Automated PenTest Toolkit
Adam Compton, Senior Security Consultant
Austin Lane, Security Consultant
Who Am I?
• Adam in 5 words:
• Father 5 years
• Husband 16 years
• Hillbilly 39 years
• Pentester 15+ years
• Programmer 20+ years
Who Am I?
• Austin Lane:
• Developer 7 years
• Security 4 years
• Metalhead for life
Overview
• Penetration testing often begins with a simple routine:
Recon & Discovery -> Test Simple Services -> Test Default Creds -> Common Exploits -> Dump Creds/Info -> Pivot & Continue
• This routine can be slow on large networks.
• Much of this routine can be automated.
• So we wrote a tool to help with the automation.
Typical Pentest Routine
• Run Nmap (or port scanner of choice)
• Review ports and services
• Port 21 -> test for anonymous FTP
• Port 80 -> identify web service and check for flaws/default creds
• Port 445 -> enum users/shares, ms08-067?, …
• ...
• Run Responder / Metasploit / CrackMapExec / …
• …
• Take over the DC/database/etc.
If it is not broken…
• Repeatability
• Consistency
• Can be tedious and slow
• Manually parsing through data can be prone to error
• Automation can help
Why Not Use <insert favorite scanner>?
PROS
• Plenty to choose from
• Useful in specific scenarios
• Some are OpenSource / cheap
CONS
• Can be fairly resource intensive
• Can be expensive
• How easy is it to add a new check/tool?
Automation via Scripting
• Kali already has LOTS of popular tools and scripts
• Automation methods:
• Bash
• Python (or scripting language of choice)
• Metasploit RPC
APT2 – Automate the standard stuff
• APT2 is a framework
• Modules
• Event queue
• KnowledgeBase
• Run Nmap and parse output
• Create events based on ports/services
• Modules respond to events to perform specific tasks
• Modules can create new events
• Runs until event queue is empty
How Does This Help?
• Multi-threaded event queue is fast.
• Simple to create new modules for nearly any tool/script.
• Ready to go:
• Get Kali (or your favorite distro & tools)
• Clone the repo
So, What Can It Do?
• Identify services & operating systems
• Screenshot web applications, X11, VNC, …
• Analyze FTP and file shares
• Brute force accounts
• Run Metasploit modules
• Compile hashes -> John the Ripper/HashCat
• “ls /usr/share” – If it is listed here, a module can probably be made for it
Anatomy of a Module
• Inherit from base module (typically ActionModule)
• Has standard properties:
• Name
• Description
• Requirements – Which tools need to be installed?
• Trigger – Which event does this module listen for?
• Safety Level – Scale of 1 – 5 (5 = safe, 1 = dangerous)
• “process()” is the primary method
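The loop the last few slides describe (Nmap output parsed into events, modules triggered by events and emitting new ones, a shared knowledge base, a queue drained by worker threads until it is empty, a safety-level gate) is small enough to sketch end to end. The block below is an added illustration written for this page, not APT2's own code: `ActionModule`, `Framework`, `KnowledgeBase`, the event names (`newService_ftp`, `anonFtp`), the module names, the embedded `.gnmap` sample and the `ANON_FTP_HOSTS` table that stands in for a live anonymous-login attempt are all assumptions.

```python
"""Toy event-driven automation loop in the style the slides describe; not APT2's code, all names assumed."""
import queue
import re
import shutil
import threading
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

SAMPLE_GNMAP = """\
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///
Host: 10.0.0.12 ()\tPorts: 21/filtered/tcp//ftp///, 80/open/tcp//http///
"""  # constructed .gnmap (grepable Nmap) sample, not a real scan
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")  # port/state/proto/owner/service/...
ANON_FTP_HOSTS = {"10.0.0.5"}  # constructed stand-in for a live ftplib.FTP(host).login()

def parse_gnmap(text):  # yield (host, port, proto, service) for every *open* port
    for line in text.splitlines():
        if line.startswith("Host:") and "Ports:" in line:
            host = line.split()[1]
            for port, proto, service in PORT_RE.findall(line):
                yield host, int(port), proto, service

class KnowledgeBase:  # thread-safe per-host facts shared by all modules
    def __init__(self):
        self._lock, self.facts = threading.Lock(), defaultdict(lambda: defaultdict(list))
    def add(self, host, key, value):
        with self._lock:
            self.facts[host][key].append(value)

class ActionModule:  # base module carrying the standard properties from the slide above
    name, description = "base", ""
    requirements = ()  # tools that must be on PATH
    triggers = ()      # events this module listens for
    safe_level = 5     # 5 = safe ... 1 = dangerous
    def __init__(self, framework):
        self.fw = framework
    def process(self, event):  # the primary method
        raise NotImplementedError

class FtpAnonCheck(ActionModule):
    name, triggers, safe_level = "ftp_anon", ("newService_ftp",), 5
    def process(self, event):
        if event["host"] in ANON_FTP_HOSTS:
            self.fw.kb.add(event["host"], "anon_ftp", event["port"])
            self.fw.emit("anonFtp", event)  # a module creating a new event

class FtpFileList(ActionModule):  # runs only because FtpAnonCheck emitted anonFtp
    name, triggers, safe_level = "ftp_list", ("anonFtp",), 5
    def process(self, event):
        self.fw.kb.add(event["host"], "ftp_files", "backup.zip")  # constructed listing

class SmbBruteForce(ActionModule):
    name, triggers, safe_level = "smb_brute", ("newService_microsoft-ds",), 2
    def process(self, event):
        self.fw.kb.add(event["host"], "smb_brute", "attempted")

class Framework:
    def __init__(self, min_safe_level=3, workers=4):
        self.kb, self.min_safe_level, self.workers = KnowledgeBase(), min_safe_level, workers
        self.queue, self.modules = queue.Queue(), []

    def register(self, module_cls):  # unmet requirements: the module never subscribes
        if all(shutil.which(t) for t in module_cls.requirements):
            self.modules.append(module_cls(self))

    def emit(self, name, data):
        self.queue.put((name, dict(data)))

    def _worker(self):
        for name, data in iter(self.queue.get, None):  # runs until a None sentinel arrives
            try:
                for mod in (m for m in self.modules if name in m.triggers):
                    if mod.safe_level < self.min_safe_level:  # safety-level gate
                        self.kb.add(data["host"], "skipped", mod.name)
                        continue
                    try:
                        mod.process(data)
                    except Exception as exc:  # one bad module must not stall the queue
                        self.kb.add(data["host"], "error", (mod.name, repr(exc)))
            finally:
                self.queue.task_done()

    def run(self):
        with ThreadPoolExecutor(self.workers) as pool:
            for _ in range(self.workers):
                pool.submit(self._worker)
            self.queue.join()  # returns once the event queue is empty
            for _ in range(self.workers):
                self.queue.put(None)  # one sentinel per worker so they exit
        return self.kb

def run_scan(gnmap_text=SAMPLE_GNMAP, min_safe_level=3):
    fw = Framework(min_safe_level=min_safe_level)
    for cls in (FtpAnonCheck, FtpFileList, SmbBruteForce):
        fw.register(cls)
    for host, port, proto, service in parse_gnmap(gnmap_text):  # events from ports/services
        fw.emit(f"newService_{service}", {"host": host, "port": port, "proto": proto})
    return fw.run().facts
```

`run_scan()` returns the knowledge base once the queue has drained: with the default `min_safe_level=3` the FTP check runs, its `anonFtp` event pulls in `FtpFileList`, and `SmbBruteForce` (safety level 2) is recorded as skipped rather than run; `run_scan(min_safe_level=1)` lets it through. The `http`, `http-proxy` and `ssh` events find no subscriber and simply drain, which is where a screenshot or SSH module would plug in. Only open ports become events, so the filtered FTP port on 10.0.0.12 never reaches a module, and nothing here touches the network.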
Are There Limitations?
• Tools need to be non-interactive
• Multi-threading is tricky
• It generates a lot of traffic fast
• Modules can define rate limits, but that is up to the module author
• Brute force with caution
• You might break some things (e.g. lock accounts out)
• Safety levels are your friend
• Nonstandard ports and service names may throw off modules
Some numbers…
• 30 servers with FTP
• Manual testing: ~10 seconds per server
• 5 minutes to check all of them
• APT2 – ~1 second per server, done in 40* seconds
• *Assuming ideal conditions
Let’s extrapolate!
• Grab open ports from .gnmap, ~30 seconds
• grep 80/open scan.gnmap | cut -d ' ' -f 2 > iplist.txt
• Pick a tool for the service, ~30 seconds
• EyeWitness, Nikto, SSLScan, etc.
• Multiply if the tool only accepts 1 IP
• +1 minute because you have to read the help menu
• Now repeat for each service!
• APT2 removes the baseline time
Demo Time
Development
• Open source – Available on the Rapid7 Github account at https://www.github.com/MooseDojo/apt2
• Future plans
• Import from more than just Nmap
• Responder -> John the Ripper -> secretsdump.py (**partially there now**)
• Lots more modules
• Python 3 ?
• Pretty Reports
• ?
411 & Questions
• Adam Compton
• @tatanus
• adam_compton@rapid7.com
• adam.compton@gmail.com
• Austin Lane
• @capndan
• austin_lane@rapid7.com
• austin@coffeesec.com
• https://www.github.com/MooseDojo/apt2
• QUESTIONS???

DerbyCon - APT2

  • 1. Automated PenTest Toolkit Adam Compton, Senior Security Consultant Austin Lane, Security Consultant
  • 2. Who Am I? • Adam in 5 words: • Father 5 years • Husband 16 years • Hillbilly 39 years • Pentester 15+ years • Programmer 20+ years Automated Pentest Toolkit
  • 3. Who Am I? • Austin Lane: • Developer 7 years • Security 4 years • Metalhead for life Automated Pentest Toolkit
  • 4. Overview • Penetration testing often begins with a simple routine. Recon & Discovery Test Simple Services Test Default Creds Common Exploits Dump Creds/Info Pivot & Continue Automated Pentest Toolkit
  • 5. Overview • Penetration testing often begins with a simple routine. • This routine can be slow on large networks. Automated Pentest Toolkit
  • 6. Overview • Penetration testing often begins with a simple routine. • This routine can be slow on large networks. • Much of this routine can be automated. Automated Pentest Toolkit
  • 7. Overview • Penetration testing often begins with a simple routine. • This routine can be slow on large networks. • Much of this routine can be automated. • So we wrote a tool to help with the automation. Automated Pentest Toolkit
  • 8. Typical Pentest Routine • Run Nmap (or port scanner of choice) Automated Pentest Toolkit
  • 9. Typical Pentest Routine • Run Nmap (or port scanner of choice) • Review ports and services • Port 21 -> test for anonymous FTP • Port 80 -> identify web service and check for flaws/default creds • Port 445 -> enum users/shares, ms08-067?, … • ... Automated Pentest Toolkit
  • 10. Typical Pentest Routine • Run Nmap (or port scanner of choice) • Review ports and services • Port 21 -> test for anonymous FTP • Port 80 -> identify web service and check for flaws/default creds • Port 445 -> enum users/shares, ms08-067?, … • ... • Run Responder / Metasploit / CrackMapExec / … Automated Pentest Toolkit
  • 11. Typical Pentest Routine • Run Nmap (or port scanner of choice) • Review ports and services • Port 21 -> test for anonymous FTP • Port 80 -> identify web service and check for flaws/default creds • Port 445 -> enum users/shares, ms08-067?, … • ... • Run Responder / Metasploit / CrackMapExec / … • … • Take over the DC/database/etc.. Automated Pentest Toolkit
  • 12. If it is not broken… • Repeatability • Consistency • Can be tedious and slow • Manually parsing through data can be prone to error • Automation can help Automated Pentest Toolkit
  • 13. Why Not Use <insert favorite scanner>? PROS • Plenty to choose from • Useful in specific scenarios • Some are OpenSource / cheap Automated Pentest Toolkit
  • 14. Why Not Use <insert favorite scanner>? PROS • Plenty to choose from • Useful in specific scenarios • Some are OpenSource CONS • Can be fairly resource intensive • Can be expensive • How easy to add a new check/tool? Automated Pentest Toolkit
15. Automation via Scripting
• Kali already has LOTS of popular tools and scripts
• Automation methods:
  • Bash
  • Python (or scripting language of choice)
  • Metasploit RPC
21. APT2 – Automate the standard stuff
• APT2 is a framework
  • Modules
  • Event queue
  • KnowledgeBase
• Run Nmap and parse output
• Create events based on ports/services
• Modules respond to events to perform specific tasks
• Modules can create new events
• Runs until event queue is empty
22. How Does This Help?
• Multi-threaded event queue is fast.
• Simple to create new modules for nearly any tool/script.
• Ready to go:
  • Get Kali (or your favorite distro & tools)
  • Clone the repo
23. So, What Can It Do?
• Identify services & operating systems
• Screenshot web applications, X11, VNC, …
• Analyze FTP and file shares
• Brute force accounts
• Run Metasploit modules
• Compile hashes -> John the Ripper/HashCat
• "ls /usr/share" – If it is listed here, a module can probably be made for it
24. Anatomy of a Module
• Inherit from base module (typically ActionModule)
• Has standard properties:
  • Name
  • Description
  • Requirements – Which tools need to be installed?
  • Trigger – Which event does this module listen for?
  • Safety Level – Scale of 1 – 5 (5 = safe, 1 = dangerous)
• "process()" is the primary method
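The slides on the framework (modules, event queue, KnowledgeBase, "runs until event queue is empty") and on module anatomy (trigger, requirements, safety level, process()) describe an architecture; the example below is an added toy implementation of that architecture, not APT2's own code. The class and attribute names (ActionModule, Engine, KnowledgeBase, trigger, safety_level, the PORT_SERVICES table, the placeholder tool name) are assumptions chosen to mirror the slide text, not the project's API. The modules only record facts; the point is the plumbing: a multi-threaded queue that drains follow-up events, a requirements check that drops modules whose tools are missing, and a safety threshold that keeps low-safety modules out of the run.

```python
"""Toy event-driven framework mirroring the slides' description of APT2.
Added illustration, not APT2's own code: ActionModule, Engine, KnowledgeBase
and the trigger/safety_level attributes are assumed names, not the project's API."""
import collections
import queue
import shutil
import threading

Event = collections.namedtuple("Event", "name host port data")  # data: scanner's service name


class KnowledgeBase:
    """Thread-safe store of facts discovered per host."""
    def __init__(self):
        self._facts, self._lock = collections.defaultdict(set), threading.Lock()

    def add(self, host, fact):
        with self._lock:
            self._facts[host].add(fact)

    def facts(self, host):
        with self._lock:
            return set(self._facts[host])


class ActionModule:
    """Base class: every module declares the same standard properties."""
    name, description = "base", ""
    requirements = ()  # external tools that must be on PATH
    trigger = None     # event name this module listens for
    safety_level = 5   # 5 = safe, 1 = dangerous

    def process(self, event, kb, emit):
        raise NotImplementedError


PORT_SERVICES = {21: "ftp", 80: "http", 445: "smb"}  # tiny fallback table for the demo


class PortToService(ActionModule):
    name, trigger = "port_to_service", "new_port"
    description = "Turns a new open port into a per-service event"

    def process(self, event, kb, emit):
        # Prefer the scanner's service name (so ftp on 2121 is still ftp),
        # then the port table; otherwise just record the gap.
        service = event.data or PORT_SERVICES.get(event.port)
        if service is None:
            kb.add(event.host, "unknown-service:%d" % event.port)
            return
        kb.add(event.host, "service:%s/%d" % (service, event.port))
        emit(Event("new_service_" + service, event.host, event.port, event.data))


class FtpInventory(ActionModule):
    name, trigger, safety_level = "ftp_inventory", "new_service_ftp", 4
    description = "Records each FTP endpoint for the later anonymous-login review"

    def process(self, event, kb, emit):
        kb.add(event.host, "ftp-endpoint:%d" % event.port)


class WebScreenshot(ActionModule):
    name, trigger = "web_screenshot", "new_service_http"
    description = "Would drive a screenshot tool; skipped when it is not installed"
    requirements = ("screenshot-tool-placeholder",)  # hypothetical binary name

    def process(self, event, kb, emit):
        kb.add(event.host, "screenshot:%d" % event.port)


class SmbBruteForce(ActionModule):
    name, trigger, safety_level = "smb_bruteforce", "new_service_smb", 2
    description = "Low safety level: not loaded at the default threshold"

    def process(self, event, kb, emit):
        kb.add(event.host, "smb-bruteforce:%d" % event.port)


class Engine:
    """Multi-threaded event queue that runs until no events remain."""
    def __init__(self, modules, min_safety=3, workers=4):
        self.kb, self.queue, self.workers = KnowledgeBase(), queue.Queue(), workers
        self.skipped, self.modules = [], []
        for m in modules:  # load only safe-enough modules whose tools are present
            missing = [t for t in m.requirements if shutil.which(t) is None]
            if m.safety_level < min_safety:
                self.skipped.append((m.name, "safety %d < %d" % (m.safety_level, min_safety)))
            elif missing:
                self.skipped.append((m.name, "missing tools: " + ", ".join(missing)))
            else:
                self.modules.append(m)

    def emit(self, event):
        self.queue.put(event)

    def _worker(self):
        while True:
            event = self.queue.get()
            try:
                for m in self.modules:
                    if m.trigger == event.name:
                        m.process(event, self.kb, self.emit)  # may emit follow-up events
            except Exception as exc:  # one failing module must not stall the queue
                self.kb.add(event.host, "error:%s:%s" % (event.name, exc))
            finally:
                self.queue.task_done()

    def run(self):
        for _ in range(self.workers):
            threading.Thread(target=self._worker, daemon=True).start()
        self.queue.join()  # returns once every event, follow-ups included, is processed
        return self.kb


def scan_demo():
    """Seed the queue with constructed 'open port' findings and run until empty."""
    engine = Engine([PortToService(), FtpInventory(), WebScreenshot(), SmbBruteForce()])
    seeds = [("10.0.0.5", 21, "ftp"), ("10.0.0.5", 80, "http"),
             ("10.0.0.9", 445, "smb"), ("10.0.0.9", 2121, "ftp"), ("10.0.0.7", 8443, "")]
    for host, port, service in seeds:  # constructed hosts, not real targets
        engine.emit(Event("new_port", host, port, service))
    engine.run()
    return engine


if __name__ == "__main__":
    e = scan_demo()
    for host in ("10.0.0.5", "10.0.0.9", "10.0.0.7"):
        print(host, sorted(e.kb.facts(host)))
    print("skipped:", e.skipped)
```

Two things in the run are worth noticing. The ftp service on port 2121 reaches the FTP module because the event is keyed on the service name the scanner reported rather than on the port number, which is the situation the later "nonstandard ports" slide warns about; a module keyed on port alone would have missed it. And the safety threshold is enforced at load time, before any event is processed, so a module that was never loaded cannot be reached through a chain of follow-up events either.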
28. Are There Limitations?
• Tools need to be non-interactive
• Multi-threading is tricky
  • generates a lot of traffic quickly
  • modules can define their own rate limits, but whether they do depends on the module author
• Brute force with caution
  • you might break some things
  • safety levels are your friend
• Nonstandard ports and service names may throw off modules
32. Some numbers…
• 30 servers with FTP
• Manual testing: ~10 seconds per server
• 5 minutes to check all of them
• APT2 – ~1 second per server, done in 40* seconds
  • *Assuming ideal conditions
36. Let's extrapolate!
• Grab open ports from .gnmap, ~30 seconds
  • grep 80/open scan.gnmap | cut -d ' ' -f 2 > iplist.txt
• Pick a tool for the service, ~30 seconds
  • EyeWitness, Nikto, SSLScan, etc.
  • Multiply if the tool only accepts 1 IP
  • +1 minute because you have to read the help menu
• Now repeat for each service!
• APT2 removes the baseline time
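The grep/cut one-liner above extracts one service at a time by substring match. The added example below is a small parser for Nmap's greppable (.gnmap) format that does the same job for every service in a single pass; it is illustration code written for this page, not part of APT2. The sample scan output is constructed (hosts, hostnames and version strings are made up), and it generalises the slide's case in two ways: it keys each host on the service name Nmap reported rather than on the port, so an FTP daemon on 2121 still lands in the ftp list, and it matches on the parsed port number and state, so `8080/open` is never mistaken for `80/open`.

```python
"""Parse Nmap greppable output (.gnmap) into per-service host lists.
Added example for this page, not APT2's own code. Generalises the slide's
grep/cut one-liner to every service in one pass."""
from collections import defaultdict

# Constructed sample of Nmap's greppable output; hosts, names and banners are made up.
SAMPLE_GNMAP = """\
# Nmap 7.91 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG scan.gnmap 10.0.0.0/28
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.41/\tIgnored State: closed (998)
Host: 10.0.0.9 (fileserver.lab)\tPorts: 445/open/tcp//microsoft-ds//, 2121/open/tcp//ftp//ProFTPD/, 8080/open/tcp//http-proxy///
Host: 10.0.0.7 ()\tPorts: 8443/open/tcp/////, 22/open/tcp//ssh//OpenSSH 8.2/, 3389/filtered/tcp//ms-wbt-server///
# Nmap done at Mon Jan  1 00:01:00 2024 -- 16 IP addresses (3 hosts up) scanned in 60.00 seconds
"""


def parse_gnmap(text):
    """Yield one dict per port entry found on 'Host: ... Ports: ...' lines."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        host = line.split()[1]  # second whitespace field, as in the slide's cut -f 2
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # gnmap port entry layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            yield {"host": host, "port": int(fields[0]), "state": fields[1],
                   "proto": fields[2], "service": fields[4], "version": fields[6]}


def open_hosts_by_service(text):
    """Map service name -> sorted (host, port) pairs, open ports only.

    Keyed on the service Nmap identified, so a service on a nonstandard
    port is grouped with its peers; entries with no service name go under
    'unknown' so they are not silently dropped."""
    by_service = defaultdict(set)
    for p in parse_gnmap(text):
        if p["state"] == "open":
            by_service[p["service"] or "unknown"].add((p["host"], p["port"]))
    return {svc: sorted(pairs) for svc, pairs in by_service.items()}


def hosts_with_open_port(text, port):
    """Parsed equivalent of `grep 80/open scan.gnmap | cut -d ' ' -f 2`.

    Compares the parsed port number, so 8080/open and 180/open do not
    match a query for port 80 the way a substring grep would."""
    return sorted({p["host"] for p in parse_gnmap(text)
                   if p["port"] == port and p["state"] == "open"})


if __name__ == "__main__":
    for service, pairs in sorted(open_hosts_by_service(SAMPLE_GNMAP).items()):
        print(service, pairs)
    print("port 80:", hosts_with_open_port(SAMPLE_GNMAP, 80))
```

On the sample, a literal `grep 80/open` would also select the 10.0.0.9 line because of its `8080/open` entry, so the IP list fed to a web tool would contain a host with no web server on port 80; the parsed version returns only 10.0.0.5. Writing one list per service to disk is then a loop over the dictionary rather than a fresh grep per service.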
38. Development
• Open source – Available on the Rapid7 Github account at https://www.github.com/MooseDojo/apt2
• Future plans
  • Import from more than just NMAP
  • Responder -> John the Ripper -> secretsdump.py (**partially there now**)
  • Lots more modules
  • Python 3 ?
  • Pretty Reports
  • ?
39. 411 & Questions
• Adam Compton
  • @tatanus
  • adam_compton@rapid7.com
  • adam.compton@gmail.com
• Austin Lane
  • @capndan
  • austin_lane@rapid7.com
  • austin@coffeesec.com
• https://www.github.com/MooseDojo/apt2
• QUESTIONS???