>>So, like the title suggests, we're going to be exploiting some C&C servers today, or at least exploiting some C&C toolkits. Before I get right into that, though, these are, at least to the best of my knowledge, new exploits, and at the end of this I will be releasing the Metasploit modules for these exploits. Before I get there, though, I don't want the focus to be so much about these exploits. I mean, I think they're cool, the remote code execution, but the takeaway should be: if you're a vulnerability researcher, this field of looking at C&C servers for exploits is a ripe field. There's low-hanging fruit everywhere, and I really don't feel like a lot of researchers are looking at it, or if they're looking at it, they're using it just for themselves and not really sharing. So the key takeaway is that this is a really interesting field, and I highly recommend anybody who's into vulnerability research jump into it. So, before I get started on the exploits, I'm going to do a little bit of background. I'm going to talk about some legal stuff, but then we'll get into the exploits. So, a little background on me. I've been in the computer security community for over 10 years. I currently work at Symantec as a threat researcher; before that I worked for the DoD doing CNE, CNO, CNA. And I've done some time in the trenches as well. I was an IT administrator before that, so I know what it's like down in the field. I feel like I have a good, well-rounded understanding of this particular area. With all that being said, the disclaimer should come as no surprise to anybody. Everything I'm about to say up here does not represent the opinions of, or my opinions do not represent the views of, my current or former employers. Let me make that clear. What I'm going to discuss is probably illegal, so what you do with it is up to you.
If you do cool stuff with it I would love to hear about it, but what you do is at your own risk. Cool? We've got that covered. Alright, so, I'm going to talk about what really led me into this field, and that's one thing that bothers me about the security community, that is, the security defense industry: there's this defeatist attitude out there, right? Like no matter how hard we try we're going to lose. If you went into a basketball game with that kind of attitude, it's not going to work, but somehow we expect that that's OK for the security community. Right, like I hear this "sophisticated actor" term passed around all the time as if it's some kind of excuse for why a company got hacked, and I don't really understand what they're trying to convey by using that term. If I try to picture that conversation with the C-levels when you're trying to explain what just happened: "Uh, sir, we've been hacked." "What? But how did they get in?!" "Oh, well, they were sophisticated." [laughter] "Uh, how do you know they were sophisticated?" "Well, they were wearing a monocle, so they're clearly a sophisticated actor." [laughter] You know, what does sophisticated mean in this context? Whatever it means, I don't think it means what they're even trying to convey it means, right. I think they're trying to convey that this attacker was so far beyond what defenders can do that we just can't win. And so that's what I set out with this to say. I was like, well, I'm going to take a look at the tools that these sophisticated actors are using, and let's just see if they're vulnerable to attacks, if somebody was to attack them back. And so that's where I went with this. Now, hacking back has been a very hot topic over the years, right.
Five years ago at Black Hat they did an anonymous survey asking people if they had participated in hacking back in some form, and anonymously, over a third of the people surveyed admitted to it. A lot of times when a company is hacked they want justice. They want revenge. They want that person to pay for what they've done. So they go to law enforcement, and law enforcement has their hands tied, or can't do anything, or has no recourse: "Sorry, we can't do anything about this." And so companies kind of feel obligated to take this on themselves: "I'm just going to do it myself." Add to that this new draft bill that Senator Tom Graves out of Georgia is preparing to present. It's called the Active Cyber Defense Certainty Act, the ACDC Act. I love the acronym. [laughs] But it's basically a bill that will allow those who have been hacked to be exempt from hacking laws when their aim is to attack their assailant. So this is kind of an interesting idea, if this draft makes it through Congress. However, generally, first thought, this is a very, very bad idea, right. This is a game you're not going to win in the end. As a corporation, first off, it's probably illegal, and even if that's made legal it's still very iffy. You've got to take into account all the lost productivity while you send your best guys, rather than defending your network, to go attack. Not to mention the reliability. What if they attack the wrong server, or the attacks came from some other company, and that company realizes they've been attacked by you, so they hack back at you? Right, this escalation game. It's like the WarGames movie where all these guys are hacking everybody else because of one little guy. So I felt like the AI's conclusion from that movie applies very well to this: it's probably the best strategy not to play this game at all.
That being said, I do see a very useful, or a very niche, area where hacking back would be a good thing, and it wouldn't be a good thing in terms of revenge or taking the guys out. You see, I work as a security researcher as my day job, so I track targeted attacks. I try to figure out who's behind this type of attack, and if I can figure out who the person is that's behind the attack, what files they stole, who else they're targeting... This kind of information, if I was to hack back and sit on their machine and observe, is great for defenders, because then I can tell you these are the other tools they use, these are the industries they're targeting, these are the files they want. It's very useful in that sense, not so much in the sense of just striking back to get revenge. And to be honest, to be fair to the ACDC Act, that's actually the verbiage it's trying to convey. The act itself clearly says you cannot attack back for the purposes of causing physical or financial injury or to try to destroy data or machines. You basically can't just try to break their machine, which is a good idea anyway, because if you break their machine they're probably just going to show up somewhere else. But instead, the act says you can attack back for these purposes: to establish attribution of the criminal activity and to monitor the behavior of an attacker. Also in the bill it says you must share with law enforcement that you plan to do this attack and how you plan to do it; you've got to give them some details beforehand. Anyways, I don't plan to spend forever talking about legal stuff, and I know that's not why you came here either.
So I'll end my rants now, but I just want to convey that what I'm about to discuss could, in the very near future, be legal, so these are potential tools. It could be legal, and this is just showing it could be very plausible. So, before I get into some things, I want to make sure we've got terminology clear. In some circles I've seen the client and server names for RATs reversed, and that really bothers me. So the person who has the implant or the malware running is going to be the victim, or, I'm going to call him the target. I'm going to try to avoid "victim," and I'm going to try to avoid "client," just because that one gets some people confused. And the reason I'm avoiding "victim" is because the attacker in the original scenario is going to be our victim. So, attacker and victim are probably terms I'm going to try to stay away from. And I'm introducing a new one: the person that is attacking back I will call the retaliator. I really like that term because the dictionary definition is "one who returns assaults in kind," and we're going to be hitting them with their own medicine here, so I felt like retaliator is the right name for this. A little while ago one of my colleagues took all the recent APT reports, the sophisticated actor reports, and summed them up into the most popular tools, the most referenced tools out of those papers, and he posted this on his Twitter feed. I saw this list and I was like, huh, that is my shopping list. I'm going to start at the top and just start working my way down finding an exploit in each. And so, if you will notice, the top one is Poison Ivy, and if any of you recall or are aware, there is already an exploit out there for Poison Ivy. The two individuals at the bottom of this slide developed that. I'm not going to try to pronounce their names because I would not do well.
They developed a remote execution vulnerability against the Poison Ivy C2 server, and interestingly enough, after the Mandiant APT1 report, the Malware.lu guys noticed the APT1 group was using the Poison Ivy server, so they used this exploit to hack back into their infrastructure. They documented the whole thing and published it, and this is one of the rare cases we have of somebody doing a hack back for attribution or for monitoring purposes, and it really shows how successful it can be. This picture, the farthest picture on the right, is a diagram they show trying to show us how the attackers had their infrastructure set up, how they had some VMs and some proxies to try to protect things. They also were able to pull back some additional tools the attackers were using, and they exposed them publicly. It's a very insightful paper. They called it "APT1: Technical Backstage." It came out, I believe, in 2013; it's been around for a little while now. It's a really good read, but I think it's one of the rare cases where we can see how useful this type of activity is. Another one on that list is DarkComet. It also has public exploits. This is a blind file retrieval by these individuals. I didn't find any public documentation of anybody using this publicly, but I figured I would mention it just for a complete list. And with that, we're going to start playing with our new stuff. So I know I told you I started at the top of the list and worked my way down, but when I present them I'm going to work from the bottom up, because I feel like it's least interesting to most interesting in that order. So, fourth on the list, or the last one I looked at, is called Xtreme RAT. Who's familiar with Xtreme RAT? Have seen it, have run into it? OK, yeah, it's not the most common APT toolkit.
I wouldn't even really consider it an APT toolkit. It was actually a commercial product. This image here is of the C&C server component. I've got one victim, and that drop-down list comes with the features that the attacker can do to that victim. This tool was sold out there on the markets, and at some point the source code was leaked and the author just kind of quit selling it. So it's still out there. The source code's leaked out there, and there are a lot of variants that now base themselves off that source code. Its features are very script-kiddie-ish. Like, you can tell it targets script kiddie level, wannabe hackers. In fact, one of the features it has is that you can play Flash games in the app while you're waiting for someone to click on your malware. [laughter] If you're not very good, at least you can play some Candy Crush or Jewel Quest game while you wait, because your phishing email sucks. But despite this, it's actually been cited in numerous articles as part of targeted attacks. So even sophisticated actors like using this tool. It's been cited in attacks against the Israeli government, in conflicts in Syria, and the Gaza Strip. So kind of hotbed areas do get hit with this guy. And the easiest way to identify this inside a network is its C2 communications. Most of the targets we've seen, it calls home one of two ways: raw TCP or a fake HTTP message. The raw TCP always starts out with the string "myversion|" and then the version: 3.6, 3.7, 3.8, those are the most common. And a C2 server always responds with a character X followed by a line feed and carriage return. It's super signature-able, right, a Snort signature already exists and such. It's very easy to watch for that.
Alternatively, if it does HTTP requests, they'll always take the form of a GET request for /<some number>.functions, and that number is the password that the script kiddie uses when they first run the app, and the app makes sure that the password is up to 10 characters. It can't be longer than 10, and they all have to be numeric. So looking for any URL requests for, you know, one to ten numeric characters followed by ".functions" is going to hit on this, and almost exclusively hit on this. I really doubt there's legitimate traffic going to that URL pattern. And so, this guy, like I said, there's source code out there. It was Delphi, and I really don't like to read Delphi, so I just kind of started reviewing some of the basic C2 comms. I had myself a victim, and I would do all the maneuvers to the victim and watch the C2 traffic go back and forth, and one thing I noticed that struck my eye was how the C2 server pushes a file down to its victim. What it will do is send a message to the target and say, hey, get ready to receive my file tool\bad.exe and save it to your C:\temp as calc.exe, and then the target will respond back, OK, I'm ready to receive your tool named tool\bad.exe, and then the data's passed to the victim. And that made me think: why does the victim need to know at all where that file is stored on the server's hard drive? And I was like, well, maybe it does that because the server doesn't want to keep state. It doesn't want to keep in its memory that it made this request, because all the data it really needs is in the response from the victim. So it turns out that the first packet isn't even necessary. As a victim I can go to the Xtreme server and say, hey, I'm ready to receive your file C:\whatever, and if that file exists, it gladly hands it to me. [laughing] >>Woo! [clapping] >>Yeah, it's kind of a blatant basic mistake, but what can I do with this?
Unfortunately, I can't do a directory listing, so I have to know the file exists. I could brute-force all the files, but there are better ideas than that. I didn't make these ideas up; this is from the link at the bottom. Blind file retrieval is often a case pentesters get into, so they've thought about this a bit, and these are some things they suggest pulling back. The first one is the win.ini file, because on any version of Windows that file exists, so it's like a sanity check. If you can pull that file back, we're good. More so, if you can pull that file back you might be able to tell what version of Windows they have. If you know what version of Windows they have, you know the path to the event logs, so we can start pulling event logs, and in the event logs there's usually a lot of good data. If applications crash, you know the path to the application. If a program the user runs crashes, you may know the username. So now, if we know the username, we can start pulling files out of the user's home subdirectories, like the desktop.ini, because that will tell us all the folders or files a person has on their desktop, and we keep iterating through their computer finding out things like that. If the attacker is running this program as administrator, then we can always pull the backup of the SAM database, and then we get their usernames and passwords. Maybe we could pull the backup of the registry, because the registry's going to have a whole lot of great information, and more things we can pull from their machine. These are just some ideas of the things you can do with that bug. And with that, I'm going to move on to the next one. This one, PlugX, Korplug, or Destory. It's called Destory because somebody misspelled "destroy" in the source code. But this is a more common tool. It's been around since 2008.
The back window is the main C&C component, and the front window is the pop-up that you get per victim, and each tab is a set of features you can choose to do to a victim. This one is a little bit more, I don't know what to say, professional, I don't know, but it's a little bit more tailored. I can tell the source code is passed around between groups. I see different variants of this out there, but the biggest changes I see in the variants are just the GUI and not so much the functions underneath. It's like every new hacker likes to throw their own GUI on there, put their own QQ ID on there, and claim that they wrote this, but it's all the same stuff under the hood. Some of the cool features I've noticed, though: it has features for interacting with SQL databases, for directly editing the registry, for capturing packets or doing network monitoring. So it's a pretty feature-rich app, and it's been cited in a lot of targeted attacks. Most recently was one in February, the one that says "oops, they did it again." Yeah, this tool has been around for quite some time. I can start naming places it's been used against: Afghanistan, India, Mongolia, Tajikistan, Japan, Taiwan, Korea, Tibetan organizations, and it just goes and goes and goes. This thing has been around for quite some time. This one I could not get hold of the source code for, so I was going to rely on dynamic analysis and fuzzing, and so I was building a fuzzer to try to fuzz the protocol, how the victim talks to the C2 server, and when I got my fuzzer up and running, this thing would fall over left and right. I had a hard enough time keeping the program running, and the list of bugs and vulnerabilities and potential crashes that could be turned into exploits was so high that I kind of got overwhelmed with the fuzzing and decided to just go look at static analysis.
And so I was looking at the code, and one of the first areas I was looking at was, when you receive a message from the victim, how does it handle it? And they handle it all right. When it receives a message from the victim, each message, or packet as they call it, has a little header that's XOR-encoded with its own little made-up XOR scheme, and so they decode the message header, and then they check that the message is small enough to fit in the stack buffer that they prepared for it. Right, that's a good security trick. That 0xF001, so it has to be smaller than 61K, which is a rather large message. If it doesn't fit, then it shows a pop-up message. However, this code to check that the message will fit on the stack is down here in this decode packet function. I can't see my mouse. It's on line 36, but you'll see up on line 29 it copies the packet to the stack, and then later it decides maybe I should have checked if it was going to fit. [laughter] And so, because it's on the stack, right, we can overwrite the return address. But the return address isn't hit until this function leaves, which means if I overflow this buffer I'm going to get control as soon as this function finishes, but before the function finishes it pops up this pop-up message that very clearly tells the attacker what just happened. Right, "PE decode packet," come on. Don't you understand? You just got exploited, buddy. And the funny thing is, no matter what they do, if they click the X or they click OK, it doesn't matter, because I get code flow either way. They just have to acknowledge this in some sort of way. Now, that's not cool, I agree. But it turns out that this message is like the de facto error. In fact, if you nmap a PlugX server, it will show this message. It's like an "I don't know what happened" message, is really what this message is trying to say. And so for this one I have a demo.
Real quick. I see my mouse. The right half of the screen is going to represent the attacker's computer, and the left half of the screen represents the retaliator's computer. I'm going to start up the PlugX server, and then I will just point my exploit script at it. So I'll start up my PlugX exploit script. Because it's a VM I already know the IP address, so I'm just going to type in the IP address and set the attack at that. We'll talk more about how to find out who to target later. Now, I'm going to pause this real quick and have it aside. One of those papers, or the articles that I mentioned, was a talk from Black Hat known as "I Know You Want to Unplug Me," where they talked about the PlugX RAT and... that's not what I wanted to do. Alright, I'll just start this up while I talk some more. And they talked about the different variants they observed. In their terms, they observed three types. Basically they used three different XOR schemes that they changed, and so I've written my module to be able to handle each type, but I can't know ahead of time what type you're targeting. So basically you will run the check command, and if it's not the right type, we'll change the type and then run the check command again until you validate that you've got the right type. So you see PlugX type 1, type 1 old, and type 2. So I run the check command. The check command says, yep, you're good. So we'll hit exploit, and it will pass the attack against the server. There you see the pop-up message over there. The attacker, or the victim now, is like, what the heck, and hits X. And you see my Meterpreter session is spinning up. I'm going to do a quick sysinfo, spawn a shell, and then pop Notepad, visually. There it is. [applause] Alright, on to the last one. Gh0st RAT. How many of you have seen or heard of Gh0st RAT before? Yeah, yeah, I like that many hands.
That's exactly what this guy is. It is the one that's been around forever, at least 10 years. It was originally written by a group that called themselves the C. Rufus Security Team, also known as the Red Wolf Security Team. It's most often cited in attacks that come out of the Asia region. This image is of the C2 toolkit, and again, you right-click on a victim and there's your feature set. Kind of a typical feature set, nothing fancy. This is almost, in my opinion, the measuring stick for RATs. They should at least be able to do what Gh0st RAT can do. And Gh0st RAT has been cited in so many articles. So many articles. These are just a few that I could fit on the screen there. Most recent is the one down on the bottom left, which was just this year: Gh0st RAT was being spread with EternalBlue. So it's still very popular. I think the oldest one on there, I can't find the dates, but it's been around for at least 10 years. And again, it is very easy to identify based on its pcap, based on its traffic. It has a signature 5-byte "Gh0st" pattern, the first 5 characters in each packet message from the victim to the C2 server or from the C2 server back to the victim. Now, the source code for Gh0st RAT has been leaked online, and many people, or many attackers, know that "Gh0st" is a big red flag, so they'll try to change it to something else. That second image is from a talk Snorre gave, where these are different 5-byte strings he's seen it changed to. They usually only change the 5 bytes, just because that's easiest, and if you change it to something longer it requires a lot of other changes in the code. But even still, it's very easy to identify this, no matter what those 5 bytes are, because it's always followed by another pattern of two integers and then a compressed buffer.
So it's still very easy to identify no matter what the byte pattern is. And like Xtreme RAT, it had a very similar logic bug, but this one is the other way around. When it's requesting a file from its victim, it will tell the victim, hey, give me your local file, you know, the user's C:\ document file, so I can save it to this path. And I'm like, oh, that's very nice. Here's the data, you can save it to that path. Oh, by the way, I also have this second file that I'd like you to save to your startup folder. [laughter] >>And sure enough, if you know the path to their startup folder, it will put it right there. Now, the startup folder changes in different versions of Windows, so that's not the most reliable way. If you can nmap their machine and tell what version of Windows they have, then, boom, you can do this. But I had to find a better way, and sure enough, Gh0st RAT made it very handy for me. It is vulnerable to a DLL side-loading attack, meaning if I just drop a file named OLEDLG, the dynamic link library, right in that same folder, the local folder, then it will try to load that file whenever Gh0st starts up, and it's looking for only one function in that DLL, and that's OleUIBusy. It's basically a function that can ask, is the UI busy, and it expects to hear a 1 as a return from that. I don't know, a 1 means not busy. It's really confusing, but anyways, all you have to do is make your malware into a DLL, have it export this one function that just returns 1 all the time, and Gh0st will be none the wiser. It doesn't break anything doing that, and the next time Gh0st starts up it will load your malware, or every time Gh0st starts up it will load your malware. So that was cool, but it requires dropping something to disk, and I wasn't done picking on Gh0st yet, because Gh0st, like I said, has the source code, so I started looking at the source code, and right away this one stood out to me.
I found it in like an hour or two. Basically, this is in the handling of the drive list as given from a victim. So when the victim says, oh, I have drives C, D, and E, that's in a buffer, right. And you'll notice on that second line it just takes the length as given by the victim, rather than checking the length is less than its buffer size. So if I pass a list of drives that is longer than the usual max of 26, then I can overflow a buffer within this particular C++ class. So the buffer I'm overflowing is on line 45, the remote drive list, which means I can overwrite any one of those objects below inside the class. A lot of those objects below are other C++ classes. So I can overwrite the pointer to those classes, and then when the actual code flow tries to call a function in one of those classes, it's going to end up calling a pointer that I control, that needs to point to another pointer that points to my code. So I basically have to set up a pointer to a pointer to a function that I want to run, which is kind of messy. Pointers to pointers aren't really the most fun things to use for exploitation, but they work. If I had an information disclosure that would give me the layout of memory, that would make the pointer-to-pointer code flow pretty easy. But I'm lazy. I didn't spend time looking for that, and I knew that I could just do a heap spray and have a really good chance of landing in my own heap. So that's what I did instead. I did the lazy man's approach. After I release these modules I would love to see somebody, maybe who's more willing to do work than I am [laughing], make the exploit a little bit cleaner that way. But nonetheless, that's what I did. DEP would break this approach, but DEP seems to break the executable.
Whenever I would run Gh0st RAT on a machine that forced DEP, or if I opted in, Gh0st would just crash. It wouldn't even run. So I didn't really need to worry about DEP. That could probably be changed, but it wasn't a problem for me. Now, before I go on to show that demo, or the video, I wanted to talk about something that another researcher, kevthehermit, has done. He has written a number of decoders. So if you're given a piece of malware from any one of these families, with the exception of PlugX, you can run the script on it and it will extract from that piece of malware the C2 address that it was meant to call home to, along with some other configuration data. So if you're the victim of one of these attacks and you find this file, you can pass it to a script, find the address of the C2 server, and then we can use Metasploit to attack that C2 server. But if you're too impatient to wait for yourself to be attacked, you could always search VirusTotal for these files, do a quick search for Gh0st RAT samples, and find quite a few. Some may be old, some might not. Or, Shodan was very nice recently and added a Malware Hunter feature that looks for C2 servers, and one of the C2 servers they look for is Gh0st, so we could just do a quick shopping list off of Shodan and have some fun. Again, this demo is the same setup: attacker, or adversary, on the right, retaliator on the left. And this one I'm going to do just slightly differently, in that I'm going to build a malware sample from the Gh0st RAT tool, and I'm going to pass that malware sample to the retaliator, and then, using that script that kevthehermit wrote, extract the C2 info and then use that to attack back. So I made the sample, and then I wasn't thinking and I closed Gh0st RAT. Oops, pressed the button. Alright, sorry to make you watch it again.
Yeah, so I make the sample, and then I'm just going to drag it out of the VM. In the usual case it would arrive via an email or a watering hole attack, but I'm not going to go through all of that. We all know how those work. So I just dragged the file out of the VM, and then I'm going to run the RAT decoder script on that sample, if I can type fast. There it is, and you can see on it the C2 address and the port that it's looking to go to. I realized my mistake, started back up the Gh0st RAT server, and on the left I'm starting up an exploit, and then I'm going to load my module and set the remote address to the remote address that we extracted from the malware itself. [silence] Just quick info showing what's available. I don't want to click pause. I'll try, I'll try. No I won't, I don't dare. So if you find a C2 server that doesn't use the Gh0st magic, you can just set the magic to match whatever the server's is, and I throw my exploit. Now it's going to take just a minute, because I'm spraying the heap, so I'm sending a lot of data over, but they receive the stage, the Meterpreter session starting. I'm going to do the same set of commands as soon as it comes back. Do the sysinfo. Spawn a shell. Then, this time I'll pop calc, just to be different. Yes, there she is. [clapping] On a Windows 10 machine! [applause] So that begs the question: then what? What do we do now? And to be honest, I'm not quite sure. This is an area that hasn't really been discussed, at least publicly. But here's what I would suggest, maybe, and maybe these are bad ideas. I'm not sure. Somebody else could decide. I don't know. But one of the first things I would be interested in doing would be netstat, because netstat would tell you all the other connections to that box.
If there are other victims besides yourself, they would show up inside of this netstat listing, so you could find out who else is targeted. Every one of these C2 tools has a folder for the files that have been downloaded from victims, and I would look at that. I would see what files they have pulled from other victims. What were they interested in? What did they pull from you? Also, maybe you would want to install some sort of persistence so you can stick around longer. Maybe you would want to install a keylogger to see what else they're up to. If they're dumb enough to log into Facebook from their ops machine, who knows? A lot of different things that are optional to do, but whatever you do, I highly suggest you don't go the revenge route, but you sit quiet and you listen, because I feel like that's where the most value in these is. Right? The more you observe about your adversary, the more likely you are to win in the long run. So with that, that's about all I had. I appreciate you guys coming and spending the time here. This URL [applause] Thank you. [applause] Thank you. That URL is where I currently have a fork of Metasploit until I get them pulled up into the main branch, and it depends on how well I am at meeting all the checkmarks before that will happen. So you can grab it there until they're released. Again, thanks. >>Woo! [applause]
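Editor's added example, not part of the talk and not code from the speaker, from Metasploit, or from any of the RAT toolkits discussed. It turns the two network fingerprints the speaker describes into a small classifier and runs it over constructed sample payloads: the Xtreme RAT beacons (raw "myversion|3.x", the server's "X" plus line feed and carriage return, and the fake-HTTP GET for /<1-10 digits>.functions) and the Gh0st-family framing (any 5-byte magic followed by two integers and a compressed buffer, which is what survives when an attacker swaps out the "Gh0st" string). Assumed here, because the talk does not state it: the two integers are little-endian and hold the total frame length and the decompressed length of a zlib buffer, the Xtreme reply's two control characters may come in either order, and the regular expressions are this example's own. The sample payloads are constructed, not captures from real infrastructure.

```python
"""Classify TCP payloads against the C2 framing described in the talk.

Added example by the editor; assumptions beyond the talk are marked below.
"""
import re
import struct
import zlib
from typing import Optional

# Xtreme RAT fake-HTTP beacon: GET /<password>.functions, where the password
# is 1 to 10 numeric characters (regex is this example's own).
XTREME_HTTP_RE = re.compile(rb"^GET /[0-9]{1,10}\.functions(?:\s|\?|$)")
# Xtreme RAT raw TCP beacon: "myversion|" followed by a version such as 3.6.
XTREME_RAW_RE = re.compile(rb"^myversion\|[0-9]+\.[0-9]+")
# Xtreme RAT server reply: the character X plus line feed and carriage return.
# Assumption: either order of the two control characters is accepted.
XTREME_REPLY = {b"X\r\n", b"X\n\r"}

GH0ST_MAGIC_LEN = 5
GH0ST_HEADER_LEN = GH0ST_MAGIC_LEN + 8  # 5-byte magic + two 32-bit integers


def gh0st_magic(payload: bytes) -> Optional[bytes]:
    """Return the 5-byte magic if payload is framed like Gh0st RAT, else None.

    Assumption (not stated in the talk): the two integers after the magic are
    little-endian, the first is the total frame length and the second is the
    decompressed length of the zlib buffer that follows. The magic bytes
    themselves are deliberately not checked, since attackers replace them.
    """
    if len(payload) < GH0ST_HEADER_LEN + 2:  # room for at least a zlib header
        return None
    magic = payload[:GH0ST_MAGIC_LEN]
    total_len, plain_len = struct.unpack("<II", payload[GH0ST_MAGIC_LEN:GH0ST_HEADER_LEN])
    if total_len != len(payload):
        return None
    try:
        plain = zlib.decompress(payload[GH0ST_HEADER_LEN:])
    except zlib.error:
        return None
    return magic if len(plain) == plain_len else None


def classify(payload: bytes) -> Optional[str]:
    """Label a single TCP payload with the C2 family whose framing it matches."""
    if XTREME_HTTP_RE.match(payload) or XTREME_RAW_RE.match(payload):
        return "xtreme-rat-beacon"
    if payload in XTREME_REPLY:
        return "xtreme-rat-server-reply"
    magic = gh0st_magic(payload)
    if magic is not None:
        return "gh0st-family magic=%r" % magic
    return None


def gh0st_frame(magic: bytes, plain: bytes) -> bytes:
    """Build a Gh0st-style frame under the assumptions above (sample data only)."""
    body = zlib.compress(plain)
    return magic + struct.pack("<II", GH0ST_HEADER_LEN + len(body), len(plain)) + body


# Constructed sample traffic, not captures from real infrastructure.
SAMPLES = {
    "xtreme_http": b"GET /1234567.functions HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
    "xtreme_raw": b"myversion|3.6\r\n",
    "xtreme_reply": b"X\r\n",
    "gh0st_default": gh0st_frame(b"Gh0st", b"C:\\,D:\\,E:\\"),   # stock magic
    "gh0st_renamed": gh0st_frame(b"HEART", b"C:\\"),           # swapped magic
    "benign_http": b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "too_many_digits": b"GET /12345678901.functions HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:16s} -> {classify(payload)}")
```

The Gh0st check is structural rather than string-based on purpose: because attackers usually edit only the five magic bytes, matching on the length field and a valid zlib stream catches renamed variants that a plain "Gh0st" signature misses, and the length check keeps random binary traffic from producing false positives.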