1 of 65

PENTEST�COLLABORATION�FRAMEWORK �Armory

gitlab.com/invuls/pentest-projects/pcf

2 of 65

Shaposhnikov Ilya

Rostelecom, RedTeam member�
Student at Bauman Moscow State University�
Captain of “Invuls” security team and “SFT0” CTF university team�
IoT security researcher

#WHOAMI

Немного обо мне: меня зовут Шапошников Илья�Работаю редтиме в ПАО Ростелекоме, провожу пентесты и тестирования iot устройств

Также обучаюсь в МГТУ им баумана�И являюсь капитаном команды безопасности Invuls и университетской CTF-команды SFT0

А в свободное время исследую IoT на безопасность. Те кто были в 2019 году на Blackhat Europe могли видеть наше с командой выступление с утилитой IotSecFuzz.�######�Few words about me: my name is Ilya Shaposhnikov�

I work in redteam at Rostelecom company and carry out pentests and testing of iot devices�

I’m also a student at Bauman Moscow State Tech(K)nical University and the captain of the Invuls security team and SFT0 university CTF team.

And in my free time I research IoT for security. Those who were at Blackhat Europe in twenty nineteen could see our team and I with the IotSecFuzz utility.

3 of 65

Network offensive project types

4 of 65

Network offensive project types

S

SOLO

One person does all the work.

5 of 65

Network offensive project types

S

P

PAIR

Multiple testers.

SOLO

One person does all the work.

6 of 65

Network offensive project types

T

S

P

PAIR

Multiple testers.

SOLO

One person does all the work.

TEAM

Whole team is involved.

7 of 65

Main work problems:

8 of 65

scope.txt

Storage of initiation information about the project

Main work problems:

9 of 65

scope.txt

Storage of initiation information about the project

Network

Information about network obtained during testing

Main work problems:

10 of 65

3

scope.txt

Storage of initiation information about the project

Network

Information about network obtained during testing

Report

Generating reports

Main work problems:

11 of 65

3

4

scope.txt

Storage of initiation information about the project

Network

Information about network obtained during testing

Report

Generating reports

Teamwork

Team collaboration

Main work problems:

12 of 65

3

5

4

scope.txt

Storage of initiation information about the project

Network

Information about network obtained during testing

Report

Generating reports

Storage

Keeping all projects in a single standard

Teamwork

Team collaboration

Main work problems:

13 of 65

3

5

4

scope.txt

Storage of initiation information about the project

Network

Information about network obtained during testing

Exchange

Fast transmission of vulnerability information without reporting

Report

Generating reports

Storage

Keeping all projects in a single standard

Teamwork

Team collaboration

Main work problems:

14 of 65

scope.txt

hosts.xls

id_rsa

domains.txt

client.ovpn

network

Problem №1: project initial information

Scope�

Networks�
Domains�
Final goals�

Connection intructions�
Project timing�
Testers

1

2

Проблема номер 1 - хранение изначальной информации

В данном случае нужно понять, какую информацию обычно хранят. Это могут быть:

scope тестирования - сети/домены или иная информация�Также нам нужно понимать как подключиться к тестируемому сетевому сегменту и сколько времени может потребоваться на проект�И конечно знать кто будет выполнять из коллег данный проект

#####

Problem number 1 - storage of the original information

In this case, you need to understand what information is usually stored. It can be:

testing scope - networks / domains or other information

We also need to understand how to connect to the tested network segment and how long it may take for the project.

And of course, know who will carry out this project from colleagues. кОллигс

15 of 65

Problem №2: network testing information

Network�

Domains�
Opened ports/services�

Issues�

Credentials�
Vulnerabilities�

Integration with tools

Проблема номер 2 - хранение технической информации о тестируемой сети в том числе и которую нашли по ходу тестирования

Это могут быть:

Информация непосредственно о сети (домены/ip/порты и сервисы на них)
Обнаруженные проблемы безопасности (уязвимости и учетные данные)
А также результаты сканирований из сторонних утилит которые проблематично обрабатывать вручную

####

Problem number 2 - storing technical information about the tested network, including that found during security testing

It can be:

Information directly about the network (domains / ip / ports and services on them)
Detected security issues (vulnerabilities and credentials)
As well as the results of scans from third-party utilities that are problematic to process manually

