siesta time v0 2
play

Siesta Time v0.2 Implant, Infrastructure and Reporting Who m I ? - PowerPoint PPT Presentation

Jan 03, 2023 •200 likes •439 views

Siesta Time v0.2 Implant, Infrastructure and Reporting Who m I ? Spoke at R.T. Vill. Defcon27,Happy to beat Shellcon19!! Originally from Spain, Sevilla: otra servesa por favoh ! Most of my life/studies in Europe OSCP

  1. Siesta Time v0.2 Implant, Infrastructure and Reporting

  2. Who m I ? ● Spoke at R.T. Vill. Defcon27,Happy to beat Shellcon19!! ● Originally from Spain, Sevilla: “ otra servesa por favoh !” ● Most of my life/studies in Europe ● OSCP Certified, Aiming for CREST in the future :) ● Product Security in “big CRM” company for the last 3 years and half ● Si ! ○ The “before last” drink, “Salir de tranquis”, memes/gifs/paint! ○ Into the box/Complex problems/ Following white rabbits ○ Burning man/Rocio, “Feria de Sevilla” ● Meh ! ○ Not going out on Saturday night for 6AM hikes on next day ○ “Scratch” security (XSS and friends), “auditing”,checklists… ○ Coachella & Sparkling Ponies, Holy Week

  3. Why this? Disclaimers/advisory ● Personal career interest in red teaming/Offsec (educational) ● Implants+Infrastructure are key on red team ops ● Decided to build my own implant tool (control over ops) ● Strong web/high level programming knowledge(centralized frm.) ● This tool is not new… throwback,sliver,Cobalt Strike (not open source),empire (stopping support??)… But it is new in the idea of gluing all together to create a good Red Team tool/framework! ● Why “Siesta” “Time”? Sleeping is good my hax0rs (while automation happen) ● The tool is still in a very alpha stage, but will be growing! Tons of bugs and problems… Needs help to code! ● Not yet tested in “real” environments…but will be 

  4. Let’s figure out the start - Preparing ops. / Infra We got an engagement with limited time Start to register domains, start to configure the Virtual Private Clouds, Maintain accounts, share it between Operators... Prepare possible staging servers: ● Empire, MSFT, Cobalt Strike...to receive fast shells Prepare for possible detection! → ● Redirectors for Long-Hauls Implants ● Big quantity of them, it is difficult to keep them organized

  5. Let’s figure out the start-Developing for ops./Implant The implant development cycle... It needs to egress, how will it egress? (TCP/SSH/HTTP) It needs to persist (each method will be “compliant” with target EDR/HIDS), What if the egress doesn´t work for target ? Need to re-write, more time Do I have the code from the previous one? Can we recycle old code? Which are the abilities, how it will interact with OS resources? (Features like native libraries API’s (syscalls/C++ wrappers) vs “os.exec(cmd/bash)” Oh rayos! For how many platforms does it need to be compiled?

  6. Let’s figure out the start - It is working!/ AfterMatch! Sut! We have been detected, more redirectors/implants (extra time) Got my objectives, how I exfiltrate? More servers/techniques Now the Client/Blue team is asking us to make more noise! More time to craft another implant with different egress method abilities Reporting! → Have we saved all our actions? All commands from Interactive shells? What about the implants configurations themselves? Do we know what exactly triggered HIDS/EDR alarms? Time, time, time… we could have spent more time on LM for reaching more difficult targets… or at least for a Siesta...

  7. Can we do it better? Can we automate/recycle it? Is it possible to create a General working Red Team Infrastructure? ● Need a working strong design for ops Can we automate it to save time? Can we have a nice GUI? Consoles are too hax0rs for me (millennial style) ● Servers organization and deployment automation. Clicks save time. Could we have a battery of “modules” ready to test different implants and make the blue team “HIDS” to be correctly evaluated (purpling) ? ● Implant Modularity

  8. Objectives ● Help Companies’ Red teams to spend less time on building a clean and efficient C2 infrastructure and generate working Implants ● Modularity on implants for testing/recycling purposes ● Deploy staging servers that will provide operators gap to continue the Assessment while saving commands into reporting documents ● Generate reports with all jobs, errors and interactive console per user basics ● This will help defenders to be ready for real actors.

