Hello everyone, my name is John Hammond, and I am so excited to share with you guys a project that has been a labor of love for such a long time now. It's a project myself and my roommate Caleb have been working on for two years realistically, I guess the two years ago since I started kind of the living document of CTF Katana as a reference for some players, that has got a lot of traction on my GitHub repository, in one year since we started the code, more so than that now, over a year since we started the actual repository for the software project of Katana, that will attempt to automatically solve some basic beginner capture the flag challenges. So finally it is open source and available and free and ready for your use. So I want to show you guys how you can download it, get started with it, all right now in this video. So here we go.

Let's get my face over to the side on the screen, and I'm gonna fire up a web browser, because you can find this online on my GitHub repository. If you go to github.com/JohnHammond you can find all of my repositories. You can find the original CTF Katana, which is the living document for notes and guidelines, back in February of 2018, of some things you can try and do and work on for a capture the flag challenge. But now we also have Katana itself, forward slash Katana, the automatic CTF challenge solver that is written in Python 3. We're gonna have a stream probably later on, Caleb and myself, showcasing this and doing things with it and exploring it and talking about it. So hopefully we can answer any of your questions, fingers crossed.

But we do have a couple notes in here that, yes, this is meant to be an automatic capture the flag challenge solver, with the disclaimer, incredible disclaimer, that this may suck, this might not work. This isn't going to solve everything.
There's no way this could solve everything. This is something to try, something to maybe help you, that might use a utility that you hadn't thought of to use or you might otherwise forget to do. That is really the whole thesis of Katana and what it's always meant to be. And admittedly it is not heavily maintained at the moment. This was something that we were really, really passionate about once we got started on it, once we wrote it, once we were in the weeds. But then life gets in the way, as you know it always does.

It's funny, if you actually take a look at the insights here, if you go look at the contributions and things here, you can see February 2019 we kind of kicked it off, and there was a lot of development in those first couple months, and then it petered out to, hey, I started a new job, I'm traveling, Caleb's traveling. We get a little bit more into it and then it fades in and out and becomes a little bit of a roller coaster. So now we have got it to a point where we're happy with it. The framework, I hope, is cool. It's really helpful for you guys. It's extensible. You can hopefully solve things and add things in a quick and easy way. But we make a note: it is not heavily maintained, because we will not always be readily available for things that need to be fixed or things that need to be changed, or bugs or errors. You might still find a couple bugs and errors or Python exceptions that are thrown out and rose and raised.

So anyway, another disclaimer. Katana will run potentially bad and evil things, will do malicious stuff, because you are acting as a hacker or offensive adversary in a capture the flag scene typically, so it will do offensive things. Do not ever, ever, ever use this whatsoever at all against anything that you don't have the permission to test and operate on, because Katana will automatically, recursively do things that could very well be bad.

So okay, this is the repository.
I want to get it spun up, and I want to show you guys how you can do it in a clean new virtual machine. So I'm gonna fire this up in an 18.04 instance that I have running, or 19.04. Yeah, 19.04, sorry, and we have Git installed here. So I can git clone this. I'm gonna make sure that I can actually, you know what, let's just type it. Because it is public, it should not ask you for any credentials. You should just be able to go ahead and download Katana, and once you have it downloaded you can go ahead and install it with everything that's already mentioned and discussed in the README.

If you don't already have some of these packages, you'll want to go ahead and install them or update them. These are just kind of convenience things, and I'm showing this on Ubuntu for your use, in case you are running on Ubuntu. I am, and I figure that, hey, that's a pretty common one to actually use, and maybe you could use it in Kali, etc. But we do not venture out to offer you support for those other distributions. These are just what we developed on. I wrote on Ubuntu, Caleb wrote on Arch. There were some comments to do that. But I will show you the Docker container that will go ahead and do this very, very easily soon. Okay, now let's paste that in and fire it away.

So there are obviously a lot of dependencies for what Katana uses, because it needs a lot of different Python libraries and it also depends on some external tools, or some of the regular utilities you might use in a capture the flag competition, like binwalk, like forensics, foremost, exiftool, stegsolve, zsteg, jsteg, snow, etc. Tons of them, tons of them. So installing each of them is a little bit tougher to do when you end up running it actually on your own system. Depending on, you're gonna need to actually figure out the package manager or repository stuff to get all those tools, put them in your path so Katana can actually use them. I have my machine already configured that way, like my personal physical laptop.
So does Caleb. I'm sure a lot of other people already do that do capture the flag, but from a bare new machine, while this is going through and installing a lot of things, it's not going to have all those things already set up. It needs npiet, it needs apktool, tons of these other external dependencies that Katana might use. You might have to go through the process of actually tracking that all down. So I'm gonna let this finish installing just so you can see the rest of the normal setup on a physical machine, and then we'll roll into the Docker container.

Okay, so the apt install command just finished running. That took about five minutes on this virtual machine. Now that that has been set up and created, you do however need to go ahead and create a virtual environment that you're gonna run Katana out of. Again, I'm making sure you use the latest Python version, at least 3.7 in this case, and you'll create an environment, virtual environment folder. I pull from system site packages because we just installed dbus. I've actually had some issues where it's been trying to pull dbus and it hasn't been able to, but anyway. We're just using the venv environment or library module to create a virtual environment. You should be able to do that because we installed that just fine. And then activate it and actually install all of the dependencies for Python through pip. So that takes a lot more time as well.
We can go ahead and slap these in though. Now that's activated it, and it will go ahead and compile and create everything that it needs for Katana itself to work as a module. I'll again pause the video because it takes a little bit of time for this to happen, and I'll get back to you once the process is done.

Okay, that took about a minute on this virtual machine, and now Katana should be installed and accessible and able to be used within this virtual machine. You can typically invoke Katana in two ways if you have it installed as a module, just as we just did now. You could run Katana just like that as a command, or you could also specify it as a module for it to run.

In our case we need to specify some arguments for this to actually work. It needs to know the flag format that this CTF is going to end up working with or end up asking for, so that can be specified with the tack F argument. And we can just say kind of a regular expression right here. Let's just say flag is kind of the opening header or prefix for all the flags, and inside curly braces we can have match anything. So I use a period for any character, asterisk for as many of them as possible, and I use a question mark to make that lazy, because I want to find just up until the first occurrence of that ending or closing curly brace.
So let's run that. But this will also yell at us. Now that it has run previously, it has created a results directory, and Katana won't want to run if there are already results that Katana had previously from an earlier runtime or execution process, because it doesn't want to clobber those. So if you want to clobber those on your own, then you can run Katana with tack tack force, and that will remove the results directory that was saved previously and now use it for just this runtime's results. You may or may not want to do that depending on your actual work that you do, or how often you use Katana for a CTF. If you're using it with a CTF you might want to have it running and working alongside you, just on and available. And you'll see how that works once we get moving here, but let's run tack tack force.

But it will tell me, hey, we're missing some dependencies, and it will allow us to actually, it'll still run Katana. It'll work with us. But it knows these are the dependencies that are missing, and we won't be able to actually use those because they're not available on our system. This does make things nice and easy for us though, because we're now working inside of Katana. Katana has a couple commands or things we could actually use. In this case, I actually just want to exit out, because I want to show you that syntax that we could just kind of copy and paste and steal from this README here.

Now that Katana has been installed, we can run it. We can use tack tack force to remove the results directory, specify flag format, and here I'm supplying a target, or what I'm actually trying to evaluate and have Katana work against. In this case this is just some base64 encoded rendition of that flag syntax. So I can copy and paste this in and Katana will automatically detect.
Hey, that's base64. It'll decode that base64 and it'll give us this flag, and then it'll tell me, hey, we solved it, as a quick notification. That works nice and easy for us. I could do the exact same thing if I want to specify this as a module. So I'll say Python tack M, and that will again run the same way, but now it will kind of display out and work just as that.

If you wanted to do something again, we saw in that help output we have a couple options that we can run. We actually also have commands like target, and target will allow us to view or add or kind of queue some new things that we're actually searching for, between that, what we're trying to actually have Katana work through and run. So let's actually check out target list, or LS as a quick shortcut. We had this that we supplied as a target. Katana tells me it already finished, it already ran through it, and every single target that you run is going to have a unique hash, or its representation of how you're actually going to denote and reference that target again in your use of Katana. If it found a flag it'll display it there for us.

But I want to show you this hash and how we can use it, because we have those other options. We can say targets, just as we saw before. We could view a specific hash. I could paste that in, or we could even just tab complete it, and it'll show options if you had multiple targets. And we could check out some of the JSON results or actual findings that kind of occurred when we were looking at this specific target. So it tried to run the base64 unit, determined if it was base64. It actually decoded successfully and found a flag through that. It also tried to run a Caesar cipher, and it looks like that's all it ran through because it already found the flag right away. We could, if we wanted to, check out the solution for that target. You could see solution is an option. Target solution and then again the hash, and if we have multiple steps, maybe it was a base64 to base58 encoded thing, we could then see all
of that syntax, or we could check out target flags again. I'm gonna get it and see what flag came from that. So that's just that simple target command that you run in the interpreter of Katana. You can hit control C or control D to break out of it. You might hit control C again if you hit control D, or just type exit to cleanly exit. But that will close out Katana for us.

So okay, that was some quick usage, but I want to show you now the Docker image, the Docker container, if you don't have these dependencies like we saw, npiet, snow, jsteg and some of those other things. I guess it's npiet, people yell at me for that. If you don't have these dependencies and you don't want to bother with them, you can work with this Docker container. This is all kind of explained, described in the Docker directory inside of the repository. Go check this out. Inside of this file, inside this folder, we have a Dockerfile, which you could just simply run Docker build with. Just keep in mind this takes a long time, because it's trying to, okay, grab all of these dependencies that you just saw work in our virtual machine, even compile some of the other things that are necessary for the libraries, and go grab those other external dependencies that we don't even have in our virtual machine but you might want for a capture the flag competition.

So we could do that with Docker. I'm gonna do this on my own physical machine now. I'm gonna actually pivot to that. Let's CD Docker. I'm sorry, get into the Katana directory first, and we have this Dockerfile here. So let's go ahead and Docker build Katana just like this, and this is gonna take a bit of some time, but we'll go ahead and let it run.

Okay, so now the Docker image has successfully been built. I do want to actually show you what this Dockerfile sets up and builds and uses here. So I'll drag this over. Let's like set that syntax to bash.
So it's a little bit more color-oriented. We're gonna use Python 3.8 to go ahead and pull this down from. We grab all the same dependencies that we had used previously, and we go ahead and install again those other things like zsteg, jsteg and npiet, snow, etc., etc. And then we go ahead and grab the repository and install everything.

This also works with a katana.sh script. The katana.sh script is kind of handy. Caleb put this together. This will actually determine, hey, depending on since you've built this Docker image, let's go ahead and reach out to the GitHub repository and see if there are any changes, because you may be running an old out-of-date version of this Docker instance or of this Docker image. If that's the case it says, oh, we found some changes that the GitHub has that's a little bit further ahead in the development. We could actually pull this down and let you run with that copy of Katana. It's not gonna end up running it and making it persistent. It can't update Katana and keep it within that Docker instance. You have to go rebuild that Docker image. But at least for that quick temporary on-the-fly thing, if you know, hey, you have an out-of-date rendition of Katana, it will go ahead and pull that down for you. Or it'll say, oh, we have the updated, most up-to-date and latest version of Katana, then it won't bother, it'll say you're up to date. But you will get notified, hey, if we have a newer version you can rebuild your Docker instance with just that same command that we ran earlier.

Also, excuse me, it's running Katana, and it's also checking with some arguments here the katana.ini file. So Katana works with INI configuration files, which help specify some of the arguments or parameters or settings that Katana might use for its own operations. So I'll show you some of these here in the examples directory.
We have a couple of them. Here is a simple example.ini where we just specify, okay, the manager that's working in the background of Katana needs to know what flag format this CTF might end up using. We also have a couple INI files that are used for a specific case, like, okay, maybe working against PicoCTF or CTFd instances, but I'll get into that in a later video. I do want to just talk about how we can also specify other arguments for the monitor, and how we can monitor specific directories that you're working with inside of Katana or with Katana. So maybe if you're working through a CTF and you download a file, Katana will identify, oh, you downloaded this. It'll automatically rip through it, and if it finds a flag it'll even automatically submit it for you. So that's kind of neat and kind of cool. So those are those INI files. We'll get more in depth on those soon.

I do want to show you this monitor functionality. Let's go take another look at that README though to see how it works. Because when you run this instance, you can make it interactive and in terminal mode. That's the IT arguments. The tack V directory, it's gonna end up sort of mounting one position in your file system to a position in the actual Docker container. So Katana in the Docker instance works out of this forward slash data directory, and that's where it's going to look for targets automatically and store results in a results directory automatically. So if you make any changes, you need to know, okay, that has to all work with that data directory that you might make.

So we could go ahead and test that if we wanted to. Let me make a new, I guess, directory here in a new shell. Let's make directory temp Timo. Apparently that works just fine. Timo. So what we could do is we could Docker run. Let's actually make a data directory.
Actually, let's see how it works without it. I'm gonna end up using my present working directory, just as with some command substitution, to specify that to slash data inside of the Docker container. We'll say tack IT for interactive in the terminal, and then Katana as our instance name. It knows that, okay, this is the absolute latest one. But we don't have that configuration file. This data directory, or this directory that we're working in, needs to have a katana.ini file, so let me go ahead and create that. I'll just say katana.ini. Manager, the simplest rendition we can have, sort of a flag format can equal flag with anything in there. Great.

Now if I were to try and run that one more time, Katana is up to date, fantastic. It's gonna want to monitor that targets directory, and it's doing that automatically. We actually have that command monitor. We could check out monitor LS to see what we're monitoring right now. We don't have anything in there because we don't have that actual directory created. So let me stop Katana and let's make that directory targets. Great, he's in there now. When I run this from the current directory, it should be able to not give us that warning. It won't tell us, oh, we actually don't have the, excuse me, the targets directory. But because the results directory is in there, we can't run just yet. So let's say force can equal true inside of our katana.ini file.

You could specify tack tack force as other arguments, but the way that this Docker instance works, this Docker container works, is because the command arguments that are being supplied, because they're already defined in that Dockerfile, if you supply tack tack force or tack F as other arguments, then it's not going to automatically pull at this katana.ini file or automatically use this monitor setup with the monitoring directories.
So that's kind of a bummer. It's not that big of a bummer, because honestly if you're using Katana as a Docker instance you should probably already have a directory all set up for that specific CTF, and have a configuration file already set up and configured for that CTF. You shouldn't need any of these other arguments, because everything should be contained inside of a specific organized directory with its own specific and organized configuration file.

So now we can run this because we've ran tack force. We've included that in our configuration file, and now it is running and waiting for us. So we could monitor and check out what we're actually listening. We do have monitoring capability in this directory targets that is inside of, on our file system, this targets directory. So I'll move in there. We know our flag format is flag with kind of curly braces. So what I'll do is I'll have Katana waiting in the background, and let's say some new file just suddenly appeared in my file system. Maybe I downloaded it. Maybe it was created. But either way Katana will monitor it and go ahead and create it.

Let's echo flag, this is a flag. I'll use tack N so I have no new line in that case. Now, let's go ahead and pass that to base64. Go ahead and pass it to base58, and now we have this string. Let's go ahead and create something.
I'll call it like something dot text, and Katana will automatically find it, queue it, and then it'll start to track it down and find the flag. Base58, base64, we found it. Awesome. Katana did that all for us, and it's running inside that Docker instance.

Some of the issues that you might run into when you're running with the Docker container is that you won't have your new flags automatically pulled and copied into your clipboard. You also won't find those desktop notifications that it'll explain when you actually solve the challenge, like we kind of just did. That's okay, because we do want you to be built out to the position where you don't need to use a Docker convenience image, but you can. It's available. It's meant for you as the end user, if you don't want to pull down all these dependencies and add them to your path. Obviously, we would recommend that though.

So let me activate this environment. Activate. Now I can run Katana. I will specify that configuration file that I just made, katana.ini, and we could manually go ahead and add that monitoring capability, because that monitor command in here, we can just simply add something. We can simply say monitor add, and it needs to know whether or not we can recurse on that, if it's a directory, everything inside of that directory as well, which might be handy for when you're using, again, a specified and designated folder for your CTF. Well, let's go ahead and monitor add tack tack recursive, and I'll specify an absolute path here, home John Timo targets. Good. And now that monitor list, that's already set up for me. I can go and create that file once more, and because that already existed it didn't do anything new with it. So let's just say a new file dot text down here. Katana will go ahead and run, spin it off, and it should track down the flag relatively quickly for us. You can see I have my notification just display up here, and that is what you wouldn't get, just that simple nicety, if you were running it with the Docker instance and Docker
container.

So, okay, that is the very, very simple basic options. Again, you could supply these targets as an argument. You can add them specifically if you wanted to with the target queue or target add. You could monitor directories of that. Let me show you that target add again. Let's target flag. Let me do that, actually, let's say, let's use a shell. It's the exclamation point to get a shell. Let's say echo flag, this is Caesar, and then let's pipe that to Caesar. Oh, can I not do that? Probably with a subshell on that. Oh, we just specify an argument to Caesar. That's probably why. Caesar 13. There we go. Okay, sorry. Now that that is set up, let's go ahead and target add just this, and then, okay, Caesar will automatically find that because it has support for those.

You might be wondering, what are all these units and things that are actually running, and how is this all happening? And for that I would point you towards the documentation. Katana does have docs and documentation that comes with the repository. It's not already built. If you wanted to go view these you could either build them yourself with simply make html using Sphinx, or you can go check it out at ctf-katana.readthedocs.io. That is publicly available and that will explain everything that we have written thus far in our documentation initiative. This may have holes, this may have gaps. But it'll tell you a little bit about what you're installing and why, the necessary binary external dependencies, how to go ahead and set this up.
Etc., etc. And it'll get to what this REPL is, the interactive case that you're working with, some other command line arguments you specify, and how you can go ahead and even write your own units or add things or modify things, and how it all works behind the scenes with the manager, monitor, unit and target classes. If you want to know about these specific units, you can go into each specific section and learn more about it. If I go into cryptography, here we have a couple of cryptography units that are available and why they work the way that they work. So you could explore and read about them, etc., etc.

Okay, I've talked a lot, and I think that's all that I want to showcase, because now we have Katana installed, set up, worked with the Docker instance, working with bare metal on our host, using some notifications, getting things in our clipboard, adding files, adding targets, monitoring directories, etc. I do want to showcase how you can actually do this with a simple CTF that's running with CTFd on the internet, or even PicoCTF. So I will do that in the next video, but that's it. Here it is. Here's Katana. Again, disclaimer: it might not be everything that you want it to be, who knows. I think it does a few things, and it does some cool things, and the things that it does do, I hope it does well, in a good way. But all right, enough me talking. I'm running out. I'll see you guys in the next video.
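
Added example, not part of the video and not Katana's own code: a minimal sketch of the two ideas walked through above, the lazy flag-format regular expression and the recursive peeling of encoding layers (base58 over base64). The `FLAG{...}` prefix, the function names and the sample target are assumptions constructed for illustration.

```python
import base64
import re

# Assumed flag format: prefix, then a lazy match up to the FIRST closing brace.
FLAG_FORMAT = re.compile(r"FLAG\{.*?\}")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def extract_flag(text):
    """Return the first flag in text, or None."""
    match = FLAG_FORMAT.search(text)
    return match.group(0) if match else None


def b58encode(data):
    """Base58-encode bytes (used only to build the constructed sample)."""
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return B58[0] * (len(data) - len(data.lstrip(b"\0"))) + out


def b58decode(text):
    """Base58-decode a string; ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError("not base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\0" * (len(text) - len(text.lstrip("1"))) + body


def b64decode(text):
    """Strict base64 decode; binascii.Error (a ValueError) on bad input."""
    return base64.b64decode(text, validate=True)


DECODERS = [("base64", b64decode), ("base58", b58decode)]


def solve(text, max_depth=5, chain=()):
    """Try each decoder recursively until the flag format matches.

    Returns (flag, [decoders applied in order]) or None. The depth limit
    keeps a target that decodes forever from recursing without bound.
    """
    flag = extract_flag(text)
    if flag:
        return flag, list(chain)
    if max_depth == 0:
        return None
    for name, decoder in DECODERS:
        try:
            decoded = decoder(text.strip()).decode("utf-8").strip()
        except ValueError:  # bad alphabet, bad padding, or not UTF-8 text
            continue
        if not decoded or not decoded.isprintable():
            continue  # binary garbage: this decoder was a false positive
        found = solve(decoded, max_depth - 1, chain + (name,))
        if found:
            return found
    return None


# Constructed sample: flag -> base64 -> base58, as in the monitored-file demo.
SAMPLE_TARGET = b58encode(base64.b64encode(b"FLAG{this_is_a_flag}"))

if __name__ == "__main__":
    print(SAMPLE_TARGET)
    print(solve(SAMPLE_TARGET))
```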