Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcement Learning by Isao Takaesu

1,885 views

Published on

DeepExploit is fully automated penetration testing tool using Deep Reinforcement Learning. It identifies the status of all opened ports on the target server and executes the exploit at pinpoint. DeepExploit’s key features are the following:

1) Efficiently execute exploit:
DeepExploit can execute exploits at pinpoint (minimum 1 attempt).

2) Deep penetration:
If DeepExploit succeeds the exploit to the target server (=compromised server) with in the perimeter network, then it executes the exploit to internal servers via compromised server.

3) Self-learning:
DeepExploit can learn how to exploitation by itself.

By using our DeepExploit, you will benefit from the following:

For penetration testers:
(a) They can greatly improve the test efficiency;
(b) The more penetration testers use DeepExploit, DeepExploit learns how to method of exploitation using Deep Reinforcement learning. As a result, accuracy of test can be improved.

For Information Security Officers:
(c) They can quickly identify vulnerabilities of own servers. As a result, prevent that attackers attack to your servers using vulnerabilities, and protect your reputation by avoiding the negative media coverage after breach.
Because attack methods to servers are evolving day by day, there is no guarantee that yesterday’s security countermeasures are safety today. It is necessary to quickly find vulnerabilities and take countermeasures. DeepExploit will contribute greatly to maintaining your safety.

  • Login to see the comments

[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcement Learning by Isao Takaesu

