1
00:00:04,938 --> 00:00:07,941
(dramatic entrance)

2
00:00:10,210 --> 00:00:13,146
(audience applaud)

3
00:00:15,515 --> 00:00:18,084
- What I wanna talk
about today was twofold.

4
00:00:18,084 --> 00:00:20,120
First thing we wanna
chat about a little bit

5
00:00:20,120 --> 00:00:22,722
is why live forensics?

6
00:00:22,722 --> 00:00:24,791
Why are we doing live response?

7
00:00:24,791 --> 00:00:27,093
And the second thing
I wanna talk about

8
00:00:27,093 --> 00:00:31,097
is a tool that we
released at DFLabs,

9
00:00:31,097 --> 00:00:33,433
a company I currently
work for now,

10
00:00:33,433 --> 00:00:35,201
that will help
you kind of script

11
00:00:35,201 --> 00:00:38,171
and automate some of your
live response collection.

12
00:00:39,339 --> 00:00:41,875
I really appreciate
the two keynotes

13
00:00:41,875 --> 00:00:45,045
because they teed things
up for me very well,

14
00:00:45,045 --> 00:00:47,247
talking about kind
of the crossover

15
00:00:47,247 --> 00:00:51,184
between incident response
and threat hunting,

16
00:00:51,184 --> 00:00:53,887
as well as what is evil, right?

17
00:00:53,887 --> 00:00:54,788
We talked about this morning,

18
00:00:54,788 --> 00:00:56,955
how do you find evil?

19
00:00:56,956 --> 00:00:57,924
What is evil?

20
00:00:57,924 --> 00:00:58,925
What needs to be looked into

21
00:00:58,925 --> 00:01:02,495
versus what may be normal?

22
00:01:02,495 --> 00:01:05,364
So why do we do live
forensics, right?

23
00:01:05,364 --> 00:01:08,234
Well, as he talked about
in the introduction,

24
00:01:09,536 --> 00:01:10,703
Dead Box Forensics,

25
00:01:10,703 --> 00:01:12,005
we just really
don't do it anymore.

26
00:01:12,005 --> 00:01:13,473
There's no time for it.

27
00:01:14,607 --> 00:01:16,276
The amount of data
that we're collecting

28
00:01:16,276 --> 00:01:18,978
in those kind of
situations is just kind of

29
00:01:20,413 --> 00:01:21,881
unnecessary.

30
00:01:21,881 --> 00:01:23,917
So we do live
forensics when we want

31
00:01:23,917 --> 00:01:26,753
to preserve things
like running processes,

32
00:01:26,753 --> 00:01:28,655
network connections, open files,

33
00:01:28,655 --> 00:01:29,856
things like that.

34
00:01:29,856 --> 00:01:33,559
When we know those
are gonna be lost even

35
00:01:33,560 --> 00:01:34,627
if we did pull the drive

36
00:01:34,627 --> 00:01:36,362
or shut the system down, right.

37
00:01:36,362 --> 00:01:37,997
And obviously there's situations

38
00:01:37,997 --> 00:01:39,365
where a system
can't be shut down

39
00:01:39,365 --> 00:01:41,500
so we have to do live
forensics, right.

40
00:01:41,501 --> 00:01:43,136
Try telling somebody
that you're gonna shut

41
00:01:43,136 --> 00:01:45,205
down their domain controller

42
00:01:45,205 --> 00:01:47,273
or you need to take a
critical application offline

43
00:01:47,273 --> 00:01:49,274
because you think it
might be compromised.

44
00:01:49,275 --> 00:01:52,245
So we're forced to do live
forensics at that point.

45
00:01:52,245 --> 00:01:53,746
Now, of course,

46
00:01:53,746 --> 00:01:56,449
we've heard other talks
about some great EDR tools,

47
00:01:56,449 --> 00:01:59,285
some great network
collection tools,

48
00:01:59,285 --> 00:02:02,387
things like that that are
great for grabbing things

49
00:02:02,388 --> 00:02:04,858
like running processes
and network connections.

50
00:02:04,858 --> 00:02:08,661
So why, do we even need
to do live forensics?

51
00:02:08,661 --> 00:02:09,863
Well, you know, sure.

52
00:02:11,064 --> 00:02:12,432
Some environments may not have

53
00:02:12,432 --> 00:02:14,066
those EDR tools in place.

54
00:02:15,502 --> 00:02:18,805
Obviously in the
smaller environments

55
00:02:20,006 --> 00:02:22,308
it may not be affordable
and there's still gonna

56
00:02:22,308 --> 00:02:25,778
be times where as great
as the EDR solutions are,

57
00:02:25,778 --> 00:02:28,381
you're gonna need some
more in depth information.

58
00:02:28,381 --> 00:02:30,483
You're looking for
hooks or evidence

59
00:02:30,483 --> 00:02:31,885
of advanced threats.

60
00:02:31,885 --> 00:02:33,786
Those may be things
that your EDR tools

61
00:02:33,786 --> 00:02:34,854
aren't gonna pick up.

62
00:02:36,456 --> 00:02:38,857
So as Ben talked about, right,

63
00:02:38,858 --> 00:02:41,594
threat hunting vs. IR
we've heard a bunch

64
00:02:41,594 --> 00:02:42,428
of different people mention,

65
00:02:42,428 --> 00:02:43,763
what is the definition?

66
00:02:43,763 --> 00:02:46,199
Where do those things intersect?

67
00:02:46,199 --> 00:02:48,301
And I think we can all agree

68
00:02:48,301 --> 00:02:50,136
that there's a lot of crossover.

69
00:02:50,136 --> 00:02:52,539
We may not agree on
exactly where that is,

70
00:02:52,539 --> 00:02:55,208
what the definition of
one versus the other is,

71
00:02:55,208 --> 00:02:56,743
but there's a lot of crossover.

72
00:02:56,743 --> 00:03:00,613
So your IR obviously starts
with a pivot point, right.

73
00:03:00,613 --> 00:03:02,749
When you're doing
an IR investigation

74
00:03:02,749 --> 00:03:05,385
and you're gonna do live
forensics as part of that,

75
00:03:05,385 --> 00:03:06,719
you've got that pivot point.

76
00:03:06,719 --> 00:03:08,321
Maybe it's an AV alert.

77
00:03:08,321 --> 00:03:09,689
Maybe you've been,

78
00:03:13,092 --> 00:03:15,195
something alerted
on a data breach.

79
00:03:15,195 --> 00:03:17,430
Maybe you've got an
IDS alert, right,

80
00:03:17,430 --> 00:03:19,399
you've got that pivot
point to work off of

81
00:03:19,399 --> 00:03:21,601
and you can work from there.

82
00:03:21,601 --> 00:03:23,436
In threat hunting we're looking

83
00:03:23,436 --> 00:03:24,704
for that pivot point, right.

84
00:03:24,704 --> 00:03:28,174
So we don't know that
there is an alert.

85
00:03:28,174 --> 00:03:30,210
We don't know that
there's an incident.

86
00:03:30,210 --> 00:03:32,345
We're looking for
that sign of something

87
00:03:32,345 --> 00:03:35,748
that's abnormal so that
we can go from there

88
00:03:35,748 --> 00:03:37,183
and then the IR starts.

89
00:03:37,183 --> 00:03:39,886
So there's a lot of
crossover between the two.

