Multi-Player Metasploit: Tag Team Pen Testing and Reporting

•Download as KEY, PDF•

0 likes•602 views

This presentation discusses how database components of Metasploit can be used through XMLRPC to facilitate pen testing data sharing and collection in order to ensure real time actionable information is available to all testers at all times.

Technology

Multiplayer Metasploit
Tag-Team Pen Testing and Reporting
Ryan Linn
Defcon 18

Outline

• Description of Problem
• Discussion of current solutions
• Overview of XMLRPC database
integration
• Discussion of types of objects
• Demos

What’s the problem?

• Pen testing/security audit teams need
to share information
• How do you plan further action?
• What about deltas from previous tests?
• No easy way to automate reporting

Analysis of current solutions

• Dradis - best alternative, imports data
great, but hard to further actions, no
integration with other tools
• Leo - geared toward one person and
logging/reporting only
• Wiki - multi-user but arbitrary
organization, hard to convert to further
action or reporting

overview of solution

• Metasploit is readily available
• Extend XMLRPC to facilitate DB
transactions
• XMLRPC extension allows central
logging
• All information is actionable
• Data can be added real time

Types of Objects
• workspaces - separate spaces for data
• hosts
• services
• vulns
• notes - general purpose data storage
• events - log of commands executed
• loots - phat loots lives here
• clients - web clients
• users - users + credentials

Workspaces

• Values:
• name
• created_at
• updated_at
• boundary
• description

Hosts
• created_at • os_name
• updated_at • os_ﬂavor
• address • os_sp
• address6 • os_lang
• mac • arch
• comm • purpose
• name • info
• state • comments

Services

• host
• port
• proto
• state
• name
• info

Notes

• ntype
• service
• host
• critical
• seen
• data

Events

• host
• name
• seen
• critical
• username
• info

loots
• host
• service
• ltype
• path
• data
• content_type
• name
• info

Clients

• host
• ua_string
• ua_name
• ua_ver

Users
• username
• crypted_password
• password_salt
• persistance_token
• fullname
• email
• phone
• company
• prefs

Demos

• Service Startup
• Launching Nmap with Nsploit
• Storing BeEF data in Metasploit
• External report generation
• Difﬁng workspaces

Thanks

• Defcon staff and attendees for a great
conference
• Heather Pilkington, Scott Hilbert,
Jonathan Cran, HD Moore, Egypt,
anyone else I’ve forgotten
• Fyodor, Wade Alcorn for Nmap and
BeEF

Contact Information

• IRC: sussurro
• Twitter: @sussurro
• Blog: blog.happypacket.net

What's hot

Neo4j + MongoDB - SF Graph Database Meetup Group Presentation

William Lyon

Knowledge graph

Brecht Van de Vyvere

Building a knowledge graph of the Belgian War Press

Open Knowledge Belgium

How to create/improve OSS product and its community (revised)

SATOSHI TAGOMORI

Why we love ArangoDB. The hunt for the right NosQL Database

Andreas Jung

Cassandra Summit 2015 - Building a multi-tenant API PaaS with DataStax Enterp...

Restlet

Powering an API with GraphQL, Golang, and NoSQL

Nic Raboy

RealTime Recommendations @Netflix - Spark

Nitin S

City of Atlanta Oracle Application Footprint

Danny Bryant

Web services soap

Khan625

Introduction to Azure DocumentDB

Radenko Zec

MongoDB - Getting Started

Ahmed Helmy

Solving text search problems with Ruby on Rails

Andrii Gladkyi

All about data persistence in Windows 8

Andrei Marukovich

globus.pptx

Sam Van Loon

LoCloud Geocoding Application, Runar Bergheim, Asplan Viak Internet

locloud

Hw09 Next Steps For Hadoop

Cloudera, Inc.

Advanced Exfiltration Techniques

Jonas Lejon

I was presenting the new trends and possibilities for a decade in open source monitoring 3 years ago at OSMC. It's time now to see if we can make some monitoring without Nagios. We'll then explore: - Collectd, Diamond, Packetbeat, StatsD and Logstash for collecting metrics and events - Graphite, InfluxDB for storing time series data - Elasticsearch for storing events - Kibana and Grafana for dispaying and searching metrics and events. - Seyren and Cabot for notifications What is possible with such a solution? How does it work compared to Nagios…? Is it iso-functionnal, maybe better than a Nagios based solution? Is there any migration path from Nagios? We'll try to answer all theses questions and maybe more!

