‘Mr. Robot’ Rewind: Hacking a DEF CON CTF in the lights out season 3 premiere

Spoiler alert: With a purpose to analyze the technical element of every present, I’ve to debate the episodes in element. To keep away from spoilers, please cease studying for those who haven’t already watched “Mr. Robotic” Eps3.0_Power-Saver-Mode.H.

Welcome again to Mr. Robot Rewind, an article sequence the place I describe the hacks from the “Mr. Robotic” TV sequence and analyze their technical accuracy, or “hackuracy.”

LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The present airs on USA Community on Wednesdays at 10 p.m. Be a part of the dialog on Twitter utilizing #MrRobotRewind, and comply with Corey @SecAdept.

After a lengthy hiatus, the present is again and the first episode began with a plot dash. Not like season two, which explored characters (not all the time plot) at a sluggish, typically plodding tempo, season three lined many plot factors in its first episode. Extra importantly for this text, the premiere episode additionally contained fairly a few hacks to investigate.

So let’s soar in. I’ll begin by dissecting three “hacks” from this episode, I’ll level out a few Easter eggs you will have missed, and we’ll wrap issues up by speaking about some wider present theories, in relation to the predictions I made in (*3*).

As soon as Elliot wakes from his submit gunshot coma (six days later), he instantly picks up the place he left off … making an attempt to cease the Stage 2 hack, which might destroy an E Corp constructing and the paper monetary data it incorporates. In spite of everything, the “good” Elliot we all know didn’t join mass homicide.

Nevertheless, Elliot doesn’t have entry to the Darkish Military’s servers or E Corp’s backdoored community anymore. He wants web entry to hack his means again in, however the place do you get that in a blacked-out metropolis with no electrical energy? After discovering Darlene at his residence, he learns of an underground hacking membership that apparently nonetheless has entry to electrical energy, and a quick fiber community connection, so he visits the membership with Darlene.

Earlier than persevering with to the precise hacks, there are a few technical discrepancies with the premise of this membership having web entry. Keep in mind, the total metropolis has had a energy outage for a lot of days. Most photographs of the metropolis present the whole lot darkish, together with the skyscrapers. Sure, you might use turbines to supply some electrical energy in particular locations, however for web connections to work, it’s not nearly powering your personal computer systems and routers. Each routing hop between you and what you need to connect with on the web would wish energy too. So, this presumes your ISP additionally has turbines to maintain issues up. This additionally presumes the E Corp’s servers, which Elliot is making an attempt to get to, even have energy. The episode has already proven some E Corp buildings (particularly the one housing the paper data) fully blacked out. It appears form of unusual that one little hacker hangout in New York not solely has the energy it must get its computer systems up, however that each community hop in between can be up and working throughout this wide-spread energy outage.

Because it’s technically attainable for many people to have backup turbines, I’ll give this a cross. Nonetheless, if one ISP has the backup turbines to supply web, why wouldn’t lots of them? In any case, this isn’t a massive deal in the scheme of issues, so again to the hacks.

It turns out that the hackers at this underground hangout are collaborating in a DEF CON CTF contest. Let’s unpack what this actually means.

Initially, DEF CON is a well-known hacking conference. Tens of 1000’s of hackers round the world attend this convention to find out about the newest hacks and analysis, to work together with their friends, and to take part in enjoyable hacking contests and occasions.

Does the present get DEF CON proper?

At first blush, not fairly … however there’s extra to the story. When most individuals consider DEF CON, they consider the principal convention, which takes place in Las Vegas, not New York. This convention receives droves of attendees, not simply 50 hackers in a membership. This membership scene is nothing like the actual DEF CON.

Nevertheless, DEF CON has turn out to be so standard that it has spawned sub teams, like DEF CON 201 in New York. It wouldn’t be that uncommon for a native group of hackers to often meet utilizing the DEF CON title. In actual life, these hacker meetups don’t actually look as cinematic as the present portrays, with neon lights, loud EDM music and cheering crowds. Nonetheless, native hacker teams do meet for enjoyable and hacker video games.

Throughout this meetup, hackers are collaborating in one thing known as Seize the Flag (CTF). These are contests or challenges that pit hackers in opposition to one another in pc safety challenges. For example, one contest may power opposing groups to guard their servers, whereas attacking their enemies. The servers would include some piece of knowledge or “flag” the different workforce must declare first to win. Different contests may problem reverse engineers to be the first to seek out a flaw in some community service and exploit it.

