In our latest episode of Security Nation, Dave Kennedy, founder of the cybersecurity firms TrustedSec and Binary Defense, stopped by to discuss how he’s staying busy while working from home during the pandemic. Wrangling dogs and keeping his skills sharp on Red Team engagements are a major part of the story.
Stick around for our Rapid Rundown, where Tod talks about a fascinating attack he learned about at virtual Black Hat called EtherOops, as well as implications around election security that were discussed during the event.
Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.
Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.
David Kennedy is founder of Binary Defense and TrustedSec. Both organizations focus on the betterment of the security industry. David also served on the board of directors for the ISC2 organization. David was the former CSO for Diebold Incorporated, where he ran the entire INFOSEC program. David is a co-author of the book "Metasploit: The Penetration Tester's Guide," the creator of the Social-Engineer Toolkit (SET), Artillery, Unicorn, PenTesters Framework, and several popular open source tools. David has been interviewed by several news organizations, including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. David is the co-host of the Social-Engineer Podcast and appears on several additional podcasts. David has testified in front of Congress on two occasions on the security around government websites. David is one of the founding authors of the Penetration Testing Execution Standard (PTES), a framework designed to fix the penetration testing industry. David was the co-founder of DerbyCon, a large-scale conference started in Louisville, Kentucky. Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence-related missions.
Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week.
Jen Ellis: Hi and welcome to this week's episode of Security Nation, the podcast where we talk to inspiring individuals doing amazing things. You see, I do know different adjectives.
Tod Beardsley:
Look at that.
Jen Ellis:
I can use them sometimes.
Tod Beardsley:
Mixed it up.
Jen Ellis:
It's incredible. I'm your host, Jen Ellis. I'm the VP of community and public affairs at Rapid7 and it's been a long day, I'm quite tired. Also with me is my cohost, Tod Beardsley, who probably has more energy than I do. Hey Tod, how you doing?
Tod Beardsley:
I don't know about that, but okay, we'll take it.
Jen Ellis:
How is Austin?
Tod Beardsley:
God, Jen, our poor, poor state. Texas is not doing great as we're recording this, so stay tuned for that, I guess.
Jen Ellis:
All right, so moving swiftly on.
Tod Beardsley:
Yes. It's so sad.
Jen Ellis:
Yes, I do have an amazing ability to bring us down. Tod, we have a really cool guest this week.
Tod Beardsley:
We sure do.
Jen Ellis:
God damn it, I did so well, I didn't call him cool in the intro and there it is.
Tod Beardsley:
Well, got to put a nickel in the cool jar.
Jen Ellis:
He's kind of a legit security community royalty. We've had some good guests on this show so far, I like it. I feel like I just get to talk to really amazing people all the time, which is really nice.
Tod Beardsley:
Well, I have a surprise for you, Jen, because he's standing right behind you. Hey Dave.
Dave Kennedy:
I'm right behind you right now. I flew all the way out to London to say hi.
Jen Ellis:
So I mean, I kind of want to be like, Dave Kennedy requires no intro, but at the same time, that feels like a bit of a bullshit thing to do. So we probably should actually introduce you. So you are the founder and CEO of TrustedSec, and you also have done 1,000,010 other things. It's a very specific number, a million and 10. Would you like to tell us about maybe the 10, not the million? Just one or two new other things. You have at least one other company. You have an open source project, if not 15 open source projects. You ran a conference. Is there anything you don't do?
Dave Kennedy:
Geez, I don't know. I don't do well at, like, car mechanics.
Jen Ellis:
Okay, good to know.
Dave Kennedy:
I've learned just to turn it in. Yeah, that's it. You don't want me working on your car at all.
Jen Ellis:
That's good to know. Like, don't go looking for you at the Car Hacking Village, I guess.
Dave Kennedy:
No, no, I would probably somehow unintentionally blow the car up on accident.
Jen Ellis:
Oh my god. Do go looking for you at the Car Hacking Village. This sounds amazing.
Dave Kennedy:
I really want to be a car guy. I've really tried. I just can't do it. I don't have that part of my brain that's like, hey, I'm going to fix this car up. I just can't do it. Computers, no problem, but cars, don't have me do it.
Tod Beardsley:
Yeah, I did auto shop in high school, but computers were not really in cars then. And especially in the old cars that we had. So mechanically easy, but today, impossible.
Jen Ellis:
Did you enjoy doing auto shop? I can totally see this being a thing.
Tod Beardsley:
I did. Yeah. I could tie on a distributor cap. That's about as far as I got. So, pretty fun.
Jen Ellis:
I totally see this. I wish I had seen it in real life. Weirdly though, I'm sort of like putting you in "Grease," which I think is weird.
Tod Beardsley:
There was a lot of singing.
Jen Ellis:
The sleeves of your T-shirts are rolled up and you've got like, a pack of cigarettes in there. That's how it looks to me.
Tod Beardsley:
Absolutely true.
Jen Ellis:
You're like pulling out your comb and combing back the sides of your hair.
Tod Beardsley:
Alas, I don't own a comb today.
Jen Ellis:
This, for anyone who knows you, is highly believable. Yeah. So Dave, thank you for joining us. It's lovely to see you or not see you.
Dave Kennedy:
Oh, thanks so much for having me on. It's always good to hear from you folks. Jen, I know we go back years and years and years together and thanks so much for having me on here. I'm very humbled to be on.
Jen Ellis:
I missed the fact we haven't had the opportunity to do something fun together for a long, long time, but you are a busy, busy man. Like it's insane how busy you are.
