Its a video about finding vulnerabilities. You can't find vulnerabilities without reverse engineering and looking at the underlying code/machine instructions. Otherwise you are just a noob who uses templates based on other peoples work.
Great format. This is so clearly described and spoken that I listened to it a SECOND time, as a “podcast”. Thanks for going that extra “kilometer” and describing what’s on-screen.
When you showed your "Fuzzer" i totally lost it. Haven't had such a good laugh in years in this topic. But if i think about it some more, it is just about perfect. Easily accessible (but not perfect) entropy to cause spasms in badly written code. Being more or less available on any machine with and OS (no, Windows is not an OS, it's malware) means you can do preliminary tests even in absence of your "fav tools".
I didn't get the joke :( was the netstar + grep somehow the fuzzer? Bc it looks it's only returning a specific line of Info from the previous, full, netstat cmd. Not seeing the usefulness unless 'conn' is supposed to be significant and understood as the grep string prior to beginning
@@antiquark6253 piping /dev/urandom into a program was the fuzzer iirc. Urandom generates a never ending stream of random bytes. And like a thousand monkeys with a thousand typewriters, it will eventually come up with a sequence that breaks the program under test.
@@DasIllu oh I see now, the multi tiled terminals had me confused to what he was referring to, but I never thought to use nc that way. Very cool trick thx for illuminating that
@@DasIllu Nothing about a thousand monkeys here tho. It's just flooding the buffer with bytes until segfault, that's where he got a hint that there might be a buffer overflow (segfault means you're writing crap into memory where you're not supposed to write to as allowed by the kernel so the kernel kicks you out). The actual content of the input stream doesn't matter as it's just random bytes.
Incredible work. I'm blown away to see this entire research from start to finish, including the thought process. Well done. I hope to one day be able to do what you do!
hell I really appreciate what this guys are doing, because I don't understand 70% of what they are talking about. There is soooo much to learn and it seems scary 🤯
keep up the great work. sometimes people feel like so many things are common sense and dont explain the things that help people understand stuff. thank you for such a detailed video
i have been trying to get into this for the long time. i feel like i don't understand programming which makes hacking so difficult. i love your moto at the end. i love the training at the end you talked about. i need to spend a lot more time getting a better understanding of programming so i can understand how to do what your trying and make money ethical hacking.
The chances are slim to none unless you get a degree lol although they hire people who don’t have one, they are talented ones who just moves to action when others thinking how to get into this 😂
I have no clue wtf your saying half the time but, I still watch hoping something will stick. something better than nothing, right? I love hearing the actual thought process of the hack as if you're going threw it for the first time. I like this very much.
We're not affiliated with TryHackMe and have not developed any courses or tutorials for them :-) Our courses are developed and taught by us privately, check flashback.sh/training
Hi. I’m Japanese, and I could understand your video because of your very smart and cool presentation. Thank you for uploading this video! (I’m sorry about being not good at English.)
I really love you guys videos. But there is something no one talks about and is how to set up a lab to test. Can you guys make a video about how to set up qemu or anything else to mount firmware for testing?
Regardless of the exploit, it's pretty disturbing that stock router firmware is spamming DNS requests to arbitrary commercial domains, just to blink an LED light...
It didn't occur to me until watching this video, but AI would be amazing at reverse-engineering like this. Renaming functions and variables and creating comments based on context is already so close to how AI models interpret code.
I feel like half of the hacking attempts at this point are *most likely* made by AI botnets that are programmed to execute these types of attacks using rogue / zombie ip's that operate on virtual machines that can't be traced.
It's shocking how it's making unsolicited DNS queries for random domains for completely unrelated companies. Concerning. If I was watching the WAN and saw these random requests coming from a router, I'd be concerned it was compromised in some way, not operating normally with stock firmware...
