I'm really excited about this. Yes, we are going to start a little bit early, but heck, you guys read the program. We're going to cover a lot in a very short amount of time. Real quick anecdote: I'm a big fan of the Social-Engineer Toolkit and all the stuff that you guys do. Funny thing, when I'm back home, I do a lot of security awareness talks for other attorneys. And this spring I did a live demo. It was crazy. I did a live demo of the Social-Engineer Toolkit, and who is in the audience but the Chief Justice of the Missouri Supreme Court. So you've been terrifying a lot of powerful people for a long time, and I'm really excited to see the new stuff. Let's give them a big hand.

Wow, it's Sunday and you're all still here. So a round of applause for you. I'm sure everybody's experiencing delayed reactions, headaches. So we have a lot of, like, shrieking and loud noises throughout our presentation just to kind of keep it fresh, content-wise. Just kidding. Just a quick intro. I'm Dave Kennedy. You know, I started TrustedSec and Binary Defense, which are my companies. And you know, it's funny: I just saw somebody here that I used to work with in the military, and it's funny how you kind of see all the people that you kind of grow through this industry with, as well as a whole bunch of new people that are coming into the industry. And I got to get a hug yesterday. I'm a big hugger guy. But I got a hug yesterday from somebody that was just coming into the industry saying, you know, hey, I'm so passionate about what I'm doing, learning from all of this, and I'm learning from everybody else. And that's the biggest thing that, you know, when I was coming into DEF CON, I think DEF CON 8 or 9 was my first DEF CON, the thing that I came into and I learned about was just learning from other people, because everybody is so damn smart in this industry. And no one knows everything that the other person knows. So it's all about that and that community.
And DEF CON is such a great place for that. And I mean, I have to give a round of applause to everybody that makes DEF CON possible. The goons that, you know, cleared up all the traffic flow after the first day, you know, giving their nights, and their nights and nights and nights, over and over again. Let's give a round of applause for everybody at DEF CON. So I authored the Social-Engineer Toolkit and a couple of other tools. I'm actually going to be showing one today called the PenTesters Framework, which I added a new module in for a pivoter that Jeff wrote that we're going to be releasing today. But we'll get into that. Jeff? This is Jeff's first time presenting at DEF CON. So can we give him a round of applause for getting up here and having balls?

All right. Well, as David already introduced me, I'm Jeff Walton. I'm a senior security consultant at TrustedSec. One of the things I do like to do a little bit on the side when I get time is to actually write some tools and create some things. I've authored a tool called SHIPS that's pretty popular. And recently I wrote a tool called Pivoter. So that's kind of who I am. So Dave's going to talk a little more about kind of the history of pentesting and stuff like that and what we do at TrustedSec.

So real quick, when we come up with acronyms for tools, it's kind of funny. SHIPS was actually going to be CHIPS, because one of our guys ate seven bags of chips one time in one sitting. So we were going to, in his honor, name CHIPS after this specific tool. But unfortunately we couldn't come up with a good acronym for CHIPS. So it ended up changing to SHIPS, which kind of sounds piratey. So it sounded pretty good. But Pivoter was one of those ones where, you know, it sounded kind of cool. And I think, what was your original name, proxy something or other? So this is... that mic's not hot. So this is kind of funny. Actually, Dave seems to have a habit.
I come up with very boring, rather restrictive names for my tools that pretty much say what they actually do. I originally called this thing ProxyKit and, like every other thing I write, Dave immediately renamed it, which is awesome, because Dave's names are really better. Sweet.

All right. So we'll get into the talk here. Look a little bit at the history of how attackers kind of move and kind of our challenges as pentesters in the past. You know, if you look at pentesting in general, right, any pentesters here? Like, a whole bunch of people. It's awesome. The first thing that we do as an attacker is we go after an infrastructure. We try to find an exposure, whether that's social engineering or going after, you know, a specific attack on a web application, or whatever it ends up being. We end up finding a flaw. We compromise that. And then we get access to one system, right? And we get access to that one system, and from that one system, if we have elevated rights, we have the ability to kind of move over into other systems, right? And then from there, we try to go after a couple other things and get a little bit more information here, a little more information there. It's like a puzzle, right? We kind of put together a little puzzle until we get access to the stuff that we want access to. The lateral movement thing is a big, you know, talk right now. It's been difficult for us, I guess, in the industry, unless you're using something like pro versions. Like Metasploit Pro, for example, has a VPN functionality where, if you compromise, you can, you know, tunnel and pivot through a Meterpreter session. Or, you know, like Cobalt Strike, those ones have an ability to tunnel if you have administrative rights, right? So all of these different things are concepts that we use every single day, and that attackers use every single day, to go after specific targets and then from there move across the network.
