Will
@harmj0y
Veris Group
Wielding a Cortana
$ whoami
• Security researcher and penetration tester for
Veris Group
• Co-founder of the Veil-Framework #avlol
o www.veil-framework.com
o Shmoocon ‘14: AV Evasion with the Veil Framework
o co-wrote Veil-Evasion, wrote Veil-Catapult and Veil-PowerView
• https://github.com/HarmJ0y/
• http://harmj0y.net
tl;dr
• Cortana? wtf
• OK that’s cool, what can I do
• Cortana use cases:
o grabcreds.cna - auto hash dumping
o safetynet.cna - saving shells
o veil_evasion.cna - #avlol :)
o user_hunter.cna - find DAs
o beacon.cna - graphical beacons*
Cortana? wtf
• Raphael Mudge’s DARPA cyber fast track
project
• Allows for the scripting of Armitage and/or
Metasploit itself
o Some of this functionality is restricted to Cobalt
Strike - marked by a *
• Doesn’t seem to have publicly caught on
o Which is dumb, since it’s incredibly useful
Cortana: Why Use It
• Allows for the easy customization of an
already existing, powerful tool
• Many standard pentest actions can be
automated and manipulated in useful ways
• Lets you minimize the time spent doing
repetitive tasks
Cortana Background
• Cortana is a set of extensions to the Sleep
language that allows for the control of
Armitage/Metasploit
• Sleep = Java-based scripting language
heavily inspired by Perl and written by
Raphael
o http://sleep.dashnine.org/documentation.html
o http://www.fastandeasyhacking.com/download/cortana/cortana_tutorial.pdf
Sleep 101
• “Sleep is primarily a glue language and was
designed from the ground up to be
embedded in Java applications…[it] brings
the power of Perl to the Java platform.”
• Much of the backend of Armitage is actually
written in Sleep
https://today.java.net/pub/a/today/2005/07/14/sleep.html
Cortana 101
• Interaction with Metasploit is baked in
through utilization of MSF’s RPC interface
• You can send commands to a Meterpreter
session, interact with the backend database,
launch modules, etc.
• m_cmd($1, "sysinfo");
• host_info($address);
• exploit("windows/smb/ms08_067_netapi", $addr);
Cortana 101
• Triggers can be set up to asynchronously
fire on various actions/events:
o new sessions
o meterpreter/shell commands
o new hosts/services/routes/etc.
• Lets you perform contextual actions and
automate a lot of post-exploitation
Cortana 101
Cortana 101
• The user interface for Armitage can be easily
modified:
o new program menus
o new meterpreter action menus
o changeable host icons
• Lots of examples at:
https://github.com/rsmudge/cortana-scripts
https://github.com/HarmJ0y/cortana
Cortana Use Cases
Use Case #1
• On each meterpreter session that comes in,
we always like to grab all credentials we can
from the box:
o hashdump
o run mimikatz
o see if a user we want is logged in
• ASPNET? Guest? SUPPORT_*? no thx
How Can Cortana Help?
• grabcreds.cna
o on session_sync { … }
o m_cmd($1, "wdigest");
o on meterpreter_wdigest { … }
• On each host that comes in:
o run hashdump and mimikatz
o filter out account names we don’t want
o dump creds to the database
o check users found against a designated list
o announce results on the team chat*
grabcreds.cna
Use Case #2
• Losing shells sucks
• Our standard procedure is to inject additional
sessions (or beacons*) for fallback in case
our main working session dies
o and not to just one C2 server
• This becomes tedious when you’re dealing
with A LOT of shells and various handlers
How Can Cortana Help?
• safetynet.cna
o on session_sync { … }
o launch("post", …)
• automatically runs a payload inject module
against each host
o injects a “safetynet” payload
• Problem:
o we want to inject two payloads, one from the existing
process context and one into explorer.exe
Sidenote: smart_payload_inject.rb
• Existing payload_inject.rb only allows for
injection against predefined process IDs
• smart_migrate.rb allows for “smart”
migration into explorer.exe
• Combine the two -> easy injection into a
specific process name, explorer.exe default
safetynet.cna - interface
Adding From Existing Listeners*
Custom Safetynet Payloads
Installing Safetynets
Use Case #3
• Armitage/Cobalt Strike are great, but
sometimes we want specific gui
modifications
• Say we want to have a Cobalt Strike
workspace containing only hosts with active
beacons*
*http://www.advancedpentest.com/help-beacon
How Can Cortana Help?
• We can grab the active beacon list
o @beacons = call('beacon.list');
• We can setup ‘heartbeat’ callbacks to
periodically perform actions
o on heartbeat_5s {…}
• We can modify our gui in useful ways
o filter host_image { …change a host’s gui image …}
o bind Ctrl+B { open_beacon_browser(); }
Graphical Beacons
Use Case #4
• psexec in Metasploit is great, but the
standard exe templates = no good
• Veil-Evasion does a great job at generating
AV-evading executables :)
• But generating each time, reconfiguring
paths, etc. is a pain
How Can Cortana Help?
• veil_evasion.cna
o filter user_launch { … }
o exec(SYSTEM COMMAND);
• Invokes Veil-Evasion to generate a binary,
intercepts psexec calls in Armitage, and
substitutes this in for a custom EXE
• No more caught payloads :)
Sidenote: swing >_<
• Exposed Cortana functions are great, but
didn’t quite cover exactly what we wanted
• Luckily, Cortana scripts can integrate various
java/swing GUI manipulations
• And guess what? Armitage has examples.
And it’s BSD-licensed
Armitage Backend
Armitage Backend
veil_evasion.cna - Main Menu
veil_evasion.cna - Main Interface
Use case #5
• What’s the usual goal for a smash-and-grab
pentest?
• Find out who the domain admins are
• Find where they’re logged into
• Find a set of credentials that gives us
SYSTEM on their box
• psexec, pop a box, mimikatz, profit
Situational Awareness 101
• Manual process on the domain side:
• net user /domain
• net group /domain
• net view
• net view <hostname>
• net sessions <hostname>
Netview.exe
• Rob Fuller (@mubix) released a tool at
Derbycon 2012 called Netview, which
“enumerates systems using WinAPI calls”
• Can find hosts, shares, and logged on users
across a network
• Two API calls really interest us:
o NetServerEnum – enumerate (from the DC) domain
systems of a certain type
o NetWkstaUserEnum – get users logged onto a
system
Metasploit
• Most of this type of functionality already
exists in Metasploit (of course):
• smb_enumusers_domain
o uses NetWkstaUserEnum (through railgun) to get
users logged into a particular machine
• local_admin_search_enum
o checks a range of IPs to see if the current user has
admin access, and grabs the logged in users with
NetWkstaUserEnum as well
Metasploit
• enum_domain_group_users
o runs “net groups GROUP /domain” against a host
and parses the results
• computer_browser_discovery
o queries the default domain controller for all hosts of
a particular type using NetServerEnum
user_hunter.rb
• New Metasploit module, drawing from
existing functionality
• Takes a username, userlist, or domain group
to query against the local DC
• Takes a host list, or runs “net view” to try to
enumerate all machines on a domain
user_hunter.rb
• Runs NetWkstaUserEnum against each
target host to determine the users logged
into the machine
• Compares this against the target user list,
throwing a specific user.hunter note into the
database when it finds a match
• point -> click -> be told where DAs are
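As an added, defender-side example that is not part of the original slides: the user-hunting sweep described above (NetWkstaUserEnum over the wkssvc pipe, NetServerEnum over srvsvc) shows up as a burst of Windows Security event 5145 IPC$ pipe accesses from one client against many hosts in a short time. The script assumes "Audit Detailed File Share" is enabled and that the 5145 fields have been flattened to `ts|source_ip|target|share|pipe`; every record, host name and IP in it is constructed sample data.

```python
"""Flag a NetWkstaUserEnum / NetServerEnum sweep from Windows Security event 5145.

Assumptions (not from the original slides):
  * "Audit Detailed File Share" is enabled, so 5145 is logged for IPC$ access
    and RelativeTargetName carries the named-pipe name.
  * Events were collected centrally and flattened to the pipe-delimited fields
    parsed below; every record, host name and IP here is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Named pipes behind the enumeration APIs the slides discuss:
#   wkssvc -> NetWkstaUserEnum (users logged on to a host)
#   srvsvc -> NetServerEnum / NetSessionEnum (domain hosts, SMB sessions)
ENUM_PIPES = {"wkssvc", "srvsvc"}


@dataclass(frozen=True)
class ShareAccess:
    ts: datetime     # TimeCreated
    source_ip: str   # IpAddress (the client doing the enumerating)
    target: str      # Computer (the host that logged the event)
    share: str       # ShareName, e.g. \\*\IPC$
    pipe: str        # RelativeTargetName: the pipe name when the share is IPC$


def parse_5145(line: str) -> ShareAccess:
    """Parse one flattened record: 'ts|source_ip|target|share|pipe'."""
    ts, src, target, share, pipe = line.strip().split("|")
    return ShareAccess(datetime.fromisoformat(ts), src, target, share, pipe.lower())


def find_enum_sweeps(events, window=timedelta(minutes=10), min_hosts=5, allowlist=()):
    """Return {source_ip: sorted target hosts} for every source that hit an
    enumeration pipe on at least `min_hosts` distinct hosts within `window`.
    A sliding window per source keeps slow, legitimate admin activity below
    the threshold while a scripted sweep (many hosts in seconds) crosses it."""
    per_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if (ev.share.upper().endswith("IPC$") and ev.pipe in ENUM_PIPES
                and ev.source_ip not in allowlist):
            per_source[ev.source_ip].append(ev)

    hits = {}
    for src, evs in per_source.items():        # evs are already in time order
        start = 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:   # drop events older than window
                start += 1
            hosts = {e.target for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits


# Constructed sample: one scripted sweep (10.0.5.23), a two-host admin check
# (10.0.1.10), a print-spooler pipe that is not enumeration (10.0.2.7), an
# allow-listed monitoring server (10.0.1.5) and a slow source (10.0.9.9).
SAMPLE_5145 = r"""
2024-03-01T09:00:01|10.0.5.23|WS01|\\*\IPC$|wkssvc
2024-03-01T09:00:03|10.0.5.23|WS02|\\*\IPC$|wkssvc
2024-03-01T09:00:05|10.0.5.23|WS03|\\*\IPC$|wkssvc
2024-03-01T09:00:06|10.0.5.23|WS04|\\*\IPC$|srvsvc
2024-03-01T09:00:08|10.0.5.23|WS05|\\*\IPC$|wkssvc
2024-03-01T09:00:09|10.0.5.23|WS01|\\*\IPC$|wkssvc
2024-03-01T09:00:10|10.0.1.10|FS01|\\*\IPC$|srvsvc
2024-03-01T09:00:12|10.0.1.10|FS02|\\*\IPC$|srvsvc
2024-03-01T09:00:15|10.0.2.7|WS06|\\*\IPC$|spoolss
2024-03-01T09:01:00|10.0.1.5|WS01|\\*\IPC$|wkssvc
2024-03-01T09:01:01|10.0.1.5|WS02|\\*\IPC$|wkssvc
2024-03-01T09:01:02|10.0.1.5|WS03|\\*\IPC$|wkssvc
2024-03-01T09:01:03|10.0.1.5|WS04|\\*\IPC$|wkssvc
2024-03-01T09:01:04|10.0.1.5|WS05|\\*\IPC$|wkssvc
2024-03-01T08:00:00|10.0.9.9|WS10|\\*\IPC$|wkssvc
2024-03-01T08:30:00|10.0.9.9|WS11|\\*\IPC$|wkssvc
2024-03-01T09:00:00|10.0.9.9|WS12|\\*\IPC$|wkssvc
2024-03-01T09:30:00|10.0.9.9|WS13|\\*\IPC$|wkssvc
2024-03-01T10:00:00|10.0.9.9|WS14|\\*\IPC$|wkssvc
"""


def run_sample(allowlist=("10.0.1.5",)):
    """Parse the constructed records and return the sweeps found."""
    events = [parse_5145(l) for l in SAMPLE_5145.strip().splitlines()]
    return find_enum_sweeps(events, min_hosts=5, allowlist=allowlist)


if __name__ == "__main__":
    for src, hosts in run_sample().items():
        print(f"enumeration sweep from {src}: {len(hosts)} hosts {hosts}")
```

Tune `window` and `min_hosts` to the environment; vulnerability scanners and inventory agents that legitimately walk every host belong on the allowlist rather than raising the threshold for everyone.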
How Can Cortana Help?
• We can interact fully with the msf database
o @notes = call("db.notes")["notes"];
• We can setup ‘heartbeat’ callbacks to
periodically perform actions
o on heartbeat_5s {…}
• We can modify our gui in useful ways
o filter host_image { …change a host’s gui image …}
Cortana – user_hunter.cna
• Cortana script that periodically polls the MSF
database for our user.hunter notes
• Modifies the host icons of any systems with
found users
o i.e. any systems where a DA is logged into!
• Also adds an option to launch the
user_hunter.rb module from any
meterpreter session
Demo
Recap
• Cortana is awesome, contribute!
o https://github.com/rsmudge/cortana-scripts
o https://github.com/HarmJ0y/cortana
• Many standard assessment actions can be
automated and manipulated in useful ways
• The less time you spend doing repetitive
actions = the more you can spend pwning
the client
Questions?
Will
@harmj0y
will@harmj0y.net
harmj0y on Freenode - #veil and #armitage
Get the Cortana pack:
https://github.com/HarmJ0y/cortana
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Dernier (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

Wielding a cortana

Cortana 101
• Interaction with Metasploit is baked in through utilization of MSF's RPC interface
• You can send commands to a Meterpreter session, interact with the backend database, launch modules, etc.
• m_cmd($1, "sysinfo");
• host_info($address);
• exploit("windows/smb/ms08_067_netapi", $addr);

Cortana 101
• Triggers can be set up to asynchronously fire on various actions/events:
o new sessions
o meterpreter/shell commands
o new hosts/services/routes/etc.
• Lets you perform contextual actions and automate a lot of post-exploitation

Cortana 101
• The user interface for Armitage can be easily modified:
o new program menus
o new meterpreter action menus
o changeable host icons
• Lots of examples at:
https://github.com/rsmudge/cortana-scripts
https://github.com/HarmJ0y/cortana

Use Case #1
• On each meterpreter session that comes in, we always like to grab all credentials we can from the box:
o hashdump
o run mimikatz
o see if a user we want is logged in
• ASPNET? Guest? SUPPORT_*? no thx

How Can Cortana Help?
• grabcreds.cna
o on session_sync { … }
o m_cmd($1, "wdigest");
o on meterpreter_wdigest { … }
• On each host that comes in:
o run hashdump and mimikatz
o filter out account names we don't want
o dump creds to the database
o check users found against a designated list
o announce results on the team chat*

Use Case #2
• Losing shells sucks
• Our standard procedure is to inject additional sessions (or beacons*) for fallback in case our main working session dies
o and not to just one C2 server
• This becomes tedious when you're dealing with A LOT of shells and various handlers

How Can Cortana Help?
• safetynet.cna
o on session_sync { … }
o launch("post", …)
• automatically runs a payload inject module against each host
o injects a "safetynet" payload
• Problem:
o we want to inject two payloads, one from the existing process context and one into explorer.exe

Sidenote: smart_payload_inject.rb
• Existing payload_inject.rb only allows for injection against predefined process IDs
• smart_migrate.rb allows for "smart" migration into explorer.exe
• Combine the two -> easy injection into a specific process name, explorer.exe default

Adding From Existing Listeners*

Use Case #3
• Armitage/Cobalt Strike are great, but sometimes we want specific gui modifications
• Say we want to have a Cobalt Strike workspace containing only hosts with active beacons*
*http://www.advancedpentest.com/help-beacon

How Can Cortana Help?
• We can grab the active beacon list
o @beacons = call('beacon.list');
• We can set up 'heartbeat' callbacks to periodically perform actions
o on heartbeat_5s { … }
• We can modify our gui in useful ways
o filter host_image { …change a host's gui image… }
o bind Ctrl+B { open_beacon_browser(); }

Use Case #4
• psexec in Metasploit is great, but the standard exe templates = no good
• Veil-Evasion does a great job at generating AV-evading executables :)
• But generating each time, reconfiguring paths, etc. is a pain

How Can Cortana Help?
• veil_evasion.cna
o filter user_launch { … }
o exec(SYSTEM COMMAND);
• Invokes Veil-Evasion to generate a binary, intercepts psexec calls in Armitage, and substitutes this in for a custom EXE
• No more caught payloads :)

Sidenote: swing >_<
• Exposed Cortana functions are great, but didn't quite cover exactly what we wanted
• Luckily, Cortana scripts can integrate various java/swing GUI manipulations
• And guess what? Armitage has examples. And it's BSD-licensed

Use Case #5
• What's the usual goal for a smash-and-grab pentest?
• Find out who the domain admins are
• Find where they're logged in
• Find a set of credentials that gives us SYSTEM on their box
• psexec, pop a box, mimikatz, profit

Situational Awareness 101
• Manual process on the domain side:
• net user /domain
• net group /domain
• net view
• net view <hostname>
• net sessions <hostname>

Netview.exe
• Rob Fuller (@mubix) released a tool at Derbycon 2012 called Netview, which "enumerates systems using WinAPI calls"
• Can find hosts, shares, and logged on users across a network
• Two API calls really interest us:
o NetServerEnum – enumerate (from the DC) domain systems of a certain type
o NetWkstaUserEnum – get users logged onto a system

Metasploit
• Most of this type of functionality already exists in Metasploit (of course):
• smb_enumusers_domain
o uses NetWkstaUserEnum (through railgun) to get users logged into a particular machine
• local_admin_search_enum
o checks a range of IPs to see if the current user has admin access, and grabs the logged in users with NetWkstaUserEnum as well

Metasploit
• enum_domain_group_users
o runs "net groups GROUP /domain" against a host and parses the results
• computer_browser_discovery
o queries the default domain controller for all hosts of a particular type using NetServerEnum

user_hunter.rb
• New Metasploit module, drawing from existing functionality
• Takes a username, userlist, or domain group to query against the local DC
• Takes a host list, or runs "net view" to try to enumerate all machines on a domain

user_hunter.rb
• Runs NetWkstaUserEnum against each target host to determine the users logged into the machine
• Compares this against the target user list, throwing a specific user.hunter note into the database when it finds a match
• point -> click -> be told where DAs are

How Can Cortana Help?
• We can interact fully with the msf database
o @notes = call("db.notes")["notes"];
• We can set up 'heartbeat' callbacks to periodically perform actions
o on heartbeat_5s { … }
• We can modify our gui in useful ways
o filter host_image { …change a host's gui image… }

Cortana – user_hunter.cna
• Cortana script that periodically polls the MSF database for our user.hunter notes
• Modifies the host icons of any systems with found users
o i.e. any systems where a DA is logged in!
• Also adds an option to launch the user_hunter.rb module from any meterpreter session
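The heartbeat / db.notes / host_image pattern the last two slides describe, written out as an added Cortana example (this is not the author's user_hunter.cna). It assumes the "user.hunter" note type from the slides, that the RPC note records carry the host address under 'host' and the text under 'data', and a hypothetical flagged.png icon sitting next to the script.

```sleep
# Added example, not the author's script. Poll the MSF database for
# "user.hunter" notes and mark the matching hosts in the Armitage GUI.
# Assumptions: note fields 'type', 'host' and 'data' (RPC field names),
# and a hypothetical overlay icon flagged.png beside this .cna file.

global('%flagged');   # address -> note text, refreshed by the heartbeat

# Re-read the notes table every 5 seconds. %flagged is rebuilt from
# scratch each time, so a host drops off the map if its note is deleted.
on heartbeat_5s {
    local('@notes $note %seen');
    @notes = call("db.notes")["notes"];
    foreach $note (@notes) {
        if ($note['type'] eq "user.hunter") {
            %seen[$note['host']] = $note['data'];
        }
    }
    %flagged = %seen;
}

# Armitage runs this filter when it draws a host: $1 is the list of
# images to stack, $2 the host record. Add an overlay for flagged hosts
# and hand the arguments back, as every Cortana filter has to.
filter host_image {
    local('$address');
    $address = $2['address'];
    if ($address in %flagged) {
        push($1, script_resource("flagged.png"));
    }
    return @_;
}

# Ctrl+U shows a plain summary of which hosts were flagged and why,
# so the operator is not left guessing from icons alone.
bind Ctrl+U {
    local('$address $data $out');
    foreach $address => $data (%flagged) {
        $out .= "$address : $data\n";
    }
    show_message(iff($out eq "", "no user.hunter notes yet", $out));
}
```

Load it with Armitage's Scripts menu (or `load` from the Cortana console); the overlay appears only once the first heartbeat has run.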
Demo

Recap
• Cortana is awesome, contribute!
o https://github.com/rsmudge/cortana-scripts
o https://github.com/HarmJ0y/cortana
• Many standard assessment actions can be automated and manipulated in useful ways
• The less time you spend doing repetitive actions = the more you can spend pwning the client

Questions?
Will
@harmj0y
will@harmj0y.net
harmj0y on Freenode - #veil and #armitage
Get the cortana pack - https://github.com/HarmJ0y/cortana