Mr. Robot's Netflix 'n' Hack
Wiki ▸ Activities and events ▸ Mr. Robot's Netflix 'n' Hack
- Tagline: Let Mr. Robot teach you how to hack—and how to stop hackers from hacking you!
- Description: Watch an episode of "Mr. Robot," a TV show dramatizing the lives of rogue hackers in NYC with unparalleled technical accuracy, and then get an introduction to how the tools, techniques, and procedures ("TTPs") shown in the episode work in real life. After we watch an episode of the show, we'll discuss the tools used, get them installed on our laptops, and try them out. When we meet next, we'll show one another what we've learned, and continue with the next episode. By the end of the 10 week first season, you'll have gotten a hands-on tour of various tools in the Kali Linux penetration testing distro, and a better sense of how to separate fiction from reality in contemporary hacking dramas in pop culture. We'll finish by tackling a Mr. Robot themed hacking challenge so you can practice what you've learned, and maybe even join a hacking team.
- Facilitating: How to facilitate Mr. Robot's Netflix 'n' Hack
- See also: InfoSec, Mr. Robot Trains the Trainers, 🌐 GeekWire's "Mr. Robot Rewind" series (contains spoilers), Manisso/fsociety, Glossary.
Watch the Mr. Robot trailer to see if this is a show you might enjoy watching and learning from:
-
Tor, a commonly used privacy-enhancing and censorship circumvention internetworking tool
- Onion routing,
- "Onion services" (formerly known as "hidden services")
- "Deep Web" sites (how to search, check out The Hidden Wiki)
- OnionShare sets up an ephemeral Onion service for filesharing; read Secretly sharing files with OnionShare and Tor Browser.
- OnionScan, "a free and open source tool for investigating the Dark Web."
- RUDY attacks
- "Good at reading people" (social engineering…a blog post to maybe read, also a book The Art of Deception, see also: Freedom Downtime)
- "I left my keys in one of your cabs…"
- "Can I borrow your phone?" (also deleted the outgoing call log)
- "This is Sam from Bank of E fraud department."
-
pingis the "packet information groper" - Password cracking:
- Information gathering via social media sleuthing (kind of general, eh? was a specific tool shown?)
- Blackberry mobile phones (and their, uh, security problems)
- "Desktop environments":
- "DDoS attack" is a Distributed Denial of Service attack
- Understanding DDoS basics, read "What is LOIC and can I be arrested for DDoS'ing someone?"
- Deep Inside a DNS Amplification DDoS Attack, and later, an NTP amplification DDoS attack
- "DDoS protection" - really, really big pipes, see CloudFlare, Google's Project Shield, and Deflect.ca
- "DDoS as Direct Action," chapter three of The Coming Swarm, by Molly Sauter (PDF)
- DNS
- "fingerblasting"
- Historical sidenote: read about the
fingerProtocol
- Historical sidenote: read about the
-
astsuis not real, but!tracerouteis -
rootkit
- Blog post: Basics of Making a Rootkit
- "Redirect the traffic…" Gideon says.
- Using
ifconfig, a command line tool to configure a network interface. - "Routers" are just computers, but with dedicated operating systems with different network interface configuration commands, such as CISCO iOS (proprietary) or VyOS, a free software clone of Cisco's iOS, useful if you can't pay for an iOS license.
- "Redirecting," in the context of the episode's scene, may mean:
- re-route incoming packets that are part of the DDoS to a network black hole, if the packets can be identified as part of the attack.
- And if not, then he may mean "redirect" incoming visitors to a high-availability version of the hosted services, such as a read-only or otherwise low-resource use instance.
- The specific intent depends on AllSafe's and ECorp's specific setup, and it's not clear what's actually happening, except that this is the kind of chatter you might hear from SOC or NOC workers.
- Using
- "…and call Prolexic for help!"
- On the server's command line:
locatepsgrep-
more(kind of unlikely, Elliot is more likely to uselessinstead) kill-
rm(-norecycleis not real, is it?) - "Reconfigure the access to the directory" ->
chmod
- "Remember that hacker group, Omegz?" -> This is probably a reference to the real-life group LulzSec
- "I'll ask my IRC contacts…"
- IRC is Internet Relay Chat, an aging chat room technology that is still popular with techies and hackers.