So to kind of talk a little bit about that, when you look at lateral movement, you compromise one system, right? And there's like random Chuck Norris things throughout this whole presentation. There's no relevance to them whatsoever. But if you look at lateral movement in an organization, it's about compromising a system, getting information, whether that's credentials or, you know, clear-text credentials with Mimikatz or something, and then spraying across the network and going to other systems to get access to them. And so in that case, you know, we look at that and say, well, it's difficult in a lot of cases to escalate our permissions sometimes. For example, let's just say you have, you know, an organization that doesn't run administrative rights, or you compromise, you know, a network service account. Something that you have the ability to target, and you have access to a system, but maybe there's not enough information on that system to get you to another one to move laterally in the environment. That's been the experience of mine and Jeff's at almost every pentest that you run into: you target an individual in an organization that has very limited permissions to actually go about that. And so, you know, when we look at that, when you look at what we do as pentesters, it's really about thinking outside of the box, right? We have to come up with creative ways to navigate security restrictions or mechanisms that are in place to stop us from attacking different things. And in most cases we do; we get crafty. I mean, maybe we find that our one exploitation method that we got in with wasn't successful, right? And then we go to another avenue that may have been successful. And then from there we may go to other systems that may get us, you know, the types of information that we need. But it requires us to think outside of the box. Okay, the focus has really been around just getting domain admin rights, right? And I see someone taking a picture of that screen.
I apologize. Don't Google "clock" and forget the L. But when you look at a lot of the types of attacks that we do, the types of methods we do, it's mostly around getting domain administrative rights, right? If we get DA, that's it, and that's kind of how we, you know, target our test. But that's not really what we're seeing out there as far as attackers. Attackers want access to those types of products that make us unique in organizations. Like, for example, you know, everybody's always worried about PII and credit card data. That's great for, like, the retail space, right? But for manufacturing, that's less of a concern. I mean, customer information is always a concern. But manufacturing is focused more on, you know, how do we make the product? What the chemical compounds are, you know, who our suppliers are and how much we pay for those types of products, and the vendors between those. So those are the advantages. We're kind of at a disadvantage, and we're not really simulating how attackers go after an organization to really try to attack those different types of areas. So for me, looking at this, we have to evolve to a different type of framework, a different type of way of attacking organizations. It's not to say that what we're doing is not right. It's just we need to think a little bit differently in our mindset going in. It's not about smashing and getting root and then using root to get access to it. It's about how do we go after an organization and figure out what makes them tick, what makes them unique, and how do we target them to go after them in a way that is beneficial? And how can we do that with the types of techniques that the attackers are using and what we can use in our own arsenal? That's where we'll talk a little bit here in just a second about Pivoter and the release of Pivoter and what that actually does. So for me, if I'm a sophisticated attacker, I'm going to go after what makes a company unique.
If you look at kind of the history of breaches, and you saw, and I hate to mention the specific breaches because we've all had it hyped in the media, but it's a specific point. When Target happened, you had executives that were fired. If you look at the past maybe five breaches in the past year and a half, you notice they've all blamed them on sophisticated hackers, and it's like a crutch of, like, hey, we got targeted by sophisticated hackers; even though we've neglected security for the past 10 years and we haven't given security any light of day, we still got targeted by a sophisticated attacker, so now that's okay, right? And by the way, the sophisticated attacks are like four lines of bash. So does anybody here know how to write a couple lines in bash, a little for loop in bash? You are all APTs. Congratulations. Sophisticated attacks are bullshit. It's all about everybody being targeted. We're all getting targeted; it's a matter of whether we've gotten targeted or not, and how often your security program is up to say, well, if I'm ever targeted by an attacker that I might actually attribute to North Korea, China, Russia, it's just a sophisticated attack, so it's okay. It's not okay. And we need to be building defenses against those, and I'll talk a little bit about what a targeted attack looks like and some of the areas that we struggle with sometimes when we're doing our pentests. So this one was a fun one. You know, we get to go on red team engagements, and you know, you have the traditional pentesting, like, hey, we want an internal/external engagement. Or it's like, hey, I want you to do a full-scope red team engagement. And there's different maturity levels of that. Customers that really want a red team a lot of times are like, I want you to do a red team engagement, but literally you have to do it between like 3 and 4 p.m. on Tuesday, and you can't break anything, and you only talk to one person. And so in cases like that it's not really a red team.
