Time
19 minutes
Difficulty
Intermediate

Video Transcription

00:05
Hello and welcome back to breaking stuff with Joe here on Cyber Eri on demand for those you have not seen our videos before a little bit about me and a little bit about this Siri's I'm Joe Perry. I'm the director of research here in cyber ery, which means that I get to spend a lot of my time creating new material, new security material, new training
00:23
as well as helping to sort of advance the front edge of what we understand about cyber security.
00:27
So one of the main things that I get to do here is making Siri's like this one the breaking stuff with groceries. In this series, we have generally between about 10 and 30 minute videos in which we explore different tools of cybersecurity. We'll go over three core objectives and pretty much every video what the tool is, what its for what it does,
00:46
how that tool can be used. So some basic commands
00:49
and then a general overview of that cool. Those were our three objectives, so that you get not only the basic information how to use it, which would be like a 32nd video each time, but also just sort of a familiarity with it. You can walk through it in our sandbox at the same time that I'm walking through it in these videos. So thank you for watching. And today we're gonna be talking about a PT, too.
01:07
So not get our very first objective. We're gonna talk about what is a PT too.
01:11
And what is it for? This is the advanced penetration testing toolkit there to tease. Therefore, it's t, too. That doesn't actually make that acronym any shorter, but it does make it a little bit nicer looking. So a P T. To the advanced penetration testing tool kit is a really interesting tool, especially as compares to a lot of our other breaking stuff with Joe videos.
01:30
In previous videos, we've focused on tools that have
01:34
a single granular task tools that scanning networks, pools and identify devices, tools and find exploits.
01:41
We haven't really looked at tools that do sort of the whole package, these overarching automation and framework kind of tools, like a PT, too. So what we're doing with this what this will actually does uses lots of different modules, and we'll explore those when we're doing our sort of familiarity building, but it makes use of a bunch of different modules,
01:57
and it performs or uses the results of an end map scan
02:00
and attempts to use those modules to automatically exploit and target the machines that are revealed by your end. Mops can. Now 82 doesn't have his extensive a module library as some, but it does. It is able to interface with your medicine debate database and with N map, and so it can perform a lot of the operations that are already in those just in an automated fashion.
02:21
So it performs this scan or it gets the results. Either way, it gets the resulting file. Oven end mops can.
02:28
It examines all of the hosts and all the targets and then unwrap scan. And then it looks through the database to find out if there are any known exploits they're associating with.
02:36
And we'll see again when we do the familiarity that you can kind of tune that search. But that's the core idea of what this is for and when it does. So
02:45
just in a nutshell. Automate your pendant
02:47
process. Uh, pretty straightforward makes a lot of sense, given the name so Now we're gonna go. We're gonna jump in or V M. We're gonna see it actually in use, and we're gonna complete objectives two and three. So thanks for watching. I'm Joe Perry. This is breaking stuff with Joe here on Cyber Eri on Demand.
03:05
So first things first as we would with just about any tool that we're going to be using. We're working out of our Callie bm here. First things first. We have to make sure we actually have it now. A PT too is a tool that doesn't necessarily come installed on Callie, so we're gonna have to pull it down ourselves. Fortunately, it's a pretty easy process to do. So we're just gonna go ahead. We're gonna run the pseudo
03:23
at,
03:25
stole a PT, too,
03:30
and it's just gonna run. It doesn't take terribly long. It's only about 309 kilobytes. Uh, you can see that I have
03:38
it has most of the the dependencies already installed, so it's a pretty quick install process that's a little bit slower. Just because the VM I'm working on doesn't have a ton of memory associated with it.
03:51
There we go. So now we have a P t to install it. And we contest that by typing a teepee to tak e h
03:59
and should there you spit out some help for us.
04:09
So what we're gonna do now is we're gonna actually go through, and we're gonna look at some of the ways that you can actually use it. We're gonna get an understanding of its actual
04:17
functionality, the actual use of this particular tool. So to do that, we're gonna go ahead. We're just gonna try running a B T too
04:25
a p t. Two by itself, with no options and see what we get.
04:30
You could see that it spits up a welcome message for us. Nice and pretty looking. Ask yogurt and then it keeps loading. You can see here that it has a problem loading these modules right out of the gate. It's not able for some reason, it's not able to load some of these modules, and we'll examine exactly why here in just a second
04:46
and then additionally you could see that it isn't able to connect to the Medicis played msgr PC
04:53
and
04:55
I think that's all over issues. They're ago, so you can see we've got a couple of areas that we want to work through, and they're not actually errors their you know, their reasons why this isn't working, but it's a useful way for us to explore all the things that we do with this tool. So let's just look at the very 1st 1 and we can see up here. Well, went too far.
