Scripting Myself Out of a Job - Automating the Penetration Test with APT2 - Adam Compton

uh next up we're going to have Adam Compton from Rapid 7 who's going to tell you how to script yourself out of a job yeah pretty much dashing and daring courageous and caring faithful and friendly with stories to share [Music] all froming along their all [Music] right ask me later so no um so yes my name is Adam Compton I'm from Rapid 7 I am a senior security consultant there uh today's presentation is going to be on automated pentesting toolkit uh scripting your standard activities during a pentest things of that nature uh co-presenter co-author is Austin Lane from Rapid 7 as well he's in Texas at the moment and not here so he's not invisible or something so don't

worry about that so so one slide on who am I um Adam in five words uh I don't like the big slides but yeah so my family my children I've been doing pen testing and programming for a good number of years and as such as with any that you do a long time you tend to get frustrated with repeating the same processes over and over and over again thus the the decision to make uh this tool in this presentation well we'll go and go ahead and start out uh give a little background here most pen testing often follows the exact same um basic framework basic process you start out with some sort of uh Recon you

do some simple testing test some creds things of that nature and eventually you're hopefully going to exploit a system get on dump some other information upload a different shell whatever and then you're going to get to something interesting you're going to Pivot keep moving on through the network a lot of this is very common and you're going to do the same things Network to network whether it's going to be running in map whether it's going to be um running responder something like that you're going to follow the same process throughout and yeah there's going to be the outliers things that are unique to a particular customer or unique to a particular network but the this tool

isn't going to or this toin tool isn't going to be focused on those outliers it's more on the commonality among all vulnerabilities penetration testing um that same routine that we just talked about like I said it's very repetitive and it does tend to be slow on very large networks I'm talking not like your one class C or two Class C networks I'm talking when the customer gives you a Class B and says here here's 65,000 possible IPS go and have fun and hack it and you're like wow that's going to take a while to go through all of that especially for the what some people call the low hanging fruit or the common things that you're going to find on most

Networks you're really wanting something to help you out with that um so what uh can you do you can automated a lot of that repetitive part can be automated there are some solutions out there already who have they say they automated in fact if you look at it it's just a shell script of running one command after the other I guess in a fashion you can consider that an automation it from my point of view that's not really the type of automation I was looking for thus continued on so we wrote a tool to help with that and keeping it's ap2 I know the skart looks a little odd there but keeping with my tradition of naming my naming new

products and tools after acronyms that already exist I went with AP on this one um it's automation pen autom at penetration testing toolkit so aptt so I think that's right might one too many T's in there but yeah you get the point so going back your standard um why can this be automated because it's repetitive routine usually start out with running in map finding some open ports finding an interesting system Services you start reviewing those uh ports looking for anything nice oh found Port 21 does it have Anonymous FTP oh I found Port 445 is there anything I can do with there open shares does it have MSO 8067 something of that nature you're going to go through each one of these

looking at it trying to figure out what can you do next what's going to be the next juicy thing that's going to get you further down into penetration testing at some point you might get some uh pull out some not better tools like responder metlo crack map at Z something like that to help get you a little further into the network um maybe maybe get you some creds or some da accounts something like that and eventually you're going to take over the main controller the database whatever the target was for that penetration test um it's not always going to be can you get domain admin it's going to be sometimes can you get access to this one piece of

data or this one table in this one database they don't really care about the rest oh yeah it's a great finding if you can get those stuff but you're going after your target but yes the Homer Simpson happy dance couldn't find an animated one I really really tried to find an animated one I couldn't not find it so the question is we've been doing this for a long time with the same process over and over and if it's not broken then why am I trying to fix it well mostly for a few reasons that I've encountered over the years one is repeatability if I run an engagement uh penetration test this month and 6 months later the customer

asks for it again whether it's me or somebody else on the team who's doing that same penetration test we might do it in a different order we might use some other tools which is fine we might but the problem is is if we forget to run a tool or a particular attack technique that the previous person did or what have you then the customer starts to question well why didn't you find it this time or why did this other person do it this way it's that repeatability you want to be able to reproduce the same sort of test Time After Time consistency follows along with that if two people on your team perform the same assessment you should

