>>Hello
>>Hi
>>Welcome to this presentation, there was a few of you still filing in um but just sit down find a seat sit down be humble [chuckles] do what Kendrick Lamar says. So instead of having a normal boring like here’s our history basically our CV on a slide uh what we have instead is a more or less summary of of our lives but I’d like to read you the bio that we submitted for this talk because I think it’s one of the greater literary works of the 21st century. We were raised by computerized wolves with a penchant for fine art and rum-based cocktails while tik- technically from different mothers and also sides of the world we formed the first cyber wolf brothership hell bent to [inaudible] the state of targeted malware implants to support the ongoing war against the institutionalized mediocrity of the corporate shadow government working in tandem with dolphin researchers funded by the oligarch llamas we found a way to synthesize powdered ethanol into mechanical pony fuel. That’s it [applause] [coughs] So clearly we’re here to talk about some gun it’s made of meat it shoots bullets of malware but before we do that I’d like to just give you some background of the the reason this is here and the reason is that this is a tool for red team by red teamers to solve some of the headaches and problems that we have in our day to day operations because we wanted to be able to focus on the challenges that really matter and not all the really like annoying stuff like like reporting not being very good or having to go spin up a bunch of things so also if you’re asking do I mean pentesting?
No, no I do not I don’t mean to start a holy war here but it’s not a pentesting tool I don’t even think we do pentesting anymore it- it’s- it’s red teaming but this tool isn’t going to help you penetrate anything this isn’t a hacking tool that has a bunch of exploits in it this isn’t something that is going to like I don’t know penetrate a network in any way for you it’s um it’s a tool for red team. So fundamentally it’s a framework for creating, managing and interacting with stealth implants that support persistent adversarial operations you still need to have those implants you still need to be able to get them in the environment somehow it’s basically just a shell you know? Management portal. So um red team operating paradigm we th th- more background on what we do and how we do it so when we- when we do scopes we try and scope it so that it’s any systems, humans, processes, that are employed by the target we call this yoloscoping. We choose the targets for ourselves as a red team and we try most of the time pretty successfully to set the rules of the engagement for ourselves and we never time box it right? We- we set the amount of time we need as well and it’s it’s however long it takes because that’s how the adversaries work too and if we’re going to simulate something accurately, it’s however long it takes, not you have two weeks to hack us or else. Pfft. Also um sometimes we do steal stuff for real and because of that incident responders, they respond for real, they treat us like we’re real, and because of that we have to try really hard not to get caught, and we have to pull out any stops necessary. We try and read out our results to large audiences as well too not quite as large as this one but um it’s it’s it’s about trying to craft propaganda and craft a change for security to uplift things, right? It’s not- It’s not just about HA HA it’s hacked here’s your list of results so.
A bit of an origin story starting out basically, new job they say hey hack stuff also cause an impact also don’t get caught also do you have shell yet, wait, do you have shell yet, do you have shell yet? So after a few weeks of do you have shell yet? I’m just like fine, I’ll just go get some malware and that sounds easy enough and and I’ll craft a social engineering campaign and I’ll just get someone to run my malware except most of the decent malwares was for Windows and anything that was for OS X either didn’t have encrypted co- communications which is a no go when you have full network pcap it also maybe didn’t have like persistence mechanisms or the shell wasn’t even interactive. So write your own. My first malware dot jpg basically it’s just a python script that makes reverse SSH tunnels happen, pretty rudy- rudimentary tried to put some cool tricks in there like using Twitter to resolve C2s, random scheduling, things to try to thwart our blue team and it was obfuscated and there was a nice script to try and like generate it different so I was able to try and be adaptable.