Dave Kennedy:
It is. When I first started running my own company at TrustedSec and I started a second company, Binary Defense, I'm kind of a glutton for punishment, I think. And then on top of that, I was running a conference, and then on top of that I had open source projects and running all these companies and doing the media and all that other stuff. It's a lot, but I really try to balance my family time. That's number one, most important for me. Obviously, this whole situation has been really unfortunate, but a very positive thing out of it is that I've spent more time with my family and my kids than I ever have in our entire marriage. I've always been on the road traveling. And so that's been really great.
Jen Ellis:
One of the things that I think is quite interesting about COVID is that there's a legion of people in the security community and presumably in other communities as well, who were actually just kind of like, I don't have to travel, no flights for me! I'm kind of one of them, even though it does mean that I am living in my brother's attic. Yeah. So he may not be doing the happy dance, but I'm pretty good with the fact that I haven't had to get on a plane recently. It's been delightful, let me tell you.
Dave Kennedy:
I really think that I will probably not travel nearly as much, maybe only a couple handful of times a year now, based off of this. And I really do enjoy working from home. I got a routine. I work out, I'm eating healthy, like all these things that I've always wanted to do, but you know when you're traveling, you're like, "Well hey, we're going to go to this awesome restaurant that has amazing steaks." Things have really changed quite a bit for me in my lifestyle. And I really, really enjoy being home.
Jen Ellis:
Yeah. I mean, every meal becomes much more of a thing for sure. And I ended up doing meetings where every meal is a meeting. That's not a good lifestyle. Cause you do like, "I'm going to have a big breakfast and a big lunch and a big dinner." That's not a good way of doing things. And I did see the other day that your home office is pretty lush.
Dave Kennedy:
Oh yeah.
Jen Ellis:
So yeah, I can totally see the appeal.
Dave Kennedy:
I have screens everywhere, I got a standing desk. It definitely works for me. I stand all day long. I enjoy that. The only things I get is when the dogs are barking. They have an amazing knack that as soon as I get on a podcast or I'm going on the news, they instantly go into terror mode where they're just screaming and howling and tearing apart each other. So that's always fun obviously to navigate, but it's been great.
Jen Ellis:
So it's something for us to look forward to.
Dave Kennedy:
That's right.
Tod Beardsley:
With me, it's the same thing, except children.
Dave Kennedy:
The children are really well behaved. They know not to bother dad, when he's in his room and he got the door shut, but my dogs on the other hand, do not recognize that yet.
Jen Ellis:
I mean, that's just a question of training, Dave. Like you just need to get on it. What have you been doing all this time?
Dave Kennedy:
I'll zap them if they come in the door. Just kidding.
Jen Ellis:
Yes, no, please don't write in. We promise you that Mr. Kennedy is not abusing his dogs.
Dave Kennedy:
Totally a joke. Just a joke.
Jen Ellis:
What else have you been up to? Cause I know that you are a man that keeps busy. That's kind of the theme of your life. So what have you been doing?
Dave Kennedy:
You know, for me, what's been nice about this work from home is that it's allowed me to get on more engagements. One thing I don't want to do is lose my technical abilities and my skills. So I always try to hop on engagements throughout the year that are exciting, that are fun, where I can learn from my other teammates and keep things...
Jen Ellis:
And when you say engagements... I'm sorry. I tend to interrupt people to just get clarity for people who don't know, what kind of engagements are you talking about?
Dave Kennedy:
Red team engagements. We're going after customers and trying to simulate more of an adversary going after the organization. More the harder, challenging engagements where you might have to come up with something new or unique that hasn't been done before, really to try to flex that brain. I find when I'm in a red team, what happens, my routine at night, by the way is, every other night I go downstairs and I go and I play video games. Then, the kids are all in bed for a couple hours. But when I'm on a red team, I'm like frantically coding until like 2:00 a.m. And I feel like I've accomplished amazing things as I'm going through and doing all this.
Dave Kennedy:
And I feel like my brain has been worked out, versus shutting off your brain when you're going on these games. So for me, red teaming is really about using the skills that you've historically built up over your career and really being able to apply them for a really challenging situation. For me, getting on engagements, it's just so much fun. I really enjoy it. And it kind of gets you out of the day to day running companies type of role and staying technical with what you're doing.
Jen Ellis:
I'm really interested in the fact that you're coding on red team engagements, because a lot of people tell me that really, a lot of the sort of standard nonsense works, and so they don't really have to do the creative stuff. The fact that, in and of itself, you're spending time, as you say, exercising your brain, coming up with these creative things to do, how much does that really come up on engagement?
Dave Kennedy:
It depends on the organization you're going after. And every organization is unique in their maturity level and security. When you're going after a company, they're still at a very immature state in security. Yeah, absolutely. The same type of tools and approach that you would use for any organization works, but when you're stuck in a situation, what really got me into security early on, I used to be in the old IRC days with remote exploit, which eventually became offensive security. And I was on the backtrack development team and exploit DB development team, and all those different ones there. The big enticing thing for me, was a lot of things hadn't been done yet. And still to this day, a lot of things still have not been done yet.
Dave Kennedy:
And when you run into a situation where your back's against the wall and you're frustrated, and you can't figure things out, and there's not a tool out there to help you, there's not an exploit out there to help you, you have to figure out a different way. You have to be creative as an attacker. That mindset has really helped me throughout my entire career to excel myself, both in my knowledge and in the positions that I'm in and in what I do. I literally can't stop. And this is probably a problem, actually. I'm sure too. I literally can't stop thinking about something where I'm stuck in that corner. My brain just keeps going and going and going and going. I remember, gosh, it was probably six or seven years ago, I was working on a... I think it was a new version of unicorn.
