
BSides Rochester 2016: Jared Stroud & Bryan Harmat: RedOps: Scaling & Automating Your Pwnage

BSidesROC · 41:35 · 185 views · Published 2016-05
About this talk
The term “DevOps” has tunneled into every organization that is managing infrastructure in some way, shape or form. These utilities enable a systems engineer to quickly deploy servers, provision disks, and assist in software/configuration management. While these tools offer great assistance with the ever-growing number of EC2 instances any given organization may be responsible for, their offensive capabilities are often ignored. RedOps: Scaling & Automating Your Pwnage analyzes how you can use these tools to effectively manage your footprint in an environment without bringing in bloated executables or shell scripts to maintain presence on a machine. Additionally, we will analyze the possibility of stumbling across these tools already deployed in an enterprise and what that means for systems engineers and penetration testers.
Transcript [en]

what's going on everybody so before we kick this off uh we wanted to give you guys shout out we didn't really think that this many people would come to our talk so super pump that you guys showed up uh hopefully it doesn't suck but uh regardless thanks for coming out we really appreciate it so to kick this off cool so my name is Jared stad I'm an RIT Computing security Master student uh spara alumni CCDC alumni and I would describe myself as a startup Enthusiast to whatever that means to you uh so I'm Brian uh and then the same thing uh basically and I have cool shoes that I'm rocking today so so to go through a little bit of the

agenda that we had set up for today we're going to talk about uh where the background for our talk came from uh some previous work has been done what the motivation was that uh led us to this talk uh then we're going to dive in into two devops tools anible and salt stack and talk about how uh their functionality can uh help you scale and automate your red operations but first uh so trigger warning we have a lot of buzzwords in our talk hope you guys get super pumped if you're not then uh I mean I guess you can leave if you want our talk like hopefully will be pretty cool uh but just devops in

general that it comes with a lot of buzzwords so just a heads up and for anybody who's about the whole like I'm going to take a drink after every buzzword uh about four slots from now you're probably going to be on the floor so I wouldn't recommend doing that so so we keep saying this word devops and this big old devops hype train that hype a bunch of people keep shouting out but we're going to establish like a ground basis of what we mean when we say it so really at the end of the day it's whatever tool allows you to automate uh something and be reliable against a variety of environments so whether that's spinning up several different

nodes in AWS to using the same kind of infrastructure but putting it over in a different cloud provider there's are these tools that allow you to replicate reliably deploy code push out tests just continuously um so some of you guys might think of like uh Jenkins an Sal obviously we're going to talk about today uh we don't mean it in the like philosophical way where it's like it's a cultural thing and it's how many scrum meetings you do so uh just to kind of have a basis it's really just uh making sure that whatever you're doing is reliable across different infrastructures so going on to the motivation uh Brian and I both uh do some malware analysis as like side

projects and hobbies so we always really like when we see malware that's using the in inherent environment and sis Adin tools to move laterally through a network so it's not doing anything anything super crazy but it's using uh tools that are already there something that's already there for the advantage why bring the guns into the place when you can just use their guns right that kind of idea uh has anybody seen uh Chris Gates and Ken Johnson's talk called devoops all right so a couple people um for those of you who have not it's actually a pretty cool talk they uh talk about how uh people like mess up a lot of things when doing Dev op stuff so

for example pushing API keys to GitHub or uh leaving their dogit directory publicly accessible for their website so that you could just pull it down so uh we thought that it would be cool to also like build on like another devops talk based off of that kind of stuff so that was another motivation for our talk yeah and also competitions how many CTF players do I have in the house nice how many CCDC alumni or attack defend people just in general for these competitions yeah nice so if you're not familiar with CCDC it stands for Collegiate cyber defense compet ition and it's basically when a bunch of college students go and sit in a room

and there's a group of professional red teamers and they make us have a super bad time to an inherently vulnerable environments so the whole idea behind some of these attack defense ctfs though if you're not familiar with them is that you'll have an infrastructure it'll be vulnerable in some way shape or form whether it's just like super simple things like default creds exploding a web app or some kind of custom Network surface that you have to actually create an exploit for and then take advantage of the machine once you get onto the machine you need to find some kind of token and replace it with your flag so that the corresponding scoring engine can give you points so at the end of the