And it worked good for like about a year maybe this this was a pretty effective piece of thing because when you custom write something it works good
>>This is my favorite gif by the way I think in the whole presentation
>>Second favorite [laughs] but this comes with some problems, first of all blue side, they don’t like getting wrecked by a python script um so naturally because it’s an adversarial game they start writing specific detections for red team and specific- specifically to detect the exact techniques that our malware deploys and because of this the attribution of the red team gets really good so our ability to do things like not tell them it’s us and have them believe that it’s not us goes down big time and suddenly we are getting attributed all over the place and we can’t be good boogeymen and plus we still have this thing that’s like mostly spaghetti code ‘cause I wrote it and I’m crap at that so we iterate new team members you say hey like one of the first things you’re gonna do, write some malware, and she writes a Java SSH full implementation, goes both ways, does pretty much the same thing but looks totally different and that works for a bit then we have to iterate again we a- get one that’s written completely in bash and we add some new tricks to it we’re just like yes this is great new malware, new tricks, we’re like DJ Khaled, we da besss bar-war-warr [sings] right?
It’s great except the status quo was that we ended up rewriting ou- our malware each time that we wanted something new and we had to stand up all our own C2 each time as well and we had to manage and configure it all as well this kind of sucks and we have to manage the keys and the certs and it took a lot of time and effort and this is prone to errors because of the time and effort we start messing up we accidentally reuse a C2 that gets us attributed that’s not what we want maybe things get us caught sometimes we- one time we accidentally connected to it from like the the internal corporate network now you see C- C2 and also red team laptop connecting to the same thing, yeah, owned, right? This was painful because their stuff is unreliable it’s impossible to maintain, it’s impossible to truly iterate on it, and it’s really hard to add features because again, spaghetti code,
>>Spaghet
>>So wouldn’t it be nice if you didn’t have to write things from scratch every time. Sorry [laughs] cutting new malware implants only took seconds, and you could pick the features you wanted for that implant and the C2 server infrastructure setup happened automagically for you and each sample was unique so when you take an MD5 of something you upload it into VirusTotal that means nothing and each C2 endpoint was unique, these are operational things that we want so bake them in right? And you didn’t have to manage the keys for those servers because you know that’s hard and wouldn’t it be nice if the malware was just super fugging awesome and each time you added new things to it it just got better because you actually had a system to iterate on it? So let’s imagine I- I want you all to reach under your seats, underneath there we’ve placed like on the Oprah Show, an imaginary thinking cap for you [laughter]
>>You’re not reaching under your seat
>>That guy!
Thank you I knew I could- I knew someone would do it, so we’ll put on our imagination hats and let’s imagine a world with better malware for red team operators like us where it- there’s a framework let’s imagine that we build it in a way so that we can build the features we need. So we have a core and the core we probably want to bolt on some modules to it maybe things like how to connect to network and this could be something like as simple as a network connection or as complex as Reddit posts or YouTube comments or Twitter things right?
>>It doesn’t necessarily only have to be one either you might have multiple different C2 methods
>>Right
>>And you can have all of those in the same malware implant and then swap between them or- or send fragmented packets across all of them.
>>Which would be really hard to do with spaghetti code. And then we can also have things like persistence modules because we want to run long term persistence ops. Bad guys already have this stuff just no one really shares it right? But we can do better simulations if we had this right? Maybe we wanna have like a dropper right? And we [laughter] the- the spoiler alert is I don’t think we have this yet but we’re- we’re building this for the best case scenario for the future to scale for like our own capability so maybe we want so that when a system is infected it takes little information like hardware IDs of that system, submits that to the server, and then the server says, here you go just in time compilation of your malware, it’s encrypted for your system so when you pull it off that system and you throw it in your automated sandbox [smacks lips] it doesn’t work
>>And even if blue team kind of know that you’re doing this you can randomize the metrics or the the IDs that you’re using on that system so they still have to put in some reversing if it- to work out you know what you’ve actually used that time
>>Yeah so we’re we’re we basically wanna be able to change our IOCs programmatically, right?
>>And then uh because you’ve got all of this in the one framework you can then start to do more advanced things like have threat profiles for a specific operation so maybe you know this time you want to spin off your C2 this way and you want to have it in on on this cloud provider and you wanna have um like this particular configuration for it well you can do that in the framework and you can start to simulate that with multiple operators all at the same time they don’t need to um manually do that it just happens automatically whenever you spin off that C2 and every yeah
>>So you can also probably do things like if you’re you’re a red team right? Part of what you’re saying that you’re doing is adversary simulation so this could give you the ability to say, okay I’m going to add a network module in and that network module is going to dictate how the traffic looks on the wire so even though you get to use your shell like whatever you could say let’s mimic this threat actor based on a pcap get it in and get that type of traffic
>>Yeah you can look at the the frequency of uh uh packets you can look at the average size of packets and you can look at the average length of connection and then you can use those types of connections in the network, split your data across multiple ones of those so when the blue team is looking for data being exfilled it’s not being exfilled over one connection but multiple connections that all look like common traffic on that- that system.