90
00:03:39,886 --> 00:03:41,019
Now, this morning,

91
00:03:41,020 --> 00:03:42,655
another great tee up,

92
00:03:42,655 --> 00:03:45,325
we talked about what
are signs of evil?

93
00:03:45,325 --> 00:03:46,993
What are we looking
for when we're doing

94
00:03:46,993 --> 00:03:48,894
these live forensics, right?

95
00:03:48,895 --> 00:03:51,898
Well, we're looking for
things that I can't say

96
00:03:51,898 --> 00:03:53,333
or I shouldn't
say are always bad

97
00:03:53,333 --> 00:03:55,168
or bad no matter what

98
00:03:55,168 --> 00:03:57,704
but are more normally
suspicious, right.

99
00:03:57,704 --> 00:04:00,540
Things like your
misnamed processes,

100
00:04:00,540 --> 00:04:02,809
connections to known
bad hosts, right.

101
00:04:02,809 --> 00:04:04,410
You've got something
connecting to something

102
00:04:04,410 --> 00:04:06,311
that's on your threat
intelligence list,

103
00:04:06,312 --> 00:04:08,114
that's probably bad.

104
00:04:08,114 --> 00:04:09,849
Abnormal process owners, right,

105
00:04:09,849 --> 00:04:13,185
I think we all got a copy
of the Find Evil Poster.

106
00:04:13,186 --> 00:04:14,153
Everybody knows that.

107
00:04:14,153 --> 00:04:15,221
Everybody should be using that,

108
00:04:15,221 --> 00:04:16,789
it's a fantastic resource.

109
00:04:16,789 --> 00:04:18,190
So I don't need to go up here

110
00:04:18,190 --> 00:04:19,825
and regurgitate all that to you

111
00:04:19,826 --> 00:04:22,395
but that's what
you're looking for.

112
00:04:22,395 --> 00:04:25,732
Now, some things are gonna
be more subtle, right.

113
00:04:25,732 --> 00:04:29,035
Those sort of things
that Rick talked

114
00:04:29,035 --> 00:04:30,136
about this morning.

115
00:04:30,136 --> 00:04:32,605
Maybe they're normal,

116
00:04:32,605 --> 00:04:34,040
maybe they're not normal.

117
00:04:34,040 --> 00:04:35,808
Maybe there's a good
reason for this happening

118
00:04:35,808 --> 00:04:38,144
but it could be
completely malicious

119
00:04:38,144 --> 00:04:39,679
or completely benign.

120
00:04:39,679 --> 00:04:42,181
So odd ports,

121
00:04:42,181 --> 00:04:43,416
code injection,

122
00:04:43,416 --> 00:04:45,985
things like that may
be normal for your AV

123
00:04:45,985 --> 00:04:47,487
but it's probably not normal

124
00:04:47,487 --> 00:04:50,023
for Adobe, right, hopefully.

125
00:04:51,391 --> 00:04:52,925
And like they talked
about this morning too,

126
00:04:52,925 --> 00:04:54,127
establish your baselines.

127
00:04:54,127 --> 00:04:55,261
Know what's normal.

128
00:04:56,663 --> 00:04:58,498
If you're gonna be doing
good quality threat hunting

129
00:04:58,498 --> 00:05:00,166
and you're gonna be
doing live forensics

130
00:05:00,166 --> 00:05:03,136
and acquiring this data
off of these hosts, right,

131
00:05:03,136 --> 00:05:04,871
that's what we're
gonna talk about

132
00:05:04,871 --> 00:05:08,073
is how to actually acquire
that data to examine,

133
00:05:08,074 --> 00:05:09,709
you need to know what's normal.

134
00:05:09,709 --> 00:05:11,277
You need to be able to
compare that to something,

135
00:05:11,277 --> 00:05:13,513
so baselines are
hugely critical.

136
00:05:14,981 --> 00:05:17,582
So when we talk about doing
live forensics, right,

137
00:05:17,583 --> 00:05:18,785
it's a great tool.

138
00:05:18,785 --> 00:05:20,620
We all know there's
a dozen reasons

139
00:05:20,620 --> 00:05:22,322
why we should be doing it.

140
00:05:22,322 --> 00:05:24,290
But there's certain
challenges that you run

141
00:05:24,290 --> 00:05:26,426
into in live forensics that
obviously you don't run

142
00:05:26,426 --> 00:05:29,195
into with the traditional
disk space forensics, right.

143
00:05:29,195 --> 00:05:31,164
It's very, very important that

144
00:05:31,164 --> 00:05:33,433
that process be documented

145
00:05:33,433 --> 00:05:36,602
because when you're
doing live forensics

146
00:05:36,602 --> 00:05:38,770
you're changing
something, right.

147
00:05:38,771 --> 00:05:40,206
I mean, there's no
way around that.

148
00:05:40,206 --> 00:05:42,275
You are altering the
data and that used to be,

149
00:05:42,275 --> 00:05:43,109
10 years ago,

150
00:05:43,109 --> 00:05:44,176
that was a no-no.

151
00:05:44,177 --> 00:05:46,145
No, we can never change the data

152
00:05:46,145 --> 00:05:47,914
or we can never use it.

153
00:05:47,914 --> 00:05:49,849
And that's just not
the case anymore

154
00:05:49,849 --> 00:05:52,318
but it's important
to document that

155
00:05:52,318 --> 00:05:53,585
because you need
to be able to prove

156
00:05:53,586 --> 00:05:55,321
how you changed the evidence.

157
00:05:55,321 --> 00:05:57,790
Are these artifacts
on this host a result

158
00:05:57,790 --> 00:06:00,159
of something I did
or is it a result

159
00:06:00,159 --> 00:06:01,694
of something the attacker did?

160
00:06:01,694 --> 00:06:03,496
And if your process
isn't documented,

161
00:06:03,496 --> 00:06:04,996
if you just have
this ad hoc process

162
00:06:04,997 --> 00:06:06,232
where you're gonna
plug in a drive,

163
00:06:06,232 --> 00:06:08,868
go run some tools
and get the output,

164
00:06:10,036 --> 00:06:13,172
and then six months
later you go to court

165
00:06:13,172 --> 00:06:15,074
or there's some sort
of a legal proceeding

166
00:06:15,074 --> 00:06:15,942
and somebody asks you,

167
00:06:15,942 --> 00:06:17,377
well, what did you do?

168
00:06:17,377 --> 00:06:19,278
You know, I plugged
something in,

169
00:06:19,278 --> 00:06:21,147
I ran some tools and
this is what I got.

170
00:06:21,147 --> 00:06:24,984
Well okay, you're
gonna have a bad time.

171
00:06:24,984 --> 00:06:27,152
It needs to be something
that's repeatable,

172
00:06:27,153 --> 00:06:28,488
that goes to the same point.

173
00:06:28,488 --> 00:06:30,590
You need to be able to say that,

174
00:06:30,590 --> 00:06:33,191
look, this is a process
that we've tested.

175
00:06:33,192 --> 00:06:35,361
It's documented and
we do this the same

176
00:06:35,361 --> 00:06:37,663
every single time, right.

177
00:06:37,663 --> 00:06:40,566
That's hugely important
and it needs to be secure.

178
00:06:40,566 --> 00:06:42,001
You're going, you're
running something

179
00:06:42,001 --> 00:06:46,239
on a live system that maybe
your domain controller

180
00:06:46,239 --> 00:06:47,806
or it may just be
a user workstation,

181
00:06:47,807 --> 00:06:51,377
but it could also be a
critical application system.

