12: Rumble with HD Moore

HD Moore, famed developer of the widely used Metasploit penetration testing tool, spoke with me about his current focus, RUMBLE, in addition to his perspective on bug bounty programs, advice for aspiring pentesters and more. Of course, we also discussed the happening bar scene in Austin, TX and how the city has become known as Silicon Hills.

SYMLINKS
Metasploit
WarVox
Axman
Project SONAR
Legion of Doom
Masters of Deception
Apache Win32 Chunked Encoding exploit
TESO (Austrian hacker group)
ADM Hacker group
w00w00
ToneLoc
KALI
Bugcrowd
Péché
The Red Headed Stepchild
Small Victory

DRINK INSTRUCTION
THE GETAWAY
1 1/2 oz Tequila
1/2 oz Triple Sec
1/2 oz Lemon Juice
Ginger Ale
Add all components into a shaker. Shake vigorously. Pour into a glass of ice. Top off with ginger ale.



This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris Glanden 01:16

I’m here with one of the world’s leading cybersecurity experts, developer of the Metasploit framework, founder of the Metasploit project, also known for his work on WarVox, Axman and the Sonar project, and now focused on his most recent project, Rumble Network Discovery. Referred to as the industry’s most famous white hat hacker, HD Moore joins me at the bar. HD, welcome.

HD Moore 01:39

Hey, Chris, thanks for having me on.

Chris Glanden 01:41

So, I’m curious to know a little bit more about your hacking saga. Would you mind telling me a little bit about how you initially got into hacking?

HD Moore 01:48

Yeah, sure. I grew up pretty poor. So, it took me a long time, but I finally built some computers out of dumpster parts, and my mom had a job as a medical transcriptionist, which doesn’t pay very much, but had the upside of having a lot of phone lines. So, she would clock off work at 6pm, and everyone else would go to sleep around 9 or 10, and I’d plug in my, you know, ghetto 46 into as many phone lines as I could and dial the world as much, however I could, and that was kind of the start of that. So, I started off with wardialing and phreaking BBSs, and when the internet became a thing I started moving into kind of internet space, and then I joined IRC, and the rest is pretty much history.

Chris Glanden 02:23

Nice, and at that point, I mean, it was still fairly new, right? There weren’t many people out there doing that. So, what inspired you? Who inspired you? Did you read a book? Did you see something on TV? Like, what really sparked your interest there?

HD Moore 02:35

It was a ton of stuff, you know, Legion of Doom, Masters of Deception, and kind of all the old school phreaking and hacking, those books, for sure. I mean, it’s just amazing to me that you could explore the entire world from your living room, or from your basement, or from your closet, like wherever you happen to be. It was such an amazing thing to me that all it took was knowing the magic numbers of a phone number, or later on an IP address, to go all the way around the world and talk to some random system in the middle of nowhere you’ve never seen before. So, for being a poor kid in Texas with, you know, not a lot of access to anything else, that was mind blowing to me. It just really sucked me in.

Chris Glanden 03:08

Gotcha. What are some of the hacks that you’re most proud of? Or particularly interesting ones that you can legally admit to?

HD Moore 03:18

That’s a hard one. There’s lots of really cool vulnerabilities out there, and I like them all for different reasons, right? I think probably the exploit I spent most of my time on, which is, in retrospect, a really easy bug, but at the time was just kind of like when I finally was able to get remote code execution running on Windows properly, was the old Apache chunked encoding bug on the Win32 platform. I remember my first exploit was this crappy pile of, like, Perl scripts that shoved 50 megabytes of data into the memory on the remote host and just jumped randomly trying to find it, and that’s where it started off, and I finally got better at that, like, oh, wow, you can use that pop-pop-ret, or you can use this, or use that.

So that for me kind of unlocked my brain: the ability to actually start doing RCE bugs and start moving to, like, heap exploits and all kinds of fun stuff, and SEH and all kinds of stuff, back when exploits were easy, I guess, compared to these days. These days they’re crazy hard. I don’t know how anyone does that exploit dev anymore. It’s all, like, heap grooming and mitigation bypass. I just like to write code, man. So, I don’t know. It’s a very different world today, and I have a lot of respect for folks who can keep up with the crazy hijinks required to do exploit dev these days.

Chris Glanden 04:19

Yeah, do you still do any exploit dev right now on the side at all?

HD Moore 04:23

A little bit. I mean, I play around with it. Anytime I get a new piece of hardware, I take it apart, I dump firmware, I go through bins, I do all that normal stuff, just for kicks. I’ve got a whole bunch of half disassembled stuff on my workbench and kind of poke at it whenever I can. I like logic bugs, though. The stuff that I find most fun is, you know, information leaks, where you can suddenly take a whole bunch of different information leaks and build them up into something that actually turns into RCE or credential leaks or a bypass. I like a lot of the logic stuff better, I think, because, one, it’s quicker to get to what you want to do, which is to get a shell in the thing. You’re not spending two weeks, like, grooming a heap trying to get things to work just right. I find that super frustrating.

So, for me, I wanted to do something great, and I always cared more about, like, data access or logical access to an application, much more so than did I get root or not. That all seems secondary to what the goal of the thing you’re doing is, right? So, for folks who kind of do a lot of pen testing, root or even DA is not always the goal. Usually the goal is like, well, I need to get into the CDE, or I need to get access to this particular data on this particular server or this particular network, and that’s not always root, right? So be very focused on what your end goals are, and work on exploits and post-exploitation that take you to that goal, even though it’s not necessarily the sexy, remote, perfect heap exploit. I guess that’s kind of where I get excited.

