automated pentest toolkit apt2 - derbycon 2016

Download Automated PenTest Toolkit APT2 - Derbycon 2016

Post on 15-Apr-2017

244 views

Category:

Internet

3 download

Embed Size (px)

TRANSCRIPT

Automated PenTest Toolkit

Automated PenTest ToolkitAdam Compton, Senior Security ConsultantAustin Lane, Security Consultant

1

Who Am I?Adam in 5 words:Father5 yearsHusband16 yearsHillbilly39 yearsPentester15+ yearsProgrammer20+ years

Automated Pentest Toolkit

Who Am I?Austin Lane:Developer7 yearsSecurity4 yearsMetalheadfor lifeAutomated Pentest Toolkit

OverviewPenetration testing often begins with a simple routine.Recon &DiscoveryTest Simple ServicesTest Default CredsCommon ExploitsDump Creds/InfoPivot & ContinueAutomated Pentest Toolkit

OverviewPenetration testing often begins with a simple routine.This routine can be slow on large networks.

Automated Pentest Toolkit

OverviewPenetration testing often begins with a simple routine.This routine can be slow on large networks.Much of this routine can be automated.

Automated Pentest Toolkit

OverviewPenetration testing often begins with a simple routine.This routine can be slow on large networks.Much of this routine can be automated.So we wrote a tool to help with the automation.

Automated Pentest Toolkit

Typical Pentest RoutineRun Nmap (or port scanner of choice)Automated Pentest Toolkit

Typical Pentest RoutineRun Nmap (or port scanner of choice)Review ports and servicesPort 21 -> test for anonymous FTPPort 80 -> identify web service and check for flaws/default credsPort 445 -> enum users/shares, ms08-067?, ...Automated Pentest Toolkit

Typical Pentest RoutineRun Nmap (or port scanner of choice)Review ports and servicesPort 21 -> test for anonymous FTPPort 80 -> identify web service and check for flaws/default credsPort 445 -> enum users/shares, ms08-067?, ...Run Responder / Metasploit / CrackMapExec / Automated Pentest Toolkit

Typical Pentest RoutineRun Nmap (or port scanner of choice)Review ports and servicesPort 21 -> test for anonymous FTPPort 80 -> identify web service and check for flaws/default credsPort 445 -> enum users/shares, ms08-067?, ...Run Responder / Metasploit / CrackMapExec / Take over the DC/database/etc..Automated Pentest Toolkit

If it is not brokenRepeatabilityConsistencyCan be tedious and slowManually parsing through data can be prone to error

Automation can helpAutomated Pentest Toolkit

Why Not Use ?PROS

Plenty to choose from

Useful in specific scenarios

Some are OpenSource / cheapAutomated Pentest Toolkit

Why Not Use ?PROS

Plenty to choose from

Useful in specific scenarios

Some are OpenSourceCONS

Can be fairly resource intensive

Can be expensive

How easy to add a new check/tool?Automated Pentest Toolkit

Automation via ScriptingKali already has LOTS of popular tools and scripts

Automation methods:BashPython (or scripting language of choice)Metasploit RPCAutomated Pentest Toolkit

APT2 Automate the standard stuffAPT2 is a frameworkModulesEvent queueKnowledgeBase

Automated Pentest Toolkit

APT2 Automate the standard stuffAPT2 is a frameworkModulesEvent queueKnowledgeBaseRun Nmap and parse output

Automated Pentest Toolkit

APT2 Automate the standard stuffAPT2 is a frameworkModulesEvent queueKnowledgeBaseRun Nmap and parse outputCreate events based on ports/servicesAutomated Pentest Toolkit

APT2 Automate the standard stuffAPT2 is a frameworkModulesEvent queueKnowledgeBaseRun Nmap and parse outputCreate events based on ports/servicesModules respond to events to perform specific tasks

Automated Pentest Toolkit

APT2 Automate the standard stuffAPT2 is a frameworkModulesEvent queueKnowledgeBaseRun Nmap and parse outputCreate events based on ports/servicesModules respond to events to perform specific tasksModules can create new events

Automated Pentest Toolkit

APT2 Automate the standard stuffAPT2 is a frameworkModulesEvent queueKnowledgeBaseRun Nmap and parse outputCreate events based on ports/servicesModules respond to events to perform specific tasksModules can create new eventsRuns until event queue is empty

Automated Pentest Toolkit

How Does This Help?Multi-threaded event queue is fast.

