lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d68885cff84739d6e564ca4409959ae08cee67ec
hpr-knowledge-base/hpr_transcripts/hpr4276.txt
Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server 
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

323 lines
22 KiB
Plaintext
Raw Blame History

Episode: 4276
Title: HPR4276: PWNED
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4276/hpr4276.mp3
Transcribed: 2025-10-25 22:23:47
---
This is Hacker Public Radio Episode 4276 from Monday the 23rd of December 2024.
Today's show is entitled, P-Owned.
It is hosted by Operator and is about 21 minutes long.
It carries an explicit flag.
The summary is, I share how I got P-Owned and or allowed myself to get P-Owned.
Hello and welcome to the episode of Hacker Public Radio with your host Operator.
This one is going to be interesting.
It's about how I got completely owned of myself more or less.
This was a mistake of one opening RDP to the Internet.
Number two, I had a strong password on that account and then because my son kept logging
or kept doing stuff on my computer, I had to set the time out and then make it a password
that I could remember.
That was my fault because I had connected the two together that, hey, I had RDP open
on a weird port.
I thought that was good enough and then I thought the username being, you know, internet
was good enough and then I didn't realize that once I changed that from a complex password,
even if they were fuzzing, it would be pretty easy to find, you know, not yours as the
password for that account.
So I've been an InfoSec for, you know, ever professionally or 20 years, 15 years, and
even before Antibirus was a thing I was manually removing viruses for people's computers.
So I've been around this world.
It's not a matter of if it's win and it's, you know, going through those exercises and
having that defense and depth where one thing can get compromised, but it's not going
to blow everything up.
So I fully expect my password fault to get compromised at some point in time.
So that's why I have protections in place and there's dependencies across the board for
each thing.
There's barriers, there's the layers of depth to that security.
So although it's not great, it's still not completely getting completely owned from
like the bank all the way up.
So it started when I got, it's actually getting suddenly going to a security conference.
And I got a, you know, MFA prompt from Uber and I thought, yes, we're here to have it
logged into my Uber, you know, that's kind of weird.
And then, you know, a little bit of time goes by, maybe like 10 minutes and I get an email
saying that, you know, my wife's credit card was added to my Google Play account.
And I was like, that's not great.
So now, you know, we've got Uber, somebody try to log in about Uber and then somebody
adding my wife's credit card number to my Google Play account, which can be done with
like a tablet could have been my wife playing with the, she got a watch for my son to
track his movements.
I was like, okay, maybe she used it to buy something and maybe she's using my account somehow
and I'll try to get her not to not do that.
But I was like, okay, it could be her doing something with my account, which I don't let
anybody mess with my Google account.
But I thought maybe it could be something.
So anyways, I kind of started to work backwards from there, you know, called Kathy, said,
hey, go home, turn off the desktops, I've turned off the server, I've turned everything
off, I'll start working backwards from there, I'll try to follow up here at the conference
and then head home because I knew I wasn't going to be happy until I knew exactly how we
got compromised.
At first, I kind of thought it was Kathy, so I said, hey, you know, go home, turn your laptop
off, I turn my desktop off and other services off just to make sure.
But I assume it was my wife's computer because my son gets on there and runs stuff and
you know kids, they'll just run whatever.
So kind of wrongfully assuming it was her, I started working on hers, I didn't see
anything.
Usually the approach my approach is is, you know, I disconnect, if you have like an advanced
IR team, some people will say, don't disconnect, you want the actor on there, you can catch
them while they're red-hit, no, 90% of people do not have the qualifications to handle
an attacker live on the wire without like whatever.
So I would say most times out of not to disconnect the service or if you don't know, you know,
unplug the cable and then start going from there.
So I had her turn everything off.
I started resetting passwords for Uber, Amazon, Google, Google my Gmail and I had her reset
her password because I wasn't sure what was going on.
I was pretty sure.
I had a sick feeling that was somebody's last pass, but I was kind of hoping it was my
wife's because then I can blame her or whatever.
All of the scary thing is that I sometimes run the browser as my user on her workstation
and it has last pass on it without prompting for master passers-code.
So in essence, if you got access to my wife's computer, you would have access to not only
her last pass, but my last pass and that would give you access to kind of everything.
Now Google, I have all my Google accounts under MFA, my bank, I have under MFA.
So really there's not a ton of impact there.
It's mostly credit cards and having to reset passwords and, you know, defacing or whatever.
So in that regard, you know, I think they were after, like I said, buying gift cards
or whatever.
They didn't seem that sophisticated.
I'll tell you why.
