
Hello, and thank you for coming today. I'm going to talk about an open source tool that we've built at Punk Security called pwnSpoof. We have developed two different open source projects; I'm going to talk about the second project towards the end of this presentation, but today we're going to talk about pwnSpoof and what it does.

First of all, who am I? My name's Daniel Oakley, and I'm one of the co-directors at Punk Security. I've been working in IT for over 25 years. I started off as a developer, moved into infrastructure support, then fell into cyber security because I just kept hacking, messing about and breaking systems. I'm currently working as a cyber security consultant, specialising in DevSecOps, DevOps and a little bit of pen testing. The reason I put "Terraformer and automator" down there is because I love automating every possible thing that I do, so anything that I can do and repeat, I will most certainly automate.

So where did pwnSpoof come from? How did we come up with this idea, and what's it all about? It came from a delivery package that we were delivering to a government department, and what they asked was that they wanted to be able to teach their incident responders how to pivot through web logs and look for threats. They wanted to learn how to use regex and real-time extraction inside Splunk, and they wanted to be able to leverage some of the geolocation functionality in it. And we thought, well, how do we get these logs? Where do they come from? So we sat down and had a think about it, and we thought that, realistically, there are three places you can get log files from: you can get them from a real attack, you can create something, or you can try and spoof something.

So what are the advantages of these? Well, a real attack is authentic, but it's going to be full of sensitive information, it's only going to be one time, there are going to be parts of the attack that might be missing, and it's not really scalable. So we dismissed that idea. We then moved on to: could we reproduce something? Could we stand up a test environment and build something out? And we thought, yeah, we probably could. You could spend ages building a vulnerable application, you could stand up some clients and start creating user activity, but again it's not very easy to do and it takes time and effort. And then we thought, well, we could spoof something, and that's where we ended up going.

So producing a real set of logs would involve, as I was just saying, a proper web application, a lot of infrastructure and a lot of time and effort. But if we start looking at how we can spoof the logs, well, what are the logs themselves? They're just flat files. There's an RFC that stipulates how the log files need to look and feel, and it's very easy to just create a bunch of text inside a log file; it's easy for us to manipulate and change. But we decided that rather than just creating a bunch of GET requests, we would try and make it look as real as possible.

So what we did is we broke it up into three parts. You've got this part over here, which is the interaction with the website itself; then you've got the user interactions themselves; and then we created this activity pattern. The interaction over here helps create things like the URL, the amount of data that was sent and the referer headers, trying to make it look as realistic as possible. Then we spent a bit of time on creating usernames, and we spent some time looking at the source IPs, and we've done quite well with that: we've gone and collected the geolocation databases and then used those for figuring out where users might be located. We also spent a bit of time on when users normally use websites and so on, to try and make the pattern of life here, this little artificial-intelligence-y bit, as realistic as possible. What happens is we'll create the sessions, then we sort the sessions and then output the information into a log file.

So what we've done inside the logs is we've created three different types of application to be spoofed: we've got a fake banking app, we've got a generic website, and we've also output a WordPress server. We then configured the Python script to be able to output in IIS, nginx or Apache log formats, because obviously there are lots of different web servers and people need to be able to collect the logs. We created a lot of background noise, so, as I was saying, rather than just doing URL requests, we've got requests for CSS files and JavaScript, trying to make the log files look as authentic as possible. And then we started looking at making sure that we got the referer fields all correct as well, so that when you're actually looking at these logs you could be mistaken for thinking that they were real.

So what are some of the use cases for this? Obviously there's training. pwnSpoof is now being used in a couple of universities across in America by lecturers for helping the students read log files. It's also used by JJ Davies for some of his training when he's training his SIEM threat hunters. It's also been used in a couple of CTFs: it's been used specifically in war games, it's been used by BSides up in Newcastle as part of their CTF, and by Digital Overdose, and that was used last year. We, Punk Security, are sponsoring it this year and we're running another CTF with it. So what we'll do is we'll generate a bunch of flags, hide that information inside the log files and then ask you to go and try and hunt them out.

But let's see if I can actually do a proper live demo, and I'll show you what the Python script looks like, how quick it is to generate these log files, and then how you can ingest them and what they look like inside Splunk. So let's just hope the demo gods are with me. All right, is that large enough for everybody? Everybody at the back can see that? All right, cool, brilliant. Just give me a second, I'm just going to log in.

So, as I say, pwnSpoof is a Python script, and I'll zoom out a little bit just so you can see this. We've got the beautiful ASCII art up at the top, because why not throw it back to retro styles, and we've got a couple of arguments that you need to use. We've got the three different types of application that you might be interested in: we created a banking app, and it shows a user logging in and being able to transfer some money around; we've got a WordPress site; and we've got a generic app. The -o is used for where you're going to store your log files. You can enable --iocs, and what that will do is output on the screen the indicators of compromise; say you're running a challenge for your kids or fellow colleagues or whatever, you need to know whether they've actually found the threat actor. You can also state the start date and end date of the log files, and how many log sessions there are; by default we put in 2,000 users, so it will generate 2,000 users' worth of activity over a period of, I think it's about three weeks by default. You can also set the number of user sessions, and you can customise your server FQDNs if you want to. I'm also going to quickly explain that you can add into this (where is it now? I think it's that one there) a site map: you can go into Burp Suite and do a site map of your own website if you wanted to, so you could dump the structure of your own website out to help generate authentic logs for your users. And then obviously you've got the server log types here, so you've got IIS, you've got nginx, or you've got CLF, which is generally Apache.

You can also put some attack settings down here. By default it'll randomise it, and unless you state how many times you want somebody to be attacking you, it will hide one attack inside this log file. The default is also a brute force, but you can do either brute force or a command injection attack, showing the user entering a command injection. You can also state the geolocation of your attacking group, so if you want to blame Russia for something then you can just type in RU and away you go. You can also edit the user agent that the attacker might be wanting to use.

So I'm just going to clear my screen again, and then we're going to quickly generate a log. Actually, I'll type this out down at the bottom. In this case we're going to create a WordPress one. We're going to output the file into this area, so we'll call it webapp.log, and I'm not going to output the indicators... actually, I'll show you what you get with the indicators of compromise. We're also going to put in the server FQDN as punksecurity.co.uk, and we're going to set the server log type to nginx. Does anybody want to stipulate where the attacker's geolocation might come from? Ireland? Right, okay, I believe it's IE for Ireland.

So what it'll do now is generate those 2,000 users' worth of activity. It's randomly generating, and they might be slightly out of order, so it generates all the sessions first, then it orders those sessions and outputs them into the log file. And that is it; it's as quick and as easy as that. Something that would normally have taken you several months, to build the infrastructure and build the application, is now just taking about 10 seconds to run and generate a log file. Now, this log file will be unique every time you run it, and the reason that we wanted that uniqueness is that when we're delivering our training for threat hunting, the students don't just go "oh yes, it's this IP address" and share it amongst themselves; they've actually got to go and do the work themselves.

So now we've done that, we'll just quickly open up my favourite... so there are obviously other SIEMs that you can input stuff into; I'm just happy to use Splunk because it's nice and easy for me to spin up. Oh, it helps if I can type the password. Give me a second. Is it "inspect"? Oh, it's just "password"; I just set up a quick Docker image this morning just for this. So we go and ingest the log file, just upload the log file, and there it is. You can see it's about 28 meg, near enough. Click next, then we state what kind of log file it is; it's already picked it out, so that's perfect for us. We'll create a new index, "demo one". Yep, so we're going to use demo one, preview, next, and then it'll be uploaded.

And now we can start going in and carving this data up. If we have a quick look over a period of time, zoom out (didn't mean to do that, sorry), there you go, you can see that it started on the 5th of March and it's gone all the way up to about the 20th. And if you have a look down through these, you can see that Splunk's done a marvellous job at identifying all these different fields, and you can see some of your client IP addresses and what have you. Then you can start carving up your data, so you can do it by account, by the HTTP status code, and you can start seeing that there are quite a lot of successful calls, there are some redirects and there are some 401s. We might be interested in investigating those 401s and going further and deeper. One of the things that we wanted to get people to understand is how to start searching around this, and I'm not going to deliver a course about how to use Splunk and regex; it's something that we're looking to do later on. So there you go: you can see that you can generate these log files really quickly, chuck them into Splunk, and start carving up the data and playing around with stuff. Shall we go back to the demo?

Yeah, so we've covered off the actual bits themselves. What we've also done is we've added in a bit of smoke testing into the script itself, so where we're looking for a certain number of sessions, say it's estimated to be 100 sessions and we wanted 10 users, it's going through and doing some mathematical calculations to make sure that it's not randomly just not generating the correct amount of data. Let's just have a quick look. Yeah, I've recorded this just in case stuff was going to go wrong. So this is a screenshot of Splunk again, showing you how that pattern of life that we created follows a standard pattern: you've got users logging in in the morning for the banking app, then they might do a little spike of activity in the evenings, but then it dies off overnight. One of the latest features that we've done, well, this was a few months ago, is we've added inside Splunk the ability for you to go and collect that site map, as I was just explaining.

On the roadmap for stuff that we'd like to do, and that we're busy working on at the moment: we're trying to create a pip install, so you can just go into Python and download and install this without having to go to our GitHub and download stuff. We're also looking to add more applications into that area where it's got banking, WordPress and generic website; we're looking to put more stuff inside there. We're looking to add some more attack types, so rather than just the brute force and command injection we're looking to put some extra stuff in there, but we're trying to be very clear, and to be as realistic as possible about it, because there's only so much that you can get in some of these logs. We also want to do slightly better geo lookups, and start developing some training packages for people, so just a couple of little PowerPoint slides, maybe a couple of videos explaining how to get the log files into a SIEM and how you can start doing some regex lookups and stuff like that. And anything else that you guys can think of that pwnSpoof might be able to do. We've been approached by Graylog as well and asked whether we can potentially get pwnSpoof to create Windows event logs. We've been investigating that and we think it is possible; we're just trying to figure out the best way of doing that.

And now, I know I'm at the end, but I'm also going to quickly talk about another project that we've got on the roadmap. I'll take some questions first, though, if anybody's got any questions or anything you'd like me to go back over again.

No? All right, that's cool. So another project that we've currently been working on, and I'll just minimise that, is a ransomware readiness audit tool called SMBeagle. What this does is it runs as a low-privileged user on an endpoint, and you can then collect information about your network shares. It will iterate through your network as a low-privileged user, dump out your file shares and their structures, and put them into an Elastic stack, so then you can better understand how and where all of your network shares are. It's also been used by red teams to go and hunt down and find rogue file shares with passwords in. And we've just ported that on to Linux as well. But I think that's it for me.
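The talk stops at "we might be interested in investigating those 401s" and leaves the actual hunt as an exercise. The script below, added here as an example and not pwnSpoof's own code, does that hunt over the nginx combined-format lines the tool can emit: it parses each line, flags any source IP that racks up repeated 401/403 responses on the login path inside a short window (the brute-force attack pwnSpoof hides by default) and notes whether a login appears to succeed afterwards, and it URL-decodes request paths to spot the tool's other attack type, command injection. The log lines, the `/wp-login.php` login path, the threshold of five failures in five minutes and the shell-metacharacter pattern are all assumptions made for this example; the sample log is constructed here, not generated by pwnSpoof.

```python
"""Hunt the two attack types pwnSpoof hides (brute force and command injection)
in nginx combined-format access logs. Added example; not pwnSpoof's own code.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# nginx "combined" format:
# remote_addr - remote_user [time_local] "request" status bytes "referer" "user_agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Shell metacharacter followed by a common recon command, or a classic target
# file, in the URL-decoded request. Assumed pattern; tune it for your app.
CMDI_RE = re.compile(
    r"(;|\|\||&&|\$\(|`)\s*(id|whoami|cat|ls|uname|wget|curl|nc)\b|/etc/passwd"
)

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_brute_force(records, login_path="/wp-login.php", threshold=5, window_s=300):
    """Map ip -> {'failures', 'success_after'} for IPs with >= threshold 401/403
    responses on login_path inside any window_s-second sliding window.
    'success_after' is a heuristic: a POST answered 200/302 after the last failure."""
    per_ip = defaultdict(list)
    for r in records:
        if r["path"].split("?")[0] == login_path:
            per_ip[r["ip"]].append(r)
    hits = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["time"])
        fails = [r["time"] for r in reqs if r["status"] in (401, 403)]
        start, best = 0, 0
        for end in range(len(fails)):            # sliding window over failure times
            while (fails[end] - fails[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = fails[-1]
            success = any(r["method"] == "POST" and r["status"] in (200, 302)
                          and r["time"] > last_fail for r in reqs)
            hits[ip] = {"failures": len(fails), "success_after": success}
    return hits

def find_command_injection(records):
    """Return [(ip, decoded_path)] for requests whose decoded URL matches CMDI_RE."""
    out = []
    for r in records:
        decoded = unquote_plus(r["path"])
        if CMDI_RE.search(decoded):
            out.append((r["ip"], decoded))
    return out

def hunt(log_text):
    """Parse a whole log (skipping unparseable lines) and run both detections."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {"parsed": len(records),
            "brute_force": find_brute_force(records),
            "command_injection": find_command_injection(records)}

# Constructed sample: background noise, one real login, a brute force from
# 10.0.0.5 that ends in a 302, and a command injection probe from 203.0.113.7.
UA = "Mozilla/5.0 (Windows NT 10.0)"
SAMPLE_LOG = "\n".join(
    [f'198.51.100.23 - - [05/Mar/2022:08:15:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "{UA}"',
     f'198.51.100.23 - - [05/Mar/2022:08:15:03 +0000] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 880 "https://punksecurity.co.uk/" "{UA}"',
     f'198.51.100.23 - alice [05/Mar/2022:08:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://punksecurity.co.uk/wp-login.php" "{UA}"']
    + [f'10.0.0.5 - - [05/Mar/2022:09:00:0{s} +0000] "POST /wp-login.php HTTP/1.1" 401 1200 "-" "python-requests/2.27"'
       for s in range(6)]
    + ['10.0.0.5 - - [05/Mar/2022:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.27"',
       '203.0.113.7 - - [05/Mar/2022:11:42:17 +0000] "GET /search.php?q=test%3Bcat+/etc/passwd HTTP/1.1" 200 310 "-" "curl/7.81.0"',
       'garbage line that does not parse']
)

if __name__ == "__main__":
    for k, v in hunt(SAMPLE_LOG).items():
        print(k, v)
```

Run it against a real pwnSpoof output with `hunt(open("webapp.log").read())`; compare what it flags with the tool's `--iocs` output to check the thresholds. The normal user's single `POST /wp-login.php` is on the login path but has no failures, so it is not reported, and the unparseable line is dropped rather than crashing the run.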