But in this case, this customer is actually pretty awesome, and they wanted us to do an attack against them, aside from, like, breaking windows and punching people in the face. You couldn't do that, apparently. We asked, if we get busted, can we punch people in the face and run away? No? Okay. Cool. I wouldn't really punch people in the face. I'm a hugger. I would hug them. But the whole purpose was this. They had spent a lot of time on R&D and protecting research and development and intellectual property for their future products. And why that's important: for manufacturing companies, the sustainability of them really depends on whether they're still competing. It's very disastrous, especially if it's other countries competing against them or other different types of competitors. So the R&D piece, where they do the research on the next type of product line, right, a lot of times that's the most important piece of the sustainability long term of an organization, whether or not they can still compete. I came from a company that really had a tough time diversifying themselves in the market that they're in and had a tough time in their next product lines, and are still trying to do that. In this case the customer wanted us to target it and go after them in a way that actually compromised them, in any way I wanted to. The first thing I'm like, I'll go after phishing, because that's the easiest. Phishing is always great. With phishing, obviously creating a scenario or something that's believable is one of the most important pieces. What I started to do first is looking at what I can do to compromise them. I started looking at their outside, and I found a file upload vulnerability that allowed me to pop a web shell. You don't have squat to do anything with network service. You can't escalate permissions. You can't grab Kerberos tokens in a lot of cases. You're really restricted to usually the inetpub directory, or whatever the directory is running in.
Sometimes you can find web.config files, sensitive data, that you can use to maybe tunnel and piggyback to a SQL server or something like that. In a lot of cases you're pigeonholed in that environment, and you can't move in different directions. I was kind of at a dead end. No Pivoter yet. That would have been really nice, by the way, Jeff. Thank you. I had to do a little hard work here. What we ended up doing is using that website and creating a sub-website of that website to be like a survey type thing. We had a user and a password field and stuff like that in there. We started thinking, if I go and I can create a website that's on the customer's domain, and I can send emails to a customer with that domain in there, it's probably pretty legit. We went on to a couple of folks and we ended up compromising someone in the sales organization. Salespeople are phenomenal; they're great. You can have salespeople do anything you want to, especially if you're going to give them money. That's the best. They'll be like, can you disable your antivirus so you can open up this Excel macro document that says virus.xls? Sure, no problem. I'm still going to get the sale. We used that and we compromised it on into. VPN is two-factor and their OWA is not. So you have access to full OWA access, but you don't have access to VPN. OWA, for a hacker, is like the best piece that could ever happen, because you already have established lines of communication and trust. So if you have trust already, and you already have communication where someone's talking and sending emails back and forth, it's really easy to use OWA as a mechanism for those. And what's funny about, like, two-factor, for example, you may have heard of PhoneFactor, right? It's a two-factor authentication solution. There's also a couple other ones too.
Does anybody have the ones where it'll actually call you and ask you if you're logging in, or it'll give you a push notification, if you want to allow it to log you in or not? Do you know how bad that is from a security perspective? How many times have I been on a pentest... Like, literally, I went into a pentest one time, broke in and logged in with my username and password, and it's like, please wait while we call you, and I'm like, oh crap. And I'm like, uh-oh, I'm busted. There goes my whole phish, there's two days' worth of work and all this other stuff. And all of a sudden you log in, and you're sitting there, and you're waiting on the screen, so you're like, okay, I'm screwed. And all of a sudden you log in and you're like, that was weird. It will error, right? Unless you teach them, right? But in most cases, like, two-factor authentication, if it's not implemented properly, is also a problem. So just saying, as a caveat. But anyways, they didn't have two-factor on OWA, so it didn't make a difference. So what was interesting is, for those familiar with the tool that I wrote called Unicorn, it does PowerShell injection, and it does native x86 shellcode injection through PowerShell, and then it gives you a PowerShell command that you can push on any system that you have remote command execution on, and it just gives you a shell. That's why it's called Magic Unicorn. It has ASCII art that has a red unicorn. It's pretty awesome. But anyways, so with Unicorn there's also another attack that has Excel injection for macros. And what's great about macros is they're kind of like the thing in the past, because they're usually flagged. But in this case, with a lot of the macros, you can do straight PowerShell injection.