day the only thing that really matters about this is speed but to continue some of the things that we talked about all of this living off the land mentality is uh going to become really interesting with devops tools because these are already inherently trusted tools within an environment they're not going to flag AV they're not going to flag your nids or other network controls that you have and they're allowing for remote code execution so if I said something to the effect of you have something on your box that calls back to me every 10 to 15 minutes and then runs any command I give it this sounds kind of like a botn net right I could be talking about a devops

tool they're really analogous with the same thing uh we'll dive into that in a second but to kind of uh talk about the objective here is that we want to automate these attack defense ctfs to an extent we know that there's going to be an infrastructure that's inherently vulnerable right we're always going to have some kind of Def creds that we're going to be able to get on some boxes with and we want to be able to do this fast some of the ways that people are trying to automate this now everyone that competes in these usually have some kind of subset of Python scripts or shell scripts that allow them to you know automate some of the simple things

that they're trying to do these don't really scale out well especially when you continuously add more machines to an environment or you go from one competition to another so that's where this whole devops mentality of run once but run everywhere um and accomplish the same goals can really be advantageous to these competitions just uh one quick note about that is that uh like we're talking specifically on going back to Red teaming at competitions as opposed to like from a pentesting perspective so when you're pentesting you might not get default credits to stuff probably like you most likely won't so uh that's where like we're coming from with that so but for the pentest people in the house

didn't forget about you so uh if you're trying to automate say like a my seal dump across the uh entire network or it's my SQL but then they have no SQL databases or they have kind of a plethora mixed masch of these Technologies you can use these kind of devops tools to chain things together so when you hit a machine that has uh redus or mongodb or MySQL or postgres whatever the case may be you can run these series of tasks depending on what they have so you can kind of on the Fly make your own tools to uh get some of the lwh hanging fruit so while our talk is mainly uh related to just automating uh these red

team attacks ctfs uh definitely want to make sure you guys are still thinking uh in the realm of how this could be used for pentest engagements so with that we're going to dive into anible so out of curiosity Has anyone used anible here nice cool got some hands so anible are really attractive for a number of reasons first off uh it's completely agentless so all it operates completely over SSH to the remote nodes so if you have SSH access to a remote host you can automate anable to run something called A playbook which talk about in a second onet host uh the best practice mechanism relies on you having SSH keys on the remote host but

there's nothing stopping you from just having passwords that you try against the host so if you put this in a for Loop you can now run these ansible commands uh basically as a Brute Force mechanism to then launch other evil things which we're going to dive into uh additionally Red Hat just bought anible in 2014 so this is going to become more of a prevalent tool that I believe you'll be seeing out in Industry uh it uses like I said before uses completely SSH for communication and it can actually be installed with Pip the python package manager so if you just do pip install ansible you now have anible on your machine so a simple anible architecture

kind of looks like this you have your one anible master node so to speak and you have these things called playbooks that I keep alluding to so the idea here is to have repeatable task execution to accomplish the same goal regardless of what your infrastructure is if it's a developer machine not a problem production servers or entire data centers as long as you have some kind of access via SSH to these machines you can execute uh anible playbooks so going into targeting uh based on what your needs are anel inventory is how you go ahead and specify the hosts that you're looking for in an infrastructure so off to the left here we see a format where you have

just the brackets you specify what kind of category these hosts are so you could say database servers uh web servers whatever the case may be and then you can just list underneath them IP addresses or fully qualified domain names Additionally you can pass in anible Port which would be a different SSH port for that machine passwords and usernames so uh like I said before if you don't have keys on the remote host it's not the end of the world you can still access them uh just by doing a command line argument to provide the password so this kind of allows you to break down oh the database servers I have these scripts or these sets of

tasks I need to do to accomplish um uh again on those machines so this like I said before can just be changing a banner or D jumping the excuse me dumping the database entirely so finally to the thing that I keep talking about anible playbooks can be described as executable documentation they're in a PR easy to read yaml format uh as of the time of this presentation they have 200 plus core modules which allow you to do a variety of tasks against uh an environment and uh it's just they execute sequentially so you list what you're trying to do and it'll just go through and then execute it in that order you can also just specify oh