find Rel ly the same findings at least for the the more common ones yeah somebody might be really good at reverse engineering somebody might be really good at knowing Network architecture and they're going to focus on some of those areas of course but the commonality in there should be the same uh because it can as I said before it can be very tedious and slow you're going to be trudging through if you have 5 days to do a large Network you're probably going to be late on Wednesday early on Thursday before you actually get to do anything interesting because you're still going through all the mundane stuff that you're doing on every engagement and manually parsing through

all the data is prone to human error as I know well myself you're going through You tab through a output too fast you're not looking at it you have your reg X wrong something and you just happen to miss one of the findings thus you tell the customer hey you're fine and then later you just happen to go back and look at the data and like oh no they weren't because they had this issue and I didn't report on it but okay uh could have done all X Y and Z it's to help you get through that without missing as as many issues potentially and again automation can help with all of these steps to standardize to rep rep

repeatability and I just realized that's probably misspelled but still uh let's move on before people focus on that so why not use your favorite scanner of choice up here whether it is I was going to say next pose but I've heard that other one too once or twice I don't know where but yeah still um but still it doesn't matter which product you're talking about there are plenty to choose from whether it's on the web application front whether it's on network in general um if it's on mobile devices there's lots of different tools Frameworks out there to use already and they're again they are they can be very useful and very powerful in specific circumstances being from Rapid 7 I run

expose on a large number of targets and on some of them the way the network is architected and all that I'm spending more time trying to fix certain little issues to get it to scan right than to do the uh testing or I might be doing a mobile app and nextos doesn't Target mobile app something like that uh there might be other things out there but yeah they're very useful in certain scenarios but they're not a general solution in a way and I'm sure my employer is going to yell at me for saying that but still um some are open source or some are cheap some are not so um but yeah so you can there's plenty to

choose from they can be very useful and some are cheap or open source great things to all have in your tools however some of them can be fairly resource intensive if you're going to deploy a small box onto a network uh say you're doing a you're not going to be on the network you're shipping the bo something like that or VM or something like that some of these tools require fairly intense uh resources to be able to run properly which might not always be available to you um oh go back some of them can be fairly expensive T 20s 30s of thousands of dollars and even when they are open source how easy is it really to add a

new tool to the repertoire to add a new check to it it some some of them can be fairly easy but not all of them most of them are going to be closed source and it's going to be really hard to get it in get the check added in it's going to go through you have to contact the vendor to get everything added in all that so that is why I wouldn't always say that your favorite scanner is always going to be the best choice yes don't get me wrong use it please use your favorite scanners they do work well but don't just rely on those because they're not always going to be the best

solution so if you're going to automate some of this what's going to be the way I would recommend doing it automate it with scripting whether it is in bash python do it through met exploits RPC library to automate some of the stuff whatever the case is um I chose to automate write the tool in Python but it uses everything else in the process as well and this time I ended up using us c as the base VM you can run this on any well when I get into it I'll describe more but it doesn't really matter which Linux baced OS you run it on yes it requires Linux but I've been building it on Cali

because most of the tools and scripts I typically use already are there so I can leverage that and I think most pentesters tend to use Cali anyway um and if you don't it will still work on there might just need couple of tools added in or what have you as you need to progress through it so go ahead and start talking about the tool in more um formal fashion AP is designed to automate as I said the common stuff the manual stuff the repetitive stuff the standard stuff it is a framework toolkit it is a tool that has modules and you can write those modules and add to it so sure it's a framework um it's a buzz word I threw it

in there it is consisting of a primarily an event ceue that has tells each module when to execute and how to execute it has a series of modules that do each of the checks or calls out calls out to each of the different tools that can do the checks and a knowledge base to store all the data there's two knowledge bases technically one that is a actual knowledge base and one is just the flat files that you can look at I'll show that later as well during the demo how does it work first you either give it an IP range to start scanning itself which it uses inmap to do or you can run inmap and feed the output into

