1 00:00:00,083 --> 00:00:01,375 All right. 2 00:00:01,375 --> 00:00:02,834 All right, hey, everybody. 3 00:00:02,834 --> 00:00:03,834 Welcome. 4 00:00:03,834 --> 00:00:04,834 Welcome. 5 00:00:04,834 --> 00:00:05,834 You have made it. 6 00:00:05,834 --> 00:00:06,834 We made it. 7 00:00:06,834 --> 00:00:11,417 Today we are going to talk about man in the middle attacks on doing it 8 00:00:11,417 --> 00:00:14,834 on an IPv4 network using five. 9 00:00:17,292 --> 00:00:19,125 I'm Scott Behrens. 10 00:00:19,125 --> 00:00:22,292 I work at Neohapsis and I'm an adjunct professor 11 00:00:22,292 --> 00:00:25,042 at DePaul University. 12 00:00:25,083 --> 00:00:29,999 BRENT BANDELGAR: And I'm Brent Bandelgar, I also work with Neohapsis. 13 00:00:32,999 --> 00:00:39,250 We have to give the hats off to the principal at Neohapsis. 14 00:00:40,834 --> 00:00:44,417 SCOTT BEHRENS: Well, we are going to touch 15 00:00:44,417 --> 00:00:49,042 on something that came out a few years ago, which is known 16 00:00:49,042 --> 00:00:51,626 as a SLAAC attack. 17 00:00:51,999 --> 00:00:55,876 We have systems like Windows vista and Windows 7. 18 00:00:58,999 --> 00:01:02,999 Alec Walters developed a guide to exploit this fact. 19 00:01:02,999 --> 00:01:04,584 It's called a SLAAC attack. 20 00:01:06,292 --> 00:01:09,751 One of the observations we made when we were playing around in the lab, 21 00:01:09,751 --> 00:01:12,999 it was difficult to follow the steps he outlined. 22 00:01:13,209 --> 00:01:14,876 We ran into a lot of issues. 23 00:01:14,876 --> 00:01:18,999 What we did is how we updated the attack to make it easier to use 24 00:01:18,999 --> 00:01:22,959 and a one click install sort of approach. 25 00:01:22,959 --> 00:01:26,250 BRENT BANDELGAR: Right and here we have our Blain vanilla 26 00:01:26,250 --> 00:01:28,375 legacy network. 27 00:01:28,375 --> 00:01:34,125 It does only IPv4, it has DVP, and there's no IPv6. 28 00:01:34,125 --> 00:01:36,709 We have Windows Host and Windows 7. 29 00:01:38,792 --> 00:01:45,584 What Alec Waters put together the evil router in the red. 30 00:01:45,999 --> 00:01:52,999 There's two nodes, the evil router and the evil DNS are intercepting traffic. 31 00:01:53,292 --> 00:01:57,083 They are doing they are running an IP version 6 network which 32 00:01:57,083 --> 00:02:02,709 is in the blue and then passing it through their packages and their DNS. 33 00:02:02,959 --> 00:02:06,250 Again, this is their own host and then it's resending that 34 00:02:06,250 --> 00:02:09,626 out over the IP version 4 network. 35 00:02:09,709 --> 00:02:11,918 SCOTT BEHRENS: This takes advantage 36 00:02:11,918 --> 00:02:14,999 of is those advertised as IPv6. 37 00:02:18,834 --> 00:02:22,999 Yes, I want to route over IPv6 and we take advantage of the fact 38 00:02:22,999 --> 00:02:27,083 and run them through our interface, for example. 39 00:02:27,083 --> 00:02:29,501 BRENT BANDELGAR: And then back out to IPv4. 40 00:02:29,834 --> 00:02:31,667 Completely transparent to the user. 41 00:02:33,209 --> 00:02:38,709 Here's the guide presented by Alec Waters. 42 00:02:39,083 --> 00:02:42,542 It's not affected because it doesn't have an IPv6. 43 00:02:45,999 --> 00:02:49,709 We just got a copy on Windows 8. 44 00:02:49,999 --> 00:02:52,334 We couldn't get it to work properly. 