So with that said, I told her to set it off and then I started kind of the IR process
remotely.
And then I said, okay, this isn't working.
I'm not finding a smoking con.
I'm just going to have to go home.
So I told my mom not to worry about coming because she's driving down from wherever I
go from up north to watch the kid for a few hours so that I could go to this conference.
I said, don't worry about it.
I'm coming home.
If I can't figure this out, I got to come home and figure out why I got popped.
So my way home, I kind of started to think about it.
It's like, look, this, you know, the facts at the time where, you know, PayPal was logged
into.
My Amazon was logged into and my wife's credit card, which is shared between the both of us,
was used in something.
So I said, okay, that has to be, oh, somebody's a last pass and I was hoping it was hers
in that mine.
So I'm working on her laptop.
I've seen you think suspicious, you know, kind of cleared out the temp files and kind of
looked around what I use, I like to use is auto runs.
Well, you have stuff like malware bytes running in the background, I let that run, but
I was doing my own manual IR, use auto runs to kind of look if you know what you're looking
for.
Like I said, I've been doing antivirus before antivirus.
So you know, you kind of know what to look for.
You look for DLLs or something loading that's not normal.
You can actually filter Microsoft services when you run auto runs, so that kind of helps,
but even then I don't have a whole lot running because I run a deep bloat and I get rid
of all that crap.
Second thing is to run, if you're not on the internet, that's fine.
If you are connected to the internet and you want to see something beginning out, you can
use like TCV view, that'll tell you how like the real connections and you can see who
is and be like, oh, Microsoft, cool, Microsoft cool, I mean, still could be, you know, an
attacker coming from Microsoft, but in general, you know, you see Microsoft just probably
just windows updates.
If you see some weird, you know, other country, then you know that might be some reverse
connection or a reverse shell or some persistence.
This being set up on the system.
So you know, after looking at her left up for a while, I said, you know what, this doesn't
smell like anything is going on here.
I don't, you know, they haven't been doing anything else, whatever they were working on.
They've, you know, whatever passwords they've gotten they've kind of played with.
I might come back later.
I don't know.
I have to assume that everything is completely breached until I know exactly what they did
and how they came in.
So the second step I said, all right, well, I know it has to be last pass, so that means
a workstation somewhere.
Now, there are instances where I've logged into my last pass on someone else's machine
and I have forgotten to close it.
I'm at a grandparents house or whatever and I log in, but I usually, 99% of the time,
I try to be like, okay, I can't leave this computer, you know, this system with it logged
into the last pass and I usually use incognito mode just to make sure that happens.
So moving forward, my, you know, my standard procedure is what I'm on a system, start it
in incognito mode and that will prevent any kind of sessions from dangling around after
you've left the system and you can still kind of mostly do everything you need to do.
There's some persistent cookie issues in some places where you'll have to re-off, re-off,
re-off, but in general, like, you know, incognito mode, which has nothing to do with actually
being incognito, will actually help you from getting any persistence connections, whatever.
By the full last pass is two weeks for a session, which is very high.
I set it for like, I think two hours because if you're not told in a home within two hours,
I don't want you in my last pass, so I want you connected and if you're not connected within
two hours, I don't want you, I want to re-off.
So that was a change I did make.
So dialing into the workstation, wind up stairs, the same thing, look to the workstation,
look to auto runs, look to kind of the remote, trying to stuff, trying to beacon out, didn't
see anything running, nothing else crazy, just windows updates trying to beacon out.
I had blocked everything internally, but you can still see stuff trying to beacon out
if it's, you know, some kind of third party thing or remote access.
If it's doing its persistence, so I said, don't see anything other, we're there, you know.
These guys didn't seem like they knew exactly what they were doing, you know, they didn't
dump like every single thing, that was, you know, kind of some of how last pass works,
you can do a full export, but you have to like, click an email alert, it's an MFA, essentially,
and then you have to confirm that you want to dump it, and then it'll dump it, and then
you have to put in your, finally, you have to put in your master password to get that
dumb, and that's pretty much everything.
But you'll get, not only will you get an alert, they have to know the master password,
which nobody has a theory.
So what they should have done and could have done, and probably should have done is put,
you know, just a password logger on there, and blog, you know, I used to just Defender,
and I pretty much run as limited user, so you can't really put a password logger, at
least you can for non-limited accounts on a user's space, but they didn't put a password
logger password, a key logger on there or anything, they could have used that to potentially,
but I don't type my master password a whole lot, and I don't want to make that a habit
of doing that on a Windows system for that exact reason.