Ghidra makes it easy to reverse engineer. You would think there would be standard practices on operational flow that prevents the behaviour. Standard Libraries for dns handling.
conn-indicator needs to know when it has network connectivity, and the programmers chose this way to verify it. This is normal, and in this specific case quite benign in our opinion, as the DNS domains it is trying to query are well known. The mistake here was to make their own DNS parser (why TP-Link? WHY???). They could have used a shell script and standard utilities for checking connectivity, and a separate binary for controlling the LED lights! If this makes you worried, then have a look at what your phone, Windows or MacOS computer is doing for the same connectivity checks, without any user program running or any kind of user interaction, you will be VERY surprised 🙈
Nice presentation. You touched on a couple points that are just outside my full understanding. Specifically, at the segmentation fault, what makes a memory address "unmapped". Is it unmapped because it is outside the allocated stack frame? Anyway, really nice work! Thank you.
Hi Matthew, glad you liked the video! You are correct. When a program starts, it allocates ("maps") memory ranges for the stack, the heap, libraries, the executable code, etc. These regions are not contiguous in memory. For example let's say a stack of 0x1000 in size, mapped in memory starting from 0x10000, which means its range is 0x10000 to 0x11000. Then we have a heap of size 0x1000, which is mapped at 0x12000 to 0x13000. In this example, if we try to access memory at 0x11001, it will cause a segmentation fault, as that memory is not mapped to either the heap or the stack. This was exactly what happened in the example in the video, albeit with different (more realistic) addresses.
More and more places blocking ICMP these days. Moreover, even if they wanted to ping a well known CNAME, it would still require a DNS query, so just doing the query is more efficient, since it's only checking for connectivity.
I won the last 3 years WASP competition, but my method for doing this cannot be disclosed because of the damage it will cause, here is a sample of what i know: bluetooth follows the standard made by cisco on their routers where you make one the master the rest just follow. the same applies in Bluetooth yet here the clients that connect allow you root access to them as the technology defined.
If the CPU used by a server had as its lowest-level language a managed language, say for instance a Lips CPU, where there is no memcpy and other such potentially bug-infested C code behind the Lisp code, then how would you find a vulnerability?
So, if we reduce everything, it is basically as many other vulnerabilities: The software does not check the size, it assumes that it will be as intended, in this case placing it into a fixed size variable. So an input validation error?
I have a Question for Experts what I can not extract from that what is. My Provider had a Damage in a Knot where a Car crashed in.... first the internetconnection was lost, a few Minutes....after That it was ok for a few Minutes.... then it crashed again and was a longer Time out of Order. Since that I can not connect my Handy and my TV but every other Device works as usual. One Thing is that my Handy and the TV dont find the Port anymore... How is that possible?
It seems almost impossible for a regular person to be able to protect themselves over someone accessing their computer or phone. After having all of my data stolen from a big tech company it has been so difficult to feel safe.
I do not understand, so you need to hack the router physically before you can do all this right? If true, how when you don't have access to routers in other places.
In our course :D But honestly, if you don't know the basics of assembly, scripting and Linux command line, you will get lost. The best book to learn reverse engineering ("Reverse Engineering for Beginners") is completely FREE: beginners.re/ Once you master the basics, come to our course and we will teach you how to find and exploit vulnerabilities in real embedded devices!
I love how this video starts by explaining what LAN is, and 2 minutes later it's binary reverse eng
Yeah it goes from basic concepts to insanity and no time at all
0-100 really fast
A fun roller coaster indeed
Its a video about finding vulnerabilities. You can't find vulnerabilities without reverse engineering and looking at the underlying code/machine instructions. Otherwise you are just a noob who uses templates based on other peoples work.
@@Tobias-t3k and youre a stooge who can figure out what a basic sentence means
Great format. This is so clearly described and spoken that I listened to it a SECOND time, as a “podcast”. Thanks for going that extra “kilometer” and describing what’s on-screen.
Excellent documentation and walk through. I love your stuff.
When you showed your "Fuzzer" i totally lost it. Haven't had such a good laugh in years in this topic.
