Conducting Massive Attacks With Open Source Distributed Computing

Video in TIB AV-Portal: Conducting Massive Attacks With Open Source Distributed Computing

Formal Metadata

Conducting Massive Attacks With Open Source Distributed Computing
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Distributed computing is sexy. Don't believe us? In this talk we'll show you, on a deep, practical level and with lots of (mostly Python) code, how a highly automated and effective computer network attack could be crafted and enhanced with the help of distributed computing over 'Big Data' technologies. Our goal is to demystify the concept of using distributed computing for network attacks over an open source distributed computing cluster (Hadoop). By the end of this highly demo-focused talk you'll have an understanding of how an attacker could use three of our open source custom-written distributed computing attack tools, or easily build their own, to do whatever it is that they're into (we don't judge). Alejandro Caceres (@DotSlashPunk) is a software developer, web application penetration tester, and security researcher. His main interest is in the nexus between distributed computing and network/application attacks. He is the founder of the PunkSPIDER project, presented at ShmooCon 2013, which is an open source project to fuzz the entire Internet's web applications using a Hadoop cluster. He's also the owner of Hyperion Gray, a software development company focused on open source projects in the area of distributed computing as it relates to security. He didn't know how to work in shamelessly mentioning the DARPA Cyber Fast Track research project he is also working on (Web 3.0, also being presented at DEF CON 21), so he just wrote it in at the end of the bio. He is very classy.
thank you mr is. at all just happened on the. we're leaving go from here really. let's get started with the stock stark lesson computer security and not wouldn't titles. right. what's the us that. i can infuse the. i'm in pain but thank you. both the growth think the uk a cool. but only one thinking i'm good thinking oh yeah you know thanks to ship it was great fun. So that's like a little hidden perk they don't tell you about for the speaker's package: you get a nice cool that she had access to speakers room and a little bit of asked watching some of. Anyway, let's go ahead and get started. So welcome everyone, thanks for coming to my talk, I hope everyone is enjoying the conference so far. So: Massive Attacks With Open Source Distributed Computing, and I'm going to tell you all what all those words mean together here in just a minute, so hopefully you enjoy it. So who am I, just up here talking to you? I'm Alejandro Caceres, you can call me Alex, the owner of, pretty much everything of, Hyperion Gray. It's just a small R&D open source startup. We're completely focused on the nexus between distributed computing and offensive security, so I think there's huge potential in the field, and hopefully after this talk you'll agree with me. I studied physics back in college, and most of my research was focused on distributed computing with scientific experiments, and I'm really just hoping to branch out into breaking shit, so that's where I'm from. I'm also the founder of the PunkSPIDER project. Has anyone here heard of the PunkSPIDER project? Wow, sweet, more than like five people. That one's unexpected, that was awesome. So I won't say too much about it because we are going to get into it here in just a couple slides. So just a little background: I came up with this talk after presenting PunkSPIDER at ShmooCon. Word got back to the CEO of my company at the time that I was building a cyber weapon, which, PunkSPIDER's like, it's a community-focused but the case.