- Guide to IRC for novices: IRCHelp.org
- VPN
- US Cyber Command
- Google (News) Alerts
- "…with a custom dictionary, my program can crack his password in two minutes." -> Generating wordlists
- Ashley Madison, a famous hacked site
- "Now Michael Hansen gets buried in my digital cemetary" -> Steganography, hiding data among other inconspicuous data:
- "Evil Corp's corporate mail server hadn't been updated since the days of Shellshock."
-
wget, a command line tool to get files over the Web - Shellshock, a severe and pervasive vulnerability patched in 2014. Read "Inside Shellshock," then try it yourself:
-
- "Doesn't even use two-step verification" also known as (2FA) - Wikipedia page
- What are secure "factors"? ->
- Something you know (knowledge; e.g., a password)
- Something you have (possession; e.g., a physical security token such as a YubiKey)
- Something you are (biometrics; e.g., a retinal scan)
- What are secure "factors"? ->
-
johnpassword cracker - Microwaving electronics:
- debatable way of destroying info on a hard drive (use a drill instead);
- microwaving can destroy transistors on chips;
- effective for RFID chips inside credit cards, passports, etc.
- "Who knows how deep these data dumps will get?"
- "Data dump" is data acquired from a breach; read Troy Hunt on how he verifies data breaches
- Also sign up for https://HaveIBeenPwned.org
- DO. NOT. RE. USE. PASSWORDS. Do use password managers like Bitwarden, KeePass, etc.
- Darlene is a "malware coder," writes exploits:
- "Use your AllSafe security clearance to hack the Comet(R) PLC…"
- a "PLC" is a Programmable Logic Controller, embedded devices that are typically used as sensors or controllers for SCADA devices (industrial control systems, see also "critical infrastructure," dams, power plants, heating and ventilation HVAC and so on)
- Read: Target Hackers Broke in Via HVAC Company, Hackers Find Celebrities’ Weak Links in Their Vendor Chains
- "Worm": an autonomously propagating malware (distinct from "virus")
- Fernando Vera (a drug dealer) "conducts all his transactions via IMs, emails, and text messages."
- Use Signal to protect IM/txt-style communications.
- Use PGP (aka GPG) to encrypt email communications.
- "timing his tweets to recent news articles" -> Google Dorking -> see also Exploit-DB's Google Hacking Database
- Using advanced search terms to filter search engine results to far more relevant pieces of information based on time, metadata (title, publisher, outbound and inbound links, etc.)
- Wired: Use These Secret NSA Google Search Tips to Become Your Own Spy Agency (PDF)
- Reference the GoogleGuide.com site
- Can "dork" using other search engines, such as GitHub! See GitHub dorks
-
Lockpicking
- Elliot's exploit against Fernando Vera uses C language code and references Andersson (AA) trees.
- DeepSound (again)
- "My album just dropped. … Check track 2 out!" - > social engineering to get Windows malware via autorun on CD
- Prevent viruses from using AutoRun to spread
- Real-life example: Sony Rootkit
- Webcam spying! Read about "RATs" (remote access tools/trojans)
- A (simplistic) overview of Remote Access Tools
- cover your webcam with tape (or a cam-cover) as an easy mitigation
- Understaffed/overworked IT departments:
- Security risks of old software, read "Malware Infection Vectors: Past, Present, and Future"
- Windows 98
-
Microsoft Outlook, a "personal information management" package that has become a notorious malware infection vector
- Virus scanners, e.g., Norton Security Scan
- Hackers can corrupt the integrity of digitized health and medical records
- Privacy concerns amount to breaches of confidentiality, read Google’s Handling of Public Health Data Should Serve as a Cautionary Tale, Report Says
- Voice changer (voice disguising software)
- Webcam spying via RATs, read "Meet the men who spy on women through their webcams"
- IPv6 address(?) in the URL bar
- "Hacking Europe" book on the bookshelf is an academic work about famous European hacker communities
- Onion site ("hidden service") used as an IRC server
- The now-defunct TorMessenger was a chat app that enabled access to such servers easily, if you know the
.onionaddress. (Nowawadays you should choose and configure an existing IRC and Tor client yourself. Instructions for Freenode on Tor. ) - This technique was used by Anonymous for some of their chat services
- The now-defunct TorMessenger was a chat app that enabled access to such servers easily, if you know the
- "And it's not enough to just focus your attention on the logs. We should also monitor social media traffic, as well as IRC, Pastebin, and set up scripts to keep going, 24/7" - places where data dumps often first appear
- "Never show them my source code"
- "Closed" versus "open" is a longstanding debate, and is primarily a political divide
- "Open Source" versus "Free Software," read Open Source Misses the Point of Free Software
- Facebook location check-ins (also Foursquare, Yelp, any location-based service) is how Tyrell follows Anwar to the Kiss and Fly club
- Seriously, audit your social media account's privacy settings
- Also, learn about EXIF data (metadata in some file formats, like images)
- Turn off location tagging for your smartphone camera - Facebook/Instagram photos have can embed GPS coordinates, reveals locations
- Real-life example: Fugitive John McAfee’s location revealed by photo meta-data screw-up
- Web tools: Jeffrey Friedl's Image Metadata Viewer, ImageForensic.org, EXIFData.com
- Command-line tools:
exif,ffmpegfor extracting metadata from video files
- "With a simple phishing scam I owned her password pretty easy."