In any case, CTF challenges are very actual, and a extremely popular exercise at many alternative hacking and pc safety conferences and occasions. Whereas the crowds is probably not as dense, nor cheer as loudly, the CTF scene in this episode was fairly true to life.

Again to the scene. On this act, Elliot performs two hacks. First, he wants entry to certainly one of the CTF computer systems for an web connection. Nevertheless, nobody will simply let him use a pc whereas the CTF is working, so he must shortly win the CTF contest. Second, when the crowd is distracted, he can use that pc to tug off the actual hack, which is to regain entry to the backdoor on an E Corp server.

Elliot learns that this CTF problem is basically for hackers to seek out a flaw in a networked minesweeper recreation. With the proper exploit, they’ll take over the server working this recreation, thus capturing the “flag” on the server. Sadly, the present doesn’t embrace any readable screenshots correlating to this recreation or the hack. You solely hear Elliot’s explaining to a contestant, what he ought to do. Mainly, Elliot tells the contestant that the recreation’s weak spot includes its save and cargo mechanism. That is the place an attacker can inject malicious code into the recreation. Nevertheless, to guard the save mechanism, the recreation makes use of a distant, server-side “key” to encode the save information. The attacker should first reverse this key in order to determine out learn how to craft correctly encoded save information. Apparently, profitable the minesweeper recreation provides Elliot the board structure information he must reverse the recreation’s easy save encoding mechanism, which Elliot does, thus profitable the CTF in two minutes.

Is that this hack practical? Sadly, the present didn’t show any screens which may have helped us analyze its technical accuracy on our personal. Nevertheless, certainly one of the present’s consultants did share that this problem is predicated on real minesweeper CTF event from the previous. The truth is, somebody who accomplished the actual problem wrote this write-up, which mainly describes Elliot’s resolution. Briefly, the CTF hack — although not truly proven in episode — is totally practical. The one query is likely to be might anybody actually have figured the complete factor out in two minutes, after solely seeing a code excerpt for 30 seconds? That is likely to be a stretch, however the hack itself is legit.

As soon as Elliot gained the CTF problem, he used the Web-connected pc for a couple of minutes whereas the crowd was distracted by the victory.

In the event you keep in mind final season, the Darkish Military leveraged the Femtocell hack to realize inside entry to E Corp’s community, which they used to put a backdoor on E Corp’s UPS methods for the Stage 2 assault.

Most backdoor malware makes use of one thing known as a command and management channel — additionally known as a C&C or C2 for brief. This community communication channel beacons out to an attacker’s community deal with, giving them the distant community entry they should management their backdoors from exterior the sufferer’s community.

In keeping with Elliot’s voiceover, the UPS backdoor’s C2 is at present set to beacon to a Darkish Military pc, which he not has entry to. Elliot desires the C2 to come back to his pc (the CTF pc he’s on). He mentions that the UPS backdoor was set to make use of a hard-coded (unchangeable) area title for its C2 channel.

As you most likely know, domains are straightforward to recollect names that time to community IP addresses — the numbers computer systems use to seek out one another on a community. If a backdoor C2 pointed to a hard-coded IP deal with, it might not be straightforward to get that backdoor to speak with a new pc, since public IP addresses (IP) are solely assigned by your ISP. Nevertheless, if a C2 makes use of a area title, you’ve gotten a likelihood to get that title to check with a new IP deal with.

The Domain Name System (DNS) is the protocol we use to lookup and assign domains to IP addresses. Organizations known as “Registrars” handle the enterprise of promoting domains, and letting their prospects change the IP that domains level to. On this case, the Darkish Military owns the area title the C2 factors to, and thus controls what IP maps to that area. With a purpose to get the backdoor’s C2 to speak together with his pc, Elliot must hack a DNS registrar and alter the area info for the Darkish Military area.

Sadly, you don’t see or hear how Elliot hacks the area registrar in this episode. In the event you watch intently, you do see a display exhibiting a Chinese language DNS registrar, however no element about how Elliot hacks it. Is it attainable, or practical? Certain. There have been actual assaults in the previous the place cyber criminals first pwned DNS registrars to realize management of essential domains, similar to this recent Brazilian bank heist.