the tool and it will progress from there as I'll talk about later I want to add additional inputs to it whether it be whether it be uh nesses NEX pose uh burp whatever the tool of your choice I want to add additional inputs so you can feed those outputs directly in and let it take off running um stop so what does it do once it reads in the uh inmap file where it runs inmap itself based on the ports it finds on the services it finds it starts building up an event queue every port it finds it fires an event saying hey there's a port 21 is identified if it finds a new host say hey new host 1.2.3.4 was found so

forth new service new web service was found it adds this all to a queue then it goes through that queue looping off popping them off and saying hey is there any modules listening for this event and if one ansers yes for example Newport 21 uh the anonymous FTP module might listen for that and say hey I'm listen for 20 Port 21 so it'll take that and start running and doing its check can it authenticate can it validate that it's Anonymous FTP if yes then it itself will fire an event out saying hey found valid Anonymous FTP this FTP server has creds of blank blank what what have you then there might be another module later that's listening

for valid creds for FTP which will log into that server with those creds and then do um file share searching for interesting files which is in there I the this is how it chains together and you're not scripting it out saying I want to run this tool then this tool then this tool it's all event driven where depending on which events are encountered which services are found it makes its own decision as it's going through as to which mod modules need to be run and when um as I was saying modules can create their own new events based on what they found what kind of data they gather for example as I was saying the

anonymous FTP module if it couldn't log in anonymously it wouldn't fire a new events ain't Anonymous FTP it would just say thank you and close out and let a next module run but if it did find Anonymous FTP it would fire that event which as I said something else may be listening for and this process keeps looping and looping until there's no more events in the event queue and the program terminates one thing to say every time one of these modules runs its output of whatever command or process it is running is logged into a proofs directory so you can look at the actual output of it if there's additional information you want to scrape out of it

or pull out or look at for whatever reason and that'll be demonstrated in the demo in a moment so how does this help well one I've also added multi-threading to it and I hope it's thread safe but so far it appears to be thread safe I think I've added all the checks in but it uh is thread safe I believe it is multi-threaded it you can set how many threads you want each module how many modules at a time to be running I think the default is either 10 or 20 and it'll process through a large Network fairly quickly with that new modules are fairly easy to create um I don't know if if I

have time to go over that here in this presentation if not it's all going to be on the wiki um on the how-to all that and I can if you get talk to me later I can probably share out some videos on it as well it basically consists of taking the template module changing out some of the description at the top and then putting in the command you want to run then it's up to you ever how you want to parse that output to do additional features such as reading out user list or something but that is going to be the meet of the module it's fairly straightforward fairly easy right now to get it to running it is fairly easy to

go you just uh get R yourself a copy of Cali or Linux Dro of your choice you clone the repo and it's good to go you might ask well I might not have all the required commands or tools installed that's fine each module has a list of the required commands that it needs to run and if those commands aren't available on the system it outputs a command output saying sorry I cannot run because this tool is not here then it just moves on to the next module and continues on it's fairly fault tolerant in that way um but to get full functionality you'll want to look for those kind of outputs and then add those

tools into your drove of choice so that you can have full functionality uh and oh yeah that's what I said and of course if it doesn't have a module for your favorite tool it's easy to create them make one do a pull request it'll get it into the main um body of the tool later on and you can use it on your own up until then anyway so what can it do like I said before it starts out it identifies Services operating systems ports things of that nature any web app X11 anything gooey it tries to screenshot so that you can take a look at it later um it looks for FTP and other file shares if it can authenticate

to them whether anonymously or not it'll connect to them search for that part is partially working but it'll search for interesting files based on regex things of that nature if it finds any it downloads them it can Brute Force certain accounts uh based on what modules have been created in the tool it will run the appropriate Metasploit module capture the output of it keep the sessions alive things of that nature um it does it doesn't rely on metlo but if you have metlo on your system it will definitely make use of it if you have it there um it can compile a list of hashes throw those into John the Ripper or hashcat crack them store that back into

