Its a video about finding vulnerabilities. You can't find vulnerabilities without reverse engineering and looking at the underlying code/machine instructions. Otherwise you are just a noob who uses templates based on other peoples work.
Great format. This is so clearly described and spoken that I listened to it a SECOND time, as a “podcast”. Thanks for going that extra “kilometer” and describing what’s on-screen.
When you showed your "Fuzzer" i totally lost it. Haven't had such a good laugh in years in this topic. But if i think about it some more, it is just about perfect. Easily accessible (but not perfect) entropy to cause spasms in badly written code. Being more or less available on any machine with and OS (no, Windows is not an OS, it's malware) means you can do preliminary tests even in absence of your "fav tools".
I didn't get the joke :( was the netstar + grep somehow the fuzzer? Bc it looks it's only returning a specific line of Info from the previous, full, netstat cmd. Not seeing the usefulness unless 'conn' is supposed to be significant and understood as the grep string prior to beginning
@@antiquark6253 piping /dev/urandom into a program was the fuzzer iirc. Urandom generates a never ending stream of random bytes. And like a thousand monkeys with a thousand typewriters, it will eventually come up with a sequence that breaks the program under test.
@@DasIllu oh I see now, the multi tiled terminals had me confused to what he was referring to, but I never thought to use nc that way. Very cool trick thx for illuminating that
@@DasIllu Nothing about a thousand monkeys here tho. It's just flooding the buffer with bytes until segfault, that's where he got a hint that there might be a buffer overflow (segfault means you're writing crap into memory where you're not supposed to write to as allowed by the kernel so the kernel kicks you out). The actual content of the input stream doesn't matter as it's just random bytes.
hell I really appreciate what this guys are doing, because I don't understand 70% of what they are talking about. There is soooo much to learn and it seems scary 🤯
Incredible work. I'm blown away to see this entire research from start to finish, including the thought process. Well done. I hope to one day be able to do what you do!
Regardless of the exploit, it's pretty disturbing that stock router firmware is spamming DNS requests to arbitrary commercial domains, just to blink an LED light...
keep up the great work. sometimes people feel like so many things are common sense and dont explain the things that help people understand stuff. thank you for such a detailed video
i have been trying to get into this for the long time. i feel like i don't understand programming which makes hacking so difficult. i love your moto at the end. i love the training at the end you talked about. i need to spend a lot more time getting a better understanding of programming so i can understand how to do what your trying and make money ethical hacking.
The chances are slim to none unless you get a degree lol although they hire people who don’t have one, they are talented ones who just moves to action when others thinking how to get into this 😂
It's shocking how it's making unsolicited DNS queries for random domains for completely unrelated companies. Concerning. If I was watching the WAN and saw these random requests coming from a router, I'd be concerned it was compromised in some way, not operating normally with stock firmware...
Ghidra makes it easy to reverse engineer. You would think there would be standard practices on operational flow that prevents the behaviour. Standard Libraries for dns handling.
conn-indicator needs to know when it has network connectivity, and the programmers chose this way to verify it. This is normal, and in this specific case quite benign in our opinion, as the DNS domains it is trying to query are well known. The mistake here was to make their own DNS parser (why TP-Link? WHY???). They could have used a shell script and standard utilities for checking connectivity, and a separate binary for controlling the LED lights! If this makes you worried, then have a look at what your phone, Windows or MacOS computer is doing for the same connectivity checks, without any user program running or any kind of user interaction, you will be VERY surprised 🙈
I have no clue wtf your saying half the time but, I still watch hoping something will stick. something better than nothing, right? I love hearing the actual thought process of the hack as if you're going threw it for the first time. I like this very much.
Hi. I’m Japanese, and I could understand your video because of your very smart and cool presentation. Thank you for uploading this video! (I’m sorry about being not good at English.)
We're not affiliated with TryHackMe and have not developed any courses or tutorials for them :-) Our courses are developed and taught by us privately, check flashback.sh/training
Nice presentation. You touched on a couple points that are just outside my full understanding. Specifically, at the segmentation fault, what makes a memory address "unmapped". Is it unmapped because it is outside the allocated stack frame? Anyway, really nice work! Thank you.
Hi Matthew, glad you liked the video! You are correct. When a program starts, it allocates ("maps") memory ranges for the stack, the heap, libraries, the executable code, etc. These regions are not contiguous in memory. For example let's say a stack of 0x1000 in size, mapped in memory starting from 0x10000, which means its range is 0x10000 to 0x11000. Then we have a heap of size 0x1000, which is mapped at 0x12000 to 0x13000. In this example, if we try to access memory at 0x11001, it will cause a segmentation fault, as that memory is not mapped to either the heap or the stack. This was exactly what happened in the example in the video, albeit with different (more realistic) addresses.