But if i think about it some more, it is just about perfect. Easily accessible (but not perfect) entropy to cause spasms in badly written code.
Being more or less available on any machine with and OS (no, Windows is not an OS, it's malware) means you can do preliminary tests even in absence of your "fav tools".
I didn't get the joke :( was the netstar + grep somehow the fuzzer? Bc it looks it's only returning a specific line of Info from the previous, full, netstat cmd. Not seeing the usefulness unless 'conn' is supposed to be significant and understood as the grep string prior to beginning
@@antiquark6253 piping /dev/urandom into a program was the fuzzer iirc.
Urandom generates a never ending stream of random bytes. And like a thousand monkeys with a thousand typewriters, it will eventually come up with a sequence that breaks the program under test.
@@DasIllu oh I see now, the multi tiled terminals had me confused to what he was referring to, but I never thought to use nc that way. Very cool trick thx for illuminating that
@@DasIllu Nothing about a thousand monkeys here tho. It's just flooding the buffer with bytes until segfault, that's where he got a hint that there might be a buffer overflow (segfault means you're writing crap into memory where you're not supposed to write to as allowed by the kernel so the kernel kicks you out). The actual content of the input stream doesn't matter as it's just random bytes.
Waiting for part 2! Amazing work!
Incredible work. I'm blown away to see this entire research from start to finish, including the thought process. Well done. I hope to one day be able to do what you do!
hell I really appreciate what this guys are doing, because I don't understand 70% of what they are talking about. There is soooo much to learn and it seems scary 🤯
Can't wait to see the detailed analysis of Part2.
Glad to see you back :)
keep up the great work. sometimes people feel like so many things are common sense and dont explain the things that help people understand stuff. thank you for such a detailed video
This is what I have been waiting for a long time
Hyped for the second part, hope it comes soon!
I don't think I've ever said "Oh my God you can do that?!" so many times while watching a video haha. Amazing stuff
Found Your channel from @liveoverflow
Great Content 🙌🙌
Love your voice, is so soothing for teaching/learning. Thanks!
w8 for second part. Thanks!
Nice video, added this to my watch list, will comeback and share my thoughts, for the time being its time to work.
This is the most realistic and valuable hacker video I have ever seen
I appreciate every video in this channel, This is very useful. Thank you, guys.
Awesome stuff! waiting for the 2nd video.
Excellent documentation we want 2part😊
i have been trying to get into this for the long time. i feel like i don't understand programming which makes hacking so difficult. i love your moto at the end. i love the training at the end you talked about. i need to spend a lot more time getting a better understanding of programming so i can understand how to do what your trying and make money ethical hacking.
The chances are slim to none unless you get a degree lol although they hire people who don’t have one, they are talented ones who just moves to action when others thinking how to get into this 😂
@@M4D4F4K4. i am hopeless. i will figure something out.
I have no clue wtf your saying half the time but, I still watch hoping something will stick. something better than nothing, right? I love hearing the actual thought process of the hack as if you're going threw it for the first time. I like this very much.
You are a legend people. Proud of taking your courses.
We're not affiliated with TryHackMe and have not developed any courses or tutorials for them :-)
Our courses are developed and taught by us privately, check flashback.sh/training
Hi.
I’m Japanese, and I could understand your video because of your very smart and cool presentation.
Thank you for uploading this video!
(I’m sorry about being not good at English.)
Best hackers from pwn2own 😊
This is what we are looking for, nice job . Keep it up. Happy hacking
After the first 30 seconds, I subed and liked the vid.
lmao i love these videos you two are relatable yet much smarter...ive learned quite abit watching you guys thanks💯
Can't wait for part 2! :)
It should be out very soon. We are on the last stretch in recording.
So awesome that you guys share this knowledge, really, keep up the great work!
Crazy ammount of research, good job
I’m thinking about making a similar video but mine are done in documentary format‼️
Amazing video. Subscribed
Thanks so much, we are learning! 😍
Awaiting part 2!