the knowledge base for other modules to make use of down the road and in general if you happen to look in the user share directory of or user bin or any of basically anything that's command line you can make a module out of and hopefully most of the auxiliary and the exploit commands in metlo um most of your standard tools will be incorporated into ap2 at some point right now there's about 30 some OD modules in there that gives you a good basis to build off of uh this is a fairly early release of it so please be patient it will get better as time goes on uh here anatomy of a module I promise

demo is coming here fairly soon they all inherit from a extender based module so it helps with u extending it and whatnot and they all have a name a description what tools are needed for it to be run uh what events is it listening for it's safety level I'll come right back to and process process is the function that does the stuff if you want to say it that way for each module it's the one that executes the command it's the one that calls out the medit to run some module it's the one that tries brute forcing uh passwords it's the one that does whatever that's the one that you're going to spend most of your time in safety level is on a

scale of 1 to five it defaults to four or five I need to check again which means that it shouldn't do anything bad to a network it's going to try stuff that is very Kid Glove it's not going to brute Forest accounts not going to do anything like that when you get oops when you get down to saf level one or two you might lock out a account you might do things of that nature and when you run the tool you can specify what's the minimum safety level you want to run at so if you're saying run it up down to safety level three there's safety level two module that module won't be run so most of your information

gathering and things of that nature are all going to be in the level five whereas things that might blue screen systems or easily lock out accounts are going to be one or two things of that nature and it's just a way to for you to have some confidence in what kind of attacks are going to be done to the systems are there limitations to it yes with any tool and any implementation there's going to be uh limitations first the tools that you include or modules you write need to be non-interactive if you can find a way to script them so they are not interactive great anything that requires a goey probably not going to be a good choice to write as a tool

here find a different way to do it um it's just for the sheer nature that this is an automated process which and by definition means you're not interacting with it so next multi-threading can be difficult uh it can be tricky because there's lots of traffic and some modules happen to have some conditions that you don't want to run multiple of them at the same time such as responder if responder is kicked off you don't want to run another instance of responder on the same network it may con bad things may happen it may air out it may give you false results things of that nature and the limits can be defined in each module if you so

choose and brute force with caution you may break things that's why use safety levels if you're not concerned with uh locking out counts breaking things sure go ahead fire it with safety level one and have fun with it otherwise stick to four and above maybe three and above it's all depending on what kind of network you're looking at and how risky you want to be and at the moment I'm having addressed this but I hope to at some point non-standard ports and ports and service names can throw off the modules for example if you're running uh let's say a common one taet but not let's say you're running it on Port 2000 for some reason the module

isn't going to detect it based on the port it may on the service name may not so things that are heavily non-standard or SSH on Port 22,000 or something it's going to throw it off or when things are common and standard thus the standard automation process of it work well this I'm hoping to address in the next couple weeks month to try to add more logic in there to help account for that but at the moment that is a limitation now for the demo if I can get this to [Music] work let's see come on

not this time because I'm doing a recorded one I cheat all right whoa whoa whoa stop go back all right let's get started with this uh move that over just a little bit so people can [Music] see yeah that's good enough all right so when you do a clone or get clone of this you're going to find a directory looks like that you're going to have a few common things in there first primary script is ap. python you're going to have demo. XML which is the go ahead and pause that so I can talk about it just a little bit hey go back ah I didn't add enough timing in there as I thought I did

pause so even pre-recorded demos don't go so well for me so yay for me I know it I know it so let's just step through this slowly here uh so the three main things you need to take a note of here is a2. py that is going to be the primary script you're going to run to get it started uh default.cfg is your primary config file there's going to be that's where default account not accounts um file paths and any configuration stuff it goes of course config file and all modules are going to be located under the modules directory you'll see demo. XML that's just an inmap XML file that I'm using for this demo and the rest of it is your standard

read me and things of that nature so let's get moving through here all right so yeah demo XML so first thing you're going to do is what did I do oh yeah going to run it with the dash you have your standard options here uh you have your verbosity you have your bypass menu That's to account for a menu that we're adding into it that don't always want so you Das B would bypass it completely and- F to provide an input file which I will do because I have demo. XML on there so let's go ahead and oh we're looking at the config file I guess I should have I just made this yesterday and I forgot it