16 of 65

Problem №3: teamwork

17 of 65

Problem №3: teamwork

“Oh, I have already scanned this host for opened ports!”�

18 of 65

Problem №3: teamwork

“Oh, I have already scanned this host for opened ports!”�
“Did anyone bruted directories at …?”�

19 of 65

Problem №3: teamwork

“Oh, I have already scanned this host for opened ports!”�
“Did anyone bruted directories at …?”�
“You can find credentials at whatsapp/jira or …�better take this USB storage :)”

20 of 65

Problem №3: teamwork

“Oh, I have already scanned this host for opened ports!”�
“Did anyone bruted directories at …?”�
“You can find credentials at whatsapp/jira or …�better take this USB storage :)”�
“There is a heardbleed at … Why noone told me about it?!”

21 of 65

Problem №4: report creation

~ 100 issues�~ 100 report pages�~ (100 x N) wasted time�
Identical templates but same wasted time every project�
No pentester likes report creation�
Same report standarts for whole team

Проблема которую многие из безопасников не любят - это проблема создания отчета. Кроме самого процесса написания отчета есть еще причины почему к этому этапу так плохо относятся: это обьем работы, одинаковые отчеты и наличие разныл шаблонов к которым надо приспосабливаться.

###

A problem that many security professionals don't like is the problem of creating a report. In addition to the process of writing a report, there are other reasons why this stage is so badly treated: �it is workload, �the same reports every project �and the presence of different templates to which you need to adapt.

22 of 65

Problem №5: fast information exchange

23 of 65

Problem №5: fast information exchange

“I need to create a report only 1 critical vulnerability? Can I just send its description to system administrator?”

24 of 65

Problem №5: fast information exchange

“I need to create a report only 1 critical vulnerability? Can I just send its description to system administrator?”�
> Can you send me a vulnerability of … project? There is the same issue inside mine project. ��< No problems, but I can’t give you all project information due to security. Wait an hour, will try to export information from it.

В случае разграничения прав внутри компании некоторым из команды могут быть не доступны чужие проекты, но может потребоваться получить доступ к какой то информации. А проблема в том, что чаще всего не выдавая доступ ко всему проекту, не получится выдать доступ например только к 1 уязвимости.

#######�

In the case of differentiation of rights within the company, some of the team may not have access to other people's projects, but it may be necessary to gain access to some information. And the problem is that most often without giving access to the entire project, it will not be possible to give access, for example, to only 1 vulnerability.

25 of 65

Problem №6: projects storage

“We need an NFS server for our projects!”��
“Who can tell me where to find a report for second pentest of XXX company?”��
“Let’s check first if they fixed previously found vulnerabilities? Oh... Where are they?.. and who tested this before?”

26 of 65

Current solutions

27 of 65

Current solutions

01

PAID

Utilities for which full functionality is available only with a paid subscription

1

28 of 65

Current solutions

01

02

ONLINE

Online utilities, which are not always safe to store information about projects in the cloud

2

PAID

Utilities for which full functionality is available only with a paid subscription

1

29 of 65

Current solutions

01

02

03

ONLINE

Online utilities, which are not always safe to store information about projects in the cloud

2

PAID

Utilities for which full functionality is available only with a paid subscription

1

DEPRECATED

Outdated utilities, the most famous of which is Lair Framework.

3

Lair

Framework

30 of 65

31 of 65

Pentest Collaboration Framework

Opensource -> Free�
Cross-Platform: Python v3.9�
Portable: Flask + SQLite3�
Easy installation�
Cloud support�
Tools integration�
… and more features!

Утилита бесплатная, опенсорсная и уже доступна для скачивания на официальном gitlab репозитории
Тк она написана полностью на Python версии 3.9 то она является еще и кроссплатформенной!
Портативность утилиты обеспечивается за счет использования базы данных SQLite3(это настраивается)
Для установки утилиты потребуется запустить всего лишь 3 команды!
также есть поддержка облаков и установкой в 2 клика
И другие фичи о которых мы поговорим далее

########

The utility is free, open source and is already available for download on the official gitlab repository
Since it is written entirely in Python version three dot nine, it is also cross-platform!
The utility's portability is ensured by using a SQLite3 database (this is configurable)
To install the utility, you need to run only 3 commands!
there is also support for clouds and installation in 2 clicks
And other features that we will talk about further фЁвер

32 of 65

Pentest Collaboration Framework

Disadvantages:�

Slower�

Python + Flask�
SQLite3 (portability)�

No react interface yet�
Some requests are extrimely slow due to many operations (example: large scan import)�
No websocket support yet

Но прежде чем пойти далее, стоит сразу же предупредить о ее минусах:�1. Тк она написана на Python и использует SQLite3, то производительность падает.