only run the MySQL commands against these hosts or kind of chop it up however you'd like it to be these playbooks can be platform independent uh however what is said in theory doesn't necessarily translate to practice there are some caveats that you need to be aware of so definitely test this before you just kind of go out and think that everything will work super fine so as I said before it's an a yl format and you can specify the options of what you're running against with tags so let's see what one of these playbooks looks like so this is the typical structure uh it's a pretty small Playbook and at the top here you see you specify the hosts

uh so dubdub dub going back to the anable inventory file you specify the remote user that you want to run as and then you can specify some variables for what you're trying to accomplish later on with these tasks so up here we see we have a GitHub repo and we also have a a pin document that we can download code from and then run it if we uh so choose and a directory where we want to store things on the remote hosts so we see going through these tasks you see this naming tag this name tag is more of a descriptor which will actually fire back to you when you run these uh if the

status was complete and what you ran uh so so the package is going to install git uh git URL pretty intuitive right you know it's going to go download something says where to save it and what permissions to save it as you can schedule tasks with Kon etc etc so everything that you probably have some kind of shell scripts for that you've used in these attack defense scenarios you can take and port to anible fairly easily or build up pretty robust tasks with anible so when you run these guys uh the really nice thing about ansvil is that you get visible feedback almost immediately so in these attack defense ctfs from a red team's point of view it's not just

about oh I got on the box got a root shell I won you have to usually keep track of what you're trying to do and when you did it so a lot of tools don't necessarily have a reporting mechanism and it can kind of be a pain to sit there and be like uh what did I do like an hour ago to Team Six right well if you divy up your inventory file in a way that you specify what team uh corresponds to what IP address or what domain names uh anible can just immediately provide that feedback along with what time that he executed on so it's kind of a nice way to keep track of

when you're doing things so as we see running this against the remote Host this is what it looked like from the remote host aspect this downloaded the Pacman script an OTE who am I uh to wall see that I'm root so it's pretty straightforward uh in terms of how you can execute these uh modules speaking of modules these are what goes in the anible anible tasks and if you're already thinking of like hey I have some super secret sauce things that anel might not already have tasks and uh for you can actually make them yourself and all they are are simple Python scripts so if you already have Python scripts and incorporating these into anel is

going to be super easy and that's another uh attractive feature of this is that it is all in Python so this is right from the anel documentation but it's really just any task that you're trying to accomplish on a system uh and get immediate feedback for so these usually aren't very like large functions it's usually like really small things like changing some setting in a config file uh adding users dropping SSH Keys whatever the case may be this is typically what you see with anible modules and uh they kind of just like allow you to perform some basic tests that being said nothing stopping you from running some kind of python crypto locker and then running this

against remote machines and making the blue teams have a super bad time so now that we've gone through all of that we kind of have a nice warm fuzzy feeling of what ansible is and some of the capabilities of it we're going to talk a little bit about some of the offensive operations so to speak that you can do in these kinds of environments so once again they are geared towards the competitions that college students compete in so uh pentesters this is uh a little bit outside of your normal day-to-day operations so how many people here have read uh black cap python awesome so you guys are familiar with the GitHub uh botn net there where

you just immediately establish some kind of agent on the hosts and then you have it pull from GitHub and execute some kind of tasks well using the uh Crown module uh corresponding with the git module you can set up to schedule the pull from a git repo so this seems you know uh pretty easy because you can't necessarily guarantee how long you can be on a box when you walk into these infrastructures you don't know what other teams are going to do and you need to uh maximize the amount of surface that you get on uh or excuse me the surface area of boxes that you go to rather than staying on one box and

securing it you might lose use a foothold in another machine so you have to move fast right so this allows you to immediately schedule a task so that whatever you put in this repo will execute on the post machine so that way you don't need to worry about you actually maintaining access through SSH or anything like that you can just update that repo from your machine it'll pull down and execute whatever that case may be so if you lose SSH access not a problem that cron drop still executes and you're still going to be able to spawn another shell and still have access to the machine that way so we have a nice uh anable Playbook that

actually accomplishes this on a GitHub repo that we're like sharing some of these tasks uh at the end of the end of the talk so just like before when you run this that green gives you that immediate feedback uh saying that yes this executed okay where you see yellow that's where things change so that's where a file was updated um a file was uh deleted whatever the case may be and anytime you run any uh bash command it'll always pronounce change because it's going to redirect to a standard out by default unless you specify it to go to a file or something like that so once again you can immediately know if these tasks are executing successfully against