- Historical example: AOHell
- In modern-day, read "Highly Effective Gmail Phishing Technique Being Exploited"
- PhishTank is a public clearinghouse cataloguing known or suspected phishing sites.
- Phish5 is a commercial service that lets you easily create phishing campaigns to target users of your own domains for educational purposes.
- BeEF, the free software Browser Exploitation Framework, can be used to launch one-off phishing attacks against "hooked" Web browsers.
- KingPhisher is free software that operates entire phishing campaigns and offers its own phishing toolkit.
-
Android device "rooting" in order to install commercial phone spyware:
- Identity theft, financial blackmail, "carding" (credit card market), doxing
- Apply a credit freeze to your personal credit line
- Krebs On Security: Peek Inside a Professional Carding Shop
- IdentityTheft.gov - US government recommendations/resources to "recover from identity theft"
- Read Crash // Override's "Prevent Doxing" guide
- Incident response (IR), and digital forensic examination reports
-
MD5 hashing algorithm
- hashes (also called digests) are used in digital forensics extensively
- ForensicsWiki is a Wikipedia-like site for digital forensics tools and standards
- SANS Digital Forensics Blog, a regularly-updating industry blog
-
MD5 hashing algorithm
- Gideon Goddard's phone shows location services are disabled, a better-than-average privacy practice:
During post-show discussion, we brought up:
- Cree.py - geolocation OSINT tool
- TrackIMEI Using a SIM card/IMEI number to track the location of a mobile phone
-
Linear Tape-Open (LTO) is old-school tape cassette storage
- "Open Standard 9" doesn't actually exist (yet)
- "the circuit board, if installed behind a thermostat, it lets us plant an asymmetric backdoor and then create a VPN in the Steel Mountain intranet."
- "the circuit board" would be a Raspberry Pi, and LifeHacker has a good guide to getting started with a Raspberry Pi
- HVAC, again
- "I see six [security vulnerabilities] walking around right now."
- Physical reconnaissance and surveillance, read:
- Surveillance cameras, read:
- "own the facility's SCADA network," taking control over the building's control systems (like IoT, but bigger)
- Cyberwar: How a Cyber Attack Left Thousands of Ukrainians in the Dark
- Read, Hackers exploit SCADA holes to take full control of critical infrastructure
- OWASP SCADA Security Project
- Internet recon sites like Shodan, Censys can find any Internet-connected device
- "the distro," slang for "distribution," i.e., the file (payload) being distributed
- FTP server, an older way of transferring files across a network
- Unlocking a car door wirelessly
- These cars use Passive Keyless Entry and Start (PKES), aka "Smart key"
- Security Now! Episode 508, "Exploiting Keyless Entry" show notes (PDF)
- See Atmel microchip manufacturer pages on "Passive Entry/Passive Start (PEPS)" and "Remote Keyless Entry (RKE)"
- "Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars" (PDF)
- Starting a car using its Controller Area Network (CAN) Bus
- Daemon
- Breaking into a motel room
- "Hollywood hacker bullshit," Romero and Mobley are watching "Hackers" (1995)
- "Rabbit virus," also called a fork bomb
- Trenton prepares the HVAC exploit for Steel Mountain
- Trenton's exploit is written in the Python programming language, a language popular with attackers (see the book, "Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers, and Security Engineers")
-
tar, a command to create a single file ("archive") out of many
- "Error 404 Not Found", a well-known HTTP status code
- Getting rid of mobile phones to avoid being tracked by Law Enforcement Officers (LEOs) through cell tower dumps or by an IMSI-catcher (a "Stingray"), or other hackers via VoLTE vulnerabilities
- Employee access cards, usually RFID technology activated by proximity
- Windows malware via autorun on CD, again! ;)
- Copying an employee badge through RFID skimming aka "cloning":
- Articles:
- Tom's Guide: "Hackers Could Clone Your Entry Card from Your Pocket"
- Computer World: "No building access card? No problem if you have new Def Con tools"
- Tastic RFID Thief, the tool inside Mobley's messenger bag used for copying a proximity card's radio-frequency identification (RFID) or near field communication (NFC) signals.
