1 00:00:00,890 --> 00:00:05,370 all right so obviously this is very 2 00:00:03,210 --> 00:00:08,250 last-minute I have no slides or anything 3 00:00:05,370 --> 00:00:09,450 like that but so I guess I guess I'll 4 00:00:08,250 --> 00:00:11,250 start off with kind of giving you the 5 00:00:09,450 --> 00:00:15,540 idea of what I wanted to accomplish I 6 00:00:11,250 --> 00:00:20,400 wanted to do this for question sorry 7 00:00:15,540 --> 00:00:23,099 James Bauer just a normal InfoSec nerd 8 00:00:20,400 --> 00:00:24,720 and I got an interest in a lot of I 9 00:00:23,100 --> 00:00:27,390 basically have done stuff I started 10 00:00:24,720 --> 00:00:29,220 doing network penetration testing and 11 00:00:27,390 --> 00:00:31,289 then I moved on to app sec and then I 12 00:00:29,220 --> 00:00:33,000 started to do some threat hunting for a 13 00:00:31,289 --> 00:00:35,910 while and now I actually have a role 14 00:00:33,000 --> 00:00:37,140 doing uh for intelligence but one of the 15 00:00:35,910 --> 00:00:39,120 things I've always kind of wanted to do 16 00:00:37,140 --> 00:00:41,370 was because I find myself going back and 17 00:00:39,120 --> 00:00:43,649 doing small kind of pen test here or 18 00:00:41,370 --> 00:00:45,419 there or just being curious about you 19 00:00:43,649 --> 00:00:48,300 know infrastructure for maybe like a 20 00:00:45,420 --> 00:00:49,860 situ or something so the idea that I 21 00:00:48,300 --> 00:00:51,000 always kind of had was I would do all 22 00:00:49,860 --> 00:00:53,940 these kind of things that would be 23 00:00:51,000 --> 00:00:55,260 manual kind of over and over again you 24 00:00:53,940 --> 00:00:57,660 know kind of like the same methodologies 25 00:00:55,260 --> 00:00:59,519 and I'd be running through my you know 26 00:00:57,660 --> 00:01:01,199 my list of the things I want to 27 00:00:59,520 --> 00:01:03,049 accomplish like you know you have an IP 28 00:01:01,199 --> 00:01:05,640 I might want to look up like das 29 00:01:03,049 --> 00:01:08,010 information associated with it or on 30 00:01:05,640 --> 00:01:12,030 like the the web application side doing 31 00:01:08,010 --> 00:01:13,229 like simple recon so kind of where I 32 00:01:12,030 --> 00:01:15,270 wanted to go I was always kind of 33 00:01:13,229 --> 00:01:17,700 looking for a way of you know how can I 34 00:01:15,270 --> 00:01:20,490 find how can I build something that will 35 00:01:17,700 --> 00:01:23,009 go ahead and you know I can simply just 36 00:01:20,490 --> 00:01:25,110 give it a domain or an IP and it'll just 37 00:01:23,009 --> 00:01:27,780 take it off from there whether or not 38 00:01:25,110 --> 00:01:29,549 that's you know and but I wanted 39 00:01:27,780 --> 00:01:31,890 something that I could would automate 40 00:01:29,549 --> 00:01:34,380 that and then scale it out you know 41 00:01:31,890 --> 00:01:36,270 essentially indefinitely and then so it 42 00:01:34,380 --> 00:01:38,670 wasn't actually until and I tried you 43 00:01:36,270 --> 00:01:40,110 know taking Python and you know doing 44 00:01:38,670 --> 00:01:41,970 all that stuff but the problem was it's 45 00:01:40,110 --> 00:01:43,560 like I'm using you know multiple tools 46 00:01:41,970 --> 00:01:46,770 that are written in everything from bash 47 00:01:43,560 --> 00:01:49,229 to Python to Ruby and the output is 48 00:01:46,770 --> 00:01:51,210 totally different you know some is gonna 49 00:01:49,229 --> 00:01:53,189 be just you know XML other parts are 50 00:01:51,210 --> 00:01:55,829 just gonna be JSON some of it's just you 51 00:01:53,189 --> 00:01:57,839 know flat text and combining that all 52 