your environment or someone beat you to it so for the blue teams uh so going to like CCDC because I know that ansible was used successfully at the nccdc region this year anible by default does not log on the master node but on all the end noes that it's logging into it does leave some nice little traces of the tasks that it's Comm uh executing at as so we see that we have it highlighted red anel pyen G URL we saw this in a previous slide this was obviously downloading the pman script uh to be ran later also at cron tab we see in this really terrible to read dark blue up here we have anible and then scoring

engine that being said this is an open source tool there's nothing stopping you from changing these values but just so you know by the default this is what's going to be left on a machine when you run set tasks so now we've talked about like super basic way to get on the machine make sure that you can come back to that machine in a little bit uh while you're trying to move throughout the network but really at the end of the day you need to be really really fast right you can't uh risk other teams getting on these boxes before you and just like firewalling you off so anille has a lot of ways that you

can optimize it we're going to talk about a few of them here so some of these optimization facts uh allow you to basically uh skip a lot of core things that anel would do that would be advantageous to system administrators but not so much advantageous when you're just trying to move fast and execute things across the machine in a competitive environment so sssh pipelining basically limits the numbers of SSH connections but will maximize uh the the commands executed over them so it cuts down on overhead of how many connections to a given machine Forks obviously more threads uh depending on the tasks that you're trying to execute and what your machine can handle you can

have uh multiple SSH connections to multiple machines by default it's only five but you can and scale it up to whatever your machine can support but the the most uh tedious one is this Gathering facts so when you run in command against the remote host it does this thing where it basically profiles a system and understands what certain variables are so what is the underlining packaging system what is the underlying uh kernel uh this that and the other thing and that kind of gets passed into some of the tasks depending on the variables and task that you're trying to execute that being said some of these uh take a very long time to accomplish and

you just need to know the underlying packaging system if you're trying to do the platform Independence Way you don't need to do this like long tedious task right so you can go ahead and disable this or fine-tune it so that way you don't spend all this time on a machine so to give you kind of a an idea of how long this uh took with a uh simple way to figure out the up time of the machines against two machines this happened in about 46 seconds so that seems super long to me just to get up time on some remote machines to run that against right 46 seconds to get up time of two machines so this is before the

optimization so after we went through and we said I don't really care about this Gathering facts I want as many Forks uh as possible and uh I don't really care or I want SSH pipelining we're able to get it down to just point a little bit under a second so that was uh reliable too we tested this three times so once again this is definitely curtailed more towards the CTF side of things because you do lose some some of the inherent functionality that sis admins would use this tool for but uh now we're going to talk a little bit about devops with devops and that's where things get super buzzwordy so apologize in advance everybody but uh

Brian's about to take over and talk about salt stack and why this is advantageous but uh we were able to bootstrap salt on three machines uh from scratch point it to our Master uh salt Master which Brian will talk about in a second in just under uh 2 minutes and 25 seconds so this was a pretty fast overall uh and we'll talk about why this is important in a second I think uh there are a few slides like um down the road where I actually like listed the like bootstrapping command so um like I'll show you those guys uh in a bit but there's like one command you can run that only uses python to pull down uh

and the URL Li to which is a default python module you don't actually need to pip install anything additional uh so does is it pulls down the boot strabbing script from Salt's website and uh it will execute it so that uh it will install the salt minion on the nose to point back to your master and you can push out um like different tasks do it using salt so yeah we can talk about that in a bit but that still means that there isn't there is still support for those old dirty bash tricks that everyone has right so if you compete in this competition you start collecting a series of scripts that you've use from A

to B and you collect them just in case they could be useful again so it's super easy to Port these uh to anible and use them in a variety of ways uh once again we have these kinds of stuff up on uh the GitHub so that way we can show you guys like a skeleton key of how you might be able to use these in these attack defend uh environments uh so anable is pretty cool um but I'm a big fan of using salt for this kind of stuff um and there are a couple of reasons for that uh mostly it's architecture-- wise which um I'll get into in a bit uh but a little bit of

a background is that I as I mentioned it's agent based so uh how it works is the uh agents on the salt minions will check in with the master to see if there are any tasks that are assigned for it and if there are then it will execute them and it ex uh checks in on a fairly uh regular basis so like a few every few seconds by default um so another interesting thing is that the master minions run as root by default so during competition events it's useful having root on the box with salt minions cuz your on the box um so by default the master runs his roote but if you're actually using this in an Enterprise you

