Presentation from Shmoocon Firetalks 2015

1. COLLABORATIVE
SCANNING WITH MINIONS
Sharing is Caring

2. @sixdub
• Former USAF cyber guy… New to private sector!
• Pentester / Redteamer for the Adaptive Threat Division (ATD)
of Veris Group
• Really geek out over various aspects of Infosec
• Studying adversarial tactics
• Red team operations
• Malware RE
• Breaking things
• Active developer on the Veil-Framework
•OSCP… and some others
•Volunteer EMT in Fairfax County

3. Collaboration as Tradecraft
• Huge emphasis recently on tools that work in
team environments
• Been lucky enough to witness this change in Red
Team Exercises
•In terms of scanning/enumeration, still see
individualized Nmap used and a lot of the same
issues

4. Kind of Like This...

5. Distributed Scanning
• What is it?
•Using a client server architecture to execute network scanning
• Benefits
• Efficiency – execute multiple jobs across multiple servers
• Covert – originate from many different places/countries during your scan
• Disposable – tear down scan nodes after finished with scanning
• Viewpoint - different results from different places

6. DNmap
• Developed by Sebastián Garcia and presented by
many others
• Awesome:
• Uses SSL for
encryption
• Python / Twisted
• Working PoC
• Not as awesome for me:
• Only .nmap output returned
• No client authentication to
server
• Not easily adapted for teams

7. *http://raidersec.blogspot.com
DNmap Diagram

8. Lack of Client Auth
>openssl s_client -connect <server>:<port>
...Starts the Client ID:1:Alias:Hacked:Version:.6:ImRoot:1
...Send More Commands

9. What I Wanted
• Just a little bit picky :)
• Distributed
• Team Interface -
SYNERGY!
• Automation
• Scheduled jobs
+ + +
• Secure
• Built in
management
capabilities

10. My Creation - Minions
• Collaborative distributed scanning proof of
concept
• Django Backend
• Bootstrap & JQuery front end
•Uses modified DNmap for distributed scanning

11. Mobile Friendly

12. Features
• Execute and schedule distributed scan jobs
• Create and manage scan profiles
• Query and retrieve previous scans
• Download all forms of scan output
• gnmap, xml, nmap (zip is nice)
• Implements different layers of security

13. Changes to DNmap
• Pythonic? Hardly…
• Added ability to poll for new output files and parse to
SQLite
• Added ability to retrieve -oA output forms
• Changed the way the jobs and trace file work
• Added client authentication using certs

14. Use Cases
•External penetration test
•Large scope or late nights
•Internal penetration test
•Single operator - multiple nodes
•External red team
•Throw away scan nodes - hide attribution
•Internal red team
•Compromise and “zombify” internal systems

15. Extra fun things
• Using Linode for your scanning nodes
• Kudos to Ken Westin for the inspiration (see references)
• Future:
•Parsing of Nmap XML output to make scans more queryable
•Smart detection and optimization of Nmap scanning (RTT
Timeouts)
•Rewrite of distributed scanner backend
•Better UI and utilization of the Bootstrap CSS

16. Lots of Nodes (100 to be exact)

17. Demo
Kali Scanning Nodes
Ubuntu Server - Minions Server
192.168.89.173
Nodes
192.168.89.174
192.168.89.175
DNmap SSL C2
Scans
Jobs
File
Targets

18. Questions & Contact
• Hit me up!
• justin[at]sixdub[dot]net
• @sixdub on twitter and github
• sixdub on freenode - #veil and
#armitage
• Blog - Sixdub.net

19. References
http://www.tripwire.com/state-of-
security/vulnerability-management/distributed-
nmap-port-scanning-dnmap-megacluster/
http://raidersec.blogspot.com/2013/01/distribute
d-port-scanning-creating-nmap.html