05:11
We could see appear at the top that the first series of errors that got spat out our module and then some name is disabled.
05:19
And the reason it gives us is because the safety level is below the requirement, which is for now we don't really. We haven't looked at that yet. So what we need to understand about safety level is that the idea behind this is that a PT, too, isn't automated. We've talked what I've said that several times. A PT two is all about automation.
05:36
However, pen testing is not an easily automated process because
05:42
there's always the consideration of how safe am I being. Am I going to get caught? We're gonna take down my target unintentionally. Am I gonna mess up the network that I'm examining? And so part of a PT two's process is that it has safety levels that are built into it, that we can configure manual, and I'll show you how to do that. Here in just a minute,
05:58
we can configure manual and say This is the level of security that we're willing to work with
06:02
and you can see here we currently have a set of four that's by default. It goes from I believe it's 1 to 55 course being the most safe, which doesn't really do a ton of work just because of how safe and how date or how cautious you're being with the lower the number, the less safe we're gonna get,
06:19
and we can do some really, really dangerous tasks. But they are more likely to be successful
06:26
because more because, really, all the consideration is being paid to. Will this work rather than considering, isn't it? Is it safe is gonna get caught?
06:33
So it's our first year, so we need to figure out how we could mess with either. We can accept that those modules don't load or how we can modify that configuration value. The second error we got is that it's attempting to connect to medicinally and make use of the MSG. RPC, in other words, is attempting to make use of medicine modules
06:49
to perform its operations. And you can see down here it gives instructions because this again is sort of a built in error, not a built in error, but
06:58
something that's known at base configuration.
07:00
So the first thing we're gonna have to do is actually create the MSF counsel and then give it the following commands. So we're gonna go and we're gonna do that real fast.
07:15
MSF counsel.
07:23
I'll open a new tab here so that we can reference back to see what commands we're gonna want to type in.
07:34
All right, it's taking a little time to load. We might do a little movie magic and skip through the load process.
07:42
Alright, We skipped ahead just a little bit there. But now we finally have our medicine framework console loaded and you can see down here we have MSF will clear the screen up a little bit, make it a little easier to read.
07:54
Maybe
07:56
they're united type. And over here on the other tab, I went ahead and reloaded a bt too, so that we could see these messages again
08:01
and again, we're just going to directly copy paste these. We're not gonna do anything fancy. We're just going to set these configurations.
08:11
We can see that it successfully loaded. We have our user name and password for it,
08:16
and then we're going to run
08:18
this resource command.
08:20
It's not terribly important to understand exactly what's happening under the hood. Essentially, what we're doing is we're starting up a remote procedure call, so we're allowing other processes to call into our medicine framework on then, from there, we're also give telling it to load a specific resource.
08:35
So we load that
08:37
and we're not going to do there at all.
08:41
There you go
08:45
way paste that, and we load a resource.
08:48
There you go. You could say you could see it takes a little bit of time
08:50
and eventually lose. Now there are some areas in there that's okay.
08:54
It's not anything terrible to worry about. It's just telling you that those you can see there's nothing actually happening right now, so therefore it doesn't need to load those modules. We can see the resource is loaded. We can see that a PT too now should be able to interact with our framework. And to test that all we needed to do is clear a screen up a little bit and rerun our command.
09:11
And if everything were correctly, we should not have that particular error message anymore.
09:16
We're just going to have the air message for our modules that we're going to fix right about now As soon as this is done loading. Okay. So you can see that we no longer have our error message were correctly connected to our medicinally console. It's able to make use of those modules in our process now.
09:31
So I did slightly misspeak earlier when I referenced safety as being something that we're gonna mess with in the configuration file. That's an argument that we're going to be giving it. But we are going to look at the configuration file first and see what we can do. T sort of control the automated process used in a PT too. We were gonna do that. First we gonna clear a screen up a little bit,
09:50
and we're just gonna modify the configuration file which could be found it at sea.
09:56
No, don't do that.
09:58
See if I can remember it correctly. Yes, etc. a B t too.
10:01
Default, not C f g.