182
00:06:51,377 --> 00:06:53,246
So it needs to be
something that's secure.

183
00:06:53,246 --> 00:06:55,214
You need to know
what you're running

184
00:06:55,214 --> 00:06:56,783
and you need to make
sure that those tools

185
00:06:56,783 --> 00:06:58,684
that you're running only do

186
00:06:58,684 --> 00:07:00,286
what you expect
them to do, right.

187
00:07:00,286 --> 00:07:01,287
I mean, hopefully,

188
00:07:03,055 --> 00:07:05,358
best worst case scenario,

189
00:07:05,358 --> 00:07:07,393
it just does
something unexpected.

190
00:07:07,393 --> 00:07:09,861
Worst worst case scenario,

191
00:07:09,862 --> 00:07:11,464
right, somehow your USB drive

192
00:07:11,464 --> 00:07:14,100
or whatever you're
running the tools off of

193
00:07:14,100 --> 00:07:16,836
had gotten infected
with malware, okay.

194
00:07:16,836 --> 00:07:18,438
And now you're
installing a rootkit

195
00:07:18,438 --> 00:07:19,505
on your domain controller

196
00:07:19,505 --> 00:07:21,841
and you're gonna
have a bad week.

197
00:07:21,841 --> 00:07:24,210
So it needs to be
a secure process.

198
00:07:25,244 --> 00:07:27,113
So how do we achieve that?

199
00:07:27,113 --> 00:07:29,382
Normally it's through
batch files, right.

200
00:07:29,382 --> 00:07:32,118
Normally we've got two,

201
00:07:32,118 --> 00:07:34,754
three dozen different
little individual

202
00:07:34,754 --> 00:07:36,222
live response tools.

203
00:07:36,222 --> 00:07:37,957
Maybe one goes out and
grabs network connections,

204
00:07:37,957 --> 00:07:41,127
one's gonna grab open files,

205
00:07:41,127 --> 00:07:42,328
things like that.

206
00:07:42,328 --> 00:07:44,130
We get all these little
tools that are great

207
00:07:44,130 --> 00:07:46,332
at doing the individual
thing that they do

208
00:07:46,332 --> 00:07:48,701
and we put them
all on a USB drive

209
00:07:48,701 --> 00:07:50,603
and then we script
them via batch file

210
00:07:51,771 --> 00:07:53,372
because we want it to
be a repeatable process.

211
00:07:53,372 --> 00:07:54,574
We wanna be able to
take that batch file

212
00:07:54,574 --> 00:07:57,176
and say this is
exactly what we ran.

213
00:07:57,176 --> 00:08:00,979
Okay, well that works
but there's some problems

214
00:08:00,980 --> 00:08:02,548
with batch files when
you start looking

215
00:08:02,548 --> 00:08:03,649
at some of those requirements

216
00:08:03,649 --> 00:08:05,685
like being documented
and secure.

217
00:08:05,685 --> 00:08:08,621
There's no native
logging or audit trails

218
00:08:08,621 --> 00:08:09,856
in a batch file, right.

219
00:08:09,856 --> 00:08:12,225
You run a batch file, it runs,

220
00:08:12,225 --> 00:08:14,861
that's it, that's all you get.

221
00:08:14,861 --> 00:08:17,997
So if you wanna have
that documentation

222
00:08:17,997 --> 00:08:18,965
that's something
you have to build

223
00:08:18,965 --> 00:08:20,232
into your batch file.

224
00:08:20,233 --> 00:08:22,268
Now I've got to
not only run the,

225
00:08:22,268 --> 00:08:23,535
you know, put commands
in my batch file

226
00:08:23,536 --> 00:08:25,271
to run the tools,

227
00:08:25,271 --> 00:08:26,239
I've gotta put
commands in there to

228
00:08:26,239 --> 00:08:27,640
pipe the output out.

229
00:08:27,640 --> 00:08:29,442
Now I need to put
extra commands in there

230
00:08:29,442 --> 00:08:32,278
to actually make sure
that I'm documenting

231
00:08:32,278 --> 00:08:34,413
what processes we'll run.

232
00:08:34,413 --> 00:08:38,717
Some tools are OS or
CPU-architecture-specific,
right.

233
00:08:38,717 --> 00:08:40,986
So maybe I have a
great tool that I love

234
00:08:40,986 --> 00:08:44,924
but it only runs on
Windows 7 or newer,

235
00:08:44,924 --> 00:08:47,226
or maybe it's only
for 64 bit systems.

236
00:08:47,226 --> 00:08:49,262
Okay, now I've gotta
put those statements

237
00:08:49,262 --> 00:08:51,097
in my batch file.

238
00:08:51,097 --> 00:08:53,132
It's easy to modify
batch files, right.

239
00:08:53,132 --> 00:08:55,667
Again, you talk about the
best worst case scenario

240
00:08:55,668 --> 00:08:57,370
and the worst worst
case scenario.

241
00:08:58,538 --> 00:09:01,440
Best worst, maybe
somebody just opened

242
00:09:01,440 --> 00:09:02,675
up the batch file,

243
00:09:02,675 --> 00:09:03,910
accidentally edited
and made some changes

244
00:09:03,910 --> 00:09:05,978
and now something's
gonna fail to run.

245
00:09:05,978 --> 00:09:07,146
Worst worst case,

246
00:09:07,146 --> 00:09:08,981
somebody does
something malicious

247
00:09:08,981 --> 00:09:11,317
and now you're running
commands with your batch file

248
00:09:11,317 --> 00:09:12,752
that you don't mean to.

249
00:09:12,752 --> 00:09:14,286
And like we talked
about earlier,

250
00:09:14,287 --> 00:09:17,757
tools can easily be
deleted or replaced,

251
00:09:17,757 --> 00:09:20,358
so it's not terribly secure.

252
00:09:20,359 --> 00:09:23,930
When I was doing IR
the last batch file

253
00:09:23,930 --> 00:09:26,265
that I was using to
run all of my tools,

254
00:09:26,265 --> 00:09:28,367
I think was something
like 1,700 lines

255
00:09:28,367 --> 00:09:30,002
or something stupid like that.

256
00:09:30,002 --> 00:09:32,872
Now granted, that had
some pretty output

257
00:09:32,872 --> 00:09:36,108
and do you wanna do this
and that sort of thing.

258
00:09:36,108 --> 00:09:38,377
But then you go try to
add another tool to that

259
00:09:38,377 --> 00:09:40,146
and you've gotta parse
through 1,700 lines

260
00:09:40,146 --> 00:09:41,514
to figure out exactly
where you want it

261
00:09:41,514 --> 00:09:43,883
and still there's some
issues with batch files.

262
00:09:45,251 --> 00:09:48,721
So what I started writing
and finally finished

263
00:09:48,721 --> 00:09:51,991
when I took this new
position was something

264
00:09:51,991 --> 00:09:54,694
we're calling the
No-Script Automation Tool.

265
00:09:54,694 --> 00:09:57,496
And the idea is it's free,

266
00:09:57,496 --> 00:09:59,298
you can download it.

267
00:09:59,298 --> 00:10:02,401
It's supposed to kind
of help overcome some

268
00:10:02,401 --> 00:10:06,137
of those limitations
of batch files, right.