00:01:55,829 --> 00:01:59,279 together and I just couldn't come up 53 00:01:57,840 --> 00:02:00,810 with I was always just scratching my 54 00:01:59,280 --> 00:02:02,219 head trying to I'd get like a little bit 55 00:02:00,810 --> 00:02:02,909 further but I just couldn't really get 56 00:02:02,219 --> 00:02:05,610 anything going 57 00:02:02,909 --> 00:02:07,560 so really wasn't until about six months 58 00:02:05,610 --> 00:02:10,008 ago that I was looking into more stuff 59 00:02:07,560 --> 00:02:13,500 and I came I kind of stumbled across 60 00:02:10,008 --> 00:02:15,720 like DevOps stuff 61 00:02:13,500 --> 00:02:18,410 and so I was looking at a few DevOps 62 00:02:15,720 --> 00:02:22,620 solutions and what I actually ended up 63 00:02:18,410 --> 00:02:23,970 settling on was get lab pipelines so I 64 00:02:22,620 --> 00:02:28,500 don't know if you guys are familiar with 65 00:02:23,970 --> 00:02:30,660 how pipelines work it's essentially 66 00:02:28,500 --> 00:02:33,690 pretty easy I mean you're setting up you 67 00:02:30,660 --> 00:02:35,549 it's really just a ya know file but 68 00:02:33,690 --> 00:02:38,700 you're you're kind of it's all based off 69 00:02:35,550 --> 00:02:40,320 of containers which at the time for a 70 00:02:38,700 --> 00:02:43,200 security perspective I really wasn't too 71 00:02:40,320 --> 00:02:44,790 big into containers you know you know 72 00:02:43,200 --> 00:02:46,500 particularly like docker containers I 73 00:02:44,790 --> 00:02:48,480 had used them before but I never really 74 00:02:46,500 --> 00:02:50,160 had like a great purpose for him so I 75 00:02:48,480 --> 00:02:51,480 was like alright whatever but then I was 76 00:02:50,160 --> 00:02:53,790 like as I started looking into the 77 00:02:51,480 --> 00:02:56,579 DevOps IDE which is pretty much all 78 00:02:53,790 --> 00:02:59,940 based off of containers for the most 79 00:02:56,580 --> 00:03:01,950 part it started to get kind of cool so 80 00:02:59,940 --> 00:03:04,440 the first thing I was the first thing I 81 00:03:01,950 --> 00:03:06,929 kind of wrote for a pipeline was is like 82 00:03:04,440 --> 00:03:09,329 okay I create let's say you create a 83 00:03:06,930 --> 00:03:12,239 JIRA ticket or you do a commit in a 84 00:03:09,330 --> 00:03:14,070 github repo like whatever you have that 85 00:03:12,239 --> 00:03:16,590 can essentially kick off like a web hook 86 00:03:14,070 --> 00:03:18,180 it's pretty much all you need so when I 87 00:03:16,590 --> 00:03:21,690 first started I basically we created a 88 00:03:18,180 --> 00:03:24,450 text file in a github repo and I would 89 00:03:21,690 --> 00:03:26,160 put in a domain name and from there 90 00:03:24,450 --> 00:03:28,440 essentially what I had to do was like 91 00:03:26,160 --> 00:03:30,359 the web hook would go to goes to 92 00:03:28,440 --> 00:03:33,329 essentially like gitlab and that kicks 93 00:03:30,360 --> 00:03:36,450 off my trying to think how I should 94 00:03:33,330 --> 00:03:38,640 structure this when you do like the 95 00:03:36,450 --> 00:03:42,510 pipeline you can break the pipeline down 96 00:03:38,640 --> 00:03:45,450 into what's called stages and those 97 00:03:42,510 --> 00:03:49,350 stages can be they can either run in 98 00:03:45,450 --> 00:03:51,810 parallel or they can run you know the 99 00:03:49,350 --> 00:03:53,790 one right after another and so depending 100 00:03:51,810 --> 00:03:56,280 on what you want so like the first thing 101 00:03:53,790 --> 00:03:58,560 I would do is I would have I created a 102 00:03:56,280 --> 00:04:01,590 container with just a docker container 103 00:03:58,560 --> 00:04:05,130 that had masking in it and I basically 104 00:04:01,590 --> 00:04:06,870 have my you know gitlab pipeline what it 105 00:04:05,130 --> 00:04:10,350 starts off it basically like takes that 106 00:04:06,870 --> 00:04:12,930 domain name and just does a dig on it to 107 00:04:10,350 --> 00:04:14,820 get the IP address from it it takes that 108 00:04:12,930 --> 00:04:18,298 because you guys are familiar with masks 109 00:04:14,820 --> 00:04:21,149 an you know he needs an IP feeds that IP 110 00:04:18,298 --> 00:04:25,349 into it mask and takes that jumps out 111 00:04:21,149 --> 00:04:27,599 that information into XML which is then 112 00:04:25,349 --> 00:04:30,780 actually fed into 113 00:04:27,600 --> 00:04:32,639 nmap and so these are happening you know 114 00:04:30,780 --> 00:04:34,409 one right after the other and then but 115 00:04:32,639 --> 00:04:38,699 the interesting thing is is that what I 116 00:04:34,410 --> 00:04:41,100 did was when masscan gets the IP and it 117 00:04:38,699 --> 00:04:45,479 starts doing its TCP port scan across 118 00:04:41,100 --> 00:04:47,820 you know all 65,000 I also have unicorn 119 00:04:45,479 --> 00:04:49,800 doing the UDP scan at the same time in 120 00:04:47,820 --> 00:04:51,960 parallel because what happens is these 121 00:04:49,800 --> 00:04:54,720 are actually different containers and so 122 00:04:51,960 --> 00:04:56,099 there are actually different IPS and so 123 00:04:54,720 --> 00:04:57,570 the cool thing about this type of 124 00:04:56,100 --> 00:05:00,030 solution is and what I got really 125 00:04:57,570 --> 00:05:02,580 excited about is is that depending on 126 00:05:00,030 --> 00:05:05,669 how you set this up I never have to be 127 00:05:02,580 --> 00:05:09,750 worried about being blocked because eat 128 00:05:05,669 --> 00:05:10,948 the the pool of IPs is is huge and 129 00:05:09,750 --> 00:05:12,960 there's tons of ways that you can set 130 00:05:10,949 --> 00:05:13,620 that up I mean just depending on how you 131 00:05:12,960 --> 00:05:14,880 know you want to build your 132 00:05:13,620 --> 00:05:17,100 infrastructure you can essentially have 133 00:05:14,880 --> 00:05:20,190 it where you could literally kick off 134 00:05:17,100 --> 00:05:23,630 container that will be spun up in you 135 00:05:20,190 --> 00:05:26,130 know as a small little you know ec2 and 136 00:05:23,630 --> 00:05:28,289 every time you do a job it's gonna kick 137 00:05:26,130 --> 00:05:29,699 up a new one and you know so that's 138 00:05:28,289 --> 00:05:33,240 gonna be a different IP so you never 139 00:05:29,699 --> 00:05:34,950 have to worry about you know being you 140 00:05:33,240 --> 00:05:36,990 know scanning from home or so or 141 00:05:34,950 --> 00:05:38,219 scanning from your you know a VPS that 142 00:05:36,990 --> 00:05:40,530 you have or a box that you have on a 143 00:05:38,220 --> 00:05:41,940 network somewhere which for me is kind 144 00:05:40,530 --> 00:05:44,460 of cool but they also the good thing 145 00:05:41,940 --> 00:05:47,639 about it is is that the way they accuse 146 00:05:44,460 --> 00:05:49,138 work in pipelines you know that's so 147 00:05:47,639 --> 00:05:50,310 let's just say that we you know our 148 00:05:49,139 --> 00:05:53,160 whole thing that we want to do is we 149 00:05:50,310 --> 00:05:54,780 just want to basically do mask and to do 150 00:05:53,160 --> 00:05:58,080 all the IP you know to do all the ports 151 00:05:54,780 --> 00:06:00,359 feed the open ports to end map and an 152 00:05:58,080 --> 00:06:01,740 end map but do a more intensive scan on 153 00:06:00,360 --> 00:06:04,860 