That mentioned, DNS registrars are main targets for hackers, which ends in most of them having higher safety than the common enterprise. The concept Elliot—irrespective of how nice a hacker he’s—can so shortly hijack a DNS registrar with little preparation or reconnaissance is a little too “Hollywood,” particularly since the present doesn’t show or clarify how this gorgeous important hack occurred. In the finish, this kind of hack is feasible, so it doesn’t rely in opposition to the present’s actuality. Nevertheless, it’s a little disappointing that they depart the technical particulars out.

In any case, we all know Elliot’s mysterious DNS registrar hack works, since he positive factors management of the backdoor’s C2 once more. The remainder of this scene performs out realistically. In a single screenshot, you see a software known as rwwwshell. That is a actual, albeit outdated, web-based reverse shell script, which is the kind of software an attacker may use to create C2 communication channel. As soon as Elliot positive factors entry to the backdoor by means of this shell, you see him use the shred command. That is the similar “safe” delete command we’ve seen him use in earlier episodes, and this command would mainly wipe out all the backdoor instruments on E Corp’s server, thus eradicating the backdoor.

On this episode, we meet a new character who I believe will turn out to be certainly one of my favorites; Irving performed by Bobby Cannavale. Irving is a used automobile salesman by day, however Darkish Military’s felony fixer by evening. After eradicating the backdoor, Elliot and Darlene are escorted out of the hacker meetup by a few Darkish Military thugs. As they depart, Irving pulls up in a cab and warns them that the FBI is following Darlene, in order that they soar in to shake the tail.

What follows is a theoretically practical social engineering automobile hack.

In the cab, Irving asks Elliot to get the FBI automobile’s license plate quantity. He then will get Darlene to lookup that license plate on a laptop computer he offers. The laptop computer is related to a website known as NYSP NCIC, which appears to be a New York State Patrol website used to lookup extra details about automobiles based mostly on a license plate quantity. Whereas I’m certain this isn’t the precise title of the New York police’s website, it’s fairly regular for police to have inside internet providers and databases that enable them to lookup automobile proprietor info based mostly on license plates.

This lookup offers Irving with the FBI automobile’s VIN quantity. Irving then calls OnStar, pretending to be a detective with a presumably legitimate badge quantity. In the actual world, OnStar does have important entry to a few of the computer systems in your automobile, giving them the capability to regulate many issues, together with unlocking your doorways, beginning the automobile, or setting off your alarm. Extra importantly, it’s additionally true that OnStar can disable a car’s engine, which is what Irving does to the FBI’s SUV, stopping it mid-chase.

Briefly, this little social engineering automobile hack is completely believable. The one query I might need is how Irving had entry to the NYSP’s site, which might certainly be protected by a VPN and require official credentials. Possibly Irving was a cop in the previous?

For the final hack this episode, Mr. Robotic is in management. Elliot returns to Angela’s home and falls asleep. Nevertheless, his alter, Mr. Robotic, wakes up as an alternative, and is upset that actual Elliot eliminated the Stage 2 backdoor. Angela and Mr. Robotic go to Tyrell, the place we see Mr. Robotic begin to determine out learn how to regain entry to E Corp’s community.

On this scene, we see Mr. Robotic go to a website known as Shodan.io. That is a very official website that’s standard amongst safety consultants and hackers alike. Utilizing scanning instruments much like nmap, Shodan’s servers crawl and scan most of the IPv4 deal with house, mainly looking for and fingerprint each system related to the Web. Shodan’s crawlers discover what community providers every Web units listens for, and likewise grabs all the header information that may fingerprint the software program or {hardware} these Web-connected units use. Shodan conveniently shops all this info in a database, permitting customers to seek for software program names, and discover any units on the Web which may use that software program. Hackers utilizing a new exploit in opposition to a specific piece of software program use Shodan as a software to seek out victims on the Web.

In a brief clip, you see Mr. Robotic kind the following search into Shodan:

org:”Evil Corp” product:”Apache Tomcat”

The “org” a part of the search limits end result to solely units owned by E Corp and the “product” tag limits the search to seek out a very particular community service, in this case, a internet Java product known as Apache Tomcat. In abstract, that is an correct portrayal of how hackers use Shodan. For example, for those who changed the group title with Google on the actual Shodan website, you’ll shortly discover all the public Google servers that use Apache Tomcat. ‘

So why is Mr. Robotic doing this? It’s all about reconnaissance. As he targets a sufferer, he must be taught what community providers the sufferer exposes. Mr. Robotic should already know a weak spot in Apache Tomcat. Maybe he has a zero day exploit for that software program. I presume he’s seeking to see if E Corp has Tomcat servers so he can leverage this exploit in opposition to them later.