- "xCARD PROGRAMMER - v1.05" is not real, but the GeZhi HID Cloner V3.0 made by GeZhi Electronic Co is real! (HID is a contactless access key card brand name.)
- Article: Understanding the confusing world of RFID tags and readers in access control
- Same or similar tech is used instead of magnetic strips on credit/debit cards, see How to Disable Contactless Payment on Your Debit Card
- Do-It-Yourself electronic projects to make your own low-cost RFID cloner, more at ProxClone.com
- Offensive Security: Clone RFID Tags with Proxmark3
- FuzzySecurity: RFID Tutorial (Part 1)
- RFIDIOt, a collection of Python utilities to work with RFID and NFC
- Articles:
- Steel Mountain, Incorporated is probably a reference to the real-world Iron Mountain, Incorporated
- Digital reconnaissance using public information, called open-source intelligence ("OSINT")
- Read, "This Is Almost Certainly [FBI Director] James Comey’s Twitter Account"
- OSINTFramework.com, a collection of various OSInt tools broken out by category.
- Maltego, a proprietary graphical tool for digital reconnaissance
-
recon-ng, a free software command-line tool for digital reconnaissance
- Covert ear-piece, usually connects using Bluetooth to a nearby smartphone
- Sold as exam or test-taking cheating devices, for example by GSM-Earpiece
- Sold to law enforcement and security services, for example by EarHero
- Creating a fake or "cover" identity for fictional tech billionaire, "Sam Sepiol"
- Editing Wikipedia with fake information, see Wikipedia:List of hoaxes on Wikipedia
- LifeHacker: How to Choose (and Maintain) a Cover Identity
- FakeNameGenerator.com, automatically generated yet realistic-sounding fake names, addresses, passwords, and more
- On "fake news" and spotting hoaxes:
- How Fake News Goes Viral: A Case Study
- Fake Or Real? How To Self-Check The News And Get The Facts
- Snopes.com, a famous fact-checking site for debunking popular hoaxes
- Kali Linux, the penetration testing Linux distribution Romero is using
- "I spoofed a TXT," Mobley says, using the Social-Engineer Toolkit (SET)
- "It's a palm-print scanner." A form of biometric access control device.
- Real life vendors:
- "There's one door, manually locked. It's a fire code thing, and I think you can pick it."
- Elliot carries a covert "lockpick card" set
- Wire splicing, placing a device directly on the cabling of another wired device
- Related terms: wire stripping (removing the insulation off electric cables), wire snipping (cutting cables to custom lengths), and wire crimping (attaching connectors to the ends of wires). Some tutorials:
- See also: DIY.org's "Hardware Hacker" projects.
- News article: A rogue Raspberry Pi helped hackers access NASA JPL systems (news source)
- Dark Army's IRC chat room:
- IRC commands are written starting with a
/(a "slash-command"), see Wikipedia's List of Internet Relay Chat Commands - IRC rooms, called "channels," are prefixed with an octothorpe (
#). - Freenode is a famous and free public IRC server.
- Darlene uses
/join #da7Q_9RnPjmto try joining the room after she was ejected ("kicked"), but she was subsequently banned. - "MOTD" is a UNIX initialism and idiom for "Message of the Day."
- IRC commands are written starting with a
-
SSH, the Secure Shell program, is an encrypted remote login tool, offering command-line access to remote systems attached to a network.
- The
-loption specifies a login (user) name; Darlene is using therootuser (sometimes also called the "superuser"). - No passwords were being asked for, so Darlene has configured SSH for key-based authentication. GitHub has a good guide for setting up SSH with key-based (aka. "password-less") logins.
- On Windows, you may need to install PuTTY. On macOS/*nix systems, SSH is usually pre-installed.
- Complete reference guidebook: SSH, The Secure Shell: The definitive guide, 2nd Edition
- Secure Secure Shell, a guide for the "paranoid" SSH user.
