Deep Exploit@Black Hat Europe 2018 Arsenal

Fully automatic penetration test tool using Machine Learning.

Published in: Technology


  1. Deep Exploit - Fully automated penetration test tool. December 6th, 2018, Black Hat EUROPE 2018 Arsenal. Presented by Isao Takaesu.
  2. What is Deep Exploit? A tool that exploits the servers on the perimeter network and on the internal network. (Diagram: perimeter network behind an external firewall with Web servers and DNS servers; internal firewall; internal network with a database server, a Web server and internal computers.)
  3. Overview. Components: a command line arguments parser (the user's instructions); the ML model (A3C of reinforcement learning) with its trained data (save/restore); and a penetration test framework, driven over its RPC API, which sends commands to the target server and receives the results. Two modes: Train: Deep Exploit trains itself how to exploit against the training servers. Test: it executes the exploit against the target server using the trained data.
  5. Train the Deep Exploit. Numerous trials (about >10,000): Deep Exploit learns how to exploit while trying numerous exploits against the training servers. Training follows the A3C layout: several worker threads each compute a gradient (⊿w = grad w), send it to a parameter server and receive the updated parameters back. Input (target host info): OS type, product name, version. Output (action): exploit module, target, payload, e.g. cmd/unix/bind_ruby, linux/x86/shell/bind_tcp, bsd/x64/exec, generic/debug_trap, linux/mipsle/shell_bind_tcp, mainframe/shell_reverse_tcp, …
  6. Training movie: https://youtu.be/8ht4y9tboNY
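The state/action/reward shape of the training loop on slide 5, as an added example that is not Deep Exploit's own code. Deep Exploit trains an A3C network; this stands in a tabular Q-learning agent (a deliberately simpler technique) with the same interface: the state is the host information gathered in Step 1 (OS type, product name, version), the action is an (exploit module, payload) pair, and the reward is 1 when a session opens. The training servers are replaced by a constructed table of which action works on which host, and the module names are illustrative, so everything runs offline.

```python
"""Toy reinforcement-learning loop for exploit selection (added example).

Stands in tabular Q-learning for Deep Exploit's A3C; the host states, action
list and "which exploit works where" table are all constructed for the demo.
"""
import random
from collections import defaultdict

# Constructed host states: (OS type, product name, version), as Step 1 would report them.
STATES = [
    ("linux", "vsftpd", "2.3.4"),
    ("linux", "samba", "3.0.20"),
    ("freebsd", "apache", "2.2.8"),
]

# Constructed action space: (exploit module, payload). Illustrative names only.
ACTIONS = [
    ("exploit/unix/ftp/vsftpd_234_backdoor", "cmd/unix/interact"),
    ("exploit/multi/samba/usermap_script", "cmd/unix/bind_ruby"),
    ("exploit/freebsd/http/example_cmd_exec", "bsd/x64/exec"),
    ("exploit/linux/misc/example_overflow", "linux/x86/shell/bind_tcp"),
    ("exploit/linux/mips/example_overflow", "linux/mipsle/shell_bind_tcp"),
    ("exploit/generic/noop", "generic/debug_trap"),
]

# Simulated training servers: the one action that opens a session on each host.
# In the real tool this is discovered by firing exploits over the framework's RPC API.
WORKING = {
    STATES[0]: ACTIONS[0],
    STATES[1]: ACTIONS[1],
    STATES[2]: ACTIONS[2],
}


def simulated_exploit(state, action):
    """Reward 1.0 if a session opened, 0.0 otherwise (stands in for the RPC result)."""
    return 1.0 if WORKING.get(state) == action else 0.0


def train(episodes=3000, alpha=0.1, epsilon=0.2, seed=0):
    """Q-learning over one-step episodes: pick a host, try one exploit, update Q.

    Deterministic for a given seed so the learned policy can be checked.
    """
    rng = random.Random(seed)
    q = defaultdict(lambda: [0.0] * len(ACTIONS))
    for _ in range(episodes):
        state = rng.choice(STATES)
        if rng.random() < epsilon:                      # explore: random exploit
            a = rng.randrange(len(ACTIONS))
        else:                                           # exploit what is known so far
            a = max(range(len(ACTIONS)), key=lambda i: q[state][i])
        reward = simulated_exploit(state, ACTIONS[a])
        q[state][a] += alpha * (reward - q[state][a])   # one-step TD update, no next state
    return q


def best_action(q, state):
    """Greedy policy used in Test mode: the highest-valued (module, payload) for a host."""
    return ACTIONS[max(range(len(ACTIONS)), key=lambda i: q[state][i])]


if __name__ == "__main__":
    q = train()
    for s in STATES:
        print(s, "->", best_action(q, s))
```

After training, `best_action` returns the working pair for each of the three hosts; the only signal it had was the session/no-session reward, which is the point of slide 5's "learn how to exploit while trying numerous exploits".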
  7. Processing flow (fully automatic, no human in the loop): Step 1. Intelligence Gathering; Step 2. Exploitation; Step 3. Post-Exploitation; Step 4. Generate Report.
  8. Step 1. Intelligence Gathering. 1. Nmap: identify open ports and products. 2. Contents exploration: identify Web products from known product contents found on the Web port. 3. Scrapy: gather HTTP responses on the Web port. By analyzing the HTTP responses with signatures and machine learning, identify the Web products.
  10. Question: which Web products are included in this HTTP response?
      HTTP/1.1 200 OK
      Date: Tue, 06 Mar 2018 06:56:17 GMT
      Server: OpenSSL/1.0.1g
      Content-Type: text/html; charset=UTF-8
      Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/;
      Etag: "409ed-183-53c5f732641c0"
      …snip…
      <form action="/example/confirm.php">
  11. Answer (1): from the same response, Deep Exploit identifies OpenSSL and PHP using signatures (the Server header names OpenSSL/1.0.1g and the form action ends in .php). But the response includes more products than that.
  12. Answer (2): Deep Exploit additionally identifies Joomla! and Apache using machine learning, although neither product name appears anywhere in the response.
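The signature step of slides 10 and 11 run over the slide's own response, as an added example that is not Deep Exploit's code. The signature list is my own small construction, the sample response is the one on slide 10 with a minimal body standing in for the "…snip…" part, and the `hint_features` function only surfaces name-free features (an opaque 32-hex cookie name and value, a three-field hex ETag, a Server header that names only a library) that a learned model could weigh; which features the slide's model actually uses is not stated on the page, so this shows the gap signatures leave, not how the model closes it.

```python
"""Signature-based Web product identification over a raw HTTP response (added example)."""
import re

# Constructed: the response from slide 10, with a one-line body in place of "...snip...".
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 06 Mar 2018 06:56:17 GMT\r\n"
    "Server: OpenSSL/1.0.1g\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/;\r\n"
    'Etag: "409ed-183-53c5f732641c0"\r\n'
    "\r\n"
    '<html><body><form action="/example/confirm.php"></form></body></html>'
)

# Constructed signature set: (product, regex, capture group holding the version or None).
SIGNATURES = [
    ("OpenSSL", re.compile(r"OpenSSL/([\d.]+[a-z]?)", re.I), 1),
    ("Apache", re.compile(r"Apache/([\d.]+)"), 1),
    ("PHP", re.compile(r"X-Powered-By:\s*PHP/([\d.]+)", re.I), 1),
    ("PHP", re.compile(r"\.php\b"), None),
    ("PHP", re.compile(r"Set-Cookie:\s*PHPSESSID=", re.I), None),
    ("WordPress", re.compile(r"/wp-(content|includes|login)\b"), None),
]


def split_response(raw):
    """Return (status line, {lower-cased header: value}, body) for a raw response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fingerprint_by_signature(raw):
    """Return {product: version-or-None} for every signature that fires on the response."""
    found = {}
    for product, pattern, group in SIGNATURES:
        m = pattern.search(raw)
        if not m:
            continue
        version = m.group(group) if group else None
        # Keep a version whenever any signature for this product yields one.
        if product not in found or (version and not found[product]):
            found[product] = version
    return found


# Name-free features; these are the kind of evidence a learned model has to work from.
HEX32 = re.compile(r"^[0-9a-f]{32}$")
THREE_HEX_FIELDS = re.compile(r'^"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"$')


def hint_features(raw):
    """Boolean features extracted from headers that carry no explicit product name."""
    _, headers, _ = split_response(raw)
    cookie = headers.get("set-cookie", "")
    name, _, rest = cookie.partition("=")
    value = rest.split(";", 1)[0]
    return {
        "opaque_md5_cookie": bool(HEX32.match(name) and HEX32.match(value)),
        "three_hex_field_etag": bool(THREE_HEX_FIELDS.match(headers.get("etag", ""))),
        "server_names_only_library": headers.get("server", "").startswith("OpenSSL/"),
    }


if __name__ == "__main__":
    print(fingerprint_by_signature(SAMPLE_RESPONSE))   # OpenSSL with version, PHP without
    print(hint_features(SAMPLE_RESPONSE))              # all three hints fire
```

On the slide's response the signature pass returns exactly OpenSSL 1.0.1g and PHP (no version), matching Answer (1); Apache and Joomla! are absent, which is the gap Answer (2) attributes to the model. In the real pipeline (slide 8) the responses come from Scrapy crawling the Web port, so a fingerprinter like this runs over many responses per host, not one.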
  13. Step 2. Exploitation. Execute the exploit against the target server using the trained data, and open a session between Deep Exploit and the target server (= the compromised server).
  14. Step 3. Post-Exploitation. Pivot through the compromised server and execute the exploit against the internal server.
  15. Step 3. Post-Exploitation (continued). If a new server is detected from the compromised server, repeat Steps 1-3 against the new server.
  16. Step 4. Generate Report. Generate the report of the penetration test.
  17. Demonstration, Scenario 1. Single target server: Deep Exploit (IP: 192.168.184.145) connects directly to Server-A (IP: 192.168.184.132). Demo movie: https://youtu.be/mgEOBIM4omM
  18. Demonstration, Scenario 2. Exploitation via a compromised server (= Server-A): Deep Exploit (IP: 192.168.184.145) connects directly to Server-A (IP: 192.168.184.132). Server-B (IP: 192.168.184.148) only permits Server-A to connect, so Deep Exploit reaches it via Server-A. Demo movie: https://youtu.be/DsBNOGBjJNg
  19. Demonstration, Scenario 3. Deep penetration: Deep Exploit (IP: 192.168.220.150) connects directly to Server-A (IP: 192.168.220.145). Server-B (IP: 192.168.220.146) and Server-C (IP: 192.168.220.152) only permit Server-A to connect, so Deep Exploit reaches both via Server-A. Demo movie: https://youtu.be/s-Km-BE8NxM
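The pivot loop of slides 13-15 run against the three demo topologies of slides 17-19, as an added example that is not Deep Exploit's code. Each host carries an allow-list of sources that may connect to it (the "only permits Server-A" rule on the slides); a host can be exploited only when the attacker or an already-compromised host is on that list. Exploitation itself is abstracted to "always succeeds", since the point here is the repeat-Steps-1-3 loop and its termination, not the exploit; the IPs are the slides', the allow-lists are my reading of the slides' arrows, and Server-D in the last topology is constructed to show a host the loop can never reach.

```python
"""Simulation of Deep Exploit's pivot loop over the demo topologies (added example)."""

ATTACKER = "Deep Exploit"

# Topologies from slides 17-19. "allow" is a set of host names that may connect,
# or the string "any" for a host the attacker can reach directly.
SCENARIO_1 = {
    "Server-A": {"ip": "192.168.184.132", "allow": "any"},
}
SCENARIO_2 = {
    "Server-A": {"ip": "192.168.184.132", "allow": "any"},
    "Server-B": {"ip": "192.168.184.148", "allow": {"Server-A"}},
}
SCENARIO_3 = {
    "Server-A": {"ip": "192.168.220.145", "allow": "any"},
    "Server-B": {"ip": "192.168.220.146", "allow": {"Server-A"}},
    "Server-C": {"ip": "192.168.220.152", "allow": {"Server-A"}},
}
# Constructed: Server-D trusts a host that is not in the topology, so no pivot reaches it.
SCENARIO_STUCK = dict(SCENARIO_3, **{
    "Server-D": {"ip": "192.168.220.199", "allow": {"Server-Z"}},
})


def reachable_via(info, compromised):
    """Return the compromised host that may connect to this one, or None."""
    allow = info["allow"]
    for src in sorted(compromised):            # sorted: deterministic choice of pivot
        if allow == "any" or src in allow:
            return src
    return None


def run_pivot_loop(hosts, attacker=ATTACKER):
    """Repeat Steps 1-3 until no new server is reachable.

    Returns (rounds, unreachable): rounds is a list, one entry per pass, of
    (host, pivot-used) pairs compromised in that pass; unreachable lists hosts
    that no foothold could ever connect to.
    """
    compromised = {attacker}
    rounds = []
    while True:
        newly = []
        for name, info in hosts.items():      # Step 1: scan from every current foothold
            if name in compromised:
                continue
            via = reachable_via(info, compromised)
            if via is not None:               # Steps 2-3: exploit, then pivot through it
                newly.append((name, via))
        if not newly:                         # nothing new detected: loop ends
            break
        rounds.append(newly)
        compromised.update(name for name, _ in newly)
    unreachable = [name for name in hosts if name not in compromised]
    return rounds, unreachable


if __name__ == "__main__":
    for label, topo in [("1", SCENARIO_1), ("2", SCENARIO_2), ("3", SCENARIO_3)]:
        rounds, left = run_pivot_loop(topo)
        print("Scenario", label, rounds, "unreachable:", left)
```

Scenario 3 needs exactly two passes: Server-A directly from the attacker, then Server-B and Server-C both through Server-A. The `unreachable` list is the practitioner's check that the loop stops rather than spinning on a host nothing can reach, which the slides' "if a new server is detected, repeat" wording does not spell out.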
  20. Deep Exploit resource. Source codes & usage: https://github.com/13o-bbr-bbq/machine_learning_security/tree/master/DeepExploit
  21. Another tool: GyoiThon. GyoiThon is specialized in intelligence gathering against Web servers. It can gather target server information using several functions.
  22. List of functions (figure not reproduced in this transcript).
  23. List of gathered information (info category: examples)
      Product name/version: WordPress/4.2.20, Apache/2.4.29, Jboss/4.2.3, OpenSSL/1.0.2n
      CVE number from NVD: CVE-2017-15710, CVE-2016-0705, CVE-2017-14723
      Open ports/certificate: [80/http, 443/https, 8080/http], [Cert Signature: MD5], [Cert validity 2017-08-15 00:00:00 to 2018-09-16 12:00:00]
      Unnecessary comments/debug messages: <!-- debug - http://example.com/admn/secret.php -->, "Warning: mysql_connect() … in auth.php on line 38"
      Web product's default contents/admin pages: /wp-login.php, /phpMyAdmin/setup.php, /mailman/admin/
      Real vulnerabilities [!] (in collaboration with Metasploit): exploit/unix/ftp/vsftpd_234_backdoor, exploit/freebsd/http/watchguard_cmd_exec, exploit/unix/webapp/carberp_backdoor_exec
  24. GyoiThon resource. Source codes & usage: https://github.com/gyoisamurai/GyoiThon
  25. Reference. All source codes and documents: https://github.com/13o-bbr-bbq/machine_learning_security/