in security project, so that's like the most ridiculous thing I've ever heard. So after laughing about that for a minute, I kind of got to thinking: you know, what would it take to actually build a distributed attack platform, right? So the different examples I'm going to show you here today are just kind of what came out of tinkering with that idea. So there's also three demos in this talk, it's really highly demo-focused, so definitely stick around until those. as for us. i asked her to know. So let's get into it. To start off, distributed computing is really big right now, you've heard a lot about it. There's all kinds of IBM commercials and stuff like that. You hear "big data" a lot, it's a nice little buzzword. So a big reason for that is that we've seen some really cool stuff come out that makes the processing of things really, really easy. The sort of it is that pretty much all folks are doing with this is lots of powerful analytics, which is kind of cool, right? Analytics, a quilt will like that, but I'm really into that kind of thing, it bores me a little bit. So I've been kind of looking for more interesting use cases for distributed computing. A couple of technologies that have come out are Apache Hadoop, which is an implementation of the MapReduce parallel programming concept. I'm going to get all up in MapReduce here in just a few minutes, so I won't go too far into that right now. So I asked, you know, when it will explore through, what exactly is some fun stuff that we can do with distributed computing? The answer, of course, is massive attacks with open source distributed computing, which you might notice is the title of my talk. So what's the high-level idea behind this series of attacks? What exactly do I mean when I say something like massive attacks, right? So what I'm talking about here is conducting really well-known, effective attacks, stuff that has a relatively high rate of success, and doing that hundreds, or I'm sorry, hundreds of thousands or
even millions of times, even in a really coordinated and effective manner. So what I've found in my research into this so far is that on hopeless and so much was boilers that you can break into so many things that part of the problem's going to be dealing with, like, what do I do with all this broken shit? What do I do with all this information from the stuff that I've broken? So direction I can get too far into, you know, what we do with that information afterwards; we're going to be more interested in the breaking of things, if you will. as it's really with the sofa or cool nights like as not in fact Let's define what we mean by a distributed attack. By this I mean an attack that uses various computing resources in an effective and coordinated manner. So why do we want to do this? Really, what's going to be to our advantage? One is that the time required to attack a massive amount of things, and again, remember I'm talking about hundreds of thousands or millions of things all at once, is that it could take a really long time to do this. So you want to be waiting months, even potentially a year or years, for an attack to finish. It's not just annoying and just impractical, but it also allows for response teams for the particular targets we're talking about to respond in lots of different and complex ways. So you kind of want to bang out the attack, get in and get out sort of thing. So just to give you an example, picture a target of like two hundred and fifty thousand web applications, for example, associated with a particular target, right? So this could be every web application associated with a country, for example. So let's say you try to run just basic fuzzing followed by like an automated SQL injection kind of thing. So with a really optimistic estimate, doing this in a non-parallel way might say something like a minute per target, and
it's pretty optimistic. That means you end up with something like one hundred seventy three days, hundred seventy four days, to actually finish that attack, which, we don't want to wait that long, for obvious reasons. If you think that target number is unrealistic: I've mentioned PunkSPIDER a couple times already; we've done checks on about one point three, one point four million sites so far, and our target is two hundred fifty million sites. So it's a completely realistic target when you're talking about a really, really large attack, right. So why else? so well so Sometimes you need a little bit of coordination between your computing resources, right? So again, picture a large-scale attack on a massive network, maybe like a fairly significant portion of the internet, for example, and let's say that you realize that in order to conduct that attack on a large scale you're going to need more computing power, right? So like I said, we don't want this attack to take too long. So in an uncoordinated manner, maybe you spin up some cloud servers, something like that, and you can just start a bunch of attacks sort of in a dumb way, just as you'd expect. Maybe you have a little script that runs and executes the usual commands on each machine, for example. So you start running into a whole bunch of problems with that, right, if anybody's ever tried to act like that. You know, so you may want to know, like, when an attack is actually finished on one of those nodes, right? So once a node has finished its part in the attack, you've just freed up some computing resources, and in order to make your attack as efficient as possible you want to be able to run more stuff on that node.