Dave Kennedy:
I was trying to do a different type of allocation of memory so that I could get around some certain detections at the time or whatnot, and I couldn't figure it out. And I remember I woke up at three o'clock in the morning. My brain was thinking while I was sleeping. I woke up at three o'clock in the morning, wrote the answer down on paper, went back to sleep, and the next day, coded it. It's that type of drive, I think, that is so exciting. And that's why I have fun in those engagements, where you're into something that you haven't seen before, and you have to create something unique or new because of a specific challenge.
Jen Ellis:
Yeah. And I mean, I think your willingness to sort of jump in and create tools and actually also to then make them available to the community is something... It's kind of a hallmark of who you are and how you approach things. It's one of the things that's helped you build the reputation that you have within the community and it's something we appreciate. So why don't you give us an example?
Dave Kennedy:
I was on an engagement recently, and this was, I can actually tell you the exact date based on the commits. It was on April 17th, I was in an engagement. And we were going after a customer. And this is actually kind of a funny story because it was a red team engagement, and we're supposed to start the engagement on a Monday. We're doing some OSINT, we're looking at it, and I had a little bit of extra hours to burn. I was on with a couple of my other teammates and the people on the red team going after this one organization.
Dave Kennedy:
And we just start finding some crazy stuff. Like we already got around their authentication mechanism. We're able to authenticate. This is before we're even supposed to start the test. So we notify the customer, like "Hey, can we start a little bit early by any chance, does that work for you?" And they're like, "Yeah, sure. We don't care." And so we started on a Thursday and by Friday, we had full access to everything. We completely compromised the entire organization in and out, had access to all their sensitive data, their segmented network, everything by Friday. So it was a one day... This red team was supposed to last like five weeks, by the way.
Dave Kennedy:
Yeah. Oops.
Jen Ellis:
I mean, writing reports does take a while.
Dave Kennedy:
It does. It definitely takes five weeks to write a report for that.
Tod Beardsley:
But that was probably an amazing report.
Jen Ellis:
Yeah, where they had a lot of pictures that they drew themselves, by hand.
Dave Kennedy:
But what's interesting about that one, for assessors, where we get a lot of our excitement from is obviously the hacking part, but it's also when customers are like, "Damn, you guys are good," like that. When you get assurance like, "Wow, you all are better than I thought you were." Things like that. That's awesome for us. It's great camaraderie for the team, that we're doing the right things. And so we get on with the customer, and I'll talk about how we got around them here in just a second, but we get on the customer the next day. And it was like, totally stone cold, no emotion whatsoever. We were like, "Hey, we broke into everything before we were even supposed to start the engagement." And the customer's like, "Oh, that doesn't sound good. Okay, thanks. Appreciate it."
Dave Kennedy:
Like, wait, we just did this righteous hack, in one day, and this is all we got. We're all ethical, and we're like, ah, man. I think that could have been so much cooler, but what ended up happening was, because of COVID-19, they shifted their workforce to work from home very quickly. And they removed two-factor authentication from their VDI environment, which is not a good idea, by the way, just throwing that out there, for everybody out there, do not do that. Right?
Jen Ellis:
Not recommended.
Dave Kennedy:
Not recommended at all. So we were able to leverage one of the Microsoft endpoints to do brute forcing against the user accounts. And we were able to find the traditional ones, you know, summer 2020, winter 2020, the big and hot ones right now. I'm not going to get into politics, but whatever candidate you want, 2020 exclamation point. All those become very important for brute forcing.
Dave Kennedy:
And we got a handful of accounts. I think we got like eight with our first round of series of those. And we logged in to each one and none of them had access to the VDI infrastructure except for one. And so we were able to use this one user who was a regular user, and they're in finance, to log into the VDI infrastructure. And then from there, we were directly on the internal network. There was little to no network segmentation, the VDI instance, basically it was a full-fledged operating system that we had in the organization.
Jen Ellis:
Ouch.
Dave Kennedy:
Yeah. Oops. Oops. Oops. So the problem with that, though, is that we were running under the context of a regular user account. They were running very specific EDR products and things like that. So we don't want to go super loud the first day, especially as we're trying to become more of an adversary trying to compromise. So more living off the land, more exploratory and understanding the network infrastructure and architecture, things that wouldn't trigger... An EDR, by the way, is an endpoint detection response, and living off the land is using what's built into the operating system to not cause any type of notice of certain things happening.
Dave Kennedy:
Like being able to leverage enumeration tools, things like that, I would stay away from things like net user, whoami, or command.exe, those types of things, but other applications that can query the domain to extract users and groups, to understand how their network architecture is designed and systems that are connected to it, file shares, group policy settings, all those things become really important as you're starting to kind of understand the infrastructure.
Dave Kennedy:
And we were going through. When you open up Internet Explorer in a company, it almost always points to their intranet page. It's just a normal thing. An intranet page is a great treasure trove of information, because normally it's just a complete disaster and mess of data. And so we started going through and combing through all the different areas on their intranet site, and we found a web.config file that contained a SQL Server username and password, that was actually the SA account. Yeah. So, hey, that's great, right?
Jen Ellis:
What's an SA account?
Dave Kennedy:
The system administrator account, so essentially like the God mode of SQL Server. It allows you to control everything through SQL.
Dave Kennedy:
Yep. Root for SQL. This is MS SQL, so we're talking that the SA account itself allows for authentication, and then what ends up happening with that is if you can authenticate with an SA account, even if... There's a stored procedure called the xp_cmdshell stored procedure, which allows for direct operating system querying. So essentially if you can compromise a SQL Server with SA permissions, you have the ability to compromise the full server and break out of just SQL to the full command line operating system. And then from there, full remote code execution. Yeah, it's a lot of fun.
Jen Ellis:
That sounds no bueno.