can change that and you can also configure it so that it uses some sort of external authentication like ldap um or active directory integration and so you can actually limit the commands that like different people in your organization are able to actually execute and what host they can do that but from a competition perspective that's not really too too necessary uh by default salt listens on 4 five 505 and 4506 and uh I read that in their documentation by default salt minions try to connect to a DNS uh to the host salt so uh when I first read that um I was like oh you could probably take advantage of that somehow like if you're

able but I mean if you're able to get on somebody's DNS server they're probably going to have a worse problem than that so uh so couple of like the terminology that salt uses is that it uses what's called a salt grain and so what those allow you to do is narrow down your target set so you can say I want all of the Ubuntu boxes or everything that is Debian based or anything running the Linux kernel or all windows machines things like that and then you can give them tasks to execute so that right there is an example of running who am I on everything that's Ubuntu uh so there are salt modules um two different kinds there are execution

modules and state modules so the execution modules are just a bunch of built-in modules that you can add to States uh so for example The Command Module is a built-in execution execution module um and with the state modules you can write them and they're files that uh basically can configure any of the hosts that are checking in however you want them to so we'll get into a couple of different ways that you can uh use those for uh and so the state modules are similar to anible books that's basically the same thing and they're also a yaml format so the syntax is very similar as well um and then there are salt formulas which are pre-written salt states that

are like pushed up to the official salt formula repo that people write so that if you want to enable RDP on windows boxes Somebody went through all the time and actually figured out how to use those so you can actually take those and build those into this um salt states that you're writing um and then there are what's called salt pillars which are also just salt State files like the yaml format that are just a bunch of variables so if you have a salt state that adds a bunch of users to um the machines what you can do is in the pillar files you can say like here this is the username I want this is the name

this is the uid this is the GID this is all the gcos information that you want to add for these users so uh it's really like fine tunable to be able to take advantage of salt pillars um and then uh so why you salt for like from a competition aspect why I really like it is that uh as we noted before it uses a polling mechanism so the minions check into the hosts there's nothing stopping you from running the master on ports 80 and 443 which will most likely be allowed outbound so once people figure out how to write firewall rules they'll usually block Ingress stuff in there's like not really any reason that that people need external SSH access to

their hosts so they'll probably block you off that way but chances are that they're still going to allow 80 and 443 out because everybody allows web out and uh people really suck at writing egress filters in general anyway so um yeah that's another cool reason why I like it uh so as I mentioned before there's bootstrapping so you can install uh if you just upload the salt minion executable to to a Windows box you can install it with one command and it will do everything in the background for you there's no additional configuration that you need to do you just say hey I want to point this at this master server and it will take care of everything else uh

and then that's the command that will download the bootstrap script for like NYX boxes and uh it will configure it and then point back to the master so uh so what would you do as a red teamer for an event any ideas no IDE Zer boot what zero boot all right all right good call all right any other ideas yeah add users add users good idea any other ideas Keys nice good call so uh uh what we did was we came up with a proof of concept with a few of these things so uh uh dropping SSH Keys uh adding users uh ensuring remote access is enabled like SSH and RDP and uh like installing stuff basically so if uh

you're dropping suid binaries if there's no GCC on the box you're probably going to have a bad time compiling that so uh you're going to want to install GCC in order to be able to do that um next so here's an example of what's called the top file so every time minions check in they look for this file uh and inside the top file is where you list all of the other state modules that you want the minions to execute so these are just a few modules that I wrote uh with the exception of the engine x one because that was a salt formula that I was using um that will like the wild card there

the star will say on every host that checks in I want you to install uh like these packages add these users and make sure these services are enabled and drw some Sid binaries so this is before I actually had Windows host in the environment then I had to uh um add that after and I I guess I just forgot to change that because probably going to have a bad time like dropping suid binaries on Windows but um so yeah next uh so here's an example just what I did for installing GCC so you can see at the top there uh you're using brains to actually limit uh what hosts that are checking in so this is saying that every