What's great about PowerShell too is it's usually a whitelisted application, so things like Bit9 aren't going to pick it up, so you have the ability to get remote code execution on a system that has application whitelisting, that has next-generation stuff, because it's all in memory, which is great. So something comes in via an e-mail, whether it's incoming or a web gateway, and if it doesn't look right or it's a certain type of file pattern, it'll actually virtualize it in a sandbox, and it'll look to see all the registry calls, if it's doing C2 communications, anything like that. In this case they had something like that, so when I sent the macro I got the initial stage, but it just stopped and it wasn't working. Anyways, so we ended up writing some sandbox bypass technology, and it's extremely complex. It took us multiple months of exploit research and development to get around it, but we're going to be releasing it today, which is awesome. Just kidding, it wasn't hard at all. It's three lines of Python code. Took about 14 minutes. Most virtualization technology, the way that it works, is that they virtualize it in a sandbox environment; all you need to do is say, if I'm in something that is this pattern, then don't do anything. In this case this specific sandbox technology, which worked for two of the main three, I think, if they're using less than one CPU or less than two CPU cores... so they use one CPU core. Anybody here have a computer that has one CPU core? Sir, I'd like to talk to you, because you probably couldn't... hack you. Sorry, I thought it was ice for a second. Thanks. You got to do it. Deep Kentucky. I got to do it. I got to do it. That was easy. I thought it was going to be a warm ice; that would have been terrible. So in most cases they're using less than one CPU core or less than two CPU cores. What you say is, if I'm in this environment, then don't do anything. When it comes in, it says, am I making any registry changes or anything else? Just shut itself down and quit.
It's all good. It's cool. Then it passes it off to the end user. I built that into PowerShell, and when it actually executed, it checked to see if it was in a specific CPU core and it got past the virtualization technology, which was great. About 14 minutes. So stupid. Anyways, so we ended up compromising one of the boxes, one of the people, and I spent probably a good 20 minutes going through a lot of them, but it was great, as I already had an established communication path into the environment, so I had a shell, which was great. Now what was interesting is the customer did a great job at network segmentation, and so we spent a long time trying to get to the R&D information, which was difficult to do, and I couldn't find a way to get access to it, but I did find their physical access system that allows you to print badges. So we ended up finding their intranet site, and it's like you can see on the right. So walked into the building, picked up a badge and walked into the facility. So I dressed the part. You go to this company and it's all like a suit and tie type thing, and so I wore a suit and everything, and I go to this R&D place, which is the R&D center of excellence. It's this big area with smoked glass windows and everything, and they spent a lot of time and money on this. So I badge in and hit my little PIN, and walk into the wrong place, because you have all these people like in jeans and t-shirts and here I am in a suit. I walk into this R&D thing and they're having this massive meeting of 50 people, and everybody stops talking and looks at me. At that point you're like, oh shit, do I walk in and do something, or do I back out and pretend like, wrong room, guy, sorry, one of those things. I'm like, ah, why not. So I walk in and I walk around the side and they start talking or doing whatever, and the worst thing happened. I wasn't paying attention, the suit, you know, whatever.
So I'm walking and all of a sudden I see this trash can. I fall over a trash can, a metal trash can, there was like mustard everywhere, all over my suit, people are picking me up off the ground, I honestly sprained my ankle, it was terrible. It's one of those things that you never want to have happen in real life, and it happens in real life and you're like, that was really me that did that. So they're picking me off the ground and they're like, are you okay, are you okay, are you okay? They're like, what are you doing with this next week? It's called the implant device, a tap device which I've been working on for about a year, and what it is is, if you're doing like physicals, you have a place to drop something. If you use like an Intel NUC, if you've ever heard of NUCs, they're like a small, tiny little thing, you can put an LTE card in it. I usually put like 128 gigs of solid state memory in it, and then I put like 8 gigs of RAM, and then I use an SSH instance out of the network and it tries to find different ways out. It uses the LTE network first and then it uses the regular network second, and Jeff actually wrote some software that we'll be releasing that actually does a full transparent reverse SSH VPN into the environment. So you can actually create a tap interface off of your device through an SSH tunnel onto the network itself, and then you have a full VPN tunnel into it. Now it doesn't work... This is like a full tap interface that you can actually VPN into the environment through, an SSH tunnel itself, through an LTE network, and do whatever you want, and you can also deploy this on any Linux machine itself. It doesn't need to be a tap device to be implanted. You compromise a Linux box, you deploy a tap, it will find a port out, it will establish that reverse SSH connection, and then you SSH VPN into that environment itself. So it works out really well with the operating system there.
It keeps all of your tools up to date, so if you want to keep all of your tools local on itself, it will actually use the reverse SSH tunnel out of the network to update the tools for you. So you don't have to worry about outbound filters on the network itself for tools and updates. So I'll go ahead and release that this coming week here shortly. So that's a new tool that you should see in the GitHub repos on TrustedSec this week. So the mustard, if Jeff had written Pivoter earlier... So we can blame Jeff for this one, and me having a sprained ankle, and still I think it's bothered me a little bit. But anyways, we'll go ahead and introduce Pivoter.