>>So let’s keep imagining alright? It’s nice that if we’re gonna have more things we’re gonna have more things that we want to Cronenberg all together and we don’t wanna have to rewrite all these different components so let’s just let that be anything else and also we should probably write it in Golang right?
>>That’s sexy these days
>>Go- Golang is sexy right? Yeah
>>Who likes Golang?
>>And this all has to work together and it needs to come together as like a singular atomic unit like the things that make up our bodies and our ever expanding universe and it should probably adapt to any situation like MacGyver like work on different OSes do things like that it doesn’t need to be tied to a certain thing and it should be designed eloquently
>>Yeah, like Taylor
>>Like Tay tay [chuckles] This guy loves Taylor Swift like for real [applause] like
>>Cool so yeah that’s what we built
>>Well, the beginnings
>>So let’s have a look
>>[laughs] No it’s done
>>So, So we start with the core that you kind of saw before we need everything to- to kind of be oriented around this so you- we can bolt the functionality into a common- common uh yeah a a centerpoint. It’s essentially a microkernel so you’re managing execution flow between all the different modules and and whatever their functionality might be as well as passing data between them and then saving that and returning it to the C2 network. So the core is gonna be in a specific language uh right now our first core is written in Golang and you can attach Golang modules on to this uh and the- the core determines what platforms it can run on so in this case Golang is trivially cross platform so you can run on uh Mac, Linux, and in- on Windows. So when you want to execute some part of that module functionality how does the core manage to do that? Well it uses two specific things uh to manage execution flow one is an event loop where modules can register themselves to handle specific events uh and it’s it’s if you’ve done any OS programming it’s very similar to like a standard OS event um when that gets signaled by any module it will then trigger the the module which is going to handle that functionality. And we have a scheduler loop maybe you wanna have some code that’s going to execute every hour, every day, or every week, uh well in this case the core will handle that for you as well.
So if we look at an example of a module the C2 module is going to start with because every core needs to have a C2 module in order to connect back to meatpistol. So this is our C2 module its job is to without the core needing to understand how it does it connect and disconnect from the meatpistol network and provide a method for the modules to communicate data or transfer data back to the C2 network for the operators to use. So how does the core know how to use that? Well once again it comes back to the core knows that if it triggers a C2 connect event that the C2 module will do whatever it needs to do and then report back on whether it succeeded or not. So in this particular example C2 connect and disconnect. Alright. But a malware implant that only has a C2 connection is not very exciting so why don’t we add some persistence to it or why don’t we add some file capabilities to be able to put files on that system, grab files off that system, download files from the internet, then we perhaps we are doing a whole bunch of common activities every single time we compromise the system to exfil Chrome cookies or you know to see a password or whatever it is you do when you get on that system why not wrap that up into a single command that can be executed on demand? And then of course we need shells, so we need an exec module and then you can start to think of a whole range of other modules that you might be able to use with the framework for example you might have a module that regularly detects um if- if anything is being scanned on that system if- if there’s responders looking for that malware so you can clean up and get off. And you can see- I mean with all of these different kinds of functionality meatpistol gives you an opportunity to pick and choose the things that you want for each implant.