So I usually keep that persistent connection, so that's kind of, you know, the give and
take of, if you type your master password all the time, and you're on a Windows system,
every time you type that password, you're exposing a potential risk, because if that system
is compromised at any time, and they've got a key logger on there, they're going to
have your master password, and then things are not going to go well for you.
So with that said, the less you type your password, the better, but you also don't want
it dangling around for long period of time on questionable resources or services.
So that's it.
You know, I'm not sure what's going on, my wife's computer seems fine, I'm not quite
ready to turn everything back on yet, because I haven't found the smoking con.
Looking around, I start thinking about, you know what?
The only thing I have that's Windows and whatever on the word stations is RDP.
And yes, I expose RDP to the internet is on a weird port, and you know, the username
was weird, it's like, well, not weird, but it's internet, and then you'd have to guess
the password, which was like super complex.
And I just had it auto log in with that super complex password, but at some point in time,
my son was using my computer, and I said, you know what, I'll just, you know, have it
auto log and I said, well, crap, I don't know that path.
And I don't want to put it on the fob, and then have to like plug in the fob every time
I want to log in.
So let me just make it like not yours, and that's the password to the account.
And that's what, essentially, that, that, that, you know, hindsight's 2020 is what
calls my issue.
So I had RDP externally facing, which I rarely used, which I don't even know, doesn't
even have any throttling on it or all, you can just brute force it to death by default,
at least with the, the scanner that they were using.
And the, the username was that internet, and the password was not yours, and they weren't
able to, I think it was like 160,000 or something.
And then what I found out is that it happened on the seventh, which was, I think, like three
days prior, something like that, yeah, they got in on the seventh, and then they waited
until like the 10th to use those credentials on stuff.
So they basically had been rushing, they possibly, they only logged in once on the seventh
for a short period of time, and then they logged out.
And I think what they probably did is they logged in on the 10th to like pull passwords
and stuff like that, and then they started using those passwords remotely when they could
have just done it on my box and had a much better success rate.
I guess, you know, they assume probably that I'll use that computer during the day, but
they didn't know that I wasn't, that was actually out, out of the office.
So I'm assuming they rummaged through on that day, on the three days later after they
got in, they came back, maybe they got pushed to a second guy, but I head up to five different
people fuzzing me from anywhere from 600 to like 20,000 different, different attempts.
So one of them got in, and that's kind of where we're at.
I went through my last pass, reset all the passwords for anything that I cared about,
put organized all my severity passwords, and then the last step is organizing and putting
them in like high, medium, low buckets, and then, you know, for the high ones, I would
force, you know, MFA, or a repassor prompt on the high ones, like stuff I care about,
like, you know, whatever, not big accounts, which I don't even have in last pass, but
for social media, or something that would be a pain to recover from, like my, like my
club, which has already forced MFA anyways, but that's pretty much where we're at.
It's not a matter, again, it's not a matter of when it's in, it's when it's defense
and depth, it's understanding what to do when there's an incident, and trying to hunt
down and figure out, okay, well, it's not matter, it's not something, something obvious,
it's something, oh, great, RDP, and as soon as I started dumping the RDP, I had like four
log entries that were like, you know, somebody from wherever, some Amazon logged in, and then
they logged out, and then that day, they logged in and logged out three days later.
So I knew that was the smoking gun, now the second question is, you know, what were they
doing, did they dump anything out, how many passwords they clicked, there's no way
to know.
So you have to assume that every single account is compromised, and it's not fun, but
you're better off assuming that then, you know, three weeks later, two days later, two
months later, oh, I can't log in to, you know, LinkedIn, or whatever, because I put it
in the, I don't care about it.
So with that said, you know, I think it's important to share these things, people are shamed
and, oh, I'm, you know, you're stupid, and you know, aren't you Mr. Information Security
guy?
No, it's not, it's not a matter of, I mean, obviously, it's a component to have externally
facing stuff.
The only time I've ever had another issue is when I put a way back, I put a remote
shell on my web server, and I just left it there, somebody just went to that address
using Google, got indexed it, went to that address, and they were able to like deface
the website or whatever.
This one was probably the worst compromise I've ever had, and again, I thought it was
important to share that story because it's not a matter of if it's when, it's the defense
and depth, it's understanding how these things are connected, what the risks are using them,
and I still would rather have all my passwords and password vault than have to manage, you
know, 200, 100 passwords manually, or even locally.
I don't trust myself enough to do that, and as far as sessions go, you know, across
whatever, you know, having that flexibility to use a phone, to log into stuff, to have
the layer, to share it, and want the family plan.