OSMC 2014: Time to say goodbye to your Nagios setup | Oliver Jan

NETWAYS

THE POWER OF OPENDJ AND REST

ForgeRock

What's hot (20)

Neo4j + MongoDB - SF Graph Database Meetup Group Presentation

Knowledge graph

Building a knowledge graph of the Belgian War Press

How to create/improve OSS product and its community (revised)

Why we love ArangoDB. The hunt for the right NosQL Database

Cassandra Summit 2015 - Building a multi-tenant API PaaS with DataStax Enterp...

Powering an API with GraphQL, Golang, and NoSQL

RealTime Recommendations @Netflix - Spark

City of Atlanta Oracle Application Footprint

Web services soap

Introduction to Azure DocumentDB

MongoDB - Getting Started

Solving text search problems with Ruby on Rails

All about data persistence in Windows 8

globus.pptx

LoCloud Geocoding Application, Runar Bergheim, Asplan Viak Internet

Hw09 Next Steps For Hadoop

Advanced Exfiltration Techniques

OSMC 2014: Time to say goodbye to your Nagios setup | Oliver Jan

THE POWER OF OPENDJ AND REST

Similar to Multi-Player Metasploit: Tag Team Pen Testing and Reporting

Marc Schwering – Using Flink with MongoDB to enhance relevancy in personaliza...

Flink Forward

Chicago HUG Presentation Oct 2011

Abe Taha

Node.js

Matt Simonis

Planidoo & Zotonic

David de Boer

Apache Geode Meetup, London

Apache Geode

Lantea platform

Neuzilla

AWS 2020 Year in Review reInvent ReCap

CloudHesive

Presto Summit 2018 - 02 - LinkedIn

kbajda

CNIT 121: 14 Investigating Applications

Sam Bowne

Zero to Sixty with Oracle ApEx

Bradley Brown

Social Connections 2015 CrossWorlds and Domino

Paul Withers

Building a Flexible UI with Oracle ApEx

Bradley Brown

HBaseCon 2015 General Session: Zen - A Graph Data Model on HBase

HBaseCon

In our recent Big Data Warehousing Meetup, we discussed Data Governance, Compliance and Security in Hadoop. As the Big Data paradigm becomes more commonplace, we must apply enterprise-grade governance capabilities for critical data that is highly regulated and adhere to stringent compliance requirements. Caserta and Cloudera shared techniques and tools that enables data governance, compliance and security on Big Data. For more information, visit www.casertaconcepts.com

Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by Cloudera

Caserta

London Hug 19/5 - Terraform in Production

London HashiCorp User Group

Best Practice in Web Service Design

Lorna Mitchell

Big Data Analytics 2: Leveraging Customer Behavior to Enhance Relevancy in Pe...

MongoDB

Until now, the only way to surface your Customers’ Domino data in IBM Connections has been via XPages. But over the last year IBM Domino Developers, the Domino landscape and the Java web development landscape have undergone a significant change. See how to use the popular Vaadin framework to create a standard web application on IBM Websphere Liberty using IBM Domino as either a NoSQL or Graph database.

CrossWorlds: Unleash the Power of Domino for Connections Development

LetsConnect

DevOpsDays Seattle - Self-Service Ignite

Lowell Young

Voldemort Nosql

elliando dias

Similar to Multi-Player Metasploit: Tag Team Pen Testing and Reporting (20)

Marc Schwering – Using Flink with MongoDB to enhance relevancy in personaliza...

Chicago HUG Presentation Oct 2011

Node.js

Planidoo & Zotonic

Apache Geode Meetup, London

Lantea platform

AWS 2020 Year in Review reInvent ReCap

Presto Summit 2018 - 02 - LinkedIn

CNIT 121: 14 Investigating Applications

Zero to Sixty with Oracle ApEx

Social Connections 2015 CrossWorlds and Domino

Building a Flexible UI with Oracle ApEx

HBaseCon 2015 General Session: Zen - A Graph Data Model on HBase

Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by Cloudera

London Hug 19/5 - Terraform in Production

Best Practice in Web Service Design

Big Data Analytics 2: Leveraging Customer Behavior to Enhance Relevancy in Pe...