That's not really going to be possible in this way unless, you know, you can hack something out, but it's not going to be ideal. So another issue that you run into is: how do you actually make sure that your computing resources are kind of pushed to the limit? You might have lots of different types of servers, maybe you're running this in your basement somewhere on commodity hardware, so how do you actually know that all these resources are being pushed to the limit and you're using everything that's available to you? You can hack out some kind of, writing code, something that monitors the resources in a particular machine and ensures that it's using all of them at once, but again that's not going to be ideal, you're going to spend a significant amount of time on that, and we want to be able to do this relatively easily. So if all this just sounds kind of hard to do, there's been some really great advances in the field that make this actually not that hard to do, that basically solve every single problem associated with using large numbers of nodes to conduct a coordinated attack. I'm going to get into talking about some of these and then move into the three examples and three demos that I talked about. So for the most part we're going to be talking about one of the best and most popular tools out there for distributed computing, which is Apache Hadoop. You guys are familiar with Hadoop and know everything around it already? That's what I expected, right, of course. So we do need to go over some background on what Hadoop is, just bear with me if you already know this. Coming from a scientific background myself, I have used a couple different calls for message passing for distributed computing, like MPI, which mainly has support for Fortran and C. So I myself had to deal with a Fortran MPI application; it was actually a real pain in the ass and not something that I would ever want to do again. That's Fortran 77, which is ancient stuff. So
but if we get into how Hadoop works, which is through MapReduce, I'll show you, if it's implemented right, which it is in Apache Hadoop, it gets really, really easy to write code that can parallelize your tasks really quickly, and you don't have to do that much work. I'll show you all about how you would do that. So I've mentioned MapReduce a couple times already, but what exactly is it, right? Are any of you guys familiar with MapReduce, the parallel programming concept? Ooh, also a pretty good amount of people, awesome. So let's say you have a problem you'd like to distribute across the nodes. MapReduce works: you start out with what's called a map function. So I'm actually going to go very in-depth into MapReduce. It might appear a little bit confusing at first as to why we're doing things the way we are, but don't worry, there's a couple more slides on this that will illustrate all that for you guys, and also a couple really good examples that make it simple, so just bear with me if you don't get all this all at once. So first thing you do is write a map function. That function's really simple: it just takes in data as key-value pairs and outputs a set of key-value pairs as its results. So that function's written such that it's a single operation on a single key-value pair. So as the person writing it, you're just writing this for one input at a time. You don't have to worry about all that massive amounts of data; you're writing it for one input record at a time only. This is automatically distributed across the cluster in Hadoop, this operation, for each of your key-value pairs. Each machine in the cluster has the map function, and it has a set of key-value pairs that it's responsible for doing whatever operation it is that you'd like your map function to do.
So I like to think of the map step as the part that generates somewhat processed data, if you will, in a distributed manner. It's usually not the solution to your problem, although sometimes it can be, but it's pretty simple: it's input key-value pairs, run a map function on all the machines in the cluster, and outputting key-value pairs after that. So pretty simple. After the map step is done, you move on to the reduce step. There can be some intermediate steps for some additional processing, but generally you move to the reduce, and the input of the reduce step is really simply just the output of the previous map step. So a partitioner is going to take the values from the map step with common keys and distribute them such that one node in the cluster is responsible for running the reducer function on all the values with common keys. So this is again distributed across the entire cluster. So reduce is usually the part that gives you the solution to the problem. And I know that was like a lot of words that I just said to you, and it might be a little bit confusing; there's a couple slides that might clarify this if it's not completely clear. the face. as the starting to show up for a second I'm going to let you guys read through this for a minute and get a little water, and then I'm going to read through it myself, and hopefully this will make things a little bit clearer, along with the example afterwards.
the. the. it's opel's lineup maybe not but there's all this happening Just in summary of what MapReduce is: key sub one, value sub one is our input to a mapper function, right, and that function's distributed across the cluster, and you get a list of results with the key, so that can be, you know, something like key sub two, value sub two; key sub two, value sub three; key sub two, value sub four; and so on and so forth for each key-value pair. All the values with the same key, key sub two, are logically grouped together, and a reduce function will then be applied to this group in parallel, so that's for each group, and then you'll get something in return; so these are usually what we would call our results. So a common question when you're kind of first dealing with MapReduce is: well, why do we do it that way? What's the use of having the values with the same key grouped together? I'm going to show you exactly why we do that here in just a minute, just in the next few slides. So a few things to keep in mind: once you write a mapper and reducer, it's going to be distributed to the remote nodes and slaves automatically, so you don't actually have to deal with anything that's actually distributing things and doing it when things happen or where things happen or why things happen in this place is that they do happen. So Hadoop takes care of a lot of really important parts of distributed computing, things like, like I mentioned, automated fishing for remote nodes, automated assurance that the job's going to get done. So if, for example, you have a node that goes down, it just very seamlessly sends it to another node, and it's able to detect it. It actually takes it a step further, from dealing with nodes that go down to actually expecting that nodes will go down, so you can run it on really shitty hardware all the time and