Not just across the entire operation but for every target system that you drop it on you can customize this it’s like a malware buffet
>>Sounds delicious mmm [smacks lips] [audience laughter]
>>So how does everything communicate? [laughter]
>>Do that again
>>We’ve spoken about how it internally communicates but how does it externally communicate with the C2 network? Well we’ve implemented uh like client to client uni-directional data transfer which kinda sounds like half a TCP connection [laughter] so I mean that’s some impressive control flow there but uh [laughter] you know. Alright but we need this to be persistent as well because our operators are connecting to the the master C2 and the implants are connecting to the master C2 but they’re not necessarily online at the same time or the implant might come and go as it- as it pleases so we have to persist the data there so that whenever they’re both online they can get what they need. And plus at the end of the operation you wanna have a record of all the things that you have done on that target system for analysis for next time, for
>>For reporting! [laughter]
>>For reporting, or cleaning up. Alright so here’s our- here’s our persistent storage and we also wanted to achieve the greatest level of hacking excellence ever displayed [laughter]
>>Finally the dream is reality [chuckles]
>>I know a lot of us haven’t quite got there yet but uh we- we strive for it every day to have hackers that can have two hackers on one keyboard [laughter]
>>It’s real guys
>>Yeah. So with having many readers and many writers on these channels, you could have two operators on different laptops in different parts of the world operating on the same shell in the same system at the same time.
>>So this is actually really useful because you used to be like in your shell, in your session, or whatever, using whatever tool you’re using but you want someone else to be like hey jump in my shell and like ride along with me, maybe they’re a new person, maybe they’re more senior and you need their help so now you can have someone just like in the framework jump into your session with you and they can type or takeover but you can both see it so we used to accomplish this by like setting up shared screen sessions that we’d all jump into at the same time but
>>And importantly uh even if you sp- uh spawn multiple shells on the meatpistol framework it’s not spinning up new connections it’s all multiplexing all of that data across the one connection so you can control how that occurs, so if you have C2 and you want to fragment that data up it’s fine you don’t have to like open up new connections that uh blue team can see. And to achieve that we needed to introduce some additional blocking semantics which uh yeah uh allow you to to block at the end until the the whole channel is closed which gives you an interface that looks a little bit like this. The important thing in meatpistol is to push all the complexity not at the not at the module level where you wanna write as many modules as you want and you you want them to be simple and easy to implement, you wanna push all that to the service side. So the module just sees something that it can read from it can write to it can attach and detach which is similar to a normal file open and close and then a close which essentially says there are no more writes ever going to occur on this channel, so if you read to the end it will return the EOF finally instead of blocking. So that’s how one client to client communication works, how does the whole meatpistol network look?
Um well this pretty much sums it up it’s not too complicated, there’s two important things that I would like to point out here, one, it’s a red team, it’s not a red person, so we have multiple operators all connecting to the master C2. And they’re operating in the same state, with the same implants, at the same time. And then the second part is the infected hosts you see down on the right hand side are all your implants but they’re not connecting directly back to the master C2 because this is obviously trivial to attribute instead we have a proxy C2 layer in the middle which you know it it could be a a simple dumb transparent proxy which just forwards packets straight through to the master C2 or maybe it’s a more intelligent C2 that will take fragmented packets and then decode them or whatever and then pass that data back.
>>This this design, this model is for OpSec for teams that have to operate internally, right? Because you have all these strange things where like the real adversaries they don’t have this problem, this is- this is a design paradigm for red teams because you might be internal to your company right? You might work somewhere or be on site. You want it so that no one ever sees you talking to the same thing as the infected hosts talk to.
>>Makes sense
>>Yeah makes sense, right? I see a lot of nods so
>>Cool, okay, well, what does it actually look like?
>>Oh S**t, okay we’re um we’re gonna switch to mirror mode and not have any speaker notes or anything for the rest of the talk, you guys are okay with that [chuckles] we’re we’ll be fine
>>This is fun [pops mouth][sings under breath]
>>Um alright, I’m in, I’m in [inaudible]
>>Is it good? Alright [inaudible]
>>Is that visible?
>>Can you guys see that? Want it a bit bigger [inaudible off-mic comment] Oh rea- I’ll spoil the end [laughter] Alright oh!
Re-
>>Wahhh
>>Sorry I’m gonna have to quit and restart I need a Taylor quote, there we go
>>Okay [laughter]
>>So we’ve just gotten into meatpistol we’ve connected to the server if- if you had connected to this Fuzzy, what’s- what’s the first thing that you kind of would wanna do?
>>Well you know we set out to do years ago was like let’s make a thing that lets us build malware
>>Cool
>>Without being a headache so maybe we build some malware? Let’s make some mother f**king malware
>>Alright
>>Oh I got that right.
>>So we’re gonna create a new blueprint we’re gonna call it Taytay because I think that’s been very well established by now [laughter] A blueprint is uh a set of configurations for a specific implant. You can create multiple blueprints at the start of an operation and it’s- you can save that for later, you don’t have to keep building the same types of implants over and over again by reconfiguring them every time. So first of all to build some malware we need to create some modules, so we need to add modules to the blueprint. We only have four at the moment but they- they implement what we need so let’s add all of those to our blueprint. [mouse clicking]
>>Na, na, na, na, na, na no- you know we co- how we could do this faster if we could both type on the same keyboard [laughter]
>>I know right, we need meatpistol for our meatpistol. Alright so now we have a look at the options that we can configure based on the modules that we’ve added. Fairly standard fare here uh you can set your C2 host and port because the C2 module that we’ve added is a gRPC, standard TLS authentication, etcetera, etcetera, etcetera. Some of the other options there you might not be familiar with. Darken is a custom Golang or post compilation obfuscator um which we’ll go through and strip out-
>>It’s a, it’s a regex
>>It’s pretty much
>>Sorry, it just regexes stuff out of the binary but with ra- random bytes.
>>And then the uh the packer yeah there’s nothing fancy happening there either, it’s just all different options that you can set. Importantly here because it’s in Golang at the moment, you can set the OS and the architecture and it will compile for whatever you want just by changing a string like yeah, I love Golang
>>That’s cool
>>Yeah so we’re gonna set debug to true so that you can see the output in the demo. Uh and now we need to spin up a C2 for this. Now what we could do is we could say spin up. Meatproxy is an alias for an image identifier so and- think of any instance online, think of, an image that you’ve created, you can alias that instead of having like the i dash blah blah blah blah blah Couple of seconds later we have our C2 ready to rock n’ roll that’s what you need to do no logging in and having to two factor through Amazon and then find out you’re in the wrong region or you know whatever um cloud provider you’re using.
>>Cue this IP address getting like DoS’d off the Internet so [chuckles]
>>But I mean eve- even that would get a bit tiresome having to spin up your own C2 every single time like if you’re gonna automate things why not go the whole way? So let’s set our C2 host and C2 port to be auto. And now let’s build it.
So in the background
>>I was gonna- I was just going to comment on the names like you wrote this thing so it instead of having like terrible like UIDs for everything it just creates these crazy things and one time it created a a really useful malware implant for us and it was called Cottage Wife it was really [chuckles] [audience laughs] It was with us for a long time, cooked us bread [laughter continues]
>>So yeah as you can see now it’s finished it’s- it’s got the C2 it’s automatically spun that up and configured the malware to use it um I know some people in the audience are probably downloading this right now but don’t bother uh it’s not that exciting um alright woop [mouse clicks] but I mean you still have to build every single time you have one piece of malware. Wouldn’t it be cool if you could just like build more of them. And in the meantime we’ll download the first one that we just created. Now you can get this on the system anywhere that you want. Uh if you’re red teaming the whole point of meatpistol is not to compromise the system it’s to manage post compromise of the system so
>>I told you it wasn’t a penetration tool
>>Yeah. And you- so you can see the first build of the malware has come back here as well. Just gives you the link and the C2 that it spun out for you. So the- this is good if you wanna do something like a USB drop you wanna se- uh set 10 USBs or whatever, copy all that across and then you’re good to go you don’t have to like sit there building all of them. [mouse clicking] Alright, so then we run the implant, we get the connect back. And you can notice it’s coming from the C2 that was automatically spun up. So now let’s have a look at the implants we’ve got. We can see we’ve got one connection from 9 seconds ago, AptlyBasil. So we can select that implant and now we can start to do things with it uh this is similar to like a um what- I mean yeah- you can pretty much do things with it.
So the first thing you might wanna do is maybe pop a shell and so now we have a shell now this is not just- it’s not a dumb shell you can you can do pretty much anything you want so if you want to go into vim you can go into vim I’m in vim.