2. Также нет React веб интерфейса

3. Из-за большого количества операций некоторые запросы, например, обработка nessus отчета, может занимать некоторое время

4. И также нет поддержки вебсокетов что может быть критично для чатов

####

But before going further(фЁвер), I should immediately warn you about disadvantages:

1. Since it is written in Python and uses SQLite3, the performance drops.

2. Also there is no React web interface

3. Due to the large number of operations, some requests, for example, processing a nessus report, may take some time.

4. And also there is no support for websockets, which can be critical for chats

33 of 65

First steps into

34 of 65

Step #0: Framework installation

Choose your runtime options

35 of 65

Step #0: Framework installation

01

Docker

Usually takes up a lot of space

1

Choose your runtime options

36 of 65

Step #0: Framework installation

01

02

Standalone

You only need Python and git on your computer

2

Docker

Usually takes up a lot of space

1

Choose your runtime options

37 of 65

Step #0: Framework installation

01

02

03

Standalone

You only need Python and git on your computer

2

Docker

Usually takes up a lot of space

1

Cloud

Installation on the cloud using these buttons on the PCF repository page

3

Choose your runtime options

38 of 65

Step #0: Framework installation

Config editing

39 of 65

Step #0: Framework installation

Config editing

Scheduled database backup

Database: SQLite3 or PostgreSQL

40 of 65

Step #0: Framework installation

Config editing

Scheduled database backup

Website speed & security

Database: SQLite3 or PostgreSQL

41 of 65

Step #0: Framework installation

Config editing

Scheduled database backup

Website speed & security

Additional authorization

Database: SQLite3 or PostgreSQL

42 of 65

Step #0: Framework installation

Config editing

Scheduled database backup

Website speed & security

Additional authorization

HTTPS

Database: SQLite3 or PostgreSQL

43 of 65

Path of PCF “hero"

44 of 65

Path of PCF “hero"

WORKSPACE

Special workplace for users & teams

45 of 65

Step #1: Workspaces

46 of 65

Step #1: Workspaces

Config

Logs

Templates

API Tokens

User info

47 of 65

Step #1: Workspaces

Config

Logs

Templates

API Tokens

User info

Teams

Admins

48 of 65

Step #1: Workspaces

Config

Logs

Templates

API Tokens

User info

Projects

Teams

Admins

49 of 65

Path of PCF “hero"

WORKSPACE

Special workplace for users & teams

PROJECT�MODERATION

Moderation and usage instructions

50 of 65

Step #2: Projects moderation

51 of 65

Path of PCF “hero"

WORKSPACE

Special workplace for users & teams

PROJECT�MODERATION

Moderation and usage instructions

PROJECT�INFORMATION

Types of information which can be stored

52 of 65

Step #3: Project information

Network information

IP

Ports�
Domains�
Comments�
Check status�
OS�

Networks�
Hosts/Ports export tool

В начале идет рабочий процесс с заполнением информации о хостах: открытые порты/сервисы, домены, комментарии к хостам, статус проверки(нашли ли что или нет) и ОС. ��Также можно добавить информацию о сетях к которым получили доступ (в том числе для визуализации). ��И последняя возможность - экспорт хостов и портов в произвольном формате для дальнейшего использования в других утилитах

######

At the beginning, there is a workflow with filling in information about hosts: open ports / services, domains, comments to hosts, check status (whether they found anything or not) and OS.

You can also add information about the networks to which you got access (including for visualization).

And the last opportunity is to export hosts and ports in an arbitrary format for further use in other utilities.