CrossWorlds: Unleash the Power of Domino for Connections Development

DevOpsDays Seattle - Self-Service Ignite

Voldemort Nosql

Recently uploaded

Intro in Product Management - Коротко про професію продакт менеджера

Mark Opanasiuk

I'm excited to share my latest predictions on how AI, robotics, and other technological advancements will reshape industries in the coming years. The slides explore the exponential growth of computational power, the future of AI and robotics, and their profound impact on various sectors. Why this matters: The success of new products and investments hinges on precise timing and foresight into emerging categories. This deck equips founders, VCs, and industry leaders with insights to align future products with upcoming tech developments. These insights enhance the ability to forecast industry trends, improve market timing, and predict competitor actions. Highlights: ▪ Exponential Growth in Compute: How $1000 will soon buy the computational power of a human brain ▪ Scaling of AI Models: The journey towards beyond human-scale models and intelligent edge computing ▪ Transformative Technologies: From advanced robotics and brain interfaces to automated healthcare and beyond ▪ Future of Work: How automation will redefine jobs and economic structures by 2040 With so many predictions presented here, some will inevitably be wrong or mistimed, especially with potential external disruptions. For instance, a conflict in Taiwan could severely impact global semiconductor production, affecting compute costs and related advancements. Nonetheless, these slides are intended to guide intuition on future technological trends.

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Peter Udo Diehl

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)

Julian Hyde

How to differentiate Sales Cloud and CPQ on first glance might be tricky if you do not know where to look and what to look at. You will know :-) Managing the sales process within Salesforce is a common use case that can be managed with standart Sales Cloud. If you want to do entire quoting process you will find out Salesforce CPQ solution exists. What is then the difference if both can handle selling products? You will see comparison of 10 different features, which Sales Cloud and Salesforce CPQ handle differently. Simple question you will always remember if you should consider using Salesforce CPQ will be a cherry on top.

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

CzechDreamin

Welcome to UiPath Test Automation using UiPath Test Suite series part 2. In this session, we will cover API test automation along with a web automation demo. Topics covered: Test Automation introduction API Example of API automation Web automation demonstration Speaker Pathrudu Chintakayala, Associate Technical Architect @Yash and UiPath MVP Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UiPath Test Automation using UiPath Test Suite series, part 2

DianaGray10

The standard Salesforce Approval process can be limiting in many ways, especially in complex scenarios. What if there was a way to implement very flexible approvals where one can use Apex code to make data updates in unrelated records, dynamically generate next steps details, and compute assignees on the fly? And still use UI-based configurations to implement concrete approval processes. In this session, we will share ideas behind such a solution and show a few lines of code to get you started.

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

CzechDreamin

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

This talk focuses on the practical aspects of integrating various telephony systems with Salesforce, drawing on examples from implementations in the Czech scene. It aims to inform attendees about the spectrum of telephony solutions available, from small to large scale, and their compatibility with Salesforce. The presentation will highlight key considerations for selecting a telephony provider that integrates smoothly with Salesforce, including important questions to support the decision-making process. It will also discuss methods for integrating existing telephony systems with Salesforce, aimed at companies contemplating or in the process of adopting this CRM platform. The discussion is designed to provide a straightforward overview of the steps and considerations involved in telephony and Salesforce integration, with an emphasis on functionality, compatibility, and the practical experiences of Czech companies.

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

CzechDreamin

Screen flow is a powerful automation tool that is commonly designed for internal and external users. However, what about the guest users? We will dive into various methods of launching screen flows and understand how to make them publicly accessible, extending their usability to a broader audience. The presentation will also cover the implementation of security layers and highlight best practices for a smooth and protected user experience. Discover the potential of screen flows beyond conventional use and learn how to leverage them effectively.