- The
- Standard industrial control systems do operate some prison's doors:
- Finding nearby Bluetooth devices
-
btscanner(manual page), a tool to extract as much information as possible from a Bluetooth device without pairing with it -
btscanneris included in many penetration testing distros, including Elliot's choice, Kali Linux - Blog post with links to various Bluetooth tools
-
- AllSafe uses Windows 8(?) for its office desktop computers
-
Multifunction printers can do more than you might think! Privacy issues and network vulnerabilities:
- "Tracking dots" (aka Printer steganography) are used to link a printed document with the device that printed it:
- Is Your Printer Spying On You?
- Incomplete list of printers which do or do not display tracking dots
- Seeing Yellow - How to find printer dots (more instructions), and how to complain about it.
- Tracking Dot Decoding Guide
- Article, Government Uses Color Laser Printer Technology to Track Documents
- Real-life example: How the NSA tracked down and arrested the alleged Russian hacking story leaker, Reality Leigh Winner
- Printers are often a vulnerable device on corporate networks, read Exploiting Corporate Printers and Printer Exploitation in Corporate Environments
- Real-life example, "Rooting a Printer: From Security Bulletin to Remote Code Execution" by Tenable Security.
- Hacking-Printers.net wiki is a great resource.
- PRET, the Printer Exploitation Toolkit is penetration testing framework targeting networked printers.
- "Tracking dots" (aka Printer steganography) are used to link a printed document with the device that printed it:
- Angela uses an iPhone :)
- Check out Apple's iOS Security Guide
- Sprinkling USB thumbdrives in the parking lot
- Plugging in USB devices can unleash malware
- Article, BadUSB
- Not shown in the show, but similarly, check out Poisontap
- Avast!, a low-end anti-virus and anti-malware software suite:
- Read about "bind shells" and "reverse shells," the basics of getting remote control over a computer.
ncis often used, although Elliot is usingsshin this screenshot. - Relatedly, police departments are not immune:
- "You just pulled code from Rapid9 or some shit? When did you become a script kiddie?"
- Rapid9 is not real, but is a reference to the famous Rapid7.
- A "script kiddie" is hacker lingo for an unskilled techie, like a "noob" or "newbie."
- "Malware detection must have caught it," Elliot says.
- There are ways to make malware evade anti-virus/anti-malware detection. See, for instance, Veil-Framework.
- Hackers often test exploits against VirusTotal.com to see if evasion is successful.
- An ICS is an Industrial Control System: "I can run circles around an ICS given the right white papers and some time," Darlene says.
- She might also mean an "IDS" or "IPS," an Intrusion Detection System or Intrusion Prevention System, respectively.
- Terry Colby is wearing an ankle monitor as part of electronic home monitoring ("house arrest") - which make & model?
- Service provider, Guardian/Shield Ankle Monitoring Service
- Ankle monitors are overwhelmingly used to control the movement of oppressed groups. Articles:
- "Shit. WPA2, borderline unhackable. Getting that handshake, it could take days."
- Wikipedia article: Cracking of wireless networks
- Elliot is using a Pwn Phone to run
wifite, an automated Wi-Fi cracking tool that usesaircrack-ng,reaver, and other tools under the hood
- "Discoverable" Bluetooth devices can reveal device names
- Cop cars use "dedicated 4G," which is a cell (mobile phone) technology, and Bluetooth-enabled endpoints in the cab
- PoliceOne.com, a popular forum for law enforcement officers: Police Mobile Computers
- PoliceMag.com: A Guide to Understanding Law Enforcement Field Technology
- News article: Tech in police cars cause cops to crash their vehicles due to distracted driving
- Bluetooth hacking, with related terms "Bluejacking," "Bluebugging," and "Bluesnarfing"
- Elliot uses a Windows virtual machine to attach to cop car's laptop's Bluetooth keyboard
-
ftp
-
Metasploit Meterpreter, a famous exploitation toolkit
-
"View source" functionality in Web browsers ← "I got into web design by ripping off sites I liked."
-
Netscape Communicator, one of the earliest commercial Web browsers first released in the late 1990's
- Check out the evolt.org Browser Archive, copies of every version of every Web browser ever released
- Windows 95 (or Windows 98?)
-
2600.com, a famous, long-running hacker periodical (Wikipedia article)
- View the 1999 version of the 2600.com website using the Internet Archive's Wayback Machine.
- In a similar vein, check out Phrack and its Wikipedia article.
- Atari 2600, a 1980's-era video game console
-
Deepsound, a Windows audio CD/DVD steganographic utility (again)
- Pets are "microchipped," meaning small electronic chips implanted (microchip implants) under their skin
- "You got root on my box, and found the IP, then you joined their channel with my handle."