Dave Kennedy:
No. The best part about it is, even if you're stealthy and you're like, oh, I'm going to disable the xp_cmdshell stored procedure, which, on 2005 and above, it's automatically disabled, but you can reconfigure the xp_cmdshell stored procedure, and then reenable it directly through SQL. So you can still do remote code execution, even if it's disabled. Right. So fun stuff there. So we find this web.config file and it contains these SQL strings there. Now the problem is that again, we're trying to stay low and slow. We're not trying to set off alarms or to cause any issues whatsoever. And so what I started looking for was legitimate applications or tools, especially ones that are code signed or things that I could do, that didn't require me to install something. Because if I have to install something, I have to be an administrator for that.
Dave Kennedy:
And I was an administrator and I didn't want to do privilege escalation techniques because again, I don't want to trip up any alarms. And so I'm looking around and looking around and I just cannot find anything. If you look at the Microsoft tools, for example, you have to install a SQL driver. Again, administrative permissions. Even old stuff that I used to use, like SQL EXEC and things like that. You know, it's funny, there was a tool that I used to use called SQL EXEC, in probably around 2006, 2007. Real shady tool out of China. You could barely see any English in everything. It worked really well. But the problem is I never knew that it didn't require admin rights because back in 2006, everybody had admin rights.
Tod Beardsley:
Everyone's admin. Right.
Dave Kennedy:
Yeah. So I'm like, "Well hey, I'm sure this works on userland because it always worked for me." No, no, it didn't. So it requires admin rights. So I needed to figure out a way for me to be in this person's computer, on their network, without triggering any alarms, to connect to a SQL server without being able to install anything at all. So I looked around, looked around, and I could not find anything. I was Google hacking, I was asking friends, all of our assessors couldn't find anything.
Tod Beardsley:
Which is crazy, by the way, because it's just another application. There is no real reason for needing admin rights to be able to just talk SQL. It's just a wire protocol.
Dave Kennedy:
Very legitimate intention right there. Right. Just because they had a misconfiguration where they exposed the web.config, doesn't mean that querying SQL with the username and password as a non admin, that's not a bad practice. What I ended up doing was I wrote my own tool called Quick SQL, and I released it the same day, but Quick SQL is a Python module. I byte compiled it into an actual binary where it wraps the Python interpreter into a single standalone executable. At that time, it was a brand-new tool. Obviously it wasn't being flagged by anything antivirus-related from an EDR perspective. It looked fine. You know, it's not doing anything malicious. It's literally connecting to a database and executing commands.
Dave Kennedy:
So I ended up uploading that executable directly to that system that we had compromised, and then used Quick SQL to authenticate to that remote SQL server with the SA username and password. And we fully compromised that SQL server with that username and password, with full administrative level rights. And so we had full access to that server, and then from there, once we were in the server infrastructure, it was game over. We were able to move laterally across the network until we got access to everything we needed. It was that one web.config that was the total downfall of an organization, and all within one day. And I was able to code it in one day.
Tod Beardsley:
And you kind of alighted over the part of... Oh, and also I released it.
Dave Kennedy:
Yeah, yeah. Everything I do, I try to open source and give to the community because I know if I'm running into that situation, other folks also will be running into that situation and hopefully can use it and to help them out of it. Even if they're not as good at coding or don't have the time to go and do it, anything I could do to help out people, I'm definitely all about.
Tod Beardsley:
Yeah. And it's all hackery, and I think that when you release things like that, you're setting an expectation of like, "Hey, I wrote this on a gig and here it is." And maybe you can make it good or something like that. Right. Rather than like, "Oh, I wrote this thing and then, oh, maybe in six months, I'll release it after I do a bunch of boring testing and documentation work." I think that quick iteration is kind of the heart and soul of really hackery in general and security hacking in particular.
Jen Ellis:
I don't know if you know this Dave, but Tod quite likes open source.
Tod Beardsley:
I like open source and I like rapid prototyping. Those two things are two tastes that taste great together.
Dave Kennedy:
Absolutely.
Jen Ellis:
I mean, you also quite like open source. How many open source tools have you made, or how many tools have you made and then open sourced? Might be a better way of putting it.
Dave Kennedy:
Oh, probably over 100.
Jen Ellis:
Good Lord. That is very impressive. Do you still... Maybe I shouldn't ask you this question. Do you still contribute to Metasploit? I feel like this is the kind of question where you're like, no, not so much. And I'm going to be like, oh, that's awkward.
Dave Kennedy:
I'm a huge fan of Metasploit and definitely, if there's issues that I see, I definitely will contribute or write modules for. You know, I wrote a lot of the post exploitation modules, the PowerShell exploitation modules, the MSSQL payload modules, and a few of the different exploits. There's some in there for IEE and a few others. So definitely all about Metasploit. A huge, huge fan, and have been ever since I got to first meet HD and fanboying out when I first met him.
Jen Ellis:
Oh my god. I bet he fanboys over you just as hard. It's adorable.
Dave Kennedy:
Oh my god. I love that man.
Jen Ellis:
It is adorable. You coauthored a Metasploit pen testers guide, which is a great book for anyone wanting to get to grips with Metasploit for pen testing. Obviously I read it before I go to bed every night. Just a chapter.
Dave Kennedy:
I appreciate that Jen. Every night, I get a text message saying, how do I do that heap overflow again?
Jen Ellis:
It's always the heap overflow, always.
Dave Kennedy:
It's always the heap overflows that will get you.
Tod Beardsley:
They're tricky, especially with modern computers.
Jen Ellis:
The Social-Engineer Toolkit, SET, this is something else that was a Dave Kennedy brainchild. Is that still something that you work on?