Chris Glanden 05:32

So, you’ve inspired countless security professionals in the world today. Who have been the most influential people to you personally as you came up in the industry?

HD Moore 05:40

A lot of folks. I mean, when I was growing up, there’s this huge, this giant generation in front of me that I always looked up to that mostly weren’t very nice to me when I was a kid, because I was, like, the annoying kid. I was asking, like, hey, getting into, you know, send me that .sh exploit, or send me this thing, or hey, where’s the latest TESO warez, or whatever, right? So, I mean, I grew up kind of looking up to the ADM crew, and LSD-PL, those four guys, Team TESO of course, w00w00, all those folks, right? So early on, there’s a lot of folks that were really influential and helped me kind of get into programming and kind of just get my start. Like, Ted Newsham was a hero of mine, Dan Farmer, of course, for working on SATAN in the first place. Early on, it was really nice working with him again on IPMI stuff recently, or semi recently.

A lot of folks kind of from that era, for sure, that I looked up to, and they were like gods, and later on getting to know Theodore better, getting to know other folks who do a lot of software development, meeting Marty Roesch in the Snort field, like with the Snort project back then before it became Sourcefire. It was just really cool, kind of like growing up among those folks. But I always felt like the noob, the young kid in those scenarios. I was, like, just a couple years younger than everybody else, and also, like, I was just behind the curve and where I wanted to be. So, it was frustrating, but it’s also cool, kind of watching them all do amazing things and trying my best to make a dent in the world too.

Chris Glanden 06:53

Yeah, and I’m sure it carved that path for you, whereas if they didn’t come before you, it’s like, it’s uncharted territory at that point, and you’ve got to have someone to be able to follow, I think, to be able to steer you in one way or another. So, you created Metasploit in 2003. How did that project come about?

HD Moore 07:12

It was a lot of stuff happening at the same time. Like, the early 2000s is when all the old school hacking groups like TESO, LSD, etc., kind of disbanded, or at least went completely private, and folks were less willing to share the exploits that they’d worked on publicly anymore, because there’s a huge commercial demand for them. Like, even doing security testing, you live and die by available exploits. Like, if you went into a bank, and they said, okay, I have this vulnerable server, how come you couldn’t break into it, you couldn’t just tell them you didn’t have an exploit because you weren’t cool enough to get to know the right people on IRC. That’s literally how things worked back then: either you wrote it yourself, or you had a buddy that gave it to you.

So, it was right around the time when we went from being really kind of underground focused and friend based and community based to being much more commercial. It was around that timeframe when Core Security launched their Impact product, the first commercial pen testing tool that actually had exploits in it. That was kind of an inspiration to me as far as, like, having a clean toolkit you could use. So, at the time, I was working at an MSP where I was running the red team, and our tools were a big hodgepodge of all kinds of stuff. We had a bunch of scripts we wrote ourselves, slightly modified tools from other places, and back then what drove me crazy was like, hey, I’ve got this exploit, but it’s a bind shell and I need a reverse shell, or this one’s hard coded for this, but if I just change out the target, that breaks the character set, and therefore I can’t use it, because you have to re-encode the whole shellcode again from scratch. There’s also the time frame when Windows shellcode was absolutely terrible, in 2001, 2002. I mean, the smallest shellcode for a Windows remote shell was by a gentleman named HighSpeed Junkie out of Japan. It was like 730 bytes. It was huge, and of course, I think Halvar had like a 380-byte one. He hadn’t shared it publicly then.

So, the shellcode itself, exploitation techniques and encoding mechanisms, it was all pretty early on as far as, like, building exploits. So, the idea behind Metasploit was how do we standardize all the tools that my team is using? How do we make it so you can just swap out payloads reliably and quickly, which meant building out new encoders, new shellcode encoders, new nopsled generators, things like that?

So, we kind of just took the challenge of building exploits and broke it down into as many small pieces as possible and made those modules, and then you kind of build them, put them back together again, like Legos, to build whatever exploit you want. So, you’ve got your actual attack there, then you’ve got your nop encoder, you’ve got your payload, you’ve got your obfuscation tools at the protocol level, all kinds of stuff. So, it started off being an internal toolkit. The company I worked for decided they didn’t want any part of it. They didn’t like the fact I worked on it; they wouldn’t admit to our clients that it was there because they thought it was shady.

So, we had a lot of financial services customers back then. So, I didn’t get a lot of support from my employer at the time, which is fine, because I was going to do it anyway. So, I ended up spending nights and weekends for the next 15 years on Metasploit, until a couple years ago, when I took a break to spend more time on other things, but that was a lot of fun. I felt it was really cool. Because the cool thing about Metasploit, the thing I’m most proud of, is like, yeah, the code is pretty much crap most of the time, most of the code is absolute garbage. It started out being this big bucket of Perl code that no one liked, ever; they thought it was a script kiddie tool. But what we did is anytime a new technique came out that we thought was cool, we’d implement that in Metasploit, and then it’d be preserved as this functional historical artifact you can actually still use. So, if you have a cool way to do shellcode evasion, great. You’ve got protocol evasion; we’ll actually build that into the protocol stack, and now you can use it with every single exploit that uses that protocol.