>>The test for this guy’s interview was write me a shell that’s actually fully interactive. In a day. No. It’s probably important to note that the things that you can do right now is dictated by what modules you chose earlier. Also we have tab complete I know like any tool if you don’t have tab complete it’s like garbage right like it’s the- the metric that everything is judged by
>>And we’ve got history. And then you exit out and you’re back in the framework again. So at this point you might even be like oh yeah that’s great well that’s a shell like I can literally do that in every single tool that I’ve ever had before. Well we also have this. So remember how I said that all channels are persistent? All channels are persistent and that shell session, every read and every write is recorded, with a timestamp so that you could literally asciinema your entire session on that box. If we wanted to view what happened in that session sorry there’s a little bit of a- there we go. And we have the full session that we just showed you, but saved.
>>That’s not useful at all right? ‘Cause no one here ever forgets to like start their terminal logging or you know take a screenshot or anything like that, right? No
>>And you could also do analysis on that at the end of the operation if you wanna do like smart detection of like certs or or keys or anything in your ce- uh shell sessions you can do that at the server level without the operator having to- to manually do that.
Uh you might also want to you know tell the implant to sleep for a little while maybe you- yeah if you- if you’re gonna do this manually it’s not quite as useful but what you can do is automate this process so if you can say I wanna have a shell herder which will- within 3 hours I can have one implant in this particular environment and then the framework could sleep all the other implants for you so you’re having minimal connection back to the C2 until you need something and then you’ll trigger it and it’ll wake up for you.
>>I know sleep might sound boring, but imagine you wanna go home for the weekend or the night, right? You’re not working anymore, it’s off business hours, you don’t want any network traffic going to and from the systems because that’s really anomalous right? So sleep sleep’s actually useful. Go on
>>So I mean there’s a whole bunch of all the commands that you can do here um but we’ll we’ll leave that up to to people to kind of explore.
>>That’s meatpistol basically
>>That’s meatpistol
>>yeah, so, uhh [applause] Oh [applause] Hmmm Surely our presentation’s somewhere [chuckles] there it is. Cool. Okay so one thing you should know like I mean this was and still is very much alpha as fug
>>You know
>>And I mean that’s just how it is so but the thing is we’ve used this on a number of operations now and it’s solved a real problem for us malware implant creation with like janky scripts that we were writing it used to take days because you had to test it you had to figure it out and you had to try and develop something to- to manage this and it didn’t scale from one thing to another you had to constantly redo all of this stuff. Now it takes seconds for us.
>>And the important thing as well is in a- in a red team operation you want the experience for the red team operator to be the same every single time so they can get used to the workflow but you want your actual method of operation to be totally different from the forensics side.
So with a framework like this you can have a a- very familiar face for the red team operators while changing modules or changing how they’re configured for example like different C2 or whatever it might be to have a very different experience on the blue team side when they’re looking at the malware you’re dropping and how it’s communicating. [sighs] Yeah so once you get locked into a serious malware collection the tendency is to try and push it as far as you can.
>>Yeah so about a week ago maybe less than a week ago um
>>It was like four days
>>My like house got turned in like a weird scene from Silicon Valley there was like 3 people sitting on my couch and like contributing because John had a bright idea he’s like maybe we can get someone to see if they could like write a new core in a different language so, why do we have a Python core?
>>Yeah, well yeah, it’s- it’s- it’s- one thing to kind of write something for your own internal use, getting people to be able to use that and understand how it works is an entirely different thing. So we thought it would be cool to to throw it out there as a challenge to some students to say hey you know write a Python core for this before our talk in 4 days uh so a big shout out to Glen and Shawn, are you guys here right now? Yeah
>>It’s their first Def Con yay!
>>It’s their first Def Con [applause]
>>Gettin’ shout outs on their first Def Con
>>And in four days time uh after being bribed with uh an a lunch in West Oakland
>>Fancy!
>>And uh yeah they they managed to get a Python core up and running and working with a- with a shell module and everything so kudos.
>>Cool. So. What’s the best way to increase this? Right?
