Tuesday, 18 September 2012

Raphael Mudge - Creator of Armitage and Cobalt Strike


When we decided to launch this blog, I could think of no one else but Raphael Mudge for the inaugural post! Over the past 2+ years Raphael has done incredible work creating Armitage and the now recently released Cobalt Strike.

So for all you thousands of Armitage and Cobalt Strike fans out there, we bring to you an interview with Raphael Mudge!

Enjoy! 

RM - Raphael Mudge, Creator of Armitage and Cobalt Strike
VR - Vivek Ramachandran, Founder of SecurityTube.net



VR: How and when did you start your career in Infosec?


RM: I was fascinated by computer security ideas *cough*hacking*cough* and programming when I was a teenager. Sadly, I focused more on writing better IRC scripts than learning things that I would use today.

When I was in college, I had no idea that I would end up working in the security field. Before I graduated, I spent a summer in the US Air Force's Advanced Course in Engineering Cyber Security Bootcamp. This was in 2003. I was exposed to a lot of forward ideas and met people who would become friends and mentors later in my career.

This course ignited my adult interest in security--at that time, I didn't want to work in any other field.

http://www.cis.syr.edu/~sueo/papers/ace-wecs.pdf



VR: What are your key areas of research? And what fascinates you about this field?


RM: Right now, I'm working on force multipliers for red team operations. A force multiplier is a feature or ability that when combined with our existing tools, makes them far more useful and effective. To use jargon: I'm looking for ideas that add synergistic effects to the hacking process.

Armitage's red team collaboration is a force multiplier. A red team might land access on a network. During this time, they're very vulnerable. Requiring one person to perform all necessary actions (looking for data, persistence, etc.) is a great burden. With Armitage's red team collaboration technology, you may divide your team into roles based on skill and knowledge. Each person can execute their role at the same time--helping the red team take advantage of their potentially limited time on the target.

Cortana (Armitage's DARPA funded scripting language) is a force multiplier. A network might be secure against remote exploits 99% of the time, making all of our exploits useless 99% of the time. Couple these exploits with a Cortana bot that's watching for changes to the network and looking for a narrow window of vulnerability--and you'll have success you wouldn't have had otherwise.

Eventually, I hope to arrive at something that resembles the Daemon in Daniel Suarez's books. Or Skynet. You know what they say--build robotic overlords and you'll end up enslaving the people who didn't like your grammar checker. Win!


VR: For the uninitiated, can you please describe your fantastic tool Armitage?


RM: Armitage is a graphical user interface for the Metasploit Framework. Armitage's strength is that it's intuitive for all users while giving power users full access to the Metasploit Framework console. With a quick glance, you know which hosts are in the database, where you have sessions, which operating systems are on those hosts, and how your pivoting is setup. Armitage makes it easy to execute a Metasploit Framework module against multiple hosts. It also exposes a lot of post-exploitation functionality that most people don't know exists.

Armitage is also a collaboration tool. And now that Cortana is in the mix, I hope folks start to view it as a platform they may use to integrate their tools and automate parts of their engagements.

http://www.fastandeasyhacking.com/



VR: What was the inspiration behind Armitage? 


RM: Since 2008, I've volunteered on the red team for the North East Collegiate Cyber Defense Competition. The fast pace of this event, its target rich environment, and the size of the red team made the gaps in our tools obvious. We have a lot of great tactical capabilities, but lack the tools to manage them.

The 2010 NECCDC pushed me over the edge. I wrote scripts to automatically backdoor UNIX systems using default credentials the moment we were allowed to attack. We ended up with too much access and no way to manage it. We executed netcat multiple times on each system to make a shell available to each team member. This kind of worked, but clearly a better solution was needed.

I originally considered writing an IRC bot to manage the Metasploit Framework. A series of happy accidents and whimsical Saturdays playing with a few Java Swing libraries led me to pursue a Graphical User Interface that allows collaboration.



VR: How much time did it take from concept to launch? 


RM: I started playing with ideas that would become Armitage in July 2010. The happy accidents came in the form of good timing. At DEFCON 18, Ryan Linn presented Multi-Player Metasploit. He pitched Metasploit as a potential collaboration platform and he released extensions to the Remote API to aid this. His release created a foundation that I could build on.

Matt Weeks (scriptjunkie) had also released msfgui in June 2010. His code to communicate with the Metasploit Framework is still at the heart of Armitage and Cobalt Strike. He allowed me to get up and running with my ideas very quickly.

http://www.scriptjunkie.us/

Without these two efforts, Armitage would not exist. I made Armitage available the last day of November 2010. The first version took four months of effort in my spare time.

VR: What were the key challenges in building Armitage?


RM: The Metasploit Framework was a much different project when I first started developing Armitage. The Remote API had no documentation or standard. The use of one subversion repository led to features breaking randomly. I didn't know what I could or couldn't rely on.