each port you know looking for the 154 00:06:01,740 --> 00:06:07,229 particular service and sending back that 155 00:06:04,860 --> 00:06:09,419 information to you or storing it and so 156 00:06:07,229 --> 00:06:11,010 the cool thing about using pipelines and 157 00:06:09,419 --> 00:06:12,750 this is where the the DevOps stuff 158 00:06:11,010 --> 00:06:15,150 really starts to become cool is is that 159 00:06:12,750 --> 00:06:17,400 the way that the queues work is I could 160 00:06:15,150 --> 00:06:20,880 have I could give it one domain or I 161 00:06:17,400 --> 00:06:24,989 could give it you know I could give it 162 00:06:20,880 --> 00:06:28,400 an entire you know wild-card subdomain I 163 00:06:24,990 --> 00:06:33,270 can say hey you know whatever here's 164 00:06:28,400 --> 00:06:36,270 4,000 yahoo.com domains and for each one 165 00:06:33,270 --> 00:06:38,760 it will kick off a separate pipeline and 166 00:06:36,270 --> 00:06:39,609 those are all running it those are all 167 00:06:38,760 --> 00:06:41,319 running in parallel 168 00:06:39,610 --> 00:06:42,669 not like obviously not all thousands of 169 00:06:41,319 --> 00:06:44,470 it depends on your resources but you 170 00:06:42,669 --> 00:06:47,469 could have anywhere from you know one to 171 00:06:44,470 --> 00:06:49,300 ten or twenty running at the same time 172 00:06:47,470 --> 00:06:52,840 and then what happens at least in my 173 00:06:49,300 --> 00:06:54,370 pipelines is as a period after nmap does 174 00:06:52,840 --> 00:06:56,758 like a more specific scan on those 175 00:06:54,370 --> 00:07:00,789 individual ports it then takes that data 176 00:06:56,759 --> 00:07:03,580 drops it into it it sends it on forward 177 00:07:00,789 --> 00:07:06,460 but at the same time it sends the that 178 00:07:03,580 --> 00:07:09,310 data to an s3 bucket and then I actually 179 00:07:06,460 --> 00:07:10,989 have Splunk go out to s3 every few 180 00:07:09,310 --> 00:07:14,440 minutes and grab that and import it into 181 00:07:10,990 --> 00:07:16,659 my into my dashboard so once it does 182 00:07:14,440 --> 00:07:19,629 that in at the same time I hope you guys 183 00:07:16,659 --> 00:07:21,669 can see that the like the the scaling is 184 00:07:19,629 --> 00:07:25,000 amazing but then also being able to do 185 00:07:21,669 --> 00:07:26,740 so many things in parallel you know that 186 00:07:25,000 --> 00:07:28,360 you just could not you'd always be doing 187 00:07:26,740 --> 00:07:29,949 those things linearly you know when 188 00:07:28,360 --> 00:07:33,129 you're manually doing it which is what 189 00:07:29,949 --> 00:07:34,900 I've just done for so many years so you 190 00:07:33,129 --> 00:07:36,789 know then after it basically gets those 191 00:07:34,900 --> 00:07:38,469 ports it basically just reps that out 192 00:07:36,789 --> 00:07:41,500 and says like hey are there any you know 193 00:07:38,469 --> 00:07:43,539 HTTP ports if there are I say oh well 194 00:07:41,500 --> 00:07:45,449 hey send it over to another pipeline I 195 00:07:43,539 --> 00:07:47,500 have seating over here just waiting and 196 00:07:45,449 --> 00:07:49,810 send a web hook over there with some 197 00:07:47,500 --> 00:07:52,300 information containing you know the the 198 00:07:49,810 --> 00:07:54,370 domain and the port and have what web 199 00:07:52,300 --> 00:07:56,770 grab just back some basic information 200 00:07:54,370 --> 00:07:59,860 about it and then what web basically 201 00:07:56,770 --> 00:08:02,370 does that takes it puts it out as I have 202 00:07:59,860 --> 00:08:04,900 it going to JSON which again goes to the 203 00:08:02,370 --> 00:08:07,569 s3 bucket which goes back into Splunk 204 00:08:04,900 --> 00:08:09,849 which also then says like hey if web 205 00:08:07,569 --> 00:08:12,969 comes back with certain things then go 206 00:08:09,849 --> 00:08:15,009 ahead and kick off you know go Buster on 207 00:08:12,969 --> 00:08:17,259 that and start doing directory 208 00:08:15,009 --> 00:08:19,779 brute-forcing and then take that 209 00:08:17,259 --> 00:08:21,520 information set it to another s3 bucket 210 00:08:19,779 --> 00:08:23,169 that would go back in this block and so 211 00:08:21,520 --> 00:08:25,960 what's really cool is is that it just 212 00:08:23,169 --> 00:08:27,789 starts to you know you put in one piece 213 00:08:25,960 --> 00:08:29,469 of information and then you're literally 214 00:08:27,789 --> 00:08:31,509 looking at a dashboard that just starts 215 00:08:29,469 --> 00:08:34,149 to populate like crazy with all this 216 00:08:31,509 --> 00:08:37,240 information and like I said depending on 217 00:08:34,149 --> 00:08:38,529 your resources and budget I mean you can 218 00:08:37,240 --> 00:08:41,320 talk about you know you're talking about 219 00:08:38,529 --> 00:08:43,689 scanning potentially you know dozens of 220 00:08:41,320 --> 00:08:46,480 domains or eyepiece all at the same time 221 00:08:43,690 --> 00:08:47,949 all in parallel and that information but 222 00:08:46,480 --> 00:08:50,170 it and it just doesn't stop from there 223 00:08:47,949 --> 00:08:52,029 so essentially what happens after go 224 00:08:50,170 --> 00:08:52,910 Buster finds particularly and then what 225 00:08:52,029 --> 00:08:55,520 I what I've also 226 00:08:52,910 --> 00:08:56,600 done was I have jobs that run because 227 00:08:55,520 --> 00:08:59,150 you can have pipelines are run on 228 00:08:56,600 --> 00:09:00,380 schedules so for instance there are a 229 00:08:59,150 --> 00:09:02,540 few people on the Internet to have 230 00:09:00,380 --> 00:09:05,060 really great word list and so what I 231 00:09:02,540 --> 00:09:07,699 have it do is on the schedule I say hey 232 00:09:05,060 --> 00:09:09,739 every night at midnight go to their 233 00:09:07,700 --> 00:09:12,320 github repos download their latest word 234 00:09:09,740 --> 00:09:14,330 list for whatever plus mine and my 235 00:09:12,320 --> 00:09:16,640 private github repo that I personally 236 00:09:14,330 --> 00:09:19,520 like combine it all together you know do 237 00:09:16,640 --> 00:09:21,980 a unique sort and then basically store 238 00:09:19,520 --> 00:09:24,050 it in this github repo and it does that 239 00:09:21,980 --> 00:09:26,540 on schedule every single night well like 240 00:09:24,050 --> 00:09:28,010 when go Buster basically kicks off the 241 00:09:26,540 --> 00:09:29,990 first part of that code that I have in 242 00:09:28,010 --> 00:09:33,410 that yellow file basically says hey go 243 00:09:29,990 --> 00:09:35,390 Buster go here and download my personal 244 00:09:33,410 --> 00:09:37,339 word list from my private github repo 245 00:09:35,390 --> 00:09:39,140 that's the collective of all the stuff 246 00:09:37,340 --> 00:09:39,920 that I really like and use that when 247 00:09:39,140 --> 00:09:42,920 you're doing your directory 248 00:09:39,920 --> 00:09:44,449 brute-forcing and so the the part of the 249 00:09:42,920 --> 00:09:45,890 schedules is pretty cool as well because 250 00:09:44,450 --> 00:09:47,210 it's like you can constantly keep all 251 00:09:45,890 --> 00:09:49,130 this stuff updated because I don't know 252 00:09:47,210 --> 00:09:52,190 about you guys but you know things like 253 00:09:49,130 --> 00:09:54,530 