10:03
We're just gonna modify that file. We're gonna have a look at what? It hasn't it. So you can see here that the first configuration option that we have is medicine point. You'll recall from just a couple seconds ago we set up our medicine late RPC. That's all this is. Configuring is where we're connecting, which in this case is gonna be the local host. What Porter reusing and what our user name and passwords
10:24
underneath that you could see that we can also configure it or configure configure it. That's not even a word. We can configure our end map command. And remember that map is what all of this is kind of going to be based on. It's going to scan the targets. It's going to see what they're running, see what applications they have and then perform experts against them.
10:39
And so you can see that right now we're just targeting against a local host network, which is totally fine
10:45
in your sandbox. There might be a little bit more verbosity to it, a little bit more robustness, but for this I'm just demonstrating on a basic Callie V. M. So we're targeting our local host network. We have a scan time of s and we're targeting specific ports on. We can, of course, modify this to make it Maura or less secure, faster
11:01
or slower Maur or fewer ports and more or fewer targets.
11:05
All of that is configurable. You're essentially just writing your and map command broken out, piece by piece blow that you can see threading. We have a maximum number of modular, a number of threads that it's willing to run at a time. Each of the students, generally speaking, is going to be its own module performing whatever operation that module is tasked with.
11:22
And below that you can see we have some information on the responder people tool paths. And below that we have. Yet we have searching those you're not gonna mess with nearly as often. Usually you're gonna leave those alone unless you have a good reason to change the interface. But the vast majority of the time, you're really just gonna be focused on your medicine plate
11:39
and your end map commands and occasionally met messing with the number of threads you have running.
11:45
So that's the configuration file. Just when did you see that? Get familiar with it.
11:48
The next thing we want to do. I mentioned safety earlier, and that's actually I misspoke earlier and said that was part of the configuration file. In fact, it's actually one of the command options that we can give to a PT, too, when we run it. And we could see that just by running or help menu again
12:05
and scrolling back up. Here we go. So again, because resumed in the
12:09
text is a little bit screwy to read, but Tak es determines the safe level. And just like I said before the minimum safe level zero, it's actually 025125 The minimum safe level of zero is extremely unsafe. It's going to it's gonna run everything it's got. It doesn't care if it gets busted. It doesn't care if it breaks something, it's just gonna run.
12:28
The much more secure, much safer level is five
12:31
that's going to exclude a very large number of your modules.
12:35
The default, as you know, is for now, as we're going through our help menu, since we're already here, it is worth noticing that right below that we have this exclude types. And in just a second, when we see all the module types in a PT, too will understand what it means to exp
12:48
to exclude a specific type. Excuse me, I've got the hiccups apparently on and we can give it. And we can give it multiple items on this list and say, Don't run these module types. You would exclude model types if you know their security against them or if you know the answer that's already going to come back for them or if you're trying to do a test very quickly and you're looking for a specific information,
13:07
there are all sorts of reasons why you might want to specify
13:09
which types you're going to be using. Below that you can see we've got a couple of potential inputs. We've got a configuration file, which is going to already be included in it. So we don't really need to modify that. We've got the initial targets that we could modify
13:24
that we can specify rather,
13:26
and then what? Crazy there and then below that the miscellaneous coming in, the one we're gonna look at right now is list modules. So that's all of the current modules that a PT too has installed for use. And we're going to do that very easily just by running first by clearing than by running a PT, too.
13:43
I already forgot the exact command list. Modules. Okay,
13:50
list modules.
13:54
Let's have a look at what we've got here
13:56
and again. It's going to spit up this this help menu and does that pretty often. You could see that we still got those errors because we didn't modify the safety, which is my bad. I'm going to fix that now.
14:05
List modules. Tak es zero.
14:11
And we shouldn't get those ears Scroll back up to make sure.
14:16
Now this output can be kind of ugly to look at, as you can see, especially with zoomed in text. It could be a little bit rough to read, so you can out put it to a file or you can grab against you can perform all sorts of specific.
14:28
You got all the way back up top and see past it.
14:31
There you go. So you can see that there is a requirement not meant for this Jack spots. But the rest of our modules are loaded. So we're not gonna worry about it too much. S o. The way this is laid out is our first field is the module name. Then we have the type which I mentioned just a second ago. The different types can see we have action. We have certificates rolled down and find the other types.
14:52
I think action may be the only module we have loaded right now. No below that. We have input and we have reports
14:58
s so we can disable any of those types of modules. It's a little bit of a broad. It's not really a scalpel. It's kind of a sledgehammer. Method weaken. Disable any of those types if we need to. You can see we have our safety level, which is the next field right here, which is 2453 going down the list. That again just specifies how secure or not, how secure but
15:18
how loud and how dangerous the specific module might be.