53 of 65

Step #3: Project information

Issues storage

Connection with..

ip
ip : port
hostname
hostname : port

Share URL
Issues templates
Proof-of-Concept

Image
Text

Для добавления уязвимостей есть отдельная вкладка. Кроме стандартных полей уязвимости - ее также можно прикрепить к ip, ip:port, domain or domain:port. Также из новшеств - можно создать ссылку, по которой к данной уязвимости могут получить доступ все желающие (без раскрытия другой информации). Также к уязвимости можно прикрепить poc: image or text

#######

There is a separate tab for adding vulnerabilities. In addition to the standard vulnerability fields, it can also be attached to ip, ip & port, domain or domain & port.

Also from the innovations - you can create a link by which everyone can access this vulnerability (without disclosing other information).

You can also attach proof of concept: image or text to the vulnerability

54 of 65

Step #3: Project information

Notes & Files

Notes can be connected with hosts�
Save scanner output�
Personal notes�
Project files �(example: keys)

55 of 65

Step #3: Project information

Discovered credentials

Table with credentials�
Multiple credentials import from txt (example: from .csv)�
Fast hash check with 10k popular passwords�
Export credentials

А что делать если вы например нашли сайт с логином и паролем admin admin? Тогда вы можете занести их на вкладку “credentials”. Тут есть несколько фич:

Множественное экспортирование из txt файла в произвольном формате
Быстрая проверка добавленных хешей на топ-100-10к популярных паролей
Экспорт учетных данных с вариацией паролей для использования в других утилитах

#######

And what if you found a site with a username and password admin/admin, for example? Then you can add them to the “credentials” tab. There are several features here:

Multiple export from txt file in arbitrary format
Quick check of added hashes for the top 10-thousand popular passwords
Export credentials with password variations for usage in other utilities

56 of 65

Step #3: Project information

External tools integration

Import

Nmap
Nessus
Qualys
. . .

Export

ip / port
credentials

Scan

Shodan
ipwhois

Одной из основных проблем для нас было обьединением результатов многик утилит. С этим PCF тоже может справиться! Список утилит, поддерживаемых PCF вы видите на экране.

Мы разделили утилиты на 3 категории:

Import - категория импорта результатов сканирований
Export - экспорт, например, ip/port/credentials для обработки в другой утилите
Scan - специальные запросы непосредственно от PCF

######

One of the main problems for us was combining the results of many utilities. The PCF can handle that too! You can see the list of utilities supported by PCF on the slide.

We have divided tools into 3 categories:

Import - category for importing scan results
Export - export, for example, ip / port / credentials for processing them with another utility
Scan - special requests directly from PCF

57 of 65

Step #3: Project information

Sniffers - HTTP sniffer

58 of 65

Path of PCF “hero"

WORKSPACE

Special workplace for users & teams

PROJECT�MODERATION

Moderation and usage instructions

PROJECT�INFORMATION

Types of information which can be stored

INFORMATION�EXPORT

Reports generation & JSON export

59 of 65

Step #4: Data export

JSON-data�
Report - python jinja engine�

txt/html/tex/…�
zip (txt/html/tex/…)�
docx

60 of 65

Path of PCF “hero"

WORKSPACE

Special workplace for users & teams

PROJECT�MODERATION

Moderation and usage instructions

PROJECT�INFORMATION

Types of information which can be stored

API

Special interface for communicating with PCF

INFORMATION�EXPORT

Reports generation & JSON export

61 of 65

Step #5: API

62 of 65

DEMO!

63 of 65

#TODO

Flask -> Django�
Vue.js�
Websockets�
ORM database�
Net-NTLM sniffer

More tool integrations�
Network graph update�
Google cloud support

64 of 65

Questions?

Repo 🚀: gitlab.com/invuls/pentest-projects/pcf

Chat 💬: t.me/PentestCollaborationFramework

Demo: pcf-hacktivitycon.herokuapp.com

Contacts: @drakylar (vk.com, telegram, facebook, linkedin, discord), iljashaposhnikov@gmail.com

65 of 65

THE END?

Repo 🚀: gitlab.com/invuls/pentest-projects/pcf

Chat 💬: t.me/PentestCollaborationFramework

Demo: pcf-hacktivitycon.herokuapp.com

Contacts: @drakylar (vk.com, telegram, facebook, linkedin, discord), iljashaposhnikov@gmail.com