Okay, so basically the title says it all. I wrote a Python script that does some cool stuff and we'll talk about it for the next 20 minutes. The obligatory, you know, about me slide. Bottom line is this is Recon Village, so my name and Twitter handle are up there. You guys don't care who I am, but you guys can look me up if you want to. I'm pretty approachable.

So basically I did a lot of network defense for the last couple of years on enterprise-sized networks. We ran into a lot of issues. So you get a lot of syslog data, you get a lot of sourcing data, you get PCAPs, you get NetFlow data, and the problem is you get inundated with all this data and there's nothing really out there to do anything with it. There's a lot of enterprise solutions that are getting better, but they're really, really expensive, really high learning curve, and you can't play with them at home because a lot of these guys don't want, we're not walking around with licenses for this half-a-million-dollar software. I came across specifically focusing on Internet of Things devices, and that's like the new hotness right now. And I'm a big fan of Raspberry Pis and cheap, affordable, approachable programming and tools.

So CableLabs posted a story a couple of years ago basically saying that NetFlow detection systems seek to identify devices communicating with known command and control systems. So this is one of their primary means of detecting botnets and malicious activity on the Internet, using NetFlow traffic analysis. So kind of my two cents, my plug to it: somebody else is more important than me, and it's supporting my concept. But then you have this little diagram down at the bottom, so what I like about this is you have your botnets, you know, everybody kind of thinks that, as an attacker, you're going from attacker to the attacked.
But what I noticed doing a lot of NetFlow traffic analysis is the real issue that we have is the devices on your network at home that have the ability to reach out to the public Internet and be compromised that way. So you don't have to have a vulnerability on an Internet of Things device like a fridge or whatever in your house. There can be a vulnerability on the database server in the cloud 100,000 miles away and that's how the attacker is actually getting access into your home network. And the only way you're going to detect that is through network traffic analysis. It's going to pass all your checks, it's going to be allowed through your firewall, and it's pretty hard to see with normal syslog type stuff.

So I wrote basically a Python script, it's open source, it's all on GitHub, and it basically aggregates a whole bunch of blacklists. So FireHOL IP manages a whole bunch of databases that are updated pretty regularly depending on which ones you want. Some of them are huge, like gigabytes worth of data, some of them are really small. But the key here is that we're looking at IP addresses. So the next slide I'll go into NetFlow. It aggregates all these blacklists, does open source intelligence gathering using Shodan, VirusTotal and some other APIs, and then it kind of builds a threat intelligence dashboard that you can use to kind of see what's going on on your home network or your small home, small office network. And then at one point I had integration for text message alerts so I'd get a text message any time my computer or a device on my network talked to a malicious IP address. I took it out because I ran out of free API rules. So feel free to add it back in if you want, but you're going to have to pay for API service for SMS.

So for anybody that doesn't know, NetFlow is basically based on the 5-tuple. It's a Cisco proprietary protocol, but there's a lot of free and open source similar protocols that use the exact same byte orders.
But it captures the source and destination IP address, source and destination port, and the average size of the bytes for the session. So with that information you can see who you're talking to, who's talking to you, and how much traffic is going back and forth. So that's NetFlow in a nutshell. The bottom left is the actual parser that I used where I broke out the actual bytes of the packets, which is all being stored into a SQL database in the back end.

And once again, going back to the beginning, so there's not a whole lot of options out there but there are some options. So I'm sure you guys are familiar with the commercial options like SolarWinds, McAfee's got a lot of products, really expensive. Then you have all the free options, so you have ELK and Security Onion, which are really great but they don't run on a Raspberry Pi, or if they do run on a Raspberry Pi they run like crap. So if anybody's used massive databases or anything like that on a five dollar computer and has good success, please let me know, because I think everybody in here would be interested. So ELK is kind of another option, so Elasticsearch, Logstash and Kibana. Kind of the backbone of Security Onion. Once again it doesn't work very well because of the data size and the database accesses on a Raspberry Pi.

And then more reasons why I think my Raspberry Pi project was pretty neat, but basically the recommended guidelines for a lot of those open source softwares are, you know, 8 gigabytes of RAM, at least a dual core, preferably a quad core processor, and then you're going to need to power it too. So a lot of people don't consider that as a cost, but I've lived in a couple of different places around the country and I've experienced electricity bills higher than you can possibly imagine. So anything I can do to not plug something else into the network and run it 24 hours a day, seven days a week works for me.
So to summarize a lot of what I just said, you know, I'm looking for low cost, low power, easy to configure, integrates intelligence and has a cool black hacker-like interface. So we end up with the Raspberry Pi, specifically the Pi Zero W, because they're like 5 bucks every couple of months, 10 bucks not on sale. And then they've got this Pi Zero Stem, so if you haven't played with that it's awesome: it solders right onto the board, allows you to use it as a storage device and power, and it's pretty cheap, it's like a dollar fifty or something like that from a lot of the Raspberry Pi type stores. So we take a Raspberry Pi Zero W, Python, intelligence, all for about 15 bucks plus 10 minutes worth of soldering, and you have your own threat intelligence dashboard for your home network.

And then to go into the science behind it, and I use science loosely because it's not, I mean it's data science but it's not like data science. This is the kind of process that I was working with. So first we collect the raw data, we get all our NetFlow traffic in and we parse it and we make sense of it, and then we put it into a database. I use SQLite as the database of choice because there's no extra services, you can copy paste it, you can upload it, you can share it, you can do whatever you want with it. And then you do the analysis on the data. So that's where the FireHOL IP reputation comes in, Shodan queries, VirusTotal queries and anything else that you can possibly imagine. It's pretty modular and it's really easy to just add your own stuff. Results may vary of course. And then visualize the data. So a whole bunch of database queries is pretty boring to look at, and we know we're in the 21st century so we want something with colors and stuff. So I use Folium, which is an awesome Python library to build maps and graphs and anything that you can think of data-wise.
Some Flask because it's a really great, I don't know, low resource intensive interactive web dashboard. So I was told to use Django by some other people. Django is great but it's a little bit more involved to set it up and manage it. Flask I can turn on, turn off real quick, and Alexa uses Flask and I was programming for Alexa at the same time. And then JavaScript.

And then I share the information. So after you have all the information, what do you do with it? So we have a whole bunch of disparate people running these servers all around the world. That's where I got into Twilio, which was my SMS notification. So you can do SMS notification, email notification. You can push your results back to FireHOL. So another thing that I was working on was modifying it from looking at IP addresses that are bad to looking at patterns of behavior. So you have your malicious ports, like if you see Telnet, 444, like your standard botnet type ports, you can start taking the people scanning your public interface for those ports on the public internet and feeding those back into these threat databases, so you can kind of build the bench and share that information with the rest of the community.

So this is a similar slide, just a little bit more detail. So we have the raw data ingest, so if you guys are running custom firmware on your router, it's pretty easy to set up. So you can get your own NetFlow exporter. I run it on my LEDE router, so it's just an OpenWrt router running, I think it's like RFlow or InFlow. It saves all that in NetFlow version 5 because it's a lot less fields to parse through, and then puts it in a database. Does the analysis, visualizes it and then sends it right back out to the community for sharing that information. So this is the code, pretty exciting stuff. On the left, NetFlow collector; on the right, it's the IP databases and stuff like that that I'm pulling down from the internet.
And then we do some geolocation too, so if you haven't played around with IP geolocation, it's fairly accurate down to about the city level. It's kind of hard to spoof your IP location but it's not impossible. So it gets me pretty decent results. And then Shodan, because I wanted to play with Shodan. Shodan has a great API if you haven't played with it. The free version gives you about three queries a second. So I was able to basically run a thousand, one and a half thousand, or about 1500 results a day, and it takes about 10, 15 minutes. So right now the bottlenecks are not the Raspberry Pi, it's these free APIs that are charging us. And then VirusTotal has a really, really slow API. Everything came to a screeching halt. It was like two or three queries a minute. I talked to some VirusTotal engineers while I was here. They said they'll speed it up. So if you want free API access to VirusTotal, talk to somebody around here and maybe they'll give it to you. I don't know. Results may vary.

Finally the first slide with a picture of the actual thing. So this is the map that I built. It's black because that's what hackers do. And kind of like I was talking about the Shodan restrictions. So each one of these dots, the color of the dots is based on the density and the number of IP addresses from a given area. And then you can zoom in further to actually see the details. So what it does is it takes the Shodan results that you have and puts them into a little iframe. So you can click on any of these dots and you can get a rundown on exactly what's running, what open services are on that, who owns it sometimes, the DNS resolution if there is one. What I was pulling in from VirusTotal is they maintain a database of the last 100 DNS resolutions for a given IP address. And then they can also do malware analysis.
So if you have an IP address associated with a piece of malware, you can get that information out of VirusTotal and you can actually see what malware may be running on these potential botnet or scanning systems out on the public internet using APIs. And then the Flask one, so I don't know why I hid my IP address because it's home.evilbotnet and it resolves to the IP address. But this is where I'm running it right now. This is using Flask. So it's basically an interactive web interface so you can run a number of queries. I added ports, services, so it's basically a database manager if you will. So you can view the raw data if you're into that kind of thing.

So as I'm going through this, right, so the next step obviously is that you have to hack back or go back after the people that are going after you. My employer won't let me talk about that so I'm not going to talk about that. But the potential is there, right? So a lot of these devices, I'd say 50% scanners and script kiddies on the internet. I get a lot of stuff from the University of Michigan, Shodan scans me a lot, and a whole bunch of stuff from DigitalOcean. So DigitalOcean must have really loose hacking rules. I know AWS will kick you off really fast if you do any kind of scanning without authorization. But you can take that information, like I mentioned, you can push it right back up into the databases that you're pulling information from. So the chart in the middle is actually a chart from VirusTotal, or sorry, IP abuse database, and it's a really easy way, like one line of code, just to shoot that information right back up to them, basically confirm that these IP addresses are bad or good. But it's a good way to contribute back to the community. And potentially, if you felt like it, you could write a Searchsploit integration and build your own exploits and weaponize the system if you wanted to. So that's basically it.
As I mentioned, I didn't mention it before but I'm not a full-time programmer by any stretch of the imagination. So I did this as a way to learn how to program, and I learned a lot throughout the process, but it's buggy as hell and it'll have a lot of bugs in it. It's all up online at github.com/evilbotnet. Please contribute, download it, tell me if it works, tell me if it doesn't, build your own, rip it off, do whatever you want. But I really had a lot of fun building the project, talking about the project, and I think it works well for my situation. So I guess I have five minutes for questions.
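The pipeline the talk walks through, collect NetFlow v5, parse the bytes, put the flows in SQLite, and check both endpoints against a FireHOL-style IP list, as an added example. This is not the speaker's evilbotnet code: the export datagram and the blocklist are constructed inline for the demo, the field layout is the standard Cisco NetFlow v5 header and record format, and a real collector would read datagrams from a UDP socket bound to the exporter's port and load a downloaded FireHOL list from disk instead.

```python
"""Minimal NetFlow v5 collector pipeline: parse -> SQLite -> blocklist match.

Added example (not the talk's evilbotnet code). The datagram and blocklist
below are constructed; a deployment would bind a UDP socket on the exporter's
port and load a FireHOL netset file from disk.
"""
import ipaddress
import socket
import sqlite3
import struct

# NetFlow v5 wire layout, big-endian, per the Cisco v5 export format.
HEADER_FMT = "!HHIIIIBBH"                  # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"    # 48-byte flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_RECORDS = 30                           # v5 exporters never send more per datagram


def parse_netflow_v5(datagram: bytes) -> list[dict]:
    """Return one dict per flow record; reject malformed or non-v5 datagrams."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    # Trust the count only if the records it promises actually fit in the datagram.
    if count > MAX_RECORDS or HEADER_LEN + count * RECORD_LEN > len(datagram):
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = struct.unpack(
            RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": pkts, "octets": octets, "tcp_flags": tcp_flags,
        })
    return flows


SCHEMA = """CREATE TABLE IF NOT EXISTS flows (
    src TEXT, dst TEXT, sport INTEGER, dport INTEGER, proto INTEGER,
    packets INTEGER, octets INTEGER, tcp_flags INTEGER)"""


def store_flows(conn: sqlite3.Connection, flows: list[dict]) -> int:
    """Insert parsed flows into the SQLite flows table; returns rows written."""
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO flows VALUES (:src, :dst, :sport, :dport, :proto, :packets, :octets, :tcp_flags)",
        flows)
    conn.commit()
    return len(flows)


def load_blocklist(text: str) -> list:
    """Parse a FireHOL-style netset: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def flag_flows(conn: sqlite3.Connection, blocklist: list) -> list[dict]:
    """Return stored flows where either endpoint falls inside a blocklisted network."""
    hits = []
    for src, dst, dport, octets in conn.execute("SELECT src, dst, dport, octets FROM flows"):
        for ip in (src, dst):
            if any(ipaddress.ip_address(ip) in net for net in blocklist):
                hits.append({"src": src, "dst": dst, "dport": dport,
                             "octets": octets, "matched": ip})
                break
    return hits


def build_demo_datagram() -> bytes:
    """Constructed v5 export with two flows (not a real capture)."""
    def rec(src, dst, sport, dport, proto, pkts, octets):
        return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 1000, 2000,
                           sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    records = (rec("192.168.1.20", "198.51.100.7", 51234, 443, 6, 12, 3400)
               + rec("192.168.1.21", "203.0.113.9", 40001, 23, 6, 5, 320))
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1700000000, 0, 1, 0, 0, 0)
    return header + records


# Constructed list; 203.0.113.0/24 is a documentation range standing in for a bad netblock.
DEMO_BLOCKLIST = "# constructed FireHOL-style netset\n203.0.113.0/24\n"


def run_demo() -> list[dict]:
    """Parse the constructed datagram, store it, and return blocklist hits."""
    conn = sqlite3.connect(":memory:")
    store_flows(conn, parse_netflow_v5(build_demo_datagram()))
    return flag_flows(conn, load_blocklist(DEMO_BLOCKLIST))


if __name__ == "__main__":
    for hit in run_demo():
        print(f"ALERT {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"({hit['octets']} bytes) matched {hit['matched']}")
```

The count check matters because the collector is listening on a UDP port that anything on the LAN can send to: an exporter-supplied record count that overruns the datagram should be dropped, not indexed. The Telnet flow to the listed netblock is the one that surfaces, which is the kind of outbound connection the talk argues a firewall will happily allow and only flow analysis will show.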