Also, the database integration in the Metasploit Framework was optional with many database options available to users. This was a nightmare scenario to support and it was hard to provide easy setup and troubleshooting steps for early Armitage users. I am very thankful for the Metasploit Framework installer that we have today.

My choice to use my language Sleep to develop Armitage created challenges. On one hand, I was able to prototype my ideas very quickly. On the other hand, Sleep's thread safety model didn't play nicely with Java's Swing library. In the beginning, Armitage was deadlock prone under heavy use. It took me a year to understand and eliminate the issue.

Finally, the red team collaboration problem was much harder than I anticipated. I thought I could write a client only approach to the collaboration problem--not true. For example, two RPC clients interacting with one session had undefined behavior for a long time. Sometimes two clients interacting with one session would drop it. There was no mechanism in the RPC server to lock sessions. I was stuck. I opted to release Armitage without any collaboration tools. It wasn't until February 2011 that I made progress on the collaboration problem.

VR: What was the initial response after the release? 


RM: It blew up. I think I took the community by surprise. For a first release, it had a polished presentation: nice website, promotional video, and a working implementation--not just a pipedream with some flash.

The project received a lot of attention very early on. This was both good and bad. Good, because exposure is always good. Bad, because it wasn't mature and this soured some people early on.



VR: Can you give us some idea about the number of Armitage users currently? Now that it's part of the official Metasploit Framework, I would assume it's quite large.


RM: I don't have a good number on this. The documentation receives a solid amount of traffic each month. Based on unique visitors each month, I conservatively estimate the user base in the mid double-digit thousands. It may be higher, but I don't know.

People are regularly exposed to Armitage and it's taught in a lot of places now. I often get email from people I haven't heard from in years: "Hey Raphael, we were using Armitage for this class/event/whatever and then I noticed you wrote it--Awesome".

I know it's out there.



VR: What is the future plan for Armitage?


RM: Future plan? It's succeeded. I created a red team collaboration tool and demonstrated those ideas to the community.

That's how I felt in June 2011. I had to decide what to do with the project.

The Metasploit Framework moves very fast without any forgiveness to projects that can't keep up. Without maintenance, Armitage would end up covered in thick dust in the Metasploit Framework graveyard with msfweb, the GTK msfgui, unported Perl modules, and other things that probably took significant love and ingenuity to put together.

I didn't want Armitage to die, but to keep working on it, I had to come up with a model to sustain the project. I decided to investigate interest in a commercial penetration testing product and I started planning a roadmap for Cobalt Strike.


In November 2011, DARPA funded the start of Armitage's future direction through the Cortana project. Cortana is a scripting language that allows you to add new features to Armitage and develop headless bots that participate on a red team.

Cortana is a very exciting technology. It turns Armitage's mature red team collaboration architecture into something other projects can hook into or target.

It makes new types of assessments possible. Imagine mixing bots with humans to perform a long-term engagement. The bots could signal the humans when it's an optimal time to act.

Cortana also allows the community to innovate with Armitage and turn it into what they need. My ideas alone are a limiting factor for the project and Cortana frees it from them. You can make Armitage into whatever you want now.

Cortana and Cobalt Strike are the future of Armitage.



VR: You own a company called Strategic Cyber LLC. What activities does the company do?


RM: Strategic Cyber LLC is the steward of my search for force multipliers for red team operations.

Strategic Cyber LLC develops Armitage, Cortana, and Cobalt Strike. This isn't too hard to do since the three are very closely related.

Strategic Cyber LLC also offers a limited number of courses related to its work. Advanced Threat Tactics is its flagship course on threat emulation.

The company does not offer services such as penetration testing. Its sole purpose is to drive a future vision for red team operations in a self-sustainable way.




VR: Can you tell us more about Cobalt Strike, your flagship product?


RM: Cobalt Strike is a threat emulation tool. I am building software that will help a competent red team break into and hold control of modern, presumably secure, networks.

This sounds scary, but it's important. If a penetration tester fails to demonstrate and communicate risk to their client, the client may become complacent or think they're secure when they're not.

Cobalt Strike is a commercial fork of Armitage. I never saw Armitage as a penetration-testing tool. It's close and it's great for exercises, but it lacks things I need in a double-blind engagement against a modern network.

Armitage has no tools to get a foothold in a network. The initial version of Cobalt Strike adds a social engineering process to fill in this gap. I say process, because it includes client-side reconnaissance, adding Meterpreter to common files, disguising client-side attacks, listener management, spear phishing, and reporting. This is a beautiful marriage of features that directly complements Armitage's post-exploitation and remote collaboration feature set.