Can't wait until the second part pops out. I really want to hit the ground running with this kind of exploitation
Wooowww amazing!!!! But how did you run MIPS executable on PC? Or you we're was on target via ssh?
Smart fridge 😂 01:32
Vamos 🔥🔥🎉
Amazing work... !
Your thumbnail is shokingly un clickbaity for sucha good video...
The jump scare at 1:21
I really love you guys videos. But there is something no one talks about and is how to set up a lab to test. Can you guys make a video about how to set up qemu or anything else to mount firmware for testing?
Waiting for part 2!
Regardless of the exploit, it's pretty disturbing that stock router firmware is spamming DNS requests to arbitrary commercial domains, just to blink an LED light...
Best series ✨
Very appreciate your sharing
Thanks for sharing
It didn't occur to me until watching this video, but AI would be amazing at reverse-engineering like this. Renaming functions and variables and creating comments based on context is already so close to how AI models interpret code.
Catch up, Ppl been doing this ever sense chatgpt hit the streets
AI has not catched up to thinking like this.
@@maktiki Lol , Yes it did, There plenty of Plugins that do just That Already
I feel like half of the hacking attempts at this point are *most likely* made by AI botnets that are programmed to execute these types of attacks using rogue / zombie ip's that operate on virtual machines that can't be traced.
@@azurescenss 💀🧢
Thanks a lot!
thank you for your hard work!!!!
Seeing my exact router in this vid is funny and terrifying
At 6:50 you mention that you're using gdb while having a laugh for your buddy who uses a 'lame java's one, were you referring to ghidra? Lol
It's shocking how it's making unsolicited DNS queries for random domains for completely unrelated companies. Concerning. If I was watching the WAN and saw these random requests coming from a router, I'd be concerned it was compromised in some way, not operating normally with stock firmware...
Ghidra makes it easy to reverse engineer. You would think there would be standard practices on operational flow that prevents the behaviour. Standard Libraries for dns handling.
conn-indicator needs to know when it has network connectivity, and the programmers chose this way to verify it. This is normal, and in this specific case quite benign in our opinion, as the DNS domains it is trying to query are well known.
The mistake here was to make their own DNS parser (why TP-Link? WHY???). They could have used a shell script and standard utilities for checking connectivity, and a separate binary for controlling the LED lights!
If this makes you worried, then have a look at what your phone, Windows or MacOS computer is doing for the same connectivity checks, without any user program running or any kind of user interaction, you will be VERY surprised 🙈
@@FlashbackTeam As a Linux user, no idea how it does the check, likely it will not be google.
LETS GOOOOOOOOOOOOOOO i love yall
Thank you for this
The best Pedro.
Isso sim é qualidade parabéns
verdade
Nice presentation. You touched on a couple points that are just outside my full understanding. Specifically, at the segmentation fault, what makes a memory address "unmapped". Is it unmapped because it is outside the allocated stack frame? Anyway, really nice work! Thank you.
Hi Matthew, glad you liked the video!
You are correct. When a program starts, it allocates ("maps") memory ranges for the stack, the heap, libraries, the executable code, etc.
These regions are not contiguous in memory. For example let's say a stack of 0x1000 in size, mapped in memory starting from 0x10000, which means its range is 0x10000 to 0x11000. Then we have a heap of size 0x1000, which is mapped at 0x12000 to 0x13000.
In this example, if we try to access memory at 0x11001, it will cause a segmentation fault, as that memory is not mapped to either the heap or the stack.
This was exactly what happened in the example in the video, albeit with different (more realistic) addresses.
Vendor-supplied router firmwares that use ancient kernel and code is commonly recognized to be insecure. This is why I always use OpenWRT
Thanks this was very helpful! I wonder why they used DNS instead of ICMP? Surely DNS was never intended for such things?
More and more places blocking ICMP these days. Moreover, even if they wanted to ping a well known CNAME, it would still require a DNS query, so just doing the query is more efficient, since it's only checking for connectivity.
what a nice research
this is cool. what O.S are you using though
Can you link the video you recommended that we watch on the beginning of the video?