already man my memory is getting bad in old age so you'll see there's Metasploit um user password things of that nature in there there was a Threading and number of threads you're going to run run for this demo I am going to use metas sploit so I'm kicking up a msf console I'm going to set it up to use a msf I mean RP MSG RPC uh setting it with the username password that I had specified previously now over in the actual AP it will know to make use of that look at the output again so we're going to run- VV which is very for both B to bypass the menu set the safety level to one because

I live dangerously sure and I'm going to use my demo. XML file this is on a home hacking Network I have set up and things start scrolling by pretty let me move that Mouse out there so you're not seeing that there um so I loaded 33 modules and stuff is just scrolling and as I said before that's hard to see right there but let me pause it anytime a module can't run because it has the tool it needs isn't there or something of that it'll show up at the top up here such as module responder is disabled dependencies required responder and I just added in disabled because I'm still working on it you can disable

modules easily that way so there's any number if a module can't be run it'll show up up here so it's easy for you to find the ones that you need to install or update things of that nature so let's go ahead and keep going okay it loads up the inmal file parses it and anything in red down through here is typically going to be a vulnerability or some major finding you want to look at it found SMB security mode not being required a bunch of output done through here all of this is verbose and debug information you don't need all this on the screen at all the time it's just one of those things that for this demo I'm

showing it it's running get host and right there found an anous FTP it what is that one no session uh here in a second it'll find MSO 8067 a bunch of other little findings in there oh there it found uh the work Group which was work group in that case but there are other ones in there so it's all these things that you're going to be doing by hand but it's doing it and adding it to a knowledge base right here is an interesting little thing too the well it found that one was part of hacknet so that's what I was showing and the current number of active threads I said it to 10 for this demo so at any given

as it Cycles to there every few seconds it will tell you how many active threads there are and which modules are currently running so you know if it's stuck on a particular one or something of that nature there you go ms0 867 was found on 10101 133 uh VNC brute was U found V that system was found vulnerable to msf or VNC brute uh scrolling down through here lots of other stuff like I said this is the very verbose output put so lots of output in there you don't need all this was able to pull a user list off of a Linux system there's another one down here that it pulls off of a Windows

system there you go pulled users off of a Windows system because of no sessions keeps going on down through there yeah administrator test admin AC interesting looking accounts there let's see what else do we find here that's uh interesting it's a good one here somewhere you can see it's doing High address andb password checks it's doing yeah right there uh anything good good well I think it's going to jump down here to the bottom here in a second MSL 8067 it's checking it's running secret stump I imp packet secret stump because it was able to actually log into a system at this point um because it found test account with password of password um logged in with that user was able to

dump Secret using the secret stump command to dump that off uh lots of other little things scrolling down through here and there is an error which I just left in there just because this is not a final product at the moment it's definitely one for you to check out try and help make better and at the end it finishes and it does oh well it's gone but it does create a report file the report file isn't finished yet that is uh Austin is working on that and this is a very early version of that so let me just jump back here for just a second oh yeah there you go interpreter de capture the session

from the MSO 8067 earlier at this point you have new files in there log proof and reports directory let's go ahead and look in the logs there is a process log.txt which contains timestamped output of everything that this toour did as far as what if you don't even enable a VAR verbose it still output into this file so you can go back and see what was run against what system at what time so go down to directory let's go into reports next I believe yes there is the reports file I'm not going to show it because it's still heavily working progress um the idea is that it will give you a good HTML output that will show you what is

going on what kind of findings were found nice output here's the proofs directory like I said the output of every command is in here I packets secret stump files there let's take a quick look at that if I can do the star there you go you have the hashes out of that at the moment I don't have the John the Ripper module working properly but if it was it would have captured this R John on it got the output updated the knowledge space for other tools to continue on this was an easy one uh I'm also going to write one for hash cat if I don't have it in there already let's see what else are we going to look at here