269
00:10:06,138 --> 00:10:07,907
So obviously, right,

270
00:10:07,907 --> 00:10:09,175
no scripting required.

271
00:10:09,175 --> 00:10:11,310
That should be kind of
obvious with the name.

272
00:10:12,812 --> 00:10:14,947
What we wanted to
do was make it easy

273
00:10:14,947 --> 00:10:18,117
to configure for different
CPU architectures,

274
00:10:18,117 --> 00:10:21,187
different OSs,
wanted to take care

275
00:10:21,187 --> 00:10:22,688
of those things that
you normally have

276
00:10:22,688 --> 00:10:24,256
to spend all kinds
of time scripting

277
00:10:24,256 --> 00:10:27,126
like logging and hashing output.

278
00:10:27,126 --> 00:10:28,294
And we wanted to
take care of some

279
00:10:28,294 --> 00:10:29,728
of the security
issues of batch files.

280
00:10:29,729 --> 00:10:33,332
So making sure that the
commands and the tools

281
00:10:33,332 --> 00:10:35,266
are verified before
you run them,

282
00:10:35,267 --> 00:10:37,103
they're known and
they're documented so

283
00:10:37,103 --> 00:10:39,070
that you can go back
to that afterwards.

284
00:10:40,873 --> 00:10:43,976
So and as a teaser to the end,

285
00:10:43,976 --> 00:10:45,811
I didn't put the link
to actually download

286
00:10:45,811 --> 00:10:47,813
it until the end so everybody
has to stick around.

287
00:10:47,813 --> 00:10:49,048
So we're gonna jump right

288
00:10:49,048 --> 00:10:50,750
into actually configuring it

289
00:10:50,750 --> 00:10:51,851
and then I'll tell
you at the end

290
00:10:51,851 --> 00:10:53,519
how to download it.

291
00:10:53,519 --> 00:10:56,288
So the idea behind
that is that you have

292
00:10:56,288 --> 00:10:59,692
this one executable
that will basically,

293
00:10:59,692 --> 00:11:02,328
automatically take
care of executing all

294
00:11:02,328 --> 00:11:03,762
of those tools that
you would normally

295
00:11:03,763 --> 00:11:05,598
have to put in a batch file.

296
00:11:05,598 --> 00:11:08,934
And so the way we do
that and we'll see,

297
00:11:08,934 --> 00:11:11,370
in lieu of being
the only person up here

298
00:11:11,370 --> 00:11:14,540
who had to have a laptop
to do a live demo,

299
00:11:14,540 --> 00:11:17,309
I put some videos in here
so there'll be a couple

300
00:11:17,309 --> 00:11:19,411
of videos actually
going over this process

301
00:11:19,412 --> 00:11:20,713
and executing the tool.

302
00:11:22,114 --> 00:11:24,183
Hopefully I can talk at the
same speed as the video.

303
00:11:24,183 --> 00:11:25,985
It's gonna be a
little bit awkward

304
00:11:26,819 --> 00:11:27,752
but we'll try it.

305
00:11:28,921 --> 00:11:30,122
So to configure,

306
00:11:30,122 --> 00:11:31,490
to set up your tools,

307
00:11:31,490 --> 00:11:33,592
you just create a
tools directory, right.

308
00:11:33,592 --> 00:11:35,327
So you got your USB drive,

309
00:11:35,327 --> 00:11:37,430
you've got NAT sitting
on your USB drive.

310
00:11:37,430 --> 00:11:39,765
You create this tools
directory and then you start

311
00:11:39,765 --> 00:11:42,768
to organize your tools
into different categories.

312
00:11:42,768 --> 00:11:44,303
Now, you don't have to,

313
00:11:44,303 --> 00:11:45,271
you can just throw them
all in the tools directory

314
00:11:45,271 --> 00:11:46,505
and run them all at once,

315
00:11:46,505 --> 00:11:48,240
but the nice thing
about organizing them

316
00:11:48,240 --> 00:11:50,576
into this tools directory
that's over here

317
00:11:50,576 --> 00:11:53,913
is that you can
create an .ini file

318
00:11:53,913 --> 00:11:56,649
or one or more .ini
files that will allow you

319
00:11:56,649 --> 00:12:00,386
to specify which directories
you want to run, right.

320
00:12:00,386 --> 00:12:03,322
So there's a default .ini file,

321
00:12:03,322 --> 00:12:04,990
you can set it up
to run everything.

322
00:12:04,990 --> 00:12:07,793
But if you only wanna run
maybe your file system

323
00:12:07,793 --> 00:12:09,295
and your OS tools,

324
00:12:09,295 --> 00:12:11,530
you can have an .ini
file that just specifies

325
00:12:11,530 --> 00:12:13,064
those two directories,

326
00:12:13,065 --> 00:12:15,367
call that from the command
line and run it that way.

327
00:12:15,367 --> 00:12:16,868
So it's a good idea to be able

328
00:12:16,869 --> 00:12:18,804
to split up your
tools like that.

329
00:12:20,272 --> 00:12:22,141
So the other thing you can do

330
00:12:22,141 --> 00:12:23,575
within these tools directories

331
00:12:23,576 --> 00:12:25,711
is set up individual folders.

332
00:12:25,711 --> 00:12:27,513
So we can set up folders here

333
00:12:27,513 --> 00:12:30,282
for operating system
version numbers

334
00:12:30,282 --> 00:12:34,954
as well as CPU architectures
and nest them inside.

335
00:12:34,954 --> 00:12:37,622
So you can have your
file system directory

336
00:12:37,623 --> 00:12:40,493
and then you can
create a 6-10.0 folder.

337
00:12:40,493 --> 00:12:42,161
So when you're running tools

338
00:12:42,161 --> 00:12:43,929
from the file system directory

339
00:12:43,929 --> 00:12:47,800
it's only going to run
on Windows version 6-10.

340
00:12:47,800 --> 00:12:49,535
You can create an x64 directory

341
00:12:49,535 --> 00:12:52,070
that will only run tools
on an x64 system.

342
00:12:52,071 --> 00:12:54,406
And that will take care
of all this automatically.

343
00:12:54,406 --> 00:12:55,574
When it executes,

344
00:12:55,574 --> 00:12:57,142
it will automatically
detect the OS

345
00:12:57,143 --> 00:12:59,345
and the CPU architecture

346
00:12:59,345 --> 00:13:01,147
and just run the proper
tools so you don't have

347
00:13:01,147 --> 00:13:02,982
to script all that stuff.

348
00:13:02,982 --> 00:13:04,250
As you can see,

349
00:13:04,250 --> 00:13:07,286
you can nest them here
so you can have a 6-10

350
00:13:07,286 --> 00:13:09,121
and then an x64.

351
00:13:09,121 --> 00:13:10,456
You can do it in reverse

352
00:13:10,456 --> 00:13:12,691
but you can't
double down on that.

353
00:13:12,691 --> 00:13:16,629
So you can't have a
6-10 x64 and then 8-10.

354
00:13:17,630 --> 00:13:19,398
It only goes two levels.

355
00:13:22,101 --> 00:13:24,303
So how do we specify command
line arguments, right?

356
00:13:24,303 --> 00:13:25,671
That's important, we
don't just run tools.

357
00:13:25,671 --> 00:13:27,473
We normally run them
via the command line.

