Heybe Pentest Automation Toolkit - BlackHat USA 2015

Heybe Penetration Testing Automation toolkit. Presentation from BlackHat USA 2015 Arsenal

  1. HEYBE – Pentest Toolkit
     - Bahtiyar Bircan
     - bahtiyarb@gmail.com
     - http://github.com/heybe
     - BlackHat Arsenal USA 2015 – 6 August 2015
  2. Agenda
     - Pentesting Recap
     - What is Heybe Toolkit?
     - Flashlight
     - Crowbar
     - SeeS
     - Network9 (DepDep)
  3. Penetration Testing Recap
  4. Pentest Types
     - Internal Pentest
     - External Pentest
     - Web Application Tests
     - Database Test
     - Social Engineering
     - DDoS Tests
     - Active Directory
     - Wifi Tests
     - …
  5. Some Problems During Pentests
     - Very large networks
     - Limited time
     - Forgetting to save results
       - Scan reports
       - Screenshots
     - Non-standard Nmap parameters
     - Non-standard Nmap report names
     - Bruteforce unusual applications
  6. HEYBE Toolkit
  7. What is HEYBE Toolkit
     - HEYBE is a toolkit for everyday pentest usage
     - Automates common test phases
     - Provides standardized reports and outputs
  8. Developers
     - Gökhan Alkan
       - TUBITAK Cyber Security Institute
       - Email: cigalkan@gmail.com
       - Github: github.com/galkan
       - Twitter: @gokhan_alkn
     - Bahtiyar Bircan
       - Barikat Akademi (www.barikatakademi.com.tr)
       - Email: bahtiyarb@gmail.com
       - Github: github.com/bahtiyarb
       - Twitter: @bahtiyarb
  9. WHY?
     - Automate and speed up boring/standard steps
     - More time for fun like SE
     - Standardize test results
     - Save results for reporting
  10. HOW?
  11. HEYBE Toolkit
     - Code available on Github
       - https://github.com/heybe
       - https://github.com/galkan/flashlight
       - https://github.com/galkan/crowbar
       - https://github.com/galkan/sees
       - https://github.com/galkan/depdep
     - First published at Blackhat USA 2014
  12. Modules
  13. Penetration Test Phases – Heybe
  14. Flashlight
  15. Flashlight (Fener)
     - Information Gathering & Recon Tool
     - https://github.com/heybe/fener
     - 3 Different Recon Methods
       - Active Scan
       - Passive Scan
       - Screenshot Scan
  16. Flashlight (Fener) – Active Scan
     - Leverages Nmap for active port scanning
     - Custom config file for scan parameters
       - Ports
       - NSE Scripts
     - Save scan results with standard report name
     - Multithreaded Nmap scans
       - Ping Scan
       - Service & OS Scan
       - Script Scan
  17. Flashlight (Fener) – Passive Scan
     - Stealth network recon
     - Passive traffic capture
     - Arpspoof MitM support
     - Traffic saved in pcap file
     - Valuable information extracted from traffic
       - Hosts
       - Ports
       - Windows hostnames
       - Top 10 HTTP hosts
       - Top 10 DNS domains
  18. Flashlight (Fener) – Screenshot Scan
     - Used to quickly discover web applications in network
     - Save screenshots of discovered web apps
     - Standard screenshot filenames
     - Used for
       - Offline examination
       - Pentest report
  19. Flashlight (Fener) – Usage
     - Active Scan
       - ./flashlight.py -p 1 -s active -d 10.0.0.27 -v
     - Screenshot Scan
       - ./flashlight.py -p 1 -s screen -d 10.0.0.27 -v
     - Passive Scan
       - ./flashlight.py -p 1 -s passive -i eth1 -k 30 -g 10.0.0.10 -v
     - Filter Results
       - ./flashlight.py -p 3 -s filter -f /root/Dump/dump4-browser.pcap -v
  20. Flashlight (Fener) – Demo Videos
     - Heybe - Flashlight Active Scan: https://youtu.be/Li6skbC42C8
