the metabrik platform - rapid development of reusable ... · i metasploit-like syntax i completion...

The Metabrik Platform - Rapid Developmentof Reusable Security Tools

Patrice Auffret

metabrik.org

March 2017

Patrice Auffret metabrik.org

The Metabrik Platform - Rapid Development of Reusable Security Tools

Whoami?GomoR

I Information security engineer for 15 yearsI Perl developper for same amount of timeI CPAN author

I Net::Packet (obsolete)I Net::Frame suite (successor)I Net::WriteI Net::SinFP/Net::SinFP3 (2012: hack.lu, ekoparty,

EuSecWest)I Metabrik (and Metabrik::Repository)

I InterestsI Forensic analysisI Network protocolsI Big data (mining)I https://www.sisyphe.io/



What is Metabrik?The subject of today...



A Pokemon?Yes, but no.

I Source:http://www.mypokecard.com/fr/Galerie/Pokemon-Metabrik



A platformAnd much more.

I A UNIX-like shellI A true language with a Read-Eval-Print-LoopI Many Briks

I A development/prototyping platformI To build quickly the right tool



A true language?Yes. Kill the troll now. But Perl is better than Python anyway :)

I Source: eweek - April, 30th 2010



Why?CLI rules

I Everything should be possible via command lineI Automate all the things

I Do it once principleI Tired of repeated throw-away scriptsI Code reusability rules

I UNIX shells too simpleI Pipe too limitedI Needed a powerful language

I Rapid development from a CLII Writing scripts is also possible

I Normalized syntax in human readable form



Comparison with REbusInteractive usage versus fully automatic one

I Same goal: normalize tool usageI REbus: replace the human

I Not a shellI Usage is not so easyI Written in PythonI Input/output automation

I Metabrik: help the humanI Manual input/outputI Easy Brik usage

I Both are using wrappers around existing toolsI Metabrik does not only use wrappersI It tries to use best Perl CPAN modules



Demo 1 - The Metabrik Shell (~3 minutes)

I 3 kinds of command linesI externalI Brik’s commandsI Perl code (REPL)

I 5 Brik’s commandsI use, set, get, run, help



FeaturesMost notable ones

I Shell: builtinsI cd, alias, ...

I Customizable shell with history handlingI File .metabrik_rcI File .metabrik_history

I Metasploit-like syntaxI Completion for commands, files, variablesI Control keys like Ctrl+R



BriksYou have the knowledge, detail is in the Brik

I Many wrappers around external programsI but not only

I Object-orientedI defined by properties like tags, category or attributesI a Brik may inherit from one or more othersI Example: file::psv inherits from file::csv

I Add features to existing toolsI There is always one lackingI Example: forensic::scalpel

I A reusable Perl moduleI a command line interfaceI a classic interface



brik::tool BrikMakes a Brik easy to use

I Two kind of dependenciesI System packagesI Perl modules

I Easy to install and useI run brik::tool install database::cvesearchI use database::cvesearchI help database::cvesearch

I Easy to update asI run brik::tool update



Special variablesWhere we keep some Perl philosophy

I Example:I run shell::command capture ls /I my $count = scalar(@$RUN)

I Input/output handling via $RUNI This is the new pipeI Perl basic data typesI You sculpt it to your needs

I Other special variablesI $SETI $GETI $CON, $LOG, $GLO, $SHEI $USE, $ERR, $MSG, $REF



Demo 2 - forensic challenge (~3 minutes)Or how to quickly solve a problem

I Some miscreants kidnapped your catI We found an old device on crime-sceneI We have to analyze this dataI File analysis

I file::typeI file::compressI image::exif

I Extract dataI forensic::scalpel



Metabrik Core and Metabrik RepositoryWhat’s the difference?

I Metabrik CoreI core::globalI core::shellI core::logI core::contextI Minimal system and Perl modules dependencies

I Metabrik RepositoryI 240+ Briks (and counting)I brik::tool to manageI brik::search to searchI Install dependencies only when needed



brik::tool and brik::searchYour best friends

I Search by tag, command, category or string...I run brik::search tag video

I brik::tool for managementI create a skeleton of a new Brik

I run brik::tool create_brik my::firstI create a skeleton of a new program

I run brik::tool create_tool my_tool.pl



A MetatoolFrom prototype to industrialisation

I Finalized prototypeI run brik::tool create_tool iplocation.pl

I Shell commands conversion to code

1 # She l l Metabr ik2 use lookup : : i p l o c a t i o n3 run lookup : : i p l o c a t i o n f rom_ip 93.184.216.34

1 # Per l program2 use Metabr ik : : Core : : Context ;3 my $con = Metabr ik : : Core : : Context−>new ;45 use Metabr ik : : Lookup : : I p l o c a t i o n ;6 my $ l i = Metabr ik : : Lookup : : I p l o c a t i o n −>new_f rom_br i k_ in i t ( $con ) ;7 my $h = $ l i −>from_ip ( $ ip ) ;



