
BG - Force Multipliers for Red Team Operations - Raphael Mudge

BSides Las Vegas · 47:38 · 99 views · Published 2017-03
About this talk
BG - Force Multipliers for Red Team Operations - Raphael Mudge Breaking Ground BSidesLV 2012 - The Artisan Hotel - July 26, 2012
Transcript (en)

I don't like limited mobility. Okay, well, I'm losing my voice, so it probably helps if I use the microphone anyway. Good morning, everybody. My name is Raphael Mudge; I go by @armitagehacker on Twitter. Real quick, what I'd like to do before diving into the content of this talk and what it's about: I just want to get a feel for you, so I know how much background to give. How many of you know what Armitage is? Most of you, okay, great. How many of you have used it before? Okay, fantastic, well, that makes it a lot easier. I see a few of you don't, so that's cool, don't worry, I'll make sure you're taken care

of too. One thing I like to do when I'm giving a talk at a really cool conference like BSides Vegas, or DerbyCon (I like that one a lot too), is I like to give out stickers. So I've got some Armitage stickers up here; I'm going to just take one and pass it around, everybody loves stickers, Mr soal. And with that out of the way, let's go ahead and dive right into this talk. I've been working on Armitage now for coming up on two years, okay, and something I've never done, I've done this in bits and pieces, but I've never actually gotten up in front of an audience and said, here's the crackpot thing I think I'm trying to achieve,

okay, and I've never gotten up in front of an audience and said, on top of what I'm trying to achieve, what I've done and what I'm going to do next. And I've always been afraid to do that because I don't want to promise something and not be able to deliver it; it's just my personality. But I really feel like it's time to start sharing where I want things to go and what I'm trying to do, and, you know, invite your ideas and feedback into that process. So what we're going to talk about today is force multipliers for red team operations. Don't worry if you don't know what a force multiplier is, I'm going to

explain that. So there will be a little bit of military jargon in this talk, but I will define all of it. And what I'm interested in is how a team of hackers works together, okay? And I've been interested in this problem since I used to work as a researcher for the Air Force; I've been interested in this problem since 2006. You can't see it very well, but in the background here's a picture of a bunch of guys in uniform, cadets too, in an event from 2007, playing a war game where they were actually trying to conduct the cyber part of a simulated kinetic war, and I wrote a public paper on this

exercise, and the photos are from the public paper, so I can talk about it. But what I noticed during the event was that military-style command and control never evolved in this team of hackers, okay? You never had people actually taking orders, taking a role, taking a job, and supporting each other as a team. And from that time I had this inkling that there was a problem there waiting to be explored, waiting to be solved; I just didn't know what it was until later, and we're going to talk about that. So here's what we're going to do: I'm going to introduce myself and introduce the problem statement a little bit further, and we're going to

talk about force multipliers and what I mean by that phrase. Really it's just jargon for synergy, which itself is jargon for things that work really well together, but we're going to talk about what force multipliers are for a team of hackers. And then I'm going to take this problem and I'm going to scope it, okay, because one thing I learned as a researcher is I can never solve a problem for every possible use case in every possible way. So what we do in the research world is we take and define our problem, scope it to where we're going to solve it, solve it there, and then use those lessons learned to expand out. So

we're going to scope this problem of how red teams can work together, and then we're going to talk about three force multipliers: collaboration, distribution, and automation. Strangely enough, they're the things I've either worked on, am working on, or will work on soon, so it's not an exhaustive list, but it's just how I see the world right now, and we'll go from there. It's going to be a lot of fun and a lot of stories. Just a little bit about me: I'm a US Air Force veteran, so I was active duty; as I mentioned, I worked as a security researcher at that time, so if I use the word cyber a lot, that's why. But

I was just a crackpot academic, just a person meant to sit in an ivory tower and do whatever people do there. I have participated on a number of red teams since 2008, so I've had a lot of chances to learn from some of the best; it's been a lot of fun, so you'll see some of that coming through in this talk. I have worked as a penetration tester on a DoD-type red team, so I did the kind of longer-term stuff as well; I really like doing that kind of work. But what I primarily am, what I primarily love doing, is I'm a developer, I write code, and with that I actually started a

company this year, Strategic Cyber, and I make software for red teams. If you want to learn more about that you can go to advancedpentest.com or get a comic from me afterwards, but that's about all you'll hear about that in this talk. So the question: how do we organize a red team? Okay, that's the problem I'm interested in. And what I've got here is a picture of the small unit tactics manual. This is a book, it's like a football playbook for the Army, if anybody's ever read it; it's got pictures of, here's where I put these Army guys, here's how their fire covers each other, and how a platoon can support each other

based on different kinds of objectives you might have in a battlefield situation. What does that look like if somebody were to write this book for our field, for what we do? Okay, I think that's a really interesting question. I haven't seen one; if anybody else has, let me know, I'd love to read it, one that's written by somebody who does it, though, not a bureaucrat. But my perspective isn't even in answering that particular question. My interest is in the tools that we're using, and how they prevent us from answering this question, and how they can better help us answer this question. I really love this quote; it's from a futurist, Marshall McLuhan.

There are people who are actually scholars on his work; I am not. But I've always loved this quote, and it's: we shape our tools, but then our tools turn around and shape us. It means it's really easy, when we've got a tool set, that that tool will define our thinking about what's possible. And so as a developer, as a person interested in this field, I'm interested in how do our tools limit our thinking and prevent us from answering that question, how do we organize a team effectively, okay? And this is actually the question that started this whole long roller coaster that's been the past two years of my life. So what is a force multiplier? This is the DoD definition,

but basically the whole is greater than the sum of the parts: synergy. A force multiplier is something that, when added to what we already have, our tactical assets, it's magic dust you sprinkle on it to make a combat force more effective, okay? That's what it is; a force multiplier is a capability that gives us synergy. Here's a military example: the AWACS, the Airborne Warning and Control System. It's this funny airplane with a little dome on top, and what it does is it gives a battle manager a view of the airspace. It gives them, okay, here's the missiles that are out there, here are my assets, here are the enemy's assets, and here's what I'm

tasking to go after different objectives, okay? This great quote, I think this is from the Indian Air Force actually, is talking about how the AWACS gave them a grand coordination of the air battle, the ability to manage it like a video game, right? Like we've all played Command and Conquer, you have, right, Josh? Yeah, you know, like that kind of ability to play general and just say, hey, smart thinking human being in this jet, go there and do what I want you to do, but I'm still going to kind of task you. That's pretty powerful, right? However, keeping with our definition of synergy and a force multiplier, let's take away those jets, let's take away those tactical

capabilities, and just put this thing in the air to be your only asset. It'd get shot down pretty quickly, wouldn't it? Yeah. That's something about force multipliers, it's very important: they are useless without tactical capabilities, okay? Here's another one, outside of the military side: social media. I grew up with the Internet, or I should say I watched the Internet and I kind of grew up at the same time, and I've watched social media rise, and it just kind of blows me away, because there's a lot of people out there who are social media gurus, experts, and they're saying, get on social media now and build a community, right? Well, no.

Social media is a force multiplier when you have a community, but if you don't have one, the effect is zero; zero times a multiplier is still zero, right? And I use this example because sometimes when people see what I perceive as a force multiplier, a synergistic capability, they get really excited, like it's a silver bullet to solve all problems, and that's really dangerous, because if you don't have that underlying foundation first, a multiplier is just useless. So now that we've kind of defined a force multiplier, let's take it back into the realm we're talking about, which is red team operations. We as a community are rich, wealthy in intelligent people producing amazing capability to

circumvent different kinds of security measures, and we do it to try to figure out how we can be attacked so we can better protect ourselves, right? And I'm interested in taking all this stuff, all these tools, and how do we glue that together into something useful. So let's scope things just a little bit further. This was what my March and April looked like; literally the whole two months, I spent two months going around like a carny, going to different events and hacking into college student computers, with something called the Collegiate Cyber Defense Competition. I was VPNed into the Rocky Mountain CCDC for a day, I was at Northeast

CCDC, Mid-Atlantic CCDC, VPNed into Pacific Rim CCDC. I was at something called the Information Security Talent Search, which is an offense and defense competition at RIT; it's a great event, it's been going on for 10 years now, and some other stuff, and of course National CCDC as well. For those of you who don't know what CCDC is, it is a defense-only competition for college students. A team from a university will go to this event; they'll end up being dropped into a network that's the same as all the other schools get, and they've got to, for a weekend, keep their services up and running to achieve some sort of business

objective. They have to actually respond to injected events; for example, at one event, Mid-Atlantic CCDC, they have a guy playing CEO, and he'll take the team captain into the room and he'll chew him out. It's really hilarious to watch; he'll be like, listen, I don't care about security, I want profit, what are you doing for me, security person, to give me profit? So they do stuff like that, it's pretty cool, and of course they're scored on their ability to stop the red team, okay? It's really great for me because you've got 10 different teams, 10 different levels of network defenders, and by the way, they get better by leaps and bounds every year, it's amazing. I

have a lot of respect for the students, but it's a pretty intense event, okay? One hour of competition time is supposed to represent a week of real life. So I just want to give you a taste of what life looks like for us at CCDC. This is just a couple of outtakes from Pacific Rim CCDC this year, and hopefully you can see this; I'll just play through it real quick. Here I'm VNCing into a student's desktop they had access to, and they're trying to go to Facebook, and I'm like, dude, no Facebooking during CCDC, you're supposed to be working, red team's everywhere. And then I was trying to tell him, type the password, I have it already. And here I'm,

it's hard to see again, but I'm keylogging a guy, I'm watching his desktop at the same time, he's SSHing into one of his servers, and talking to somebody else on IRC on the red team, and we're just talking about this guy and kind of having a good old laugh about it, because this is what we like to do: we like to get passwords and use them. Another one: a student writing to their judge in the competition. I started just writing stuff like, red team rules, I love red team, they are the best ever, you know, it's what I like to do; we haven't been hacked, you know, that kind of stuff. Of

course I like to send them good websites, like fasteasyhacking.com. That's just a little bit of what it looks like at CCDC; sometimes we have a lot of fun as a red team. But here's why I like CCDC as a laboratory for exploring these questions, okay? Anybody can say, if you give me a bigger gun, I will be more successful, right? Well, CCDC solves the tactical question, because at CCDC the students are running outdated systems, okay, and we're able to take today's tools, the benefit of several years of security research beyond what the students are running, and turn them around against the student networks, okay? What's great about that is,

in terms of a tactical situation, we have what we're going to get, right? So whether we're successful or not is going to fall on how we use what we have, because there's probably no magical discovery that's going to come along and revolutionize this game, because we're playing an old game. And I like that because it lets me say, okay, here are the questions I'm interested in: how we work together, how we organize ourselves, and the things that support us, and how can we do that most effectively. So let's go back to 2008 and let's talk about how we used this advantage, or even squandered it. First, Northeast CCDC 2008, 2009:

this is what it looked like. There'd be student networks, okay, and we did do some clever stuff, but I'm just giving you the general flow. Basically somebody with Core Impact would just be getting into all the student systems, and the other people would be, maybe using Metasploit, getting into those same systems, and we would just get a lot of access, until the students just start patching and kicking us out, boom. But that's what it looked like: get into systems; got into a system, yay, I got in, accomplished something, that was it. And here's what it looked like: typically CCDC events are three days, some of them are two, but on Friday we'd

get a lot of access, get into everything, sometimes multiple times, just staying there, because everybody's breaking into the same system the same way, no coordination. Saturday, by the time students had patched, we'd be getting kicked out, and we'd have to start going after the harder targets, and Sunday we'd probably have nothing, maybe one or two systems, and we'd just delete them to kind of recover a sense of self-esteem after we'd been owned by college students. So with that, we're going to go into collaboration, and we're going to continue this story. You know what the situation looked like 2008, 2009; 2010, I'm a programmer, so I like to do it right: I wrote some scripts to log

into all the Unix systems right at the beginning of the event with default creds and persist in them six ways to Sunday. And what was really cool about that: we had access the whole weekend because we focused on persistence, and Saturday we had one access across quite a few teams left, and it was a cron job that was phoning home, downloading a shell script, and running it as root, whatever we wanted, every hour. And so what we started doing is, I'm like, well, I got nothing; everybody's like, yeah, I got nothing; well, hey, why don't we just set up netcat listeners, and when that cron job phones home we'll each get a

shell. And every hour on the hour we'd get shells, and everybody'd be really happy, because we're working as a team and suddenly we're having fun. We weren't doing anything really useful, but it was kind of cool that we were working together, because keep in mind, now this is my third time with this team, and we're like, this is kind of fun. And that led me to ask, man, that is kind of fun, wouldn't it be cool if there was a way for us to actually work together in this way all the time? What would that look like? I was really interested in that. So I started out to develop Armitage, and that's kind of where Armitage came

from; that's its back story. And I didn't know it was going to be Armitage at first; I just wanted collaboration. I actually wrote a functional spec, because I'm a geek and I do that before I write software, for an IRC bot that would allow collaboration, because I know IRC really well. But this is what Armitage looks like, for those of you who haven't seen it before: all your Metasploit modules up here, all your targets here, everything you're doing opens up as a tab down here, and, whoops. When I built Armitage, the first version of it didn't have the collaboration; I really wanted that, but I knew it was going to take a lot longer.

But I did sit down and said, okay, what are the needs for a red team to collaborate? Well, real-time communication; the ability to actually know what we did; data sharing, meaning if Josh scans a host I'd like the benefit of what he found; and session sharing, meaning if somebody breaks into a system I want to be able to actually jump on that system they broke into without asking them, without action on their part, because for collaboration to work it has to work without friction, okay? The more a tool tries to change the way hackers work, the more resistant they are to it. So here's kind of the team concept: we stage a server, a centralized

attack server, and you can have your Armitage clients connect to it, and through that attack server you can actually work against a victim network. That's kind of the idea, and it's also nice because you can connect the client, put up that event log, shared chat room, and everybody can look up on the projector and see where you got access and what's happened so far, so it makes a great common operating picture. And what I'd like to do real quick, before I just go on, just for those of you who haven't seen it: I've got Armitage right now connected to a team server, two different clients, and the basic idea is something like this, assuming my

VM doesn't need a reboot. Let me try to exploit it; I'm going to exploit it from this client. Go over here, my teammate can be looking at their event log and they can see that Irongeek launched this attack, and voila, I see lightning bolts, oh, they compromised the system. And what's kind of cool is I can open up a command shell and work with that compromised host, and at the same time, through the one connection we have to that compromised host, my teammate can do that too, okay? So we can work together because we're kind of deconflicted. That's what the collaboration stuff looks like. So what's funny, though, about the collaboration stuff is the first thing

instinctively people want to do is have one server and everybody attack, do everything, from it. That's really bad. What we found works, and what's become our mantra, has been decentralized attack, meaning have your attackers working on their own, and once they get access, send it to a central post-exploitation server. Remember these two things, because I'm going to talk about why it's a big bad hack and what needs to be done to fix it in the next force multiplier. So, decentralized attack, centralized post-exploitation. Here's what that looks like: have an access team, and all they're doing is breaking into systems and sending that access back to that shared server, and on

that shared server you have people waiting in the wings saying, oh cool, a system popped up, just like I showed you in that brief demo, and they're just doing their specific job, saying, oh okay, I see a system popped up, I'm going to jump in and do that. The nice thing, though, is through Metasploit you can actually do something called pivoting, which is use a compromised host to access other hosts, use it as a hop point. So your post-exploitation server now becomes where you're pooling all of your pivots, so now anybody on your access team can also use anything you've got a pivot set up through and attack that way too. So that's kind of what's ended up working for

us pretty well. Let me give you a little bit more context: Mid-Atlantic CCDC 2012. This red team was led by mubix, Rob Fuller; he did a really good job, and here's how we organized ourselves. A number of people said this was the best-run red team they'd ever seen, and the most smooth-operating one, and very effective. Rob split us up into three kinds of access teams: a Windows team led by Georgia Weidman, a Linux team led by a good buddy of mine, and a wireless access team; they were working on doing this part. We then had a shell sherpa, that's my role; I don't have a cane, but

I kind of want one, and a little robe, so I can herd my shells. Now, what a shell sherpa does is, as soon as these folks get access, my job is, they actually pass the access to me first, and what I do is I manage persistence, and I make sure there's a strategy to stay on those systems and maintain that access and keep it, however I do it. And I've got a number of tactical tricks I'll talk about in a later talk, but fun stuff. But what I also do as a shell sherpa, there's actually two of us, so myself and Jerry Brunell, who wrote a rootkit called the G-spot, but what we do is

we keep that persistence, and we make sessions available in that shared server, okay? And that shared server actually has multiple IP addresses, so as soon as something gets blocked, well, we have quieter forms of getting back, and we just make sure access is always available. Post-exploitation team: their job, as soon as a session pops up, each person has specific roles and they're supposed to work on them. And here's what we did at Mid-Atlantic. At Mid-Atlantic the students were defending hospitals, okay? So Larry Pesce from PaulDotCom actually made these custom drug dispensers; it was really wild, with Arduino devices that could be hacked into, and there was all this data

seeded throughout the network that actually played in a simulation. So our job as a red team was to steal data and to change drugs such that we get patients killed; we actually scored ourselves on how well we killed people in the simulation, I know, it's dangerous. Here's something that's really cool, though, working in this way as I've just described: the post-exploitation team, the actual people doing it, was three guys, okay? Between the three of them they achieved 70% of all possible flags in the simulation. So of everything we could possibly do to inflict pain across these 12 teams, which is actually a very daunting task, and especially in a chaotic environment like this, we

hit 70% of it, which means we worked really well together and we were focusing on the objective, the goal, achieving what we were out to do, which was kill fake people. So that's why it's really important to collaborate, right? And just to add to the context, we also had a hardware team trying to figure out Larry's Arduino stuff, and we had a crack team, and they weren't like the guys who were there to make it a party, although they were pretty fun; they were actually password cracking guys. So we would take anything we discovered on the post-exploitation side, feed it to them, and they would try to actually feed that to these other teams

so they could develop more access. So that's kind of how we worked, and when we talk about automation we're going to talk about how automation enabled us to kind of wire this together a little bit too. I'm not the only person, CCDC is not the only place that stuff's used. This is from October 2011 at a Department of Homeland Security exercise; there was a red team trying to break into a chemical plant, a fake one, defended by an active blue team, and they're using Armitage to collaborate, and here's that red team lead briefing the press off Armitage as a common operating picture. So everything I've kind of just described does get used

elsewhere as well. So collaboration, the one I've spent the most time on, because it's the one I understand best so far: it is a force multiplier. Why? Because it helps us make the most out of time on target, right? We might get discovered, might get booted out; we can make better use of our limited resources; capable red team members are a limited resource; networks can be really big, okay? It also allows us to avoid duplication of effort, very important when you're working in someone else's network and you don't want to screw up, and of course time on target also. It allows us to give roles to even our junior members, give everybody a place to play, so we can actually grow them and

bring them up, okay? Most importantly, collaboration allows us to focus on the goals of the engagement by setting up a process that works. Now, I love collaboration; I probably sound like, wow, that's the greatest thing ever. Cool. Well, where does collaboration fall short in the real world? Let's talk about that and talk about distribution. I mentioned before this idea of decentralized attack, right? Why do we do that? We do it because it allows the attackers free rein to work, use whatever tools they want, be as noisy as they want or quiet as they want, whatever the vector is, without exposing our post-exploitation, because as soon as our distance gets caught, we're done. If our post-exploitation stuff gets

caught, then in the real world you've got to move to a different server for your callbacks. In an exercise, I just buy more addresses, but that's neither here nor there. With centralizing post-exploitation, for this to truly be effective I need access to multiple IP addresses. In an exercise this is cake: I just do ifconfig eth0:1 through 128 and bind as many IP addresses in my space as I want. As a shell sherpa that gives me many options: I can send sessions, active control over a compromised host, and if one of them gets blocked, no big deal, I can just keep sending them to the different IP addresses; nobody's going to block all of

them. But that falls apart in the real world. First, we have a data split between attack and post-exploitation. As a pentester I need to make reports; I need to actually tell a story to my clients, right? It's a big pain, but it's really important. Well, if I'm working off multiple nodes, one node for attack, maybe several nodes for post-exploitation because I'm constantly moving nodes, my data is all over the place, really hard to consolidate, and automatic report generating tools are useless in this context. The access to multiple seemingly random Internet addresses: again, in an exercise really easy, in real life hard. When I was pen testing I would do a lot of spear phishing; I love spear

phishing, if you look at my products you'll know why; it works, that's why. But here's the deal: I would send out an attack, right, and my sessions would go to a system, I usually used Amazon's Elastic Compute Cloud, and for every attack, and even sometimes the same one, I would have to have multiple nodes, and I would have to move nodes constantly to make sure that the next attack didn't get caught, even though they're spaced out sometimes several weeks at a time, but I knew as soon as I used a node it would be burned, okay? That's painful from a management perspective; Armitage is going to do no good in that context. I've got to connect like 10 Armitage clients to

10 nodes and manage them; that's painful, right? And the attacker, if they get access from one node, they've got to actually deal with this friction of passing a session elsewhere. So there's a lot of limitations to this concept taken into the real world. So distribution, the ability to actually manage a network of attack nodes, would alleviate these problems. So here's what I want; it's not something I've done yet, but this is the whole of what I want going forward: I want the ability to manage not just one collaboration server, I want the ability to manage 10, 100, or a thousand of them, okay? And, you know, of course botnets and things like that do this, but I

want it, you know, in the tool set I use. What's painful about this is, yeah, there's engineering questions, but those are actually easier to solve. The hard part is the soft questions, which is, if I've got a thousand nodes, okay, and I've got a team working with these nodes to do a pen test, or maybe more realistically we'll say 10, what's the right abstraction, what does that look like, what are the ways we could step on each other? For example, let's say we've got 10 nodes under our control, right, and Jeff starts scanning, and I'm like, Jeff, dude, you just scanned from the node I was going to use for callbacks, you just blew it, what are

you doing? It's all right, dude, I would have done the same thing. Is there a way that the tool set, the abstraction, can help prevent that without hindering how we work? And I don't know the answer to these questions; they're open questions. But distribution is a force multiplier because it enables all those collaboration benefits we've enjoyed in the exercise environment, and it really enables all of them to come even into the real world, okay? So this is something I want next; maybe a year or two from now it'll happen, but that's kind of in the spirit of the long-term vision here. Right now, let's talk about automation, because I mentioned that red teamers are

precious. Precious. How can we actually delegate tasks to bots? What can a computer do? A computer should do what it's best at, right? Why would I want automation in a teaming context? Well, hacking is tedious. I often joke that sometimes hacking feels like jiggling a door knob over and over again and being surprised when the door opens. Sometimes, though, the door might only be open for a certain amount of time; the window of opportunity might be really small. And if you've ever watched me on the keyboard, you'll know why I automate everything: this is me, when people are staring at me I start making mistakes and make typos, I screw things up, I get nervous. So humans

are slow and make mistakes, and so what can a computer do to help aid us in what we're doing, to amplify our ability to work on a large target? Well, automation does sound cool, but there's some pains to this. First, if I'm going to have a solution to do some stuff on somebody else's network, a network I don't control, they don't necessarily know what's out there; that's kind of tough. Computers don't necessarily respond to unknowns very well, right? You know, sometimes if there's an unknown situation the program usually breaks; that's what hacking is all about, looking for the cases the programmer didn't anticipate and messing with them. So I think for automation to work

we need the ability to develop and change solutions on the fly; it's just going to be a natural reality, okay? So, okay, great, well, if I'm going to have custom scripts or whatever during the engagement, there's some problems with that. One, if it was written during the engagement and it's not tested, what if it's broken and I've got some infinite loop doing something really crazy, like deleting the wrong files? That could be scary. So I think any kind of automation solution needs positive control, the ability to say, I don't trust this thing yet, I need to be able to debug it and approve what it's doing, and then once I trust it, let it go

on its own, okay? So humans and bots working in tandem. And of course we need the ability to start and stop these capabilities without taking down all of our collaboration stuff, because that would be painful; we need to keep our accesses where they're at, the stuff just needs to plug in and go. And also the other challenge, too, is that our accesses, our control of these compromised hosts, might only be available through a pivot, so whatever automation solution we have needs to talk to our sessions where they're at. So with that, because this problem's been near and dear to my heart, through a DARPA Cyber Fast Track effort I've been working on something called

Cortana since November, and I'm actually releasing this at DEF CON tomorrow, and I'll be talking a lot about it, but in a different way. But you get the stories behind it, so you get the better feel. But anyway, here's the way Cortana works. I've mentioned there's this collaboration architecture: I've got a team server that lets me talk to Metasploit in a safe way for multiple users, lets me access the database remotely, and do all that good stuff. Well, I can extend Armitage with Cortana scripts and add new features to it; that's fine, I'm going to talk a lot about that tomorrow. But I can actually also write bots, standalone headless bots that have a series of scripts associated

with them, connect to this team server, and do the same things a human can do, hacking side by side with us, in the same way that Armitage allows multiple humans to work together. That's pretty cool. Now there's a couple of stories about it. Northeast CCDC 2012, let me give you a story. New organizers this year, okay; the black team, we call them, the people who set up the network, set up the targets, didn't like red team for some reason. They kept calling it a conflict of interest if we knew anything, which bothered me, because I'm like, I'm a red team guy, I'm a volunteer, I'm a facilitator, I'm not a competitor; you're

supposed to give me all the advantages so I feel good about myself expect me to hack what anyway so Northeast CCDC 2012 here's what happened first red team was immediately firewalled off from student networks they didn't trust us we're trustworthy I I promise um but also the students had all patch systems there weren't any vulnerable systems they told me that the XP image uh that they had was broken so they just put a patch to buun system and it's place at the last minute wow So Okay cool so the only way we're going to get in is default credentials right right here's what happened the event starts does that firewall come down blocking us no the students have an hour of lead

time to change all their passwords patch Network now we don't like this to be a wash and it wasn't trust me um but we had to work harder that's for sure so after about an hour that firewall comes down down and we actually got into two teams with default credentials and our in we were still able to PS exact into some systems that was kind of funny but here's what happened we were looking for anything we needed targets and in the real world it's going to be the same way right it's going to be a lot of patch stuff and a little bit of opportunity so somebody was like you know everybody's doing scanning wouldn't it be nice if there

was just a way I could know what was different as soon as it was different and I'm like ooh ooh I'm building this thing for DARPA let me um try it out I'm like I can write a script that will automatically as soon as something's imported announce something in the chat room saying I see this IP address this port here's the banner I see this IP address this port here as the banner automatically as soon as new data is available and I wrote that and I wrote a bot from my system and that bot connected to the team server cool and then um there was a guy who knew more about nmap um his name is

Chris more about nmap than I ever will in my lifetime he's really actually really fun to watch I learned a lot from him and Chris he was constantly changing his IP scanning changing his IP scanning and he's like hey Raph I like the announcer thing but I'm lazy and I don't want to import every single scan I'm doing I'm busy enough I'm like okay I agree I'll write a bot for you so I gave Chris a bot he ran it it connected the same team server and what the bot did is automatically imported his scan every time changed back into the system so now we had a workflow supported by bots on one hand one bot announcing stuff that's

changing and that script actually literally like three lines of code and then um the other bot just importing stuff and not as relevant to this particular story but another guy was like hey I got a script it automatically exploits systems that match a certain profile can I have a bot that will actually as soon as something changes that matches that profile that it'll launch attacks from my local system sure it's now we have these three Bots working with us aiding the humans and aiding each other just kind of feeding each other and here's something that was really cool into the event we're looking up at the screen and up Pops a host and it's like Zimbra was in the banner Zimbra I

hadn't heard of it at the time what's Zimbra go look go to the website for it and like oh it's a web application it's like a collaboration site oh it just came up they didn't change the password cool we're in the bots made that possible small window of opportunity bot identified it we were able to jump on it same thing again later um we see Tomcat pop up guy name's will really good hacker from Rapid 7 he works on a Services team will comes back and he's like hey there's Tomcat I see Tomcat up on the board go after it will cool they didn't change the fall credentials yet either and this is how we were getting into stuff these

opportunities would come up and then boom we would just jump on it like rabid Wolverines and um that worked really well for us so that was pretty cool another example of automation this is from Pacific Rim CCDC and ists the offensive defense competition at Rochester Institute technology put on by spara any RIT people in here that's one I love RIT by the way so good people anyways here's what we did we um this is later on but um there's a really great program called Windows credential editor who here has heard of Windows credential editor few of you you have to download it it's awesome what it does it's an executable it will grab the plain text credentials of the logged in

user out of memory pass the hash is so 2011 pass the password's 2012 I'm telling you so here's what we did running Windows credential editor though it's not in met point it's not a module and it's kind of it's a bit of work to upload Windows credential Editor to each system run it get the output copy and paste the passwords into a chat room that's a lot of work let's be honest so I wrote a bot and what it would do is every 15 minutes it would sweep through all of our sessions run Windows credential editor on all of them parse out the username password and post it to our chat room and then what became fun is like

some people like at Pacific Rim CCDC or sitting on IRC like who keeps posting his passwords this is awesome keep them coming I'm going to keep PS executing in the boxes and that's what we were doing so again there's this is a cumbersome task that humans not going to want to do but it's valuable right and so a bot could do it and that was feeding our team and allowing us to work um another example from midlantic CCDC I don't have um a side for it but the crack team I mentioned the crack team right coolest name in terms of red team sub teams here's what we did I was able to write a bot that would hey when

I see a new credential in the database a new hash or a new loot show up in metas spites database and those are things like captured uh Shadow files from Linux systems I was able to have my bot respond to that event and connect to a netcat listener was run by the uh crack team so the crack team as soon as we discovered something new it would automatically get fed to the crack team so they could go to town that's an example these Bots enabling like however we choose to organize ourselves and wiring it up so we've got a smooth process but flexible enough so we can actually build this stuff on the fly so automation Force

multiplier automation is great you know allows us to do a lot of post exploitation repetitive stuff very quickly it allows us to manage our information flow such as sending the passwords to the crack team um announcing New Opportunities like at Northeast CCDC um and handling different kinds of repetitive tasks like running wc. Windows credential Editor against systems and I say this it may sound like common sense as I describe it I'll be honest when I showed up with this technology at these events I had no idea that's how it was going to get used I really didn't so to me it was like it feels like common sense now but it just didn't hit me until I saw it why is this

Force multiplier it's a force multiplier because it allows our red team to scale now okay and actually um get more out the people we've got while delegating things to bots so our three Force multip liers collaboration distribution automation collaboration allows us to assign meaningful roles to our red team members right the open question what is the right combination of roles to organize team I don't know but at least we can now ask that question and experiment with it distribution it removes these limitations in the real world this stuff all works great in exercise environment but once we have the ability to manage and attack Cloud got to have cloud in my talks now um it makes that really open up to some

cool possibility in automation add automated actors to your team but the question is which task do we delegate to Bots and what is the right means of positive control still an open question it's bad enough figure out how to make humans work together how do I add automatic actors to it too so let me just show you real quick video this is um from Pacific Rim CCDC you may see all this stuff here and that big scroll bar session session session session session session a lot of compromise systems lots of them that's a lot to manage really quickly when time's limited so I um had a bot a script and what this bot would do is as soon as um

a session opened up it would automatically backd door these system six ways Sunday and here I'm telling the bot show me every command you're doing so I can see it and we had another bot bridging IRC with this team server so everybody on IRC could see what was happening too and what was kind of cool is those commands are just scrolling really fast no human's going to do all that that fast but it's kind of nice just be able to kind of have this all on the fly as other people are like working together like you can see here a guy who's dumping hashes while this is going on humans and Bots working together in kind

of a intense uh fastpac

situation so with that in T's talk I introduced the problem we talked about Force multiplier which is synergy um we scoped it to uh these Collegiate cyber defense competitions we talked about collaboration distribution and automation as Force multipliers and the purpose of those things and building those features wasn't to answer this question it was allow us to start experiment experimenting with the potential answer and that's what uh the work I'm doing is all about is trying to make it so we can actually ask this question and get a meaningful answer and maybe get that book written if you want to know more I recommend checking out my derbycon talk from last year dirty red team tricks one

I hope there's a dirty red team tricks 2 that's fast andeasy hacking.com dirty um Cortana I'm releasing tomorrow at Defcon um you can follow me on Twitter I'm armage hacker if you go to Advan pentest dcom trining I've got a seven-part free course on pentesting but look at part seven that's the team operations lecture so it's more of a practical guide and you can always email me I do respond rsud gmail.com with that um do I have time to take any questions I got like two minutes so I got time for a question or two any everybody's like H that was fun all right guys well if you got anything just back and uh see me I'll give you cards

give you comics and stickers thanks again
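The two simplest bots from the Northeast CCDC story, the announcer that posts new or changed host:port banners as soon as they land in the database and the importer that only re-imports a scan when it has actually changed, together with the "positive control" idea from earlier in the talk, as an added example. This is not Cortana and not code from the talk or from the Armitage project: the `TeamServer` class (database plus event bus), the `approve()` callback and the nmap `-oG` text are constructed stand-ins, and every class and function name here is an assumption of this example.

```python
"""Added example (not Cortana, not code from the talk): the announcer bot and the
scan-import bot, modelled in Python against a simulated team server. TeamServer,
the approval callback and the nmap -oG text below are constructed stand-ins."""
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    banner: str

def parse_grepable(text):
    """Open ports from nmap grepable (-oG) output. A 'Ports:' entry is
    port/state/proto/owner/service/rpc/version; nmap writes '/' inside a field as '|'."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = [f[7:] for f in fields if f.startswith("Ports: ")]
        for entry in (ports[0].split(", ") if ports else []):   # 'Status: Up' lines carry no ports
            parts = entry.split("/")
            if len(parts) < 7 or parts[1] != "open":
                continue
            port, _, proto, _, service, _, version = parts[:7]
            found.append(Service(host, int(port), proto, " ".join(p for p in (service, version) if p)))
    return found

@dataclass
class TeamServer:
    """Constructed stand-in for the shared host/service database and its event bus."""
    services: dict = field(default_factory=dict)   # (host, port) -> Service
    listeners: list = field(default_factory=list)
    chat: list = field(default_factory=list)

    def import_scan(self, records):
        """Merge records into the database; fire one event per new or changed service."""
        events = []
        for rec in records:
            old = self.services.get((rec.host, rec.port))
            if old == rec:
                continue                        # already known, no event
            events.append(("new" if old is None else "changed", rec))
            self.services[(rec.host, rec.port)] = rec
        for kind, rec in events:
            for fn in self.listeners:
                fn(kind, rec)
        return events

class ImportBot:
    """Re-imports a scan only when its text differs from the last import."""
    def __init__(self, server):
        self.server, self.last_digest = server, None

    def poll(self, scan_text):
        digest = hashlib.sha256(scan_text.encode()).hexdigest()
        if digest == self.last_digest:
            return False                        # unchanged scan, nothing imported
        self.last_digest = digest
        self.server.import_scan(parse_grepable(scan_text))
        return True

class AnnouncerBot:
    """Announces new/changed services to chat under positive control: until trust() is
    called every announcement must pass approve(), and every proposal is kept in self.log."""
    def __init__(self, server, approve):
        self.server, self.approve, self.trusted, self.log = server, approve, False, []
        server.listeners.append(self.on_service)

    def on_service(self, kind, svc):
        msg = f"[{kind}] {svc.host}:{svc.port}/{svc.proto} {svc.banner}"
        self.log.append(msg)
        if self.trusted or self.approve(msg):
            self.server.chat.append(msg)

    def trust(self):
        self.trusted = True

SCAN_T0 = """# Nmap 6.01 scan initiated (constructed sample; the second scan adds two services)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, 80/open/tcp//http//Apache httpd 2.2.15/
Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds///
"""
SCAN_T1 = """Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, 80/open/tcp//http//Apache httpd 2.2.15/
Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds///, 8080/open/tcp//http//Apache Tomcat 7.0/
Host: 10.0.0.12 ()\tPorts: 443/open/tcp//ssl|http//Zimbra http config/
"""

def run_demo(approve_all=True):
    """Supervised pass over SCAN_T0, trusted pass over SCAN_T1, then an unchanged re-poll."""
    server = TeamServer()
    bot = AnnouncerBot(server, approve=lambda msg: approve_all)
    importer = ImportBot(server)
    importer.poll(SCAN_T0)                      # supervised: each proposal runs through approve()
    bot.trust()
    importer.poll(SCAN_T1)                      # trusted: announced directly
    return server, bot, importer.poll(SCAN_T1)  # identical text: ImportBot returns False
```

The point of `approve()` and `bot.log` is the positive-control requirement: a script written during an engagement runs supervised first, with an operator accepting or rejecting each action it proposes and a record of everything it wanted to do, and only gets `trust()` once its behaviour has been checked. The diff in `import_scan` is what keeps the chat room quiet; announcing every row of every scan would drown the team rather than flag the short windows the talk describes.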