So, it’s a great way to take the knowledge of the security community and build on it and make it something that you can actually just re-use and build on, making it better, I guess, and we did the rewrite in Ruby, made it a little bit better, made it cleaner. But with the acquisition of Metasploit, we had a much bigger team, a lot more funding, we could actually support a lot more of that stuff, and we got to showcase more and more of the community’s really cool research. So, for me, it was also kind of a living museum, that was also useful, of all the cool work the community was doing.

Chris Glanden 10:41

So, you still have Metasploit. Now I’m used to seeing Metasploit in Kali Linux, and you still have a commercialized version. I also see with SANS and other infosec courses, even OSCP, you always see Metasploit within the curriculum. In terms of education, is it still important to teach tools like Metasploit, or should courses be more tool agnostic?

HD Moore 10:58

I think it’s good, especially if you… A lot of the time you’ll see Metasploit hasn’t aged well. Things like particular types of shellcode, or exploit techniques, like you’re not going to do an SEH overwrite these days, because all the mitigations prevent it from being useful. Like, you really don’t use pop-pop-ret style return addresses anymore. All the tooling around that doesn’t really work anymore. All the stuff we did in the opcode database is no longer relevant because ASLR changed all the base addresses.

So, there’s a lot of stuff that really stopped being useful in Metasploit. Although there are a lot of things that are still useful. For example, you can take an exploit that’s 10 years old and still bypass modern IDS systems today just by tweaking a couple options, like the evasion capabilities at the protocol level. Like, we implemented SMB from scratch, both in Perl, and then again in Ruby, just like the Impact folks did on the Python side for Core Impact and for Immunity CANVAS, and in doing so it gave us a lot of ways to mangle the protocol and tweak things in ways that were really hard for anybody to decode properly on the wire.

So as far as innovation toolkits, if you’re building a defensive tool, Metasploit is still really useful for testing your system, for making sure you can decode protocols properly and detect attacks properly, and because it’s open ended, because you can plug almost anything into it, if there is a technique in there that you want to reuse, whether it’s a particular type of payload or exploit or evasion method, or you want to use a Meterpreter payload and you want to use it for phishing instead of for an exploit, it’s all there for you.

So, I feel like even though parts of Metasploit definitely aged out of it and are less useful these days, they’re still kind of a historical archive. But the rest of it still is useful for day-to-day stuff, like all the discovery, network protocol discovery, enumeration and information gathering stuff, and login brute forcing in Metasploit. That’s relevant forever. Those protocols just don’t change. So even today, there’s a lot of really cool stuff in Metasploit that actually inspired me to go work on Rumble in the first place. A lot of the discovery modules we did never really made it anywhere else. Like all the network discovery stuff we did for identifying secondary network interfaces, I’ve never seen another tool do that prior to Metasploit, and very few even after that. So that was one of the reasons why I really wanted to go after Rumble and tackle network discovery as well.

Chris Glanden 12:48

Got it. So yeah, I noticed that you’re really focused on Rumble now. Could you explain this initiative and its focus?

HD Moore 12:55

Sure. Yeah. So, one thing working on security products and pen tests for the last 20 years: the very first thing to do in every single network is, okay, what do you have? Give me your scope. What’s your IP space? Okay, now that I know your IPs, what’s actually on your network? What are your devices? And those two components never really got any easier. Like, even in 2021, you still have to do a lot of work to figure out what someone’s networks actually are, and so what was driving me crazy was, okay, we go into this new pen test, we’re doing a new customer, we don’t have credentials or anything, we need to quickly figure out what’s on the network, what’s connected, what these devices are, and there weren’t really any good tools for it. What we saw is that on the IT side, all the tools for doing discovery are based on authenticated discovery. You had to give them your Active Directory credentials, your SNMP, your SSH or Cisco CLI credentials. On the security side, everyone’s using their vulnerability scanning tools as their inventory.

So, the way you figured out what was on the network, you ran Nessus against it. Well, what if you couldn’t run Nessus against that segment, while you knew it was there, even if you didn’t have a good inventory of it? So, it’s this weird kind of corner case, where if you’re trying to do unauthenticated discovery within a network, you really have no good tools for it, because everything was designed to either be credential based or security scanning based, and the scanning tools were really terrible at providing inventory, and IT tools are really terrible at telling you anything about a device they couldn’t authenticate to, and there’s definitely lots of scenarios where you don’t want to sling your credentials around the network. I mean, there’s a lot of fun tools out there like Responder and Flamingo that, if they’re running on a device during a pen test and someone runs Nessus against it, you capture Nessus’s credentials. Like, there’s lots of ways to shoot yourself in the foot when you’re doing authenticated scanning.

So, the whole idea behind Rumble is, let’s give people a really quick way to drop an agent or use this UI scanner and quickly identify the entire network with a very low amount of traffic. So active scan based, but without knocking things over, and that requires doing a custom scan engine, our own SYN scanner, our own protocol and application fingerprinting, etc. So, it’s been a lot of fun. It’s been about two and a half years so far with Rumble. We actually have three employees now. We’ve got a fourth on the way, we’ve got the hiring plan for the year, we’ve got a bunch of customers. So, we’re doing well. We’re actually paying our bills now, which is nice after two years.

Chris Glanden 14:51

Nice. That’s great! So, what are your future plans for the company? Where would you like to ultimately take it?