45 00:02:52,542 --> 00:02:57,999 SCOTT BEHRENS: It might be difficult to see in the next screen shot. 46 00:02:58,083 --> 00:03:02,125 BRENT BANDELGAR: We have some IPv6, routers 47 00:03:02,125 --> 00:03:07,125 but the Windows 8 no longer sends the DNS service setting 48 00:03:07,125 --> 00:03:09,999 through SLAAC alone. 49 00:03:09,999 --> 00:03:12,083 SCOTT BEHRENS: It tries to make 50 00:03:12,083 --> 00:03:16,083 a request and doesn't get a DNS and then falls back to IPv4, which 51 00:03:16,083 --> 00:03:21,792 is known as happy eyeballs and we will touch on that presentation later on. 52 00:03:22,209 --> 00:03:24,918 BRENT BANDELGAR: There are some other issues. 53 00:03:26,375 --> 00:03:28,876 First off, there's a lot of configuration files that you have 54 00:03:28,876 --> 00:03:30,751 to go through and edit. 55 00:03:31,125 --> 00:03:34,125 So these steps were very detailed but there's still a lot of things 56 00:03:34,125 --> 00:03:35,999 to go through. 57 00:03:35,999 --> 00:03:40,334 A lot of IP addresses and ranges to keep track of, lots of flags 58 00:03:40,334 --> 00:03:42,542 to go through. 59 00:03:42,709 --> 00:03:46,125 SCOTT BEHRENS: And it used a lot of old and deprecated packages. 60 00:03:47,083 --> 00:03:49,709 They said it was held together with string and sticky tape 61 00:03:49,709 --> 00:03:52,292 and that's pretty parallel to what we experienced when we were 62 00:03:52,292 --> 00:03:54,626 playing with this in the lab. 63 00:03:54,999 --> 00:03:57,999 And, you know, because of that, we went back to the blog post 64 00:03:57,999 --> 00:04:00,999 and we are like, are we the only ones having problems getting 65 00:04:00,999 --> 00:04:02,751 this working? 66 00:04:02,751 --> 00:04:05,209 And we were reading through the forums Duncan couldn't get 67 00:04:05,209 --> 00:04:08,999 it to work and Vox couldn't get it to compile. 68 00:04:10,167 --> 00:04:13,834 It was something that we thought could be an awesome weapon 69 00:04:13,834 --> 00:04:17,250 for penetration tests or things like that. 70 00:04:17,542 --> 00:04:19,709 BRENT BANDELGAR: All right. 71 00:04:19,709 --> 00:04:21,501 To make that feasible SCOTT BEHRENS: Yeah so what we decided 72 00:04:21,501 --> 00:04:23,209 we needed was ... 73 00:04:27,459 --> 00:04:29,417 BRENT BANDELGAR: It's up. 74 00:04:29,417 --> 00:04:31,125 SCOTT BEHRENS: Check that out. 75 00:04:31,125 --> 00:04:32,999 I got that from freebanners.net. 76 00:04:34,334 --> 00:04:36,751 Automation domination, right? 77 00:04:36,751 --> 00:04:38,667 BRENT BANDELGAR: Yeah. 78 00:04:39,918 --> 00:04:40,999 Oops. 79 00:04:40,999 --> 00:04:42,999 SCOTT BEHRENS: And really what this does is it's one Bash script 80 00:04:42,999 --> 00:04:44,876 to rule them all. 81 00:04:45,542 --> 00:04:49,083 Coming up with the defaults for the configurations, moving 82 00:04:49,083 --> 00:04:53,542 all the old deprecated packages, we came up with the one click install 83 00:04:53,542 --> 00:04:56,999 that takes care of all the dependencies and configures 84 00:04:56,999 --> 00:05:00,209 your host and we made some adjustments so it does work 85 00:05:00,209 --> 00:05:01,999 on Windows 8. 