It didn't occur to me until watching this video, but AI would be amazing at reverse-engineering like this. Renaming functions and variables and creating comments based on context is already so close to how AI models interpret code.
I feel like half of the hacking attempts at this point are *most likely* made by AI botnets that are programmed to execute these types of attacks using rogue / zombie ip's that operate on virtual machines that can't be traced.
More and more places blocking ICMP these days. Moreover, even if they wanted to ping a well known CNAME, it would still require a DNS query, so just doing the query is more efficient, since it's only checking for connectivity.
It seems almost impossible for a regular person to be able to protect themselves over someone accessing their computer or phone. After having all of my data stolen from a big tech company it has been so difficult to feel safe.
I won the last 3 years WASP competition, but my method for doing this cannot be disclosed because of the damage it will cause, here is a sample of what i know: bluetooth follows the standard made by cisco on their routers where you make one the master the rest just follow. the same applies in Bluetooth yet here the clients that connect allow you root access to them as the technology defined.
If the CPU used by a server had as its lowest-level language a managed language, say for instance a Lips CPU, where there is no memcpy and other such potentially bug-infested C code behind the Lisp code, then how would you find a vulnerability?
So, if we reduce everything, it is basically as many other vulnerabilities: The software does not check the size, it assumes that it will be as intended, in this case placing it into a fixed size variable. So an input validation error?
I have a Question for Experts what I can not extract from that what is. My Provider had a Damage in a Knot where a Car crashed in.... first the internetconnection was lost, a few Minutes....after That it was ok for a few Minutes.... then it crashed again and was a longer Time out of Order. Since that I can not connect my Handy and my TV but every other Device works as usual. One Thing is that my Handy and the TV dont find the Port anymore... How is that possible?
In our course :D But honestly, if you don't know the basics of assembly, scripting and Linux command line, you will get lost. The best book to learn reverse engineering ("Reverse Engineering for Beginners") is completely FREE: beginners.re/ Once you master the basics, come to our course and we will teach you how to find and exploit vulnerabilities in real embedded devices!
I do not understand, so you need to hack the router physically before you can do all this right? If true, how when you don't have access to routers in other places.
I love how this video starts by explaining what LAN is, and 2 minutes later it's binary reverse eng
Yeah it goes from basic concepts to insanity and no time at all
0-100 really fast
A fun roller coaster indeed
Its a video about finding vulnerabilities. You can't find vulnerabilities without reverse engineering and looking at the underlying code/machine instructions. Otherwise you are just a noob who uses templates based on other peoples work.
Great format. This is so clearly described and spoken that I listened to it a SECOND time, as a “podcast”. Thanks for going that extra “kilometer” and describing what’s on-screen.
When you showed your "Fuzzer" i totally lost it. Haven't had such a good laugh in years in this topic.
But if i think about it some more, it is just about perfect. Easily accessible (but not perfect) entropy to cause spasms in badly written code.
Being more or less available on any machine with and OS (no, Windows is not an OS, it's malware) means you can do preliminary tests even in absence of your "fav tools".
I didn't get the joke :( was the netstar + grep somehow the fuzzer? Bc it looks it's only returning a specific line of Info from the previous, full, netstat cmd. Not seeing the usefulness unless 'conn' is supposed to be significant and understood as the grep string prior to beginning
@@antiquark6253 piping /dev/urandom into a program was the fuzzer iirc.
Urandom generates a never ending stream of random bytes. And like a thousand monkeys with a thousand typewriters, it will eventually come up with a sequence that breaks the program under test.
@@DasIllu oh I see now, the multi tiled terminals had me confused to what he was referring to, but I never thought to use nc that way. Very cool trick thx for illuminating that
@@DasIllu Nothing about a thousand monkeys here tho. It's just flooding the buffer with bytes until segfault, that's where he got a hint that there might be a buffer overflow (segfault means you're writing crap into memory where you're not supposed to write to as allowed by the kernel so the kernel kicks you out). The actual content of the input stream doesn't matter as it's just random bytes.
Excellent documentation and walk through. I love your stuff.
Can't wait to see the detailed analysis of Part2.
Waiting for part 2! Amazing work!
hell I really appreciate what this guys are doing, because I don't understand 70% of what they are talking about. There is soooo much to learn and it seems scary 🤯
Incredible work. I'm blown away to see this entire research from start to finish, including the thought process. Well done. I hope to one day be able to do what you do!
Glad to see you back :)
w8 for second part. Thanks!
Regardless of the exploit, it's pretty disturbing that stock router firmware is spamming DNS requests to arbitrary commercial domains, just to blink an LED light...
I’m thinking about making a similar video but mine are done in documentary format‼️
keep up the great work. sometimes people feel like so many things are common sense and dont explain the things that help people understand stuff. thank you for such a detailed video
This is what I have been waiting for a long time
i have been trying to get into this for the long time. i feel like i don't understand programming which makes hacking so difficult. i love your moto at the end. i love the training at the end you talked about. i need to spend a lot more time getting a better understanding of programming so i can understand how to do what your trying and make money ethical hacking.