Demo 3 - automate malware analysis (~3 minutes)Or how to extract Indicators of Compromise

I Use a VM as a scapegoat (sacrifice it)I Take a fingerprint of its memory/process/registry beforeI Run a malwareI Take a fingerprint of its memory/process/registry afterI Instrumentalise a VM and take a snapshot

I system::virtualboxI Execute program remotely

I remote::winexeI remote::wmi

I Perform a diff on a Windows machine-stateI forensic::volatility



Demo 4 - bind all Briks together (~5 minutes)Make it straightforward

I Use all previous Briks to write a new oneI remote::windiffI Automates diffing between two VM states



Enlarge your toolsUse more Briks

I Code: lib/Metabrik/Remote/Windiff.pmI Improve a tool by yourself from the 240+ Briks

I run file::csv write $process_diff out.csvI run client::dns ptr_lookup $ipI run api::virustotal ipv4_address_report $ipI run api::shodan host_ip $ip



Weaknesses of this approachOr just more work todo?

I Relies on incomplete toolsI Volatility is based on reverse engineering WindowsI WMI too...and we found some parsing bugs

I Depends on the ability to snapshot a VM memoryI What if we wanted to use a physical machine?

I No live analysisI And approach already taken by VolatilityBot

I https://github.com/mkorman90/VolatilityBotI (But requires a Python agent to be installed)



Now for a better approachHave you heard about sysmon?

I Monitors Windows system changes likeI Loading of drivers and imagesI Registry changesI Filesystem changesI Process accessesI ...and more

I Live stream through Windows Event logs



Collect all the thingsSysmon and network

I Put everything into an Elasticsearch storageI Winlogbeat for Windows Event logsI tcpdump-like to capture network traffic

I (but no live stream yet)



Understanding malwares without l33t skills (1/2)Automate all the things now.

I We need remote capabilities forI SysmonI Windows DefenderI Upload/download

I We need local capabilities forI Interacting with ElasticsearchI Performing forensic analysis on pcap files



Understanding malwares without l33t skills (2/2)Automate all the things now.

I Sysmon + WinlogbeatI remote::sysmon, remote::winsvc, forensic::sysmon

I ElasticsearchI server::elasticsearch, client::elasticsearch

I tcpdumpI client::tcpdump

I smbclient + winexeI client::smbclient, remote::winexe, remote::windefend

I New Brik remote::sandbox



remote::sysmon && forensic::sysmon

I remote::sysmonI Generate configuration (full logging by default)I Deploy/undeploy sysmon agent to remote host with

remote::winexeI Update configuration on remote host

I forensic::sysmonI A client::elasticsearch childI Queries everythingI Saves state as CSV filesI Performs diff analysis on CSV files



Give me malware to test :)You have a spambox, do you?

I Acquire malware sample from browsing your spamboxI But automated, of course

I And there is a Brik for that: client::imap



Demo 5 - Acquire malware sample (~2 minutes)

I Use client::imap Brik



Demo 6 - the remote::sandbox Brik (~8 minutes)

I Sysmon + winlogbeat + Elasticsearch are readyI Will use remote::sandbox and client::tcpdumpI Take a snapshot from collected events from ElasticsearchI We have to disable the antivirus before executing malware



Demo 7 - pcap to Elasticsearch (~3 minutes)

I Explore pcap data with forensic::pcap



Analysis conclusionWe have to, at some point, conclude.

I A ZIP file containing a ZIP containing a JS fileI A JS using WScript to download PNG imagesI Images are in fact executable filesI We now have some IOCs

I MD5 sums (or whatever your want)I A registry keyI IP addressesI Domain names and URLs

I (And we didn’t looked at the a.doc file)



Some of the best BriksFor some catagories

I api::*I splunk, ...

I client::*I elasticsearch, mongodb, redis, rest, openssh, twitter,

splunk, ...I server::*

I rest, snmp, dns, ...I proxy::*

I http, ssh2tcp, ...I www::*

I shorten, google, ...I lookup::*

I iplocation, oui, ...I network::*

I nmap, linux::iptables, sinfp3, ...Patrice Auffret metabrik.org


Conclusion

I Reaching the 250 Briks milestone...I Everything becomes a Perl variableI Automate all the things from CLII Add missing features to existing toolsI Normalization brings easenessI Shell unification tooI Understand the philosophy and playI POLL: who would be interested in a workshop?



Question(s)?

I Code available on: http://trac.metabrik.org/I Howto install: https://www.metabrik.org/metabrik/install/I Docker: docker pull metabrik/metabrikI Twitter: @MetabrikI Twitter: @PatriceAuffret



the metabrik platform - rapid development of reusable ... · i metasploit-like syntax i completion...

Documents