Well, it all started actually around this time last year, when Dave was talking to me about some of these engagements he'd been on and some of the trials he'd had. Specifically, is there anything like SSH for Windows that wouldn't need privileges? And I thought about it a little bit and I said, yeah, that seems kind of doable. What you're describing is really a SOCKS proxy, but a reverse proxy, you know. And you know, we could implement that. Of course I didn't get around to doing it until I started doing more of my own external pen test engagements and needed it myself, and suddenly it was a lot more important to me. Yeah, like Dave said, what I had been finding on a server is, mostly bigger companies now, they have a security team, they're doing good things, they've got platform baseline security configurations in place. It's not like 1990 anymore, where you installed all of the SQL Server management tools and stuff on every web server and stuff like that, so you could count on Enterprise Manager being there once you got on a box. What I tend to find is I'll get on a fully patched Server 2008 R2 box with support libraries for whatever web application they're running. Typically, though, that web application is still their 5- or 7-year-old ASP app that they wrote in house, and usually I can take advantage of that.
Certainly, as I mentioned, there are tools on the Linux/Unix side like SSH dynamic port forwarding that can kind of do this, and certainly, as Dave mentioned, in Metasploit Pro you've got that VPN functionality. That's not available to everybody, so I wanted to get something out there that others could use, and also I find there's a lot of times when I don't necessarily want to use Metasploit, for one reason or another. So I kind of came up with some basic objectives. I wanted to have something that would be a relatively small payload. As long as I'm dropping on a server that's got the Visual C runtime installed, I can get it down currently to about 13k. Today it's a little bigger; it's about a 70k binary out there. I do believe that we can get that a little bit smaller as we work on it some more. I definitely wanted something that didn't need any elevated privileges, because it tended to be the case that I end up as the IIS user, or maybe I'm a local user on the machine; I usually don't have any good escalation path; I may not even have a good shell; I might be working with some lousy web shell or something like that that's not very interactive. And finally, I wanted to go ahead and do things like port scans with some efficiency. So I've got a few slides here that just kind of show how you use the tool. First thing is, I went with environment variables to set things up. If you've ever used something like tsocks, you know that it basically acts as a library wrapper around whatever command line tool or whatever application you want to execute. Of course, those tools aren't designed to use input. David, I don't think we have the picture, but that's all right. I'm going to do interpretive dances here in a second, so we'll be fine. So anyway, a lot of times those tools don't have any ability to take the input information that I needed, so I thought the easiest way would be to go ahead and communicate with environment variables.
I went ahead and also... the other piece to this that we'll introduce in a minute, the connection broker, uses those same things, and what that broker does is it will be listening for the incoming connections from both the service proxy component that you drop and any application that you run when it makes connections outbound. The next step is, somehow on our victim we need to go ahead and start the service proxy. Again, it doesn't need any special permissions. It's not doing anything like trying to bind low ports. It doesn't need to usually have any firewall rules open, because we're going to go out, and all the connections are going to be outbound, so we're not listening. And finally, our last step is we go ahead and start our application. Anybody who's used Linux is probably somewhat familiar with using LD_PRELOAD. What that does is basically it says, load this library first, so when the dynamic linker comes along and gets a call to a function like connect that would normally be in the sockets library, it comes across mine first and runs that, which hands off over to the broker and then basically performs the connection and side effects that connect would normally perform within the program. So if you've ever seen a SOCKS proxy before, maybe you've used SocksCap or something like that on Windows, or tsocks on Linux, usually there's two pieces. There's a SOCKS proxy out there someplace, and then you have your SOCKS application wrapper. Basically I cut a third piece out and moved the connection broker away from the proxy server itself, so that it can do all the listening locally on your machine, and we can have a single connection back from the proxy server to that connection broker, which will allow us to basically multiplex all our traffic into that single socket, so we don't see multiple firewall events and stuff that would typically give us away if we were opening a lot of separate connections out.