HD Moore 14:57

Well, I mean, there’s definitely two parts to it. One is, like, what’s the impact on the industry and the community, and part of that has been really focusing on making sure that even though the core of the software is closed source, all of our fingerprints are mostly open source. So, we have, I guess, a little less than half of our fingerprints in Rumble these days that are actually part of the open source Recog project. Recog is fun, because it’s a project that’s technically run by Rapid7. It started off being the fingerprints for the Nexpose product. We rolled it into the Metasploit fingerprinting system. When I worked on Project Sonar, we shoved all the internet scan data into it and used that to basically expand the fingerprint coverage, and now that I’m working on Rumble, we use the same database and contribute back to it for Rumble fingerprinting as well, which is cool. It’s basically just a big XML library of regexes matching device signatures.

So, if you’re doing any kind of cool, like, networking operations work or port scanning work or anything where you want to quickly look up what type of device something is based on its webpage title, or based on the HTTP server banner, or SNMP OID, you can use the Recog databases for that, and they’re under a really wide-open license. It’s great. So hopefully, we’ll help the whole community get better at doing fingerprinting by doing that, and convince people there’s more need for doing just basic inventory across the networks. On the commercial side, we really just want to help our customers quickly identify what’s on the network and be able to search their network quickly.

So, we have a search-based interface. So folks can say, okay, I’m scanning my network every day for a couple months. Find me every SolarWinds Orion box, like that, and that’s when things would quickly be replaced, or for the Zerologon vulnerability, find me every domain controller no matter where they are, and if you’re a large university, you may have 80 different domain controllers in different labs, all part of different domains, because you’ve got so many different units across the organization. We try to help folks who are doing lots of M&A. So healthcare, for example, you’ll have, like, a big hospital buy a bunch of clinics. When they go into those clinics for the first time, they don’t have credentials or anything, they can’t log in to any devices they want to. So instead, they’ll RDP into a Windows box using, like, a temporary system, or you send a Raspberry Pi in with the Rumble agent on it, use that to do all their initial discovery and then build it up from there.

So, I think there’s lots of really cool stuff we can do to help kind of push the industry forward on asset inventory discovery, and really making network connected asset information more visible to everybody. Another part of that is just identifying topology and topology problems. Like, for example, because we take all these really cool techniques for, like, multi-host, we can pull the MAC address of a device, like, 15 different ways across multiple hops.

So, we can often tell people, like, what the MAC address of the device is, even though we can’t directly query the device. So, an example there would be, you’ve got a subnet full of, like, Windows machines, and they all have firewalls enabled. So, most tools are going to tell you jack squat about them, because they can’t measure them, they can’t really ping scan them, they might get ICMP. That’s about it. But Rumble will actually say, oh, look, there’s a printer on the same subnet, and it’s got default SNMP. Let’s dump the ARP cache of the printer and use that to match the MAC addresses back to the Windows hosts, and then see the MAC address of each of those Windows hosts and look at the hardware model, and for the hardware model, we also have manufacturer data on it, and based on this particular prefix of the MAC address, we know it’s actually an Intel NUC.

So, going from, like, almost no knowledge about a device to knowing that it’s an Intel NUC manufactured last whatever, possibly running Windows, just by querying a secondary system on the same subnet. I think it’s one of the cool things that we do. So, there’s lots of really cool research going into that. I feel like we take the same approach as with shellcode and exploits and vulnerability research, but we apply that towards device fingerprinting and asset inventory.

Chris Glanden 18:02

There’s definitely a need for that, for sure, and I guess with that infrastructure, you can pull in different vulnerabilities from different systems too and kind of aggregate everything together.

HD Moore 18:10

Yeah, and we’re trying to stay away from vulnerability detection or vuln scanning. It’s really just about, like, presenting a database of facts to the customer, like, here’s your stuff, and we have a free tier, right. So, every small business with less than 2.6 assets, every home user, we’ve got a free binary for the command line scanner. So, we’re trying to do our best to take care of, like, folks who can’t afford a commercial inventory tool through a free tier, and there’s very few differences between our free version and the paid version besides the number of live assets across the network. So, it’s great. We’ve got something like 3000 users in the free tier today, scanning every possible weird home network ever. We get everything from, like, clinical to healthcare and oil and gas, everything else in the platform. So, it’s really cool to see the stuff that comes in. And, of course, the more folks using it, the better the fingerprints get.

Chris Glanden 18:51

Very cool. So, you mentioned SolarWinds. So here at BarCode, we’ve been using SolarWinds for our DMS (Drink Management System), and I just heard the news. So, my question to you is, how screwed are we?

HD Moore 19:04

I don’t know. I take a lot of these APT style reports with a grain of salt. Like, everyone’s making stuff up. They’re all just doing attribution without a lot of evidence. Like, none of us have to go through court, like you can’t prove any of this junk, right? All you can do is have lots of people pointing fingers in different directions and pick who you believe. It is what it is. I feel like, yeah, it looks like the evidence points to their supply chain getting hacked.

So, modifying the binary of the application, and a lot of us would like to say we would all do better if we were there in their shoes, but we don’t know how they got in in the first place, right? For all we know it was an employee that just walked in and set them up.

So, it’s hard to say. Make sure you can respond to incidents. Like, you can do your best to avoid them, but you also have to make sure that when something does happen, you quickly get on top of it, figure out the damage, see what data left your business, things like that.

Chris Glanden 19:48

You’ve got to be ready for it! You certainly have offensive security ingenuity in your DNA and a mentality for uncovering unorthodox attack methods. I’m curious to get your current thoughts on bug bounty programs. Are the good guys catching up to the bad guys? Or will it always be an unfair race?

HD Moore 20:07

It comes down to incentive, right? There’s still a lot more money to be made in being evil than being good, right? But there’s also a lot more risk, and so the good thing about bug bounty programs is, as much as they annoy the heck out of a lot of people, with people constantly hammering your email address: I found a critical vulnerability, you don’t have DKIM enabled. I know, that’s cool. Like, it’s not a big deal.