  9. Tool Infrastructure - What it should be, and what it is Hive → The Operation Server, the center of all infrastructure Operators → Connect to Hive per user basic, interact indirectly with implants and stagings Redirectors → Redirect jobs directly from implants or SaaS’s Bichito → The main implant, with the objective of persist and keep himself hidden Stagings → Short-lived server, for post-exploitation and interactive sessions Reports,logs,…

  10. Tool Infrastructure - Hive and Operators The tool is installed using a script: ● Create DB ● Compile client and Hive ● Use a config.txt with VPS/Domain data to deploy Hive with terraform Client.go → LocalHost golang server running on operators devices. It will automatically log into Hive using saved credentials (compiled into binary). Will refresh GUI JSON data and send Jobs to Hive. In the same time will feed Electron Gui with front-end data, and receive Jobs from it. (It will act like some kind of client side redirector) Electron GUI → Operators will interact with Siesta Time through this. The GUI will be requesting/sending JSON data to client.go server Client.go <-> Hive.go → “ Cert Pinning HTTPS + Basic Authentication” to Request/Post JSON to Hive. Session are identified by Client-ID so every action is mapped with an Operator login

  11. Tool Infrastructure - DB (Inside Hive) Implants → [Redirector1,Redirector2...], Network Module, Persistence Module VPC → AWS/Azure…, AMI, Region, Keys Domain → GoDaddy/NameCheap…, Keys SaaS → Analytics,fronting…, Keys/Credentials Job → Hive/Bot, Name, Time, Status Staging → Droplet/MSF…, VPS, Domain, AccessLog/SessionLog Redirectors, Reports, Logs...

  12. Tool Infrastructure - Implants Operator Trigger the Job “Create Implant”: ● Select VPS/Domain/SaaS tuples of redirectors ● Select Persistence/Network Module ● Redirector Compilation with target Network Module (Handler) ● Implant Compilation for platforms: OSX, Linux and Windows (x64,x86) ● Deployment with Terraform Operator sends Jobs to Hive, the ones for Bichitos got redirected to the Redirectors Bichitos uses Normal Network protocols or SaaS to communicate with redirectors SaaS: Software as a service, Gmail,Instagram, twitter...

  13. Tool Infrastructure - Stagings Operator Trigger the Job “Create Staging”: ● Select type of Staging: Droplet, MSF, Empire… ● Select Domain and VPS ● Hive use terraform to deploy and install scripts/services ● Hive install staging service that reverse SSH tunnel Staging Servers to Hive Server SSH Tunnels let Operator client.go to connect to them through Hive Droplets are used to drop target executable implants . Server hits are reported/Canaries! (TO-DO) MSF for example are used to start interactive sessions. All is logged for Reporting!

  14. Implant (Bichito!!) Behaviour-Flow Implant will first Load Persistence Module (TO-DO) Next will try to connect to Redirectors: ● If a redirector is not reachable will try next and re-order ● Implant network module will be used for this ● Get Jobs and process them ● Send back results This will be a repeated behaviour between respTime, if it is not able to connect to Redirectors Implant will die on TTL

  15. Demo:Gmail API Egress Give me one string… and you will be my C2!

  16. Demo:Reporting

  17. Future Work (a lot) – Working on it ● Security Bugs, Performance Bugs, Native Functions (avoid bash/cmd) ● More Modules for Implant, more SaaS (having a big module battery will be dope) ● More VPS, domains (now just AWS/Go daddy/Gmail working) ● More Detailed reporting (XML?) ● More Stagings (Cobalt Strike?) ● Full GUI Client, Whole user/op management… ● Killchain Generator/Attacks - HTA, Macros (Now just droplets) ● Obfuscation → Choosing between obfuscate or not, etc... ● Root/Persistence, do ever a company test herself with rootkits? ● Google Analytics to egress, bypass TLS fingenprints...

  18. Thanks - Proud to be part of Shellcon ● Please don't let me down! Let’s commit together! ● CFC → Call for Commits! ● Thanks to all sources, previous devs/red teamers with similar ideas ● To all those golang developers that post in stack overflow ● We are here to help defenders! Let’s not forget that ● Questions :) ● Repository: https://github.com/rebujacker/SiestaTime

  19. Image Slide 4

  20. Image Slide 10

  21. Image Slide 12

  22. Image Slide 13 12 10 8 Column 1 6 Column 2 Column 3 4 2 0 Row 1 Row 2 Row 3 Row 4

  23. Image Slide 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

THE CITY HISTORICS DISTRICT LA SIESTA RESORT &amp; SPA HOIAN LA SIESTA TRENDY HOTEL HANOI

THE CITY HISTORICS DISTRICT LA SIESTA RESORT &amp; SPA HOIAN LA SIESTA TRENDY HOTEL HANOI

THE CITY HISTORICS DISTRICT LA SIESTA RESORT &amp; SPA HOIAN LA SIESTA TRENDY HOTEL HANOI LA SIESTA DIAMOND HOTEL HANOI LA SIESTA CLASSIC HOTEL HANOI 8 years consecutively, Hanoi Elegance Hotel Group on earning the prestigious

659 views • 40 slides
THE SIESTA RESEARCH PROGRAM Prevention Research Center seminar Douglas M Teti Professor of Human

THE SIESTA RESEARCH PROGRAM Prevention Research Center seminar Douglas M Teti Professor of Human