word lists and stuff are I usually 254 00:09:52,190 --> 00:09:56,090 update them right before I need them and 255 00:09:54,530 --> 00:09:58,760 I'm going out looking for like is there 256 00:09:56,090 --> 00:10:00,140 anything newer or cooler or what or you 257 00:09:58,760 --> 00:10:02,000 know like someone will have something in 258 00:10:00,140 --> 00:10:03,680 you know and it's the same thing for 259 00:10:02,000 --> 00:10:05,120 payloads I have a schedule that does 260 00:10:03,680 --> 00:10:06,530 payloads for like cross-site scripting 261 00:10:05,120 --> 00:10:08,110 because people will come out with 262 00:10:06,530 --> 00:10:10,189 something like somebody put something on 263 00:10:08,110 --> 00:10:13,160 Twitter the other day which was like a 264 00:10:10,190 --> 00:10:15,920 really nice wofe bypass for cross-site 265 00:10:13,160 --> 00:10:18,650 scripting and I was like oh that's 266 00:10:15,920 --> 00:10:20,990 really great so I you know added that to 267 00:10:18,650 --> 00:10:23,360 my own personal like little list and so 268 00:10:20,990 --> 00:10:24,620 again like palos dictionaries you can 269 00:10:23,360 --> 00:10:26,900 run these pipelines that just have it go 270 00:10:24,620 --> 00:10:28,550 out and get all this stuff put it 271 00:10:26,900 --> 00:10:30,470 together combined it's sort of do 272 00:10:28,550 --> 00:10:32,420 everything you want put it up to your 273 00:10:30,470 --> 00:10:35,570 own personal you know then upload it to 274 00:10:32,420 --> 00:10:37,069 your repo and so whenever you call jobs 275 00:10:35,570 --> 00:10:39,320 or you're doing anything it's like you 276 00:10:37,070 --> 00:10:40,580 note that it's always up to date and 277 00:10:39,320 --> 00:10:42,230 then of course if you want to get more 278 00:10:40,580 --> 00:10:44,900 complicated with it you can go ahead and 279 00:10:42,230 --> 00:10:46,820 take you know you can have notifications 280 00:10:44,900 --> 00:10:49,910 so basically sometimes I'll have 281 00:10:46,820 --> 00:10:51,860 notifications either I go directly to 282 00:10:49,910 --> 00:10:54,050 like a slack channel that says like hey 283 00:10:51,860 --> 00:10:56,420 you know the word list you know update 284 00:10:54,050 --> 00:10:58,310 it or whatever and then there's also 285 00:10:56,420 --> 00:11:00,589 like emails in case something happens 286 00:10:58,310 --> 00:11:04,459 like hey it failed for we know whatever 287 00:11:00,590 --> 00:11:05,769 particular reason but the what's really 288 00:11:04,460 --> 00:11:07,689 interesting is and this is why 289 00:11:05,769 --> 00:11:08,800 he's like kind of you know that's why I 290 00:11:07,689 --> 00:11:10,118 was kind of really curious about this 291 00:11:08,800 --> 00:11:12,609 talk about how people are getting like 292 00:11:10,119 --> 00:11:15,429 further than that because the the use 293 00:11:12,610 --> 00:11:18,189 cases get like incredibly complicated 294 00:11:15,429 --> 00:11:19,480 when you go past you know just like 295 00:11:18,189 --> 00:11:22,089 directory brute force and like when you 296 00:11:19,480 --> 00:11:23,709 start to make actual logic even just 297 00:11:22,089 --> 00:11:27,850 actually like when you start to do tons 298 00:11:23,709 --> 00:11:30,729 and like thousands of IPs just doing 299 00:11:27,850 --> 00:11:32,019 nmap stuff used and then you try to keep 300 00:11:30,730 --> 00:11:33,699 that's why it's Blanc is great and I'm 301 00:11:32,019 --> 00:11:35,980 I'm a big blunt guy because I like I 302 00:11:33,699 --> 00:11:37,540 like being able to throw in just tons of 303 00:11:35,980 --> 00:11:39,220 