  1. 1. Deep Exploit - Fully automated penetration test tool - October 30th, 2019 Blue Box 2019 Presented by Isao Takaesu
  2. 2. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019 About the speaker. Security Engineer, Programmer, CISSP, Master degree (Info Tech) My works are : (1) Vulnerability assessment (Detect vulnerabilities / Propose countermeasures) (2) Research & Development (Automatic pentest technology using Machine Learning) - Past talked in conference - Black Hat Arsenal ASIA/USA/EURO, DEFCON Demo Labs/AI Village, CODE BLUE, PYCON JP etc.. (3) Human resource development ・Judge of “HITB+ AI Challenge” (Fully automated cybersecurity competition using Machine Learning.) ・Instructor of “Security Next Camp” (HR development program for cybersecurity in Japan.) ・MINI Hardening project (Learn how to respond to cyber security incidents.) ・Secure Brigade (Share information security technology know-how with books and podcasts.) ・AISECjp (Hold a study group on Machine Learning security in Japan.) Mitsui Bussan Secure Directions, Inc Professional Service Div. Isao Takaesu Twitter: @bbr_bbq GitHub: 13o-bbr-bbq
  3. 3. What is Deep Exploit ? Deep Exploit Perimeter Network External Firewall Web Servers DNS Servers Internal Firewall Database Server Web Server Internal Network Internal Computers Fully automatically exploit the target on perimeter and internal networks. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  4. 4. ML ModelA3C of Reinforcement Learning Penetration Test Framework Deep Exploit Target Server RPC API Exploit ML model : Operate the Metasploit via RPC API. Metasploit : Execute “Exploit” and “Post-Exploit” . Send Commands Receive Result ML model and Metasploit are linked via RPC API. Overview © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  5. 5. ・Penetration test framework by Rapid 7. ・Command operation is required. ・It has many “Exploit modules”. ・It has many “Targets”. ・It has many “Payloads”. ・It has various RPC API. We can operate it from external program (ML model) We must select optimal exploit module, targets and payload according to succeed the exploitation. What is Metasploit? © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  6. 6. Beforehand, ML Model needs to train how to exploit. I use Deep Reinforcement Learning which can select optimal payload. ・ ・ ・ ・ ・ ・ ・ ・ ・ State (s) Target server info collected by Intelligence Gathering. Q value Payload… ・ ・ ・ ・DNN outputs the payload according to the input information. ・Agent executes the exploit using payload. ・DNN learn optimal exploit based on “exploit result” using Backpropagation. Action (a) Exploit Target Server Deep Neural Network Reward (r) Exploit result Learn(Backprop) using “Reward” Reinforcement Learning Agent State (s’) Changed state What is ML Model. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  7. 7. ML ModelA3C of Reinforcement Learning Penetration Test Framework Deep Exploit Trained Data RPC API Save/Restore Training Servers Training DeepExploit uses vulnerable servers for learn how to exploit. Send Commands Receive Result Training environment. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  8. 8. ・ ・ ・ Numerous Trials (about >10,000) ・ ・ ・ Worker thread Parameter Server ・ ・ ・ … ⊿w=gradw ⊿w=gradw ⊿w=gradw ・ ・ ・ Worker thread Worker thread send recv recvsend recv send Target Host info OS type Product Name Version Exploit module Target Payloads cmd/unix/bind_ruby linux/x86/shell/bind_tcp bsd/x64/exec generic/debug_trap linux/mipsle/shell_bind_tcp mainframe/shell_reverse_tcp ・・・ … ・ ・ ・ Training Servers ・ ・ ・ ・ ・ ・ Learn how to exploitation while trying numerous exploits on multi threads How to learn “Exploitation”. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  9. 9. https://youtu.be/8ht4y9tboNY [Demo] Training of Exploitation. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  10. 10. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Processing Flow. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  11. 11. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering 1. Nmap : identify open ports, products. 2. Contents discovery : identify Web products using found product contents on the Web port. 3. Web crawling : collecting HTTP responses on the Web port. By analyze HTTP responses using String-matching and Naive Bayes, identify Web products. Intelligence Gathering. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  12. 12. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering 1. Nmap : identify open ports, products. 2. Contents discovery : identify Web products using found product contents on the Web port. 3. Web crawling : collecting HTTP responses on the Web port. By analyze HTTP responses using String-matching and Naive Bayes, identify Web products. Intelligence Gathering. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  13. 13. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report HTTP/1.1 200 OK Date: Tue, 06 Mar 2018 06:56:17 GMT Server: OpenSSL/1.0.1g Content-Type: text/html; charset=UTF-8 Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/; Etag: "409ed-183-53c5f732641c0" …snip… <form action="/example/confirm.php"> What are included the Web products in this HTTP response? Question. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  14. 14. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report HTTP/1.1 200 OK Date: Tue, 06 Mar 2018 06:56:17 GMT Server: OpenSSL/1.0.1g Content-Type: text/html; charset=UTF-8 Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/; Etag: "409ed-183-53c5f732641c0" …snip… <form action="/example/confirm.php"> Answer (1). It can identify OpenSSL and PHP using String-Matching. But, this HTTP response includes more products. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  15. 15. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report HTTP/1.1 200 OK Date: Tue, 06 Mar 2018 06:56:17 GMT Server: OpenSSL/1.0.1g Content-Type: text/html; charset=UTF-8 Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/; Etag: "409ed-183-53c5f732641c0" …snip… <form action="/example/confirm.php"> Answer (2). It can identify joomla! and Apache using Naive Bayes. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  16. 16. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Open session between “Deep Exploit” and front server. Step 2. Exploitation ・ Execute exploit to front target server using trained data. ・ Open session between “Deep Exploit” and target server. Connectable Execute exploits Front target ServerDeep Exploit Compromised ・ ・ ・ Target Server Info Optimal Payload Exploitation. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  17. 17. Step 1. Intelligence Gathering Fully automatic (No human) Step 3. Post-Exploitation Step 4. Generate Report Pivoting and execute the exploit to internal servers. Step 2. Exploitation Step 3. Post-Exploitation ・ Pivoting and execute the exploit to internal server via compromised server. Connectable Exploit via Front target server Internal target Servers Connectable Execute exploits Front target ServerDeep Exploit Compromised ・ ・ ・ Target Server Info Optimal Payload Post-Exploitation. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  18. 18. Step 1. Intelligence Gathering Fully automatic (No human) Step 3. Post-Exploitation Step 4. Generate Report Step 2. Exploitation Step 3. Post-Exploitation ・ Execute exploit to internal target servers via front target server Connectable Exploit via Front target server Internal target Servers Connectable Execute exploits Front target ServerDeep Exploit Compromised ・ ・ ・ Target Server Info Optimal Payload Deep Exploit repeats Step1-3 in internal servers. Post-Exploitation. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  19. 19. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 4. Generate Report ・ Generate the report of penetration test. Generate Report. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  20. 20. Server-A IP: 192.168.184.132 Deep Exploit IP: 192.168.184.145 Connectable Directly connect Scenario 1. Single target server https://youtu.be/mgEOBIM4omM [Demo] Exploitation. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  21. 21. Scenario 2. Exploitation via compromised server (=Server-A) [Demo] Exploitation. https://youtu.be/DsBNOGBjJNg Connectable Directly connect Connectable Exploit via Server-A Deep Exploit IP: 192.168.184.145 Server-A IP: 192.168.184.132 Server-B IP: 192.168.184.148 (Only permits Server-A to connect) Perimeter Network Internal Network © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  22. 22. Scenario 3. Deep penetration [Demo] Exploitation. Server-A IP: 192.168.220.145 Deep Exploit IP: 192.168.220.150 Server-B IP: 192.168.220.146 (Only permits Server-A to connect) Connectable Connectable Exploit via Server-A Connectable Exploit via Server-A Directly connect Perimeter Network Internal Network Server-C IP: 192.168.220.152 (Only permits Server-A to connect) https://youtu.be/s-Km-BE8NxM © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  23. 23. ・I developed a fully automated penetration testing tool called DeepExploit. ・The DeepExploit consists of ML model and Metasploit. ・The ML model is Deep Reinforcement Learning that can learn how to exploit by itself. ・ The DeepExploit can execute exploit at pinpoint (minimum 1 attempt) using ML model. ・ If succeeds the exploit, the DeepExploit can execute exploit to the internal servers. ・Current version of DeepExploit is PoC, so I have any blueprints: - I have to improve accuracy of exploitation. - I exchange the ML model to Monte Carlo Tree Search (MCTS). Conclusion. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  24. 24. ・Source codes & Usage https://github.com/13o-bbr-bbq/machine_learning_security/tree/master/DeepExploit GitHub: 13o-bbr-bbq Resource © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019
  25. 25. © 2019 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. Blue Box 2019 Who we are: Company MBSD - Mitsui Bussan Secure Directions, Inc. Established 2001 Head office Tokyo, Japan Paid in capital JPY 400 Mil (100% subsidiary of Mitsui & Co., Ltd) Employees 256 Industry affiliations Leading companies in Japan, such as telecoms, banks, retailers, internet business and the governments. Businesses Professional security services to protect business from cyber attacks. Vulnerability Assessment/Penetration test (Web/NW/Internet of Things…) Services Managed Security Services, Incident Response, GRC Consulting, R&D.
  26. 26. Reference all source codes and document: https://github.com/13o-bbr-bbq/

×