358
00:13:27,473 --> 00:13:30,575
We're gonna put them
into a text file

359
00:13:30,576 --> 00:13:33,212
that's just named
with .cmd at the end.

360
00:13:33,212 --> 00:13:34,980
So if you wanna run ping.exe

361
00:13:34,980 --> 00:13:37,316
you just create a new text file,

362
00:13:37,316 --> 00:13:39,351
put it in that same
directory with ping.exe

363
00:13:39,351 --> 00:13:42,154
and call it ping.exe.cmd.

364
00:13:42,154 --> 00:13:43,856
And you just put the
command line arguments

365
00:13:43,856 --> 00:13:44,990
right in that text file.

366
00:13:44,990 --> 00:13:47,226
And you can have more than one,

367
00:13:47,226 --> 00:13:48,561
so if you wanna
run the same tool

368
00:13:48,561 --> 00:13:49,862
with three different
command line arguments,

369
00:13:49,862 --> 00:13:51,230
you can certainly do that.

370
00:13:51,230 --> 00:13:52,765
You just put one on each line,

371
00:13:52,765 --> 00:13:55,867
it will execute it
once per command line.

372
00:13:57,169 --> 00:13:58,971
All right, so this
is the first video.

373
00:13:58,971 --> 00:14:01,574
Okay, so we're gonna create
that tools directory.

374
00:14:01,574 --> 00:14:03,175
And that's gonna be
where we're gonna store

375
00:14:03,175 --> 00:14:05,144
all of our tools by default.

376
00:14:05,144 --> 00:14:07,179
Now, it's gonna be
in the same directory

377
00:14:07,179 --> 00:14:08,680
as the NAT executable itself

378
00:14:08,681 --> 00:14:10,616
because that's where
NAT's gonna look for it.

379
00:14:10,616 --> 00:14:12,484
So within the tools
directory I talked about

380
00:14:12,484 --> 00:14:15,354
we're gonna create
those individual,

381
00:14:15,354 --> 00:14:17,890
sort of category folders, right.

382
00:14:17,890 --> 00:14:22,061
So we'll create a folder
for our network tools,

383
00:14:22,061 --> 00:14:23,295
our OS tools,

384
00:14:23,295 --> 00:14:24,563
things like that.

385
00:14:24,563 --> 00:14:27,199
So we'll make our
network directory

386
00:14:27,199 --> 00:14:29,968
and within that we
can start adding

387
00:14:29,969 --> 00:14:31,604
our different network tools.

388
00:14:31,604 --> 00:14:33,505
So in this case I'm
just throwing one tool

389
00:14:33,505 --> 00:14:34,840
in here for a demo purpose.

390
00:14:34,840 --> 00:14:35,674
Now you'll see,

391
00:14:36,876 --> 00:14:40,112
when I run this I tend
to prepend everything

392
00:14:40,112 --> 00:14:41,113
with a name.

393
00:14:41,113 --> 00:14:42,314
In this case I've used NAT_.

394
00:14:43,415 --> 00:14:45,416
It's not a requirement
for the NAT tool

395
00:14:45,417 --> 00:14:47,086
but it is good best practice.

396
00:14:47,086 --> 00:14:48,554
Again, we talked
about differentiating

397
00:14:48,554 --> 00:14:51,723
what you did versus
what maybe an attacker

398
00:14:51,724 --> 00:14:53,492
or somebody else did.

399
00:14:53,492 --> 00:14:56,027
So the easiest way or
one of the easiest ways

400
00:14:56,028 --> 00:14:58,364
to do that is just
prepend the file name

401
00:14:58,364 --> 00:15:00,266
in front of all of your
tools so you can see,

402
00:15:00,266 --> 00:15:02,267
hey, that was
obviously associated

403
00:15:02,268 --> 00:15:04,737
with something I did.

404
00:15:04,737 --> 00:15:05,670
Now you can see here,

405
00:15:05,671 --> 00:15:08,240
I'm gonna create that x64 folder

406
00:15:08,240 --> 00:15:11,610
so we can jump inside
that and put a tool

407
00:15:11,610 --> 00:15:13,646
inside that that will
only be run inside

408
00:15:13,646 --> 00:15:16,382
of a 64 bit OS.

409
00:15:16,382 --> 00:15:19,685
We can also create
that file system

410
00:15:19,685 --> 00:15:22,921
to the operating
system version folders.

411
00:15:22,922 --> 00:15:26,225
So we'll create that
6-10 folder there

412
00:15:26,225 --> 00:15:28,961
and that will only be
run on Windows Vista

413
00:15:28,961 --> 00:15:31,463
through Windows 10
operating systems.

414
00:15:31,463 --> 00:15:32,665
And then within that,

415
00:15:32,665 --> 00:15:35,867
obviously, we can
nest another directory

416
00:15:35,868 --> 00:15:37,803
there as well.

417
00:15:37,803 --> 00:15:39,638
So we threw that 6-10 directory

418
00:15:39,638 --> 00:15:42,508
inside the 64 bit folder.

419
00:15:42,508 --> 00:15:46,745
So now it'll only run on
64 bit operating systems.

420
00:15:46,745 --> 00:15:50,849
Okay, so now I'm gonna throw
that .cmd file in there.

421
00:15:50,849 --> 00:15:53,218
It will open that up and
we'll take a look at it.

422
00:15:53,218 --> 00:15:54,887
You can see it's
named the exact same

423
00:15:54,887 --> 00:15:56,155
as the executable,

424
00:15:56,155 --> 00:15:57,656
that's how NAT ties
those two together.

425
00:15:58,824 --> 00:16:01,727
But we just prepend
a .cmd at the end

426
00:16:01,727 --> 00:16:03,829
and you can see in
this case all I'm doing

427
00:16:03,829 --> 00:16:05,930
is just accepting
the EULA, right.

428
00:16:05,931 --> 00:16:07,333
It's one of those
Sysinternals tools

429
00:16:07,333 --> 00:16:10,002
that's gonna pop up a
EULA so we can make sure

430
00:16:10,002 --> 00:16:12,771
that we accept the EULA
and we don't get a popup

431
00:16:12,771 --> 00:16:14,039
when we execute that.

432
00:16:14,039 --> 00:16:15,574
But you can put any
commands you want

433
00:16:15,574 --> 00:16:17,776
in that .cmd file.

434
00:16:17,776 --> 00:16:20,445
So there's a couple
of special commands

435
00:16:20,446 --> 00:16:23,082
that you can put
inside the .cmd file

436
00:16:23,082 --> 00:16:24,883
that are specific to NAT.

437
00:16:24,883 --> 00:16:26,285
They're variables that allow you

438
00:16:26,285 --> 00:16:28,487
to do some special
things and NAT

439
00:16:28,487 --> 00:16:30,488
will place these variables
when you actually

440
00:16:30,489 --> 00:16:32,391
run the tool at runtime.

441
00:16:33,559 --> 00:16:37,062
So the first one is
the %NOOUT% variable.

442
00:16:37,062 --> 00:16:39,298
And basically what
that's gonna do

443
00:16:39,298 --> 00:16:41,800
is tell NAT that it
doesn't need to take care

444
00:16:41,800 --> 00:16:42,734
of the output, right.

445
00:16:42,735 --> 00:16:45,904
So some tools you can do a -l

446
00:16:45,904 --> 00:16:47,906
when you specify the
output directory.

