Offensive Ansible For Red Teams

BSides Belfast · 2020 · 48:41 · 1.1K views · Published 2020-01

About this talk
Leo McCavana demonstrates how to apply DevOps automation principles and Ansible to red team operations. The talk covers using Ansible for offensive infrastructure setup, Active Directory lab automation, payload deployment, and privilege escalation techniques, with live demos of building a multi-machine attack lab in under two hours.
Transcript [en]

you hi everybody thanks for coming along today I'm gonna be talking about offensive ansible for red team's people have asked me one of preparing for this why have you got it attack they'll learn fine well let's get to the good stuff first you know like how come he actually uses that as a tool to actually attack infrastructure so that's good so a little bit about me is that edward has likely said I'm a Red Team operator for a fortune 500 company I've been in intersect for a bit 15 years now and I've had a different sort of path into this area I had done everything from the tech writings security architecture OPSEC pan testing and everything else in

between previously bad programmer made every mistake in the book and developing so called new media when DVDs were a thing currently I am in a red team and I love automation occasional t-shirt winner doing some stuff for all their organizations like CERN and this is what I get in return so good stuff also like psych one not very fast but I'm there anyhow okay so I talking about today DevOps tolling on principles for offensive purposes so just to break that down a bit I think that red teams are changing and if they're not they should do if there's a lot more development my it's based on DevOps principles agile all of that sort of thing we need to

follow suit and I'll be talking about how those principles and some of the tooling things such as like ansible how they can be used for offensive purpose so as I recall it using it in a professionally evil manner full disclosure I used to get automation for most so some attitudes to it I remember being challenged one day by an individual where I work out what happened we automated you out of a job this is a miss doing OPSEC pam testing on the expectation that you could automate absolutely everything to do with good luck with that so join the red team and I find that I in order to actually break things and achieve operational goals I'm obviously having a t-bill

things a lot so that's everything from small tools to do enumeration right there up to spinning up some attack infrastructures so it's pretty good for that I'm not a programmer as such but we know enough to get by which is good enough okay why do I actually like all things DevOps from an offensive security perspective Automation is the big thing for me I have done a lot of stuff where it's some manual laborious activity where you're setting something up the hard way maybe that's good if you're learning something from scratch for instances will want to more depth later about high data set of an Active Directory in an automated fashion that's okay if you need to learn at once and

learn the principles behind it but if you're doing that again again again it just gets a bit boring and it's not the best use of your time so just they prove a point in here take a look at this one if you want to actually spin up maybe some stuff in a virtual box or if you're gonna do it with terraform and if a lot of mind will work to do in here potentially if you're downloading isel's and things like that's installing prerequisites adding Active Directory rules all of that lovely good stuff that's gonna take an age the stuff I'm gonna be showing you today is I'll be the slightly best in a local lab environment with VirtualBox

and vagrants and then been able to configure up the ansible it's largely machine time where you just tell it what you do what you want to do and offer oh go go grab your lunch coffee or whatever and come back with in a bit right under two hours for a specific setup that I've got for you here which will be pretty good but there's also other ways I've been able to speed that up in the cloud but today it's just going to be a local lab that I've got here and you can probably tell I like cats so you can okay speed and consistency I just want the thing done quick like for instance if you need to

spend up a machine in the cloud with terraform it's done like that even better than doing it locally which is really really nice people are human we all make mistakes and you've got a long list of tasks to do to spin up a server or a series of servers what's the chances may be overlooking something or thinking oh I'll do the third that's when you're going to get problems that you have the actually sit back just die debug things if you're doing the automated way with tooling such as ansible it's the same thing done over and over and over again which is nice and also this raises up to get on with the business of hacking or as I call it

hacker sysadmin we want to be learning new things we want to be achieving operational goals so ansible can help with all of this can be used for more exciting things beyond hacker sysadmin but let's see what we can do with it so what really is ansible it's the easiest way of explain it's an IT automation tool covers configuration provisioning application deployment etc whereby you actually have one mean machine that actually controls a bunch of other servers etc and I could call out the ansible controller its job is say right ok I've got a real estate here of X number of servers I want you to do these jobs for me in this order and just go

with it so it's pretty neat for that sort of thing Automation how does that differ from terraform been asked that quite a bit and there's maybe some crossover in some small areas but I'll show you more I think those limitations are later Tara forms actually to build the actual infrastructure that's just basically getting the raw machines up and running for instance later in a demo you be able to see where I've actually taken a bunch of ISIL files downloaded off the web and then using tool called vagrant locally it does that spinning up terraform sort of similar it will actually get your machine up and running but it's not necessarily configured how you actually wanted to do the tasks you

have in hand whether that's actually a fishing server record the c2 channel whatever okay so I would say that the two tools are actually very very complementary another question I've been asked is that ye fixated on ansible leo there are other tools such as puppet and chef I'm not gonna disagree with any of those tools I'll be really honest folks I haven't used them a whole lot but the big thing I actually I would say that about ansible why I actually like in comparison to those other tools it's agentless and what that really means is that if I want to control a couple of hundred maybe a couple of thousand servers I don't need to install

anything specific on those boxes if they're Windows I can communicate over a Windows RM and then on anything that takes SSH in the next slash Macworld that will actually work integration perspective although it's Navy independence of tools such as terraform and vagrant for getting that raw machine up and running it works very very well with that I think it's just a great handover you've built the raw machines and I actually that's configure them to go to war everything is defined in simple text files we call a me llamo yet another markup language something like a scummy number some people have actually said that it's a declarative language mmm I'm gonna disagree with that I would

say it's procedural well it's largely on the basis that you tell it what you want and you don't need to be worried about what's going on behind the scenes so if you have issued a command to talk to X number of servers in the background it's running maybe a lot of pipe and stuff after it's made an ssh connection or it's running powershell if you're in a Windows world it isolates you from all of that sort of stuff it's got a series of module there's hundreds of them thing is doc sensible calm it will just mention hundreds of different modules that you can actually utilize really really good source of information so with that out

of the way what's what is that that makes ansible work there's loads of terms and not going to cover all of them but the basic sort of building blocks first of all is what we call rules and that's really like a collection of tasks that have a common purpose friends since you may actually have a rule where you've got a lure the commands in there that are used to actually create a domain controller or you've got another rule that's actually going to be able to spin up a single server and installation obviously there's going to be a lot of individual tasks associated with that but logically they're grouped into rules so you can see on screen here and hope it's

reasonably easy to see if I can remember to turn this on I've got one idea in here about a power play but rules common member server MS sequel that looks incredibly simple it's not just all of it that's it that's what they call a rule and that points to a load of tasks in the background so you can see where a given rule has a lot of support files and default files variables handlers that will actually trigger specific actions such as restarting services and things like that tasks and variables so there's a lot of stuff underneath the hood there the tasks this is the bit right call it procedural what you've actually got in here is in this case this is actually

taken from a rule to spin up sequel server installation it's just telling you okay well resource name is sequel set up wearable I find all the files that I actually need and it's pulling these from a load of variables so these can all be customized according whatever way you want okay so there's loads of different types of tasks that you're going to actually have and stunning up an installation in here so that's just one of them reel it into sequel server playbooks is where aim you get to sort of put things into action all of those roles and their associated tasks you grip them together and it's what they call a playbook and say right I want you

to go off and perform this role or this series of rules against the series of machines that I'm actually gonna tell you about think of it as like a play because how you would have like a sort of do is used in sport quite a lot but highlight them to the key moves to win a game and done the right way will actually see in here today a playbook that can actually be used for offensive purposes think of them as the links between us them a list of servers and all the rules that need to actually get implemented so moving along making use of ansible on the red team talking about it from three perspectives

first of all attacking with ansible sort of talk about accessing data lateral and what I would also called vertical movement as well I'm gonna show you how to actually spin up an ad lab by the way the examples in here today are a bit attacking when those and things like that it's not so that's exclusively designed to be used for Windows is talked about earlier there but access over as this H etc you could use this against a Linux real estate and so it's just a nice little example today and also we'll be talking briefly about high ansible can be used in the cloud as well again I'm talking my building a local lab but as

red team's we do use ansible quite a bit to configure a complete attack infrastructure so let's talk a bit attack in here so we've got a bit of a scenario in here where assume that I've got root access to a Linux server not picking one or right Retta where I've got root access to assume that somehow I've got access to it what I want to do is can I actually utilize what I've got in here take any of these so we've got a domain controller member servers business catch-all term for a file server web server or a bundle of loaded stuff in here and then obviously at Windows 10 workstation so that's our starting point

so let's take a look what we can actually do now if I'm on that Windows are sorry that Linux box I want to find out what on earth have I got something we would actually do in a red team is that one we've got a certain level of access we want the understand where are you at what do you have what can you do with what you have where do you need to go so like we're doing a bit of a situation wrapping here in this case I'm just doing a whit chancel I'm there low and behold there's user slash bin slash ansible also interesting some other key files in here there's a configuration file I will be talking about that file

later and one of the dangerous defaults has actually got actually I'll tell you and I by default when you install ansible the configuration file has logging turned off you have to explicitly turn it on so if there's any defenders in the room that's a good thing to actually take a look at first other bits and pieces as well I'm looking for a host file I'm not talking about at C hosts or anything like that I'm talking about a list of hosts that are specific to ansible so this controller is controlling a bunch of machines technically it's called an inventory and that files stored in a file called hosts not always in at C ansible hosts it

could actually be in any node other number of locations on the machine so do take a look for that and I'm gonna hone in on the host file in here to see what goodies that it'll actually show me in here an inventory file is just a list of boxes that a given controller has control over and yes you will see them nicely grouped up together into different sort of functional areas great thing about this is that whenever you want here she attacks something or indeed use it for so-called legitimate DevOps purposes you can in your attack construction at different parts of that inventory you can do all of them Red Team scenario not always good but

you can be more specific focusing on maybe some subgroups or individual machines within those subgroups so this is a roadmap to us as it says in here spoiler alert the very very nature ansible is they allow it to be doing a lot of admin configuration deployment stuff this is actually going to actually have complete roots life system access to anything in that real estate so already alarm bells are ringing in here at the main controllers mmm interesting but maybe that's just too obvious I don't necessarily always want to actually go ask it to demean controller maybe I actually want to go after some dealer because that's more sometimes rather a lot more relevant to a red team

goal you're after data and so um for today's purposes in here we are actually going to show you how we can become a dummy an administrator on this thumping some hashes oh but again there's a load of other things people have asked me is that okay is it ansible it's actually vulnerable in here or what you know what other attacks have you got but it's not like a Metasploit point should click go it's not an attack framework it's a management and configuration framework for machines and my view in this one is that if you actually have a really good handle on how to actually do stuff at the command-line antiderivatives together and shell scripting allosaurus good

stuff well then ansible is the way to make all of that actually happening and just a really interesting talk earlier there from yo Keem and normally talking about how they actually had some scripts that actually pull down additional components malware all that sort of stuff this sort of stuff as well is going to be very very good i will be showing you a demo of hyatt actually can do a number of tasks so interesting you can as i said talk about using play books which is just what you say right here's a list of servers here's a playbook relating to a series of roles who often do you can also do ad hoc commands which is

interesting there be fun to do a better set rep once you're actually on understate someone liners for instance then here I'm sure you can see it at the bottom ansible all now and I'm pointing it to my hosts file in here - ends for module and setup this will return pretty much everything known to man and woman about this box except the patches I'll get to that later so it's going to tell you about everything to do with processors it's sort of what that operating systems got installed all sorts of stuff in here very very useful if you want to see if there's any other wider bigger issues as well and in here system info and there's

nothing really new in here but this is not an exploit framework it's a way of actually launched in some specific commands system info might even if I actually had the ability maybe just do sort of Nebat SSH based access or windows RM access straight into that I could do a bundle of like PowerShell commands locally on those machines that's probably gonna ring anon alarm bell with that with the defenders what I'm actually seeing in here is that the answer the controller it's actually known to be an administrator it needs to be able to do these things and perhaps there's nibby mm-hmm I sort of there's not going to be as much stuff raised on on dashboards if it

sees that oh here's a command from the controller to another machine in here to do something well yes as expect that you're gonna be transferring files and configuring things this looks normal so I would prefer to do it this way because we're working off the land and here as quietly as possible okay so scenario in here that I want to show you today is that you want to be able to create a user with elevated privileges again here isn't the add-on here is that you know you're not always gonna won't be going after to me in admin but for today I'm interested in it and a cop we want to move laterally so we could move to older machines in there

or we could decide you know what we want to go further up the food chain and go for Jimmy and admins all of us or stuff so breaking things dying what do I actually need to do in here by the way no surprises I came last in art class for choice of graphics and things so bear with me in that what I want to do in here is a malicious binary night there are umpteen different c2 frameworks you could utilize for this and yes meterpreter may actually pop things and dashboards not really too concerned about that today it's just good for a really quick demo use whatever c2 framework of your choice in here but the point is we are actually

going to get a malicious binary transferred on to our Red Hat books and that can actually be used in a play book transfer that all the way down onto a given target machine in that inventory and then that seems somehow more safe because it's expected to be doing that sort of stuff and then it's gonna be calling back home I love amateur pad or listener okay okay so I'm not going to show you all of that stuff today we're going to focus on really the stuff a bit ansible itself so let's get the better but generating the motors payload so here's an interesting playbook that can be find on that box and I can be find white because I put it

there obviously you're just gonna have to be very very careful you're gonna need to do some sitrep in there to see well you know what sort of things are actually there you don't obviously want to go in and create a play book with comments rattled on it pull in this box that's not very wise so I've used some bits of obfuscation in here to make this kind of normal in this case I would have developed this offline SSH the the file or secure copied over to the Red Hat controller box and then we can start there so I'm I've told that I don't want to gather all that setup information takes too long moving along Leo and I if I want to put

some militia binary on device such as a Windows box ideally you want that to be something that's not going to be monitored for antivirus or other endpoint protection controls again you're gonna need to spend a bit of time investigating that but for today's purposes created a folder in here called software packages slash library mmm maybe there's some deployment packages in here so hopefully that looks kind of normal but you know take a look at your own sort of specific environments and try and plan then damage but this one when copping my one of us creating this demo I actually did something pretty lame use cert you tell on the actual victim boxes I'm gonna know because common files like our

common apps I got probably will ring a bell on a defense of dashboard somewhere so I thought right okay when copy and let it do all the hard work for me its so-called expected behavior and so we should be good so I'm picking an Oracle 9 ok so some thing called client setup I obviously if someone's gonna be that interest that you're gonna gag grab of that binary you're gonna strip it die and see what it is and if this interpreter sort of axion here you're gonna find it pretty cool alright quick nice we are so again there's other things that were taken into consideration here nibby of actually encrypt that that binary you've done a

few other things the obfuscated code that sort of stuff and then once it's actually on we want that to be activated no she activated it I want the actually get enhanced privileges and I'm gonna go for the kill in here with Adam Ian admin a kind night I had actually thought about specifying a command in here to actually define the accounts and design at their relevant group but maybe not the wisest thing to put it in here because this is actually going to be put on that victim ansible box and if anybody stumbles upon it and sees creds sitting there that's really really bad stuff so far right ok do this with actually an answerable

ad-hoc command my can there's gonna be partial logging on your Windows environment hopefully but again I'm creating them and here the knowledge that I've gained so far in here that this is actually expected behavior you may actually have processes running on that to mean controller there may be going to be doing a partial command to import a bunch of new users and sign them members of groups obviously you're gonna be looking ident here for anything with an enhanced level of privileges such as to me an admin again but the point is in here it's better to do it this way then actually have something that will actually be quite visible inside the actual playbook and also stuff like that can be really

really easy showing up in ansible log files I will talk about log file stuff later so well so so those are the two ad hoc commands to create the demeanor I started to create the user and then H they give them the main admin probes so my I want to take that playbook and let it go my actually being specific here in that playbook that I want it to run with those nice new creds that I've actually got because that will hopefully return me a reverse shell in the context of that user that a special event here again more obfuscation and here sis DB utils obviously you should actually have a really really good handle on what

accounts are actually in your inventory a your Active Directory and seem like this should actually be pop monoid swoosh it but again I'm blending in here okay so demo time sequence will not be shortened there's some stuff later actually show you is that because it depends and dying loading thousand things can take a bit of time and they were speeded up so to speak this one isn't okay so up at the top we've actually got our a session on the console controller down in here I've got the meterpreter set up it's already fired off the commands on here to set up user and sanam sysadmin cribs nice plan that playbook it's transferring that file on to the given machine in this

case the domain controller that's activating it and look see down in here we've got a meterpreter session okay so hopefully they'll pop up yeah there we go you can see it's in the context of this STD utils let's confirm that yep that's good and pretty Liam but it'll work in this kiss get system now I'm gonna do a hash dump night that's just for real demonstration purposes you may want to do that a bit more stealthy I using volume Shadow Copy or something like that but in this case that was quick it was actually easy again it's all done to what you actually know about your target environment suitors so that's just one way of actually how do

you actually use ansible for an offensive attacking perspective in there as I said it's really don't see your own imagination and what you actually need to achieve your operational goals so putting that inventory to work for you there's loads of other things that we could have done in here we could have actually set up a cron job on that ansible controller to pull down key data from boxes on in the inventory let's say that parts of that inventory were maintaining daily sales figures maybe and you have points that actually opens credit cards you get the idea if anything interesting is stored in those boxes we could actually have something that will actually pull all that off and

bring it back to me if you want it to be a bit more stealthy and you can actually put some of those machines to work for you potential one on there things such as a sharp point if you want to use that to enumerate I'm your Active Directory installation interesting and again I hear something out in here none of these types of things are actually new at all just think ansible it's just the way I say automate a lot of this stuff I could have actually like an we'll see Morgan a type but all the stuff in manually I would have to go off to each and every individual machine I could have watched something together with Bosch or

something but this is pretty neat allows me to set up an entire playbook on off you go also what I was doing in there I was issuing those ansible commands from the ansible controller I it is possible that you could actually talk to those victim machines controlled by ansible directly from your own tak infrastructure I would say maybe not the best operationally but perhaps there are no firewall rules in place that would restrict me from doing that I can that's something you're gonna find out from your own sort of reconnaissance activities so and that's obviously something as well that you'd want to take a look at if you're actually examining logs on a box that is

controlled by ansible you want to see well word that that connection come from well you take a look at the IP address of the machine name well that's not the answer book controller that's the sort of stuff it should be popping up on defensive dashboard okay some things in here probably have already covered again cats are busy here so they're keeping under the radar before you do any of this know exactly what it is in here that you're looking at have you any appreciation for the types of activity conducted on earth it's what's what do you know about except that so-called normal behavior I mentioned previously there but not using a cert util on those

victim boxes get ansible to do the dirty work for you and use a module called wind copy it's so called seen as normal perhaps in that sort of context and a little bit blending in as well so he's soft not playback I actually had it was actually going to have no creds in it the language is pretty neutral the functional which was interesting at the fenders in here I can apologize about the graphics folks my god hopefully there's no hoodies in here okay a few of the things that are sort of normal like sort of activities for blue teams in here baseline what a so-called normal behavior that is a very sweeping term and I apologies if that's

actually sort of simplified like that but you really really do need to understand what is normal behavior if you've got an inventory that's actually control with ansible you know where where is the ounce of a controller what sort of activities does it actually do does it normally do software installations or does it normally to users on two systems what is it so just understand what you're actually doing with it so anything outside of that should stick I'd file integrity monitoring so if anybody's creating accounts or tampering with files good stuff they actually have on board their turn on logging on your ansible controller as I said by default it's turned off which is pretty bad so

you're gonna want to take a look to see in there ansible is actually configured with a log file and then go after those log files and examine see if there's any telltale signs in there and obviously in a Windows environment too you're going to need to take a look at your partial tech logs and you're going to be looking as well for so-called ansible related traffic which is really SSH and when RM by the way like was any of that traffic coming from something that's not designated as a controller and again you could maybe restrict that with some firewall rules so moving on to learning 9 we're going to set up a local lab in here

it's all gonna be based in VirtualBox you could actually use terraform all that sort of good stuff but again this is local if you want to be able to maybe model an environment that's going to be so-called see if you want the model up in that attack before you take it into your real attack environment a maybe you want to try it some new cool privilege escalation type stuff all of us or stuff having built some personal labs and things at home this is a long process it's good to learn to do it once but it really is a waste of my time doing this sort of thing I will actually be publishing some stuff up and it get

hub great all my own personal stuff later stand by for that how they actually do all of this but you know this is really cool in the sense that it's making use of those freely available windows isel's the trial versions that allows 480 days it's technically free so it is instead of your time so that's an interesting way to learn some stuff so you can see and here my lab setup it's just based again on they surprise surprise those cm3 machines that we were attacking earlier at the main controller a member server and a workstation I'm the really good thing about this is that if you're dealing with there's a hundred need a trial version business

with Microsoft so what we can actually do for instance with vagrant locally and we can say right hold everything bring it all down destroy those boxes and I bring them back up again and off it'll go and get you fresh installation and we're all rocking and rolling which is good okay so building out our boxes I'm actually gonna skip past the demo of this one in the interest of time in here today vagrant is something you would use locally to spin up a little boxes if you're doing this in the cloud you would use terraform good thing a bit vagrant if anybody's interested in it you can actually pull down a load of pre-built boxes from vagrant quite a google lot

and it'll take you to it I've actually used these in some of the demos today it's quick and handy soidiers so I'm just gonna skip past that that's the vagrant file that this e tells it okay well what machines do I want built with whatever networking requirements they've got so on this kiss sir private network running inside VirtualBox on machine which interns at their ten-year-old Toshiba laptop that still actually works so demo in here I'll just screwin through it very very quickly I'm not going to go through all of it in here I will show you how will actually check on that and said right vagrant up go create me the raw basic machines in here so it's

I'm gonna focus primarily on DC b-sides in here obviously it's going to make sure that there's no port forwarding conflicts for things such as three three at nine and stuff like that so it's literally as good as that now why would say is that technically after this actually runs you've actually got a box you can start to log into but it's pretty useless to us right now it's actually not doing very much for us so this is where I've actually brought in here ansible yeah thanks very much for bringing up the boxes vagrant or terraform but now I want to configure that this stuff I've actually been working on for a while I've collected a

lot of stuff from a lot of different sources. Actually, one of the things actually delaying me actually publishing it on GitHub: I want to make sure the right people get the right attribution whenever I actually publish all of this. I saw lots of different things isolated, and I thought, what if I bring all of this together, do this, and hopefully it will work for me. So, something like that. So we can see in here something that's going to actually run three playbooks, corresponding to three roles: a domain controller, a member server and a workstation. Concentrate primarily on the domain controller stuff in here; it's gonna have three pieces associated

with it. Some software, I've called it, obviously at night, I didn't name it correctly, but prerequisites that it needs for a Windows server, some stuff that's actually common for everything I'm standing up, and then the really good stuff for the domain controller. So here's where I would call it's all procedural in here, so reboots actually in here that we've actually followed, setting up the domain in here. This is actually quite long, again you can read that to your heart's content once it's available on a git repo. So this is everything relating to the establishment of that domain controller, how I want it configured, and in this case that is actually being communicated over WinRM,

which will, on that victim box, be running a load of PowerShell commands. So, this in there. OK, so I need to add an inventory, which I've already got in here, and now I actually want to say right, go build that for me please while I go off and do something else more interesting. Hopefully this will actually, yep, so I'm giving that Ansible a playbook called lab setup, which is an amalgamation of those three other specific playbooks; off you go and do this. Now, if you're doing this box fresh, we still have a load of stuff to download from the web, that'll take a bit of time, so this is a shortened sequence

so you can see in here a lot of things: changed false, basically I've already done that, Leo, I don't need to reinstall that. But this is just to give you an idea of the steps that it's actually running through in here to set that all up, so lots of interesting stuff to do with PowerShell, firewall rules, all of that lovely good stuff, so reboots, all that sort of thing, ensuring it's a domain controller. So always, yeah, it's just previously gone from the prerequisites on to everything else I need now to make that operational: DNS forwarders, because I want them to actually have web access to download other stuff, and then, in here as well, for a bit of fun, I've actually put in some

stuff to create some groups to play with, and a really nice sort of development of this would be to bring in a complete sort of inventory of users and groups, all that sort of stuff. I've done some in here but that's a work in progress, and you can see that's actually finished now. I'm jumping into my VirtualBox in here; all three servers are actually running, and I'm just going to go into the recording to log in to them so you can actually see. This is the workstation; vagrant's already logged into it, it'll get kicked out in a second, and what I can actually do in here is just hopefully interact with it. We're about

to get the Windows desktop in here, and we'll get a message really soon in here that it's actually joined the domain and all of that lovely good stuff. Round about, for three machines in here, I was on a 72 megabit download internet connection, it was taking me roughly about two hours to configure that three machine setup, so your mileage may vary. So you can see in here workstation, bsides, hacklab.local, nice, so it's all there, so it is. So hopefully now I will be able to see our domain controller as well, and just take a quick look at our Server Manager, and then we'll actually take a look just to make sure that Active Directory has

actually been set up. There you have it, it's all there: we can see the two machines, server-bsides and also the workstation as well, and our users, so we're all good there. So you can start using that straight away, and instead, if that expires on you, as in the trial, rip it down, obviously snapshot anything before, if you need any data off it, all of that lovely good stuff, and you're ready to go. So you can start your hack and slash research; you can use that for any number of things, to sharpen up your enumeration skills, you want to try some privilege escalation, it's all there, so it is, so have a go at it. So, on to the last piece in here, for

the cloud. Everything I've done here so far has been locally in a nice isolated lab. With Ansible I can configure machines anywhere, whether it's on a local box or something stood up in the cloud, so I would say that, you know, this is gonna be equally useful to someone actually building infrastructure up in the cloud to attack some systems coming in from the outside, so to speak. Terraform, I actually love it because you can actually spin up machines in less than a minute, the raw machines, so no messing around with local ISO files, but obviously if you're going to a cloud environment you're going to have to start paying for it as well. The

Terraform, good for the basic sort of deployment of the machines. My Terraform, if you're spinning machines up in the cloud, you can see in here, this is actually a DigitalOcean droplet, and there's full accreditation to this person in here, a really, really good source about doing all of this sort of stuff. It's got a DigitalOcean droplet in here, and then this section here called provisioner remote-exec, this is where there's a bit of crossover with Ansible. You'd say, well, why on earth would you actually need this, I'll put everything in here where it's going to go off and download Cobalt Strike and I'm done, I don't need any of that stuff that you're talking about, Ansible

at all. I would actually argue, while that's good for getting basic stuff up and running, what about the lifetime of your attack infrastructure? You're not just gonna be spinning up a bunch of servers; you're gonna want to maybe take a look at that box over time, to make sure it's properly patched, or if there's been any intrusions, and as well, also, if there's going to be any servers in there that are going to be serving up malware etc., you're gonna want to be able to pull those log files down and understand, well, have I actually been attacked? I've actually had that doing some stuff prepping for this last week; I was just seeing some attempts

to brute force a web app, which is interesting. So we want to actually see those log files as well. I talked about earlier, if we're actually using that inventory to go after some really useful data on that target, we want to be able to pull all that back. You can't really do that with Terraform, and Ansible will be really, really cool for that. So when the box is doing its job, I need some stuff brought back to me; so that's where I would say, that's, you know, that's where Ansible has the edge. So you can take a look in here, this one is something I crafted last night, actually. We've got a web server

on our cloud infrastructure running nginx, I like it because it's nice and lightweight compared to Apache. I want to actually bring back those log files, maybe I want to pipe that into an ELK stack, or if you've got several million quid to put on Splunk, go for it. So you can see in here it's bringing everything down from that state, and I can just say, well, per machine, and store that off, which is really nice. Another really interesting thing, I know I'm cutting on time in here, is configuration templates; the nerdy word for them is Jinja2 templates, and it's nothing against people with red hair, promise. I like this stuff. Let's say that

you've actually got configuration files, maybe for running an nginx web server, where you need to do a lot of customization on a per-machine basis. You can copy that file over and then you can be really useful and do some bash or sed or whatever it is you want to customize that. If you actually use Ansible templating, it will say right, I'm taking that file, I'm moving it over and I will customize it for you at the same time. That's the real time-saver for this, folks. So in summary: Ansible is a DevOps tool; red teams, if they aren't agile and utilizing DevOps tooling right now, they should be, and the DevOps teams as well

know that, or should know that, this can be used for good, but if you've got an Ansible controller that's poorly locked down and poorly configured, it can actually be used as a weapon against an organization; it could actually end up being the weakest link. And also, as you saw in there, it can be used to automate some of the more mundane tasks for when you want to spin up your own local learning labs. So with that, please don't shoot me, this next slide, brilliant. Any questions? Any questions for Leo? Over there in the back. I had a good question, because you mentioned that, like, the Ansible controller is important for, like,

blue teams to lock down. I was wondering, like, as an attacker, what's kind of the most, like, out of all the ways to configure... Sorry, can you speak up a bit? Oh, sorry, so, out of all the ways to configure, like, these kind of keys-to-the-kingdom bits of infrastructure, like in regards to access management, whether that's rotating keys or, like, provisioning them through, like, a service, what do you not like as an attacker the most, like, what gets in your way the most in terms of getting access to these? As an attacker, it's a double-edged sword, I'd admit, we all like to be able to compromise things,

but sometimes when you compromise, that's a bad thing too, really. If there's maybe some indications in here that I've been able to get past things, in here maybe there's no network segmentation, maybe there is no two-factor authentication to get SSH access to that Ansible controller box, those are some things maybe that were lacking in there. Sure, thank you. Yep, any more? I mean, over there at the back. Sorry, just a question: do you see other products, and lower down, Ansible, being as vulnerable to this sort of attack? I'm here, see, I didn't hear. Ansible itself is not a vulnerable product out of the box; it's how it's actually configured. You could say that a

bout any software, not specifically for provisioning, automation, configuration etc. What I'm recommending is that, just like any other software, when you actually deploy it, do take a look at how you can actually lock down access to it. It's about, you know, like, for instance, if you're dealing with an estate in there of God knows how many servers, do you actually have firewall rules to say I will only listen to you and you alone, the logging stuff etc. It's really, as I think it was Brian mentioned in his keynote speech earlier on, there really should actually be some sort of pre-flight checklist, things that need to be done before you let the server go

wild. It's just that, it's nothing really new in that respect. All right, it's lunchtime, we are five minutes late, so guys and girls, have fun with the lunch. Thank you very much, Leo, and give him a warm hand.
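The two Ansible ideas the talk walks through near the end, pulling nginx log files back per machine and pushing a per-host nginx config through a Jinja2 template, as an added example playbook that is not the speaker's code or from the repo mentioned in the talk. It assumes a constructed inventory group named webservers and a template file nginx.conf.j2 sitting beside the playbook.

```yaml
# Added example, not the speaker's playbook. Assumes an inventory group
# named "webservers" (constructed) and a file nginx.conf.j2 next to this
# playbook that uses the per-host variable, e.g.:  server_name {{ server_name }};
- name: Pull nginx logs back and render a per-host nginx config
  hosts: webservers
  become: true
  vars:
    log_dir: /var/log/nginx
    server_name: "{{ inventory_hostname }}"   # value substituted into the template
  tasks:
    - name: List the nginx log files on the remote host
      ansible.builtin.find:
        paths: "{{ log_dir }}"
        patterns: "*.log"
      register: nginx_logs

    - name: Fetch each log file to the controller under logs/<hostname>/<remote path>
      ansible.builtin.fetch:
        src: "{{ item.path }}"
        dest: logs/          # with flat: false, fetch appends the hostname and full remote path
        flat: false
      loop: "{{ nginx_logs.files }}"
      loop_control:
        label: "{{ item.path }}"

    - name: Render nginx.conf from the Jinja2 template, customised for this host
      ansible.builtin.template:
        src: nginx.conf.j2
        dest: /etc/nginx/nginx.conf
        owner: root
        group: root
        mode: "0644"
        validate: nginx -t -c %s   # reject a broken render before it replaces the live config
      notify: Reload nginx

  handlers:
    - name: Reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
```

Run it with `ansible-playbook -i inventory.ini pull-and-template.yml`; each host's logs land in a directory named after that host, ready to ship into ELK or similar.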