because honestly I don't remember I was I was high on PSE suda fed last night because of allergies so we'll see what I did and oh yeah we're looking at the Hydra output so the Hydra output so reason I saved all these files in the proof directory is also when you're doing your report I don't know how your companies want you to do the reports but uh rapid 7 wants us to do screenshots in there so if you have this output you can select it screenshot it put it in the report it's great proof great visual for the customer to see and what else we going to look at and you like I said everything's in

there everything from the ms0 8067 output the um CIS info output from the med exploit session it's in there all the outputs you want are in here and all these things chained together to get to this point uh all these are tools that I typically use on engage Ms you got your Anonymous FTP up there which also has a peal associated with it of that interaction so you can capture that output put it you take a screenshot of that put it in the report as well so you can say like oh yeah look you can capture creds over the wire things of that nature so what are we looking at here MSO oh the dump hashes yeah so it

dumped those out with the metas sprit module as well with mamic cats W digest I think next we're going to look at the knowledge base yes it is an XML file not a well formed XML file but it is an XML file which I probably will awick and make better later it contains the out the location of the output file for any vulnerabilities things of that nature what ports what host what users uh ports that are open other the versions that were found things of that nature so this is the the on disk version of that knowledge Bas so that it can reload it later and continue on and I believe that was it yes that is the end of the demo so

let's jump back over here and see if I can jump back into here without it going back to the beginning because I'm not a PowerPoint guy and no I can't let's jump through sorry about that I'm a hillbilly not a PowerPoint guy all right so now we're over to the development of it it is open source or should have been by this morning but I couldn't I didn't have access to GitHub this morning so soon as I get a chance and I get out of here and get back on the internet this will be a public repo it's at github.com moose Dojo ap2 go check it out download it um try it out tell me if it's horrible if it's

something that's reasonable something you want to work on is something that you have recommendations for me to work on things of that nature by this evening it will be a public repo like I said soon as I can get to the internet again future plans I want to import from more than just inmap whether it's burp it's nexos it's nesses it's whatever toy out there of your choice I want to be able to import from that even if you're running Saint and I don't know if anybody who still runs that but if you're still running that please if you want to write the module for that to import from it great just write it up

and do a pull request I want to do more attack chains such as taking output from responder which I have started passing into John throwing it to Hydra going into secret stump blah blah all down the path um I'm not sure what I meant by that but yeah multiple passes I I don't remember what I meant make the reports prettier and other things I have yet to think of I don't know uh there's lots of other things this can do right now it's focusing a lot more on the information gathering then on the exploitation that doesn't mean that's where its focus is going to be that just means that that's where I've spent the most time so far because

some of those tools were the easiest ones and those are the ones that's helping me out inner engagements if I can automate a lot of that information gathering stuff I'm happy with that for right now I'm going to be working on the other stuff as time goes on but if you want to focus on some other aspect of it and you want to help develop it please help out do whatever you want and um we be chatting about it if you want so questions my name Twitter Corporate email private email where you can find the tool out and questions I don't know how much time we have let me see oh yeah we have plenty of time I

flew through that sorry about that yes front row peanut gallery all right go ahead dat in datab is the data actually stored in a real database or ml files it's stored in an inmemory data structure currently um it's inmemory python constructed data structure but it is abstracted from the rest of the code so I can switch that out with a sqlite database or something like that if I so choose down the road if the current implementation finds to be faulty or the slow bottleneck portion of it or something like that but it is completely abstracted so it just has API interface to it so I can replace that with whatever I want right now it's just a

it's a funky little data structure construct it's hard to describe so multiple

passes if you if you feed the same uh inmap file into it multiple times right now it's going to run through the whole thing twice because the load knowledge base isn't implemented yet soon as the load knowledge base is implemented it will load the old knowledge base back in anything that's already been checked won't be checked again but like I said not published final product right now it's still working development but yes that is the way I intend it to work any other questions and I got light glaring my eyes so I can't see if there are hands anyone so is it if you're running it in a more dangerous mod expected to be deterministic like will it P run the