447
00:16:47,906 --> 00:16:49,775
You don't need NAT
to pipe that output

448
00:16:49,775 --> 00:16:53,045
for you into a file.

449
00:16:53,045 --> 00:16:54,979
So if you specify
the %NOOUT% command

450
00:16:54,980 --> 00:16:59,251
in the command file
NAT will not pipe

451
00:16:59,251 --> 00:17:00,786
that output out for
you automatically,

452
00:17:00,786 --> 00:17:03,021
you can specify that
in the command file.

453
00:17:03,022 --> 00:17:07,326
Now obviously, where
we do that is going

454
00:17:07,326 --> 00:17:09,294
to be different for
each execution, right.

455
00:17:09,294 --> 00:17:10,729
You don't know
what drive letter,

456
00:17:10,729 --> 00:17:12,564
what folder you're gonna
wanna pipe the output

457
00:17:12,564 --> 00:17:16,435
into when you're
running NAT at runtime.

458
00:17:16,435 --> 00:17:18,503
So that's what that
second variable is for,

459
00:17:18,503 --> 00:17:19,838
the %OUTDIR% directory.

460
00:17:19,838 --> 00:17:22,875
When you run NAT
it's going to ask you

461
00:17:22,875 --> 00:17:27,146
where you wanna
output the files to?

462
00:17:27,146 --> 00:17:29,380
And that's gonna
change so you can use

463
00:17:29,381 --> 00:17:32,484
that %OUTDIR% variable
within your command file

464
00:17:32,484 --> 00:17:34,852
to specify whatever
output directory

465
00:17:34,853 --> 00:17:36,588
is chosen at runtime.

466
00:17:36,588 --> 00:17:39,425
And the last one is just the
%SYSROOT% variable, right,

467
00:17:39,425 --> 00:17:41,659
C:\Windows\System32.

468
00:17:41,660 --> 00:17:43,962
But on some systems
that can change

469
00:17:43,962 --> 00:17:46,231
so that's just a variable
that you can use.

470
00:17:47,699 --> 00:17:49,501
So how do we actually run this?

471
00:17:49,501 --> 00:17:52,104
What does it actually
look like when we execute?

472
00:17:52,104 --> 00:17:56,141
So this is the command
line interface.

473
00:17:56,141 --> 00:18:01,080
Pretty simple, you've got
a help menu obviously.

474
00:18:02,014 --> 00:18:03,849
We'll talk about
integrity files.

475
00:18:03,849 --> 00:18:06,652
We also have that .ini
file so like I said,

476
00:18:06,652 --> 00:18:08,353
you can create the
default .ini file.

477
00:18:08,353 --> 00:18:09,521
That's what will be used

478
00:18:09,521 --> 00:18:11,889
if you don't specify anything.

479
00:18:11,890 --> 00:18:13,992
But you can specify
that .ini file

480
00:18:13,992 --> 00:18:17,296
on the command line
if you wanna call

481
00:18:17,296 --> 00:18:18,864
a different one
that maybe only runs

482
00:18:18,864 --> 00:18:20,866
a certain subset of your tools.

483
00:18:22,267 --> 00:18:25,771
So while we're waiting
for me in the video here,

484
00:18:25,771 --> 00:18:28,740
the integrity check
file is something

485
00:18:28,740 --> 00:18:31,210
that can be used
to verify the tools

486
00:18:31,210 --> 00:18:32,644
that you're running, right.

487
00:18:32,644 --> 00:18:34,046
So we talked about tools

488
00:18:34,046 --> 00:18:36,648
getting accidentally replaced,
maliciously replaced,

489
00:18:36,648 --> 00:18:40,485
we talked about the same
thing in your commands.

490
00:18:42,421 --> 00:18:44,857
So an integrity check
file basically allows you

491
00:18:47,192 --> 00:18:49,228
to kind of create
a gold standard,

492
00:18:49,228 --> 00:18:50,462
if you will,

493
00:18:50,462 --> 00:18:53,198
or a known set of tools
that you create.

494
00:18:53,198 --> 00:18:54,500
And then you can
create this integrity

495
00:18:54,500 --> 00:18:57,336
check file and every
time you're executing

496
00:18:57,336 --> 00:18:58,570
that after that,

497
00:18:58,570 --> 00:18:59,838
it's gonna check and
make sure that all

498
00:18:59,838 --> 00:19:02,474
of your tools are
the way they were

499
00:19:02,474 --> 00:19:04,476
when you created that
integrity file, right.

500
00:19:04,476 --> 00:19:05,944
So nothing's been changed.

501
00:19:05,944 --> 00:19:07,379
No MD5s are different.

502
00:19:07,379 --> 00:19:10,215
No command line
arguments are different.

503
00:19:10,215 --> 00:19:12,384
So we'll go ahead and
we're gonna run NAT

504
00:19:12,384 --> 00:19:14,219
and you can see you
get a security warning.

505
00:19:14,219 --> 00:19:16,588
We haven't created that
integrity check file yet

506
00:19:16,588 --> 00:19:17,889
so it's gonna pop up and say,

507
00:19:17,890 --> 00:19:18,824
hey, you know,

508
00:19:18,824 --> 00:19:20,159
you're not verifying your tools,

509
00:19:20,159 --> 00:19:21,527
this can be dangerous.

510
00:19:21,527 --> 00:19:23,462
Are you sure you wanna continue.

511
00:19:23,462 --> 00:19:26,865
Now, there's nothing
but you can if you want.

512
00:19:26,865 --> 00:19:29,401
I'm not here to tell you
how to do your business

513
00:19:29,401 --> 00:19:32,471
but it will at least
prompt you to say,

514
00:19:32,471 --> 00:19:34,606
hey something, you
should be creating

515
00:19:34,606 --> 00:19:35,674
this integrity check file.

516
00:19:35,674 --> 00:19:36,908
So we're gonna select no.

517
00:19:36,909 --> 00:19:38,977
And then we're gonna run NAT

518
00:19:38,977 --> 00:19:41,380
and we're gonna run
it with the -c command

519
00:19:41,380 --> 00:19:42,714
to create that
integrity check file.

520
00:19:42,714 --> 00:19:44,183
And you can see what it's done

521
00:19:44,183 --> 00:19:46,752
is it's gone through and
it's hashed every single

522
00:19:46,752 --> 00:19:48,954
executable in all of our paths.

523
00:19:48,954 --> 00:19:52,758
It's hashed all
of the .cmd files.

524
00:19:52,758 --> 00:19:54,193
And you can see
for the text files

525
00:19:54,193 --> 00:19:56,161
it's actually also
displaying the content

526
00:19:56,161 --> 00:19:57,095
of those text files.

527
00:19:57,095 --> 00:19:58,030
So it's actually gonna show us

528
00:19:58,030 --> 00:19:59,697
what commands were running.

529
00:19:59,698 --> 00:20:00,799
So it's gonna go through.

530
00:20:00,799 --> 00:20:01,733
It's gonna do all that.

531
00:20:01,733 --> 00:20:02,868
It's gonna display it to you.

532
00:20:02,868 --> 00:20:04,336
And we're gonna say,

533
00:20:04,336 --> 00:20:07,639
are these commands and
these executables trusted?

534
00:20:07,639 --> 00:20:08,840
If you say yes,

535
00:20:08,840 --> 00:20:10,408
it'll create that
integrity check file.