Linux box install GCC on uh and then you can see down here install Vim on Debian based os's and uh it's called Vim enhanced on like red hat based ones cuz enhan uh I don't know whatever um so yeah next one uh so here's how you would drop suid binaries so uh on your Sal Master server you would have a source file that that every time the minions check in uh they will make sure that they have this file on the box and they'll store it in temp. srcc uh and then there's the command to download I mean to compile and then change the owner and file permissions for the uh executables themselves so that it actually is an suid binary and

you can write a for Loop that says uh I want to install all of these I mean uh compile all these and put these at these locations so for each file you can give it like a full path uh to where you want to drop them uh so to make sure that SSH is running on W and red hat Bas os's this is literally all you have to do is say SSH and sshd and then if it's not running it will make sure that it's running it will restart it for you uh so one thing that you're going to want to do is cover Your Tracks and that's actually really easy to do um so

you can just configure a log level to be quiet in the salt minion uh configuration file uh and if you don't by default it runs as warning and so that doesn't actually list any commands that run successfully it will list stuff that you do not run correctly so what I did was I ran who am I but it spells who am I wrong and you can see at the bottom there it says who am I not found anybody sitting in the way back sorry the font was really small but this was a really small picture so going back to triggering everyone so the agile red team workflow so how you move within an environment and how you operate as a red

team so typically uh the whole idea behind being successful in these competitions was You' first get onto the Box You' persist somehow do stuff and then profit at the end depending on how long you've had that box for and how the scoring Service uh uh works so if it was checking in for a banner making sure that it was always uh your banner so uh that you would get the points for it right well the way that we're proposing now is uh using antile playbooks to quickly move whatever it is your secret sauces to all of these machines and then using uh salt stack for that long-term access to bypass erest filters doing devops for your devops buzz word yeah so

we're going in to about 15 minutes left and we're going to try to do a live demo for this. We left 15 minutes because we're sure this live demo is going to be a live demo, if you've ever been to them they usually fail. So as we set this up, do you guys have any questions that you want to shout out about the DevOps or Ansible and SaltStack stuff in

general? No questions? Want to do the watch? Yeah, okay. So I should probably zoom in on this before I do this.

Cool, can everybody see that? We'll make it a little bigger. All right, cool. All right, so let's go ahead. So you can see on the top there, that's on the Salt master server, and what that's doing is every time a minion checks in for the first time it will list its keys that you have to accept in order to be able to start pushing stuff to those boxes. Yeah, so we're going to go ahead and run this Ansible playbook which just goes out, uses Ansible to install SaltStack on all these machines, and then they'll call back to us so then we can execute whatever commands we want. So all it's doing is executing that bootstrap

command that was using Python to install the minion. Yeah, so like we mentioned before it's actually pretty quick to run this, but running it across like the three hosts, two of them are Ubuntu and one is CentOS, and so the Red Hat based ones will check in quicker, that takes about a minute for everything to be configured and installed, so that will show up under the unaccepted keys in a bit. For the Ubuntu ones it usually takes a little bit more because it runs apt-get update to update all the repos every time the script is started, so that takes like two to two and a half minutes

for those to complete, but once those are completed the salt minions themselves, after you accept the keys, have to do some background stuff to finish configuring themselves, so even though they check in and you accept their keys they still might not be, yeah, you can see the first one finished, so that's the CentOS box. It still might take a little bit for the hosts to be configuring, so you can't send commands immediately, it might take an additional minute, and then after that next minute what you can do is then you can execute all of your state files that you want to send out to all the hosts, so that would

be the stuff that you say add these users, drop SUID files, install GCC, drop SSH keys, all that good stuff. So it's important to note too that, I mean the word key might have given it away, but all of the communication between the salt master and the minions is encrypted, so another bonus. So that whatever, you know, custom thing that you have written, typically what I've seen in these competitions they're not encrypted, so if you just do tcpdump you can see what your competition is running against your machine and then better prepare yourself to defend against it, or just take over whatever IRC bot that they have if

you go to their IRC server. So this kind of eliminates that from the scenario by just having a Salt master that can execute commands over an encrypted tunnel. So like we said, there we see the three changed, so that way we know that Salt has successfully been installed on these machines. So DevOps-ing pretty hard together right now, we're using Ansible to install SaltStack, feeling pretty good about it. Brian right now is accepting these keys so that way he can issue out commands, oh nice, sorry, so he can issue out commands as master to all the minion servers. So now you can see that all the keys have been accepted, so what I'm