Simple to create new modules for nearly any tool/script.

Ready to go:Get Kali (or your favorite distro & tools)Clone the repoAutomated Pentest Toolkit

So, What Can It Do?Identify services & operating systemsScreenshot web applications, X11, VNC, Analyze FTP and file sharesBrute force accountsRun Metasploit modulesCompile hashes -> John the Ripper/HashCat

ls /usr/share If it is listed here, a module can probably be made for it

Automated Pentest Toolkit

Anatomy of a ModuleInherit from base module (typically ActionModule)Has standard properties:NameDescriptionRequirements Which tools need to be installed?Trigger Which event does this module listen for?Safety Level Scale of 1 5 (5 = safe, 1 = dangerous)process() is the primary methodAutomated Pentest Toolkit

Are There Limitations?Tools need to be non-interactiveAutomated Pentest Toolkit

Are There Limitations?Tools need to be non-interactive

Multi-threading is trickylot of traffic fastmodules can have limits defined, depend on the authorAutomated Pentest Toolkit

Are There Limitations?Tools need to be non-interactive

Multi-threading is trickylot of traffic fastmodules can have limits defined, depend on the author

Brute force with cautionyou might break some thingssafety levels are your friendAutomated Pentest Toolkit

Are There Limitations?Tools need to be non-interactive

Multi-threading is trickylot of traffic fastmodules can have limits defined, depend on the author

Brute force with cautionyou might break some thingssafety levels are your friend

Nonstandard ports and service names may throw off modulesAutomated Pentest Toolkit

Some numbers30 servers with FTPAutomated Pentest Toolkit

Some numbers30 servers with FTP

Manual testing: ~10 seconds per serverAutomated Pentest Toolkit

Some numbers30 servers with FTP

Manual testing: ~10 seconds per server

5 minutes to check all of them

Automated Pentest Toolkit

Some numbers30 servers with FTP

Manual testing: ~10 seconds per server

5 minutes to check all of them

APT2 ~1 second per server, done in 40* seconds*Assuming ideal conditions

Automated Pentest Toolkit

Lets extrapolate!Grab open ports from .gnmap, ~30 secondsgrep 80/open scan.gnmap | cut d f 2 > iplist.txtAutomated Pentest Toolkit

Lets extrapolate!Grab open ports from .gnmap, ~30 secondsgrep 80/open scan.gnmap | cut d f 2 > iplist.txtPick a tool for the service, ~30 secondsEyeWitness, Nikto, SSLScan, etc.Multiply if the tool only accepts 1 IP+1 minute because you have to read the help menuAutomated Pentest Toolkit

Lets extrapolate!Grab open ports from .gnmap, ~30 secondsgrep 80/open scan.gnmap | cut d f 2 > iplist.txtPick a tool for the service, ~30 secondsEyeWitness, Nikto, SSLScan, etc.Multiply if the tool only accepts 1 IP+1 minute because you have to read the help menuNow repeat for each service!Automated Pentest Toolkit

Lets extrapolate!Grab open ports from .gnmap, ~30 secondsgrep 80/open scan.gnmap | cut d f 2 > iplist.txtPick a tool for the service, ~30 secondsEyeWitness, Nikto, SSLScan, etc.Multiply if the tool only accepts 1 IP+1 minute because you have to read the help menuNow repeat for each service!APT2 removes the baseline timeAutomated Pentest Toolkit

Demo Time

Automated Pentest Toolkit

DevelopmentOpen source Available on the Rapid7 Github account at https://www.github.com/MooseDojo/apt2

Future plansImport from more than just NMAPResponder -> John the Ripper -> secretsdump.py (**partially there now**)Lots more modulesPython 3 ?Pretty Reports?Automated Pentest Toolkit

411 & QuestionsAdam Compton@tatanusadam_compton@rapid7.comadam.compton@gmail.comAustin Lane@capndanaustin_lane@rapid7.comaustin@coffeesec.com

https://www.github.com/MooseDojo/apt2

QUESTIONS???Automated Pentest Toolkit