I won the last 3 years WASP competition, but my method for doing this cannot be disclosed because of the damage it will cause, here is a sample of what i know: bluetooth follows the standard made by cisco on their routers where you make one the master the rest just follow. the same applies in Bluetooth yet here the clients that connect allow you root access to them as the technology defined.
If the CPU used by a server had as its lowest-level language a managed language, say for instance a Lips CPU, where there is no memcpy and other such potentially bug-infested C code behind the Lisp code, then how would you find a vulnerability?
Please release a course in hacking please i want to learn or atleast link a good course that is useful to learn deep hacking please!!
So, if we reduce everything, it is basically as many other vulnerabilities: The software does not check the size, it assumes that it will be as intended, in this case placing it into a fixed size variable. So an input validation error?
At the end if the day all is the same. Find vuln get RCE :p
Thats another lvl...
I have a Question for Experts what I can not extract from that what is. My Provider had a Damage in a Knot where a Car crashed in.... first the internetconnection was lost, a few Minutes....after That it was ok for a few Minutes.... then it crashed again and was a longer Time out of Order. Since that I can not connect my Handy and my TV but every other Device works as usual. One Thing is that my Handy and the TV dont find the Port anymore... How is that possible?
It seems almost impossible for a regular person to be able to protect themselves over someone accessing their computer or phone. After having all of my data stolen from a big tech company it has been so difficult to feel safe.
i watched the video, but i feel sad i am understanding very little. i didn't know you had a real world hacker course.
why does conn-indicator need to parse dns response?
can't it just receive response, ignore contents, turn on LED?
How would it know it received a valid response to its request if it doesn't parse it?
16:59 does offset to name point to start of length+string or can if point to another compression mode?
This is so cool and amazing !
What toolsets(s) are you using ie caller??
TP-Link be like:
- Unit testing? Nah bro, we in China trust each other
I feel like $20k is a paltry sum to pay hackers for a hardware (firmware?) Bug on a device sold to hundreds of thousands of people
Why RUclips am recommended video this me not know but watch interesting brain capacity limited open to expansion thank you I will sub
Excellent on how to also think it up. Not just run some tools.
Which OS you are using?
Pedro prefers Debian, and Radek likes Ubuntu more.
Part 2 when? :D
Anybody knows which code editor he is using there?
Amazing !!
Where is part 2?
What knowledge should i have to understand this video ??!!
Where is the second part?
We are still working on Part2. You can subscribe not to miss when we release it.
@@FlashbackTeamok thank you :)
The best
looks like dns reading memory overflow
This is 💎
part 2 ??
soon. It takes a lot of time to record and we are super busy. Subscribe if you don't want to miss it.
where is part2? ❤
We are still working on Part2. Will be released as soon as we have finished it.
we're waiting for the part 2 for 2 week 😭😭
Just came here to find it but I will have to join the queue waiting for part 2 😅
@@huskytail 3month of waiting
im not interested anymore
i well unsubscribe they don't respect us ....
@@draxler.a I must confess I had even forgotten about it.
🤓🤓🤓🤓
I do not understand, so you need to hack the router physically before you can do all this right? If true, how when you don't have access to routers in other places.
This is not the attack. This is the research for the attack.
Watching this makes me feel mad and dumb. This is like an art that I just can't seem to get. How do you learn all of this?!
In our course :D
But honestly, if you don't know the basics of assembly, scripting and Linux command line, you will get lost.
The best book to learn reverse engineering ("Reverse Engineering for Beginners") is completely FREE: beginners.re/
Once you master the basics, come to our course and we will teach you how to find and exploit vulnerabilities in real embedded devices!
@@FlashbackTeam thanks for this, I will definitely check it out
DAYRIIN FIHA KHOBARAAAAA2
WLA
WAYLI
LA RAHOM MACHI KHOBARA2
🖤
Is it possible to hack any website without getting caught?