So once we have the proxy connected up, we'll read the environment and make sure those connect events, gethostbyname and a few other things like that, actually go over to our broker. Our broker essentially listens to those messages, accepts those proxy connections, and then creates a simple message that it can send down its existing socket over to the proxy. And finally, it uses a fairly simple protocol to do that. It's basically a fixed-size protocol that you'll see. Actually I've got... oh boy, we're losing the image again. Anyway, typically in a SOCKS proxy, what we had in the past was one connection to the proxy server meant one connection to the remote host. Obviously that wasn't going to work in this case, so I had to come up with some other method of letting the proxy server keep order as far as where replies needed to go and things like that. So I decided that basically the process ID and the file descriptor within that process should be unique enough, and in addition to that we have a simple command. It's just an integer type value that's enumerated, and usually those are something like connect, close, gethostbyname. So as I was implementing it, I did run into a few surprises. Even though we know Winsock basically evolved from BSD sockets, the status codes and return values were different, so I discovered I had to do a little bit of mapping on the Windows side before I fed those values right back to the Linux programs I was running. As I was debugging and trying to figure all this out at first, it led to some interesting chaos that I think exercised some code paths in some things like netcat that never were intended to be hit, mainly because things would happen like you'd get a valid file descriptor for a connected socket, but yet you'd be getting some return code that meant some sort of error, and so behavior was rather chaotic.
It turned out on the library side I really didn't actually need to implement too many functions, because it was a relatively thin wrapper around the connect call most of the time, or around the gethostbyname or getaddrinfo type functions, and those actually then just performed the connect to the broker piece, otherwise in the usual way. So I didn't have to reimplement the actual socket function like that; I didn't have to necessarily get into all the flow control and pieces that would have been more complicated.

Just a few other things before I launch into our demo here. I did look around for some code on the internet before I wrote anything, of course, because you never want to reinvent the wheel, and most people are better programmers than I am, even though I did it for a number of years. What I found typically with most of the open source SOCKS proxies out there was they were implemented, again, with one connection in would be one connection out, kind of at their very core, so they didn't have a lot of internal housekeeping that I could leverage when I was going to have to route things back based on file descriptor and the PID number and things of that nature, or come up with some other strategy. So I couldn't use a lot of that code, or at least couldn't use it easily, so I decided to go ahead and write my own thing, which is maybe good and bad, I don't know. Of course I made that up. I decided, of course, to use linked lists so I could keep the traffic flowing in, basically always ready to read on the wire, and also, as far as connected sockets on the outside to remote hosts, sorted in a B-tree form. In retrospect I really wish I would have used like a fixed-size array and stepped over it like that; it would have been a much simpler data structure and probably would have led to a simpler implementation, although ultimately it does seem like the binary tree would have done well, so I decided to continue to live with that for a while. We'll see how things evolve. I did go ahead and decided
to video the demo for you guys today mainly because I'm a terrible typist and you don't really want to sit here why I make a whole bunch of typographic layers and things like that so we're going to do a little bit of pretending I've got a vulnerable web application here you may be familiar with this it's a software testing tool from a little while ago it's running on a public 172 IP on this DMZ that we're going to get to that's on another 172 space that my attacking PCs can't see directly first thing I'm doing here is taking advantage of this testing tool a little bit I'm essentially setting up a test that's going to call PowerShell and rig up a file drop it'll make the request back to an Apache server I have running so it's run or it's continuing to run here and we're going to see in a second that I actually get an error back from PowerShell it tells me that some extra stuff is being tacked on the end of the command line so you'll see me use PowerShell again just to manage the arguments that need to get passed certainly the next thing that happens is I go over and I'm going to look at my Apache log and I do see that that get request happened so I know my file drop was at least partially successful request happened hopefully it got written to the disk so the next thing we need to do is start getting stuff set up on our you'll see me actually go ahead twice here and set up the environment in two different tabs certainly I could set up the environment once and then back around the broker in this case I'm choosing not to do that because I want to run the broker with the debug flags enabled and probably run my library without them main reason not to run the library with them is it does introduce a lot of extra stuff on standard error that sometimes kind of confuses the output of whatever tool I'm using makes it difficult to work with but it's there so you can debug what's going on if something's not working the way you think it should however you do get a lot of good 