Dave Kennedy:
It is. Yeah. So I try to keep all my tools up to date with features and functionality, granted I'm obviously running two businesses, I don't get to do that as much, but I just did a commit about a month ago for the Social-Engineer Toolkit. I have another one coming out soon. I've just been working on some side issues and bug fixes and adding additional reliability to some of the attacks that are on there.
Dave Kennedy:
So yeah. With any open source project, you want to make sure that it's relevant, that you stay there, and that you continuously keep it relevant as you go through. The Social Engineer Toolkit was always one of those things that I think really kind of skyrocketed my name out there, because it's really one of the first tools that ever came out to help you with social engineering and exploitation. It was really the first of its kind. Social engineering really wasn't being applied very heavily into penetration testing at that time. It was kind of one of those things that skyrocketed social engineering into the industry. And I'm really proud of it and definitely want to keep it going. One of my oldest tools, by the way. Yep.
Jen Ellis:
Yeah. I mean, I very much remember when it came out and it was a cool thing and it's still a cool thing. When you go about doing this, and as much as I like to make fun of Tod, I do actually really sort of wholeheartedly agree with his point of, people can get into analysis paralysis when they're building tools and feel like, oh, it's not good enough. And I think, in the security community and I'm sure in other communities, but I particularly live in this one, there's a lot of imposter syndrome.
Jen Ellis:
Like a lot of people really feel like they don't have permission or they don't have the credibility to release something, or they haven't done enough to make it perfect. Like how do you get past that? Why do you feel like making these things open source is important and what would you... I'm firing questions at you without giving you a chance to answer, but what would you say to somebody who is working on a tool or has an idea for a tool, but perhaps feels a little shy about putting it out there?
Dave Kennedy:
That's such a loaded question for me because, when I came into the security industry, it was right around 2000, and I went to DEF CON and I remember seeing Fyodor and the Shmoo Group, with Bruce Potter and Zimmermann, and all these legends in our industry, and Mudge and all those guys, all these legends in our industry that we're standing on right now, because they were the exploratories. They're the true hacker culture that we started off with, with the openness and the sharing and the collaboration. When I came out of DEF CON that year at Alexis Park, that's really what I took back was community openness, and sharing to make the industry better.
Dave Kennedy:
They were really a lot of role models for me growing up. And I don't want to say it like they're super old or anything, you know, they're just heroes to me, kind of going through this industry. And granted, not all heroes are perfect. A lot of things changed from the industry from 2000 to now, that is amazing. We made a lot of progress in a lot of different areas, but community was always those things that I took back with me. And that's really the foundation of why we started DerbyCon. That's why I release all my tools. That's why I try to help others because I had others helping me. One of my biggest mentors in security was Muts from Offensive Security, Mati.
Dave Kennedy:
Mati and I became really good friends. I was deployed in Iraq for the military, and I was part of the remote exploit team. Mati was really just kind of helping me along, "Learn Python, do this, do that." I really got into Linux, and it was one of those things where Mati was really an inspiration to me, cause he told me about the open source tool piece. I'm like, "Hey, how do I learn Python?" He was like, "Well, is there something that you do that annoys you? Or is there something that you would like to see done that hasn't been created yet?" And I'm like, "Well yeah, sure." And he's like, "Well go and code it." And I'm like, "Well, what does that mean?"
Dave Kennedy:
He's like, "That's exactly right." You know, and that's where the whole try harder concept came from. He's like, "Go and figure it out. Do it, try harder to understand what you can do." My first tool that I ever wrote was a really popular tool called Fast-Track. And the stupid thing about that one was I automated db_autopwn. That was the first feature of Fast-Track. It eventually evolved into application scanning, automated SQL injection, remote code execution, all that other stuff. But the first iteration of it was automating db_autopwn. Which is just so stupid nowadays, but it was just a cool, neat thing that I learned new experiences from. For me, finding good mentors, good people in the industry that are willing to help you to make you understand, that's always been my drive for me, to help this community out.
Jen Ellis:
Yeah. Nice to hear you giving a shout out to Muts. One of your coauthors on the book, in fact.
Dave Kennedy:
That's right.
Jen Ellis:
So I feel like we've come full circle. So yeah. Hi to the Offensive Site guys, we do like that team. So yeah. Good mentors. Lots of people don't feel like they're in that circle. Like they find it hard to... Again, if you have imposter syndrome, how do you get into the circles where you feel like you're capable of getting mentors and that kind of thing? I feel like there's a certain amount of willingness to put yourself forward that you have to have, which can be hard for people, I think. Really hard if you don't know people who are willing to intro you.
Jen Ellis:
I was lucky because that guy that you mentioned earlier, HD, he made intros for me and some other people were nice enough to introduce me around and I got to meet people like you and others, many other people who've since done this podcast. And they've always been really kind to me and helped introduce me to people. I still remember what it was like going to my first conference and how alienating it felt and how much of an imposter I felt. Is there any advice that you have to people who feel like yeah, it's all well and good to say get good mentors, but I don't.
Dave Kennedy:
Yeah. That was really our goal for DerbyCon, was to create a community friendly feel where when you came in, you had people there that you could talk to that were open to talk to. I spent my entire time at DerbyCon just sitting, talking with people. My whole goal is just to be approachable. And we had to attract new to InfoSec, people that were brand new, that were brand new in the industry that could come in and give their own presentations of their own experiences. Because regardless if you're one year, two year, three years, or one month into InfoSec, your experiences that you have are unique to yourself. No one else has those experiences. So being able to overcome your fear of that, and being able to know that there are a lot of people out there that are willing to listen to you and your experiences and help you grow in the industry or learn off of you, it's just absolutely fascinating. Than any other industry that I've ever seen before.