86 00:05:02,999 --> 00:05:06,667 And it's been currently tested on LTS and we have tested 87 00:05:06,667 --> 00:05:10,792 on a variety of the Kali flavors and you should be able to run 88 00:05:10,792 --> 00:05:15,083 the script and run all the man in the middle things. 89 00:05:17,876 --> 00:05:20,542 Before you get started, you will need to know the interface 90 00:05:20,542 --> 00:05:23,834 of your attacker host that you want to run it on. 91 00:05:23,999 --> 00:05:27,959 And you will also need an extra IPv4 on the network you are attacking 92 00:05:27,959 --> 00:05:29,999 to do translation. 93 00:05:29,999 --> 00:05:33,292 SCOTT BEHRENS: You want to test in your own isolated lab first. 94 00:05:33,751 --> 00:05:36,459 It's a relatively aggressive attack. 95 00:05:36,459 --> 00:05:39,751 You are basically going to route everything through your host. 96 00:05:39,751 --> 00:05:41,999 If you imagine doing this on a relatively flat network where you 97 00:05:41,999 --> 00:05:46,209 have 100, or 200 or n number of hosts, you will routing a lot of traffic 98 00:05:46,209 --> 00:05:48,292 through your host. 99 00:05:48,292 --> 00:05:49,459 You have to be careful. 100 00:05:49,459 --> 00:05:52,999 We suggest you test it on a couple of hosts first. 101 00:05:52,999 --> 00:05:55,999 And another thing I wanted to mention, that might not have been totally clear 102 00:05:55,999 --> 00:05:57,999 in the slides is that this attack only works 103 00:05:57,999 --> 00:05:59,918 on a local network. 104 00:05:59,918 --> 00:06:00,959 You know, you need to be on the same subnet 105 00:06:00,959 --> 00:06:03,501 as the victims that you are targeting. 106 00:06:03,501 --> 00:06:04,999 BRENT BANDELGAR: All right. 107 00:06:04,999 --> 00:06:07,667 Let's go ahead and see how the installation looks. 108 00:06:07,667 --> 00:06:10,083 The reason we are showing you this is just because of how little time you 109 00:06:10,083 --> 00:06:13,999 actually how little time you actually need to get it running. 110 00:06:14,792 --> 00:06:16,999 Literally we invoked the command. 111 00:06:17,542 --> 00:06:21,375 And within a couple of minutes or less than a minute, it's going 112 00:06:21,375 --> 00:06:26,167 to pull down a number of packages, such as taking it to do the standard 113 00:06:26,167 --> 00:06:29,250 by nine, the server, the standard DOHV server 114 00:06:29,250 --> 00:06:33,250 and that's pretty much everything you need to start setting 115 00:06:33,250 --> 00:06:36,250 up your IPv6 overlay network. 116 00:06:37,209 --> 00:06:41,667 SCOTT BEHRENS: When we originally set this up, and before, 117 00:06:41,667 --> 00:06:46,125 you know, RTFM done bind here, I ended up writing a DNS revolver 118 00:06:46,125 --> 00:06:51,667 to do a super hack job and at the end of the day it was one line of work and 119 00:06:51,667 --> 00:06:55,584 in a bind, so just a lesson to everybody. 120 00:06:55,584 --> 00:06:56,999 Please read your manuals. 121 00:06:58,999 --> 00:07:00,334 (Laughter). 122 00:07:00,334 --> 00:07:01,751 BRENT BANDELGAR: Yeah. 123 00:07:01,751 --> 00:07:02,751 So it's ready. 124 00:07:02,751 --> 00:07:03,999 SCOTT BEHRENS: Right. 125 00:07:03,999 --> 00:07:06,083 And so although it went relatively quick. 