different data and different data 304 00:11:37,540 --> 00:11:40,868 sources and have Splunk be able to go 305 00:11:39,220 --> 00:11:42,999 ahead and handle it regardless of if the 306 00:11:40,869 --> 00:11:45,999 data changes over time and I don't have 307 00:11:42,999 --> 00:11:49,839 to worry about it but let me see if I 308 00:11:45,999 --> 00:11:52,079 can think of a real good way of so the 309 00:11:49,839 --> 00:11:54,910 the potential is pretty amazing to me 310 00:11:52,079 --> 00:11:56,439 especially on the and I haven't met too 311 00:11:54,910 --> 00:11:58,509 many people that are you know a lot 312 00:11:56,439 --> 00:12:00,610 especially on the like the dev it's a 313 00:11:58,509 --> 00:12:01,989 cop stuff it's more like they're you 314 00:12:00,610 --> 00:12:04,389 know we have this code you know we're a 315 00:12:01,989 --> 00:12:06,699 software company we do a commit it 316 00:12:04,389 --> 00:12:08,319 basically will kick off you know a some 317 00:12:06,699 --> 00:12:10,179 tool of a scanner that's going to scan 318 00:12:08,319 --> 00:12:13,420 that for you know could be you know HP 319 00:12:10,179 --> 00:12:15,069 whatever and it's gonna look for you 320 00:12:13,420 --> 00:12:17,079 know vulnerabilities in this code and if 321 00:12:15,069 --> 00:12:18,929 it does it'll fail the job or if it 322 00:12:17,079 --> 00:12:20,920 doesn't it will go ahead and push it and 323 00:12:18,929 --> 00:12:24,040 but being able to take that and actually 324 00:12:20,920 --> 00:12:28,179 start to do like a lot more technically 325 00:12:24,040 --> 00:12:29,799 difficult things beyond just like I'm 326 00:12:28,179 --> 00:12:32,799 trying to give you another example like 327 00:12:29,799 --> 00:12:36,040 so the way that I also have it is like I 328 00:12:32,799 --> 00:12:37,389 basically have a I have this all split 329 00:12:36,040 --> 00:12:39,129 up which is kind of like happening all 330 00:12:37,389 --> 00:12:41,529 in the background in parallel like I 331 00:12:39,129 --> 00:12:44,860 said which is you know if it finds an 332 00:12:41,529 --> 00:12:46,149 interesting you know like let's say I do 333 00:12:44,860 --> 00:12:48,610 a brute force directory and it comes 334 00:12:46,149 --> 00:12:53,919 across you know something like a you 335 00:12:48,610 --> 00:12:56,139 know you know my PHP admin I can 336 00:12:53,919 --> 00:12:58,119 basically have that kicked off to 337 00:12:56,139 --> 00:13:00,970 basically fine you know the version of 338 00:12:58,119 --> 00:13:03,579 that and then it basically uses like the 339 00:13:00,970 --> 00:13:04,720 API for something like vulner sore you 340 00:13:03,579 --> 00:13:06,059 know there's a lot of those now they're 341 00:13:04,720 --> 00:13:09,009 basically like hey here's the version 342 00:13:06,059 --> 00:13:10,988 that it was crept out is that vulnerable 343 00:13:09,009 --> 00:13:12,339 if it is okay great 344 00:13:10,989 --> 00:13:13,749 cuz like and I guess this is kind of 345 00:13:12,339 --> 00:13:16,089 where I should have started but like I 346 00:13:13,749 --> 00:13:17,319 said it wasn't prepared for this but so 347 00:13:16,089 --> 00:13:19,060 because my thing is it's like I'm not 348 00:13:17,319 --> 00:13:21,640 trying to basically make this 349 00:13:19,060 --> 00:13:23,439 completely you know autonomous you know 350 00:13:21,640 --> 00:13:25,750 hack all things kind of thing what I'm 351 00:13:23,440 --> 00:13:27,280 really trying to do is if I only have my 352 00:13:25,750 --> 00:13:29,200 I finally having allotted amount of time 353 00:13:27,280 --> 00:13:30,670 like let's say