going to do is, if I can spell, sorry, going to go ahead and hit the mute button. So what you can do is salt, and then the next thing that you type is what specifies the hosts that you want to send information to, so what I'm saying is that every host I want to basically send a test.ping to tell me whether it's alive or not. So that's actually pretty cool that those all worked on the first time, was not expecting that, so that's cool, because usually it takes a little bit for those to finish configuring themselves in the background. So now what I'm going to run, well what I'm going to run and try

to like type correctly, is applying all the states. So what this is going to do is every time all the hosts check in it's going to look for the top file, and you can see that RDP was enabled and it's still running, so on the Windows box it was good to go. So it might take a little bit more, it'll probably take about another minute and a half to add all the users, drop the SUID binaries, drop the SSH keys. And yeah, does anybody have any questions? Yeah? Yeah, I got one, so if you guys run into a scenario where network based controls prevented SSH from, you know,

from every system, environment restricted to say like a subnet, where you like proxy around to try to make this work? So at Panoply, which is an event that they run at CCDC, which is, so CCDC is primarily a blue team event except for the last day they run something called Panoply where they allow all the blue teamers to just try to take over an environment and change the flag, so there's always a music box and everyone goes to the music box to change the music for the entire room. I'm not sure what team got it last year but they just started playing Game of Thrones music throughout the whole thing and

they were blocking subnets and stuff like that, so that was one of the things that kind of, like you know, if we were faster we would not have this problem in listening to this really daunting music just blasting through the speakers, so out of frustration that kind of sparked it too. So you see that it just succeeded for all three boxes, because green is good, so that's cool to see. So now, here, do you want to try to in 91? So we dropped Jared's SSH key so hopefully this works. So he's going to, no, try bill, so bill at, that box should have his s

and now we're in. So nice, yeah, so once again the salt minions on all these boxes are running as root, so these are as good as root shells, if not better, because it has this nice encrypted command communication, it supports all these really cool salt files, so that way if you're in an environment and you're like hey, I suddenly have all these Windows machines but I need to do something I've never done with Windows, the Salt community itself is pretty active, so you can go grab a state file that could be for a legitimate purpose of configuring some kind of service and totally use it to your advantage. So there's a large community behind this for DevOps and system

administration, there's nothing stopping you from taking them, tweaking them, and using them to your competitive advantage, which is really what this is all about. So we also dropped SUID binaries, compiled one and threw it in the path and we called it watchdogd, so you can see you just run that command and then you're root, so even if they disable root login you can still have root on the box. So yeah, so all in real time you saw us do this, three machines, a couple of minutes, and this is continued access. So we'd like to open up to any other questions that we have, because this demo worked a lot better than what we planned

for. Yeah, yeah, I'll ask another one, so what about prepackaging Salt, pre-baking it? You absolutely can. So one of the problems with some of this, this is what comes to the trade-off with the SSH pipelining, is that it's reported that when you're transferring larger packages, so depending on how big what you're trying to get from A to B is, it can take more time. So like at minute zero if you kick that off and you have all these prepackaged and ready to go, that by all means will work, it might take a couple extra seconds, but in the long run that could be advantageous if someone else is just going to start firewalling

off subnets and whatever ports it may be. Yeah, is there a reason why you guys didn't use Puppet or Chef? Awesome question, so Puppet is, Puppet's really cool, and so isn't Chef. The reason that we didn't go with Chef is because the infrastructure overall to set that up and start managing it is a little bit heavier, whereas with Salt and Ansible you can kind of walk into a competition and just have a laptop around, this, the Chef server tends to be a little bit bulkier depending on what you're trying to do. But for Puppet I believe for the non-enterprise edition there's a limit of how many

nodes you can have, if I remember correctly. And also, just for Ansible and SaltStack both being in Python and both having that YAML format, it's super easy if you have something that you want in the Ansible playbooks to be converted to long-term stuff for SaltStack. So that is really the bare minimum, there's no reason you can't use those tools, we just chose to go with these.

Yeah, absolutely. All right, well, I mean if you guys have any more questions, we wish, we wanted to kick it off, we thought there'd be more, but we'll be hanging around here if you guys have more questions. Thank you very much for coming to our talk, appreciate it, thank you.