Dave Kennedy:
We are very much an open community for people to come to. And don't get me wrong. If you look at Marcus' books, like Tribe of Hackers, there are different tribes in this community.
Jen Ellis:
Sure.
Dave Kennedy:
Different people with different experiences. But as one community, we are very accepting of one another. Don't get me wrong. There are A-holes and people that just aren't great people out there, but those are so far and few between of what the whole community has accomplished. So my recommendation for anybody out there that is concerned about, "Hey, if I release this will it look bad?" Ignore people that are negative to you. Focus on those that are positive to you. There's so many positive people here in this industry that are willing to take a look at it.
Dave Kennedy:
They're willing to help you and coach you, you just got to ask, you got to ask questions. You're never going to be in trouble for asking any type of question whatsoever. Don't feel like there's not a good question out there to ask. We're here to listen. We're here to help. We're here to make this industry better, to make the world a better place. I'm always happy to help and chat with some folks. So if anyone wants to reach out to me, happy to do that. Got to get over that. You just got to get over it and work with people.
Jen Ellis:
That is a lovely offer, particularly from a man as busy as you are. I think that's a lovely note to end on. So with that, I'm just going to say, Dave, thank you so much for coming on. It's so great to hear about what you're up to. I hold out hope that we will find new projects to work on together in the future.
Dave Kennedy:
Absolutely.
Jen Ellis:
If I can find a way of shoehorning it into all the other things that you're doing.
Dave Kennedy:
You've got to get out of London first.
Jen Ellis:
Thank you. It is great to catch up with you and good luck because I know you'll continue to build projects that we'll hear about.
Dave Kennedy:
Thanks so much. I appreciate you having me on.
Jen Ellis:
So, it's so nice to talk to Dave. What a nice chap. It's just lovely. So, Tod, what is going on with you? What is happening in the world right now? I feel like some things happened this weekend?
Tod Beardsley:
They did. I am remarkably un-hungover from the whole period of Black Hat and DEF CON. And that's probably because I didn't actually go, nor did anyone else.
Jen Ellis:
Presumably, you also didn't lose your usual amount of money at the poker table or...
Tod Beardsley:
Right, yeah. So, I guess a positive. I don't know. I actually like going to Vegas, and I have a good time there, and I like seeing-
Jen Ellis:
Oh, you're the one.
Tod Beardsley:
... my hacker friends. And yeah, of course. And sometimes you catch a show or hang out in the pool or whatever. So anyway, I miss it a lot and it made me sad, but it did in fact happen, and happened on the internet. And I saw a couple of things that were interesting.
Jen Ellis:
What did you see, Tod?
Tod Beardsley:
I guess we'll just talk about them, okay.
Jen Ellis:
Yeah, let's do that.
Tod Beardsley:
So, honestly, there were good talks, right. I hated the format, but whatever. It is what it is. There was a presentation entitled EtherOops, and it's from a couple of guys from Armis Labs, and it is bonkers crazy. So when I read the description of this thing, I thought, Oh, this sounds neat. It sounds like it might be a packet smuggling attack. It's described as a packet in packet attack that we talk about, blah, blah, blah. I'm like, okay, cool. And I figured it would be, oh, well maybe it's something where if you're doing IP packet tunneling within IP, which is a thing for some reason, or you're doing IPv4 inside IPv6 or something like that. I figured it'd be something along those lines.
Tod Beardsley:
It was not at all anything like that. What EtherOops is, so when you have physical cable runs and those physical cables get older and get rolled over with office chairs and whatever, they develop faults over time, usually cramps or kinks in the wire, something like that. And that can cause a tiny little electrical short in the cable. If this short happens to flip a bit in an Ethernet packet, which happens somewhat commonly in older cables, the beginning of frame header can go away. It doesn't register as a beginning of frame anymore. It's supposed to be, the value is D5. There's a few other values it can be, but if it's not D5 then it's like, oh this is not an Ethernet packet. So it hits the wire, it goes over the wire, it gets corrupted, it hits your network interface controller, the network interface controller is like, oh, cool, Ethernet packet. Sends it to the CPU. CPU says, I don't see any Ethernet packet here, drop. And that's normally how things work in nature when you're using crummy old cables.
Jen Ellis:
In nature. I like that. So these are cables in the wild. Got it.
Tod Beardsley:
Yes. Uh-huh (affirmative). But what these guys figured out, is, well, what if we stuffed a whole nother Ethernet packet inside that Ethernet packet? What would that look like? And so what they did was basically you wait around for this fault in the cable to manifest on that outer Ethernet header. And then the CPU is like, I don't see anything. Oh, wait, here's my Ethernet header right here, let's go. And then it'll read the whole Ethernet frame.
Tod Beardsley:
Now, that's crazy, because it would require millions and millions of packets to send at your target, hoping that they have bad cables. Incidentally, you also have to already know the MAC addresses and the inside layout of the network, and then all this other stuff you'd have to know ahead of time. No problem, says the folks from Armis. They're like, well, you don't actually have to wait for these faults. You can make your own faults with an EMP generator. You can make an electromagnetic pulse. And then they go into this whole thing about here's how we made our EMP generator. It's just a little spark app thing. And you set it up near a longish cable, and then just pop, pop, pop, pop, pop, fire it off, while you're sending these evil packets in.
Tod Beardsley:
So what you get basically is you get to smuggle an entire Ethernet frame in, which means its MAC address, its protocol, its port, its everything. It's from end to end. So you can smuggle these over a NAT device. Normally you shouldn't be able to talk over NATs. That's what Network Address Translation does. You can smuggle them over firewalls, you can smuggle them past IDSs, everything. So it's basically all the internally networky things that aren't supposed to be exposed on the Internet, you can pop through, if these weirdo conditions are met.