Recently, I added VPN pivoting to Cobalt Strike. This feature, which creates a layer-2 tunnel into a target's network, allows an attacker with a foothold to sniff packets, host rogue services, use external tools inside the target's network, and execute man in the middle attacks. This feature makes a foothold gained with Cobalt Strike more useful to a penetration tester.

Armitage depends on the open source Metasploit Framework, whose default payloads are regularly caught by anti-virus. In the past nine months, anti-virus vendors have answered "Shikata ga nai"* with "like hell!" Soon, Cobalt Strike will include technologies to help customers evade anti-virus, communicate through restrictive firewalls, and quietly hold systems for a long period of time.

* Shikata ga nai is a Japanese phrase meaning "nothing can be done about it".



VR: For the uninitiated, what is Threat Emulation?


RM: Threat Emulation is what Penetration Testing used to mean. It's using an adversary’s tactics against your organization to see how well its security program works when exercised in concert. A creative adversary will highlight issues that an automated scanner will never find.

One thing I'd like to add: if you're hiring a creative adversary to find issues that an automated scanner can pick up--you're wasting your money. Threat emulation only makes sense for organizations with a mature security program.

See also:

Sinan Eren -- Information Operations

Kevin Mitnick + Dave Kennedy -- Adaptive Penetration Testing

Raphael Mudge -- Modern Network Attack
https://vimeo.com/20084998 (Blogger does not allow embedding from Vimeo)



VR: What are the key differentiators of Cobalt Strike from other tools in the same category?


RM: Cobalt Strike is the best-documented penetration-testing tool on the market. There is a 7-part training course online, a full manual, and videos for most individual features. I'm not trying to just build a useful tool; I'm trying to produce better penetration testers.

Cobalt Strike's key features are its intuitive GUI, red team collaboration, and scripting with Cortana. You may think "wait! those are Armitage features" and you're correct. The difference is, Cobalt Strike adds features to Armitage and the Metasploit Framework to make them a more complete solution for a penetration tester.

The red team collaboration capability lets you share and manage a foothold gained with the social engineering tools. The VPN pivoting feature lets you use your existing tools through this foothold. There's a lot of synergy here.

Through Cortana, you may automate your engagement or respond to events as you see fit. You may also customize Cobalt Strike to your needs in a way that's compatible with updates as they're released.

Learning a new tool is scary. What if the new tool doesn't do something you rely on with your old tool? Conveniently, your existing knowledge of the Metasploit Framework and Armitage transfers to Cobalt Strike. The console is still a first-class citizen in its user interface.


VR: How has Cobalt Strike been received by the Infosec Community?


RM: It's been positive. My training materials, documentation, and past performance with Armitage have given me an initial customer base.

The Veris Group LLC taught Cobalt Strike in their Adaptive Penetration Testing course at BlackHat USA.

The United States Military Academy at West Point gets the vision of the product and they've become an early adopter of my academic program.

My early customers are raving about the product. If you're reading this and you're on the fence about Cobalt Strike, I have customers who are willing to talk to you.



VR: What is the future plan for Cobalt Strike?


RM: For the core product, my focus is on features with long-term utility. Post-exploitation features and alternative remote administration tools have long-term utility. Attacks that take advantage of intended functionality or design flaws--these have long-term utility, a high probability of success, and they're not going away.

Some features (e.g., anti-virus evasion) will involve a constant cat and mouse game. I can't distribute my product to a wide audience and stay ahead of all security vendors for my customers. In these cases, I plan to meet my customers halfway and give them a Cortana script to integrate a base solution and source code to customize that solution to make it their own.

Once I've fleshed out the tactical foundation of Cobalt Strike, I will go back to working on the force multipliers. Next up? Distribution--I want to control multiple Cobalt Strike nodes in a seamless way.



VR: Your work is an inspiration to many. What advice would you give to budding Pentesters and security researchers? 


RM: Treat everyone you meet with respect. You are surrounded by people who are smarter than you. If you are smarter than the people you surround, look around--the smarter people are surrounding you.

Once you get that first point--you'll understand that you don't have to be the smartest person in the world to contribute. Next, pick an area that you're passionate about. Study it. Execute like crazy to solve a problem in that area. Don't be afraid to give it away.

Also, don't look for permission to contribute and put ideas out there--you won't find it. Just do it. Before I released Armitage, two people who saw it dissed it pretty hard. I expected I would get a bigger dose of that when I released. That didn't happen. If you're respectful and you put the work in--you'll find the community will treat you with respect in return.




VR: Fantastic! Thanks a lot Raphael for taking the time to do this email interview with us. We wish you and your future endeavors GREAT Success!




3 comments:

  1. Great interview... Permission to quote that last comment (or a portion of it) by Raphael at DerbyCon?

     Reply: @James You're absolutely welcome to do so. Technically, you don't even need to ask. It's fair use to quote something and reference where it came from.

  2. Great article. Great product. Great person.