same way multiple times or get locked out one time but not another and obviously have a reactive Network designed to do that but in a typical case is that is that likely to happen if you're running it in like a safe level one well safe level two well let's go safe level five pure information gathering shouldn't be anything bad uh four you're probably checking some defa accounts like admin admin something like that nothing should really happen with that three you're going to start doing some a little more aggressive stuff but still no real brute forcing of locking out accounts all that two is where you're going to start doing password guessing uh dictionary attacks things of that nature where you might

start locking out accounts and at the moment if it locks out an account it keeps going well once an account is locked out it don't know if this is added in but not but once it can determine an account is locked out it should stop not processing that account but that doesn't mean it isn't going to move right on to the next one and lock it out then the next one and lock it out that's where safety levels come in and how certain you are with that and level one good luck it'll probably crash your network because those are the there are no modules at level one at the moment but those are the ones that it's like if

you run this like in Metasploit if you're think back to that if you run this it can give you remote code execution but if it's done inor correctly it'll crash your network that would be a level one so um be cautious with those you can run that in your lab environment things of that nature and if you find that my logic in this is flawed please let me know I'll try to address it in the code I will ask you to help address it in the code if you're so inclined to help out with it but at the moment there is no real um cut off in there saying that hey I'm starting to lock out accounts I need

to stop or something like that no it's like oh I like at that account that's fine okay let's go on to the next one and keep going so yeah one more picturing is like you had two identical networks that you were analyzing just like independently and you were doing it at an aggressive level one or two uh would you be pretty sure you're going to get the same result or could you encounter a race conditioner something in a module and get different results like is that something that's a goal try to right so the question is is if you're running whether it's on multiple networks or the same network multiple times something like that U

running it with the threading is there a case for a race condition where it might one module might muck with another module to prevent something from running there's always going to be a con a case where if you're running too many threads on a con congested Network you're going to have packet loss so that might interfere some way that way but just from one module running in another one there is also the possibility there that if one happened to lock out an account or happened to blue screen a device that the other one was hadn't checked yet yeah that's obviously going to interfere with that other application or the other module so but it should always do it the

same way every time so if you run it one time and that happens you run it the second time it should happen in the same sequence again for that particular network with that particular set of findings and uh IPS and ports and what have you did that answer the question or did I talk around it or did I just go and L field check check conc like there's some like random noise or something where mod Tak a little longer than it do to make they uh no there is no check to guarantee that things happen in particular order by design it is designed to say that whenever a mod an event fires every module listening for

that well it won't start immediately but they start it goes to the list say fire fire fire fire for each of those modules and they will start off running if something happens to delay one of those during execution then yes a different output could happen in that case but no there's no logic in there to force them to run in a particular order while waiting for this the only logic in there to anywhere related to that is to say that this module requires this event to get started and then it will fire another event that is the only kind of control structure in there to say what order thing should work in you're only going to module is only going to run

when its event is fired or popped off the queue and yeah that's the only control structure control associated with that process all right anything else anybody else front row again here you go microphone this is not good forgot mic my hand oh my God can you pause the program while it's m running and if not are the thread set up to where you could programmatically pause a scan no you can control C and kill it and but but as soon as I get the load knowledge base function uh cleaned up you will be able to say rerun it with the same XML file say load this this knowledge base and it will should go back and start back where it left off it

may have to rerun certain modules from the beginning because it died in the middle or something like that but yeah that's be the only way you can pause is to actually kill it and then restart it sort of close to where you were so I was just thinking I was just thinking of how to handle the client cence and what are you doing like oops stop yeah so that'll be the way that well hopefully the client isn't going to call you and saying what are you doing that's taking down my network because in those possible scenarios where that should where that could happen are the ones where you didn't reg regulate which safety level you're want running at you may be

running a little too aggressive or there's just that odd scenario on that customer yes that customer is very picky about something or what have you but honestly the solution there is control C and then restart it after the fact so yes yes no go take a break all right works for me thank you all very much have a great day