
Mr. Robot's Netflix 'n' Hack

0xACAB edited this page Jan 16, 2021 · 232 revisions


  • Tagline: Let Mr. Robot teach you how to hack—and how to stop hackers from hacking you!
  • Description: Watch an episode of "Mr. Robot," a TV show dramatizing the lives of rogue hackers in NYC with unparalleled technical accuracy, and then get an introduction to how the tools, techniques, and procedures ("TTPs") shown in the episode work in real life. After we watch an episode of the show, we'll discuss the tools used, get them installed on our laptops, and try them out. When we meet next, we'll show one another what we've learned, and continue with the next episode. By the end of the 10-week first season, you'll have gotten a hands-on tour of various tools in the Kali Linux penetration testing distro, and a better sense of how to separate fiction from reality in contemporary hacking dramas in pop culture. We'll finish by tackling a Mr. Robot-themed hacking challenge so you can practice what you've learned, and maybe even join a hacking team.
  • Facilitating: How to facilitate Mr. Robot's Netflix 'n' Hack
  • See also: InfoSec, Mr. Robot Trains the Trainers, 🌐 GeekWire's "Mr. Robot Rewind" series (contains spoilers), Manisso/fsociety, Glossary.

Watch the Mr. Robot trailer to see if this is a show you might enjoy watching and learning from:

Mr. Robot Season 1, extended trailer

  1. 🌐 Season 1
    1. Week 1 (S01E01)
    2. Week 2 (S01E02)
    3. Week 3 (S01E03)
    4. Week 4 (S01E04)
    5. Week 5 (S01E05)
    6. Week 6 (S01E06)
    7. Week 7 (S01E07)
    8. Week 8 (S01E08)
    9. Week 9 (S01E09)
    10. Week 10 (S01E10)
  2. 🌐 Season 2
    1. Week 11 (S02E01)
    2. Week 12 (S02E02)
    3. Week 13 (S02E03)
    4. Week 14 (S02E04)
    5. Week 15 (S02E05)
    6. Week 16 (S02E06)
    7. Week 17 (S02E07)
    8. Week 18 (S02E08)
    9. Week 19 (S02E09)
    10. Week 20 (S02E10)
    11. Week 21 (S02E11)
    12. Week 22 (S02E12)
  3. 🌐 Season 3
    1. Week 23 (S03E01)
    2. Week 24 (S03E02)
    3. Week 25 (S03E03)
    4. Week 26 (S03E04)
    5. Week 27 (S03E05)
    6. Week 28 (S03E06)
    7. Week 29 (S03E07)
    8. Week 30 (S03E08)
    9. Week 31 (S03E09)
    10. Week 32 (S03E10)
  4. 🌐 Season 4
    1. Week 33 (S04E01)
    2. Week 34 (S04E02)
    3. Week 35 (S04E03)
    4. Week 36 (S04E04)
    5. Week 37 (S04E05)
    6. Week 38 (S04E06)
    7. Week 39 (S04E07)
    8. Week 40 (S04E08)
    9. Week 41 (S04E09)
    10. Week 42 (S04E10)
    11. Week 43 (S04E11)
    12. Week 44 (S04E12)
    13. Week 45 (S04E13)

Week 1 (S01E01)

Week 2 (S01E02)

Week 3 (S01E03)

During post-show discussion, we brought up:

  • Cree.py - geolocation OSINT tool
  • TrackIMEI - using a SIM card/IMEI number to track the location of a mobile phone

Week 4 (S01E04)

Week 5 (S01E05)

Week 6 (S01E06)

Week 7 (S01E07)

Week 8 (S01E08)

Week 9 (S01E09)

Week 10 (S01E10)

🚧 TK-TODO

Week 11 (S02E01)

🚧 TK-TODO

Week 12 (S02E02)

🚧 TK-TODO

Week 13 (S02E03)

🚧 TK-TODO

Week 14 (S02E04)

Week 15 (S02E05)

Week 16 (S02E06)

  • Signal is used to make an encrypted VoIP call.

Week 17 (S02E07)

Week 18 (S02E08)

Week 19 (S02E09)

Week 20 (S02E10)

  • Cantenna (an antenna made out of a can) to boost the range of a radio signal, such as a Wi-Fi network.
  • "For impersonating an NYPD officer. All cell carriers have a law enforcement hotline. Instead of hacking the carrier, if the situation's urgent enough, you can just ask them to track a blocked call for you."

  • "Can you ping that phone for a current location?" Probably referring to a so-called "SMS ping," one type of invisible-to-the-user Short Message Service (cell phone text message) message, more broadly known as "silent SMS".

    • Reverse address search features provided by Spokeo and other free/freemium data brokers

Week 21 (S02E11)

Week 22 (S02E12)

  • 33 Thomas Street in Manhattan, the site of the NSA's "Project X," aka Titanpointe, an illegal domestic spying hub
    • Field of Vision: Project X, a documentary short narrated by Rami Malek and Michelle Williams, produced by Laura Poitras and Henrik Moltke

Week 23 (S03E01)

See also Mr. Robot Disassembled: eps3.0_power-saver-mode.h.

  • Elliot and Darlene visit "the only hackerspace with a fiber connection"
  • The number "1984" is painted on the wall, a common reference to George Orwell's 1949 novel of the same name warning about a dystopian future society where electronic surveillance controls people's lives and their thoughts; is this the name of the fictional hackerspace?
    • Hackerspaces.org is a crowd-sourced directory of information about hackerspaces around the world.
  • At the hackerspace, they find "a CTF tournament. Capture The Flag, it's like the hacker olympics. Teams around the world compete to solve challenges: reverse engineering, protocol exploitation, forensics."
    • Most CTFs happen virtually, not in large party venues like those depicted on the show.
    • CTFTime.org is among the most prolific continually-updated directories of public CTF competitions.
    • awesome-ctf provides a listing of "awesome" tools and resources for CTF competitions and competitors.
  • Darlene learns that "we're fucked. All the machines are taken. They're in the middle of a final round of the qualifier for a CTF." A few moments later, we learn that the CTF they're competing in is the famous DEF CON CTF.
  • "The backdoor had a hardcoded C2 domain pointing to a listener on Tyrell's machine. All I have to do is hack the registrar and change the name server configs. Once I hijack the domain, I can shut down their access before the dark army notices."
    • C2 is an abbreviation for Command and Control, a generic term describing infrastructure used to send instructions and receive telemetry from targeted and/or compromised devices.
    • A "registrar" refers to an organization, usually a company, responsible for reserving domain names with a given top-level domain registry, which is also usually a company.
    • The registrar is responsible for asserting the correct IP addresses of the reserved domain's own name servers; if these are changed to attacker-controlled name servers, the attacker can direct any requests for the reserved Internet name to whatever IP addresses they like.
    • rwwwshell, the classic "reverse World Wide Web shell,"
    • shred is a secure file deletion utility that helps prevent forensic recovery by overwriting the file data itself instead of simply unlinking the file from the filesystem like the simpler rm command does
  • Using the New York State Police (NYSP) National Crime Information Center (NCIC) portal to look up the vehicle identification number (VIN) of the FBI car.
  • Shodan.io, "the search engine for Power Plants" and other connected devices
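
A defender-side view of the registrar bullets above, as an added example that is not part of the original wiki or the show: detecting when a domain's delegated name servers drift from the owner's baseline. The domain, name server hosts and snapshots are constructed sample data, and the function names are hypothetical.

```python
# Added example: flag NS delegation drift; all domains, hosts and snapshots are constructed.
EXPECTED_NS = {"ns1.dns-provider.example", "ns2.dns-provider.example"}

# Constructed delegation snapshots in zone-file form, oldest first.
SNAPSHOTS = [
    ("day 1", """
example.com. 172800 IN NS ns1.dns-provider.example.
example.com. 172800 IN NS NS2.DNS-Provider.example.
"""),
    ("day 2", """
example.com. 172800 IN NS ns1.dns-provider.example.
example.com. 172800 IN NS ns2.dns-provider.example.
example.com. 172800 IN NS ns3.dns-provider.example. ; not in baseline
"""),
    ("day 3", """
example.com. 300 IN NS ns1.unknown-host.example.
example.com. 300 IN NS ns2.unknown-host.example.
"""),
]

def normalize(host):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return host.strip().rstrip(".").lower()

def parse_ns(zone_text, domain):
    """Return the NS targets listed for `domain` in zone-file lines."""
    found = set()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip comments
        if (len(fields) == 5 and fields[3].upper() == "NS"
                and normalize(fields[0]) == normalize(domain)):
            found.add(normalize(fields[4]))
    return found

def classify(observed, expected):
    """Compare an observed NS set with the owner's baseline."""
    if observed == expected:
        return "ok"
    if not observed:
        return "missing"    # delegation disappeared entirely
    if not observed & expected:
        return "replaced"   # no baseline server left: investigate as a hijack
    return "changed"        # partial overlap: check against change records

def audit(snapshots, domain, expected):
    """Return (label, status, unexpected hosts) per snapshot."""
    expected = {normalize(h) for h in expected}
    observed = [(label, parse_ns(text, domain)) for label, text in snapshots]
    return [(l, classify(o, expected), sorted(o - expected)) for l, o in observed]
```

Calling `audit(SNAPSHOTS, "example.com", EXPECTED_NS)` reports day 1 as `ok`, day 2 as `changed` and day 3 as `replaced`; in practice the snapshots would come from periodic queries to the parent zone's servers.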

Week 24 (S03E02)

See also Mr. Robot Disassembled: eps3.1_undo.gz.

Week 25 (S03E03)

See also Mr. Robot Disassembled: eps3.2_legacy.so.

Week 26 (S03E04)

See also Mr. Robot Disassembled: eps3.3_m3tadata.par2.

  • "The audio's useless. He's using a goddamn voice protector!" Also known as "speech protector," "noise generator," etc.
  • Darlene entertains herself by downloading a pirated movie from BitTorrent using Deluge
  • "We know you posted the F Society video — with a court order, we got the Vimeo connection logs for the account you used, which led us to your IP address and then your home address. That’s why you’re sitting here."
    • Article: The Mr. Robot Hack Report: Don’t Fear the Rabbler - The Verge

      This is a really common way to find someone after they’ve done something illegal on the internet! Cops do it all the time[…].

    • Court orders aren't even required in some cases. Many sites provide a metaphorical red carpet specifically for law enforcement requests as discussed in S02E10.

Week 27 (S03E05)

See also Mr. Robot Disassembled: 3.4_Runtime-Error.R00.

  • Elliot logs in to his work PC running Windows at E-Corp.
  • "I need to check my monitoring server." Elliot uses Kibana and Logstash, and accesses the raw logs over SSH via PuTTY: Screenshot of a Kibana dashboard.
    Screenshot of PuTTY. Screenshot of a terminal cd'ing to Logstash's directory.
    • Kibana is a popular and open-source data visualization tool.
    • Logstash is a popular and open-source data ingestion and processing utility.
    • PuTTY is a popular SSH client for Windows.
  • Edie proves a difficult mark: "I've hardened my install, further than the standard configuration, including a restrictive host-based firewall ruleset and whitelisting to block unauthorized apps from running. I think I know your culprit, though. Fred over there uses GoToMyPC all the time." And then she locks her screen! Edie contests Elliot's social engineering premise.
  • "Log data from the Dark Army's backdoored machine. They're using this guy's account, Frank Bowman. He's a member of the code signing architecture team. This is what they're doing: they want to sign their own firmware and bypass my patch. If they do that, they'll blow up the downtown recovery building. My only chance to stop it is to get to the hardware security modules, the HSMs. They're on the 23rd floor."
  • "I'll tailgate someone." Also known as piggybacking.
  • Angela accesses the code signing machine on floor 23 of the E-Corp building.

  • A sign reading "There's no place like 127.0.0.1" in the geeky code signing architecture team's office.
    • 127.0.0.1 is the conventional IPv4 address of "this computer," or "self," or "localhost," or, as Dorothy would say it, "home."
  • Irving and Angela use call-and-response code words to authenticate their audio calls: "Marlinspike." "Moxie."
    • Moxie Marlinspike is the famous hacker and programmer best known for creating the Signal Protocol (double-ratchet algorithm) store-and-forward end-to-end encrypted messaging system.

Week 28 (S03E06)

See also Mr. Robot Disassembled: eps3.5_kill-process.inc.

Week 29 (S03E07)

See also Mr. Robot Disassembled: eps3.6_fredrick+tanya.chk.

Week 30 (S03E08)

  • ProtonMail, a popular web-based e-mail service with built-in support for OpenPGP.

Week 31 (S03E09)

See also Mr. Robot Disassembled: eps3.8_stage3.torrent.

  • Using the Volatility memory forensics framework: Several terminal windows show the Volatility framework being used.
    Closeup of Elliot using Volatility.
  • Elliot crafts shellcode to be executed via Python(?) by discovering a vulnerability through fuzzing using American Fuzzy Lop (AFL) and inspecting the crashing program with the GNU Debugger (gdb): Elliot using American Fuzzy Lop (AFL) fuzzer and the GNU Debugger.
    Closeup of a GDB session depicting a program crash (segfault).
    Exploit shellcode being written.
  • Dark Army Command and Control (C2) operator station loads Elliot's exploit:
    Screenshot of the Dark Army's C2 user interface.
  • Elliot logs in to a server with a new SSH key (ssh-add) to view the keystrokes, and thus username and password, of the compromised Dark Army operator: Elliot adds an SSH key identity and views the loot.
    The password of the Dark Army operator is revealed in a cleverly named file.

Week 32 (S03E10)

See also Mr. Robot Disassembled: eps3.9_shutdown -r.

Week 33 (S04E01)

Week 34 (S04E02)

Week 35 (S04E03)

Week 36 (S04E04)

  • Darlene and Elliot use Signal to communicate with one another.
    Still of a TV DVR showing Signal on screen during an episode of Mr. Robot.

Week 37 (S04E05)

Week 38 (S04E06)

Week 39 (S04E07)

Week 40 (S04E08)

Week 41 (S04E09)

Week 42 (S04E10)

Week 43 (S04E11)

Week 44 (S04E12)

Week 45 (S04E13)