get really solid results from it. So what else? There's also a few configuration items that you can consider in Hadoop that are really useful. So I mentioned before that you want to be able to push your resources to the absolute limit, right? You can do that very easily with Hadoop in just a couple lines of configuration. You don't have to deal with, you know, going to each of your nodes and figuring out some kind of code to make sure the resources are all being pushed to their limit. Hadoop will actually do pretty much all that for you with just a couple of configurations. critical. it's not so it's going in that specific example on So first off: I have very few complaints about the distributed computing community and Apache Hadoop and all the really nice, useful community behind it. The one thing I could complain about is that if you look at MapReduce and just google it, try to find some really simple examples of it, the only freaking thing you're ever going to find is a word count example. So that's really annoying, because once you just start seeing the same example again, if you don't quite get it at first, you want to see another simple example that'll kind of help you out. So it always seems to me like with Hadoop you're either reading a word count example or you have to, like, pour through hundreds of tons of Java code just to figure out something really, really simple. Also, word count's really, really boring; all it is, essentially, it counts the instances of a word in a particular piece of text. So that's kind of lame. So a better example to give to you all: this example is a tool called PunkSCAN. So PunkSCAN's a free open source tool Hyperion Gray released, it's a web application fuzzer,
and it's what powers the PunkSPIDER project that I know I've mentioned a couple times and haven't said much more about. So picture a situation where you have a list of URLs, right? You have a ton of URLs, potentially something like a few hundred thousand or even a million or so. We want to be able to perform a MapReduce job in Hadoop to fuzz these URLs quickly and search for vulnerabilities on the pages. Another constraint that we're going to place on the job is that we want all the vulnerabilities associated with a particular domain to finish at the same time. So this is going to help you out: you don't want a bunch of disparate URLs being returned as a result, just, you know, without any care as to who they actually belong to. And this is where we're going to see that the way that MapReduce works, by grouping the specific keys together during the reduce step, is going to help you a lot. since so it's no good everybody so good it's i'm not somebody call this. What does the job flow look like within something like PunkSCAN? So as I mentioned before, we start with the mapper step, inputting key-value pairs. What we're doing here is we just care about a list of URLs in this case, so our input key is going to be none, so we don't really care about the key; in this case our URLs are going to be the value. So essentially what this does is it makes it just a dumb list, right? We're not associating anything with a specific URL, not yet at least. So we write a map which is going to be applied to each URL in parallel. Again, the mapper essentially just fuzzes URLs using a really simple fuzzing library that I wrote and then determines the domain of the URL, and that's it, that's all the mapper is going to do. So after that, its output, which is going to be the domain of the URL that was fuzzed as the key and the list of vulnerabilities for that URL as the value. So any vulnerabilities that come out,
it's a list; you get the key being the domain, value being a list of vulnerabilities. So keep in mind that all this is going to get distributed across the cluster for you, so the URLs are going to be fuzzed in parallel as much as possible, and that's all done completely in an automated way using Hadoop, so we don't really have to write any of that logic ourselves, which is really, really useful. So now, because the domain of the URL was the key of the mapper output as well as the input of the reducer, right, keep that in mind, the reducer for each URL with the common domain is going to get sent to a single node for processing. So the reducer's going to run in parallel for each group of URLs with the common domain, and all that of course is going to get distributed across the cluster as well. But what you're seeing already is that each domain is going to get handled by a particular node at a time in a specific reduce step. Now why is that actually useful? The reduce function is just a combine, just outputs a, so it does have some other, the reduce function does combine the list. I think that fox is hitting me like right about now, by the way. i like all of our. Anyway. So the reducer function does combine the list of vulnerable pages into one big list for a specific domain, then it's going to index them to a back-end search engine. In PunkSPIDER we're using Solr, other back end, which one that have a choice because we're adding a search engine, Apache Solr's a search engine back end. But overall that's pretty simple, right?
But how easy is it to code, really? I keep mentioning coding up a mapper and reducer, but it's still kind of abstract to you guys, like, what does that look like? I keep mentioning it's easy to write, but what do I mean by easy? Do I mean like one hundred lines of code, two hundred lines of code? So I'm going to show you this. Don't worry about actually reading all of it and, you know, doing a thorough code review or anything
like that, but just take a look at it. If you notice, it is about twelve lines of actual code and it's written in Python. So that's our mapper right here, and up next is going to be the reducer, which, the reducer is just like ridiculously simple, it's like six lines of code.
I noticed a couple things in the mapper and the reducer. First off, as I mentioned, they are written in Python. What we've done is use a function in Hadoop called Hadoop Streaming that reads from standard in and standard out to partition, set up the job properly. I don't want to get too far into how exactly you would use that, but suffice to say that it's just a bash one-liner to run a job in MapReduce after you've written your mapper and your reducer. If you're the kind of person that really wants, like, many details on how to run all that stuff, how to write mappers and reducers properly, specific to offensive security, follow me on Twitter, I'll give you all those handles in a bit, or our blog, where we're going to be posting all the shit really in detail, so if you want all that, definitely keep in touch. since nothing about The point was that the mapper and the reducer that I showed you are really the only part of PunkSCAN that's distributed-computing focused, right? In other words, if you actually download it, which you can off of Bitbucket, you'll notice that most of it is actually pretty standard stuff, right? We're not doing anything to create, to distribute this code. Essentially it's, you know, a standard fuzzing library that I've written, some Solr indexing stuff, some other, you know, fairly simple things, but then you see also a mapper and reducer, which again is the only part of it that's really distributed-computing focused. So what we're really trying to get at here is that there's nothing really too mysterious about writing your own distributed-computing-focused code. If you understand the basic concepts, you're really going to be able to write distributed attack code relatively easily. as falling asleep by the way and that's killing the a m. it's so hopefully that will prevent that from happening. what's that. drink near him. so. i. so. Drinking will help, will help from people, keep them from falling asleep, right. i feel good idea of of the right so.
sometime after mentioning that stark as much as i was but all have been doing is is talking at you so we need to stop. it's the first off first i'm going to show you this punk spider. obviously first thing we want to do here is read the banner so we're providing a lot of vulnerability information on a bunch of sites that we don't own so this banner's really important and and i do take it pretty seriously goes to provide free information the website users and owners regarding website security status so that means you go on the site look for vulnerabilities what i'm really hoping for to. the use with his if you're a site owner or a site user to know the vulnerability state of that site right so you're out there giving a credit card number or any kind of personal information you want to make sure that that's not being the all over the place this really what the site is being used for on its don't want to take. so a couple things you can see here to everybody see that are cases that come out over their perfect so couple things we can do here on we can search by a particular url or by the title of the site so it's going to go and search by url done here is very specify the on specific vulnerabilities that.
we like the sites to have that you're searching for right so we're going to go and check on them. this changes it from and and orange or query three to say basically any site with the search turned out i tie in with any type any of these types of vulnerabilities and these are been sql sql and and process working on its. well enough to have actually going to do one better we're going to search for every single site that has vulnerabilities and so you can it supports wild card characters so you can just go into a little star and you get absolutely every site in the database and it's going to be done back to on think it just a second search because that's actually a large query right there.
but not too long. so it's called on the start seeing sites that are essentially a mess right these are vulnerable sites that if you are a user giving your personal information to any of these sites you'd be pretty pissed off right says.
it's got out of the bottom we actually see the number of pages of vulnerable sites six thousand one hundred sixty six just to be clear on this a lot of articles on punk spider got this wrong after we presented at shmoocon but this is six thousand one hundred sixty six pages of vulnerable domains. so within each domain we can have several vulnerable com websites and vulnerable pages of ten domains per page so that's sixty one thousand six hundred and sixty vulnerable domains and within each domain if we go ahead and expand it search of from with more than.
on within each page for each domain we have several vulnerabilities anyway long story short what i'm trying to get at is there's a lot more vulnerabilities in here than six thousand one hundred sixty six it's right up at about three hundred thousand or so so far as this is all made possible by using punk scan as i mentioned punk scan is what powers.
this on the back end and making it distributed over actually a relatively small hadoop cluster and pushing our resources really really hard allowed us to get this level of data now actually the main issue that we've had with spider is usually terms of service stuff so we try to run the stuff on cloud servers and you know we've been through bunch. proxies and something that but i guess they have some kind of monitoring up on a lot of times and we've gotten the a long story short i get kicked off cloud providers like all the frickin time it's really nice. they work for cup run here by the way. anybody that cut back their which one. however experts are. she wanted to much more because i we have proper ridership but anyway. if it's one of the get down actually showing you a specific record you can actually sort of see sort of picture the map reduce job running here if you look at one of the specific records right working at ajax a dot si and i've no idea what the site is or what they do on something with ajax maybe on so you can actually see the parameters. you can actually see a something the injection the parameters and and reading the output so you see that this one's looking for me some in a little bit more cut idea over here and then we see it moving to the next premier page over here and i'm just the kind of moving down right of those are map steps that i was talking about are essentially just taking a url iterating through the parameters attempting a few basic basic really safe by the way injections and reading the output are doing anything else without were not exploiting any vulnerabilities obviously or anything like that we're just providing this back to the user in order to be used for around.
good things and not bad things some of his life for their for some reason i'm anyway so it's going to fire and what made all this possible what allowed us to basically target the entire internet is distributing this job was actually would not have been part of it would probably have like ten. thousand sites done here if we hadn't been distributing this and and using hadoop to help us push our resources as well as coordinate all this stuff and a really simple matter. that's punk spider.
but i think a prankster.
making its. i so surely some stuff and now want to get into specifics use cases of that i was just an example the kind of whet your appetite right that's what you're going to see his is me showing your explaining demos so we're going to cover three areas and the tools related to each one is one of this one is distributed recon best example of this is actually and which have. already talked about some going to run through this really really quickly. it's actually just want to greatly speed up repetitive tasks right lot of network application reconnaissance on targets is just repetitive tasks when you're dealing with massive targets were not getting into really low level complex attacks were getting into common stuff that succeeds a lot his article. the thing i really did want to say about distributed recon and writing your own map reduce jobs and things like that is to always be careful to consider your problem right. are you need of cpu memory bandwidth what exactly is it they are trying to solve so with and we had the issue is that we just need a faster fuzzing right we have to figure out what what will help us fuzz faster is it or get any bandwidth the beginning the cpu memory. which of the do a little bit of research in order in order to figure that out if you're interested in the days of that and this was presented at shmoocon this year check out the video it could cause a lot more detail the short of it is that cpu and memory were far far more important than any kind of bandwidth so this actually turned out to be really useful for us because distributing the job we knew. really going to help us and it turned out it did it help us a ton so just always consider your problem be really careful before you write these things as. i the next one is really fun.
so just be clear and just as i've mentioned don't misuse punk spider don't attack the sites on punk spider that's really not what it was built for and i would become oppressive on at the people were actually using it for that. we're going to look at what we could do with that type of information if we were complete dix will what he wants to read the actual exploitation phase right so mostly because it's fun and that's the fun thing to do and we like distributed computing to but also for the same reasons i've been mentioning all long right we want to speed up our attack and. we wanted help us coordinate our research it's so damn example when i'm going to show you is a distributed version of sqlmap was how many of you are familiar with sqlmap. such an automated database take over and stealing tool kind of thing really really cool to is presented the left and i think like one four years ago something like that. that's probably completely wrong as presented that kind of some point i have no idea when i kind of made up that number on the fly. so an example to show you. all this stuff is the source of the source code is going to be available online immediately after the conference so definitely take a look at it if you want to know more about it it's in the proof of concept phase right now not what i would call real tool just yet but if you're coming to derbycon i am going to be presenting on a. the refined version of this to you can actually use and and has a lot more features than what it has current the other way than in the tool is called mr injector so the reason for this is a more people snap produce right so injector because injection obviously so m.r. injector and i had turned into mr injector.
but i think it's kind of funny like literally nobody else has ever thought that i was a funny name for anything but that's kind of just how i work and also my head like a picture it was like a cross to make mr doughnut and mr peanut and it's just it's amazing for me but nobody else really thinks that the us for educating in any way of so. first going to move on. it's so we set the stage for here this is the next demo screen you're seeing is divided into two parts rights of the left hand side it is a sqlmap owning targets in a non-distributed manner is written kind of just what you'd expect it right you you have a simple python or shell script run sqlmap on targets and around see just.
and ago one after the other exactly how you would scripted if you didn't want to spend too much time i write. right hand side uses distributed computing through a cluster to conduct the attack. so this is a real attack running on a test bed of servers so even those of us but of service is an actual attack that we conducted and what you can see is a series of you see those shells run by enough to read that too much under them you're going to see little red squares pop up each time a target has been owned by. own i mean that we're actually stealing the system hashes so. take a look and what i really want you to pay attention to is the rate at which these things that i could actually be pretty obvious what i want to look for. in this is not a simulation we didn't just you know do a bunch of calculations to see if this work we actually ran this attack and and. recorded it to show the guys were also kind of jumping in in the middle of the attack pull things just barely saw making it the demo but important thing is the rate that you're seeing here. the. there's an easy target get on this is actually real time this is not set up in any way or anything like that for real time targets being owned and you see that obviously the right side is much much much faster. even though i look at the left side almost kind of pulling for right i'm always i are come on little buddy let's go. what they're saying there's another on our eye. one point. it will continue to run and i'm going to stand here are currently while at the run. the feeling that alcohol even more now. how many mappers on. i believe we were running something like ten mappers per node ten nodes. that's what is running in parallel so already see that just with a relatively small cluster with ten nodes. greatly greatly speed up the attack right that. the greatly speed up the attack on.
now sixty one targets in forty five seconds so we have under a second per target and what makes this really possible it's not just the fact that you have more computing resources it's really not it's the fact that you're able to push those resources to the absolute limit with really simple code enough to get into really complex off in order for that to happen. so my goal is that what i really wanted to show you is that these techniques actually work so maybe there's some skeptics out there are things like oh well bandwidth is going to be a limiting factor here at the same gateway that's just not going to work in the sec so i don't stock first of all and next of all it actually works.
so shut up and magic person for us. this is an example of the mapper that i wrote actually this is a really really early version of the mapper that i wrote it. it's really simple right its python code we're doing is we're running a a simple like subprocess.popen which just runs the shell command and replacing url with whatever input that we have right really really simple code and this actually works if you're to run this mapper through hadoop streaming it would actually work now that what we've done is we've gone back and refine a little bit with. a help my friend mark was right there in the red shirt we refined that a good amount but this code actually works and runs really really well so as you can see that's what like i'm in this like ten lines or something like that really really simple.
it's. right so the open of the tool its output in the what's called the hadoop file system is something else that's going to make all this stuff even more or even easier for you so hundred thousand sums a virtual file system that's distributed across all the nodes it's fully accessible on absolutely any node that you have out there so you have to worry about on. what node it ran on in order to retrieve the output you can actually be on any one of your distributed nodes just grab it from anywhere and you have that information just read your disposal for whatever it is that you're into the with with that information so it really really convenient so wound up with right wind up with a bunch of password hashes and we need to do something with these right i mean well. so we've been here for just on a large amount of targets and always really cool is if only we had a really fast distributed password cracker. as someone tell you about a really fast distributed password cracker that i wrote we've conducted reconnaissance on a bunch of attacks right way we have exploited a massive number of targets and the stone a bunch of password hashes so these actions could take a long time to crack were impatient we want something that's pretty a patient not time intensive not super expensive. the and and we don't want anything that uses any kind of specialized hardware right but don't want anything that the were going on to gotten by a bunch of gpus are something that we just want to be able to click a few things and cracks a mash right. it's so you might notice in the previous examples i made the assumption that you can build or have access to enough machines actually run hadoop cluster that's actually not that hard for anybody the same kind of intimidated by that separates and that's really odd a simple process there's a bunch of guys out there you can get a really decent one running with you know eight.
or ten nodes running like a couple hours so it's really simple let's say that just really busy you don't want to deal with all that and what you want to do is you want to be able to click a few buttons and just have an instant cluster to use force so i'm going to show you how you can do that and and. crack a password over the cluster by using hyperion gray's custom built tool which is called crack. so immediately that this was an extremely simple tool to write. the job of actually on distributing that stuff was not trivial do you actually have to worry about how is that they're going to partition the stuff i mean to me when we started this it was it's really simple right i mean each operation you're just you know your hashing a string and comparing it to another hash seems simple enough it's easily parallelizable i think that. so we're not on. and and seems really easy to do but what you run into is that hadoop is expecting as its input a massive list of things right. we don't really have that massive list in a usable way right if we were to try to just like compute all the hashes and input a list from a file that should crash for any reasonable password right so it was a little bit complicated we had to write our own little language that could result represent a series of characters in order to distribute this job. i think i'm actually getting close to the in here but what i'm going to show you is spinning a powerful cluster over amazon's elastic map reduce service century all this is a point and click spend up to what it costs to run this job and get me on the way sort of thing really cool for all and yet lasting there's lots of ways to crack passwords i'm not claiming this is the best way. the fastest way the most efficient way anything like that just say it's and option and something that you can have in your tool belt if you don't mind spending some money for convenience for a cracker. this is a really good technique. this. actually really long view.
