
Efficiency in Pentesting - Developing Your Own Toolset

BSides CT · 2020 · 15:23 · Published 2020-11
About this talk
Sam Ferguson discusses how penetration testers can improve workflow efficiency by developing custom scripts and tools tailored to their specific needs. Using nmap and masscan as an example, he demonstrates how combining existing tools with minimal coding knowledge, leveraging online resources and basic programming concepts, can significantly reduce repetitive manual work and scanning time.
Original YouTube description
A quick discussion on getting started developing your own tools/scripts to add to your own pentesting arsenal to improve efficiency. Will go over an example script to help make network scanning more efficient. Shoutout to Sam: this was an unscheduled talk, but we had some free time in one of the tracks and asked if anyone wanted to give a talk, and Sam volunteered. This was his first time speaking, and hopefully it's not his last!
Transcript (en)

So what we're gonna have, pulling this up here, is Sam Ferguson. He's gonna talk about efficiency in pen testing, developing your own tool set. He's gonna talk about developing your own tools and scripts for your personal arsenal and efficiency, and he's going to actually go through sample scripts. That's great. Just really quick, before I bring him in, I just want to thank Palo Alto Networks and all they've done for BSides CT this year, as well as CloudKnox, who also had a raffle, and our other sponsors Polarity, Bishop Fox, MC3 and Marabellus. Just big thanks to them, and at this point let me bring Sam in.

Alrighty. Oh, there I am. Hey, how are we doing? All right, let me see if I can get this screen share going. Where do I do that? Here it is. Okay, let me get this going, then we'll get started. All right, everyone see the screen? Are we good? Everything look good on the user end?

Awesome, cool. All right, well, hello everyone. My name is Sam Ferguson and I'm gonna be talking about efficiency in pen testing: how to develop a bit of your own tool set, or, as I like to call the alternate title, how to make a BSides CT speech in under an hour. So let's get started. A little bit about my background: I'm a senior at Ball State University, which is in Muncie, Indiana. I study computer technology and I have a focus on security. It's my passion, it's what got me into this major, it's what I really like. I've done a little bit of intern work in security architecture and software security, and part of the reason I'm actually here at BSides CT is that I'll actually be going out to Hartford to work for CVS Health as a part of their ITLDP program when I graduate. So really excited about that, really excited to see what the state of Connecticut is like. But for now, we'll get into the kind of meat and potatoes of this presentation.

So the whole point is talking about developing your own, quote unquote, tools, and you'll see why that's important later. But why exactly would you want to develop your own tool set or work on things when there's already tools out there that do most of the things that we're looking for? Well, the thing is, not all tools are designed to be efficient. You know, they're inefficient with things like user inputs: maybe there's a lot of options, a lot of flags you have to set when you're running it through the command line. Maybe it requires a lot of data from other tools that you have to pull in, and there's not a built-in way for it to do that. Or maybe there's too much user interaction that's required. You know, it's something that is not a difficult task, but it requires you to kind of keep your eyes on that tool that's running and to have to enter certain inputs at certain times, and that takes time away from you doing something else. And you know, this can be really frustrating for tasks that are repeated. If you have to do a one-off script every once in a while, no one's really bothered by looking up a couple of flags that they need to remember to add in, or, you know, pulling down data and putting it in. But if you're doing this daily, or quite often when you do your pen testing, it can be really, really annoying, and we don't want to have that happen, to just get frustrated by the way things go. So how exactly can we fix this? Well, we can make our own tools, we can make our own scripts. And how exactly do we do that? How do we start?

So to begin that, we're basically just going to use some tools, just start working with various tools. You know, you might read some documentation on certain tools that you'll use for your pen testing process and realize, hey, these two would work really well together, or hey, there's this part of this that I definitely want to make more efficient right off the bat. But I would say that only accounts for maybe five to ten percent of situations. Most of the time it's really going to come from putting in the work: using your tools, practicing with them, whether you're an aspiring pen tester or an actual pen tester, you know, going in and doing your normal daily work, and you'll kind of realize after time, oh yeah, this tool right here, this process is so inefficient, it's not done in the best way, and I could save time by doing it somewhere else. And so from there you pretty much have to figure out what exactly about that tool is inefficient, what is the root cause. You know, root cause analysis is really important, especially when you're doing some form of scripting or developing applications, because you might develop something for what you perceive to be the problem when in reality it's actually another problem. So you want to be sure that you're figuring out what exactly is really making this process of using this tool difficult and inefficient, and what's making it take up so much time. And once you figure that out, you'll be able to start planning out your tool and what your tool needs to do. So you're going to figure out, okay, so here's the inefficient part of it, this is our inefficient aspect; now what exactly do I need to get this tool to do in order to make it efficient, to put it in a state where I'm happy using it, where it's not taking up as much time, where it's optimizing the entire time that it has to complete its task? And then pretty much from there it's as simple as going ahead and building it.

But you might be like me when you first saw this and go, hold on, wait, wait, wait a minute, I'm not a developer, a coder, I don't know how to write code. Like, maybe you're an infrastructure or systems person and it's just not something that you do quite often, or maybe you're a student and it's like, well, I'm more in an information, you know, computer engineering, computer technology degree, we don't really touch much code or develop anything. Well, don't worry. As you saw earlier, I'm right there with you. I do not code very much, it's not a lot of what I do, but I use it sometimes, and really, for developing things on my own, it hasn't been that much of a problem, because the only requisite knowledge you need is to understand programming knowledge. You basically should be able to go through some code in whatever language and, at a high level, generally understand what it's doing, or be able to piece together what it's doing. You know, you might need to Google search a certain set of functions or certain keywords that are specific to that program, but as long as you know things like control structures, you know, your for loops, your while loops, your if-then statements, things along those lines, and just understand how code reads and how very logical it is, if you can do that then you're gonna have absolutely no problem developing the script.

Another problem you might face is, well, I don't know exactly how to do all these specific details, you know, I only know a little bit. But we're in the IT field, where we know the fundamentals, the basics of everything, but then everything else goes to our wonderful friend Google. So if you have a problem, if you are considering, hey, I need this part for my tool, I need it to be able to do this, well, how do we solve that? Oh, we can just go to Google, look it up. You know, do you need a regex for a valid IP address, do you want to check the input to make sure it's a valid IP? You could Google it, probably find it. You need to pass an output from one tool into another, not sure? You can probably Google it and find out how to do that in some programming language. And the awesome thing about scripts is you can write in pretty much whatever language you're most comfortable with, especially if you're just developing it for yourself. Now, I personally prefer to use Bash and Python, because Python is a very simple language, you've probably been exposed to it at some point or another, really, really easy to use, and it works on any platform as long as it's got Python installed. Super easy. And of course Bash if you're working in the Linux environment. I know when I do any sort of CTFs or pen testing related items I'm pretty much always in a Linux box, so developing a Bash script for it, if that's the only place that I'm going to use that script, then it's really easy to just build it in Bash, and then pretty easy to pipe in all the commands, run everything that I need, and we really don't have a problem from there.

So what does this look like when we actually take the time to develop this script, when we build things? Well, here's an example that I have. It's a little script I made called massmap, and for any of you CTF players out there, you're probably gonna enjoy this, because it will be pretty helpful for you. So I do a lot of CTFs, just online, kind of the asynchronous ones, so things like TryHackMe or Hack The Box; I like to mess around with those to practice and learn. And I was doing some scans using nmap, as you do, and I found that they were taking a really long time, especially for systems where I had to go scan all 65,355 ports and I wanted to get the most information out of it. I wanted to do an intense scan, so I was always running it with the nmap -A option enabled, and it would take a long, long time, and especially if you're someone running these on things like a virtual machine or maybe a laptop that doesn't have a lot of memory, like I was, it was really hard, because you could pretty much only have that thing open or you might put your VM up to max capacity, and it was frustrating. But then I found this other tool called masscan online, and was reading through some documents, some blog posts that people had written, and I thought it was really cool, because the main point of it was that it scans really, really fast, it's really quick. It actually claims, I think it claims it can scan the internet in like eight minutes or something. Now obviously you need like a 10 gigabit, like some stupid amount of gigabit network card and a really high speed connection, but regardless, the tool actually does scan fast, it really does scan quickly. The only downside, of course, is that it doesn't have the detail that nmap has. You know, you can't use the service enumeration like you can find in -A or -sV in nmap and get the detailed information about what services are running on those ports, which can be really useful for CTF, especially if it's a time-based one: you need all the time in the world.

So I kind of thought to myself, you know, hey, maybe I can put these two tools together and have them run efficiently. So I started going through the process and thinking about what I needed to do in order to build this tool. So the process was essentially this: I needed to scan with masscan and output the results to a text file, because I went through masscan and actually realized that their text file output format was quite nice, and I needed to format that masscan output into a format that's usable by nmap, and then from there let it ride, and then profit. So we've got a quick example here just showing the masscan output and then the nmap output of some ports. These are from two different scans; I'm just doing it for example's sake. So I did it and it seemed to work. So here are some very hastily put together screenshots of massmap, the script that I built, and we'll kind of go through it here just a little bit, kind of showing what's going on. So basically we have some checks here, making sure everything is good, some error checking and all that stuff. We've got the masscan run, which will basically run masscan against a certain IP address and interface, and it'll scan all the ports, as you can see, it's got all the ports there. Then it will check to see if any ports have been found by just reading the masscan text file, and then from there it'll run nmap by putting all those ports into the nmap command, and pretty much we're good to go from there and we get our output.

Now obviously this is a decent amount of code, it's a hundred lines of shell script, but I do wanna point out that I really only wrote like five lines of this thing. Like here, the binary check: the script checks to make sure all the binaries are installed. I'm pretty sure I found that on Stack Overflow; I just Googled it and it was like, okay, paste in, change names to masscan and nmap, as long as they're good, awesome. The IP address check here, also found that on Stack Overflow, checks for the valid IP, good to go. The interface check, I'm pretty sure I made some sort of modification to it, it's been a while since I actually worked on it, but I definitely got the basis for this off of the internet, so that was no problem at all. Then go down through here, the masscan command was pretty easy to write out, the port checking pretty easy to write out. This one, so actually I'm gonna go back a slide, you can see masscan outputs all of its files, all of the ports that it scanned, like this. So all I'm doing actually in that command is, I was like, okay, I can cut down all these ports here that are in that third field with the cut command, and then we'll get an entire list of all the ports that are open on that server. But I was like, okay, the problem is nmap takes its input as a comma separated values type format, so you know, you have port comma port comma port. So I was like, well, how do I do that? So I Googled how to take multi-line to single line CSV and I found this quick awk command, also online, and threw that in, and bada bing, we've got the script done.

So as you can see, a lot of this was not really a matter of I knew how to write something in a certain coding language, here shell script, but of course in Python another option. It was really just I knew what I was looking for and I went out, checked it out, made some minor modifications because I could read and understand what was going on, and then, no problem at all, I was pretty much done from there, just a few little custom items that I knew I had to set in myself, but other than that, that was pretty much it.

So the process actually isn't as challenging as it might seem initially, especially for those of you who maybe just haven't had much exposure to code or maybe haven't worked with some of these tools too much, but it's actually quite a straightforward process and something that's especially doable even for those with limited coding experience. And that's pretty much all I've got for today. I know this is quite a short talk, but again, I did not wake up this morning expecting to give my first ever talk, so it was a great experience though. So first of all, shout out to the BSides people for letting me do this, this is super awesome, I've always wanted to give a talk, glad I got to do it. Thank you guys of course for listening. I got some information here: I've got a blog page, I try to post somewhat often, my masscan, or massmap script write-up is actually on there, and for those of you who are in CTFs you can download that script on my GitLab, gotta get that plug in there somehow. You can connect with me on LinkedIn, connect with me on Twitter, I really like talking to pretty much anyone who's in the security field, whether you're a student who's just getting started out and wants to get into information security or you've been in the field for many years. I'm always willing to give advice to new people coming in or seek advice from people who have been in the field for a long time. But that's pretty much all I've got. Does anyone have any questions about the whole process, or just any general questions at all? I'd be more than happy to answer.
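The glue the talk walks through (binary check, IP validation, cutting the port field out of masscan's text output, joining it with awk, handing the list to nmap), as an added example written for this page and not the speaker's massmap script. It assumes masscan's list output (-oL) puts the port in the third field and that -e selects the interface; the sample masscan output is constructed.

```shell
#!/bin/sh
# Added example, not the speaker's massmap script: the masscan -> nmap glue the talk
# describes. Assumes masscan list (-oL) lines look like "open tcp 22 10.0.0.5 <ts>".

# Constructed sample of masscan -oL output so the parsing can be tried offline.
SAMPLE_MASSCAN_LIST='#masscan
open tcp 22 10.0.0.5 1700000000
open tcp 80 10.0.0.5 1700000001
open tcp 443 10.0.0.5 1700000002
open tcp 22 10.0.0.5 1700000003
# end'

# Binary check from the talk: refuse to run unless every named tool is on PATH.
require_bins() {
  for b in "$@"; do
    command -v "$b" >/dev/null 2>&1 || { echo "missing binary: $b" >&2; return 1; }
  done
}

# IPv4 validation: four dotted octets, each 0-255, checked with a plain regex.
valid_ipv4() {
  octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
  echo "$1" | grep -Eq "^$octet(\\.$octet){3}\$"
}

# masscan list output -> the comma-separated list nmap -p expects:
# keep "open" lines, take field 3 (the port), dedupe and sort numerically, join with commas.
ports_from_masscan_list() {
  grep '^open ' | cut -d ' ' -f 3 | sort -nu \
    | awk 'NR > 1 { printf "," } { printf "%s", $1 } END { print "" }'
}

# Whole pipeline: masscan every TCP port, then give only the open ones to nmap -A.
massmap() {
  target=$1; iface=$2; out=${3:-masscan.txt}
  require_bins masscan nmap || return 1
  valid_ipv4 "$target" || { echo "invalid IPv4 address: $target" >&2; return 1; }
  masscan -p1-65535 -e "$iface" -oL "$out" "$target" || return 1
  ports=$(ports_from_masscan_list < "$out")
  [ -n "$ports" ] || { echo "no open ports found on $target"; return 0; }
  nmap -A -p "$ports" "$target"
}

# Only run the scan when invoked as "massmap.sh <ip> <interface> [outfile]".
if [ $# -ge 2 ]; then massmap "$@"; fi
```

The empty-result branch matters: without the `[ -n "$ports" ]` check, an nmap run with an empty `-p` argument errors out instead of reporting that masscan found nothing.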