15:20
You can see that this is a two, which is to say that it is a very dangerous module. It's not the most. It's not the worst against, but it's pretty rough on, and it makes sense when you look below that you see, there was trying to do is brute force SNB passwords a pretty big deal
15:35
further down we have. If I could get it to work, We have something that might be familiar to those who are longtime viewers of breaking stuff with Joe
15:45
Comma work with me here.
15:52
Oh,
15:54
past one of them. So we got s and M p walk, which is something that we talked about before for SNP. You're actually also able to generate, and I'll find the module and loaded. Actually, you know what? I could do it this way.
16:04
Job,
16:06
See if it'll loaded for us. That's not what I meant. I meant to do it all.
16:10
Grab John. There we go.
16:11
See if it'll find it for us.
16:14
John the Ripper is a module that is available to a PT, too. It doesn't look like it came install in this particular instance of it. That's okay. Password cracking is one of the things that is built into a B D, too. As you saw with the S and P password cracker above.
16:26
I was hoping that would be a lot cooler than once. But that's okay. So the next thing and the last thing I want to look at is an actual A PT to command that we're going.
16:34
You know, we have accomplished our 1st 2 objectives of seeing you know what the tool is and what it's for and then actually getting familiar with sort of the intricacies in the in and outs of the tool. The last thing we want to do is actually run a command and see it in motion the command we're gonna run this time it's gonna be a PT, too.
16:48
We're gonna say the safety is gonna be zero through everything you got at it and we're going to do something that is extremely inadvisable to do at home or on any system. Unless it's of'em. You know, you can reboot if it crashes, and I'm actually gonna go ahead and target the local machine. I'm just gonna target my lube back and dress. And the reason I'm doing this is because again,
17:06
this this is just a BM demo to see how the tool runs and see a functional command.
17:10
We're not actually doing a pen test right now in our sandbox. We've got better targeting set up for it. It's just important to note that you generally shouldn't target your own machine with a tool that's going to throw every explain in the book at it. We're gonna do something a little bit wrong, and that's okay. Run the command
17:26
and you can see that it's gonna give us the ask your it again. It's gonna go crazy. It's gonna tell us when it's gonna save.
17:32
And now it's gonna sit for a little while and hopefully it's gonna come back and tell us that it wasn't able to exploit anything.
17:37
It starts a responder. You can see that we have one active threat, and that's the responder. That's the actual testing. What's receiving all of the commands and performing the operations and sending the information back to us? You can see that it's continuing to run again. Probably it's not going to get anything back because Callie boxes were targeting.
17:56
But this does show you what it looks like when it's actually executing. We're gonna go ahead,
18:00
kill it now.
18:00
Control C is Kat.
18:03
There we go.
18:04
So, yeah, that's it. That's what you're going to see from a PT, too, when you run it normally in an actual operation within spit out a report. You can find that it will print out to where you have your reports configured toe be located, and you'll be able to go through that report and see what operations were done.
18:19
That's gonna be the end of this video again. We do have this tool in our Callie sandbox that is specifically intended
18:25
for you to try it out and actually perform a little bit of operation with it. See how it works. So please take the time to have a look at that. If you're a pro user, by all means bust into their We have that lab on our site. If you're not an insider pro user, that's totally okay. You can download Callie and install a PT to using the instructions I showed you earlier
18:42
on. You'll be able to start running with this and play around with it and getting familiar with the tool.
18:47
So thank you all for watching this video. Hopefully, you're a little bit more familiar with it. The idea of automated pen testing is a really cool one, and hopefully you can see some use cases in your own careers and in your own work. As always, I am just thrilled that I got to teach this course. I'm thrilled that I get to keep teaching these courses. And I'm happy to have you all here.
19:03
So please, by all means feel free descended requests for tool videos you'd like to see in the future.
19:08
And additionally, if you would like to contribute to Cyber A, this is the most important thing in the world. Our website is almost entirely crowdsource. I'm one of two or three people who actually works at Cyberia creating content on the site. The best material we have the most interesting. The most engaging material comes from users like you who have something to share
19:27
and have knowledge. They want to help other people gain.
19:30
So please, by all means go to our instructor page gored community page become a TA become an instructor, help us build the best cybersecurity training content in the world. Thank you all for watching. This has been breaking stuff with Joe and I am your host Joe Perry. And thank you for watching a cyber eri on demand

How to Use APT2 (BSWJ)

The Automated Pentration Testing Toolkit (APT2), is an offensive program used to perform scans against a target environment and automatically attempt to compromise all valid targets in that environment.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor