Are you sure you want to delete this task? Once this task is deleted, it cannot be recovered.
bro jia 6cc90314d3 | 1 year ago | |
---|---|---|
img | 1 year ago | |
report | 1 year ago | |
signatures | 1 year ago | |
trajectory | 1 year ago | |
A3CASD.csv | 1 year ago | |
ContentExplorer.cpython-36.pyc | 1 year ago | |
ContentExplorer.py | 1 year ago | |
CreateReport.py | 1 year ago | |
DeepExploit-A3C.py | 1 year ago | |
DeepExploit-GAILDPPO.py | 1 year ago | |
DeepExploit.py | 1 year ago | |
NaiveBayes.cpython-36.pyc | 1 year ago | |
NaiveBayes.py | 1 year ago | |
README.md | 1 year ago | |
Spider.py | 1 year ago | |
VersionChecker.py | 1 year ago | |
VersionCheckerML.py | 1 year ago | |
auto.py | 1 year ago | |
config.ini | 1 year ago | |
meta3GAIL.csv | 1 year ago | |
requirements.txt | 1 year ago | |
test | 1 year ago | |
train_cms_in.txt | 1 year ago | |
train_cms_out.pkl | 1 year ago | |
train_page_type.pkl | 1 year ago | |
train_page_type.txt | 1 year ago | |
util.py | 1 year ago |
Fully automatic penetration test tool using Deep Reinforcement Learning.
See the demo page.
See the project's wiki for installation, usage and changelog.
DeepExploit is fully automated penetration test tool linked with Metasploit.
DeepExploit identifies the status of all opened ports on the target server and executes the exploit at pinpoint using Machine Learning. It's key features are following.
Efficiently execute exploit.
DeepExploit can execute exploits at pinpoint (minimum 1 attempt) using Machine Learning.
Deep penetration.
If DeepExploit succeeds the exploit to the target server, it further executes the exploit to other internal servers.
Self-learning.
DeepExploit can learn how to exploitation by itself (uses Reinforcement Learning).
It is not necessary for humans to prepare learning data.
Learning time is very fast.
Generally, reinforcement learning takes a lot of time.
So, DeepExploit uses distributed learning by multi agents.
We adopted an advanced machine learning model called A3C.
Powerful intelligence gathering
To gather the information of software operated on the target server is very important for successful the exploitation. DeepExploit can identify product name and version using following methods.
Current DeepExploit's version is a beta.
But, it can fully automatically execute following actions:
By using our DeepExploit, you will benefit from the following.
For pentester:
(a) They can greatly improve the test efficiency.
(b) The more pentester uses DeepExploit, DeepExploit learns how to method of exploitation using machine learning. As a result, accuracy of test can be improve.
For Information Security Officer:
(c) They can quickly identify vulnerabilities of own servers. As a result, prevent that attackers attack to your servers using vulnerabilities, and protect your reputation by avoiding the negative media coverage after breach.
Since attack methods to servers are evolving day by day, there is no guarantee that yesterday's security countermeasures are safety today. It is necessary to quickly find vulnerabilities and take countermeasures. Our DeepExploit will contribute greatly to keep your safety.
Note |
---|
If you are interested, please use them in an environment under your control and at your own risk. And, if you execute the DeepExploit on systems that are not under your control, it may be considered an attack and you may have legally liability for your action. |
DeepExploit consists of the machine learning model (A3C) and Metasploit.
The A3C executes exploit to the target servers via RPC API.
The A3C is developped by Keras and Tensorflow that famous ML framework based on Python. It is used to self-learn exploit's way using deep reinforcement learning. The self-learned's result is stored to learned data that reusable.
Metasploit is most famous penetration test tool in the world. It is used to execute an exploit to the target servers based on instructions from the A3C.
DeepExploit learns how to exploitation by itself using advanced machine learning model called A3C.
The A3C consists of multiple neural networks.
This model receives the training server information such as the OS type, product name, product version, etc as inputs of neural network, and outputs the payload according to the input information. The point is, exploitation is successful when this model outputs a optimal payload according to the input information.
In training, this model executes more than 10,000 exploits to the training servers via Metasploit while changing the combination of the input information. This model is updating the weights of the neural network according to the exploitation results (rewards), which will gradually optimized the neural network.
After training, this model can output the optimal payload according to the input information.
In order to shorten the training time, training is executed by multithreading.
Therefore, learning by using various training servers, DeepExploit can execute accurate exploit according to various situations.
So, DeepExploit uses training servers such as metasploitable3, metasploitable2, owaspbwa for learning.
DeepExploit gathers the target server information such as OS type, Opened port, Product name, Product version using Nmap. As a Nmap result, DeepExploit can extract below information.
Idx | OS | Port# | product | version |
---|---|---|---|---|
1 | Linux | 21 | vsftpd | 2.3.4 |
2 | Linux | 22 | ssh | 4.7p1 |
3 | Linux | 23 | telnet | - |
4 | Linux | 25 | postfix | - |
5 | Linux | 53 | bind | 9.4.2 |
6 | Linux | 80 | apache | 2.2.8 |
7 | Linux | 5900 | vnc | 3.3 |
8 | Linux | 6667 | irc | - |
9 | Linux | 8180 | tomcat | - |
As a Nmap result, if web ports such as 80, 8180 are opened, then the DeepExploit executes below examination.
ex) Contents exploration result.
Idx | Port# | found content | product |
---|---|---|---|
1 | 80 | /server-status | apache |
2 | 80 | /wp-login.php | wordpress |
3 | 8180 | /core/misc/drupal.init.js | drupal |
4 | 8180 | /CFIDE/ | coldfusion |
HTTP response sample is below.
HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 06:56:17 GMT
Server: OpenSSL/1.0.1g
Content-Type: text/html; charset=UTF-8
Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/;
Etag: "409ed-183-53c5f732641c0"
…snip…
<form action="/example/confirm.php">
By the DeepExploit uses Signature, it can easily identify two products that OpenSSL and PHP.
Server: OpenSSL/1.0.1g
confirm.php
It is very easy.
In addition, by the DeepExploit uses Machine Learning, it can identify more products that Joomla! and Apache.
Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587;
This is feature of Joomla!.
Etag: "409ed-183-53c5f732641c0"
This is feature of Apache.
Beforehand, by the DeepExploit learned these features using Machine Learning (Naive Bayes), it can identify products that couldn't identify by Signature.
The DeepExploit execute the exploit to the first target server using trained data and identified product information.
It can execute exploits at pinpoint (minimum 1 attempt).
If the DeepExploit succeeds the exploitation, then session will be open between DeepExploit and first target server.
The DeepExploit executes the pivoting using opened session in Step 2.
Afterwards, the DeepExploit that do not have direct connection to the internal server can execute exploits through the first server (=compromised server). As a result, the DeepExploit is repeating Step1 to Step3 in the internal server through compromised server.
The DeepExploit generates a scan report that summarizes vulnerabilities.
Report sample is below.
MBSD Blog
Sorry, now Japanese only.
English version is coming soon.
Isao Takaesu
takaesu235@gmail.com
https://twitter.com/bbr_bbq
Dear OpenI User
Thank you for your continuous support to the Openl Qizhi Community AI Collaboration Platform. In order to protect your usage rights and ensure network security, we updated the Openl Qizhi Community AI Collaboration Platform Usage Agreement in January 2024. The updated agreement specifies that users are prohibited from using intranet penetration tools. After you click "Agree and continue", you can continue to use our services. Thank you for your cooperation and understanding.
For more agreement content, please refer to the《Openl Qizhi Community AI Collaboration Platform Usage Agreement》