Um Obviously like the more you get the more capability we get to do different things, to simulate different stuff uh the idea would be to share it or not which uh sharing it was our intent um I messed up a little bit we
>>WE
>>messed up a little bit
>>we messed up a little bit
>>Uh I didn’t realize there was a um an approval process in order to open source things and I just didn’t do that like I was told about it like today and um so [sighs] uh we- we can’t. But um we’ll- we’ll go- get back
>>We’ll come back to that
>>We’ll probably. Don’t worry. Um I’m gonna do whatever I have to do to to make this thing reality
>>We, we
>>We will
>>We will [laughter]
>>So you’re probably wondering about the name. So of course any good tool has like a you know a backronymed name um and it needs to it needs to be self referential I think that’s what recursion is right? Is that recursion?
>>Yeah, yeah
>>What is tranal?
>>So we were thinking meatpistol maybe like we’re throwing this around some idea meatpistol enthralls angry tyrants proposing intimate sexy-times teasing oligarch llamas but then we also thought maybe marginally erect alpacas tactically pursuing international slave trading oligarch llamas would be a good one too [laughter] but but then we thought you know maybe it’s just a modular embedded adversary tooling platform
>>Yeah no- nobody cares
>>Yeah [laughter] the point is we called it meatpistol because we can and also I mean like maybe you got you picked up on that [laughter][applause] It’s- it’s an homage to an awesome tool, right? And we had to call our thing something.
So it's natural for people to want to compare this tool with other tools, because we understand there is a lot of really cool stuff in the ecosystem of offensive tooling that you can use, and we get that question a lot. I mean, we've been socializing this with other red teams in the industry to see what we should work on, should we develop it, and most of the first few questions are comparison-type questions, so we'll just address a few of those before we have to answer them a million times offline. People ask us how it's different from Metasploit, right? I don't want to start a holy war again, so if you disagree with me right now just sit down, be humble for a moment, don't throw anything, and we can talk about it later, but I think Metasploit is a tool that is inherently, fundamentally designed to be an exploit database where you can pair an exploit with a payload and then have whatever auxiliary modules you want, right? To weaponize things, to penetrate, to actually be a pentesting tool. It's definitely grown into much more than that, but we have no intention of being an exploit database. People also ask, is this the same as Cobalt Strike? And I mean no, it's obviously a different tool, but Cobalt Strike I see as something that really helps you simulate adversarial scenarios, right? You can do spear phishing, you can do pivots, you can visualize the network, it's really really cool, but it's visualization, it's automation; ours is just "give me malware." Also they're like, did you hear about Empire? And I was like yeah, and then I was checking it out, and as I'm looking through the modules in Empire I see that one of the post-exploitation modules is giving me credit, and I'm like what the s**t, so I was super flattered and flabbergasted by that. But it's a really cool tool; it's a post-exploitation agent, I believe that's what it says on the GitHub page.
Ours is: make me malware, manage C2, manage infrastructure. And then actually the Def Con CFP panel asked us this. They're like, they just dumped Fuzzbunch, does that make your tool irrelevant? And I was like, s**t, does it make our tool irrelevant? And so I went and looked up the Fuzzbunch stuff and I was like, pfft, this is all Windows stuff, and they're like, it's a really cool bag of tricks, but it is in no way something that's gonna help our team run operations. Perfect. So meatpistol: not an exploit database, not click-to-win automation, not a post-exploitation agent, not a bag of cool tricks; it's obviously a meat cannon that shoots out malware implants. No. Meatpistol is a framework for red teams to create better implants over time and to manage them in a more professional and less ad hoc, crazy way. It's an efficiency tool, because we want to be the best red team we can be and we think efficiency is the way to do it. It's also multi-user implant management, an interaction portal, a single place to do everything: make your stuff and interact with it. It's also an offensive infrastructure automation tool; I think that's one of the ways it started. >>It's trying to strike that nice balance between having that commodity malware and that custom malware, because nobody has time for custom malware every time >>So the point is meatpistol is something that has saved us a lot of time and pain. And now it could be yours in the near future, but while we can't open source it today, we do have some t-shirts that are pretty cool >>Yeah >>So there's a bit of a challenge here. If you can figure it out, you can have a meatpistol t-shirt. So thank you, that's our talk. >>Woo! [applause]