So I'm going to be kind of evaluating last pasts kind of sessions and how they stay persistent
and all that.
So I'm going to be evaluating that.
I think the two weeks is taking you from two weeks down to like two days or two hours,
I think that's going to make a big difference because that would have saved me from any issues
in theory.
So I'm going to kind of create it, set it up to so where if I'm not, if I'm idle after
two hours, re-author, re-authenticate for the master pass that way, if someone does
remote into my system, they need to put a key lawyer on there to get that master password,
which theory, you know, you can't do with normal user privileges, but these guys didn't
seem to be sophisticated attackers, I want to say Germany or something, it's where they
came out of.
But anyways, I will drop the indicators in there and kind of, that's kind of my approach
is, you know, just go through the motions.
That basic scan, nothing, what else could it be?
Well, it has to be last past because of these things.
Well, if it's last past, it has to be a workstation somewhere.
My computer, maybe a computer, I went to somewhere else, maybe a grandparents computer,
who knows?
I had no idea.
I bogged into last past, trying not to log into the last past all over, so I thought that
was fairly minimal risk there, I figured my wife didn't see anything, I said the only
other option is my computer and my desktop that I use for stuff that I realized, oh, let
me check RDP because that's the dumb thing that I left open that I soon would be obfuscated
enough for people not to mess with.
So anyways, if that was important to share, if you have any input, if you'd like to come
on and do, you know, your thoughts and stories about how you've been compromised, I think
it's important to share your approach and how you deal with the response and how to quickly
have a professional that understands how these things are connected to quickly figure
out what happened, find that smoking gun, I don't have logging, I don't have any kind
of thing, I'm actually standing up a supportable security operations center and that information
will actually go to the server, so the idea is that, you know, I have like a ubiquity
router that I can turn on stupid stuff that has a pretty high impact, but with this setup,
you know, I'd run an endpoint tools and I would have two, you know, agents on that system
that would report back in and I would get alerts like this, but this is just normal stuff,
like RDPing into a system from wherever else, I don't, you know, even if I had something
like Wazoo and Velociraptor, unless they were trying to do persistence, this is all just
normal stuff, like I have no reason to block anything in that situation, so it's one of
those things where, okay, if you want to do RDP, you know, put it on a VPN, you know,
VPN in first and then RDP, which I have, and I need to, you know, think about that,
I mean the VPN service, making sure it's, you know, stays up to date and make sure that
that's my only entry point into a third party, other services, so I do have other services
like Plex, I have Umbi and that was also a risk, but I knew it was based on last fast because
they were going across multiple accounts that I didn't, that weren't mine, so I have
Plex, I have Umbi externally facing and I also have, sometimes I'll have a torrent
client externally facing, but that's not often, but persistent services is Plex and Umbi,
and I think maybe that's pretty much it, so anyways, if you all have any questions,
want to reach out, let me know, but it happens, it's going to happen, and you know, it's
not a matter of if it's when and everyone we're human, we're all going to make mistakes,
this unfortunately is probably the worst mistake, I have a security mistake, I've ever made
probably in my entire life professionally and personally, so I think it's important
that I share it with you guys, and I'm old, 40 years old, and I have a child and I get
stressed out, and it's also important to have a security professional kind of do like
a yearly, you're accordingly, I mean, if you work at a corporation, these things happen
automatically, but do a review on yourself, have someone say, hey, here's my IP address,
can you do an external scan, see what you see, oh, shit, RDP, how did you find that
RDP port, it was on a weird port number, well duh, I just scanned all these 5000 ports
in like 8th of a second, you can scan the whole internet in some crazy amount of time,
like two hours, four hours, something like that, if you had the right bandwidth and had
the right scanner, so with that said, you know, it's unfortunate to have to share, and
it does feel, you know, bad to have to share, so you know, but I think it's more important
that I share it with the community, and that people know that, you know, it doesn't
matter who you are, it will happen, it can't happen, and you just have to plan and have
the defense and depth in place, and have the response in place to minimize the impact
of whatever that thing is, so anyways, let me know if you want to do anything with Jane
Bri or share stories, and hit me up, have a good one.
You have been listening to Hacker Public Radio, at Hacker Public Radio does work, today's
show was contributed by a HPR listener like yourself, if you ever thought of recording
broadcast, you click on our contribute link to find out how easy it really is, hosting
for HPR has been kindly provided by an honesthost.com, the internet archive and our
things.net, on this advice status, today's show is released on our Creative Commons
Attribution 4.0 International License.
Reference in New Issue View Git Blame Copy Permalink