Tod Beardsley:
Now, this will never happen in the real world. This is not a practical attack by any means. Because either you have to be close by with an EMP device, or you'll end up frying everyone's circuits. If you want range on your EMP, that means you have to have more power, and more power means you start frying electronics nearby. And so your EMP device has to be pretty low power, which means it has to be close. Or, you are in a position to replace a cable with a messed up cable, but not too messed up that it keeps dumping packets all the time. So you have your carefully constructed, sometimes faulty cable. But if you can do that, why not just.
Jen Ellis:
This is what you would describe as a very targeted attack.
Tod Beardsley:
It is. It's insanely targeted. But I don't think that's what the research is actually good for. I like the research a lot. And it's a crazy security implication. What ended up happening for me anyway, was I consider myself a little bit of a network nerd. I know how protocols work and stuff. I felt galaxy brain happening in my head when I was listening to this talk. When I came in, I'm like, what are they even talking about? This would never work in the real world. By the middle, I'm like, wait a minute, what's going on here, what's happening, what have I been doing with my life this whole time? And then by the end, I'm like, ah hah, I get it. I understand the differences between signal on the wire versus signal on the network interface versus the signal on the CPU. And that's I think a major level up. In the time that I've been doing networking, I've never really stopped and considered that.
Tod Beardsley:
So what this fundamentally is, it's one of these attacks that I love, where it's a 'Let's read the RFC, let's read the spec, and see what the spec says you're supposed to do in these failure conditions and then do that.' And you end up learning a ton about how physical networking works, how electronic signaling works, and also incidentally how EMPs work.
Tod Beardsley:
Oh. And I didn't mention the coop de Gracie of the whole thing.
Jen Ellis:
Yeah, that's how that said exactly, right? Yep. Yep. Tell me more about the Gracie, yeah.
Tod Beardsley:
Uh-huh (affirmative), the co-op de Gracie is, after all of this business, okay, cool, you get your one packet. You can send your one packet. What do you send? Okay, you can make a wish, but it's in a very tiny parameterized set.
Jen Ellis:
It's teeny tiny.
Tod Beardsley:
The wish they make is, I'm going to send this thing called an IPv6, a router advertisement packet. What's that, you might ask.
Jen Ellis:
What's that, Tod?
Tod Beardsley:
What a router advertisement packet is, so in normal networking where we all do DHCP, DHCP says, oh I just woke up and I need an IP address, so hey, anyone, can you give me an IP address? And somebody says, here you go. What router advertisement packets are, they are an unignorable, saying, Hey dog, here's your new router on IPv6. Oh, and by the way, I know I'm on IPv6, but I'm going to give you an IPv4 address for your router and your DNS server and your lookup domain, and all this other network configuration garbage that you can't ignore. If you're IPv6, you can't ignore this stuff.
Tod Beardsley:
This is bonkers crazy. This is not how normal networking works, where an anonymous source can just say, yep, here's all your new stuff, have a blast. So yeah, these router advertisement packets are crazy. And that in itself is a finding for me, because I don't know that much about that initial router discovery stuff that goes on in IPv6. I think that alone is a finding that you could walk into a pentest with. Let's say you're doing an internal network assessment or something, you're able to just drop in on these networks, send out these router advertisement packets, and people will believe you. They'll be like, oh, this must be my new DNS address. So, once you do this, this basically gives you control over all of their DNS. And you can do things like set up web proxies and all this other junk over that. So, that was crazy.
Tod Beardsley:
But anyway, there was so much packed into this talk. So anyway, I want you to go look it up right now as soon as this podcast is over.
Jen Ellis:
I'm assuming that you're talking to the listeners and not me.
Tod Beardsley:
I am, yes. Well, also you. It's fun. EtherOops!
Jen Ellis:
You're so excited. It's adorable. I love it.
Tod Beardsley:
It's pretty cool. Anyway, it was the coolest thing I've seen in a while. And yeah, ultimately it's not that big of a deal from an attack point of view, except for this router advertisement over IPv6. The actual attack is just funny, but it does end up accidentally teaching you a ton about electrical engineering. So, pretty cool.
Jen Ellis:
Okay, so the conferences have gone through a hard time this year, for sure. And there's a lot of chatter about how unsatisfactory the virtual experience is and all that stuff. But this, the enthusiasm that you have right now, the fact that you learned a whole bunch of new stuff over something that is an area that you actually feel you're already pretty knowledgeable about. And it's not like you signed up for training. This is from a talk. That right there, that's what these events are all about. And I think it's super cool that you got that value out of it. That is really awesome.
Tod Beardsley:
Now, if this was the only thing, and is that worth $2,000 or whatever the price is, probably not.
Jen Ellis:
Yeah. I mean that is a hell of a price tag for a virtual conference.
Tod Beardsley:
There's a little bit of a trade off there. But yeah, this is the kind of thing that I'm actually really interested in. And the multi-track thing kills me. The fact that it's virtual kills me. Because I ended up working almost the whole weekend anyway, while doing this stuff. So, anyway, EtherOops, go check it out. I'm looking forward to my next real conference.
Jen Ellis:
Yeah, I know. Right, right, yes. It'd be nice to be able to see people again. Were there any other things that you saw at the events that grabbed your attention?
Tod Beardsley:
There were. I was involved in the voting village, so I saw that as I did it.
Jen Ellis:
That is convenient.
Tod Beardsley:
I ended up bingeing on a lot of the election content.
Jen Ellis:
Why is that? Is there a thing happening soon?
Tod Beardsley:
There is. When this airs it'll be something like 85-ish days until the next major election in the US.
Jen Ellis:
I saw a headline today about how Russia is helping Trump again. I was like, this is great, where's my popcorn?