- "Getting root" means to "acquire access to the
rootuser on a UNIX-like operating system," since that user is by definition granted all privileges/rights to a system. (In a Windows context, this is called "getting System" and Meterpreter has a command by that name,getsystem, because the most privileged user account on a Windows computer is theLocalSystemaccount.)- It's less common to get root (or System) privileges directly; often you must first find some other vulnerability to exploit, then "escalate your privileges." This is called privilege escalation ("privesc" for short):
- Windows Privilege Escalation Methods for Pentesters
- Windows Privilege Escalation, Part 1: Local Administrator Account and Part 2: Domain Admin Privileges
- FuzzySecurity Tutorials: Windows Privilege Escalation Fundamentals
- Basic Linux Privilege Escalation
- Standalone tools to check for privilege escalation opportunities:
windows-privesc-check,unix-privesc-check
- It's less common to get root (or System) privileges directly; often you must first find some other vulnerability to exploit, then "escalate your privileges." This is called privilege escalation ("privesc" for short):
- "Box" is just a slang term for "computer."
- "The IP" refers to the Internet Protocol address, literally the equivalent of a computer's "home/mailing address" that anyone who wants to send messages to the computer usually needs to know. Here, Cisco refers not to his box's IP address, but the IP address of the Dark Army's servers.
- "Their channel" is a reference to the IRC chat room that the Dark Army uses to communicate, seen in an earlier episode. In IRC, chat rooms are called "channels," and hacker slang usually uses the two terms ("chat room" or "channel") somewhat interchangeably.
- "My handle" means "the username (or screen name) I use." Here, Cisco just means that after Darlene hacked his computer, she impersonated him, using his persona to communicate with the Dark Army directly.
- "Getting root" means to "acquire access to the
- Guessing the combination lock of the vault by looking around.
- Look to "characteristics of bad passwords."
- Deepsound (again!)
- "AirDream Advanced Metering;" research by reading PDFs/tech manuals/white papers (this is the part that takes the most time…)
- Dark Army is following Darlene
- (Evading) physical surveillance - https://protectioncircle.org/2016/06/14/surveillance-evasion/
- "Using the backdoor we planted; I installed the patch four weeks and I've been monitoring it daily." […]
- "Phone home"
- "Reroute (AirDream's) traffic"
- Chain of custody with the dat file - see handling instructions for digital evidence
- "Airgapped your network"
- "Implemented a honeypot"
- Vendors, such as Canary
- Are Tyrell's GNU/Linux terminal skillz legit? (Pretty much.)
find-
/opt/2/task/2/fdinfo- <--
filedescriptorinformation (look up "file descriptors") - <-- Read about the GNU/Linux Filesystem Hierarchy Standard for what is in the
/optdirectory (see also LSB, the Linux Standard Base, a related standard)
- <--
ls -l
- "The ASA Firewall", meaning the Cisco ASA series device, is a high-end Cisco product that provides network security solition
- Angela tells Elliot about a doxxing threat
- Faraday cage - radio frequency blocking
- WTF is up with that shit about time paranoia?
- Managing time (programming concept of multiple threads)
- Time-sharing
- Timers, and "time-outs", like:
- "Security token" (Gideon's phone)
- Hacking a Smart TV
- Two-factor authentication schemes, such as: time-based one-time password (TOTP)
- Enterprise ticketing systems "osTicket"
- Free software "Request Tracker"
- Wikipedia maintains a huge list, of course
- Elliot "hacks" himself -> people search sites, FamilyTreeNow, getting real estate deeds and other legal documents, basically "self-doxxing"
-
ProtonMail
- Running Windows 8.1 in a virtual machine; VMs can be "suspended"/paused, then resumed later
- DeepSound, but reading instead of writing data this time
- Shared folders on a VM (
/home/VMShare) http://virtuatopia.com/index.php/VirtualBox_Shared_Folders- Used extensively for development as part of Vagrant
-
gnome-openis GNOME's graphical shell "open this file" command.
- "Vintage" technology!
-
Super Nintendo Entertainment System
-
NEC POWERMATE 433D
-
Floppy disks
- "Pentium 90," probably means an Intel Pentium-branded PC, which earlier on ran at ~90Mhz
-
Super Nintendo Entertainment System
- Gideon: "They hacked us, you know that, it's been all over the news. Normally a company could get through this, but we're a cybersecurity company!" Similar situations in real life:
- Angela compulsively refreshes "Google News"
- Gideon uses Thunderbird, apparently on Windows.