By the means, if this Apache stuff sounds vaguely acquainted, not too long ago Equifax suffered a enormous information breach the place they misplaced the non-public data of 145 million of their U.S. prospects. Rumor has it the breach was resulting from an unpatched model of Apache Struts, which had not too long ago mounted a main vulnerability. Whereas Tomcat and Struts are completely different Apache packages, they’ve each had essential vulnerabilities in the previous. You must anticipate to see Mr. Robotic/Elliot hacking a Tomcat server in future episodes.

As all the time, this episode had many different technical Easter eggs buried in its visuals. Let me share a few.

Earlier than I finish this rewind, I can’t assist however touch upon a few of the predictions I made for this season, largely as a result of the first episode has touched on lots of them in a technique or the different.

One in all my predictions was that the Washington Township Plant (WTP) would contain one thing nuclear, and straight away we see a scene the place Protection Minister Zhang (whiterose) is strolling in a nuclear plant. Whereas I admit, there’s doubtless extra to this nuclear plant than meets the eye, nuclear vitality is certainly concerned in this story.

I additionally mentioned that Stage 2 wouldn’t work as anticipated, and the E Corp constructing wouldn’t get blown up by UPS units. On this episode, Elliot shreds the Stage 2 backdoor, in order that prediction is true on too.

Nevertheless, the one prediction I’m a bit fearful about is that “Mr. Robotic” will keep grounded in actuality. In that prediction, I mentioned that regardless of some trace in the direction of theories like parallel universes, the mysteries round Elliot and whiterose wouldn’t contain sci-fi.

I’m now questioning this idea, as the episode contained many overt and refined references to parallel universes or multiverse theory. For example, in the nuclear plant, you hear a scientist particularly referencing a number of universes. Extra importantly, in the opening credit score shot, we see whiterose standing subsequent to an uncommon contraption in the Washington Township nuclear plant. They don’t clarify it, however to my eye it seems to be like a giant particle accelerator, much like the Large Hadron Collider (LHC) in Europe. Whereas particle accelerators don’t instantly correlate to parallel universes, there are some (fictional) theories about parallel universes being created by these colliders. Lastly, Angela hints to Elliot that they’ll in some way flip again time to a level the place their dad and mom don’t die. This most likely doesn’t imply time journey, fairly, it might trace at an alternate universe the place their dad and mom by no means died in the first place.

I, for one, nonetheless hope that these are simply very well-crafted crimson herrings. Whereas multiverse theories and hypotheses are actual — in truth, a few of the concepts come from Stephen Hawking’s black gap analysis — they’re nonetheless very unproven, and nonetheless qualify as science fiction in my opinion. Whereas I do like sci-fi exhibits, to me, the great thing about “Mr. Robotic” is how grounded it’s in actuality. I assume solely time will inform if my “based mostly in actuality” prediction is means off, or proper on.

Whereas this episode had many “hack” associated scenes, many weren’t direct assaults on a corporation’s infrastructure. For example, “Mr. Robot’s” Shodan search was not a direct hack that you would be able to cease, fairly it was recon into the weaknesses of a corporation. Nevertheless, you may nonetheless be taught from it.

The truth that Shodan exists ought to remind you that each community service you placed on the web is uncovered to the world. Attackers can shortly discover it, moreover, instruments like Shodan will inform them the particular model of community software program you utilize. In the event you don’t patch your public community providers, attackers will be capable to see, and know to take advantage of its vulnerabilities in opposition to you. Ensure that to all the time patch public servers shortly, so even when attackers discover them on Shodan, they gained’t be capable to hack them.

With the first episode filled with hacks and plot motion, this season of “Mr. Robotic” already seems to be like it is going to be a wild journey. I can’t wait to see what the present throws at us subsequent, and hope you be part of me subsequent week to investigate the hacks of episode two. As all the time, I sit up for your feedback, theories and suggestions beneath.

Back to top button