536
00:20:10,409 --> 00:20:13,445
And you can see it's gonna
ask you for a password.

537
00:20:13,445 --> 00:20:16,181
So we enter the password
and it's going to

538
00:20:16,181 --> 00:20:19,017
take that information
and encrypt it

539
00:20:19,017 --> 00:20:22,454
and put it into a file
on the USB drive itself

540
00:20:22,454 --> 00:20:24,223
so that will always
be present there,

541
00:20:24,223 --> 00:20:26,091
and it will always
check that from now on

542
00:20:26,091 --> 00:20:27,525
every time you execute NAT.

543
00:20:37,669 --> 00:20:39,738
I should've done
this in like six

544
00:20:39,738 --> 00:20:41,974
or seven chunks, I apologize.

545
00:20:41,974 --> 00:20:43,475
All right, so now
we're gonna go ahead

546
00:20:43,475 --> 00:20:45,177
and run NAT again.

547
00:20:45,177 --> 00:20:46,278
Now you can see
it's gonna prompt us

548
00:20:46,278 --> 00:20:47,512
for the password.

549
00:20:47,512 --> 00:20:48,813
So we'll go ahead

550
00:20:48,814 --> 00:20:50,249
and if we enter an
incorrect password

551
00:20:50,249 --> 00:20:51,216
it's just gonna pop up,

552
00:20:51,216 --> 00:20:52,484
tell us the password's wrong.

553
00:20:53,585 --> 00:20:55,287
If we run it again,

554
00:20:55,287 --> 00:20:57,422
this time we'll enter
the correct password.

555
00:21:06,999 --> 00:21:07,833
Possibly,

556
00:21:09,134 --> 00:21:12,404
might have clicked
the right password.

557
00:21:12,404 --> 00:21:13,672
There we go,

558
00:21:13,672 --> 00:21:14,873
okay so you can see
what I've done here

559
00:21:14,873 --> 00:21:19,511
is I've modified that
respond.bat file.

560
00:21:19,511 --> 00:21:20,612
So this is what happens.

561
00:21:20,612 --> 00:21:21,813
We entered the correct password

562
00:21:21,813 --> 00:21:23,448
but it's gonna pop up and say,

563
00:21:23,448 --> 00:21:25,217
hey, something
doesn't match here.

564
00:21:25,217 --> 00:21:27,052
Now, do you wanna run this?

565
00:21:27,052 --> 00:21:28,887
Are you okay with
this not matching?

566
00:21:28,887 --> 00:21:31,089
Is this an acceptable change

567
00:21:31,089 --> 00:21:33,792
or is this maybe malicious?

568
00:21:33,792 --> 00:21:35,726
We can see in this
case it's gonna show us

569
00:21:35,727 --> 00:21:38,297
what the new file was.

570
00:21:38,297 --> 00:21:42,134
If we want we can use V and
it will actually display

571
00:21:42,134 --> 00:21:44,803
the contents of the
integrity check file

572
00:21:44,803 --> 00:21:46,838
that currently exists
so we can compare

573
00:21:46,838 --> 00:21:49,274
what it used to say
with what it does say.

574
00:21:49,274 --> 00:21:51,776
Now, in this case I
just changed the text to

575
00:21:53,545 --> 00:21:55,580
this is another
sample batch file

576
00:21:55,580 --> 00:21:57,515
versus a sample batch file.

577
00:21:57,516 --> 00:22:00,052
And we can choose then
after we view the contents

578
00:22:00,052 --> 00:22:02,154
of that whether that's an
acceptable change or not.

579
00:22:02,154 --> 00:22:04,189
Now, there's some,

580
00:22:04,189 --> 00:22:05,891
there in the security
warning you'll see

581
00:22:05,891 --> 00:22:10,629
it notes some tools do change
things like config files

582
00:22:10,629 --> 00:22:12,063
every time they execute.

583
00:22:12,064 --> 00:22:15,100
So it's not always malicious
when you see a change.

584
00:22:15,100 --> 00:22:16,568
But it's something
that you wanna look at

585
00:22:16,568 --> 00:22:19,204
and so that's why we can
display both versions

586
00:22:19,204 --> 00:22:24,209
and give you the option
to run that tool or not.

587
00:22:25,577 --> 00:22:26,378
So you can see we've entered
the correct password,

588
00:22:26,378 --> 00:22:27,611
no change has been made.

589
00:22:27,612 --> 00:22:29,247
We can see it's
detected a 64 bit

590
00:22:29,247 --> 00:22:30,849
Windows 10 operating system.

591
00:22:30,849 --> 00:22:33,718
And it tells us by default
the data's gonna be written

592
00:22:33,719 --> 00:22:36,421
to the D drive in that
particular folder.

593
00:22:36,421 --> 00:22:38,523
Now, the way that
that's chosen by default

594
00:22:38,523 --> 00:22:40,625
is the root of the drive

595
00:22:40,625 --> 00:22:42,227
that you're running
the tool from

596
00:22:42,227 --> 00:22:46,098
and the name of
the Windows host.

597
00:22:46,098 --> 00:22:48,367
So you can change
that if you want

598
00:22:48,367 --> 00:22:52,236
but that's the way that
the default is chosen.

599
00:22:52,237 --> 00:22:53,472
If you're running it from,

600
00:22:53,472 --> 00:22:56,141
say, a Windows Share
or something like that,

601
00:22:56,141 --> 00:22:57,743
obviously you can change it.

602
00:22:57,743 --> 00:22:59,177
But in this case
we're gonna say no,

603
00:22:59,177 --> 00:23:00,544
we don't wanna change it.

604
00:23:00,545 --> 00:23:02,447
And it's gonna go right
into the execution.

605
00:23:02,447 --> 00:23:04,549
We can see it's gonna
tell us as we're executing

606
00:23:04,549 --> 00:23:06,718
what tools we're executing.

607
00:23:06,718 --> 00:23:08,887
It's gonna hash the
output at the very end

608
00:23:08,887 --> 00:23:10,054
and then it's gonna
tell us whether

609
00:23:10,055 --> 00:23:11,890
it completed
successfully or not.

610
00:23:11,890 --> 00:23:13,592
And that's how simple it is.

611
00:23:13,592 --> 00:23:15,694
There was no other
scripting required.

612
00:23:15,694 --> 00:23:17,863
It's just gonna run
all those tools for us.

613
00:23:17,863 --> 00:23:21,900
So as soon as I click
any key to continue here

614
00:23:21,900 --> 00:23:23,135
we're gonna jump and just look

615
00:23:23,135 --> 00:23:24,069
at the output real
quick so we can see

616
00:23:24,069 --> 00:23:25,803
what we're actually collecting.

617
00:23:25,804 --> 00:23:28,473
So we can see this
is the directory

618
00:23:28,473 --> 00:23:30,008
that we've created up here.

619
00:23:30,008 --> 00:23:33,145
Now, if we open that
up we're gonna see

620
00:23:33,145 --> 00:23:35,247
there's a couple of
special files in there.

621
00:23:35,247 --> 00:23:36,581
One of them is

622
00:23:37,749 --> 00:23:41,052
the NAT.log which
is our log file.

623
00:23:41,052 --> 00:23:42,553
The other one is MD5.txt.