🚧 TK-TODO
🚧 TK-TODO
🚧 TK-TODO
🚧 TK-TODO
- "Pirating" (illegally downloading) movies using a BitTorrent client (uTorrent, in this case, but a "better" Free Software client is Deluge, shown in S03E04):
- TorrentFreak.com - Popular, long-running BitTorrent news outlet.
- Signal is used to make an encrypted VoIP call.
-
Cantenna (an antenna made out of a can) to boost radio signal (like Wi-Fi network) range.
- "For impersonating an NYPD officer. All cell carriers have a law enforcement hotline. Instead of hacking the carrier, if the situation's urgent enough, you can just ask them to track a blocked call for you."
- Many companies offer a red carpet for data collection to government law enforcement agencies, including:
- "Can you ping that phone for a current location?" Probably referring to a so-called "SMS ping," one type of invisible-to-the-user Short Message Service (cell phone txt message) message more broadly known as "silent SMS".
- Reverse address search features provided by Spokeo and other free/freemium data brokers
- 33 Thomas Street in Manhattan, the site of the NSA's "Project X," aka Titanpointe, an illegal domestic spying hub
- Field of Vision: Project X, a documentary short narrated by Rami Malek and Michelle Williams produced by Loura Poitras and Henrik Moltke
See also Mr. Robot Disassembled: eps3.0_power-saver-mode.h.
- Elliot and Darlene visit "the only hackerspace with a fiber connection"
- The number "1984" are painted on the wall, a common reference to George Orwell's 1949 novel of the same name warning about a dystopian future society where electronic surveillance controls people's lives and their thoughts; is this the name of the fictional hackerspace?
- Hackerspaces.org is a crowd-sourced directory of information about hackerspaces around the world.
- At the hackerspace, they find "a CTF tournament. Capture The Flag, it's like the hacker olympics. Teams around the world compete to solve challenges: reverse engineering, protocol exploitation, forensics."
- Most CTFs happen virtually, not in large party venues like those depicted on the show.
- CTFTime.org is among the most prolific continually-updated directories of public CTF competitions.
- awesome-ctf provides a listing of "awesome" tools and resources for CTF competitions and competitors.
- Darlene learns that "we're fucked. All the machines are taken. They're in the middle of a final round of the qualifier for a CTF." A few moments later, we learn that the CTF they're competing is the famous DEF CON CTF:
- "The backdoor had a hardcoded C2 domain pointing to a listener on Tyrell's machine. All I have to do is hack the registrar and change the name server configs. Once I hijack the domain, I can shut down their access before the dark army notices."
- C2 is an abbreviation for Command and Control, a generic term describing infrastructure used to send instructions and receive telemetry from targeted and/or compromised devices.
- A "registrar" refers to an organization, usually a company, responsible for reserving domain names with a given top-level domain registry, which is also usually a company.
- The registrar is responsible for asserting the correct IP addresses of the reserved domain's own name servers; if these are changed to attacker-controlled name servers, the attacker can direct any requests for the reserved Internet name to whatever IP addresses they like.
-
rwwwshell, the classic "reverse World Wide Web shell," -
shredis a secure file deletion utility that helps prevent forensic recovery by overwriting the file data itself instead of simply unlinking the file from the filesystem like the simplerrmcommand does
- C2 is an abbreviation for Command and Control, a generic term describing infrastructure used to send instructions and receive telemetry from targeted and/or compromised devices.
- Using the New York State Police (NYSP) National Crime Information Center (NCIC) portal to lookup the vehicle identification number (VIN) of the FBI car:
-
Shodan.io, "the search engine for Power Plants" and other connected devices
- Another similar tool is CenSys.io.
See also Mr. Robot Disassembled: eps3.1_undo.gz.
- Elliot uses Rootkit Hunter (
rkhunter) via Kali Linux to search for a rootkit on his own (Linux Mint) system when he suspects he's been compromised:
See also Mr. Robot Disassembled: eps3.2_legacy.so.
See also Mr. Robot Disassembled: eps3.3_m3tadata.par2.
- "The audio's useless. He's using a goddamn voice protector!" Also known as "speech protector," "noise generator," etc.
- Elliot looks like he's using a Rabbler brand noise generator, model NG3000
- Darlene entertains herself by downloading a pirated movie from BitTorrent using Deluge
- "We know you posted the F Society video — with a court order, we got the Vimeo connection logs for the account you used, which led us to your IP address and then your home address. That’s why you’re sitting here."