debug output from the broker itself that usually lets me know what's going on so I'll typically run the broker in a separate tab it is possible to do this tool with some shell injection and by a power shell reflective DLL injection loading and stuff like that in this case I went with a simple file drop just for the sake of the demo it's a lot easier to do that obviously and most of the time it works typically in terms of cleanup that's not all that hard because it's just one file I got to delete later so not too many issues there so we're getting ready here with the rest of the environment variables and I hope that's big enough that people can see it I don't know hmm yeah we can do full screen I got it you got it yeah all right do you remember I hope you didn't delete the videos right here excellent I think we're on to is it a little better I'm going to start interpretive dances so Dave's going to do is interpretive dances now you'll notice I don't know if we mentioned this before but I'm going ahead and stopping Apache one of the reasons I'm doing that of course is I'm going to go instruct my proxy to come back out on port 80 why because I already know it's open so I don't need to fool with you know any more guessing whether the firewall is going to let me out at this point we are ready to start the broker we've got our environment set up we'll get the separate second tab going and once I get this environment set up I'm actually going to pivot to a network that's surprisingly interesting to pivot to that I didn't imagine would be so interesting at first the 127 network turns out a lot of people tend to write firewall rules that trust local host a lot certainly when you open a new socket usually the source IP address will take the adapter that that network is native on so traffic will look like it's coming from local host and it will end up going to local host once we do this so now the next step here I think and I guess we got to go to the next video Dave can you 
do that for me thank you computers are hard computers are hard so I'm going to go ahead and use the same injection technique actually to invoke my proxy basically I'm setting up another test here by all these commands we have at the end of this you know we have a blog post that we did in all this and all the source and all that good stuff so you know reproducing off this is a little bit difficult but we have all the commands on our website that we put a blog post on so once again I just did a really simple PowerShell wrapper there just to swallow the extra stuff that's going to come on the end of it so it doesn't confuse my application I do have something in the little toolbox that we'll talk about later that can substitute some IP addresses into the binary without having to recompile it just to simplify things a little bit I think we're into the next video here Dave so now I'm using LD preload I'm going to go ahead and use our desktop I'm going to hit the box on local host again reason for that essentially now even though I'm sure the firewall isn't going to let 3389 in now I'm going through my tunnel and I'm going to be coming from local host as far as that box is concerned I'm going to local host even if they are running a local software firewall on that box I'm going to likely be able to do that with PowerShell the other not PowerShell remote desktop the other reason I wanted to run remote desktop for you guys is just to show you that we can support more than just text mode protocols and actually feed a fair amount of data through this thing at a reasonable rate so this is just me playing around I'm guessing that maybe the application or the password that worked in that web application will also work on the desktop doesn't look like I'm being real successful just showing you again that I don't need to do anything else we're going to be able to continue this attack on other network hosts behind it so at this point I'm going to try some other attacks here I think 
we're playing the wrong video but that's fine let's play Dave we'll go with it this is just an example of scanning with Netcat I can't scan with in-map directly in-map wants to use raw sockets and things like that which are a little hard to work with unfortunately and we wouldn't be able to implement on the windows side without some privileges so you'll see what I did here is I'm just using the V and Z switches on Netcat and scanning for 445 pretty good way to find windows hosts I would like to point out the proxy of course can handle multi-threading in terms of making outbound connections on the remote side so if you want to speed up your scan instead of linearly stepping through every IP address you could certainly run multiple Netcat scans in parallel before you want to scan into blocks of 10 or something like that and run three or four wide at a time is what I'll usually do I'm going to continue to let you drive Dave rather than trying to figure out how to use your trackpad settings so I did find a box we're testing a web application here so chances are there's a database somewhere I'm just going to go ahead and see if my SQL is going to work I'm just getting my command there again in an actual attack scenario without having compromised that box I'd have to put a lot more footprint on it I'd have to be dropping down tools to interact with that database any other tools I wanted to use any kind of DNS recon I wanted to do things of that nature because those utilities probably aren't on that box for me so what Pivoters were really allowing me to do here for the first time is go ahead and attack those other VMs behind or those other machines on that DMZ that are behind that victim box turns out apparently that this database won't actually talk to me which is interesting I guess we'll go to the next video so there's a little situation with DNS that doesn't always work the way we would have hoped to to that end I wrote another tool that just helps me do some 
additional DNS recon while I'm using Pivoter and you can see since we still have those that I know about I'm going to do some things that typically work on a pen test typically a company of any size there's always an intranet so I'm going to look for that address and sure enough I got back that same address I had before which probably tells me that maybe that database there is actually to support another web app or something like that and finally I went ahead and looked up an outside address that's another thing I'll always do but certainly if we see different DNS resolution inside versus outside we know some things about how their network is set up as well again just to point out what's going on with the DNS here is I'm actually performing those DNS resolutions via the proxy so DNS is happening from the perspective of the victim box not my local Cali box here so I can see their internal DNS space the other thing I decided to do with the DNS resolution is I went ahead and even if you use the githost or githaterinfo family of functions on the Linux side they map back to the old githost by name function on the window side the reason for that is that falls back to wins so I actually end up getting wins information as well even when there's no DNS response anyway more to come certainly there's a lot more work to do there are some limitations with the tools I talked about DNS a little bit I'll show you slides back yeah so some work around DNS recon so this was and I know you can't read it so we won't dwell on the slide it's a really simple DNS resolver all it does is call githaterinfo and look it up it's not actually Pivoter aware in any way when you call it as you saw in the demo you actually just wrap it with the library the way you would anything else we talked to quickly about within map or rather with netcap and yes there's definitely more work to do we certainly want to wrap some more socks calls it would be nice to maybe do some interpreter integration just to 