that I have like two 354 00:13:29,200 --> 00:13:32,800 hours tonight to hack or do whatever 355 00:13:30,670 --> 00:13:34,689 like I want to be as efficient as 356 00:13:32,800 --> 00:13:37,000 possible I want to basically look at a 357 00:13:34,690 --> 00:13:39,460 list or have alerts that basically like 358 00:13:37,000 --> 00:13:41,710 hey spend your time on these URLs or 359 00:13:39,460 --> 00:13:44,380 these domains or these IPS in this 360 00:13:41,710 --> 00:13:46,090 software right here and this is where 361 00:13:44,380 --> 00:13:47,140 and so that's currently where that's 362 00:13:46,090 --> 00:13:48,910 where my machine learning is going to 363 00:13:47,140 --> 00:13:52,540 start coming in is is that I'm gonna 364 00:13:48,910 --> 00:13:54,040 have these basically quantified entries 365 00:13:52,540 --> 00:13:57,430 of this is where I should spend my time 366 00:13:54,040 --> 00:13:59,170 at and then as I'm doing manual things 367 00:13:57,430 --> 00:14:00,520 on there all like let's say that I'm 368 00:13:59,170 --> 00:14:02,439 running a burp suite and I'm doing other 369 00:14:00,520 --> 00:14:04,300 stuff that's all going back into Splunk 370 00:14:02,440 --> 00:14:06,580 and then as I actually begin to find 371 00:14:04,300 --> 00:14:08,290 vulnerabilities that are not false 372 00:14:06,580 --> 00:14:11,650 positives and are actually executable 373 00:14:08,290 --> 00:14:13,480 that data feeds back into it to make the 374 00:14:11,650 --> 00:14:15,010 decision of like well hey here's a 375 00:14:13,480 --> 00:14:16,630 cross-site scripting vulnerability that 376 00:14:15,010 --> 00:14:19,060 actually works in here 377 00:14:16,630 --> 00:14:20,350 what other don't you know out of all the 378 00:14:19,060 --> 00:14:23,050 domains that we've looked at what other 379 00:14:20,350 --> 00:14:24,970 URLs are similar to that and let's try 380 00:14:23,050 --> 00:14:27,939 that same payload in those ones and 381 00:14:24,970 --> 00:14:29,740 record the results out of it and so it's 382 00:14:27,940 --> 00:14:31,510 kind of like imagine if you had all of 383 00:14:29,740 --> 00:14:33,940 your pen tests from all of the years 384 00:14:31,510 --> 00:14:36,160 like every tool that you ran in a 385 00:14:33,940 --> 00:14:37,810 central location and every time you do 386 00:14:36,160 --> 00:14:40,060 or learn something cool it can literally 387 00:14:37,810 --> 00:14:42,400 go back and try it on all the previous 388 00:14:40,060 --> 00:14:43,719 stuff that closely matches what you're 389 00:14:42,400 --> 00:14:45,640 looking at like what you're working on 390 00:14:43,720 --> 00:14:46,930 right now so that's kind of like the 391 00:14:45,640 --> 00:14:48,640 idea of it's like it's really just about 392 00:14:46,930 --> 00:14:50,079 like efficiency it's not about it I 393 00:14:48,640 --> 00:14:52,210 really wanted to have just the highest 394 00:14:50,080 --> 00:14:53,440 probability of you know I'm gonna be 395 00:14:52,210 --> 00:14:55,090 able to spend two minutes and say yes 396 00:14:53,440 --> 00:14:56,710 this is vulnerable to this this is right 397 00:14:55,090 --> 00:14:58,660 here great move on to the next one move 398 00:14:56,710 --> 00:15:00,310 on to the next one rather than having to 399 00:14:58,660 --> 00:15:02,319 spend so much time you know just working 400 00:15:00,310 --> 00:15:03,670 on recon and scanning and stuff like 401 00:15:02,320 --> 00:15:07,210 that and sitting there waiting for tools 402 00:15:03,670 --> 00:15:12,000 to to run so uh yeah I guess that's it 403 00:15:07,210 --> 00:15:12,000 so ok thanks a lot appreciate