And then I'm going to show you the main folder of Hive, because it has a bunch of stuff that is interesting. Well, first of all, you have there the binary of Hive. Hive is running as a service. And we have different things. We have the SQL database where everything is, literally. And then we have different folders. We have implants, we have stagings, where we are going to save all created implants. And inside that folder, there are going to be the compiled implants. It's going to be also the Terraform plans. Sorry? Oh, yeah. Well, it's a video. I don't know if... Yeah, sorry. I did not think about that, but you are right. I don't think you may see as much. That's OK. We're going to play mainly with the graphical interface.

I am running right now the process of Hive because I want to show that when you go to create an implant, the interface is what it is. Do you see the button, like the interface of just a time? More or less? OK. So this is a form for creating, for crafting implants. OK, so we just put the name. We can put the time to die. We can choose... this is the network model, right? So we can choose between the different ones that I have already. The ones that are working already are HTTPS Go, Paranoid and Gmail. So there we are going to pick how the implant is going to address, literally. We will have in the future other models that we can pick there. But right now, HTTPS Go is the one that is working. And now here we can just add the different domains we have already, like, saved in the framework. And we can start to add as many as we like for creating the implant. So right now, I'm going to add two different ones. Each row is a VPC and a domain for this network model.
That means that we can provide it different VPC servers for Amazon, Azure, because it can be interesting if we want to have, like, five or seven different credentials for Amazon or Azure, because we can make our implant maybe address to China, to the US, or maybe use Azure and Cloudflare, whatever. It is like we can put a lot of diversity here in the implant, right? And domains. I'm going to use my ST-time 1, I think, or my ST-time 7, and ST-time 8. So we just click Create. And what's going to happen in the background: the job from the Electron UI is going to be sent to the client, and the client is going to send it to Hive. And now you're going to see, if you see, sorry, because I know it's very small, that Hive is going to start to compile everything. At least six compile goals going over there that start to compile the implant for the different platforms that I already have available, right? And that is going to generate the binary inside Hive.

Sorry, if you don't see the source code, you can check it later in the GitHub. But literally here, this is the string of the plan in Go. And when I send the job, Hive is going to choose between the different options. I'm going to feed in the strings differently to create the plan, OK? So this is a plan for AWS. We will have in the future plans for other, like, VPCs. We will see. And these are using os/exec for compiling Go. And I know, guys, what you're thinking: crafting a string in os/exec is literally a command injection. I need to fix all the security vulnerabilities, literally, so OK. This is the cross compilation of Golang. We have the tags, and we have the parameters. The parameters is the JSON configuration, because if we use a module that uses, like, ports and domains, we need some parameters. While if we are going to use Gmail, it will need, like, credential JSON and token JSON. So in this compilation, Hive will put into the implant all the parameters. And the modules add the tags of Golang so as to compile some classes versus other ones.
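The command-injection remark above is worth a concrete illustration. The following is an added example and not Hive's code: it contrasts the pattern the speaker describes (formatting operator-supplied input into one string that is handed to a shell) with passing each argument as its own argv entry and allow-listing the value before use. The `terraform apply -var domain=...` invocation shape, the function names and the hostname regex are assumptions made for the illustration, and the hostile input is constructed.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// Constructed example (not Hive's code): the difference between building
// one command string for /bin/sh and passing argv directly to the program.

// unsafeCommand is the pattern to avoid: operator-supplied input is spliced
// into a single string that the shell parses, so a ';' or '&&' inside the
// value turns into an extra command.
func unsafeCommand(domain string) *exec.Cmd {
	line := fmt.Sprintf("terraform apply -var domain=%s", domain)
	return exec.Command("/bin/sh", "-c", line)
}

// domainRe is an assumed allow-list for a lowercase DNS hostname: labels of
// letters, digits and hyphens separated by dots, nothing else.
var domainRe = regexp.MustCompile(`^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$`)

// validateDomain rejects anything that is not a plain hostname, so the
// value cannot carry shell syntax even if some later code path used a shell.
func validateDomain(domain string) error {
	if !domainRe.MatchString(domain) {
		return fmt.Errorf("invalid domain %q", domain)
	}
	return nil
}

// safeCommand never involves a shell: every argument is one argv entry, so
// the kernel hands the value verbatim to terraform. The allow-list check is
// kept as defence in depth.
func safeCommand(domain string) (*exec.Cmd, error) {
	if err := validateDomain(domain); err != nil {
		return nil, err
	}
	return exec.Command("terraform", "apply", "-var", "domain="+domain), nil
}

func main() {
	// Constructed input containing a shell command separator.
	hostile := "example.com; echo injected"
	fmt.Println("unsafe argv:", unsafeCommand(hostile).Args)
	if _, err := safeCommand(hostile); err != nil {
		fmt.Println("safe path rejected it:", err)
	}
	cmd, _ := safeCommand("red1.example.com")
	fmt.Println("safe argv:", cmd.Args)
}
```

Nothing is executed here; the program only prints the argv each variant would hand to the operating system, which is enough to see that the shell form turns the value into two commands while the argv form keeps it as a single literal argument.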
So in that way, we can have modularity, right? So these are all the platforms that are, like, compliant right now. We could do more maybe in the future. And you can see on the top that it's always using, like, Golang encoding for JSON. So everything is JSON in the tool. I use JSON encoding because, I mean, base64 is not enough for all the information I need to send to them. Also because I kind of know web technology, so it's easier for me. And this is the function where we generate the infrastructure. I was talking about the strings I am generating. There are a lot of comments from all the debugging I was doing recently.

So now I'm going to show you: this is the register VPC option of the graphical interface. Here we can, like, just add more credentials for different Amazon servers. Right now, Azure is not working. But for example, you choose Amazon AWS. We have all the information we need for one instance of Amazon AWS. And we can choose the region. We can choose the AMI we're going to use and everything. I have right now two created. And then the domains, in a similar way. Now I have GoDaddy and Gmail. We need to put the access key and everything for the domain. And for Gmail, similarly, the JSON and credentials. These are all the domains I have. You can see that the ones that say active, they say no. Those are the ones that we can still use for creating new implants, because we wouldn't want to spend some domains. The graphical interface is going to detect that we have used them. So it will not let us create implants with already-working domains, because we would kill all the redirectors that way.

We have the Gmail. I'm going to add here, because I want to do a POC here. So my first Gmail account, these are all dummy Gmail accounts I have created just for the demo. The third one is not working intentionally. So now I'm going to just add the credential JSON and token JSON. So you understand a little bit how this works: the connection with Gmail is an OAuth connection.
So I just create my OAuth app in Gmail. I just get my credential JSON and token JSON. My implant and my redirector are going to be totally fine for egressing with it and sending all the payloads that I need. So I'm creating this domain. We will use this domain later. And here I'm showing a little bit how the Electron UI is sending the job to the client in Go. And this is literally what we're going to pass to Hive. And Hive is going to process all that data for adding the domain, for example. Here are all the job logs and the error logs as well. This is very interesting for demo reporting, because everything we are doing right now, everything is getting, like, saved. So for generating the report later on, you are going to see that everything is saved. So I'm showing a little bit here. The database used is a SQL database. And everything you see there, Hive is using a connection to transfer all that as JSON and send all that JSON back to the graphical interface.

So here we are going to see in a while that the implant is currently created. You see, it took, like, a total of five minutes to create the implant. And there in my Amazon account, I have the first redirector already created. I'm going to call it red one. And then in a different region, I have my next redirector already. I'm going to call it red two, because we're going to play with this when the implant is running. So you can see that it's correctly performing, right? OK, this one is finished.

Let's go to the stagings. OK, so we have seen we can create implants. But stagings are very important because they will let us do things like, for example, dropping our implants, but also interacting with our sessions faster. So right now, I have three staging servers that work. The droplet, that is an Apache with a Let's Encrypt HTTPS certificate. I have the Empire handler with a Let's Encrypt HTTPS certificate. I have Metasploit as well. We're going to create a droplet. And we're going to create an Empire.
I'm going to create a Metasploit. But unfortunately, Empire, Metasploit, all the shell scripting to load all the dependencies takes time. Similarly here, we need to choose a domain and a VPC for the droplet. We will put the port, and we'll put the path for dropping our implant, and we'll just create the staging. And then similarly with Empire: we'll choose Empire, we'll put the port, and we'll just create it. And in a while, I will say in five or six minutes, we'll see the staging number here increasing to the number we have created once it finishes deploying. Again, I'm showing the job. I showed this before, so let's go a little bit ahead.

I'm going to start showing a little bit of things. So here in the source code, literally, Hive received that option, right? Received, like, ah, OK, create me the droplet. And these are the shell scripts that I'm just using for installing Apache, signing the certificate with Let's Encrypt, setting up Empire, that is just creating all the dependencies. I'm going to show you things, because I have been telling you that the staging is running as a service, Empire and Metasploit, and is also tunneling. We are going to see all that a little bit in the internals as well. So let's see which one is our droplet. I think it's this one. And this Empire, OK, we will interact with this later and test the droplet, right? Perfect. So let's see, let's go ahead a little bit. Yeah, I'm showing here why the domains are now not active, because we have used them for the Empire and the droplet and everything, OK?

So let's go to the droplet. Here I'm showing a little bit how the staging folder works. And this is similar to the implants. We see the job Hive received to create a staging. This is the DEF CON Empire that I have just created. It has inside the Terraform binary used, the plan for deploying the redirector, the keys, and all the services that I am installing in the target, the staging server.
This is the plan of Terraform that my Hive has created, and there it is, with all the parameters, the keys, and everything. So now I'm checking if the droplet is working. It's still not, so I'm going to advance a little bit. Let's see when it's prepared. OK, I think now it's going to appear. It takes time. Now we have the droplet already created. So now in the job log, it says that it's created successfully, so we use Refresh, and we have here the droplet. So this is all automatic. The operator doesn't need to know all this process. I'm showing you guys.

So now we need to check which is the path, because in that path we can drop all the implants we have created. So let's check which is the right path. I'm checking. The interesting thing is it's not the path we wrote when we created the staging, right? So we are going to put, like now, defcon, that is the one that we have in the parameters there, defcon27. And this will be the right path for dropping our implants. We can change these. This is useful because if we want to put a long hash to, like, hide our implants, so no one is, like, messing with them, right?

And we will now drop the implant we just created before. So we go to implants. We check which kind of attack we want to perform. Right now it's just working for drop implant. Obviously I say HTA, because in the future we may like to automate the creation of HTA for, like, dropping somewhere. We choose the architecture, we choose the operating system, put the name for the file we want to, like, use. We perform the attack. And then in a while, when we see in the job logs that it is successful, we will have our dropped implant in the staging server. So now we can just, like, you know, send a phishing email or whatever and convince someone to download the implant, installing it somehow. It's a very basic attack, but it's one of the most basic ones that the red teamers could use. So now in the video, I advance because Empire is taking time.
I want to show the Empire right now. Okay, so now we have the Empire working. I'm gonna show you how we can connect through the operator. So we just go to the handlers. On the staging server, now we have our Empire listed over there. We use interact with it and the client in Go. And that's the reason why I have a client in Go, because I can do, like, this. I can just open a num terminal and we have over there the Empire handler. We can just, like, go ahead and interact with anything that is dropping on that Empire handler. And remember, we are in our, like, operator device. We don't interact with the staging at all. We just click a button from the graphical interface. We have our Empire shell from num. This is using reptile over a process that is running in the staging server.

And now, at the end of the video, I start to create the Metasploit. But I just cut this video because Metasploit takes time to create. So I just go to the next one and show you that the Metasploit is working as well. We have three stagings here because I have the Metasploit already created. And it works, as you can see, with ST time three, I think, nine. So then I just go to the handlers, go to the Metasploit and use interact, and I have the Metasploit handler over there. The same as Empire. Just clicking a button, I have the num shell and the Metasploit working already, as a service in a staging server that I can kill whenever I want to kill it.

I'm doing a little bit of internals here, so just to show you a little bit what's going on inside the staging server. So I'm gonna SSH into the Empire. I'm gonna show you the service I created for it. Let's see if you can see it more or less. Okay, so that one is the service. It's literally the Metasploit handler running as a service, and everything that is being typed in the handler is saved in a log file. And we'll use it later on for the reporting. So I don't know if you can see very well, but it's basically, like, the command for running the Empire handler, it's not anything else.
And then I'm going to Hive, because I have another service that does the remote tunneling with the staging, so the operators can connect to it through the tunnel. This is here. Okay, so in Hive, each time we create a staging, Hive is gonna create a shell service in Hive, and the name of the service is gonna be the same name, and it's just doing remote tunneling to the staging and opening a new port on Hive, so operators can just connect to Hive and interact with the staging in an invisible way, without interacting directly with the staging server.

Okay, so let's go to the fun part. The implants, okay? Let's test first the implant we created before, because, okay, you are saying, okay, you have been telling all the features, but we want to see how the shells come back, right? So remember, we have the droplet, we have the Empire, we have the Metasploit. So now, let's run a one-liner in this Linux box, and with this one-liner that is literally just downloading the implant, giving execution permissions and executing it, I just, like, let the bichito run. And this is in debugging mode. If you can see, sorry for that again, but this, literally, we can see that the implant is starting to flow. It's just, like, reaching back to the first redirector. The first redirector is ST time seven, and we see the authentication header. It is, like, the implant ID, or the process implant ID, and the token that we generate on the creation of the implant. And this way we can check for replay attacks and all that. So our implant is kind of more or less secure.

We're gonna see that we just got one bichito over there. And then we just go to the ID that corresponds to the infection. We have all the check-in information and we have also the redirector that is attached to that infection. And we can do here different things now, right? We have the interact button that literally, that is an xterm that is sending jobs to Hive. And this is the job console I was talking about.
Right now I just have exec, that is running a shell into the implant, which we'll change in the future, but that's the modularity of the tool, right? We send the job, we receive it, but I want to show you guys a more interesting thing. So, you know, we can send jobs, we receive them, that will be logged in Hive. But we want to do post-exploitation, right? So we just open our, like, Empire handler, we go to our bichito and we say, okay, I want to inject a shell. So let's just inject Empire. And this is working through the redirectors, okay? I send the job, let's inject the Empire. I am in the same user interface and I just wait, and without directly interacting with the staging, I do receive the Empire shell. And I can just do my post-exploitation session as much as I like without problems. When I finish with the post-exploitation session, I can just kill the staging and that's okay to go. If the blue team says, okay, this server was doing weird things, it already doesn't exist anymore. But my implant is still silent on the machine. This is, like, the log for the normal jobs that we can send to the bichitos.

And I am testing now, you see my redirector, I'm gonna kill it and see how the implant is transparently swapping from, like, the first redirector to the second one I created for the implant. And it's gonna continue working transparently. Here it's saying, what is my redirector? What is my redirector? At least four times. And now it's swapping to the next redirector. And I can still work with it, sending jobs. It's gonna work without problem because it still has a redirector attached; you see it has changed to ST time eight when it was ST time seven before.

And now let's go to, a little bit, what I think is the meat of the talk. We are gonna do the same, but using Gmail. And particularly we're gonna use Gmail drafts for doing the same, okay? So literally, give me one string and you will be my redirector.
So every company around there, if it provides you a string, you can egress with it, okay? So this is another implant that I created before, because I did not want to spend all the time creating another implant, right? So we have here DefCon Gmail, that is literally using two accounts. Gmail, the one that we added with the credential JSON and token JSON, and another one. It's gonna just be checking in with the first Gmail account. We can see the same, we put the one-liner, it's gonna download the binary, it's gonna execute it, but instead of connecting with HTTPS to the redirector and my domain, it's literally sending emails to Gmail, okay? That's the subject of the email that it's sending. And if we go to the email account, we can check that in drafts. We are using the drafts; the subject is the ID of the implant, and the body will be the JSON where we send the payloads. And what the blue team is gonna see: oh, my employee is connecting to Gmail, nice. So I think that this could be silent; this is just a model of a lot we can create.

And I'm gonna do the same that I did with the HTTPS Go. I'm gonna use interact with it, I'm gonna type some commands in the command line of ST time, and I'm gonna interact and send my Empire shell. And everything is working through Gmail, don't forget about that, and it's totally transparent for the operator again. So let's interact with it, let's get our Empire again, and let's just inject the Empire shell. We have seen this already, so let's go, so let's inject it. We choose the staging server we want to use for the injection. And this is just a launcher, it's not a real injection yet, but we can change that with a model. So here we are gonna receive our staging through Gmail. Here we have, we just see the shell, the implant is still running using Gmail, but we are, like, just processing our post-exploitation session with the staging server. I am gonna go back to the Gmail account so you see what's going on there, right?
We can see in the subject, that's just JSON the implant is sending back. The implant is sending this to Gmail, the redirector we have deployed is connecting to Gmail as well, and then the redirector is sending back the job to Hive. So these are the two hops from the implant to Hive. So they could maybe cancel the OAuth to the Gmail account, but they still will be working with the next Gmail account we can provide. And I am not using a crazy technology; I use the Gmail APIs that Google is providing for, like, you know, querying the drafts and modifying the drafts. So yeah, these are the implants. Persistence, unfortunately, I don't have it yet, but let's go with the important part that we all love, right? The reporting thing.

We forgot about this, but let's make it clear: this is the most important for the blue team, and it's important that everything we're doing, we're reporting it, and we're, like, recording. We need to know what we have done, right? So I'm gonna show the last video, but I think it's maybe the most important one and it's the shortest. So let's go to the reporting. We have done a lot of things. We have created implants, we have created droplets, we have sent commands, we have interacted with two shells, we have, like, added new domains, we have done a lot of things. So let's just create that report. Hive is gonna receive this job, it's gonna timestamp what we are doing, and once the report is created, we can just download it. And right now it's very primitive strings, but in the future we may create a cleaner report with XML or something, so we can see things better. So now I create the report, I'm gonna list that report, that is called Blue Team Help.
We download the report, and it will download directly to the folder of the operator, and we can just, like, watch it, and it's not very organized right now, but those are all the commands we have been sending to Hive, and it's on a per-user basis, and most importantly, we have all the interactive shells over there, that is on a per-user basis as well, so for every interactive session we have, we can see what we have been doing. Everything is recorded in reports, okay?

So you say, for exfiltrating data from the internal company outside, right? For the moment I don't have models targeting exfiltration, but we can create a new staging server that, instead of being called Empire handler or, like, droplet, we'll call exfiltration. I was thinking about why not use Facebook or Instagram for, like, doing steganography on images, and then exfiltrate everything. We could add a new staging for doing that. I just need the help of the community on the GitHub, because there is a lot of work there, right? But we can do it, and we could have this framework for doing everything, right?

So the API, I think it lets you do most of the things. Like, I did choose drafts because I did not want my implant erroneously, like, sending an email or something like that. That would be really fun, right? And drafts are kind of the same as messages, but they just stay static there, and we don't call Gmail send. The information's gonna stay there, but maybe Gmail is providing you more APIs that I don't know that could look like more interesting things. I mean, right now, the fact you are using Gmail, in terms of network egression, the blue team is just gonna see that there is a computer that is connecting to Gmail. And if they do deep packet inspection, okay, they do the packet inspection, they are gonna see how many Gmail connections there are from the company.
Maybe they can query now the bichitos thing, that's the reason why the bichitos may, now they can detect the bichitos by maybe querying that stream, but we can create a new model that uses Gmail but in a different way, right? And then the blue team will detect our first implant, but the second one that we use, maybe not. We can, as a red team, we can use a new very cool thing. We can have a successful operation or the blue team detects it, but then we can help the rest of the blue teams to detect that as well. We don't need to be selfish in our operation, right? That's how the security industry works.

So future work, I mean, this is a very baby project, it has tons of bugs, tons of security vulnerabilities, I need to fix a lot of them. But you know, the more things we have, the more strength we can give to the framework. I have seen a lot of things to add in the future: obfuscation, new kill chain attacks. I mean, using Google Analytics to address, it will be cool, right? Like, how many embedded devices use Google Analytics, and how many strings Google Analytics is providing to us? We can perfectly egress with it. It's just, I need to study the API, that's all. A lot of things to do, and I really ask for help here.

That's everything. Thank you so much for making this possible and making me part of DEF CON. This is more a talk to show what I have done. It's more a talk for a call for commits. I would really like people to, like, come into the GitHub, semi-albarol, you know, like, this cool new module could be added. Let's do this tool. Amazing, right? Let's use it all together. And let's not forget that this, even if it looks very offensive, is for helping the blue team, because it's our last thing to do. It's the most important thing to do and the last thing that we finish doing. That's everything. That's the repository, everything is up. And question time. I'm gonna post the slides. The video I think is gonna be posted as well. I will use my GitHub account, my Twitter, everything is gonna be online.
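The detection question raised above, what a blue team actually sees when a workstation keeps talking to Gmail, comes down to timing: a person reading mail produces ragged gaps between connections, while a polling loop with a fixed sleep produces gaps that are nearly constant. The following is an added example, not part of the talk and not the project's code, written in Go because the tool is written in Go. It groups a proxy log by client and destination, computes the coefficient of variation of the gaps between connections, and flags pairs that look like clockwork. The log format, the IP addresses, the timestamps and the thresholds are all constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Constructed proxy log excerpt (not real traffic): one connection per line
// as "RFC3339-timestamp client-ip destination-host". 10.0.0.5 polls every
// minute with one second of jitter; 10.0.0.7 connects at irregular times.
const sampleLog = `
2019-08-09T10:00:00Z 10.0.0.5 gmail.googleapis.com
2019-08-09T10:01:00Z 10.0.0.5 gmail.googleapis.com
2019-08-09T10:01:59Z 10.0.0.5 gmail.googleapis.com
2019-08-09T10:03:00Z 10.0.0.5 gmail.googleapis.com
2019-08-09T10:04:00Z 10.0.0.5 gmail.googleapis.com
2019-08-09T10:05:00Z 10.0.0.5 gmail.googleapis.com
2019-08-09T10:06:01Z 10.0.0.5 gmail.googleapis.com
2019-08-09T10:07:00Z 10.0.0.5 gmail.googleapis.com
2019-08-09T10:00:00Z 10.0.0.7 gmail.googleapis.com
2019-08-09T10:03:10Z 10.0.0.7 gmail.googleapis.com
2019-08-09T10:25:40Z 10.0.0.7 gmail.googleapis.com
2019-08-09T10:27:05Z 10.0.0.7 gmail.googleapis.com
2019-08-09T11:30:00Z 10.0.0.7 gmail.googleapis.com
2019-08-09T11:31:12Z 10.0.0.7 gmail.googleapis.com
2019-08-09T12:05:00Z 10.0.0.7 gmail.googleapis.com
2019-08-09T10:02:30Z 10.0.0.5 mail.google.com
2019-08-09T10:40:00Z 10.0.0.5 mail.google.com
`

// Beacon summarises one client/destination pair that polls on a
// suspiciously regular schedule.
type Beacon struct {
	Src, Dst string
	Count    int
	MeanSecs float64 // average gap between consecutive connections
	CV       float64 // standard deviation / mean of the gaps; near 0 means clockwork
}

type pair struct{ src, dst string }

// parseLog groups connection timestamps by (client, destination).
func parseLog(text string) (map[pair][]time.Time, error) {
	out := make(map[pair][]time.Time)
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		k := pair{f[1], f[2]}
		out[k] = append(out[k], ts)
	}
	return out, nil
}

// intervalStats returns the mean and coefficient of variation of the gaps
// between consecutive timestamps. Fewer than two timestamps give no gap, so
// the pair is reported as maximally irregular rather than dividing by zero.
func intervalStats(times []time.Time) (mean, cv float64) {
	if len(times) < 2 {
		return 0, math.Inf(1)
	}
	sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
	gaps := make([]float64, 0, len(times)-1)
	for i := 1; i < len(times); i++ {
		gaps = append(gaps, times[i].Sub(times[i-1]).Seconds())
	}
	for _, g := range gaps {
		mean += g
	}
	mean /= float64(len(gaps))
	if mean == 0 {
		return 0, math.Inf(1)
	}
	var variance float64
	for _, g := range gaps {
		variance += (g - mean) * (g - mean)
	}
	variance /= float64(len(gaps))
	return mean, math.Sqrt(variance) / mean
}

// findBeacons flags pairs with at least minConns connections whose gap
// jitter (CV) is at most maxCV, sorted with the most regular first.
func findBeacons(text string, minConns int, maxCV float64) ([]Beacon, error) {
	groups, err := parseLog(text)
	if err != nil {
		return nil, err
	}
	var found []Beacon
	for k, times := range groups {
		if len(times) < minConns {
			continue
		}
		mean, cv := intervalStats(times)
		if cv <= maxCV {
			found = append(found, Beacon{k.src, k.dst, len(times), mean, cv})
		}
	}
	sort.Slice(found, func(i, j int) bool { return found[i].CV < found[j].CV })
	return found, nil
}

func main() {
	beacons, err := findBeacons(sampleLog, 6, 0.2)
	if err != nil {
		panic(err)
	}
	for _, b := range beacons {
		fmt.Printf("%s -> %s: %d connections, mean gap %.1fs, CV %.3f\n",
			b.Src, b.Dst, b.Count, b.MeanSecs, b.CV)
	}
}
```

On the constructed log only the 10.0.0.5 to gmail.googleapis.com pair is flagged; the irregular host has a CV above 1 and the two-connection pair never reaches the minimum count. The thresholds are the tunable part: a longer sleep with random jitter in the implant raises the CV, so in practice this check is combined with volume, destination rarity and draft-API specific indicators rather than used alone.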
And the tool is already ready to use. It has a lot of bugs, but you can use it and see, you know, if you see something that is really horrible, we can fix it. You can add your domains, totally. You can add as many domains as you like. That's, well, when you register a domain, you are kind of using that, right? I have still not added subdomains to it, because I have not seen as much potential, like Salem, because when you use a domain, they block that domain and then all the subdomains go ahead, right? But we could use that. Everything you think that could be added, we can do it. Right now, it's just adding your domain and that's all, with your credentials, and you can change the IP for that domain. But we could think about new models for domains. We could do different ones, right? Yeah, you're welcome.

I did choose Electron because I wanted it to be cross platform, kind of. Right now, it's just working on Linux, but also, like, I know that with a web, a normal web page can be cross platform as well, but I don't know, I like to do things like the thing I did, like I can click a button and then... I mean, I could, like, it's true, I could do that in the same way with a web browser. I did choose Electron because I wanted to learn about that technology as well, and I think it looks nice too, but everything I think can be perfectly made with just a web browser. It's not a technology decision. We can swap that. Is it like HTML, CSS? We can, like, change that to a browser. In fact, we can even create a new user interface that uses a browser. There is no, we just, like, need to send back, send and receive information from the client. So, thank you for the idea though. No, no, no, we can do everything perfectly with web technologies, yeah. I don't feel there's a blocker for that. No.
Well, all the ones that exist already, but I have not, like, spent as much time with things like TCP/IP because, I mean, there are a lot of, I mean, there are a lot of libraries for TCP/IP and I'm not gonna do better than them, but also because I do feel that most of the egression nowadays is done through HTTPS. So I said, okay, I start with HTTPS right away, and the next network model I'm gonna create is gonna be, like, one step ahead, that I do feel is using, like, software as a service, right? So every software as a service that you can imagine, we can use it. We can use Slack perfectly. Every, everything. A lot of them are enterprise. Well, we can, yeah, we can use non-enterprise ones. I mean, everything will give you a string. I thought about Gmail for one simple reason, because I did not have as much time. I was using Go and the Gmail API is amazing. You can do a lot of things through Go. Sorry? There's not a lot of people blocking it. Oh yeah, exactly. Also, for Tenors, Slack, Slack will work as well. Like, again, everything, every company or software as a service that gives you for free the ability to, like, interact with it and pass it a string, it will be working for the egression. You will need to think a little bit better how you are doing it, but it's perfectly, like... You just need a place to... Yeah, you need a place to put information, yeah. Yes, I'll just... It can be an image too, I was thinking about Instagram. How cool would it be, like, uploading, you know, the same photo of David Hasselhoff, like, in Instagram. Anything that's popular and has a good API. Exactly, that's the idea. And we can, like, work on it.

I definitely am gonna be supporting this tool as much as I can and trying to get it very... Now I'm gonna focus a lot on bug fixing because, I mean, everything works, but, like, sometimes the implant does something weird, and the implant is very important that it works well, because if the implant fails, what's this about, right? So yeah.
Yeah, I was wanting to talk about that. Like, I mean, ideally I should create my own, like, interactive console, right? But it's a lot of work. It's a lot of low level things that I still don't know. Like, I know, like, basic Windows API, maybe OSX. Yesterday, they did a very good talk about Swift. We could, like, use that source code to create our, like, Swift implant and just use the Golang Swift library to do it, if it exists, I think yes. So yeah, like, the implant requires a lot of heads or, like, system programming. And I would love to have those people working on it, to, like, have this, right? And now the modules that run jobs, they're very, like, they're very, like, simple, they're just calling Golang os/exec, and any simple EDR is gonna detect that. But if we change os/exec for, like, the real, you know, Windows or, like, OSX APIs or Linux APIs, for, like, use listing for ls instead of, like, calling ls in the shell, we just create our own ls copying some source code that is around there. And EDR, we need to do better, because the more we're blending with the rest of the software in the computer, the better, right? So that's the objective. But having this already made is useful, because if the blue team wants to be detected, we just, like, swap the implant, we will choose this one that is the first one, and they will detect it, and we're, like, oh, we detect something, that's nice, right? So yeah, good. Okay. There are no other questions. Thank you.