The chances are slim to none unless you get a degree lol although they hire people who don’t have one, they are talented ones who just moves to action when others thinking how to get into this 😂
@@M4D4F4K4. i am hopeless. i will figure something out.
It's shocking how it's making unsolicited DNS queries for random domains for completely unrelated companies. Concerning. If I was watching the WAN and saw these random requests coming from a router, I'd be concerned it was compromised in some way, not operating normally with stock firmware...
Ghidra makes it easy to reverse engineer. You would think there would be standard practices on operational flow that prevents the behaviour. Standard Libraries for dns handling.
conn-indicator needs to know when it has network connectivity, and the programmers chose this way to verify it. This is normal, and in this specific case quite benign in our opinion, as the DNS domains it is trying to query are well known.
The mistake here was to make their own DNS parser (why TP-Link? WHY???). They could have used a shell script and standard utilities for checking connectivity, and a separate binary for controlling the LED lights!
If this makes you worried, then have a look at what your phone, Windows or MacOS computer is doing for the same connectivity checks, without any user program running or any kind of user interaction, you will be VERY surprised 🙈
@@FlashbackTeam As a Linux user, no idea how it does the check, likely it will not be google.
Found Your channel from @liveoverflow
Great Content 🙌🙌
Hyped for the second part, hope it comes soon!
Excellent documentation we want 2part😊
Awesome stuff! waiting for the 2nd video.
Nice video, added this to my watch list, will comeback and share my thoughts, for the time being its time to work.
I don't think I've ever said "Oh my God you can do that?!" so many times while watching a video haha. Amazing stuff
I have no clue wtf your saying half the time but, I still watch hoping something will stick. something better than nothing, right? I love hearing the actual thought process of the hack as if you're going threw it for the first time. I like this very much.
Hi.
I’m Japanese, and I could understand your video because of your very smart and cool presentation.
Thank you for uploading this video!
(I’m sorry about being not good at English.)
Can't wait for part 2! :)
It should be out very soon. We are on the last stretch in recording.
Love your voice, is so soothing for teaching/learning. Thanks!
You are a legend people. Proud of taking your courses.
We're not affiliated with TryHackMe and have not developed any courses or tutorials for them :-)
Our courses are developed and taught by us privately, check flashback.sh/training
Wooowww amazing!!!! But how did you run MIPS executable on PC? Or you we're was on target via ssh?
I appreciate every video in this channel, This is very useful. Thank you, guys.
This is the most realistic and valuable hacker video I have ever seen
Crazy ammount of research, good job
This is what we are looking for, nice job . Keep it up. Happy hacking
Best hackers from pwn2own 😊
Awaiting part 2!
Nice presentation. You touched on a couple points that are just outside my full understanding. Specifically, at the segmentation fault, what makes a memory address "unmapped". Is it unmapped because it is outside the allocated stack frame? Anyway, really nice work! Thank you.
Hi Matthew, glad you liked the video!
You are correct. When a program starts, it allocates ("maps") memory ranges for the stack, the heap, libraries, the executable code, etc.
These regions are not contiguous in memory. For example let's say a stack of 0x1000 in size, mapped in memory starting from 0x10000, which means its range is 0x10000 to 0x11000. Then we have a heap of size 0x1000, which is mapped at 0x12000 to 0x13000.
In this example, if we try to access memory at 0x11001, it will cause a segmentation fault, as that memory is not mapped to either the heap or the stack.
This was exactly what happened in the example in the video, albeit with different (more realistic) addresses.
Amazing video. Subscribed
So awesome that you guys share this knowledge, really, keep up the great work!
lmao i love these videos you two are relatable yet much smarter...ive learned quite abit watching you guys thanks💯
It didn't occur to me until watching this video, but AI would be amazing at reverse-engineering like this. Renaming functions and variables and creating comments based on context is already so close to how AI models interpret code.
Catch up, Ppl been doing this ever sense chatgpt hit the streets
AI has not catched up to thinking like this.
@@maktiki Lol , Yes it did, There plenty of Plugins that do just That Already
I feel like half of the hacking attempts at this point are *most likely* made by AI botnets that are programmed to execute these types of attacks using rogue / zombie ip's that operate on virtual machines that can't be traced.
@@azurescenss 💀🧢
Amazing work... !
Thanks so much, we are learning! 😍
After the first 30 seconds, I subed and liked the vid.
Your thumbnail is shokingly un clickbaity for sucha good video...
Can't wait until the second part pops out. I really want to hit the ground running with this kind of exploitation
The jump scare at 1:21
Waiting for part 2!