So, there’s a lot of folks on the bottom of the bug bounty that are giving the industry a bad reputation. But on the other side of it, it’s amazing. Like, if you told me 20 years ago, or 30 years ago these days, because I’m getting old, that someone would actually pay me money to hack a Fortune 500 company, I didn’t get a letter in advance from the company giving me permission, I could just, like, straight up start banging away on some company’s servers, and that was totally cool, and I wouldn’t go to jail. Like, holy crap, that makes a huge difference to the industry. Like, imagine all the early hackers not worried about getting, you know, raided and busted and thrown in jail for their early exploration.

I mean, it’s sort of like, I feel like bug bounties are great in terms of getting a lot more testing on a lot more systems a lot quicker. But they’re also an amazing tool for making the community level up and become much better at security and hacking going forward. So, I have no idea where we’re going to end up. We’re going to have, like, so many awesome hackers out there in the next few years just because of bug bounties. Like, I’m very enthusiastic and optimistic about it, as much as the low-end folks trying to report DKIM bugs to me drive me crazy.

Chris Glanden 21:26

Yeah, it’s crazy. I mean, I saw they had, like, a million-dollar bounty out. I mean, you hit one of these, and you’re set, you’re good. So that’s another incentive that, you know, was unheard of. I guess even when bug bounty programs started rolling out, they never had that level of incentive. So you’ve got what, Bugcrowd, HackerOne now… Do you find one platform better than the other, or is it just a matter of preference?

HD Moore 21:48

Definitely. So they’ve got two customers, right? They serve both the bug bounty testers and they serve the customers that are running the program with them. So, they both have their ups and downs. Like, disclosure: I was an advisor for Bugcrowd for a while. I really liked what they do. I like the team. I like how they approach things, and I feel like they do a much better job of taking care of the bug bounty folks. Sorry, the bug bounty programs are much more of a white glove, I believe. I feel like they are much more hands on with the customer that’s running the program, where I feel like HackerOne is much more hands on with the actual bug bounty participants.

So, I think they’re going to meet in the middle. It seems like the direction, the current trajectory, is that both are moving towards having similar standards for how they treat bug bounty participants and how they treat bug bounty programs themselves. So, I feel like it’s good that there’s more than one option out there. There’s also Cobalt and everybody else in the space, too. So, I’m glad it’s not just one big player. I’m very glad there’s at least two big players, and even better 3 or 4.

Chris Glanden 22:44

Absolutely. What other ways can you think of that aspiring pentesters can get legit legal experience?

HD Moore 22:51

Well, it’s hard, because pentesting is not generally a profession you can walk a straight path into. You kind of have to zig and zag into it coming from other backgrounds. You already have to be good at something else first to be good at being a pen tester. You already have to know how web apps are developed, or you have to know how networking stuff is done. Like, I was trying to walk through with one of my daughters how to start doing bug bounty programs. She got really excited to go hack all the things, like, okay, cool, let’s do it. She likes K-pop, too.

So, it’s like K-pop slash bug bounty time, and so we are going through it all. She’s like, wait, wait, what? So we spent time in, like, Wireshark, doing things and then IP address stuff, and it didn’t occur to me how much stuff you have to know just to be able to even really get your feet in the door for bug bounties. Because you have to know so much stuff just to get to the point where you’ve been testing a web app, or you can just type things in your browser, right? But if you want to get good at it, and you actually want to be able to do more than just a web app, you have to understand all the other technologies: DNS, IP addresses, TLS.

Everything else that is involved in the process. I feel like for folks who really want to go after security, whether it’s defensive or offensive, you really need a good, strong understanding of low level TCP/IP protocols, things like DNS. You’ve spent a little bit of time in Wireshark and know what every packet does, basically. You have to write some code in some language, and it doesn’t have to be good code, but, like, write some Python, write some Ruby, write some Go. Go write something, be able to automate something, because so much of your work is going to be like, well, if only I could get this magic number by trying 1000 times. You can’t rely on Burp to write it for you. You have to be able to just write your own code here and there.

So those two things, I think, are the basis for a strong security professional background, which is really understanding how things work at the low level, and understanding how to script up and automate things, and of course, if you can also go into reverse engineering, you can also go into deep web application testing, SQL databases, container security, there’s a billion different ways to specialize these days. That’s probably a big difference as well, from kind of when we were growing up and getting into this is, in early days, there was no real specialization.

There were some people who were better at like X.25 versus something else, or this exploit or that exploit, but these days, there’s so many different kinds of niche categories you can focus on. You can be the best, you know, container security person in the world. You can be the best SQL database expert in the world, or Postgres or MS SQL, or the cloud, but AWS only, like, there’s lots of areas where you can go really, really deep these days and differentiate your skill set, where previously you kind of had to be good at everything in building a job in this space.

Chris Glanden 25:09

Yeah, I agree. What are your thoughts on certifications? Do you think certifications are still valuable, or do you think practical hands-on experience is best? What certs would you recommend as being some of the best out there for pentesters?

HD Moore 25:22

It kind of depends. There are some jobs where you need a certification because your clients request it. You need to have an OSCP or CISSP or something like that, just to be able to be considered for that job. So, I can’t really fault anybody for getting a certification that their employer requires. It’s just been plugged in. It’s not going to help your skills in any way. Probably not. But it’s going to help you get the job you need to build your life and make that your career, right.

