2. @sixdub
• Former USAF cyber guy… new to the private sector!
• Pentester / red teamer for the Adaptive Threat Division (ATD) of Veris Group
• Really geek out over various aspects of infosec
  • Studying adversarial tactics
  • Red team operations
  • Malware RE
  • Breaking things
• Active developer on the Veil-Framework
• OSCP… and some others
• Volunteer EMT in Fairfax County
3. Collaboration as Tradecraft
• Huge emphasis recently on tools that work in team environments
• Been lucky enough to witness this change in red team exercises
• In terms of scanning/enumeration, still see individualized Nmap used, and a lot of the same issues
5. Distributed Scanning
• What is it?
  • Using a client-server architecture to execute network scanning
• Benefits
  • Efficiency – execute multiple jobs across multiple servers
  • Covert – originate from many different places/countries during your scan
  • Disposable – tear down scan nodes after finished with scanning
  • Viewpoint – different results from different places
6. DNmap
• Developed by Sebastián Garcia and presented by many others
• Awesome:
  • Uses SSL for encryption
  • Python / Twisted
  • Working PoC
• Not as awesome for me:
  • Only .nmap output returned
  • No client authentication to server
  • Not easily adapted for teams
8. Lack of Client Auth
>openssl s_client -connect <server>:<port>
...Starts the Client ID:1:Alias:Hacked:Version:.6:ImRoot:1
...Send More Commands
9. What I Wanted
• Just a little bit picky :)
• Distributed
• Team Interface – SYNERGY!
• Automation
  • Scheduled jobs
• Secure
• Built-in management capabilities
10. My Creation - Minions
• Collaborative distributed scanning proof of concept
• Django backend
• Bootstrap & jQuery front end
• Uses a modified DNmap for distributed scanning
12. Features
• Execute and schedule distributed scan jobs
• Create and manage scan profiles
• Query and retrieve previous scans
• Download all forms of scan output
  • gnmap, xml, nmap (zip is nice)
• Implements different layers of security
13. Changes to DNmap
• Pythonic? Hardly…
• Added ability to poll for new output files and parse them into SQLite
• Added ability to retrieve -oA output forms
• Changed the way the jobs and trace file work
• Added client authentication using certs
14. Use Cases
• External penetration test
  • Large scope or late nights
• Internal penetration test
  • Single operator – multiple nodes
• External red team
  • Throw-away scan nodes – hide attribution
• Internal red team
  • Compromise and “zombify” internal systems
15. Extra fun things
• Using Linode for your scanning nodes
  • Kudos to Ken Westin for the inspiration (see references)
• Future:
  • Parsing of Nmap XML output to make scans more queryable
  • Smart detection and optimization of Nmap scanning (RTT timeouts)
  • Rewrite of distributed scanner backend
  • Better UI and utilization of the Bootstrap CSS
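Slides 13 and 15 describe parsing DNmap output files into SQLite and, as future work, parsing Nmap XML so that finished scans become queryable. The block below is an added example of that idea (my own code, not Minions or DNmap code): it loads a constructed Nmap -oX sample into SQLite under my own table and column names and queries open ports back out.

```python
# Added example, not Minions/DNmap code: load Nmap -oX output into SQLite for querying.
import sqlite3
import xml.etree.ElementTree as ET
# Constructed sample of Nmap XML output, trimmed to the elements parsed below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oA job1 192.168.89.0/24">
 <host><status state="up"/><address addr="192.168.89.173" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="8000"><state state="open"/><service name="http"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.168.89.174" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
 </ports></host>
 <host><status state="down"/><address addr="192.168.89.175" addrtype="ipv4"/></host>
</nmaprun>"""
SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (job TEXT, addr TEXT, state TEXT);
CREATE TABLE IF NOT EXISTS ports (job TEXT, addr TEXT, proto TEXT, port INTEGER,
                                  state TEXT, service TEXT);"""

def open_db(path=":memory:"):
    return sqlite3.connect(path)

def load_nmap_xml(conn, job, xml_text):
    """Insert every host and port from one Nmap XML document under `job`.
    Returns the number of hosts stored; hosts without an IPv4 address are skipped."""
    conn.executescript(SCHEMA)
    stored = 0
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        conn.execute("INSERT INTO hosts VALUES (?,?,?)",
                     (job, ip, host.find("status").get("state")))
        stored += 1
        for port in host.iter("port"):  # a host that is down simply has no <port>
            svc = port.find("service")
            conn.execute("INSERT INTO ports VALUES (?,?,?,?,?,?)",
                         (job, ip, port.get("protocol"), int(port.get("portid")),
                          port.find("state").get("state"),
                          svc.get("name") if svc is not None else None))
    conn.commit()
    return stored

def open_ports(conn, service=None):
    """Open ports across all stored jobs, optionally filtered by service name."""
    sql = "SELECT addr, port, service FROM ports WHERE state = 'open'"
    sql += "" if service is None else " AND service = ?"
    args = () if service is None else (service,)
    return conn.execute(sql + " ORDER BY addr, port", args).fetchall()
```

Calling load_nmap_xml once per finished job with the job's name lets later queries join results from nodes and scans that ran at different times.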
17. Demo
[Demo diagram: an Ubuntu server running the Minions server (192.168.89.173) and two Kali scanning nodes (192.168.89.174, 192.168.89.175) connected over DNmap SSL C2; Minions objects shown: Scans, Jobs, File, Targets]
18. Questions & Contact
• Hit me up!
  • justin[at]sixdub[dot]net
  • @sixdub on twitter and github
  • sixdub on freenode - #veil and #armitage
  • Blog - Sixdub.net