624
00:23:42,554 --> 00:23:45,090
And then you can see we've
got the same directories

625
00:23:45,090 --> 00:23:47,759
that we saw in our .ini file,

626
00:23:47,759 --> 00:23:50,762
in this case I only
ran it with three.

627
00:23:51,663 --> 00:23:55,600
So the NAT.log file,

628
00:23:55,600 --> 00:23:56,568
which I believe is the first one

629
00:23:56,568 --> 00:23:58,403
we're gonna look at here,

630
00:23:58,403 --> 00:24:00,939
that's gonna be a log
of all of the activity

631
00:24:00,939 --> 00:24:02,174
that NAT took.

632
00:24:02,174 --> 00:24:04,376
So here we go.

633
00:24:04,376 --> 00:24:06,878
So we can see it's timestamped.

634
00:24:06,878 --> 00:24:09,414
We can see exactly what
commands were executed,

635
00:24:09,414 --> 00:24:10,749
what tools they were run from,

636
00:24:10,749 --> 00:24:13,151
what the MD5 hash
values of the tool,

637
00:24:13,151 --> 00:24:14,386
all that stuff is.

638
00:24:14,386 --> 00:24:15,487
So when we talk about
the process needing

639
00:24:15,487 --> 00:24:17,722
to be documented and repeatable,

640
00:24:17,722 --> 00:24:20,158
here we can see we
can document exactly

641
00:24:20,158 --> 00:24:22,394
the date and time
we ran the tool,

642
00:24:22,394 --> 00:24:23,528
what the hash value was,

643
00:24:23,528 --> 00:24:25,397
where it was located.

644
00:24:25,397 --> 00:24:26,498
Everything is right there

645
00:24:26,498 --> 00:24:28,233
and that comes
prepackaged right along

646
00:24:28,233 --> 00:24:30,268
with all of your output.

647
00:24:41,279 --> 00:24:44,316
Dramatic pause
for the next file.

648
00:24:44,316 --> 00:24:46,184
This is the MD5.txt file

649
00:24:46,184 --> 00:24:47,918
and this is a hash of
all of your output.

650
00:24:47,919 --> 00:24:50,822
So the very last thing
we do before we exit NAT

651
00:24:50,822 --> 00:24:52,023
is hash all that output.

652
00:24:52,023 --> 00:24:53,558
So as soon as
those were created,

653
00:24:53,558 --> 00:24:55,660
we have a hash
value of the output

654
00:24:55,660 --> 00:24:57,829
of each one of
the tools you ran,

655
00:24:57,829 --> 00:25:00,232
so you can prove that, you know,

656
00:25:00,232 --> 00:25:01,966
right after I ran it
this was the hash value.

657
00:25:01,967 --> 00:25:03,335
This hasn't been modified.

658
00:25:04,302 --> 00:25:05,971
These are legitimate files.

659
00:25:16,114 --> 00:25:17,682
And the very last
thing we'll look at

660
00:25:17,682 --> 00:25:19,150
is just some of
the sample outputs

661
00:25:19,150 --> 00:25:21,653
so you can see we've jumped
into the network folder.

662
00:25:21,653 --> 00:25:24,623
We can see the output
is gonna be named

663
00:25:24,623 --> 00:25:26,258
for the tool.

664
00:25:26,258 --> 00:25:29,828
So tcpvcon.txt I think
is the one I opened.

665
00:25:29,828 --> 00:25:31,329
That was the tool I ran.

666
00:25:31,329 --> 00:25:33,697
You can see we've got openports

667
00:25:33,698 --> 00:25:35,700
and then openports_1.

668
00:25:35,700 --> 00:25:37,435
That's what it'll look
like if you run a tool

669
00:25:37,435 --> 00:25:40,004
with more than one
command line option.

670
00:25:40,005 --> 00:25:44,476
You'll have a one, a two,
a three appended to it.

671
00:25:44,476 --> 00:25:48,413
So you've got the output
in separate files.

672
00:25:49,848 --> 00:25:53,084
So if we open tcpvcon.txt
we'll see it's basically

673
00:25:53,084 --> 00:25:55,921
just gonna be the
output of the text

674
00:25:55,921 --> 00:25:57,689
of the tool that we ran.

675
00:25:57,689 --> 00:25:59,057
But the only thing
that will be appended

676
00:25:59,057 --> 00:26:01,459
up at the top is gonna
be the date and time

677
00:26:01,459 --> 00:26:03,028
that it was executed as well as

678
00:26:03,028 --> 00:26:05,096
the command line arguments
that were executed.

679
00:26:05,096 --> 00:26:06,965
So if you're running
the tool multiple times,

680
00:26:06,965 --> 00:26:08,466
multiple command line arguments,

681
00:26:08,466 --> 00:26:11,168
it will tell you what
command line tool,

682
00:26:11,169 --> 00:26:13,471
what command line you
executed that tool with.

683
00:26:15,907 --> 00:26:18,743
So final notes on the
tool before I wrap up.

684
00:26:19,678 --> 00:26:22,180
Free, use it at your own risk.

685
00:26:22,180 --> 00:26:24,416
If you blow up your
domain controller with it,

686
00:26:24,416 --> 00:26:28,386
don't send me hate mail
on Twitter or something.

687
00:26:29,754 --> 00:26:30,822
Just do your thing.

688
00:26:31,990 --> 00:26:36,227
It's available at
dflabs.com/NAT.

689
00:26:37,095 --> 00:26:38,530
It's a marketing thing.

690
00:26:38,530 --> 00:26:40,498
I tried to get it without
the put in your name

691
00:26:40,498 --> 00:26:42,867
and your email
address and all that.

692
00:26:42,867 --> 00:26:44,235
They do ask for that information

693
00:26:44,235 --> 00:26:45,603
before you download it.

694
00:26:45,604 --> 00:26:47,672
We won't spam you or
anything like that.

695
00:26:50,475 --> 00:26:52,043
We'll give you a little tip.

696
00:26:52,043 --> 00:26:54,312
All that's gonna do
once you register

697
00:26:54,312 --> 00:26:56,414
is send you to our GitHub page.

698
00:26:57,582 --> 00:27:00,619
So if you came across
our GitHub page

699
00:27:00,619 --> 00:27:02,687
you could probably download
it right from there

700
00:27:02,687 --> 00:27:04,121
without having to put
in your information,

701
00:27:04,122 --> 00:27:05,557
just throwing that out there.

702
00:27:06,524 --> 00:27:08,158
So questions, comments,

703
00:27:08,159 --> 00:27:10,295
suggestions, any other
entertaining things

704
00:27:10,295 --> 00:27:11,997
that you want to send me,

705
00:27:11,997 --> 00:27:13,698
that's my email
address right there.

706
00:27:13,698 --> 00:27:14,833
If you don't write that down

707
00:27:14,833 --> 00:27:16,201
and you wanna contact me later,

708
00:27:16,201 --> 00:27:18,236
I'm at LinkedIn, Twitter

709
00:27:18,236 --> 00:27:19,971
and obviously you
can contact me right

710
00:27:19,971 --> 00:27:21,840
through the company
on our website.

711
00:27:21,840 --> 00:27:23,608
All right, thank
you guys very much.

712
00:27:23,608 --> 00:27:25,275
The download link.

713
00:27:25,276 --> 00:27:27,012
Appreciate the time.

714
00:27:27,012 --> 00:27:29,681
(applause)

715
00:27:29,681 --> 00:27:32,450
(dramatic music)