     - Heybe - Flashlight Filtering: https://youtu.be/9wft9zuh1f0
     - Heybe - Flashlight Passive Scan: https://youtu.be/98Soe01swR8
     - Heybe - Flashlight Screenshot Scan: https://youtu.be/qCgW-SfYl1c
  21. Crowbar
  22. Crowbar
     - Brute Force Tool
     - https://github.com/galkan/crowbar
     - Supported protocols:
       - OpenVPN
       - Remote Desktop Protocol (with NLA support)
       - SSH Private Key
       - VNC Passwd
     - Reporting
     - Debug Logging
  23. Crowbar – Usage
     - Brute Force RDP Servers
       - ./crowbar.py -b rdp -s 10.0.0.14/32 -U users.txt -C pass.txt
     - Brute Force OpenVPN
       - ./crowbar.py -b openvpn -s 10.0.0.29/32 -p 443 -m ovpn-config.ovpn -k ovpn-ca.crt -u test -c test -v
     - Brute Force SSH Servers
       - ./crowbar.py -b sshkey -s 10.0.0.0/24 -k sshkeys/ -U users.txt -v -d
     - Brute Force VNC
       - ./crowbar.py -b vnckey -s 192.168.2.105/32 -p 5902 -k /root/.vnc/passwd
  24. Crowbar – Demo Videos
     - Heybe - Crowbar OpenVPN Bruteforcing: https://youtu.be/4QZAWGsveSM
     - Heybe - Crowbar RDP Bruteforcing: https://youtu.be/i_byBBlpZoE
     - Heybe - Crowbar SSH Bruteforcing: https://youtu.be/IOSUpAFaL6E
  25. SeeS
  26. SeeS
     - Social Engineering Tool
     - https://github.com/heybe/sees
     - Send targeted SE mails in bulk
     - HTML mail body
     - Multiple attachment
     - Local/Remote SMTP server support
  27. SeeS – Usage
     - Sending e-mail with html body
       - ./sees.py -c config/sees.cfg -m config/user.bbusa --text --html_file data/html.text_link -v
     - Sending e-mail with attachments
       - ./sees.py -c config/sees.cfg -m config/user.bbusa --html_file data/html.text --attach data/sample.docx -v
     - Demo video
       - https://youtu.be/6sNu8gJoT3k
  28. Network9
  29. Network9 (DepDep)
     - Post-Exploitation Tool
     - https://github.com/heybe/depdep
     - Discover sensitive files in network shares
     - Works with Windows SMB shares
     - Can search sensitive information within file name and file contents
  30. Network9 (DepDep) – Usage
     - Discover sensitive files in windows shares
       - ./depdep.py -f config/depdep.xml -v 1 -w 1
     - Demo video
       - https://youtu.be/XxnU3C-pZSg
  31. Summary
  32. Summary – Detailed
  33. Summary – Detailed
  34. References
     - Source Code:
       - https://github.com/heybe
       - https://github.com/galkan/sees
       - https://github.com/galkan/depdep
       - https://github.com/galkan/kacak
       - https://github.com/galkan/fener
       - https://github.com/galkan/crowbar
     - Youtube Demo Links:
       - Playlist: https://www.youtube.com/playlist?list=PL1BVM6VWlmWZOv9Hv8TV2v-kAlUmvA5g7
       - Heybe - Flashlight Active Scan: https://youtu.be/Li6skbC42C8
       - Heybe - Flashlight Active Network Scan: https://youtu.be/EUMKffaAxzs
       - Heybe - Flashlight Filtering: https://youtu.be/9wft9zuh1f0
       - Heybe - Flashlight Passive Scan: https://youtu.be/98Soe01swR8
       - Heybe - Flashlight Screenshot Scan: https://youtu.be/qCgW-SfYl1c
       - Heybe - Crowbar OpenVPN Bruteforcing: https://youtu.be/4QZAWGsveSM
       - Heybe - Crowbar RDP Bruteforcing: https://youtu.be/i_byBBlpZoE
       - Heybe - Crowbar SSH Bruteforcing: https://youtu.be/IOSUpAFaL6E
       - Heybe - Kacak: https://youtu.be/ctP8QHDMYQM
       - Heybe - NetworK9: https://youtu.be/XxnU3C-pZSg
       - Heybe - SeeS Social Engineering Demo: https://youtu.be/6sNu8gJoT3k
  35. BlackHat Arsenal USA – 6 August 2015
     - Bahtiyar Bircan
     - bahtiyarb@gmail.com
     - https://github.com/heybe
