Good afternoon, guys. I guess I didn't suck last year, because I got upgraded to this room. My name is Andrew Gavin. I'm with Verizon Business, and I have with me Michael Baucom and Charles Smith from N2NetSecurity. And we're going to talk today about how you can use OpenDLP through Metasploit with existing Meterpreter sessions that you might have popped. So without further ado, we'll get going. Just briefly before I get going: everything that we say up here is our own. We're not here representing our companies or anything. And if you use what we talk about today to get in trouble, that's not our fault, so don't try to blame us or anything. So what we're going to do today is briefly go over what OpenDLP is. I've given talks about this before, so I'm only going to take a couple minutes on that. And then Michael and Charles are going to talk about the limitations of using OpenDLP for pentesters and how they got around that. They basically built this new middleware to integrate between OpenDLP and Metasploit, and it's really awesome. So we've got a few demos for you, and we hope you guys like this. So just a brief recap of OpenDLP. It's a data discovery tool, and it is written in Perl and C for the different components, released under the GPL. So it's free and open source. And what we're going to talk about today is just strictly the Windows agent scanner. OpenDLP has support for agentless scanners for file systems and databases, but that's not what we're going to talk about today. So just to show you what it does, I'm not going to talk to these slides here. I'm just going to show you, to walk through it. There's the mouse. So the first thing you want to do is create a profile. This is the old way of doing it, by the way, not the cool new way. So we'll just name this DEF CON agent, second type. And we want to scan. The scan type is a Windows file system agent. So the user name is developer. And what's the password? One, two, three, four, five. Okay.
So the same password as my luggage. MS home. So we've got some dummy stuff in a directory here. We don't want to do a full scan, because that might take an hour. So just Documents. We'll scan for some fun regexes. So Amex, Discover, and... this mouse. Mastercard, SOCH, Visa. And we have to fill out our basic auth credentials. So DDT and OpenDLP agent. Fill out that garbage. And we submit our profile. So this is what we can reuse all the time. And what we want to do next is just start a new scan. And just fill out the name of the scan, called DEF CON. And we want to do the DEF CON agent. And then the IP address is 56.102. So we'll start that. So now in the background what it's doing is pushing all these files over SMB to the Windows system that we want to scan. And it's going to start that off as a service. And it's going to run at low priority. It's going to limit itself to a percentage of that target system's memory. So it's not going to totally destroy and crush the box when you're scanning it. Every so often it's going to call back to the web app with results over a two-way trusted SSL connection. So you can securely transmit results. And this should quickly finish. Oops. To view the scan. So it's running right now. It should finish in a little bit. When it's all done, it's going to send a message from the agent to the web app. And the web app is going to automatically uninstall it as a service. It's going to delete all the files that it had, like its binaries and its DLLs and things like that. So if we just wait here... here it's done. And you can see that it's found what it thinks are social numbers, credit card data, all in these plain text files, data at rest. So you could click on these files and it would open that file, and you could verify whether it's actually a social number or whatever. So with that, I'm going to hand it back over to Michael. He's going to talk a little bit.
So under the current implementation, you know, we found that we had, A, we had to have passwords, and, you know, necessarily we may not through a pen test. So what we've tried to do is set this up so that we didn't have to have domain admin all the time, because you have to set up a profile per password. So let's say we don't have domain admin now. For each system we have, each password we have, we'd have to set up a new profile, and, you know, generally we're just lazy. So that's not the way we want to go. So the goals of this project were to be able to scan machines for sensitive data both with and without credentials. We wanted the tool to have minimal impact on the user, so that they aren't really knowing that these things are going on. Even if we have permission, you know, we're not trying to kill the machine. The tool must clean up its deployed files so that we don't have a lot of residual files sitting around, and minimize risks of leaking data. So if we don't need to, don't pull the files off of the actual system. And, you know, not necessarily a hard requirement, but we wanted to do this with an open source kind of tool and give it back to the community. So what we found is, you know, we pretty much had the tools we wanted. We had OpenDLP. We've been using that. We use Metasploit often for pen tests. And, you know, with these tools, why go learn something else? So is there a way we could make these things work together and give us some ability to do the tasks at hand? So OpenDLP was just about the solution. You know, as we said earlier, we had to provide credentials. During a pen test, we may not have the credentials. We may have the hash. We may not have the domain admin. Even if we can get a hash dump, we may not be able to get the domain admin if they haven't logged into that system. While we can use the system accounts, also it's kind of cumbersome.
And, you know, we keep going back to the... you know, we're kind of lazy and we want to do this the easiest way possible. So no credentials, you know, it's not a problem. You know, Metasploit can do this for us. We go and we break a system. We have a Meterpreter session running, and we can basically use the Meterpreter session to download our deployed files, execute, install services, delete services. You know, anything that we needed to do for OpenDLP we can do through the Meterpreter session. So, you know, it was just generally, that's a great method. Then we had RPC. So because of the Metasploit RPC we could communicate to the system under test with OpenDLP and control everything that we could from the console. Well, most everything you can from the console. Why Metasploit? Well, it's this tool we had heard of, and it was pretty cool. So, you know, we're seeing it has an RPC interface, like I said, you know, has many routines to elevate privileges. We could download, upload files, execute applications on the target. You know, deploying services was crucial, so that we didn't have to also distribute, like, sc.exe to these systems, and now we're a little bit closer towards having a fully open source capable offering. And for now we'll turn this over to Charles, who did most of the implementation, and let's go. Thanks, Mike. So as you can see, OpenDLP and Metasploit together satisfy those goals Mike was just talking about. We can deploy with Metasploit without any kind of credentials. And there's an added benefit that whoever's using OpenDLP to deploy has no knowledge of any of the credentials for those popped boxes. So there's an extra layer of security there. We have one profile which can deploy to hundreds of Meterpreter sessions all at once if you want. And the big thing is there's no changes to Andrew's agent. That code remains the same. It doesn't care how it's been deployed. And here you can see the typical OpenDLP setup as it is now.
The pen tester here hits OpenDLP via his browser, which then deploys with SMB. Periodically the agent running on the target posts back results to OpenDLP, and will even tell OpenDLP when it's finished, and it'll be uninstalled by SMB. Well, we've gone and removed this SMB and replaced it with RPC communications to the Metasploit RPC server. We can do all the exact same things over this RPC. So I will send a command that tells this to create a new directory on the target, and then Metasploit RPC will use a Meterpreter session to create that directory, copy files into that directory, start a service, run the sc.exe executable and start the service. And the agent still posts back with HTTPS here. So that's unchanged. So to do this, I created a Perl module called Metasploiter.pl. And I modified a bunch of the OpenDLP web pages, the web app pages, to include all this integration, creating these directories and uploading these files, just like it's done with SMB currently. I also created a Ruby module that's installed in Metasploit. But I'll go over that a little bit more later. Right now we're going to concentrate on a Meterpreter deployment. Since OpenDLP is written in Perl, I figured I should probably learn Perl. And I did. And so then I created this module. And it's pretty much, it's a standalone module, actually. It's not tied to OpenDLP. It encapsulates the RPC functionality into a request and response interface. I send a Meterpreter write, and inside the code I continually poll and wait for the response before I return. So it's synchronous. It's a general use class. And I hope you guys will actually take a look at it and use it, because you can use it for a lot of different cool stuff. But because it's general use, it left a lot of code still in the web app pages, because I have to use it to create directories and all that. I just can't say, hey, start. But it does parse all the responses for you and everything. And so here are the highlights of this new module.
I can use it to log in and acquire credentials. I can get the current Metasploit version, a list of the sessions and details about each session. I can interact with sessions with Meterpreter reads and writes as well as synchronous writes, upload and download files, create and change the remote path, change the local Metasploit path, remotely execute applications on the target. And I can check if I'm connected to an Armitage console. So this is a quick sample of the code. I don't know how well you can see that. But I wrote code here that will authenticate with the RPC. You just give it the IP address and port, login and password. And it also works over SSL. And I have set it up so that if it's successful, it will return zero. That way you can choose how you want it to die. And Metasploit, or the RPC, is all over HTTPS or HTTP, which means that once you log in, you get an authentication token back. And we handle all this inside, but that authentication token is only good for a short period of time before it expires. So we also have the ability to acquire a persistent token. And as long as you continue to pass that in your transactions, your login won't expire. We can also create a list sessions method, which will list all the sessions on the Metasploit system. And get session list will return that list as an array of hashes. And this code here just walks through that array and prints out the IP address and some info about the host. I have a method get Metasploit version, which will get the current Metasploit version, obviously. You can change path. I have a method called send and wait, which will send a command and wait for a response. And get command response will get that response. And then you can release the persistent token to log out. And this is what the output of that little application looks like. And this is just a subset of the code that's in there. You can see you can do a lot of really cool stuff with this if you want. So this isn't perfect.
There's a bunch of... I mean, it's pretty slick, but right now it uses Meterpreter to deploy. And Meterpreter sessions have no way of authenticating a user against the current session. That means you can't have two people accessing it at the same time, because the way Meterpreter works, you send a request and it outputs its output into a buffer. If two different people send a request, the response to that, the output, gets put in the same buffer. So the first person who reads from Meterpreter gets all of that output. So if I send a pwd and somebody else cats a file, the first person that requests a read gets all of that data. So really the only way right now to keep from having this error, this problem, is to be like, hey, guys, I'm using session 3. Don't mess with it right now. And that's not exactly ideal. The other thing is the RPC is a command interface only. You can't transfer files over it. Basically, what you can type into an MSF console are the only things you can send and receive from your host to the RPC server. So you can upload files, but they have to upload from the Metasploit box to the target. Likewise, when you download, they download from the target to the Metasploit box. What this really means for users of OpenDLP is you can't just click on a file and download it like you can with Gavin's stuff. So this is a problem, because in addition to those original goals, we really want this to work with Armitage. Because Armitage is just a neat GUI for Metasploit you guys might have heard of. It's used by a lot of pen testers. I think we even use that, maybe. So it doesn't play nicely, because even though Armitage has a nice deconfliction server, we totally screw that deconfliction server up. Our reads will pull stuff that's meant for Armitage. And Armitage doesn't really like not receiving its responses. So as a stop gap measure, I created a little method that will check to see if Armitage is currently using the RPC connection that we're connected to.
And it just returns true or false if it does. But still, all I can do is display a warning in OpenDLP saying, hey, you're connected to Armitage. You might want to consider telling people not to use it right now. So that really wasn't ideal. That's not what we wanted. So what I did, I needed a solution for that. And the solution was to build a post module in Metasploit. Because that offloads all the deployment to Metasploit. It does all the work. I can just say, hey, start it. And I created this module, called it openDLP.rb, written in Ruby. And it's installed in the Windows Gather directory. I also created a Perl module which interfaces with this Ruby module. The Perl module is obviously installed on OpenDLP. And the only purpose of it is to connect to the Metasploit Ruby module. It's not a general use class. It's very specific. It overrides the Metasploiter Perl module I made before. But it actually only uses a narrow subset of that. All the Meterpreter stuff is not used at all. It strictly communicates directly with this new post module. So the first way we decided, or I decided, to do this was I wanted to use the regular RPC module.execute command. But it didn't work. I mean, we could start the module, but we couldn't tell when it had finished the execution, and we couldn't get any output through the RPC. This is a limitation of the RPC, and we thought of other ways to do this, modifying Metasploit and such. But really the easiest way, again, we're lazy, was to create a new console. And because I create the console, I get the ID. It's mine. It's tied to a user. And it's got this nice little busy flag. So if I start the post module just as I would from a Metasploit MSF console, then I can tell when it's finished execution and I get all that output. And this has the added benefit of being able to hack around and let us download files as well. Because I can control the output in Ruby, I'll read a file off the target system,
base64 encode it and throw it in some headers, and then print that all to the console, and that allows me to fake it, to be able to transfer files over the RPC. So it can work just like Gavin's stuff. And so this post module has six different actions. I can deploy, which will create a directory on the target system, upload the OpenDLP files, execute the archive, write a configuration file, and install and start the service. I can independently start and stop the service with this module. I can delete the service, uninstall it. I can remove all the installation files, and again, I can read a file off the target system. And this is the post module that's installed in Metasploit. So I created this new Perl module to interface with this. And this module does all the work of creating a console and executing the post module inside. It's really easy to use. You set the module name; the configuration string, which we get from OpenDLP, we just base64 it and set that; the source path, which is the path on Metasploit where the OpenDLP deployment files are located; the remote path, which is the installation path; and the session ID, which is the session you want to work with, that we want to deploy this to. And this is probably going to be really hard to read, but it works just like the previous module. You log in and authenticate, but now you set the module name, and in this case it's windows/gather/openDLP, and check to make sure it exists. Then we set the source and remote path, the configuration string and the session ID, and just call deploy OpenDLP. It handles creating the directories, installing the service, and everything. And it returns zero if it was successful. And we can download files just as easily. To get the contents of a remote file, I call the method read file. It returns zero if successful, and then call get file data to get the contents of that file. So to add support for Metasploit, I had to change a lot of files in OpenDLP.
And although I created the Meterpreter-based deployment first, the post module is obviously better, because it's less code and it deploys without messing up your Meterpreter sessions, without any kind of concurrent access problems. But I left them both in OpenDLP, because honestly I didn't want to lose the Meterpreter-based deployment code. The Metasploiter Perl module is really useful, and I wanted to share it and give it back to you guys, even though it's not as efficient and doesn't work as nicely. So I could go over all the code changes I made, but I have a feeling most of you would get up and walk out right now. And you can just download them and diff them and see all the coolness there anyhow. So I'm just going to go through the GUI changes, and I'm going to make it kind of quick. So I had to update profiles, because now our profiles have to contain login information to the Metasploit RPC server: just the host and port, user and password. And again, OpenDLP deployment files have to be on the Metasploit box. So you have to copy them off of OpenDLP and stick them in a directory on Metasploit, because I can download files with the new post module, but I can't upload them the same way. So those have to be there, and that's the path that you're going to deploy from. And then I also have a latency and timeout which you can more or less ignore. And here's what the new profile page looks like. And you can see all of this here is the new Metasploit stuff. And then after here we get the installation path, and from there down it's the same. And I have both the Meterpreter deployment here as well as the post module. They look identical. I also made changes to the start scan page, because the way Gavin's stuff works, you have a profile and then you have to put in the IP addresses manually, which, if you only have system credentials, you have to put in a new IP address for every profile, and you have to remember that too.
A domain works a little better, but you still need to know those IP addresses beforehand. Well, deployment with Metasploit uses sessions. And those sessions aren't like IP addresses; they can change. If a box loses connection and you have to re-pop it, the session ID is going to change. And we can't use it by IP address either, because you might have several different exploits running on a particular IP address, but only one of them is suitable to use deployment for. You have to be able to get system with that exploit. So instead I created a new page which will list all the current sessions and allow you to pick and choose which ones you want to deploy to. Again, we're lazy, and this makes it a lot easier. So when you start a new scan now, and you choose either a Metasploit agent or the post module agent, you'll get a little screen like this with a get sessions button. And you press that get sessions button and you're redirected to this landing page, where it shows you all the currently open sessions on the Metasploit system. And you just choose the ones you want and press start scan. And this brings me to the start verify page. This is the page that does all the work down inside. This is where everything, where the deployment happens, where directories are created, where files are copied and the services are started. I just load the configuration parameters out of the profile and deploy to either Metasploit or post module based on bridge. And then I'll display a detailed output, so you can determine, if it doesn't deploy correctly, you know why. And it ends up looking a lot the same as Gavin's stuff. You see here, I guess you might not be able to see, but it found two sessions and it tried to deploy to both. It started, attempted to start, and then it started. I changed the view results page. Again, with the IP addresses... the session IDs can change; unlike the IP addresses, session IDs can change.
So when you go to look at your results, if the session ID has changed, you now have orphaned results in your database and no way to get those files and view them. This is because the files stay on the target system; they don't get copied into OpenDLP. There's got to be a way to reconcile the orphan scan with the session it belongs to, the new session. So I created a page here in view results. It checks to see if the session is currently active and, if it is, if the IP address matches. If neither of those conditions are met, it'll give you a little warning message and a button that will allow you to update. I can show you here. See, the session IDs are mismatched; it says the session has died and you won't be able to download files. If you click update session ID, it'll give you a list of sessions that currently have a matching IP address. Then just click the update database with new session ID button, and it will update the database in the session ID with the session ID, and you'll be able to now download files with those results again. I also had to change download file for the Meterpreter-based deployment, because files can't be downloaded with the Meterpreter-based deployment; you can't get it all the way to the OpenDLP web app. What I do instead is I use that path to OpenDLP files on Metasploit, where the deployment files are located, and I create a path under there using the IP address, the session ID and the profile name, and store the file there so you can get it off the Metasploit box later. Again, the post module deployment doesn't have this restriction, and this is what it looks like for a Meterpreter-based one. The path in green, if you can read it, is where it will save a file to. I made some changes outside of the Metasploit functionality, because I was doing a lot of work on this and had lots of failed scans, and I had to go through and clean up the database manually sometimes, because I get so many failed scans in there.
So I modified the delete scan page so that I can select multiple scans to delete at once, and I can also delete scans that haven't completed yet. This is useful if you put in invalid credentials for the Apache credentials to connect back to OpenDLP, and it just sits there and continues to run, and it's an orphan scan. Now you can delete it, and this is what that looks like. You now have checkboxes and can delete multiple scans at once, and if you click this display incomplete scans button, it'll show the incomplete ones as well. And I made a little sidebar as well, which will allow you to manually manage the agents installed on remote systems. You can start, stop and uninstall agents outside of the normal OpenDLP workflow. This is useful if you start a scan again but you had incorrect credentials, or it didn't work but left installation files still on the box, and now you can go through and clean those up remotely without having to use Metasploit to do it. And that looks like this. It just shows you the session IDs open, and you can pause, resume or uninstall. And this is also useful if you have, like, 50 scans running on somebody's network and you only want them to run at night: you can grab them all and pause them all, or delete and uninstall them all in one fell swoop. And it'll even tell you if it was installed or not when you try and uninstall it. And that brings me to the live demo. So I've already created a couple of profiles here, and this is the post module, and all the Metasploit stuff. We are going to use SSL on this and do a limited subset here so that it completes pretty quickly. Yeah. Oh yeah, in the profiles, the username and password here, which were for domain, are now blank. You don't need those, don't use those at all. So to start a new scan, I'm going to choose a post module deployment, and I'm going to call get sessions here, and this shows two sessions. And if you can see here, these are the same sessions open in Metasploit. I'm going
to select both and start a scan, and this will take just a couple of seconds. And here we go, we have two successful deployments, and we can view the results here. Post one has started, and both systems are currently running, and I can open up... you can see that the agent is currently running now. I can go over here to the manage agents, if I want, get those sessions and pause that agent, and he's been stopped. Actually, it looks like he may have already finished. Yeah, they both completed so quickly I couldn't show you that. But now with the post module I can view these results and download them just like a Windows agent scan. And I can also, if I want to make sure that there's no more Metasploit installed on those boxes, I can try and uninstall the agents again, and it'll tell me if they were installed on there or not. You forgive me for how slow it is; I'm running four virtual machines. And here we go, it tells you that the OpenDLP service wasn't installed. And I can run through here with the Meterpreter deployment and deploy in the same way. And here we go, you'll notice that the logs are different because of the different deployment type, but they both did deploy and start correctly. But the difference here, when you go to view this... second to complete. Ah, all right, now it's completed. Now if I want to grab that allow.txt file, it has downloaded it to the Meterpreter, or to the Metasploit box. So it's downloaded allow.txt on session 15 to OpenDLP, which is the directory for the deployment files, with the session ID and the IP address, and I can show you that right here. And here we've got the meta reg, which is the name of the profile, session ID, and then we've got the allow.txt. And I can also show you here, I have this old profile, and this one has a different session now. I can just click update session ID here, and it'll give me a list. Right now there's only one with that matching IP address. I click update the database, and again I can view these files now. And so this is where you can
get the new OpenDLP. Andrew released this yesterday. Yeah, yesterday this was released, and you can download it and play with it right now. Source code and binaries are there, as well as a VirtualBox, and this is us. Thank you for your time.
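The flow Charles describes for the post module deployment (log in to the Metasploit RPC, swap the temporary token for a persistent one, list sessions, create a console that is yours so you get its ID and busy flag, run the post module in it, poll until it finishes, and carry a file back by printing it base64-encoded between marker lines), as an added example in Ruby. This is not the talk's Perl module, the openDLP.rb post module, or any OpenDLP or Metasploit code. It talks to an in-memory stand-in for msfrpcd rather than a real daemon, and the module path post/windows/gather/openDLP, the ACTION and FILE option names, the marker lines and the sample file contents are assumptions of the example.

```ruby
# Added example (not code from the talk, OpenDLP or Metasploit): a minimal
# Metasploit RPC client following the console-based flow described above:
# login, persistent token, session list, a private console, run the post
# module there and poll console.read until its busy flag clears.  The transport
# is injected so the example runs offline against the fake msfrpcd below; a
# real client sends each call as MessagePack over HTTP(S).  The module path,
# ACTION/FILE options and file markers are assumptions made for this example.
FILE_BEGIN = "-----OPENDLP FILE BEGIN-----"
FILE_END   = "-----OPENDLP FILE END-----"

class MsfRpcClient
  def initialize(transport) # transport.call(method, *args) -> Hash
    @transport = transport
  end

  # 0 on success (the convention the talk's Perl module uses), 1 otherwise.
  def login(user, pass)
    r = @transport.call("auth.login", user, pass)
    return 1 unless r["result"] == "success"
    @token = r["token"]
    0
  end

  # auth.login tokens expire; auth.token_generate returns a persistent one.
  def acquire_persistent_token
    r = @transport.call("auth.token_generate", @token)
    return 1 unless r["result"] == "success"
    @token = r["token"]
    0
  end

  # One {id:, host:, info:} hash per live session.
  def session_list
    @transport.call("session.list", @token).map do |id, s|
      { id: id.to_i, host: s["session_host"], info: s["info"] }
    end
  end

  # Synchronous send-and-wait on a console we created ourselves (so its id and
  # busy flag are ours): write the command, then read until busy is false.
  def send_and_wait(command, max_polls: 50)
    @console ||= @transport.call("console.create", @token)["id"]
    @transport.call("console.write", @token, @console, command + "\n")
    output = +""
    max_polls.times do
      r = @transport.call("console.read", @token, @console)
      output << r["data"].to_s
      return output unless r["busy"]
    end
    raise "console #{@console} still busy after #{max_polls} polls"
  end

  # Decode a file the post module printed base64-encoded between the markers;
  # that is how file contents cross a command-only RPC.  nil if absent.
  def self.extract_file(output)
    m = output.match(/#{Regexp.escape(FILE_BEGIN)}\n(.*?)\n#{Regexp.escape(FILE_END)}/m)
    m && m[1].delete("\n").unpack1("m0")
  end
end

# Stand-in for msfrpcd with one Meterpreter session (constructed data).  Like
# the real daemon it rejects every call except auth.login without a valid token.
class FakeMsfRpcd
  SAMPLE_FILE = "4111 1111 1111 1111\n078-05-1120\n" # constructed dummy finds

  def initialize
    @tokens, @consoles = {}, {}
  end

  def call(method, *args)
    if method == "auth.login"
      return args == ["msf", "lab-pass"] ? issue("TEMP") : { "error" => true, "error_message" => "Login Failed" }
    end
    return { "error" => true, "error_message" => "Invalid Authentication Token" } unless @tokens[args.shift]
    case method
    when "auth.token_generate" then issue("PERSIST")
    when "session.list"
      { "15" => { "type" => "meterpreter", "session_host" => "192.0.2.56", "info" => "NT AUTHORITY\\SYSTEM @ WIN7-LAB" } }
    when "console.create"
      id = (@consoles.size + 1).to_s
      @consoles[id] = []
      { "id" => id, "prompt" => "msf > ", "busy" => false }
    when "console.write"
      @consoles[args[0]] = output_for(args[1].strip)
      { "wrote" => args[1].length }
    when "console.read"
      q = @consoles.fetch(args[0], [])
      { "data" => q.shift.to_s, "prompt" => "msf > ", "busy" => !q.empty? }
    else { "error" => true, "error_message" => "unknown method #{method}" }
    end
  end

  def issue(prefix)
    @tokens[t = "#{prefix}-#{rand(36**12).to_s(36)}"] = true
    { "result" => "success", "token" => t }
  end

  # Output arrives in several chunks so the client really has to keep polling.
  def output_for(cmd)
    return ["[-] Unknown command: #{cmd}\n"] unless cmd.start_with?("run post/windows/gather/openDLP")
    body = cmd.include?("ACTION=READ_FILE") ? "#{FILE_BEGIN}\n#{[SAMPLE_FILE].pack('m0')}\n#{FILE_END}\n" : "[+] Service started\n"
    ["[*] Running module against session...\n", body, "[*] Post module execution completed\n"]
  end
end

# Walk the whole flow once: deploy the agent, then pull one file back.
def demo_deploy_and_fetch(rpc = FakeMsfRpcd.new)
  c = MsfRpcClient.new(rpc)
  raise "login failed" unless c.login("msf", "lab-pass").zero? && c.acquire_persistent_token.zero?
  target = c.session_list.first
  base = "run post/windows/gather/openDLP SESSION=#{target[:id]}"
  deploy_log = c.send_and_wait("#{base} ACTION=DEPLOY")
  read_log = c.send_and_wait("#{base} ACTION=READ_FILE FILE=C:\\temp\\allow.txt")
  { session: target, deploy_log: deploy_log, file: MsfRpcClient.extract_file(read_log) }
end
```

The fake returns its output in several chunks with busy set until the last one, which is exactly why send_and_wait keeps reading instead of taking the first response; a bounded poll count keeps a wedged console from hanging the web app. To point the client at a real msfrpcd, replace FakeMsfRpcd with a transport that MessagePack-encodes [method, *args] and POSTs it to the daemon's API endpoint over HTTPS.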