THE SIESTA RESEARCH PROGRAM Prevention Research Center seminar Douglas M Teti Professor of Human Development and Family Studies, Psychology, and Pediatrics Sept. 27, 2017 SIESTA, SIESTA-K, SIESTA-FF Study of Infants Emergent Sleep

765 views • 43 slides
Siesta Key Transportation Study Phase1 1 Overview Sarasota County Strategic Plan 2020

Siesta Key Transportation Study Phase1 1 Overview Sarasota County Strategic Plan 2020

Siesta Key Transportation Study Phase1 1 Overview Sarasota County Strategic Plan 2020 Project Scope Outreach Strategies and Projects to Address Existing and Future Mobility Challenges Next Steps 2 2 Siesta Key

671 views • 17 slides
S tandalone T herapy for select A cute Ischemic Stroke Patients (SIESTA-I trial) Siddhart Mehta,

S tandalone T herapy for select A cute Ischemic Stroke Patients (SIESTA-I trial) Siddhart Mehta,

S afety and Efficacy of I ntravenous E ptifibatide as S tandalone T herapy for select A cute Ischemic Stroke Patients (SIESTA-I trial) Siddhart Mehta, MD; Javaad Ahmad, MD; Mohammed Hussain, MD; Jaskiran Brar, MD; Harina Chahal, MD; Mohammad

655 views • 19 slides
Fireball Fireball http://www.fireball-dft.org/web/ SIESTA SIESTA Fireball Fireball

Fireball Fireball http://www.fireball-dft.org/web/ SIESTA SIESTA Fireball Fireball

Fireball Fireball http://www.fireball-dft.org/web/ SIESTA SIESTA Fireball Fireball atomic-like Numerical basis set atomic-like Numerical basis set atomic-like Numerical basis set atomic-like Numerical basis set Precomputed

668 views • 29 slides
Alternatives Public Workshop March 10, 2015 Siesta Key, Florida Financial Project Number 434491

Alternatives Public Workshop March 10, 2015 Siesta Key, Florida Financial Project Number 434491

SR 758 at Beach Road Intersection Improvement PD&amp;E Study Alternatives Public Workshop March 10, 2015 Siesta Key, Florida Financial Project Number 434491 1 52 01 Workshop Format Informal Open House Continuous looping

460 views • 17 slides
Is Your Gut Microbiome Making You Fat? Andrew N. Goldberg, MD, MSCE, FACS Department of

Is Your Gut Microbiome Making You Fat? Andrew N. Goldberg, MD, MSCE, FACS Department of

2/13/2018 Is Your Gut Microbiome Making You Fat? Andrew N. Goldberg, MD, MSCE, FACS Department of Otolaryngology-Head and Neck Surgery University of California-San Francisco Disclosures Siesta Medical Minor stock holder sleep apnea device

814 views • 13 slides
Is AHI the Optimal Outcome Measure in OSA? Andrew N. Goldberg, MD, MSCE Professor Department of

Is AHI the Optimal Outcome Measure in OSA? Andrew N. Goldberg, MD, MSCE Professor Department of

Is AHI the Optimal Outcome Measure in OSA? Andrew N. Goldberg, MD, MSCE Professor Department of Otolaryngology-Head and Neck Surgery University of California-San Francisco Disclosures Siesta Medical Minor stock holder sleep apnea device

442 views • 17 slides
E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed

E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed

E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed time for everything. And there is a time for every event under heaven A time to give birth and a time to die; A time to plant and a time to

626 views • 16 slides
HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1 Health, Safety, and Environment ( HSE ) is crucial for any Oil &amp; Gas and Construction business 2 Main Main accident kinds for the latest three

317 views • 13 slides
THE SOFTWARE Custom camera control software allows extra cameras to be added as needed allowing

THE SOFTWARE Custom camera control software allows extra cameras to be added as needed allowing

Time Slice systems - - also known as bullet time, stop time, or time freeze implement a camera array that ranges anywhere from 24 to 150+ cameras to create an effect of stopped time or extremely slowed time. Although the process was pioneered

197 views • 5 slides
W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

T IME S ERIES D ATA P APERS C OVERED Interactive Visualization of Serial Periodic Data John V. Carlis and Joseph A. Konstan Visualizing and Discovering Non-Trivial Patterns in Large Time Series Databases Jessica Lin, Eamonn Keogh,

764 views • 32 slides
? Same time Same time Same place Same time Same place 2 different painters Our story really

? Same time Same time Same place Same time Same place 2 different painters Our story really

? Same time Same time Same place Same time Same place 2 different painters Our story really begins here The Wise Man Grard Mari Professor of Art History at Sciences-Po The art guru who told fascinating stories Myself Coline Debayle

1.14k views • 57 slides
Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers

Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers

CPSC-313: Introduction to Computer Systems Time and Timers Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers Reading: R&amp;R, Ch 9 Current Time UNIX Time Zero : 00.00 (midnight), January 1,

244 views • 7 slides
Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization.

Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization.

Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization. If round-trip time is used, then accurate clocks are only needed at the anchors. 9/8/05 Jie Gao, CSE590-fall05 1 Time Difference of Arrival

830 views • 54 slides
International Time Use Community &amp; Policy-Relevant Time Use Research Time Use Research

International Time Use Community &amp; Policy-Relevant Time Use Research Time Use Research

International Time Use Community &amp; Policy-Relevant Time Use Research Time Use Research Kimberly Fisher Secretary International Association for Time Use Research Centre for Time Use Research Early Time Use Developments Earliest

661 views • 34 slides
DLVM DLVM A Modern Compiler Framework for Neural Network DSLs DLVM A Modern Compiler Framework

DLVM DLVM A Modern Compiler Framework for Neural Network DSLs DLVM A Modern Compiler Framework

DLVM DLVM A Modern Compiler Framework for Neural Network DSLs DLVM A Modern Compiler Framework for Neural Network DSLs Richard Wei Lane Schwartz Vikram Adve University of Illinois at Urbana-Champaign 1-2 years ago 1-2 years ago Deep

1.9k views • 169 slides
Secure and Efgicient Parsing via Programming Language Theory Neel Krishnaswami &amp; Jeremy

Secure and Efgicient Parsing via Programming Language Theory Neel Krishnaswami &amp; Jeremy

Secure and Efgicient Parsing via Programming Language Theory Neel Krishnaswami &amp; Jeremy Yallop parsing &amp; security types &amp; algebras staging &amp; speed speed &amp; correctness e : &lt; &lt; e &gt; &gt; Parsing

659 views • 48 slides
Staging User Feedback toward Rapid Conflict Resolution in Data Fusion Romila P Pradhan* , Siarhei

Staging User Feedback toward Rapid Conflict Resolution in Data Fusion Romila P Pradhan* , Siarhei

Staging User Feedback toward Rapid Conflict Resolution in Data Fusion Romila P Pradhan* , Siarhei Bykau , Sunil Prabhakar* *Purdue University, Bloomberg L.P. 1 Fusing data from multiple sources Data It Item S 1 S 2 S 3 S 4 Zootopia Howard

461 views • 23 slides
SOCIAL MEDIA AND MDIAS SOCIAUX THE STAGING OF ET MISE EN SCNE HISTORY DE LHISTOIRE

SOCIAL MEDIA AND MDIAS SOCIAUX THE STAGING OF ET MISE EN SCNE HISTORY DE LHISTOIRE

SOCIAL MEDIA AND MDIAS SOCIAUX THE STAGING OF ET MISE EN SCNE HISTORY DE LHISTOIRE Martin Grandjean | University of Lausanne DH2017 | Social Media and the Staging of History INTRODUCTION DH2017 | Social Media and the Staging of History

453 views • 23 slides
Uncertainty Evaluation Metric for Brain Tumour Segmentation Raghav Mehta 1 , Angelos Filos 2 ,

Uncertainty Evaluation Metric for Brain Tumour Segmentation Raghav Mehta 1 , Angelos Filos 2 ,

Uncertainty Evaluation Metric for Brain Tumour Segmentation Raghav Mehta 1 , Angelos Filos 2 , Yarin Gal 2 , and Tal Arbel 1 1. Probabilistic Vision Group &amp; Medical Imaging Lab, Centre for Intelligent Machines, McGill University, Canada 2.

187 views • 15 slides
Managing Your Relationship with Your Supervisor Brianna Blaser Tuesday, September 15, 2009

Managing Your Relationship with Your Supervisor Brianna Blaser Tuesday, September 15, 2009

Managing Your Relationship with Your Supervisor Brianna Blaser Tuesday, September 15, 2009 Managing Your Relationship with Your Supervisor AAAS International nonprofit organization dedicated to advancing science, engineering, and

664 views • 37 slides
Preview of 2020 Activities Grasse River Remediation Project April 2020 1 Topics to be Covered

Preview of 2020 Activities Grasse River Remediation Project April 2020 1 Topics to be Covered

Preview of 2020 Activities Grasse River Remediation Project April 2020 1 Topics to be Covered Presentation Slide Summary Project overview Work completed in 2019 What to expect during 2020 in-river work Monitoring Boating and

487 views • 23 slides
Multilingual Web Content for Mass Consumer Products Manish

Multilingual Web Content for Mass Consumer Products Manish

Multilingual Web Content for Mass Consumer Products Manish Kanwal | Adobe Systems Contents HTML/XML, Images and Multimedia Author Translation, Pushing

491 views • 20 slides

More recommend