Dark Side Ops: Custom Penetration Testing enables participants to “break through” to the next level by removing their dependence on 3rd-party penetration testing tools, allowing for outside-the-box thinking and custom tool development designed specifically for the target environment.
Dark Side Ops (DSO) is a course on targeted attacks, evasion, and advanced post exploitation… with a twist. The thesis of DSO is this: if you want to credibly simulate a real world attacker, you need advanced capability. You can’t do this with unmodified open source tools. This course teaches students how to build and modify advanced capabilities. Let’s take a closer look.
Quick Background on Dark Side Ops
The DSO course revolves around two tools: Throwback and Slingshot. Throwback is a custom beaconing payload built for persistence.
Pic 1 – Throwback Screenshot
Slingshot is a full-featured payload built for interactive post exploitation. Think of it as a stealthy Meterpreter-like payload. Silent Break Security specializes in full scope assessments and made these tools for their use.
Pic 2 – Slingshot Screenshot
Throwback is publicly available, but students get a more advanced version of this tool. Slingshot is not available unless you take this course. Students get source code to both tools.
In the course I took, we went through 15 labs in two days. An instructor would get up, briefly introduce a topic, and explain why it's important. These presentations were kept short so students could immediately jump into the labs.
The first labs taught us how to configure Throwback, package it into a user-driven attack, and deliver this package to a user via phishing. These labs took us through how to get a foothold into a modern enterprise.
The next labs were on stealthy post exploitation. Stealthy post exploitation implies that you DO NOT touch disk. Not touching disk requires Reflective DLL injection, which was a heavy focus. We were taught how to configure builds for x86 and x64 Reflective DLLs. We also spent time porting existing executables and capability into Reflective DLLs. One of my favorite labs had us transform Mimikatz into a Reflective DLL and tie it into the Slingshot payload.
One module of DSO covered Linux post-exploitation and pivoting techniques. This material was a mix of things I had heard of, but hadn’t tried, and new things. There wasn’t enough time to give this topic justice, but the instructors provided a wealth of material to look at later.
We also had labs on advanced Windows pivoting, lateral movement, persistence, and privilege escalation. Advanced Windows pivoting had us use named pipes to control compromised systems in a stealthy way. The lateral movement, persistence, and privilege escalation labs each reinforced the value of DLL Hijacking. We spent a lot of quality time with Sysinternals tools doing this. As with the rest of the course, each lab had us build and modify code and try it out in our self-contained lab.
Do not fear the code…
The point of DSO is to learn how to modify and build new capabilities. This requires working with code. I was impressed with how Silent Break Security chose to handle this.
The DSO labs spent a lot of time on how to set up and configure build environments for these custom capabilities. I know, firsthand, what a pain it is to get every setting right to build a proper Reflective DLL. If one setting is off, it won't work. This is very detail-oriented work, and the topic was given ample respect.
The labs didn’t require us to write any new code. We would mostly tweak variables and copy/paste code the instructors provided. Some labs provided the copy/paste code out of order to prod students to actively think about the file they were looking at.
The course requirements state that l33t programming skills are not required for this course. This is a fair statement. The copy/paste approach allows novice programmers to get through the labs. More advanced programmers can take Slingshot and Throwback home and extend these tools for their own use.
In case you can’t tell, I’m extremely positive about this course. By themselves, Slingshot and Throwback make the course worth the price of admission. The code to Slingshot is written in a way that’s favorable to extension. It’s not intimidating to work with. The tools also have the base feature set you need to conduct red team operations with them.
I also appreciate the deep focus on a few key topics, like DLL Hijacking and Reflective DLL Injection, rather than a fire hose of one-off tricks.
The course did stray from its main focus from time to time. I feel the Linux material could be split into a separate one- or two-day course. At the same time, this material was good. I didn't get as much out of the material on operational security.
For teams that buy or build custom capability, I see a benefit in this course. The process taught in DSO is similar to what other teams use for black-box penetration tests. DSO is an opportunity to see a sound attack process and execute it with another toolset. This will make any operator better, much in the same way that knowing multiple languages makes one a better programmer.
DSO will teach you how to build your own tools. It will also teach you advanced tradecraft that very few penetration testers have access to.
Three years ago, I would have killed to take a course like this. It would have saved me a lot of time. Even with my day-to-day experiences building tools, I learned a lot from this course and consider it time well spent.
Who should take DSO?
The course is set up to allow non-developers to participate. DSO does a good job linking tool development and tradecraft. Any operator, even those with limited exposure to programming, can benefit from knowing how the tools they use work. I suspect a sub-goal of DSO is to inspire these students to start their developer journey by adding to the provided tools.
This course requires students to follow detailed instructions. Those who read the code and think about how it works will get the most benefit. You don’t have to be an expert in C and you do not have to know Visual Studio.
Any developers who attend the course will benefit from penetration testing experience. I say this because hacking is a weird thing. A lot of people think they understand it, but unless they've done it, it's hard to appreciate what the on-the-ground problems are. I think DSO hits the high points here, but someone who hasn't felt these problems may wonder why the course focuses so much on post-exploitation and evasion.
This course is best for offensive professionals who straddle the line between developer and operator. If this is you, I highly recommend this course.
Video: Brady Bloxham’s talk at DerbyCon 2014 entitled, “Getting Windows to Play with Itself: A Pen Testers Guide to Windows API Abuse.”
Where to go next?
Silent Break Security teaches Dark Side Operations: Custom Penetration Testing from time to time at conferences. Brady has set up a mailing list that you can sign up for to find out when it's taught next. You can also reach out to Silent Break Security directly to invite them to your organization for a class.
About the Author
Raphael Mudge is the Founder and Principal of Strategic Cyber LLC. His company’s Cobalt Strike product helps red teams improve intrusion response and defense by simulating real-world attacks. He blogs regularly at http://blog.cobaltstrike.com.