make things easy I'd say overall the tools at that point where we have that lump of enriched uranium on top of the tower in the desert with a bunch of explosives around it yeah we can make it go boom it's not fully weaponized yet typically on a pentest I'm still altering it now all the time but it does work and it does let us continue on and I guess I'll end it back to Dave here so I've been working on the set integration into it so the new version of set 5.7 should be out in the next week or so should incorporate Pivoter attacks as a default payload as well so when you're going into the interpreter doing your payloads it will automatically run an additional Pivoter tool on top of it so you can still do most of your pentesting work inside of metasploit inside an MSF council part of it additionally I don't know if anybody's had a chance to see the pentesters framework but I'm going to show you a quick demo of it this is a tool that I released about two weeks ago and the biggest issue that you have with most pentest distributions we all love cowling cowlies near to dear to our heart and it's awesome and amazing it's the best distribution out there we also roll our own in a lot of cases we roll our own tools in our own pentesting distributions that I had all the latest and greatest tools out there so I released the pentesters framework about two weeks ago which is a modular framework around keeping all of your tools up to date and right now there's over 46 modules that have been written for tools and what it does is it's literally a simple use I mean you can just type you know you get clone it from github I like it in my armpit it's good in my armpit so if I just get clone it from github it will go and grab the latest distribution for it every time you run it from there on out it will automatically update itself so you're running the latest modules whenever there's a new module added it will automatically go into there like for example just to show you how easy it is 
I don't know if you saw the empire tool from harm join the other guys out there really great talk within about an hour someone already written a module for that and it was already pushed to the ptf framework and then you could get that tool almost as soon as it was released same thing with this just run ptf so it checks for internet connection first it tries to update itself and if it's running the latest and greatest it's all set and then of course any tools got to have ASCII art but then it's just kind of like metasploit syntax right so I'll go ahead and show modules and you can see here all the different tools that are available and it's a big screen so you know it's kind of broken up you can see like air crack ng comics you know sequel map inception smb exec all of those are there and if you want to install it I'll do exploitation set just go ahead and run and it automatically goes and installs the tool for you now if you just want to keep it up to date as soon as you hit run again it automatically detects it's been installed and automatically updated for you now let's just say you want to do all tools there's an option here that will hit modules slash install underscore update all so it'll either install the tools for you or automatically update it for you so you have a common distribution point for all of your tools and I missed the slash pentest director or anything below but I've structured everything around the pentest directory so when you go to the slash pentest directory it's broken into the penetration testing execution center methodology so you know exploitation post exploitation you know reconnaissance those types of things intelligence gathering those are all structured in that type of framework and I've also added pivoter so you can search for pivoter it's in there as well so we just go and use this module go and run it takes a second internet slow and it's hard easy to go so a really easy framework the way that you actually add a module real quick 
if you go under modules I've created a whole I've created a whole framework around building modules that you don't have to require any type of coding whatsoever background you can literally create a module in about three minutes so let's just go to the exploitations go to set so the author of the module the description of the module so the description is going to be hey this is the social engineer toolkit install type it supports get SVN and file so file is if it's like a zip file that you need to go and pull it will automatically go and grab it and then unzip it and then extract it for you into that directory and then the repository location that needs to go to pull it and then any Debian dependencies right now I have Debian as the main support but I'm working on Red Hat as well so you should have RPM support shortly if you've installed something like after you've checked it out you may need to run like install.sh or things like that after commands will sequence through all the commands like so a complex one we need Metasploit Metasploit is an extremely complex one to install so it does all of the installation procedures for you to install Metasploit for you automatically after it's done getting everything out and installs all the dependencies and all those other things additionally it's pretty efficient it'll go and install all the modules for you if you're doing the update shell so it'll go through installing for you automatically which is great so Pivotr is now released you can go to github.com slash TrustedSec slash Pivotr it has the latest code base into it it also links to a blog that walks you through exactly how to set it up exactly what you need to do to route your traffic through Pivotr as well as to do ladder movement post exploitation hopefully it's going to be an evolution but one of the things that I know Jeff is doing is continuously updating it as it goes along and will continue to add different changes to it but if you go to github.com slash 
TrustedSec all the code is there and I really appreciate everybody coming out to the talk and hopefully you get some sleep here in the next three weeks thanks everybody