- Article: The Mr. Robot Hack Report: Don’t Fear the Rabbler - The Verge
This is a really common way to find someone after they’ve done something illegal on the internet! Cops do it all the time[…].
- Court orders aren't even required in some cases. Many sites provide a metaphorical red carpet specifically for law enforcement requests as discussed in S02E10.
- Article: The Mr. Robot Hack Report: Don’t Fear the Rabbler - The Verge
See also Mr. Robot Disassembled: 3.4_Runtime-Error.R00.
- Elliot logs in to his to work PC running Windows at E-Corp.
- Notice the absurdly long (24 character) password; since we hear him typing, this is probably a passphrase rather than a password.
- This Windows PC is connected to a Windows domain called
E Corp-USA.
- "I need to check my monitoring server." Elliot uses Kibana and Logstash, and accesses the raw logs over SSH via PuTTY:
- Edie proves a difficult mark: "I've hardened my install, further than the standard configuration, including a restrictive host-based firewall ruleset and whitelisting to block unauthorized apps from running. I think I know your culprit, though. Fred over there uses GoToMyPC all the time." And then she locks her screen!
- Since Windows XP, a host-based firewall has shipped standard with Windows, now called Windows Defender Firewall as of Windows 10. See Computer Hope's article, "How to enable or disable the Microsoft Windows Firewall" to learn how to enable or disable it.
- Whitelisting, also called allow-listing, prevents any application not pre-approved from running. In Windows, you can use the Local Security Policy Editor (by launching
secpol.msc) to tweak the settings of Window's built-in application allow-listing features, Windows Defender Application Control (WDAC) or AppLocker. - GoToMyPC is a popular Windows remote access tool; when installed by end-users in corporate environments it can pose a security risk because of the way it makes PCs behind corporate firewalls accessible to others over the Internet.
- As Edie gets up to walk Elliot over to Fred, she locks her PC screen immediately so that passersby cannot use her computer while she's gone, a pro move. Read 10 Ways to Lock Your Windows 10 PC.
- "Log data from the Dark Army's backdoored machine. They're using this guy's account, Frank Bowman. He's a member of the code signing architecture team. This is what they're doing: they want to sign their own firmware and bypass my patch. If they do that, they'll blow up the downtown recovery buidling. My only chance to stop it is to get to the hardware security modules, the HSMs. They're on the 23rd floor."
- Read: Hackers are selling legitimate code-signing certificates to evade malware detection (February 2018)
- Read: APTs, RATs and Code-Signing Attacks (April 2020)
- "I'll tailgate someone." Also known as piggybacking.
- Angela accesses the code signing machine on floor 23 of the E-Corp building.
- A sign reading "There's no place like 127.0.0.1" in the geeky code signing architecture team's office.
-
127.0.0.1is the conventional IPv4 address of "this computer," or "self," or "localhost, or, as Dorothy would say it, "home."
-
- Irving and Angela use call-and-response code words to authenticate their audio calls: "Marlinspike." "Moxie."
- Moxie Marlinspike is the famous hacker and programmer best known for creating the Signal Protocol (double-ratchet aglorithm) store-and-forward end-to-end encrypted messaging system.
See also Mr. Robot Disassembled: eps3.5_kill-process.inc.
See also Mr. Robot Disassembled: eps3.6_fredrick+tanya.chk.
-
ProtonMail, a popular web-based e-mail service with built-in support for OpenPGP.
- But see ProtonMail.
See also Mr. Robot Disassembled: eps3.8_stage3.torrent.
- Using the Volatility memory forensics framework:
- Elliot crafts shellcode to be executed via Python(?) by discovering a vulnerability through fuzzing using American Fuzzy Lop (AFL) and inspecting the crashing program with the GNU Debugger (
gdb):
- Dark Army Command and Control (C2) operator station loads Elliot's exploit:
- Elliot logs in to a server with a new SSH key (
ssh-add) to view the keystrokes, and thus username and password, of the compromised Dark Army operator:
See also Mr. Robot Disassembled: eps3.9_shutdown -r.
-
Slackware, a classic, minimalistic, and intentionally UNIX-like Linux distribution.
-
Bit.ly, a popular URL shortening service
-
Dropbox, a popular online file storage service
-
cryptsetupand the Linux Unified Key Setup (LUKS)
- Elliot uses PyLyrics to build a better password cracking wordlist based on his personal knowledge of Romero.
bruteforce-luks-
lsblk, "list block devices" Linux command
- Darlene and Elliot use Signal to communicate with one another.
