2. $ whoami
• Security researcher and penetration tester for Veris Group
• Co-founder of the Veil-Framework #avlol
o www.veil-framework.com
o Shmoocon ’14: AV Evasion with the Veil Framework
o co-wrote Veil-Evasion, wrote Veil-Catapult and Veil-PowerView
• https://github.com/HarmJ0y/
• http://harmj0y.net
3. tl;dr
• Cortana? wtf
• OK that’s cool, what can I do
• Cortana use cases:
o grabcreds.cna - auto hash dumping
o safetynet.cna - saving shells
o veil_evasion.cna - #avlol :)
o user_hunter.cna - find DAs
o beacon.cna - graphical beacons*
4. Cortana? wtf
• Raphael Mudge’s DARPA Cyber Fast Track project
• Allows for the scripting of Armitage and/or Metasploit itself
o Some of this functionality is restricted to Cobalt Strike - marked by a *
• Doesn’t seem to have publicly caught on
o Which is dumb, since it’s incredibly useful
5. Cortana: Why Use It
• Allows for the easy customization of an already existing, powerful tool
• Many standard pentest actions can be automated and manipulated in useful ways
• Lets you minimize the time spent doing repetitive tasks
6. Cortana Background
• Cortana is a set of extensions to the Sleep language that allows for the control of Armitage/Metasploit
• Sleep = Java-based scripting language heavily inspired by Perl and written by Raphael
o http://sleep.dashnine.org/documentation.html
o http://www.fastandeasyhacking.com/download/cortana/cortana_tutorial.pdf
7. Sleep 101
• “Sleep is primarily a glue language and was designed from the ground up to be embedded in Java applications…[it] brings the power of Perl to the Java platform.”
• Much of the backend of Armitage is actually written in Sleep
https://today.java.net/pub/a/today/2005/07/14/sleep.html
8. Cortana 101
• Interaction with Metasploit is baked in through utilization of MSF’s RPC interface
• You can send commands to a Meterpreter session, interact with the backend database, launch modules, etc.
• m_cmd($1, "sysinfo");
• host_info($address);
• exploit("windows/smb/ms08_067_netapi", $addr);
9. Cortana 101
• Triggers can be set up to asynchronously fire on various actions/events:
o new sessions
o meterpreter/shell commands
o new hosts/services/routes/etc.
• Lets you perform contextual actions and automate a lot of post-exploitation
11. Cortana 101
• The user interface for Armitage can be easily modified:
o new program menus
o new meterpreter action menus
o changeable host icons
• Lots of examples at:
https://github.com/rsmudge/cortana-scripts
https://github.com/HarmJ0y/cortana
13. Use Case #1
• On each meterpreter session that comes in, we always like to grab all credentials we can from the box:
o hashdump
o run mimikatz
o see if a user we want is logged in
• ASPNET? Guest? SUPPORT_*? no thx
14. How Can Cortana Help?
• grabcreds.cna
o on session_sync { … }
o m_cmd($1, "wdigest");
o on meterpreter_wdigest { … }
• On each host that comes in:
o run hashdump and mimikatz
o filter out account names we don’t want
o dump creds to the database
o check users found against a designated list
o announce results on the team chat*
16. Use Case #2
• Losing shells sucks
• Our standard procedure is to inject additional sessions (or beacons*) for fallback in case our main working session dies
o and not to just one C2 server
• This becomes tedious when you’re dealing with A LOT of shells and various handlers
17. How Can Cortana Help?
• safetynet.cna
o on session_sync { … }
o launch("post", …)
• automatically runs a payload inject module against each host
o injects a “safetynet” payload
• Problem:
o we want to inject two payloads, one from the existing process context and one into explorer.exe
18. Sidenote: smart_payload_inject.rb
• Existing payload_inject.rb only allows for injection against predefined process IDs
• smart_migrate.rb allows for “smart” migration into explorer.exe
• Combine the two -> easy injection into a specific process name, explorer.exe by default
23. Use Case #3
• Armitage/Cobalt Strike are great, but sometimes we want specific GUI modifications
• Say we want to have a Cobalt Strike workspace containing only hosts with active beacons*
*http://www.advancedpentest.com/help-beacon
24. How Can Cortana Help?
• We can grab the active beacon list
o @beacons = call('beacon.list');
• We can set up ‘heartbeat’ callbacks to periodically perform actions
o on heartbeat_5s { … }
• We can modify our GUI in useful ways
o filter host_image { … change a host’s GUI image … }
o bind Ctrl+B { open_beacon_browser(); }
26. Use Case #4
• psexec in Metasploit is great, but the standard exe templates = no good
• Veil-Evasion does a great job at generating AV-evading executables :)
• But generating each time, reconfiguring paths, etc. is a pain
27. How Can Cortana Help?
• veil_evasion.cna
o filter user_launch { … }
o exec(SYSTEM COMMAND);
• Invokes Veil-Evasion to generate a binary, intercepts psexec calls in Armitage, and substitutes this in for a custom EXE
• No more caught payloads :)
28. Sidenote: swing >_<
• Exposed Cortana functions are great, but didn’t quite cover exactly what we wanted
• Luckily, Cortana scripts can integrate various Java/Swing GUI manipulations
• And guess what? Armitage has examples. And it’s BSD-licensed
33. Use Case #5
• What’s the usual goal for a smash-and-grab pentest?
• Find out who the domain admins are
• Find where they’re logged into
• Find a set of credentials that gives us SYSTEM on their box
• psexec, pop a box, mimikatz, profit
34. Situational Awareness 101
• Manual process on the domain side:
• net user /domain
• net group /domain
• net view
• net view <hostname>
• net sessions <hostname>
35. Netview.exe
• Rob Fuller (@mubix) released a tool at Derbycon 2012 called Netview, which “enumerates systems using WinAPI calls”
• Can find hosts, shares, and logged on users across a network
• Two API calls really interest us:
o NetServerEnum – enumerate (from the DC) domain systems of a certain type
o NetWkstaUserEnum – get users logged onto a system
36. Metasploit
• Most of this type of functionality already exists in Metasploit (of course):
• smb_enumusers_domain
o uses NetWkstaUserEnum (through railgun) to get users logged into a particular machine
• local_admin_search_enum
o checks a range of IPs to see if the current user has admin access, and grabs the logged in users with NetWkstaUserEnum as well
37. Metasploit
• enum_domain_group_users
o runs “net groups GROUP /domain” against a host and parses the results
• computer_browser_discovery
o queries the default domain controller for all hosts of a particular type using NetServerEnum
38. user_hunter.rb
• New Metasploit module, drawing from existing functionality
• Takes a username, userlist, or domain group to query against the local DC
• Takes a host list, or runs “net view” to try to enumerate all machines on a domain
39. user_hunter.rb
• Runs NetWkstaUserEnum against each target host to determine the users logged into the machine
• Compares this against the target user list, throwing a specific user.hunter note into the database when it finds a match
• point -> click -> be told where DAs are
40. How Can Cortana Help?
• We can interact fully with the MSF database
o @notes = call("db.notes")["notes"];
• We can set up ‘heartbeat’ callbacks to periodically perform actions
o on heartbeat_5s { … }
• We can modify our GUI in useful ways
o filter host_image { … change a host’s GUI image … }
41. Cortana – user_hunter.cna
• Cortana script that periodically polls the MSF database for our user.hunter notes
• Modifies the host icons of any systems with found users
o i.e. any systems a DA is logged into!
• Also adds an option to launch the user_hunter.rb module from any meterpreter session
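An added example (not the talk's user_hunter.cna or anything from HarmJ0y's repository) sketching the flow just described in Cortana/Sleep: poll db.notes on a heartbeat, remember which hosts carry a user.hunter note, and overlay an icon on those hosts. The shape of each note hash ('host', 'type', 'data' keys), the host_image argument order ($1 = current image list, $2 = host address) and the icon file name are assumptions, not confirmed by the slides.

```sleep
# user_hunter_view.cna - added example, not the user_hunter.cna from the talk.
#
# Assumed (not confirmed by the slides): each entry of call("db.notes")["notes"]
# is a hash with 'host', 'type' and 'data' keys, and the host_image filter is
# passed $1 = the current list of image files and $2 = the host address.

global('%da_hosts');
%da_hosts = %();

# Every 5 seconds, pull all notes from the MSF database and remember the
# hosts that carry a user.hunter note (i.e. where a hunted user is logged on).
on heartbeat_5s {
   local('@notes', '$note', '%found', '$host', '$data');
   @notes = call("db.notes")["notes"];
   %found = %();

   foreach $note (@notes) {
      if ($note['type'] eq "user.hunter") {
         %found[$note['host']] = $note['data'];
      }
   }

   # print only hosts we have not reported before, so the console stays quiet
   foreach $host => $data (%found) {
      if ($host !in %da_hosts) {
         println("[user_hunter] new match on $host : $data");
      }
   }

   %da_hosts = %found;
}

# Decorate flagged hosts with an extra icon overlay; hosts without a
# user.hunter note keep their default image list untouched.
filter host_image {
   if ($2 in %da_hosts) {
      push($1, script_resource("user_hunter.png"));   # assumed icon file name
   }
   return @_;
}
```

Load it the same way as any other .cna script; the heartbeat keeps the host view in sync as new user.hunter notes land in the database.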
43. Recap
• Cortana is awesome, contribute!
o https://github.com/rsmudge/cortana-scripts
o https://github.com/HarmJ0y/cortana
• Many standard assessment actions can be automated and manipulated in useful ways
• The less time you spend doing repetitive actions = the more you can spend pwning the client