered a bunch of fake IDs, and these got intercepted coming across the border; they all had his picture on them. Homeland Security found these and they went to go talk to him and he denied having ordered them. I see a lot of documentaries on people escaping prosecution, and generally denying anything is a good call; the next thing he did I don't understand though. That denying thing was okay, but he said that hypothetically anyone could go on to a website named Silk Road on Tor and purchase any drugs or fake identity documents the person wanted. Why in the hell would you say that?
But that brought it back to him, and the roommates, when the people showed up, the Homeland Security folks, knew him as Josh and not his real name, and also fake IDs with your face on them, what reason would other people have to buy those?
Also, one of the servers they ended up getting control over had frosty, and he's used frosty before as a handle, and eventually they took down the site and landed on him in a library and they got his password on his laptop. In these particular cases Anson did a great write-up, and they did a lot of the best courtroom document stuff I've read. Lessons learned: keep online identities separate; if he had kept his interests to himself, that would have helped; and if he hadn't used Tor in the same location he logged into his Gmail, that would have helped also; and not using the same handle in multiple places. Don't have information -- I have no idea why he said you could buy this on Silk Road. I have a little bit of time for some demos, let me illustrate some of the things I was mentioning about possible ways of deanonymizing people. Let's say you are using Tor and I try to convince you, hey, go to this one particular website and download this Word document. It's all safe and good, go ahead and do that. Well, depending on how your browser is set up, it may not respect the proxy settings. Now, I'm trying to connect to Tor right here and hopefully it comes up within a reasonable amount of time; I should have had that up earlier already.
Okay. That's up. Let's say I visited this particular site. Tracking doc: this is a little Word doc, I've embedded an image in it. John is trying to show me a better way to do this. I'm downloading it in the Tor browser, I've got the Word document, I'm going to open it. And it's a trap, yes, it's a trap.
And hi there, image. Yes, I need to register, I know, I'm sorry Microsoft. Hi there, and now I send you to a certain page I have set up for tracking, let me see if I can find it real quick.
Yeah, let me enter that password real quick. I notice I now have the IP address, the real IP address of whoever is accessing, I think. I hope it's one of their IP addresses. Anyway, that's hopefully what I got right there, and I can do a correlation back, over Tor versus this. Another option that way, more professional than my little ghetto doc file, is something called -- I'll get to it in a second. HoneyDocs, and my friend Kerry runs it. I made a bunch of fake documents, I'm calling this one credit card.zip, and if it downloads it gives you Excel files and Word docs, so I'm going to switch over to the screen where it is, and I can go in and see who opened it with their real world IP address, except it's probably logged out by now.
Everybody close your eyes. Let's see. Not that long a password, you all can guess it.
And remember it. I feel bold! Do your thing. Okay. And there are various people who have accessed it. I asked people to access it over Tor, so that should probably show a Tor IP address. How much time have I got now? 5 minutes. Okay. If I were to open this up and look at the documents in it, I would basically get more of the same thing, so you see it logs things like opening the document, and a few other formats, but you get the idea; basically I'm marketing this tool as a much more professional way of doing it than what I had before.
But I can also do those things like where I showed with the log, I can go down -- another thing that you can do to mess around with people: I have a hidden service set up at this location, so this could be a competition to see who can hack my site first. Right here, this is Mutillidae, it's a vulnerable script, and I find it very, very easy to write deliberately vulnerable PHP code; currently it's taken over by Jeremy Druin, a better coder than me. But if the website is vulnerable, there are attacks you can do. I'll show you a few of them right now. I'm going to describe this one because of time. I'm doing a command injection attack and trying to get the IP address; I could sit there on my connection and see who is actually pinging me to figure out who they are. Another option might be -- yeah, Tor is acting way, way slow in here right now. Let me see. Open.
I'm looking for direct object references, and I'm opening that one, too. So this demo may not work; I have videos of this online. Essentially what I'm doing is using a command injection vulnerability: I can have it trace the route to me and see the IP addresses along the path, and hopefully figure out who someone is. However, Tor on this network is running pathetically slow. Believe it or not, I did it earlier, but the idea is you do a command injection, you can get that remote box to contact you back, and if anybody really wants to see it, I've got about 3 minutes, don't I? 2 minutes. Oh, questions, yes?
>> [Off mic].
>> If this is a VPN server, it's not like a VPN would turn them in; I would get the IP of the VPN, it might get me close but it wouldn't be instantaneous. Yes?
>> [Off mic].
>> Shhhhh, maybe, but I haven't really looked into it. In VIPS maybe; I know there's some control you can do over which nodes you hop through. Yeah, it looks like my Tor connection is not doing that well. If anybody wants to see this, I have videos on the website about how to do this, but you're injecting this and making the controlled box contact you back. You can also have it suck up files from another web site you control and have it delivered that way as well. And I have had videos in the past working. Unfortunately, I am out of time and Tor is going very slow for me. I thank you for your time, and if you have any questions, I am around.
>> Thank you. Yeah, I tested all of those demos before and they were working earlier but something is happening right now.