126 00:07:06,083 --> 00:07:06,083 One of the other things that the script really does it prompts you 127 00:07:06,083 --> 00:07:08,626 for two points of input and it has to be the interface that you are going 128 00:07:08,626 --> 00:07:10,542 to run the attack on. 129 00:07:10,542 --> 00:07:14,876 So here although it scrolled pretty fast, the attacker specified 0 and you need 130 00:07:14,876 --> 00:07:19,999 to identify a free IP address on the network that you are targeting. 131 00:07:19,999 --> 00:07:22,501 BRENT BANDELGAR: Right and at the end it starts 132 00:07:22,501 --> 00:07:27,375 up all the relevant services and the kernel modules that you need. 133 00:07:27,751 --> 00:07:30,292 SCOTT BEHRENS: It's not persistent. 134 00:07:30,292 --> 00:07:31,083 So, you know, once you have actually set this up, 135 00:07:31,083 --> 00:07:32,584 you will need to the run the script again 136 00:07:32,584 --> 00:07:33,999 if you reboost your host or switch networks 137 00:07:33,999 --> 00:07:35,999 or something like that. 138 00:07:35,999 --> 00:07:39,209 BRENT BANDELGAR: It's two line fixes to make it persistent. 139 00:07:39,209 --> 00:07:41,584 If anybody is interested, we can talk later. 140 00:07:41,626 --> 00:07:43,542 SCOTT BEHRENS: Yep. 141 00:07:43,542 --> 00:07:43,709 BRENT BANDELGAR: So now we see what this looks 142 00:07:43,709 --> 00:07:45,125 like on the client side. 143 00:07:45,125 --> 00:07:49,918 On our own Windows 8 host. 144 00:07:49,918 --> 00:07:53,709 First off, we see that the it's received our IP version 145 00:07:53,709 --> 00:07:57,167 6 addresses and the IPv6 didn't. 146 00:07:57,209 --> 00:07:58,209 That's paused. 147 00:07:59,417 --> 00:08:00,667 Unpause. 148 00:08:00,999 --> 00:08:08,999 We will fire up our Wireshark and load up Google in another window. 149 00:08:08,999 --> 00:08:12,501 We see it will be going over IPv6 on our configured prefix. 150 00:08:12,501 --> 00:08:13,834 SCOTT BEHRENS: Right. 151 00:08:13,834 --> 00:08:16,501 BRENT BANDELGAR: And then we pull up the flow to verify that that 152 00:08:16,501 --> 00:08:18,999 is our HTTP request. 153 00:08:18,999 --> 00:08:20,125 SCOTT BEHRENS: Right. 154 00:08:20,125 --> 00:08:21,125 Cool. 155 00:08:21,125 --> 00:08:22,834 BRENT BANDELGAR: All right. 156 00:08:26,083 --> 00:08:29,999 SCOTT BEHRENS: So, yeah, we can see that the traffic, you know, 157 00:08:29,999 --> 00:08:34,626 transparent to the victim, all the traffic is running over IPv6. 158 00:08:34,626 --> 00:08:38,125 BRENT BANDELGAR: And this is what it looks like on the attacker side. 159 00:08:38,125 --> 00:08:40,167 SCOTT BEHRENS: We have the attacker. 160 00:08:40,167 --> 00:08:41,501 He's run the one click install and on Kali waiting 161 00:08:41,501 --> 00:08:44,334 for that request to happen. 162 00:08:45,876 --> 00:08:49,459 We see the request come in and at this point, now we are kind 163 00:08:49,459 --> 00:08:53,334 of seeing a combination of the IPv6 traffic and we're also seeing 164 00:08:53,334 --> 00:08:56,834 us do the translation back to IPv4 so we can actually get 165 00:08:56,834 --> 00:08:59,292 out of the network, right? 166 00:08:59,292 --> 00:09:00,999 We are taking advantage of the fact that we don't have 167 00:09:00,999 --> 00:09:03,999 a full IPv6 tunnel out to the Internet here. 168 00:09:03,999 --> 00:09:05,999 BRENT BANDELGAR: That was the IPv6 request coming 169 00:09:05,999 --> 00:09:07,999 in from the client. 