Tod Beardsley:
Back in my day, when the US were interfering with elections, we did it secretly.
Jen Ellis:
Have they no class?
Tod Beardsley:
I know. This is like, gentlemen don't read each other's mail thing.
Jen Ellis:
No, gentlemen don't talk about reading each other's mail, I think is the point. Be a little circumspect about this.
Tod Beardsley:
So, I know that our panel from the voting village is posted on YouTube somewhere. If you just look up I think probably my name and Casey Ellis's name and voting, you'll find it.
Jen Ellis:
Hello, Casey.
Tod Beardsley:
Yes, your cousin Casey, your Australian cousin. I saw Krebs's thing. Not Brian Krebs, Chris Krebs.
Jen Ellis:
Right. The other other Krebs.
Tod Beardsley:
Yeah, the other Krebs. He's a director.
Jen Ellis:
He's the director of DHS CISA, yep.
Tod Beardsley:
He had a thing on election security, which was interesting for sure. This is a guy who is in those classified briefings and then also has to do a bunch of unclassified stuff. Which is, I don't know how you do that job, but good for him.
Jen Ellis:
Because again, I saw this as a headline, and it had a picture of him with the headline and it said, US officials now warning the logistics is a bigger threat than security for elections. I was like, doy. I mean, obviously.
Tod Beardsley:
He did. Yeah, he ended up talking a lot about how analog backups is the thing. And I'm like, mmm, okay. Which is great, right, you should have analog backups for everything. But he was, I don't know, it seemed a little Pollyanna, where it's like, oh well, look, if all of our computers go away, we could just all pull out all our analog backups, and we'd better make sure we have those. I'm like, where do you think all this is coming from?
Tod Beardsley:
So, I've worked in an election in Texas recently and we have this thing called an e-poll book. And the poll book is the thing that you look up to see that the person who's standing in front of you is actually eligible to vote, right. It's all online. It's all over the network. It's a two-way communication thing and everything, right. It's a normal network app. If that e-poll book system goes offline, I have nothing. I asked around, I'm like, "So, let's say there's some failure here, I can't look things up on my poll book." And they're like, "Well, we'll try to fix it for probably about a half an hour, and then we will close the polling station." And I'm like, cool. So, great. I don't know if that's going to be the plan in November here in Travis County, Texas. I hope not, because that would be a great way to basically kick your selected precincts offline.
Tod Beardsley:
And also, the logistics, as you mentioned, and as Chris Krebs mentioned, is difficult. Because let's say that you want to defend against this with a physical poll book. Well, in my county, anyone can vote in any precinct. It's not a very short list. So basically I would have a book of about a million and change voters that I would have to look up manually. This sucks. That's a terrible solution.
Jen Ellis:
That's quite the little black book there.
Tod Beardsley:
Yeah. Yeah. It's pretty fat. Now I've done elections years and years ago where we didn't have that, where you had to vote in your precinct and your precinct only. And a lot of places are like that, you have exactly one polling place where you can go to. That book is manageable. That book is a few thousand. But yeah, when you're looking at a million people that you have to validate, and you have to validate them all or else, oh no, voter fraud. Which never happens anyway, but whatever. But you have to do it.
Jen Ellis:
Well, there was data saying that voter fraud was a thing now. Is that not a thing? Is that misinformation?
Tod Beardsley:
Voter fraud is not a thing.
Jen Ellis:
Interesting.
Tod Beardsley:
Election fraud's a thing. But voters going out and voting twice or voting when they're not allowed, it happens to the point of-
Jen Ellis:
But people voting under names that are not real?
Tod Beardsley:
It'd never happen.
Jen Ellis:
Dead people voting?
Tod Beardsley:
That's a 19th century problem.
Jen Ellis:
Okay. Do you see dead voters? That's what I really want to know.
Tod Beardsley:
Is that where we're going? No, generally not. Yeah, so anyway, Krebs's note about, Oh yeah, analog backups, that sounds great. It is a lot of paper, it's a lot of ink, and it's a lot of eyeball time, squishy, human eyeball time, not silicon computer eyeballs. I'm a big fan of computers and doing things that they do well.
Jen Ellis:
I mean, that's something I was going to say, is this as much because he painted a picture of a world where the computers have gone away, and you just couldn't get your brain past that? You were like, what you saying? Why would you say this?
Tod Beardsley:
Now, personally, I don't expect... And Krebs has gone into this too. He had said that the hacking activity, and the scanning and hacking traffic that they're able to see, which of course is not going to be the totality of it, but compared to where they were in 2016, he said pretty much straight out it's, oh yeah, hacking is down and disinfo is up. So, the tactic isn't so much let's go in and change votes or change voter rolls or knock polling places offline. The tactic is let's get very targeted Facebook ads. And that's it, right. So that's cool. And that's probably enough that it'll work.
Tod Beardsley:
The kinds of attacks that we saw in 2016, the best attack ever was the Podesta attack where he got personally spear-phished, a campaign manager for Hillary Clinton's campaign. So you're not going to see that ahead of time, you're not going to see a pattern leading up to that, it just happens that day.
Tod Beardsley:
So, I don't expect votes to be changed by a malicious actor after they've been cast. But I do expect to see them changed before they were cast. And that's the whole point of this interview.
Jen Ellis:
Yep. Yep. I hear ya. Okay. Fair enough. All right, well Tod, thank you. Thank you for taking us through all of this stuff. I appreciate it. It sounds like you had a very interesting weekend of viewing.
Tod Beardsley:
Yep. It was all right. Next year in Vegas, come on. I miss it.
Jen Ellis:
I know you do. All right, well thank you very much. And I look forward to our next thrilling episode. Hurray.