So, more power to people no matter what sort of cert they get to help them get a job. Outside of that, though, practical certs like the OSCP. You’ve got like, all the SANS… They call it like the GPEN cert as well. There’s not that many that are practical, though. So, I feel like if you’re kind of an autodidact, if you learn well by teaching yourself, you’re almost better off doing anything else. Anything other than a certificate. Certificates aren’t really going to help you learn anything more than you learn yourself, I guess. But I would say go after CTFs, go after bug bounties. Go get real world experience as fast as you possibly can. There are no gates anymore. The fact that you’ve got bug bounties and so many programs that are available to just jump right into means you don’t have to [inaudible 26:27], you can go straight into trying to hack the Fortune 500 companies tomorrow, just using whatever you happen to currently know.

Chris Glanden 26:31

Yeah, just get your written consent and off you go.

HD Moore 26:34

You don’t need that. That’s a great thing. The cool thing about bug bounty programs: so many companies say, yeah, here’s our scope. That’s it. There’s no like permission letter you have to get. It just blows me away. We grew up working with the people kicking down our doors, right? It’s a different world now.

Chris Glanden 26:47

Yeah, exactly. Exactly. So obviously, there is an ethical line there, where maybe these young pentesters want to just get on a site and start hacking away. Obviously, that’s not the way you want to go. Do you know of any sites, or I guess what would be the first step for someone maybe coming out of high school? And I think they’re actually teaching these courses in high school now. But young kids really that want to just start getting to it? What would be your advice on where to get started?

HD Moore 27:14

I mean, Hack The Box, like all those CTF sites, which people are pretty good with. They’re kind of like, you can go look up answer boards if you get stuck someplace, which is the kind of nice thing about them. There’s a good answer to it. Bug bounties are awesome too, when you want to go off to the real world, just because it’s so easy to get into it, the requirements are pretty low. But you really want to start off with kind of a pre-canned environment where you know there’s a right answer to a given problem. The problem with like breaking into real world computers is there is no right answer. Hopefully, if the company does everything right, you can’t get into it, right.

So, it’s one of those things where when you’re first starting out, to build up your confidence, it helps to start off with a CTF first, or go to vulnhub.com and grab like one of the VM images there, reading up on the guides, asking other folks or getting involved. Like, early on, having surrounded yourself with peers who are also at the same stage of learning as yourself helps a lot. So, a lot of forums and Hack The Box, for example, are great for kind of learning from your peers, getting a feel for how to solve the problems, and then just talking to people who are in the industry, doing the kind of work you want to be doing, like, hey, what do you recommend, or what was something that you learned a whole lot by working on.

Chris Glanden 28:16

Organizations are in desperate need of a solid IoT vulnerability management approach. What would be your top recommendations?

HD Moore 28:24

I’m a little bit biased, but I think first you should at least know where they are, at least know how many devices you have in the first place and what networks they’re on. Like, if you see a whole bunch of Apple TVs in your corporate network, like maybe you want to move these to a different segment, maybe you want to put your PS4 in a different VLAN. Like one of the most surprising things about working at Rumble has been, as we do all this work, and we start measuring inventory of all these different companies’ internal networks, how many consumer devices are sitting in corporate LANs these days. Like these aren’t sitting in wireless guest networks, these aren’t sitting like separate from the main production systems, you literally have like the main file server for the company with a PS4 plugged in next to it, and that’s just reality these days.

So, I mean, I think segmentation is definitely a big challenge, and the way to address that is 1) figure out, do I have a PS4 plugged in next to my domain controller, and 2) if I do, let’s move it someplace else. Like that kind of stuff. It’s little things like that. But just getting a handle on your inventory, I think, is really important.

Chris Glanden 29:13

You continue to stay very active in your business and developing Rumble. I’m just curious to know how has COVID affected you or disrupted your day-to-day professional workflow.

HD Moore 29:22

I was born to be locked into a room for all my life. This is great. Now this is where I’m from, man! Like from my day-to-day work perspective, it’s been obviously hard, hard on the family, hard on everyone else having to limit our movements and stay inside, especially with a city that’s running out of hospital beds right now, so things are pretty chaotic.

So, I’m just really grateful that we have our health and, you know, we do our best and we’re able to work from home. So really grateful that I got the option to work out of here and not on the road. Not having to, you know, put myself and my family at risk all the time. Definitely some impact with customers though. Like we saw budgets freeze, a hiring freeze, especially around March through July or so last year; everything basically froze up. One of our largest customer segments was universities, and universities didn’t really have a lot of funding available starting fall last year, because they didn’t know how many students they would still have, or which campuses would be open.

So just watching our customers be substantially financially hit by COVID and the shutdowns has been rough, and we do our best to take care of folks. We gave out a bunch of free licenses to folks who are helping with the pandemic, PPE suppliers, healthcare providers; we have extended free licenses, discounted licenses wherever we could to make things work. We have some folks saying, Hey, we got to cancel our subscription, and like, it’s okay, we’ll cover you for a few months, like just come back whenever you’re ready to talk again. Like, there’s a lot of folks who have been kind of chasing the ambulance and COVID and trying to, like, chase more money out of customers as a result of it, and we’re just doing our best to, like, take a step back. We don’t email our clients saying, Hey, because of COVID…, no, no, we’re here to help you out and not to add more noise to your buffer.

So, in general, I feel like we just tried to be really empathetic with our customers and realize that they’re having a really hard time, and do our best to support them wherever they happen to be, wherever they are, and just grateful that we’re able to continue focusing on development and building the business. Even though we’re stuck at home.

Chris Glanden 31:09

What changes have you seen or anticipate COVID will introduce to the threat landscape?

HD Moore 31:13

I guess for us, the most obvious one has been universities are remote only, and most businesses have almost all their desktops on VPN connections, which is really interesting from our perspective, because the way that we scan devices is agent based: we have like at least one system running a scan agent that scans everything else from it, unauthenticated. So a lot of our customers have started scanning their corporate networks from their VPN, or scanning the VPN networks from the corporate environment; it’s been kind of interesting to see how that maps out.

One of the fun things we work on is topology mapping, here’s how all your networks are interconnected. It used to be your corporate site and a couple hubs and spokes kind of coming off them into one big grid. Now you have basically the corporate site, normal regional sites, and then every single one of your employees’ home computers has two interfaces: their VPN connection and their home network connection, maybe their Wi-Fi connection.

So, the number of individual networks connected back to your corporate network is just, it’s ridiculous, like a thousandfold increase at a lot of companies for the number of interconnections back to the corporate environment.

Chris Glanden 32:08

Yeah, would you say most organizations out there need to rethink their infrastructure?

HD Moore 32:13

I think even folks that were sort of set up for remote work before have definitely had to upgrade their capacities, change other new things. I mean, the good news is, it’s really pushing a lot of trends that should have been increasing anyways. Like kind of the BeyondCorp model, where you’re treating all your internal users like external users in the first place. Or just because you’re on an internal network doesn’t mean that you get access to the system itself; go through all your standard application portals and kind of proxies and so on.

So, I feel like it’s a good opportunity for folks to really accelerate the programs they were probably already in the path of doing. I also feel like, as someone who enjoys working from home and has tried to as much as I can for the last 20 years, like I think it’s great that more people do that. Like, why do we need everyone driving back and forth downtown to go sit in a room in front of a desktop, right? I mean, it’s nice to see your coworkers once in a while in person, in the flesh. But I don’t know, I’ve always been of the opinion that I’m way more productive when I’m stuck in a box by myself somewhere.

Chris Glanden 33:03

I can trap myself in and I’m more productive. I work 24 seven now, and I don’t mind because I love what I do. But it’s like, alright, well hold on a second.

HD Moore 33:11

It’s really hard to take a break now, for sure. I feel especially, for about two years, it was just me at Rumble. So anytime a support ticket came in or something blew up, our server went down, it was just 24/7. So it was nice, to some extent, being stuck at home because it means I don’t have to worry about being halfway to a meeting when something blew up, right?

So, I’m always available, always on, but at the same time, that’s the path to burnout. You got to be really careful and start putting some limits in place or you’re not going to have a good time, and in a couple years, you’re going to be completely wiped out, and all the joy in life is gone at that point. I’ve gone through that a few times in my life, and I’m trying to avoid doing it for the third or fourth time.

Chris Glanden 33:43

I know the feeling, it’s a time struggle sometimes. Okay, so we talked about the threat landscape. Let’s talk about the bar landscape. When you visit a bar, what are you typically scanning for? As in, what is your go-to drink of choice?

HD Moore 33:56

I’m so random. I drink all kinds of stuff. Like especially, I’m trying to be healthier. I’ll tell you, like low carb stuff. I’ll drink like basically champagne or vodka sodas, or when I’m actually feeling like I deserve or deal with something a little more heavy, I love Belgian beers. I love scotch or whiskey. So, there’s lots of stuff between the absolute cocktails on almost anything. I’m not that picky of a drinker.

Chris Glanden 34:19

Nice. So COVID has had an impact on nightlife everywhere, and I’m sure under normal circumstances, the bar scene in Austin has got to be pretty insane. For out of towners like myself, what are some of the best places you would recommend there?

HD Moore 34:33

There are a few places that have really, really good selections of particular types of liquor. So Péché on Fourth Street has an amazing scotch setup. They also have a really good absinthe setup. So, you want to try just weird liquor you’ve never heard of before, or like a bottle you haven’t seen in 20 years, and they don’t have bordello or anything like that. They do have, maybe, absinthes that you never see in the US otherwise.

So, I love bars that just have like a really interesting selection. There are also a couple bars here that are sort of secret; you have to know the right thing and they’re kind of speakeasy style. So, there’s one in town that goes by the handle The Red Headed Stepchild that, if you can find the code to, is great.

So, there’s definitely a lot of little weird kind of corner bars. Small Victory is another great local bar in town. These all tend to be like, kind of small, local places, but they do really interesting things with their cocktails, with their mixers. Some of them do a really good job of like nonalcoholic drinks. If you don’t actually want to drink booze, they can make you a really awesome mocktail out of, like, their handmade bitters and things like that, too. So…

Chris Glanden 35:28

Nice. I love those secret bars and speakeasies. What do you see as a bar’s biggest vulnerability?

HD Moore 35:35

A bar? Obviously, the patrons getting drunk and destroying the place.

Chris Glanden 35:38

Physical vulnerabilities?

HD Moore 35:40

Yeah.

Chris Glanden 35:42

I just heard last call. So, I have one last question for you. If you open a cybersecurity themed bar, what would the name be? And what would your signature drink be called? I mean, Rumble is a great name!

HD Moore 35:57

Hopefully there is no gastrointestinal connotation on that. Well, maybe it’s the Shellcode. That sounds nice, and maybe a beach themed tiki bar with the shellcode.

Chris Glanden 36:11

That’s awesome.

HD Moore 36:12

I do love shells!

Chris Glanden 36:14

Would the Bar be on a beach like a tiki bar? Or would it be in Austin somewhere?

HD Moore 36:19

Well, I like Austin. It is probably in Austin someplace. I think beach-themed bars are great, but we would have to rebuild them every couple years with hurricanes.

Chris Glanden 36:25

Is Austin becoming the new Silicon Valley 2.0?

HD Moore 36:28

I hope not! I’ve been here since the 80s, and so, it used to be a really broke, cheap college town full of hippies and great music, and it’s still got some of that, but it’s definitely getting more metropolitan, more folks from out of state moving in.

Chris Glanden 36:42

Everybody from California is coming over. Right? Are you starting to see that?

HD Moore 36:44

Yeah. The biggest downside for us, really for locals, is that property prices have been shooting through the roof. Because if the cheapest house you can buy in California is a million bucks and you bring that money to Texas, you can buy a lot of houses for a million dollars. Like all the central areas are just getting packed, more of the locals getting pushed out to the outskirts.

So, it’s hard for Austin to keep kind of its soul, because so many new folks are moving to the center of town, and that’s really where a lot of the culture was. It’s not bad, I feel things change over time, and you know, the only constant is change, right?

So, we have Austin Hackers Anonymous, which we’ve been running for 13 years right now with monthly meetings. I think we peaked at 120 people per month showing up to it, and everyone has to talk. Like there are no lurkers. If you show up, you have to talk your first time, and usually there are like 15 to 25 fire talks every single month, back-to-back. I’ve been doing that for years. So, there’s also like, you know, DC512, there’s the 2600 group, there’s a lot of other locals; the lockpicking group here is awesome. So, there’s a ton of like, hacker culture here in town. It’s amazing. It’s been a great group of people to hang out with and go bar hopping with, all that too.

Chris Glanden 37:48

Did you see the evolution of Austin going in this direction? When did it start becoming a major tech hub?

HD Moore 37:55

Really back in the 80s. There are really two parts. The hacker culture actually started before then; if you look at where a lot of the early like sneakers and stuff were, like the Phoenix Project and all that stuff was actually here in Austin, like Steve Jackson Games getting raided for what they thought they were actually running, like for cyberpunk and stuff like that. That was actually here in Austin as well.

So, a lot of the early like old school phreaking/hacking stuff is actually based in Austin, Texas, and as a result, a lot of the old school like security kind of counterculture folks are still around. Like I remember going to a meetup when I was a kid and seeing Minor Threat there, who wrote ToneLoc, and I’m like “Oh, my God!!”, it was really cool. So, that’s one of the heroes I met early on. I was like, I use your tool all day long, and even with Rumble, we have a visualization in Rumble that’s the ToneLoc tone map; that was based on that, like the war dialing view.

So, I love it. So, as far as like the hacker culture, it has been here from the beginning, and having a big college campus here in town is ready for that, which is a great source of folks coming in and learning stuff and sharing it, and just a really open, friendly community. In general, there’s not a lot of jerks here, which is great. As far as the technology here, the big thing that triggered that was a thing called SEMATECH. Back in the late 80s, early 90s. It was a group of chip manufacturers, like silicon wafer manufacturers, that were trying to build a new plant and they went to San Antonio. San Antonio says, “Nah, we’re good. We don’t want you”.

So, they came to Austin, and Austin was like, “Yeah, sure”. So, they came, Applied Materials, then came Samsung, AMD; they all really got brought here because of that SEMATECH chip fab. That’s why we are called Silicon Hills. It wasn’t about technology, or wasn’t about like the software side of technology. It was about actual silicon manufacturing, and then eventually led to being the common (inaudible) collapsed in early 2000s. You see, we’re never at anyone’s headquarters, we’re always their second biggest office.

So, if you look at like where people want to be, and I don’t want to rattle off too many names here. But like, any big major tech company usually has a sizable presence here in Austin, because that’s where their employees want to be, and it’s got a huge amount of talent to hire from. As well as we’ll continue to progress as people move here.

Chris Glanden 39:51

It’s rare that you can walk down the street and you don’t bump into another engineer.

HD Moore 39:55

I will walk around town for a meeting and on the way out, like one or two or three random hackers are like “Oh, hey, how’s it going? I have not seen you in a couple weeks, like see you at the next meeting!” It’s just the city. So yeah, and when the music scene is great and people have been pretty friendly, so I think even if people move here from the East Coast or West Coast, they try to adopt a positive attitude when they get here, just a little less pretty times, a little more friendly, and they can give the benefit of the doubt. Just be nice to people in general. So, it’s definitely a kinder, friendlier city than most places have been.

Chris Glanden 40:20

Cool. Well, HD, thank you so much for joining. I appreciate you sharing your knowledge with us, and I wish you all the luck with Rumble, and real quick before we leave, would you mind letting us know where our listeners can find you online, what your social media footprint is?

HD Moore 40:33

Sure, yeah. I mean, for all the Rumble stuff, rumble.run is the website; for my personal stuff it’s HDM.io. Then on Twitter it’s HD Moore, or GitHub is HDM.

Chris Glanden 40:41

Thanks, man. Next time I come down to Austin, let’s catch up for a drink.

HD Moore 40:46

Look forward to it, Chris. Hopefully the pandemic will be over soon and we can get back to having a little more fun, right?

Chris Glanden 40:51

Definitely. Thanks, man.
