Archive for the ‘Uncategorized’ Category


Coming to Vegas: My Picks and Schedule

July 22, 2012

And, like most folks in the security industry, I’m getting ready to head to Las Vegas for the week. I’ll arrive in Sin City on Monday, 23 July 12.

I’m armed with Cobalt Strike comic fliers, business cards, and boring sell sheets. I also have a pile of Armitage stickers to give away.

In this (long) blog post, I recommend a few talks and provide my schedule. If you’d like to meet for a meal or a beverage, I’m definitely open to this. Contact me and we’ll discuss a way to sync up.

My Picks

Hacking into Smartphones

On Wednesday and Thursday at 11:45am in the BlackHat USA Arsenal, Georgia Weidman will demo her Smartphone Penetration Testing framework. This is not a tool for “hacking from” smartphones. It’s a tool set for hacking into smartphones. I highly recommend attending one of these demo sessions. I’m demoing Armitage at the same time, but if you go see Georgia twice, I’ll give you twice as many stickers.


At BSides Las Vegas on Wednesday at 11am, Matt Weeks will reveal a new defensive technology called Ambush to the world. We’ve had a few discussions about this technology. As usual, Matt is up to something incredibly novel.

This presentation will demonstrate the ability to configure signatures on everything from the highest to the lowest level API’s, catching whole classes of malware. It can prevent exploitation of certain vulnerabilities and identify shellcode, keylogging, remote control, and HTTPS-encrypted communications regardless of code obfuscation. Pentesters, red teams, and malware authors used to worry about getting caught while writing to disk. Now, no action is safe. The implementation, the Ambush Host Intrusion Prevention System, will be released open-source.

SNSCAT: Social Media Sites as Covert Command and Control

I’m really excited about this. My friends Dan Gunter and Solomon Sonya will reveal SNSCat at BlackHat USA at 2:15pm on Thursday.

“SNSCat provides a simple to use post-penetration data exfiltration/infiltration and C2 (Command and Control) platform using images and documents on social media sites (Facebook, Google Apps, twitter, imgur, etc).”

“will introduce our tool and show how one can easily move files in and out of a network using social media sites. We will next demonstrate how one can use SNSCat along with the implants we have created to establish full command and control between the controller and the listening agents.”

Grab thy Hashes

And, finally my friends Jon Claudius and Ryan Reynolds will present a survey of how different tools extract password hashes on Windows. The twist–most of them do it in a semi-broken way. They’ve analyzed the problem and they’re revealing fixes for key tools that penetration testers take advantage of.

This is extremely important. I feel like a lot of tools released at conferences are one-time things that will never see an update later on. It makes working with them frustrating as the work may be novel, make a great demo, but if it doesn’t work a year from now–what’s the benefit? It’s great to see someone looking at what we use every day, figuring out what’s wrong, and contributing back in a way that will benefit a lot of people immediately.

This talk is happening at 11am on Saturday at DEFCON.

My Schedule

Tuesday, 24 July 12

I’m hanging out at the Adaptive Penetration Testing course taught at BlackHat USA by the Veris Group LLC.

Wednesday, 25 July 12 (BlackHat USA)

I will demo Armitage in the BlackHat Arsenal at 11:45am. My goal during the demo is to explain Armitage to those who haven’t seen it and capture some of the cool tricks few people know about. For example, Ctrl+T takes a screenshot of the current tab and saves it to a preset place.

Thursday, 26 July 12. Morning (BSides Las Vegas)

At 10am, I will present Force Multipliers for Red Team Operations. Each year, in March and April, I spend most of these two months on the road hacking in several exercises. I treat these events as a laboratory for trying out ideas and making observations about how hackers work together. I will break down what I learned from this year’s season with a focus on how we organized ourselves, what worked, and offer ideas of what I’d like to see next.

Thursday, 26 July 12. Afternoon (BlackHat USA)

I’m back at BlackHat at 11:45am demoing in the Arsenal again. If you missed me on Wednesday, come by on Thursday and get a sticker. I really dig these kiosk style demos. It’s easier to connect with you and have a dialog.

Friday, 27 July 12 (DEFCON)

At noon on Friday, I’m presenting Cortana: Rise of the Automated Red Team. During this talk, I will reveal the fully scriptable version of Armitage and its stand-alone interpreter Cortana. You’ll learn how to add bots to your red team or add new features to Armitage. This project was a big effort to put together and I was very fortunate that DARPA’s Cyber Fast Track program helped make it possible.

Here’s a Hak5 segment from last year where I first talked about this next iteration for Armitage:

I also noticed that I’m speaking opposite of General Alexander from US Cyber Command and the NSA. I guarantee I will give far more live demos than he will. That said, I wish I wasn’t speaking at noon, I’d love to see his talk too.

Saturday, 28 July 12 and Sunday 29 July 12 (DEFCON)

I’m at DEFCON all weekend and I fly out Monday morning.


DARPA’s Cyber Fast Track: My Experience

November 9, 2011

Last week, I received a grant from DARPA through the Cyber Fast Track program. I consider this a big milestone in my personal career. If you’re an independent researcher or entrepreneur, bent on making your ideas real, then this program is for you.

This blog post will give you my experience applying and getting funded by this program. I’ve chosen a question and answer format because I had a ton of questions when I applied. I hope answering these questions encourages you to take advantage of this amazing opportunity.

Before we begin, please remember: none of this is the official word of DARPA. This blog post merely reflects my understanding. Also, if you arrived here with a Google search, my last name is Mudge, but I am not the Program Manager Mudge at DARPA.

What is Cyber Fast Track?

Cyber Fast Track is a DARPA program to fund us, the hacker community. Here’s the description from the Cyber Fast Track page:

The Defense Advanced Research Projects Agency’s Cyber Fast Track program is aimed at improving Cyber Security. This program will rely on the skills of small organizations, boutiques, hacker spaces and maker labs to address cyber security issues.

According to DARPA program manager, Peiter “Mudge” Zatko, instead of engaging in traditional programs that don’t produce results for years, we envision results within months by harnessing teams or individuals on the back of short, fixed-price DARPA contracts.

If you’re an individual who is trying to advance the security community through independent research, DARPA wants to hear from you. You don’t have to work for a big defense contractor, you don’t have to work for anyone. I applied as an individual with no formal organization behind me.

What is the process?

If you want to apply, I recommend reading the research announcement at FedBizOpps. This will give you all the details on the program.

Next, go to the Cyber Fast Track resources page and get the proposal template. I started my proposal without the template. This was a mistake. The template makes writing the proposal much easier. Plus, it’s better to give DARPA what they expect.

The technical meat of your proposal is 10-15 pages. I pushed the upper end of this. It took me about four days spread out over two weeks to create a proposal I was happy with.

Submitting the proposal is easy. I created an encrypted ZIP file with the proposal. I uploaded the proposal ZIP to a website. And I emailed the password to open the ZIP file to DARPA. The details on how to do this are in the research announcement.

I submitted my proposal on Friday, 21 Oct 11. I received a phone call of acceptance on Thursday, 3 Nov 11. I had a signed contract on Friday, 4 Nov 11. This is a mind-blowingly fast turn-around to fund a program.

Do I need an LLC, DBA, C Corp, S Corp, LLP, or GmbH?

Nope. You can apply as an individual. I put down Raphael Mudge as my company.

Do I need a lawyer?

The contract is one page. My contract listed the milestones I proposed, the dates I said I would deliver them by, and the price I proposed for each milestone. Since I applied as an individual, I also had to affirm that I am an independent contractor, not an employee, and that I am responsible for all taxes on what I receive.

If you’ve dealt with contracts, you may know the pain of reading a “we own your first child” clause, raising the point, and cringing as some sleaze asserts “it’s boiler-plate, all contracts have it” while breathing their lunch cocktails in your face. There is none of that here. This is the simplest contract I have signed.

Who gets the rights to my work?

You keep all commercial rights. The Cyber Fast Track FAQ has a thorough answer to this question.

What does DARPA get?

DARPA recognizes that big contributions may come from fringe thinkers doing what they love without constraints. This program allows those who are motivated to pursue their wacky vision. Your project may not change the world, but with hundreds of these, something big is bound to happen. It’s kind of like the Y Combinator model for defense contracts. Or in short–they’re spending their money to advance the state of the art.

How much do I ask for?

This depends. How long will your effort take? I recommend that you figure out what you want to do, list several milestones, and then estimate how long each milestone will take.

Now you should have some number of hours. Make sure your time estimate is realistic. Cyber Fast Track contracts are firm-fixed price. You’re on the hook to deliver what you propose in the amount of time you claim.

Your next task is to figure out an hourly bill rate. Your bill rate must fit the government accepted rate for someone at your career level. In my last position, I worked as a Senior Security Engineer.

I used Google to search for “Senior Security Engineer” hourly rate. This yielded price lists for various defense contractors. Pick one that works for you and multiply that by the number of hours you estimated. Now you know how much to ask for.

Optionally, find someone who consults for the government or owns a defense contracting company and ask them for advice. I followed both of these approaches and they each yielded the same numbers.

Do I need a security clearance, CAGE code, or a DUNS number?


What should I apply with?

The research announcement has the DARPA answer on what they’re looking for. Short answer though, they’re looking for interesting security research. Apply with what you’re interested in. Don’t worry about what the government wants or what they need. Take your thread of research, explain why it’s valuable, who it’s valuable to, and explain what’s new in your approach.

I also recommend scoping your idea as tightly as possible. I used to review proposals when I worked as a researcher and I never backed a proposal that was all over the place. The proposal reviewer should understand the problem you’re solving and your plan to solve it after they read the first paragraphs of your executive summary.

Ideally, the reviewer should understand your project from the title alone. This isn’t always possible, but do your best.

Keep in mind that Cyber Fast Track does not fund improvements to existing technologies. I have a research interest in red team organization and tactics. Armitage is my current vehicle to explore this research interest. I cut a stand-alone project out of my long-term road map. I emphasized the research questions this stand-alone project would address and this became my proposal.

What are my chances of getting funded?

DARPA has seen 30 proposals and funded 8 so far. A ~25% acceptance rate. This is better than some conferences I’ve applied to. Network World has these numbers and the titles of the current efforts.

How do I stack the odds in my favor?

Make your proposal easy to read. If your proposal is poorly written, you will torture your reviewer(s). Good proposals are short and they inform the reader.

  • Use bullets when listing several ideas. This will make them stand out.
  • Write in the active voice.
  • Use simple words over complex ones.

I recommend that you visit for Plain English writing tips. I also wrote a writing style checker that may help you. If you want to read a book, try Bill Stott’s Write to the Point. It’s my favorite book on writing.

Where to go from here

Cyber Fast Track takes away all the friction for valid ideas to receive funding. This is the first time in my career I have seen something like this. If it fits you, take advantage of it!

If you’re in New York City on November 9, go to the Cyber Fast Track Town Hall at NYU Poly. Watch the Cyber Fast Track Events page for future events.


My VirtualBox Penetration Testing Lab

November 4, 2011

Last week I taught an Advanced Threat Tactics course at the Lonestar Application Security conference. I like to provide ample hands-on opportunities in my courses. The students retain much more this way. I decided to use the class proceeds to build a killer virtual machine server for my students to hack on.


My requirements were as follows:

  • Run a lot of virtual machines at once (this is not a very specific requirement)
  • Headless. I live in a Washington, DC apartment. I do not want to waste room providing a keyboard, monitor, and mouse to administer it. I do not want to travel with these items either.
  • Travel friendly. I used this server to teach a class. It needed to travel with me.
  • MacOS X friendly. I am not a Windows user.


I initially built my server to run VMWare ESXi. I built my server using parts from I read that has a terrible record with dead on arrival hard drives, so I bought these from

Here’s the part list:

  • Case: Shuttle SH67H3 [ $240 ]
  • Network Card: Intel EXPI9301CTBLK 10/100/1000Mbps PCI-Express Network Adapter [ $30 ]
  • RAM: CORSAIR XMS3 16GB (4 x 4GB) [ $100 ]
  • Processor: Intel Core i7-2600 Sandy Bridge 3.4GHz (3.7GHz Turbo Boost) Quad-Core [ $300 ]
  • Hard drive: Two 1TB Seagate Barracuda disks, 7200 RPM with 32MB cache [ $140 ] *

Total cost? $810

* I picked up two hard drives to allow a RAID-1 configuration.


The operating systems problem is an easy one. I own an MSDN subscription. This gives me access to all of Microsoft’s operating systems going back to Windows 3.x and DOS. Missing are Windows 95, 98, and 2000. I believe this is because of a court ruling related to their crippled Java many years ago. I’ve had MSDN since June and I am extremely happy with it.


The virtual machine software was not such an easy story. I tried VMWare ESXi first. It doesn’t need a host operating system, meaning more system resources go to powering my virtual machines. I own VMWare Fusion for MacOS X and I love it. VMWare ESXi seems like the natural choice.

I installed VMWare ESXi, a process that was not without its trials. At some point it no longer recognized my USB keyboard. I found plugging my keyboard into a port in the back of the system allowed the install process to execute smoothly. I quickly learned that the best way to manage ESXi is through the vSphere client. vSphere is only available for Windows. This immediately went against my MacOS X friendly requirement.

Also, I did not know what functionality was missing from VMWare ESXi/vSphere without their paid package. I quickly learned that the missing functionality included the ability to quickly clone virtual machines. For someone setting up a penetration testing lab, this feature is a must. Many people on Twitter came to the rescue with an assortment of hacks to get around this limitation. I don’t like hacks for simple things like cloning a virtual machine.

Also, using vSphere in a Windows virtual machine was painfully slow for me. VMWare ESXi is out for me.

VMWare Workstation

Because I’m already familiar with VMWare Fusion and Workstation for Windows, I opted to try VMWare Workstation. I installed Ubuntu 10.04LTS. I tried exporting the user interface using X windows and I tried interacting with it through VNC. Even on my local network, both options were too slow. VMWare Workstation quickly failed the test for me.


The last option I tried was Oracle’s VirtualBox. I should have tried it first. I installed VirtualBox on Ubuntu 10.04LTS server. I didn’t install X windows at all. The entire install was done while logged in remotely from on MacOS X. I then set up phpVirtualBox to administer the system. phpVirtualBox is fantastic. I can easily configure, make linked clones of, snapshot/restore, and start/stop my virtual machines.

Through phpVirtualBox it’s also trivial to create multiple “host-only” networks and assign them to your virtual machines. This is great for creating isolated enclaves bridged only by a dual-homed virtual machine I set up.

VirtualBox also has an RDP server built-in. phpVirtualBox exposes a flash RDP client to allow me to interact with the virtual machines in my browser. The VirtualBox Guest Additions also fixed wonky mouse issues for me.

In the end I went with VirtualBox and phpVirtualBox as my headless virtual machine solution of choice.

One tip: when running VirtualBox, make sure the kvm-intel and kvm-amd kernel modules are not loaded. These modules conflict with VirtualBox and your VMs will not start. Just because they don’t exist on one boot doesn’t mean you won’t see them later. I was bitten by this. Save yourself from my pain.
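One way to check this tip on a Linux host, as an added example that is not from the original post: it reports whether the KVM vendor modules are loaded right now and whether anything stops them from autoloading on a later boot. The function names and the sample data are constructed; note that the kernel lists these modules with underscores (kvm_intel, kvm_amd) while modprobe accepts either spelling.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Print KVM modules found in a /proc/modules-style file (default: the live one).
loaded_kvm_modules() {
    awk '$1 == "kvm" || $1 == "kvm_intel" || $1 == "kvm_amd" { print $1 }' \
        "${1:-/proc/modules}" 2>/dev/null
}

# Succeed if module $1 has a "blacklist" line in any *.conf file under $2.
is_blacklisted() {
    # modprobe treats '-' and '_' as the same character in module names.
    bl_pattern=$(printf '%s' "$1" | sed 's/[-_]/[-_]/g')
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+${bl_pattern}[[:space:]]*(#.*)?\$" \
        "${2:-/etc/modprobe.d}"/*.conf
}

# Report modules loaded now and modules free to autoload on a later boot.
# Returns 0 only when neither vendor module is loaded and both are blacklisted.
kvm_report() {
    rep_modules="${1:-/proc/modules}"
    rep_confdir="${2:-/etc/modprobe.d}"
    rep_status=0
    for m in kvm_intel kvm_amd; do
        if loaded_kvm_modules "$rep_modules" | grep -qx "$m"; then
            echo "LOADED      $m  (unload: modprobe -r $m)"
            rep_status=1
        fi
        if ! is_blacklisted "$m" "$rep_confdir"; then
            echo "NOT BLOCKED $m  (add 'blacklist $m' to a .conf file in $rep_confdir)"
            rep_status=1
        fi
    done
    return "$rep_status"
}

# Constructed sample: kvm_intel is loaded and only kvm-amd is blacklisted.
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
mkdir "$sample/modprobe.d"
printf '%s\n' \
    'vboxdrv 1800000 2 - Live 0x0000000000000000' \
    'kvm_intel 140000 0 - Live 0x0000000000000000' \
    'kvm 450000 1 kvm_intel, Live 0x0000000000000000' > "$sample/modules"
echo 'blacklist kvm-amd' > "$sample/modprobe.d/blacklist-kvm.conf"

kvm_report "$sample/modules" "$sample/modprobe.d" || true
```

Call `kvm_report` with no arguments to check the live host. A blacklist line only stops alias-based autoloading; anything that runs modprobe on the module by name will still load it.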


So, with my hardware in place I set up a penetration testing lab. I had a Windows 2008 domain controller, several Windows 2003 servers, several Windows XP and Windows 7 workstations, and a garden variety of Linux boxes for various purposes. I’ve had up to 15 virtual machines running simultaneously and can go higher. This lab passed my “run lots of virtual machines test”.

Using my browser and phpVirtualBox I was able to administer every aspect of the virtual machine creation and configuration process. This system passed the headless requirement.

This box fit into my carry-on luggage and TSA let me through the checkpoint with it, no problem. At BWI two or three personnel looked at it quizzically, but they let it through. I was quite happy as I didn’t want to check it for fear of what that might do to the system. So this system passed the travel requirement too.

And, thanks to the headless admin through a browser, this system is definitely MacOS X user friendly as well.

Setting up a penetration testing lab is a good way to hone your system administration skills. It’s also a lot of fun and makes a great place to experiment with different attack techniques at a greater scale.

If you have any questions, leave them in the comments.