Smart fridge 😂 01:32
Vamos 🔥🔥🎉
Vendor-supplied router firmwares that use ancient kernel and code is commonly recognized to be insecure. This is why I always use OpenWRT
Very appreciate your sharing
Thanks for sharing
Thanks this was very helpful! I wonder why they used DNS instead of ICMP? Surely DNS was never intended for such things?
More and more places blocking ICMP these days. Moreover, even if they wanted to ping a well known CNAME, it would still require a DNS query, so just doing the query is more efficient, since it's only checking for connectivity.
this is cool. what O.S are you using though
Thanks a lot!
Best series ✨
It seems almost impossible for a regular person to be able to protect themselves over someone accessing their computer or phone. After having all of my data stolen from a big tech company it has been so difficult to feel safe.
I won the last 3 years WASP competition, but my method for doing this cannot be disclosed because of the damage it will cause, here is a sample of what i know: bluetooth follows the standard made by cisco on their routers where you make one the master the rest just follow. the same applies in Bluetooth yet here the clients that connect allow you root access to them as the technology defined.
I feel like $20k is a paltry sum to pay hackers for a hardware (firmware?) Bug on a device sold to hundreds of thousands of people
If the CPU used by a server had as its lowest-level language a managed language, say for instance a Lips CPU, where there is no memcpy and other such potentially bug-infested C code behind the Lisp code, then how would you find a vulnerability?
thank you for your hard work!!!!
Isso sim é qualidade parabéns
verdade
Can you link the video you recommended that we watch on the beginning of the video?
Seeing my exact router in this vid is funny and terrifying
Thank you for this
TP-Link be like:
- Unit testing? Nah bro, we in China trust each other
what a nice research
So, if we reduce everything, it is basically as many other vulnerabilities: The software does not check the size, it assumes that it will be as intended, in this case placing it into a fixed size variable. So an input validation error?
At the end if the day all is the same. Find vuln get RCE :p
i watched the video, but i feel sad i am understanding very little. i didn't know you had a real world hacker course.
I have a Question for Experts what I can not extract from that what is. My Provider had a Damage in a Knot where a Car crashed in.... first the internetconnection was lost, a few Minutes....after That it was ok for a few Minutes.... then it crashed again and was a longer Time out of Order. Since that I can not connect my Handy and my TV but every other Device works as usual. One Thing is that my Handy and the TV dont find the Port anymore... How is that possible?
What toolsets(s) are you using ie caller??
At 6:50 you mention that you're using gdb while having a laugh for your buddy who uses a 'lame java's one, were you referring to ghidra? Lol
The best Pedro.
why does conn-indicator need to parse dns response?
can't it just receive response, ignore contents, turn on LED?
How would it know it received a valid response to its request if it doesn't parse it?
Which OS you are using?
Pedro prefers Debian, and Radek likes Ubuntu more.
Please release a course in hacking please i want to learn or atleast link a good course that is useful to learn deep hacking please!!
LETS GOOOOOOOOOOOOOOO i love yall
Part 2 when? :D
Amazing !!
Thats another lvl...
we're waiting for the part 2 for 2 week 😭😭
Just came here to find it but I will have to join the queue waiting for part 2 😅
@@huskytail 3month of waiting
im not interested anymore
i well unsubscribe they don't respect us ....
@@draxler.a I must confess I had even forgotten about it.
16:59 does offset to name point to start of length+string or can if point to another compression mode?
Anybody knows which code editor he is using there?
Watching this makes me feel mad and dumb. This is like an art that I just can't seem to get. How do you learn all of this?!
In our course :D
But honestly, if you don't know the basics of assembly, scripting and Linux command line, you will get lost.
The best book to learn reverse engineering ("Reverse Engineering for Beginners") is completely FREE: beginners.re/
Once you master the basics, come to our course and we will teach you how to find and exploit vulnerabilities in real embedded devices!
@@FlashbackTeam thanks for this, I will definitely check it out
Just another example of cops thinking they're above those they're supposed to serve
What knowledge should i have to understand this video ??!!
Excellent on how to also think it up. Not just run some tools.
The best
Why RUclips am recommended video this me not know but watch interesting brain capacity limited open to expansion thank you I will sub
I do not understand, so you need to hack the router physically before you can do all this right? If true, how when you don't have access to routers in other places.
This is not the attack. This is the research for the attack.
Where is part 2?
part 2 ??
soon. It takes a lot of time to record and we are super busy. Subscribe if you don't want to miss it.
looks like dns reading memory overflow
🖤
Where is the second part?
We are still working on Part2. You can subscribe not to miss when we release it.
@@FlashbackTeamok thank you :)
This is 💎
🤓🤓🤓🤓
Exploit machine language x000x
where is part2? ❤
We are still working on Part2. Will be released as soon as we have finished it.
Is it possible to hack any website without getting caught?
No mamen están cabrones