Cortana: Rise of the Automated Red Team
Raphael Mudge, @armitagehacker

Overview
■ Background
■ Cortana
■ Distributed Bots
■ Post-exploitation
■ Behavior Modification
■ User Interface

This work was made possible through DARPA's Cyber Fast Track program.

What this talk is not
■ Not a Cortana tutorial
  □ Some features are skipped entirely
■ An exploration of the software agent programming paradigm
  □ This is sad
  □ Because it is fun

Today's Goals
■ Demonstrate what Cortana can do
■ Cover major functionality
■ Encourage you to try it

Introduction: Raphael Mudge
■ Formerly, IRC LaMeR
■ Developer, jIRCii IRC Client
■ Developer, Sleep Scripting Language
■ Developer, Armitage
■ Founder, Strategic Cyber LLC

Introduction: jIRCii
(Screenshot: the jIRCii IRC client.)

Introduction: Sleep
■ Perl inspired syntax
■ Built on Java
■ Extensible
■ Small! (~250KB)
■ Embedded in jIRCii

Introduction: Armitage
(Screenshot: the Armitage user interface.)
Armitage Collaboration

Cortana: What is it?
■ A Scripting Language to:
  □ Automate Metasploit Framework
  □ Extend Armitage

Cortana: What is it? The Software Agent Lens...
■ Cortana is a domain-specific language to develop "Agents" that conduct cyber operations...
■ Team server provides distributed communication
■ Metasploit offers capabilities and data model
■ Cortana offers means to create long running agents that perceive context and respond to it.
■ Cortana also provides tools to debug, understand, and assure positive control of agents

Cortana: What it does
■ Metasploit Control
■ Data Management
■ Post-Exploitation
■ Team Server Participation
■ Modify Armitage Behavior
■ Extend Armitage User Interface

Cortana: Alternatives
■ Extend Metasploit Framework
  □ Modules
  □ Plugins
  □ RC files
■ Metasploit RPC Server
■ msfcli

Distributed Bots

Problem...
■ Jolly: It'd be nice if there was a way to know when new hosts/services pop up
■ Chris: I'm constantly running scans, I'll put the data wherever you like...
■ Me: I think I can help...
■ Chris: I don't want to import my scans every minute. Can we automate this?

Background: Event Listeners

    on event_name {
        # do this stuff
        # $1 = first argument
        # $2 = second argument
        # $n = nth argument
    }

Data Events
(Diagram: Hosts Request; Hosts Request N + 1; Do nothing.)

Data Events
■ Credentials
■ Hosts
■ Loots
■ Routes
■ Services
■ Sessions

Host/Service Notify Bot
Host Import Bot
DEMO
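The notify bot sketched on the Data Events slides, written out as an added Cortana (Sleep) script that is not from the talk or the Armitage project. It assumes Cortana's host_add ($1 = address), service_add ($1 = address, $2 = port) and heartbeat_1m events and the println function; only first sightings are announced, so a repeated report of the same data (request N + 1) does nothing.

```sleep
# Added example (not from the talk): a host/service notify bot for Cortana.
# Assumed event arguments: host_add -> $1 = address;
# service_add -> $1 = address, $2 = port.
# Seen hosts/services are remembered so repeated reports are ignored.

%seen_hosts    = %();   # address  -> time first seen
%seen_services = %();   # "host:port" -> time first seen
@new_this_minute = @(); # items to summarise on the next heartbeat

# announce a host the first time the team server reports it
on host_add {
    if (%seen_hosts[$1] is $null) {
        %seen_hosts[$1] = ticks();
        push(@new_this_minute, "host $1");
        println("[notify] new host: $1");
    }
}

# announce a service the first time this (host, port) pair is seen
on service_add {
    local('$key');
    $key = "$1 $+ :$2";
    if (%seen_services[$key] is $null) {
        %seen_services[$key] = ticks();
        push(@new_this_minute, "service $key");
        println("[notify] new service: $key");
    }
}

# once a minute, summarise what changed; if nothing did, do nothing
on heartbeat_1m {
    if (size(@new_this_minute) > 0) {
        println("[notify] " . size(@new_this_minute) . " new item(s) in the last minute: " . join(", ", @new_this_minute));
        clear(@new_this_minute);
    }
}
```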
Post-exploitation

Problem
■ I want to control sessions
  □ With multiple actors using them
  □ With assurance that the script won't lose control

Background
■ Interacting with a Meterpreter session:

    on meterpreter_command {
        # $1 = session id
        # $2 = command and arguments
        # $3 = output
    }

    m_cmd($sid, "command");   # $sid = session id

Background
■ Interacting with a process through a meterpreter session:

    on exec_command {
        # $1 = session id
        # $2 = command and arguments
        # $3 = output
    }

    m_exec($sid, "command");  # $sid = session id

Background
■ Interacting with a Shell session:

    on shell_command {
        # $1 = session id
        # $2 = command and arguments
        # $3 = output
    }

    s_cmd($sid, "command");   # $sid = session id

A cool demo
DEMO

Behavior Modification

Problem
■ I want to alter how Armitage does X
  □ Use a different payload for certain attacks
  □ Integrate a different executable with psexec
  □ Modify Armitage icon display

Background
■ Filters, hook an action and change the parameters:

    filter some_filter_name {
        # inspect $1, $2, $3, etc
        return @_;
    }

Another cool demo
DEMO

User Interface

Problem
■ I want to extend Armitage with new features
  □ Integrate third-party tools
  □ Expose Metasploit Framework features
  □ Control Cortana capabilities

Background
■ Cortana scripts may:
  □ Define keyboard shortcuts
  □ Define popup menus
  □ Create console tab interfaces
  □ Create table interfaces

The last cool demo
DEMO

Cortana: What is it?
■ A Scripting Language to:
  □ Automate Metasploit Framework
  □ Extend Armitage

Summary
■ Background
■ Cortana
■ Distributed Bots
■ Post-exploitation
■ Behavior Modification
■ User Interface

Where to go from here
Twitter: @armitagehacker
Email: rsmudge@gmail.com
Cortana is posted at: http://www.fastandeasyhacking.com