Minions

Presentation from Shmoocon Firetalks 2015
COLLABORATIVE SCANNING WITH MINIONS
Sharing is Caring

@sixdub
• Former USAF cyber guy… New to private sector!
• Pentester / Redteamer for the Adaptive Threat Division (ATD) of Veris Group
• Really geek out over various aspects of Infosec
  • Studying adversarial tactics
  • Red team operations
  • Malware RE
  • Breaking things
• Active developer on the Veil-Framework
• OSCP… and some others
• Volunteer EMT in Fairfax County

Collaboration as Tradecraft
• Huge emphasis recently on tools that work in team environments
• Been lucky enough to witness this change in Red Team Exercises
• In terms of scanning/enumeration, still see individualized Nmap used and a lot of the same issues

Kind of Like This...

Distributed Scanning
• What is it?
  • Using a client server architecture to execute network scanning
• Benefits
  • Efficiency – execute multiple jobs across multiple servers
  • Covert – originate from many different places/countries during your scan
  • Disposable – tear down scan nodes after finished with scanning
  • Viewpoint – different results from different places

DNmap
• Developed by Sebastián Garcia and presented by many others
• Awesome:
  • Uses SSL for encryption
  • Python / Twisted
  • Working PoC
• Not as awesome for me:
  • Only .nmap output returned
  • No client authentication to server
  • Not easily adapted for teams

DNmap Diagram
*http://raidersec.blogspot.com

Lack of Client Auth
>openssl s_client -connect <server>:<port>
...Starts the Client ID:1:Alias:Hacked:Version:.6:ImRoot:1
...Send More Commands

What I Wanted
• Just a little bit picky :)
• Distributed
• Team Interface - SYNERGY!
• Automation
  • Scheduled jobs
• + + +
• Secure
• Built in management capabilities

My Creation - Minions
• Collaborative distributed scanning proof of concept
• Django Backend
• Bootstrap & JQuery front end
• Uses modified DNmap for distributed scanning

Mobile Friendly

Features
• Execute and schedule distributed scan jobs
• Create and manage scan profiles
• Query and retrieve previous scans
• Download all forms of scan output
  • gnmap, xml, nmap (zip is nice)
• Implements different layers of security

Changes to DNmap
• Pythonic? Hardly…
• Added ability to poll for new output files and parse to SQLite
• Added ability to retrieve -oA output forms
• Changed the way the jobs and trace file work
• Added client authentication using certs

Use Cases
• External penetration test
  • Large scope or late nights
• Internal penetration test
  • Single operator - multiple nodes
• External red team
  • Throw away scan nodes - hide attribution
• Internal red team
  • Compromise and “zombify” internal systems

Extra fun things
• Using Linode for your scanning nodes
• Kudos to Ken Westin for the inspiration (see references)
• Future:
  • Parsing of Nmap XML output to make scans more queryable
  • Smart detection and optimization of Nmap scanning (RTT Timeouts)
  • Rewrite of distributed scanner backend
  • Better UI and utilization of the Bootstrap CSS
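The "parse to SQLite" change and the planned Nmap XML parsing above amount to the same job: turn each returned -oA file into rows a team can query. The example below is added here and is not Minions' or DNmap's own code; it parses a constructed Nmap -oX sample (addresses borrowed from the demo slide, not real scan data) into a SQLite table and queries open ports across jobs.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output for two of the demo's node addresses (sample data,
# not a real scan); the third host is down and carries no port data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oA job7 192.168.89.0/24">
<host><status state="up"/><address addr="192.168.89.174" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port></ports></host>
<host><status state="up"/><address addr="192.168.89.175" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports></host>
<host><status state="down"/><address addr="192.168.89.176" addrtype="ipv4"/></host>
</nmaprun>"""

def make_db(path=":memory:"):
    """One row per (job, host, proto, port); re-importing a file just overwrites."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS ports(
        job TEXT, addr TEXT, proto TEXT, port INTEGER, state TEXT,
        service TEXT, product TEXT, PRIMARY KEY(job, addr, proto, port))""")
    return conn

def import_nmap_xml(conn, job, xml_text):
    """Parse one -oX file and store its port table; returns rows written."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue                              # down hosts have no <ports>
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                       # e.g. IPv6-only host
            addr_el = host.find("address")
        for p in host.iter("port"):
            svc = p.find("service")               # absent on closed/filtered ports
            rows.append((job, addr_el.get("addr"), p.get("protocol"),
                         int(p.get("portid")), p.find("state").get("state"),
                         None if svc is None else svc.get("name"),
                         None if svc is None else svc.get("product")))
    conn.executemany("INSERT OR REPLACE INTO ports VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)

def open_ports(conn, service=None):
    """Open ports across every imported job, optionally filtered by service name."""
    sql, args = "SELECT addr, port, service FROM ports WHERE state='open'", []
    if service:
        sql, args = sql + " AND service=?", [service]
    return conn.execute(sql + " ORDER BY addr, port", args).fetchall()
```

A poller that watches the output directory only needs to call import_nmap_xml for each new .xml file it sees; the primary key makes a repeated import of the same file harmless.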
Lots of Nodes (100 to be exact)

Demo
• Kali Scanning Nodes
• Ubuntu Server - Minions Server: 192.168.89.173
• Nodes: 192.168.89.174, 192.168.89.175
• DNmap SSL C2
• Scans, Jobs, File, Targets

Questions & Contact
• Hit me up!
• justin[at]sixdub[dot]net
• @sixdub on twitter and github
• sixdub on freenode - #veil and #armitage
• Blog - Sixdub.net

References
http://www.tripwire.com/state-of-security/vulnerability-management/distributed-nmap-port-scanning-dnmap-megacluster/
http://raidersec.blogspot.com/2013/01/distributed-port-scanning-creating-nmap.html