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

CzechDreamin

AI presentation and introduction - Retrieval Augmented Generation RAG 101

vincent683379

Designing inclusive products is not only a social responsibility but also a business imperative. This talk delves into the journey of creating accessible hardware products that cater to diverse user needs. Key Topics Covered: 1. Introduction to Inclusive Design - Importance of accessibility in product design - Overview of Comcast's commitment to making products accessible to a wide audience 2. Case Study: Xfinity Large Button Voice Remote - Initial challenges and the evolution of the product - User research and feedback that shaped the design - Key features of the final product and their benefits 3. Designing for Diverse Needs - Understanding human-centered design and its historical context - The impact of designing for people with disabilities on overall product quality - Examples from other industries, such as architecture and industrial design 4. Integrating Accessibility from the Beginning - The cost and efficiency benefits of designing for accessibility from the start - The process of embedding accessibility as a core trait rather than an optional feature 5. Real-World Impact and Continuous Improvement - Insights from in-home studies with users having assistive needs - How continuous feedback and iterative design lead to better products - The role of inclusive research and development practices

Designing for Hardware Accessibility at Comcast

UXDXConf

Generative AI architecture, at its core, revolves around the concept of machines being able to generate content autonomously, mimicking human-like creativity and decision-making processes. Unlike traditional AI systems that rely on predefined rules and data inputs, generative AI leverages deep learning techniques to produce new, original outputs based on patterns and examples it has learned from vast datasets. This capability opens up a multitude of possibilities across various domains within an enterprise.

The architecture of Generative AI for enterprises.pdf

alexjohnson7307

Intelligent Gimbal FINAL PAPER Engineering.pdf

Anthony Lucente

Join us as we dive into the latest updates to the UiPath Orchestrator API, including new limits and features for 2024. Discover how these changes can enhance your automation projects and streamline your workflows. 📚 Overview of UiPath Orchestrator API 🔧 Recent changes to API limits 🛠️ How to adapt to new limits 📋 Best practices for using the Orchestrator API efficiently ❓ Q&A session

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

DianaGray10

Agentic RAG What it is its types applications and implementation.pdf

ChristopherTHyatt

The New York Times continues to lead in user-centered design by innovating and adapting to enhance both user engagement and understanding, aligning product experiences with its journalistic mission. This presentation discusses innovative strategies in user experience at The New York Times, focusing on subscriber experiences and storytelling. Key Points Covered: - Mission-Driven Design: Emphasizing the Times' mission to "seek the truth and help people understand the world," the design team prioritizes clarity and engagement to support high-quality journalism. - UX Design Principles: The team follows five core UX tenets—clarity, time optimization, craftsmanship, accessibility, and trust—to maintain a strong focus on user-centric design. - Innovative Design Strategies: Product Feature Advancement, Editorial Expression, Long-term Visioning - Integrating Diverse Content: Examples include the successful integration of popular games like Wordle, which not only entertain but also attract and retain a diverse user base.

Transforming The New York Times: Empowering Evolution through UX

UXDXConf

As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other? Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Tobias Schneck

IESVE for Early Stage Design and Planning

IES VE

I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.

"Impact of front-end architecture on development cost", Viktor Turskyi

Fwdays

ScyllaDB has the potential to deliver impressive performance and scalability. The better you understand how it works, the more you can squeeze out of it. But before you squeeze, make sure you know what to monitor! Watch our experienced Postgres developer work through monitoring and performance strategies that help him understand what mistakes he’s made moving to NoSQL. And learn with him as our database performance expert offers friendly guidance on how to use monitoring and performance tuning to get his sample Rust application on the right track. This webinar focuses on using monitoring and performance tuning to discover and correct mistakes that commonly occur when developers move from SQL to NoSQL. For example: - Common issues getting up and running with the monitoring stack - Using the CQL optimizations dashboard - Common issues causing high latency in a node - Common issues causing replica imbalance - What a healthy system looks like in terms of memory - Key metrics to keep an eye on This isn’t “Death-by-Powerpoint.” We’ll walk through problems encountered while migrating a real application from Postgres to ScyllaDB – and try to fix them live as well.

Optimizing NoSQL Performance Through Observability

ScyllaDB

Recently uploaded (20)