170 00:09:09,999 --> 00:09:12,876 SCOTT BEHRENS: And now we can see that the victim's traffic, we have 171 00:09:12,876 --> 00:09:16,334 the header's there and some of the cookies and the data as well. 172 00:09:16,334 --> 00:09:19,876 BRENT BANDELGAR: And that's being retransmitted out over IPv4. 173 00:09:19,876 --> 00:09:22,209 SCOTT BEHRENS: So basically in the ban of very quick, you are man 174 00:09:22,209 --> 00:09:26,918 in the middling your victim's traffic over clear text. 175 00:09:34,501 --> 00:09:37,250 (Applause) BRENT BANDELGAR: Thank you. 176 00:09:37,334 --> 00:09:38,626 Yeah. 177 00:09:38,626 --> 00:09:41,125 SCOTT BEHRENS: So, yeah, we really think the main focus 178 00:09:41,125 --> 00:09:44,334 is to improve the efficiency and, you know, it went 179 00:09:44,334 --> 00:09:46,918 from spending quite a of time in the lab 180 00:09:46,918 --> 00:09:50,083 to work and now it's two variables and about a minute 181 00:09:50,083 --> 00:09:52,459 of configuration time. 182 00:09:54,876 --> 00:09:57,999 (Applause) BRENT BANDELGAR: All right. 183 00:10:00,250 --> 00:10:04,042 Unfortunately not all is rosy in IPv6 land. 184 00:10:04,334 --> 00:10:08,083 We do have a couple of issues with the attack as it is. 185 00:10:08,083 --> 00:10:09,999 SCOTT BEHRENS: Yeah, and the hugest one 186 00:10:09,999 --> 00:10:12,751 is disabling IPv6 by policy. 187 00:10:12,751 --> 00:10:14,999 So if, you know, you are in an organization that has it turned 188 00:10:14,999 --> 00:10:17,999 off this attack just simply is not going to work and in general, 189 00:10:17,999 --> 00:10:20,000 you know, one of the things that's kind of nice 190 00:10:20,000 --> 00:10:21,999 about this attack. 191 00:10:21,999 --> 00:10:23,667 Any time you set up a new Windows host that it has this 192 00:10:23,667 --> 00:10:25,000 turned on. 193 00:10:25,459 --> 00:10:27,417 So unless it's explicitly turned off, you will have 194 00:10:27,417 --> 00:10:30,999 a good chance that have hosts that have IPv6 enables. 195 00:10:30,999 --> 00:10:33,959 One of the other things that we have to be on the lookout 196 00:10:33,959 --> 00:10:36,999 for are IPv6 network defenses. 197 00:10:36,999 --> 00:10:38,751 And these are specifies in RFC6105. 198 00:10:39,751 --> 00:10:43,042 There's also a guide that Cisco put out that talks about how to find 199 00:10:43,042 --> 00:10:45,999 of protect against first hop sort of attacks and they have 200 00:10:45,999 --> 00:10:49,999 a technology called RA guide, router advertisement guard. 201 00:10:49,999 --> 00:10:53,834 That basically stops when, we send out that router advertisement packet, 202 00:10:53,834 --> 00:10:57,959 that guard basically blocks that packet from hitting the other ports 203 00:10:57,959 --> 00:10:59,751 on the switch. 204 00:10:59,751 --> 00:11:03,209 BRENT BANDELGAR: And some of the other issues we have run 205 00:11:03,209 --> 00:11:06,709 into in the lab is different operating systems 206 00:11:06,709 --> 00:11:11,999 will implement RFC6555 differently, which specified that there's here six 207 00:11:11,999 --> 00:11:18,083 if it rolls back to IPv4, if the IPv6 is not coming back fast enough. 208 00:11:18,459 --> 00:11:20,292 SCOTT BEHRENS: It's interesting. 209 00:11:21,584 --> 00:11:24,876 The happy eyeball effect on ubuntu is different 210 00:11:24,876 --> 00:11:29,584 on Linux and there's room to figure out what those conditions are that 211 00:11:29,584 --> 00:11:33,125 actually trigger that fallback and unfortunately when 212 00:11:33,125 --> 00:11:37,999 the fallback happens it seems to then just prefer IPv4. 213 00:11:39,083 --> 00:11:42,459 If you are on a relatively latent network or your routing is latent 214 00:11:42,459 --> 00:11:44,999 for whatever reason and the hosts drop back to IPv4, 215 00:11:44,999 --> 00:11:47,792 there's a good chance that they will not actually route 216 00:11:47,792 --> 00:11:49,999 through your host again. 217 00:11:49,999 --> 00:11:52,999 So once again, we kind of suggest if you are going to run this attack 218 00:11:52,999 --> 00:11:56,542 on a production network or something, that you have some pretty you know, 219 00:11:56,542 --> 00:11:59,083 have a good network connectivity. 220 00:11:59,083 --> 00:12:00,334 Don't be doing this over a latent wireless network 221 00:12:00,334 --> 00:12:02,375 or something like that. 222 00:12:02,375 --> 00:12:03,709 BRENT BANDELGAR: Yep. 223 00:12:03,709 --> 00:12:06,459 Another issue that we are getting into is different operating systems 224 00:12:06,459 --> 00:12:10,626 will prefer will query their DNS servers in different orders. 225 00:12:10,999 --> 00:12:16,083 Sometimes they queries the IPv4 servers first, so we miss 226 00:12:16,083 --> 00:12:21,792 out on translating the IPv6 through our server. 227 00:12:21,792 --> 00:12:28,417 SCOTT BEHRENS: Yeah, there's room for improvement. 228 00:12:28,751 --> 00:12:33,083 We think one of the biggest things is to actually specify the target scope. 229 00:12:33,083 --> 00:12:37,292 Right now, it snags the whole subnet, and that's a little noisy. 230 00:12:37,292 --> 00:12:39,918 If you are on a pen test and you are just targeting a specific server, 231 00:12:39,918 --> 00:12:41,709 you really don't want to route everything, 232 00:12:41,709 --> 00:12:45,999 and so that's definitely something that we are going to try to work out here. 233 00:12:46,959 --> 00:12:50,209 We will also automate some basic network recognizance. 234 00:12:53,125 --> 00:12:55,999 That's just one left step that someone could either mess 235 00:12:55,999 --> 00:12:58,667 up or make it easier for everybody. 236 00:12:58,667 --> 00:12:59,792 BRENT BANDELGAR: We like to figure 237 00:12:59,792 --> 00:13:03,959 out if there's IPv6 countermeasures implemented on a network. 238 00:13:03,959 --> 00:13:06,834 For example, if being able to send out a router advertisement 239 00:13:06,834 --> 00:13:10,292 and then just waiting to specify a time and nothing comes back, 240 00:13:10,292 --> 00:13:15,709 we can probably assume that there's nothing that our stuff is being blocked. 241 00:13:15,709 --> 00:13:19,209 SCOTT BEHRENS: Yeah, that they have a protection enabled, correct. 242 00:13:19,209 --> 00:13:20,626 BRENT BANDELGAR: We would like to be able 243 00:13:20,626 --> 00:13:25,999 to automatically configure IP version 6 to look at v6 connectivity and 244 00:13:25,999 --> 00:13:30,083 the reason for that is sometimes clients will receive 245 00:13:30,083 --> 00:13:33,250 a quad A a legitimate quad A IPv6 address 246 00:13:33,250 --> 00:13:38,584 and they will not be able to connect back to that site. 247 00:13:38,751 --> 00:13:41,999 And so they will the happy eyeballs will kick in and they fall back. 248 00:13:41,999 --> 00:13:45,459 So we would like for that to be as easy as possible as well. 249 00:13:45,459 --> 00:13:47,292 SCOTT BEHRENS: Right, exactly. 250 00:13:47,292 --> 00:13:49,999 BRENT BANDELGAR: Another thing we would like to automate, 251 00:13:49,999 --> 00:13:53,083 is leveraging, the IPv6 hacker tools. 252 00:13:53,083 --> 00:13:55,292 There are a number of tools in there. 253 00:13:55,792 --> 00:14:01,083 There's a tool that will listen for the router advertisement responses 254 00:14:01,083 --> 00:14:05,459 and they will just this basically will display the list 255 00:14:05,459 --> 00:14:09,709 of IPv6 addresses getting handed out and MAC addresses 256 00:14:09,709 --> 00:14:16,209 and you can see which clients are being added on to the overlay network. 257 00:14:16,209 --> 00:14:17,792 SCOTT BEHRENS: It gives you a little bit more metrics 258 00:14:17,792 --> 00:14:19,959 and give you a better clue on actually what's going 259 00:14:19,959 --> 00:14:21,667 on with the attack. 260 00:14:21,999 --> 00:14:23,626 And we would also like to see this expanded 261 00:14:23,626 --> 00:14:25,250 to more platforms. 262 00:14:25,709 --> 00:14:29,999 We looked at the mobile stuff but IPv6 didn't seem to be there, right, 263 00:14:29,999 --> 00:14:31,709 on Android. 264 00:14:31,709 --> 00:14:33,876 BRENT BANDELGAR: No, Android is there. 265 00:14:33,999 --> 00:14:38,834 And IOS, they are in linear order and so their DNS servers 266 00:14:38,834 --> 00:14:41,751 will always go first. 267 00:14:41,999 --> 00:14:44,999 SCOTT BEHRENS: And so we ran into some issues with that. 268 00:14:44,999 --> 00:14:46,999 I think there's more search that could be done to figure 269 00:14:46,999 --> 00:14:49,250 out how do we get this across a broader array 270 00:14:49,250 --> 00:14:51,375 of operating systems. 271 00:14:51,375 --> 00:14:53,167 BRENT BANDELGAR: And, of course, we would 272 00:14:53,167 --> 00:14:56,209 like to get this ported to other attackers as well 273 00:14:56,209 --> 00:14:59,709 to unite people's needs and preferences. 274 00:14:59,709 --> 00:15:00,999 SCOTT BEHRENS: Right. 275 00:15:00,999 --> 00:15:02,459 BRENT BANDELGAR: All right. 276 00:15:02,459 --> 00:15:03,876 So here's how you can help. 277 00:15:03,876 --> 00:15:06,292 SCOTT BEHRENS: Go ahead and pull it off of here. 278 00:15:06,292 --> 00:15:08,417 There's one other we love people to help. 279 00:15:08,417 --> 00:15:10,751 So if you have ideas or have been working with similar stuff, 280 00:15:10,751 --> 00:15:15,125 feel free to forward the project and submit a pull request. 281 00:15:15,125 --> 00:15:15,999 We will be happy to add whatever you guys come 282 00:15:15,999 --> 00:15:17,250 up with. 283 00:15:17,709 --> 00:15:18,709 And one other note, be careful on running this 284 00:15:18,709 --> 00:15:20,375 on production networks. 285 00:15:20,375 --> 00:15:22,999 It's a pretty kind of aggressive attack. 286 00:15:22,999 --> 00:15:25,751 Test it out in your lab first before you totally blow it 287 00:15:25,751 --> 00:15:29,751 out of the water on somebody's network, right? 288 00:15:29,751 --> 00:15:31,209 BRENT BANDELGAR: All right. 289 00:15:31,209 --> 00:15:33,918 With that SCOTT BEHRENS: Well, thank you, guys.