they go right so what's going on here let me go and talk you through this i started out.
every start up as showing really screwed up screen there you go so here i just can't really see that ok by the way.
sort of walk through it anyway door about it. all a concert it's ok. so screen the full screen windows media player this little thing.
yeah that didn't help ayala slam that's less i wasn't anybody and afghan ever for anything or so into his i'm specifying i knew what was called the job so this essentially just as setting your basic job configurations copy a few things on doing is i'm telling at the location of the jar and a few basic arguments on the jar.
when the script for this is a really really freaking cool screen right so what's going on here and specifying my instance types and my instance numbers so i'm telling it how large to i want this cluster to be at the top is the master node is an extra large machine for the master node which is a pretty big machine on amazon's ec2. of the for my once lived machine i said a cluster compute eight extra large which is a thirty two processor machine which is pretty big and then at the bottom over here where you see the seventeen setting it to again really larger side of about nineteen nodes here and i really wanted to show you this demo with like some extra. zeroes so i would be like one seventy or even seventeen hundred and you could pretty much practice was like that but that does get a little bit expensive and you have to be careful how you use that because you need a special permission from amazon and they already kind of hated me so anybody from amazon here. i know that it was on that they have some really powerful stuff and some really cool stuff but. the. so we're doing here is where god configuring the node to. they are going to skip around us so we're doing here if you see down here where it says one bootstrap action created what it didn't specify one minute ok but i didn't specify on one particular action to do on this across the cluster before your job actually starts what i did there was i set the number of. mapper tasks so that's the number of parallel task that occur on each node and that's what i'm talking about where i say you can push your resources the absolute limit was really really simple configuration items long story short because i'm running out of time.
in case you can't predict what's going to happen you crack the hash and it's done and you did that in a completely distributed manner pretty quickly.
and that's on crack.
i am ok.
art anyway i hope you guys have enjoyed it. no you can't finish yet no no let up way you need my time as an injury time in office them out. ar. rebecca know or your first time speaker defcon i am you or i am but i presented earlier to know a great you're the guy with the thing rate ok i'm going to we're not here for you because we already shot you however we learned rebecca back up please come to embrace the river because talk. one could i was a acra i did not do a shot so rises so we're going to fix that right now and rebecca. the like start a new tradition she is going to take tylenol with her shot. so that's awesome had a shot last name in go away. you are. of the room. three. to me. i was doing here that's no no don't touch it is not done yet to all right thank you are right. here's a republican. actually the age when they use now you can finish her. but she and things are coming in. a board china. because the whole thing. have been just a. the young babies that is appreciated. that's making was worth at least a moment and so differently enjoy this whole thing. short of it is distributed computing is is awesome when you need to run are extremely kind and for him at this point. one when you get when you need to run a massive attack. oh one more shot. so in a year ago. i. once you was a boy. considering i'm not going to have time to go home and shower before i get on an airplane the person the people on both sides of me on the southwest flight are going to love me. actually. well as though it is very little red of liquor a literary have liquor more bruce somebody in a you again. i. well. a mixing the big thing that the with a row. the discovery. i'm doing it for you all. here's years. i. the. you know distributing you know the ship to you so. where you can go from here on what way into my where am i. so just drink something drinking and.
so different injured through the concept to hear what effect does this mean for you rights of leveraging distributed computing from an offensive perspective lets you run really powerful massive attack scenarios and all using open source technology is commodity hardware should the you can just say to your friends like i need a bunch of hardware year old shape and run it on their so really really. full stuff so you imagine pen testing massive targets with this we can really do this in an extremely effective manner right now so something like pen testing an entire freaking country with the awesome so if anybody wants the army to that deficit down. so i really think that the security implications of the of this or are broad so we can feasibly simulate a massive attack's new we can better study it in better prepare for it and see what exactly that's going to mean for for massive targets like an entire country so follow me on twitter dotslashpunk i'll answer all your questions. the thing almost anything at all. i definitely see see more about us and check out some more details on the presentation at the be divvied of you that hyperiongray dot com to help better check out our blog. now the us and says and they said everybody a monstrous to do when i say we write this and we write that it's usually tomas if it's not the mosque its mark which again is that guy right there next to a minimum girlfriend the secret project everybody involved that apache software foundation and all of you guys thanks a lot.