
[Music] [Applause] Alright, so welcome to Weaponizing Ansible. This is just a talk I put together; it's kind of an idea I got with Ansible not too long ago. I've been doing a lot of the PS>Attack stuff, a lot of PowerShell stuff, so my concept was: why can't we do that with Ansible? Like I got mentioned in my... my name is Chris Graham, architect over at Red Hat. This is my little who-am-I and my picture, right? So my intro was done, so I don't really need to do that. Like I said, I've been an architect for Red Hat for about six months now, previously working with Khaki and many, many other companies that are out there doing cybersecurity engineering work, mostly supporting SPAWAR and the government sector.

So, a quick introduction to the basics of the security concepts we're talking about: Red Team, Blue Team. I'd imagine 90% of you guys are pretty familiar with what those are already. For those that aren't: obviously the Red Team guys are the guys that are going out and offensively attacking these systems; your Blue Team guys are the ones trying to protect the systems. I just wanted to cover those basics. When I've given this presentation before, I gave it to a wide audience, so I wanted to be sure to cover that whole thing.

And then who's a target, right? Targets can be really anybody. They can be you, they can be your laptops, they can be a system, they can be people. The whole purpose of understanding who a target is, is that it can be anybody out there. That's really the big thing to keep in mind: it's not just a corporate network, it's not just a corporate system, it's your home systems, it's you. Social engineering is a real thing, so keep those in mind and just be really aware of that.

So what do we all want as a pentester? We want shells, right? Shells are the best. Ansible can give us shells through various means, just like PowerShell can, or really any other tool can. So we want a shell. There are two major types of shell: we've got bind shells and we've got reverse shells. The bind shell, as shown up here, is a pretty basic setup. There are some limitations with a bind shell, though. So talking about our bind shell: our attacker comes usually through the front door, or some sort of front door we might have, and usually that's a firewall. In that case we're attacking some vulnerable system and trying to execute commands on it. Well, that leaves a problem: how many times can you get through the front door of a firewall? It's not really gonna work out in many cases. A lot of times they're blocking a lot of those types of ports; you may not have really easy access to those systems. Now maybe it's a web server and you happen to have that capability via a web injection or something like that, but that's pretty uncommon, usually.

So the next one is a reverse shell. This is like the real key to this, and the way that we're probably gonna use Ansible in most of these instances. The reverse shell allows us to take our vulnerable system and have it report back out to us. The real benefit of the reverse shell is we're talking the other way. If you've ever been on a corporate network or in any sort of secured environment, we all have access to some sort of outbound communication, whether it's SMTP, port 88 for HTTP, 443 for HTTPS. We can come across any of those ports, and we don't really care how we're gonna get out, but those are all allowed through the firewall. So what it does is it allows those internal boxes that already have some sort of vulnerability or compromise on them to reach out and actually talk to the systems that I want them to talk to, and not necessarily me having to try to break through some firewall to get in there.

Take a little quiz: what is Ansible? Who's familiar with Ansible? Show of hands. Alright, so we've got a few people out there, so hopefully you guys are fairly familiar with it. You know, it's pretty amazing. I love it. It's a really, really awesome tool, and we'll get into why I like it a little bit later. It's simple to use. You know, who's written PowerShell? Who's written bash? It's not fun sometimes. If you've ever written Ansible, and for those that haven't, that's why I'll show it to you: it's really, really simple. If you can't follow it, I don't know why you can't, because you just gotta be able to read English. It's really, really simple. Or is it a hypothetical machine capable of instantaneous or superluminal communication? Who's seen Ender's Game? I know you all have, or at least read the books. I know John has. So I'm a big fan of that; I actually watched it the other night because it was awesome. And then finally, is it an open source automation engine that automates software provisioning, configuration management and application deployment? For those that have actually used it, that's exactly what it is. Red Hat, we support it. It's out there, free and available for anyone to download. We've also got some paid-for stuff you can get behind that, which I'll touch on briefly a little bit later. So it's all of the above, right? It's all those things. Alright, so how does Ansible work?
That is kind of the real question. So we want to answer: what can it do? It can manage system states. It's a full automation tool. It can be a deployment tool: we can go out and deploy web apps with it, we can deploy an entire build with it, we can provision systems with it, we can do anything of that. It can be an orchestration tool as well, so we can have it triggered from something like CloudForms or any other system; Jenkins can trigger it for web app deployments, things like that. So we can use it for all those things.

The playbook. So I kind of talked about playbooks. This is what a playbook is. Essentially, for those that I referenced earlier, this is our PowerShell script, this is our bash script. That's what it is. It's just a YAML file. In this case this one might be a little bit more unique to follow, but it's just a very quick example of what our playbook looks like, and I'll show you the actual offensive playbook we'll use a little bit later too. It's not gonna look much more complicated than this; it's really, really simple to follow. In this case we're just doing an archive right here: we're just gonna unzip that file. So we're gonna go out and download that file (it might be a local source, might be a remote source, we don't really care), we're gonna unzip it, and we're gonna unzip it to that destination. So it's pretty simple to follow. Does that seem complicated to anybody out there? So that's really all the playbook is.

So what's required for Ansible? Ansible is a very, very lightweight capability. It's built on a managed-host/client type system, so we're completely agentless. I don't require any sort of application to reside already on the target system, with the exception of Python. Python 2.6 is really preferable, especially for the latest versions. Really, you can go back to Python 2.4, but it's not so great; you get limited on that, especially with a lot of the modules that are out there. And then the target systems, as we make mention here, can be SSH or WinRM; there are also a couple of other solutions. We can use SFTP, and I think SCP is capable of supporting that communication as well, if I remember correctly. So we mentioned SSH and WinRM. Well, WinRM exists on Windows boxes. Yes, Ansible can manage Windows boxes. In fact, the last I looked there were about 50-ish modules that we support natively to manage Windows systems, everything from creating users to modifying group policy, really anything you can do as a system administrator. We want to do all those things, so if you don't like PowerShell, Ansible works.

So yeah, that covers those. The whole workflow on a screen: we design a playbook here from the control host, and we can then push all of those playbooks out to the managed hosts that are out there. Really simple three-step process, just to let you do those things, let you do all of the management efforts that we've already talked about.

So why would we use Ansible offensively? This is why you guys are all here, right? We want to know how we can do this. So we talked about PowerShell. PowerShell has been massive lately, big on living off the land. Ansible does the same thing, especially, I think, in 7.4 of RHEL. We actually just launched it; Ansible is natively there, so you don't have to go out and download it, you don't have to spin up the extra repos, you don't have to download it from a pull, all that fun stuff. You don't have to do that anymore; it's already there. So it's gonna become more and more native already, but anybody who is managing large Linux systems has probably already got Ansible installed, because that's just the way of business nowadays. Everybody out there, and I promise you, everybody is moving to Ansible. I'm on engagements almost weekly, it seems like, for a new Ansible engagement. So we want to live below the radar, we want to live off the land, we want to have that legitimate traffic. I think everybody's pretty familiar with living off the land; for those that aren't, the concept is really about trying to look like legitimate traffic, look like the system administrator. So we're doing things like PowerShell does out there today, right? It's great. So we're doing things exactly like PowerShell does. We want those same tools that system administrators are utilizing to be the same tools we utilize. It's really, really easy for us to get ourselves caught up in "well, let's play with Metasploit, let's do this thing, let's create this really crafted unique attack, let's use Empire". They all create these really cool attacks, but a lot of them might not really look like legitimate traffic, especially if we're doing real IDS/IPS stuff, where we're really auditing our networks to try to figure out what's going on, and IDS and IPS are getting really, really good at catching those malicious crafted packets. So we want to do things like a system administrator. As a hacker or an offensive guy, I'm using their accounts to do their stuff anyway, so let's look like them. We're doing the same things at work: we're uploading files, we're downloading files, we're executing files, we're creating users, we're deleting users. That's all we do; that's all a system administrator does.
So why can't we look like that? I mentioned this a little bit earlier; this is just kind of a complexity screen. Let's talk about the complexity of PowerShell. This is just something I grabbed. It's pretty hard to read compared to what you guys probably just saw earlier with the Ansible stuff. It's pretty hard to follow. Not that there's anything wrong with PowerShell; I love PowerShell. Jared Haight wrote the PS>Attack stuff, and PS>Attack is awesome and I really, really love it. But I kind of wanted to open the doors for everybody to start doing that with Ansible. Bash: who's a bash scripter? Everybody's a bash scripter, especially if you're on a Linux box. Bash is no more friendly, let's be honest. Here's our kernel panic, right? How many times have we written bash scripts and caused these things to happen? This is again kind of looking at the complexity of our bash scripts. They're not pretty either. Not exactly hard to read, but then again, for some people, not exactly easy to read. Talk about that playbook, that YAML file, and it's a whole lot easier to read doing similar stuff. And, you know, they're not one-to-one; admittedly, it was a whole lot of work to try to write a PowerShell script and a bash script to do all the same stuff. It's a whole lot of work, but we do that on the back end with Python, with the modules. So all of that you might do through a bash script, like a big giant one-liner or something like that, is just gonna be handled via unarchive, that's, you know, untar or whatever.

So, demo time. Live demos kill presentations, don't they? I've actually done this in a PowerPoint presentation style here, but I'm gonna live demo for you guys anyway, just because, well, that's more fun. So let me see if I can get these screens over there for you guys.
See if I'm gonna be visible; that'll be the next cool question. I'm gonna show a few things and we can walk through the presentation afterwards too. Yeah, there's no easy way to hold this thing. Alright, let's try this. Alright, so I don't know if anybody can really see this, and I can pull it up on the slide deck, but this is what our YAML file looks like. This is our actual offensive YAML file, so we can definitely do that. So we talked about our reverse shell. This, right here, is where we're just gonna grab the reverse shell. All we're doing in that case is going out, downloading the file, pulling it in and making it executable. And I'm being told they can't see very well, so let me see if I can... alright, that's right, because I have it in a bigger picture.

So the first one we're just talking about is getting the file using the get_url module. In this case we're just pulling down the file like I mentioned, so we're just going out to any website out there; in this case it's the attacker IP, that's gonna be my Kali box in the demo, and it's just gonna download the file. It's gonna put it in the home directory. You can put it wherever you want; I don't really care where it goes, it's gonna work either way. And then we're just gonna change the permissions on it; we're gonna allow it to be executable. You can do this in a few different ways; using the mode is really simple for that.

The next thing we're gonna do is actually execute this. We haven't really talked about what this is yet, but it's a reverse shell, so we're actually gonna download this executable and then we're gonna execute it. We're using nohup and exit here. The big reason is every time Ansible connects out, it actually creates a new connection for every command it's making. Now that's just the way that Ansible was built, for scalability reasons, and we want that, but every time I were to do that I would lose that connection. So if I didn't nohup it in the background, we would end up losing the shell, which is not really bueno. And then finally we created this last one to go in and create a user for persistence. It's just a hacker user, very simple, very straightforward, not overly special. We can create any user we want; in this case we also gave them wheel access, because, well, we don't want a user with no permissions, that's no fun. We're also assuming in this case that I have some sort of root permissions on the box already. We don't have to have that; in the playbook I've got built, actually at the bottom of this, right here where you don't see, it says ignore_errors. So I can actually connect in as a regular user. I can connect as any unprivileged user; as long as I can execute a file, they can run these top two and I can still get a reverse shell back. So anything's possible. It really comes down to your idea: what can you do? This is a very basic concept of something fairly malicious, right? We're getting a full reverse shell, a meterpreter shell in this case, and it's anything that we want it to be. So feel free to explore what's available out there.

Continuing through the demo, this is kind of our setup. So on the Kali box, and I can't show the screen very well because apparently I'm trying to deal with blowing that up, so we'll head down this way. What we did: we just set up the Apache server on the Kali box, and we used msfvenom to go and create an executable which is using a meterpreter reverse shell. For those that aren't familiar, msfvenom is just a piece of the Metasploit framework that builds binaries. We can push that out into all kinds of shellcode, anything we want, to create our exploits and just have a reverse shell. In this case we're just doing a binary that's going to call back to our Kali box on 4444, just because it's easy for demo reasons. It could be port 80, it could be anything you want. You can definitely create any sort of shell module or shell that you wanted to create here; there's also Windows, Linux, anything you want. So you want to build a snowman? Sure, we like building snowmen.

Alright, so this is the playbook running. This is the output of actually running that offensive YAML playbook. To do that we're just gonna run ansible-playbook offensive.yaml; that can be any name you want, but that's just the name of the playbook in this case. So the first thing we see: we see the playbook going out, we see it do the gathering of facts. That's just trying to reach out and find some information about the box. It's gonna pull all kinds of information. Feel free to delve into the setup module; it gives you an insane amount of information about a box. Anyway, so we talked about, in that playbook, in the YAML file, we're gonna go ahead and download that reverse shell, so that's the very first task, which is "get reverse shell executable". We're actually gonna go down and pull that out. You see "changed" in this case because it's saying we actually did something; if it didn't do anything it might just say "ok", for those that aren't familiar with Ansible. The next piece is "execute reverse shell", so that's running that shell module, using that shell module to run a nohup command just to create that executable and actually run it. The next few I apologize for. And then finally we created our user, so we created that attacker account, we gave it wheel access because we happen to have permissions. If we didn't have permissions, because of, note, the ignore_errors there, we might get an error, but that's fine, because the shell is still gonna execute; it's just gonna execute as a regular user. So make it so, number one.

Finally, this is the actual result of running that executable. We made it happen, it happened, it worked. So we actually have a full meterpreter shell at this point. In many cases that might be some sort of permissions that actually have some power; you might have root there, but if you don't, we built with msfvenom an actual meterpreter shell callback, so it's not just a regular shell. So at that point I can then continue to use meterpreter to privilege escalate if I need to. Maybe I can't, maybe I can, because maybe there's a kernel exploit available, but it doesn't matter; the point is I got a shell, and even as a regular user you might go and find some sort of other exploit on the system that meterpreter doesn't already have. Finally, we're going over the user that was created. So down here at the bottom we created our attacker account. You can see there that the attacker account was created, and it does have wheel access, so this user is a fully privileged user in this case. It can go ahead and install boxes; it's full sudo permissions, right? So it can go ahead and escalate itself to root, it can perform any sort of suite of commands. If you want to try to put in the logs that the attacker did that, I'd rather say it was root doing it; it makes it a little bit better and a little harder to trace. So there's more, right? We can always do more.
With Ansible, especially when it comes to attacking, like I said earlier, this is a very basic example. We can do a lot of stuff. We can deploy netcat, do some netcat listeners; we can deploy anything that you can imagine. Again, it's an automation engine, right? We talked about that a little bit earlier. It can connect to all these boxes, it can do stateful stuff, it can check the state of the systems, it can deploy systems, it can do anything a system administrator does. So that really leads us to the capabilities of Ansible. I talked a little bit earlier about how, you know, anything's possible, and that's really what it boils down to: as with any automation engine, you can really do anything that's out there. If you can come up with the idea in your head, you can do it through the command line, you can do it through Ansible. So we did demo this for a single box, or I showed you the demo for a single box. In many cases, especially as pentesters, and kind of what brought my idea when I came across Ansible and started playing with it, is persistence. Persistence is hard. It's really difficult to deal with a thousand systems out there when you're coming into an engagement and they've got five, six, seven hundred boxes and you've got to exploit them and then keep track of them, and you only get back to them... many times you lose connections, things like that. At least this allows us to then deploy across the entire enterprise if we have the permissions to do that. And user propagation is huge, so if I can go and say, alright, let's deploy this shell to one box, I can deploy the same exact thing, using fully agentless communication, across a thousand boxes, assuming I have permissions. There is no better way to propagate throughout a network than using Ansible in this case.

Alright, so we're gonna talk about defensive stuff here. Don't uninstall Ansible because it's horrible and does evil things to you. You wouldn't go out and do that with PowerShell, right? PowerShell is really, really awesome for system administration, so don't go out and uninstall Ansible if you have it today. It's really, really good; it was built to do a lot of things. So the key is it's also a defensive tool. You know, we're gonna use it offensively in this case, but we can definitely use it defensively as well. We've used it for a few different things in particular: STIG deployments, you can deploy host-based protections, patching (you can do full patching; we do this a lot for a lot of customers), and then we have Ansible Tower. I'll talk a little bit about that for those that aren't familiar with Ansible Tower. So STIGs. Everybody loves STIGs. We're in Charleston.
I'm gonna guess at least 50% of this audience probably works for the Defense Department in some manner. So if you guys aren't familiar with STIGs, they're DISA's recommendations for doing security hardening. They're fun. Not at all. Yes, do deploy your STIG without any questions and it will totally work when you're done. Yes, attack surface reduction, yeah. So we can deploy STIGs. In fact, I've actually been helping develop a lot of the RHEL 7 STIGs today using Ansible. So if you guys are familiar with Ansible Galaxy, it's a place out there where we can go ahead and deploy, or put out, really just linked back to GitHub, any sort of roles and playbooks that we've created. There's a group, MindPoint Group, that we actually contribute to as Red Hat employees, and then we also have some of our own personal repos up there as well that allow you to go out and download those. So you can go out and install the role. The RHEL 6 and RHEL 7 roles are already fully out there; RHEL 7 is still being developed, but it's about 50% done. We've actually completed full automation of deployment for all of your CAT Is and about half of your CAT IIs so far, and that's fully automated. SRR scripts, please let them die. Use Ansible; it's so much better, I promise you. You will make your life way better. So yeah, go out, check Ansible Galaxy and download those STIGs. They're available; it's a really quick search. It has a nice little search engine; you just put in keywords and up pops what you need, and you can deploy those and automate your full deployments. Now keep in mind, you will break things, because it is a STIG, and the STIG likes to do all the bad things to your networks.

So we're talking about host-based protections. HBSS, I know a lot of people hate it. I was the HBSS admin; I hated it too. I still like it, though; it does a lot of really great things. It's also really powerful, you know; it provides a lot of whitelisting, analyzes your host-based firewalls. So we can deploy those. This is actually a really common one that we get asked when we go on engagements: can we deploy that with Ansible? Can we deploy HBSS? Can we update HBSS? Can we configure HBSS? The answer is yes. Windows systems and Linux systems, I don't care either way, I can deploy those with Ansible, and then we can deploy those across the enterprise. And that applies to any sort of application, right? We're talking about HBSS in this case, or any sort of HIPS or local firewalls, we can do those, but it does apply to any sort of application. So go out, deploy those applications with Ansible and fully automate that life.

Patching: aliens did it. We did not crash them; the aliens did it. So patching. We definitely get this a lot, especially in Oracle; we spend a lot of time patching Oracle databases, so we've fully automated those. The patching process is really simple. Just like I mentioned, anything a system administrator can do, we can do better, kind of. So definitely, we can do fully automated deployment for patch deployments. It can include web applications; we can do system patching or application patching, anything that we can really think of we can automate. Again, a lot of those are done through the command line anyway, so we can go ahead and patch with those as well.

And finally, Ansible Tower. It's a shameless plug, I'll be honest. This is our paid product that we sell from Red Hat for managing Ansible. For those that aren't familiar, Tower acts as a kind of centralized management engine. If you've dealt with Ansible, especially in a non-Tower style environment, you run into a situation where you have a lot of people collaborating, and they're all working out of a single GitHub repository ideally, or they might also be working out of some sort of shared directory, and that becomes a nightmare, especially when you're all trying to edit files, you're trying to keep track of version control, things like that. Centralized credentials: nobody wants to store all those in a plaintext password file. That's horrible. Don't do it. Please, please don't do it; it makes me cry. So it allows us to actually centralize all that stuff. We can run jobs, we can run scheduling instead of trying to run all your Ansible tasks via cron; we can run that all through Tower. Again, it is a paid product, so I'm not gonna hype it up too much. I like it, but Tower in that kind of environment is really the value here. It just provides a nice little GUI that lets you do that.

So how can we defend ourselves from Ansible being used against us? This is one of the key things that we probably want to make sure we talk about. We talk about using Ansible for offensive use; well, all the bad guys want to do it as well. Especially, you know, as a bad guy, we walk in and we see PowerShell and we are excited; if we can use PowerShell to our own advantage we're really excited. If we can use Ansible to our advantage we're gonna be really excited as well. So there are a few things we can do to protect Ansible. Ansible has got a pretty low attack surface already, being that it's really relying upon Python. So as long as Python is there we can use Ansible, but that's really it; it doesn't have much of an attack surface itself. But there are a few things we can do to help protect there. The first being Ansible Vault. Ansible Vault allows us to encrypt our playbooks; we can encrypt passwords inside of stuff, anything like that. So what this does is, if I create a playbook and that playbook has a set of instructions that go out there that might require a password (in many cases a lot of applications require a password to execute; maybe I'm using something with WebLogic, whatever, it requires a password to escalate), we can encrypt the actual password in the YAML file and then use that password across all of our YAML files or our playbooks. Or we can encrypt the entire playbook; maybe for some reason we want to encrypt it all. We can keep that entire playbook encrypted, and if we use Tower, Tower can manage these credentials for us, or Ansible Vault can manage those as well.

The next thing: we want to harden SSH. SSH is a giant, giant hole that we run into all the time, especially when it comes to dealing with any sort of attackers that are coming in. SSH tends to be a front door all the time; we use it as system administrators all the time, so it's definitely something that we run into. So we want to make sure we're hardening it. We want to make sure that we're using SSH keys, we're not using passwords. SSH is really, really bad at trying to protect against stuff like brute force, and we all know passwords suck, because we're all using password123, and then the next time we have to change it we're using password1234, and we all know that. So we want to make sure that we prevent those things from happening by using SSH keys. We also want to use strong SSH keys: make sure you're using a large bit length, a large level of entropy, so that we're using strong keys. And then we want to make sure that root can't log in. Root is the root of all evil, but it's also kind of the basis of what we need to do all of our work. We don't want to allow it to SSH, though. That builds kind of those CIA levels in for us, by letting us SSH as ourselves and then escalating privileges as needed. Privileged accounts: so we have all kinds of privileged accounts and we want to protect those as much as possible. Every layer of security comes into play here, everything from the STIGs, everything from user accounts, configuring SSH; all of those types of things are definitely things that we need to keep track of. We want to make sure that we're not letting users get additional access; we want to make sure that the user has minimum permissions; we want to disable any additional access they might have, disable any sort of root access that they may have gotten into, and just segregation of permissions, so that whole least privilege concept: if the user only needs to do X, why can they do Y? We want to make sure that we separate those duties as much as possible. Protecting service accounts is huge as well, and then that allows us to really take advantage of the become options, so how Ansible is actually able to execute with permissions. We actually build that in when we do Ansible: Ansible is able to connect as an unprivileged user and then escalate to a privileged user once it's across the wire. So we want to just keep those things in mind.

And then finally, coming up to a quick Q&A, if I can get over there, a quick Q&A session. We've got a bit of time here; I went way faster than I've ever presented this, probably because it's always been in webinar format. So I want to open the table up for questions, anything that anybody's done. We can also go through the demo a little bit more if people want to see some different things there. Yeah, in the back.
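The defensive guidance from the talk (Vault-protected credentials, key-only SSH with no root login, and least privilege via become), pulled together as an added example; this is not the speaker's playbook or Red Hat's code. It assumes an inventory group named linux_hosts, an unprivileged login user named deploy with an SSH key, and a vault-encrypted file group_vars/all/vault.yml defining vault_become_password.

```yaml
# harden_ssh.yml (added example, not from the talk)
#
# One-time setup of the vault-encrypted variable the play reads:
#   ansible-vault create group_vars/all/vault.yml
#   (contents:  vault_become_password: "<sudo password of deploy>")
# Run:
#   ansible-playbook -i inventory harden_ssh.yml --ask-vault-pass
- name: Harden SSH and enforce least privilege on managed hosts
  hosts: linux_hosts
  remote_user: deploy          # log in as an unprivileged user, never as root
  become: true                 # escalate on the box, the way the talk describes
  vars:
    # Resolved from the vault-encrypted file; the plaintext never lives in git
    ansible_become_password: "{{ vault_become_password }}"
    # Accounts that are allowed to hold sudo rights through wheel (assumption)
    allowed_wheel: ["deploy"]
    sshd_settings:
      PermitRootLogin: "no"                  # root may not SSH in at all
      PasswordAuthentication: "no"           # keys only, no brute-forceable passwords
      PubkeyAuthentication: "yes"
      ChallengeResponseAuthentication: "no"
      MaxAuthTries: "3"
  tasks:
    - name: Enforce each sshd_config setting (replaces commented or old values)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^\s*#?\s*{{ item.key }}\b'
        line: "{{ item.key }} {{ item.value }}"
        # sshd -t rejects a broken config before it is written into place
        validate: '/usr/sbin/sshd -t -f %s'
      loop: "{{ sshd_settings | dict2items }}"
      notify: Restart sshd
      # Caveat: on newer builds sshd also reads /etc/ssh/sshd_config.d/*.conf,
      # and an earlier Include can override these lines; check that directory too.

    - name: Read the wheel group so unexpected sudo holders can be reported
      ansible.builtin.getent:
        database: group
        key: wheel

    - name: Compute wheel members that are not on the allow list
      ansible.builtin.set_fact:
        # getent_group.wheel is [password, gid, "member1,member2"]; an empty
        # member string splits to [""], so blank entries are dropped first
        unexpected_wheel: >-
          {{ getent_group.wheel[2].split(',')
             | reject('equalto', '') | list
             | difference(allowed_wheel) }}

    - name: Fail loudly on persistence-style accounts in wheel
      ansible.builtin.fail:
        msg: "Unexpected wheel members on {{ inventory_hostname }}: {{ unexpected_wheel }}"
      when: unexpected_wheel | length > 0

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Running it with --check first shows which hosts would change before anything is written, and the wheel check turns the talk's "attacker with wheel access" example into a visible failure rather than a silent success.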
Ah, sure. So it's kind of a tough one. From a misconfiguration perspective, the big thing is the way that Ansible is installed: it's not installed on the target system. We talked about it being an agentless environment, so we don't have an SSH server listening on that... we don't have an Ansible server, an agent, listening. So you as the attacker, in many cases, I might be a managed node; the control node might be my laptop, I'm the one with Ansible installed. The target box probably doesn't even have Ansible installed, so there's not really anything from a configuration standpoint that you can really do from an agent standpoint. Where you can come into issues is if you have Ansible out there and maybe you have your own control node inside of the network, and if that node were to be compromised, there's definitely some risk there, associated with maybe your playbooks being compromised, and now the attacker might have a better idea of what your network looks like, what kind of things you're already doing. Maybe you didn't use Ansible Vault and you're running plaintext passwords inside of your playbooks. Please don't do that. Please don't do that. So that's probably the biggest misconfiguration we could run into, but yeah, losing protection of your actual playbooks, or your roles, is probably the biggest risk. Best case for that is you want to use something like a git repository and have those all under git authentication control, all that kind of fun stuff. That'll be your best bet to try to protect those, but that's really the best you can do from a misconfiguration perspective. Is Ansible concern
So the vault is going to have to be decrypted. When we showed that encrypted file, right, it's just AES-256 that we use as the base. So to actually execute that playbook I'm going to have to provide the vault password to open the vault, so that the vault can decrypt that file or that password. And that actually is going to happen prior to going to the client or the managed host, so it happens at the control host level. So when I type ansible, or ansible-playbook, and then the playbook I want to run, I then have to also specify a vault password for that to execute; otherwise it's going to fail out because it won't be able to read the vault password. So that's going to happen at the user level for you, or the administrative level. Does that answer the question?

So the communication? Yes. So if you happen to be on the box, the actually compromised box, and saw the execution happen, the limitation is going to be whatever system protections are in place there to protect that password. It's still going to be in play, but the communication is still going to go across SSH, so the communication method is going to be encrypted. But yeah, if you happen to have the compromised box and watch the playbook run, you could potentially get that out of memory when it's executing, but it's not going to be something that's in the history command or anything like that.
Yeah, so in that case, especially if we're trying to do a reverse shell or any sort of shell-type stuff, we're going to have to ensure that we have a listener available for each one; otherwise you end up with a thousand listeners and it's not going to be pretty, or you're not going to get callbacks, right. And this isn't going to go out... I guess you could go out and actually set up a cron job to execute that shell every time. In this case we just happened to run it one time, but then I could also turn on a cron job on that box to execute and continue to make that callback, so I've got that kind of persistent callback going on. But otherwise, yeah, the answer would be yes, you would need a listener for every one. Any other questions out there?
Sure, yeah. And we're seeing that a little bit, I think, happen with the PowerShell community right now, doing PowerShell scripts where they are signed. Today that's not really happening. I don't know if that will be something that they push into the upstream; you know, we're still open source communities, so a lot of these kinds of ideas get pushed up into the upstream and then we incorporate them eventually. I don't know if that's on the roadmap at this point in time, but I see where you're going with that, and that makes a lot of sense, and that's why they built Vault for the time being. Ansible is a fairly recent acquisition, so a lot of that's being molded, especially as we look further and further into the future. Any other questions out there? Yeah.

Oh, so Ansible Tower provides an API? Yeah, Tower provides an API. So if you have Tower out there and you've got all of your playbooks and roles and stuff like that, you can actually call back to that, so you can still do full DevOps with stuff like Jenkins. Jenkins will pull your product, or your code push goes to Jenkins, Jenkins does the build, a successful build kicks off into the API of Tower, which then decides, all right, now you've built your artifacts; it goes out, pulls down your artifacts, deploys, maybe spins up a whole new container for that, or it spins up a new VM, maybe a new cloud instance, whatever you want, and does a whole deployment for you and deploys your application entirely. And it's all done via API, and really, yeah, the API is pretty robust, especially in our... I do not, off the top of my head, sorry, I don't know that off the top of my head. All right, so yeah, we've got a lot of extra time, but any other questions? Go ahead, John.

Yeah, yeah, so that's actually a really recent thing. As of September, officially Cisco has been helping us develop some of their modules to handle Cisco boxes. Network device management is a tricky thing, if you can imagine doing automation across network devices, especially if you've been a Cisco engineer and done that: you make a change and all of a sudden you've blown away something or lost a connection to something, and it's not pretty. So they've actually worked with a lot of us to help develop some of those, and then there's a bunch of network modules out there to do that for Cisco. I think we've got some Juniper stuff, a few other things out there. But all of our modules, if you go to docs.ansible.com, all the modules for everything that we do are already out there, and then there's a lot of modules that exist because, again, this is a big open source community; that's kind of our thing there. So you can create your own modules, you can write those, they are all based in Python, so you can write your own modules and do your own thing and then import those into your libraries and completely do that, and push them upstream, and if they're really cool we can do that and add those to the actual core repositories. That happens all the time. Yep.
Yes, so in that case we're using Ansible Tower in many cases, or in almost all cases at that point, and Tower actually has a built-in credential manager which will do that for you, and it manages your vault passwords in a stored credential manager inside of Tower, sir.

So the bulk of what I've seen is it's being used almost exclusively right now for DevOps, because it's a fairly new product. And when I came up with the idea of let's build an offensive Ansible capability solution, I did a lot of googling, because I didn't want to do something that somebody else had already done, and the only thing that I came across is there's a group that named their product "a taxable". I kind of had that idea and I was like, oh, that'd be a cool name, and I googled it, right, and it ended up being the only group that does that, and it's not even an offensive capability; it's a deployment method for building essentially Kali on any system. That was their idea behind that. So there's nothing I've seen where it's being actively used offensively, at least not in the offensive community today. So that's a lot of the reason I wanted to be able to present this to the community and say, hey, let's use this, let's try to take advantage of this and do the best of our abilities today.

I have not, though I've just written a few, kind of for demo reasons. I am going to; so you guys saw where I talked about offensive Ansible, that is ultimately one of my products that I wanted to do. I'm actually wanting to build those, so the playbooks today, I'm wanting to build those into a module and actually have an Ansible module that you can utilize and make calls, but it'll be a list of playbooks that you'd be able to just use tags to call. Maybe I want to privilege-escalate a Linux box, and it'll actually build out, pull the tasks specifically that you want to run, and target it that way. So at that point they will be released. Yeah.
Yeah, by default that's what we do. We can definitely run off of other protocols as well, so we can do SSH, SCP... wow, that was really hard to get out, yeah. So those are all going to be built in; it's going to manage those from a connection perspective, but you have to provide them the keys. So there's actually a big discussion we've got going on inside of Red Hat, and in particular in the Ansible community, where we're trying to figure out how we can best automate key rotation and key management utilizing Ansible, because it is kind of a new thing that we're trying to get into the security world with and finding best use cases. SSH key rotation and management is definitely going to be up there, and it's something we're actively talking about with some of even the engineers and developers available today.
Yeah, yeah, those are stored in the credential manager inside of Ansible, or inside of Tower, yeah. So those aren't just sitting on the file system or something where anybody can get to them; they're stored in the credential manager in Tower. Yeah, Tower is the paid-for centralized enterprise management tool. I don't know off the top of my head; we don't deal with pricing where I'm at. But that's not to say that's not available: actually, as of September, like mid-September, we open sourced it. When we bought Ansible it was originally not open source, and we open sourced that, like I said, around mid-September when AnsibleFest happened in San Francisco. So you go out, it's the AWX project, and you can actually download and build it yourself. I'm not going to say it's easy to build; it's not pretty at all right now, and there's also currently not an upgrade path, to my knowledge, so if a new version came out I don't think there's an upgrade path available. But we do that all through playbooks, so if you've ever deployed Tower, playbooks, actually Ansible deploys itself in that case. So that'd be your best bet if you wanted to play with Tower: you can definitely get ahold of the AWX project, just download it, it's available on GitHub.
So there's a little bit of support out there already; most of it's not directly supported by Red Hat, but there are other modules that are out there, generally speaking. Yeah, yes, so there's Android modules out there, things like that to do that, and then the limitation on a lot of IoT devices is that they need to be able to support Python 2.6 or greater, and a lot of those may not have a full version of Python built to support that, which is the big limitation there.

Yes sir? [inaudible] front end [inaudible]. Yep, yes, so that's all there. Yeah, so we've got full LDAP integration, we've got Active Directory integration, it supports SAML authentication; it's not something that's super fun to set up, it's fairly complex, but that's any sort of SAML-type deployment, they can be kind of tricky. But it supports really any unique way that you can think of to authenticate: we've got support for RADIUS, so any sort of two-factor-style authentication is definitely available for the front end of Tower. And it's also available on the way our API connects; it does support some level of two-factor authentication there for API-level connections. I'm not exactly sure how that works off the top of my head though, yeah.
Ansible-pull? I don't know if I'm following what you're referring to. Oh, I see, yeah. So that would be similar to the way that I'm doing it; so you could definitely do that from an attack scenario, I see what you're saying now. So that would follow very similarly to the way that I used Ansible to kind of use a get_url-style thing to pull down the malicious executable file in this case. So it could be the same thing if we're using ansible-pull in that regard. I've never used it, but I would think that if you could pull down some sort of code from like a git repo or something like that, then I could use it to pull down the code, build the code, execute the code, all on the same box, on that target. Is that what you're following? Right. Oh, okay. So, all right, yes, so actually that's Ansible core, I understand your question now.

All right, yes, so that's actually how Ansible works natively, so because we're an agentless system, and this is where scalability really comes in, and I didn't really talk about that very well, I don't think. So scalability with Ansible is really all about executing on the remote host. So even though I'm executing from my laptop as a managed or a control host, I push out the playbook to the managed hosts, and then the managed host is what's actually executing every single one of those commands; that's not occurring from my box. So that makes it infinitely scalable in that regard. Ansible can easily scale up to tens of thousands of boxes from my laptop; I don't need any massive system, because every command is executed locally on the managed node. That's how... so when that playbook I talked about ran, every one of those commands was executing locally; I wasn't pushing those commands to them, I pushed it one time. And then we do some serialization and parallelism that you can do as well. So if you are talking 10,000-plus hosts, I can have it serialized into groups, or parallel groups, so I could say I'm going to run 100 here, and then five minutes later I'm going to run 100 here, and I'm going to push 100, so you can scale it out across. Or you can do, depending on how much of a network you have, you have Tower; Tower can support even further and even more simultaneously. Each Tower can support roughly, I think if I remember right, about 500-ish to 700 nodes per Tower instance. I saw another hand somewhere. Okay, three minutes.

Yeah, so there's all kinds of error logging available, and any sort of standard error, standard output that you get from those commands is going to be kicked back to you. Ansible is going to default fail on any sort of error that occurs, but you can do stuff like verbosity and get more results back, and then you can do stuff like ignore errors. So, like I mentioned, when I created that user account, if I didn't have permissions it could ignore those errors. But also some stuff like error handling as well, so I could do a block; it's essentially a catch statement, so if this fails do this, else do this. So we can do all of that as well, and that gets into how you handle blocks and error handling within Ansible. So we're coming up on the end of time, so any last questions? All right, thank you very much, appreciate it.
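As an added illustration, not code from the talk, the speaker, or Red Hat, the playbook below puts together the mechanics the Q&A describes in one runnable unit: the become escalation from an unprivileged SSH user mentioned at the start, the vault-encrypted variables whose password is supplied on the control node and never sent to the managed host, the serial batching from the scalability answer, and the block/rescue and ignore_errors handling from the final answer. The inventory group `managed`, the SSH user `deploy`, the file `secrets.yml`, the variables `svc_user` and `svc_password_hash`, the artifact URL and the optional check path are all assumptions for the example.

```yaml
# site.yml (added example; names marked "assumed" are not from the talk)
#
# Prepare and run from the control node. The vault password is consumed here,
# on the control node; only the decrypted values reach the managed host over SSH.
#   ansible-vault encrypt secrets.yml            # AES-256 vault-encrypted vars file
#   ansible-playbook -i inventory.ini site.yml --ask-vault-pass
#   ansible-playbook -i inventory.ini site.yml --vault-password-file ~/.vault_pass
- name: Connect unprivileged over SSH, escalate on the managed host
  hosts: managed              # assumed inventory group
  remote_user: deploy         # unprivileged SSH login (assumed)
  become: true                # escalate after the connection is established
  become_method: sudo
  become_user: root
  serial: 100                 # run the play in batches of 100 hosts for large fleets
  vars_files:
    - secrets.yml             # contains svc_user and svc_password_hash (assumed names)
  tasks:
    - name: Ensure a service account exists (fails if become did not grant privileges)
      user:
        name: "{{ svc_user }}"
        password: "{{ svc_password_hash }}"   # hashed value from the vault, never plaintext in the playbook
        state: present

    - name: Error handling equivalent to try/catch/finally
      block:
        - name: Fetch an artifact from an internal server (URL assumed)
          get_url:
            url: "https://repo.example.internal/artifacts/app.tar.gz"
            dest: /opt/app.tar.gz
            mode: "0640"
      rescue:
        - name: Report the failure for this host instead of aborting the whole run
          debug:
            msg: "Download failed on {{ inventory_hostname }}: {{ ansible_failed_result.msg | default('unknown error') }}"
      always:
        - name: Runs whether or not the block failed
          debug:
            msg: "Finished artifact stage on {{ inventory_hostname }}"

    - name: Optional check whose failure should not stop the play
      command: /usr/bin/some-optional-check   # assumed path
      ignore_errors: true
      changed_when: false
```

Without `--ask-vault-pass` or `--vault-password-file` the run fails before any SSH connection is opened, because `secrets.yml` cannot be read on the control node; that is the behaviour described in the vault answer. With `serial: 100` each batch of hosts runs to completion before the next begins, and a failure caught by `rescue` does not remove the host from later tasks, whereas a task without `ignore_errors` that fails outside a block does.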