Attack Team Automation Tool

Presentation on theme: "Attack Team Automation Tool"— Presentation transcript:

1 Attack Team Automation Tool
- Taking on the entire rebellion with 2-3 Stormtroopers
- Concept came Pre TLJ, sorry
- *with Empire approved images & content

2 About – ll3N1GmAll Ath, Sec-, C+, D12
- Sith Hacker
- Lock pick village guy
- BSidesSTL co-founder
- Physical security course instructor
- Infosec dentist (see Jayson Street’s talk on failure)
- Certified cert haver (with 12 essential certifications & minerals!)
- Daniel 11:32b (KJV) ensl sect of alphbet

3 Impetus – (╯°□°)╯︵ ┻━┻
- Vulnerability reports missing items like…ports…
- Yeah, apparently that’s a thing
- Large scopes, small squads, & tight deadlines
- The need to use “Empire approved” existing tools
- Features I wish existed; but that didn’t
- Efficiency
- Repeatability
- Automation
- Starts services, automates repetitive actions, etc
- Noobs

4 Substance
- Simplicity is the best design choice
- Well known industry standard Empire approved tools given ergonomic handles and “auto-pilot” functions
- PowerShell Empire
- Metasploit
- Msfvenom
- LBD
- SSLScan
- masscan
- MPC
- DBD
- Still under active development
- Fully Automated Windows, OSX, & Linux Privilege Escalation With PowerShell Empire
- POC attacks

5 Origin
- Metasploit automation script called “ezsploit” by rand0m1ze on GitHub
- ATAT is to ezsploit what SET is to BBQSQL
- Nearly identical menu structure and layout
- Every existing option has been completely rewritten and/or enhanced significantly
- Except for 2; more on those later
- Many new options that did not exist in the original script
- ATAT has over 500% more Rebel smashing goodness than its predecessor!
- Msf bash loop for multi target, saw interface, merge

6 Features – Payloads
- Create every conceivable Metasploit payload via MPC with ATAT’s built in payload creation “wizard”…I hate that term…
- No AV gigs All OSes AV WIP

7 Features – Multi-Target Exploitation
- Basically RHOSTS for exploit modules with common options
- This feature works with modules that only require: LHOST, LPORT, RHOST, RPORT, & PAYLOAD or less
- This limitation is overcome by creating separate menu options for unique exploit types as you will see

8 Features – Multi-Target Struts/Tomcat
- RHOSTS feature for Apache Struts & Tomcat exploit modules
- Adds: SRVPORT, TARGETURI, HttpUsername, HttpPassword

9 Features – Multi-Target Java JMX
- RHOSTS feature for the Java JMX exploit module
- Adds: SRVPORT, JMXRMI

10 Features – Multi-Target Java RMI
- RHOSTS feature for the Java RMI exploit module
- Adds: SRVPORT, HTTPDELAY

11 Features – Multi-Target SNMP Enum
- Support for SNMP enumeration AUX module
- Integrated for simplicity; not necessity

12 Features – Multi-Target LBD
- Multi-target load balancer detection
- All results echo to screen along with being captured in a log within the ATAT directory

13 Features – Multi-Target Masscan all TCP
- Masscan all TCP ports( ) against multiple targets
- Rate limited sufficiently to prevent network meltdown; while still scanning very fast
- All results echo to screen along with being captured in a log within the ATAT directory
- Pause/Resume supported
- Automatically feeds SSLScan

14 Features – Multi-Target SSLScan
- Multi-target SSLScan script (auto-fed by masscan/nmap)
- All results echo to screen along with being captured in a log within the ATAT directory
- Results further sorted into these groups: RC4, SSLv2, heartbleed, freak, weak ciphers, expired certs, SSL certs found
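
The grouping this slide describes, sketched as an added example (not ATAT's own code): a parser that buckets plain, uncoloured sslscan-style text output by finding so each host:port can be tracked for remediation. The sample output is constructed, and the line formats, group keys, the 128-bit "weak" cut-off and the use of RSA export suites as the FREAK indicator are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sslscan-style text output for two documentation-range hosts.
SAMPLE = """\
Testing SSL server 192.0.2.10 on port 443 using SNI name 192.0.2.10
SSLv2     enabled
TLSv1.0 vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed
Accepted  TLSv1.0  128 bits  RC4-SHA
Accepted  TLSv1.0  40 bits   EXP-DES-CBC-SHA
Not valid after:  Jan  1 00:00:00 2016 GMT
Testing SSL server 192.0.2.11 on port 8443 using SNI name 192.0.2.11
SSLv2     disabled
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Not valid after:  Jan  1 00:00:00 2999 GMT
"""

TARGET = re.compile(r"^Testing SSL server (\S+) on port (\d+)")
CIPHER = re.compile(r"^(?:Preferred|Accepted)\s+\S+\s+(\d+) bits\s+(\S+)")
EXPIRY = re.compile(r"^Not valid after:\s+(.+?) GMT")

def triage(text, now=None):
    """Map each finding group to the sorted host:port targets that show it."""
    now = now or datetime.now(timezone.utc)
    groups, target = defaultdict(set), "unknown"
    for line in map(str.strip, text.splitlines()):
        if m := TARGET.match(line):
            target = f"{m[1]}:{m[2]}"          # later lines belong to this target
        elif re.match(r"^SSLv2\s+enabled", line):
            groups["sslv2"].add(target)
        elif line.endswith(" vulnerable to heartbleed") and " not " not in line:
            groups["heartbleed"].add(target)
        elif m := CIPHER.match(line):
            bits, name = int(m[1]), m[2]
            if "RC4" in name:
                groups["rc4"].add(target)
            if name.startswith("EXP-") and "DH" not in name:  # RSA export suite
                groups["freak"].add(target)
            if bits < 128:                     # assumed cut-off for "weak"
                groups["weak_ciphers"].add(target)
        elif m := EXPIRY.match(line):
            end = datetime.strptime(" ".join(m[1].split()), "%b %d %H:%M:%S %Y")
            if end.replace(tzinfo=timezone.utc) < now:
                groups["expired_certs"].add(target)
    return {group: sorted(hosts) for group, hosts in groups.items()}
```

Calling `triage(SAMPLE)` returns a dictionary keyed by group, which can be written out as one file per finding type.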

15 Features – Bloodhound
- Installs Bloodhound and dependencies
- Provides instructions for simple 1st time setup
- Launches Neo4j console and Bloodhound interface automatically

16 Features – Multi-Port Exploit
- Launch 1 exploit at 1 target on multiple ports
- Why? Remember my earlier mention of vulnerability scan reports with port information missing?
- When service identification isn’t providing clear information…_______ all the _______!!!
- Non-standard Banner/ID Fails RPORTS

17 Features – Multi-Port Auxiliary
- Launch 1 auxiliary module against many hosts (where RHOSTS is supported) & against as many ports on each host as you wish
- Basically RPORTS functionality for AUX modules
- Again, for checking targets with reports of a vulnerability without complete information about where the service is running
- And where the service may not be running on a standard port
- Hopefully none of you find yourself in need of these multi-port features; but if you do…nothing else will do…
- Searching for things on random ports
- This is your Obi-Wan Kenobi

18 Features – Listeners & PostEx
- Create any type of listener Metasploit has to offer with built in intelligent automated post exploitation features
- Identifies the target’s platform
- Runs a wide array of applicable post exploitation modules using MSF’s own relied upon logic; but with a larger than normal set of post exploitation modules than MSF’s default

19 Features – Persistence
- Durandal backdoor builder by Skysploit (Travis Weathers)
- Updated to work with newer gcc-mingw-w64-i686 compiler
- Persistent encrypted daemonized reverse shells for:
- Windows
- Linux/NetBSD/FreeBSD/OpenBSD
- Required significant fixes to function
- Persistent encrypted daemonized bind shells for:
- Work in progress
- Android Meterpreter APK builder
- Encrypted (HTTPS protocol)
- Persistent
- Stable

20 Features – Empire & DeathStar
- Launches Powershell Empire Console & RESTful API
- Launches DeathStar Domain Admin Automation Tool
- Admin PSE REST API
- Create/Kill/Use Listeners
- Stagers – WIP 21/31 Agents
- Fully Automated Post Ex
- Windows – WIP
- Linux – WIP
- OSX – WIP

21 Features – Wireless Attacks
- HostAPD-WPE Enterprise WPA Fake RADIUS Attacks
- Enterprise WPA Challenge / Response Pair Cracking
- Asleap
- John The Ripper
- Airgeddon
- DoS
- WPA/WPA2 Online & Offline Attacks
- Aircrack
- Hashcat
- Handshake tools (capturing & cleaning)
- Evil Twin / Rogue AP Attacks
- WPS Attacks
- Reaver
- Bully
- WEP Attacks
- Why not right?
- WiFi Jammer

22 Features – Data Exfiltration
- Push Files via SCP
- Creds required
- Generates SCP command syntax for uploading to target
- Push Files with Powershell & Meterpreter
- Starts Apache
- Generates MSF command for uploading files to target
- Generates PSH command for pulling files from attacker machine to target
- Pull Files with Meterpreter
- Generates MSF command to download files from target via Meterpreter
- Wireless Password Stealer (plaintext)
- Windows 32 & 64 bit Credential Harvester
- Grabs nearly every imaginable password and private key type

23 Features – Dependency Checker
- Prepare, charge, & make ready the laser cannons
- Installs and/or configures:
- PowerShell Empire
- DeathStar
- pip install various python dependencies
- gcc
- gcc-mingw-w64-i686
- DBD
- Curl
- Jq
- Bettercap
- HostAPD-WPE
- Airgeddon
- Bloodhound
- Etc., Etc., Etc….

24 Remaining Items – ¯\_(ツ)_/¯
- Option 3 – Msfconsole
- Shortcut to launch msfconsole; very minor fixes to make this work
- Otherwise, no reason to alter this
- Option 5 – Armitage
- Shortcut to launch Armitage GUI; very minor fixes to make this work
- *this slide not approved by the Galactic Empire

25 Platforms
- Tested on: Kali, Parrot OS, Kali chroot environment on Android
- Use ATAT-chroot Github repo
- ATAT-chroot has been customized for use in a Kali chroot environment.

26 Demo Time
- Exploit with automated post exploitation

27 Source https://github.com/ll3N1GmAll/ATAT
- Compatible with the current gcc-MingW-W64 compiler package that is available on newer systems (32 & 64 bit)
- Ported to chroot environment for Android mobile usage
- Compatible with the older MingW32 compiler package on older systems (32 & 64 bit)
- No longer maintained

28 Contacts (twits & IRC) @ll3NiGmAll ll3N1GmAll lll3N1GmAlll Email/Etc.
Not very active on the twits ll3N1GmAll Much more active on IRC lll3N1GmAlll Alternate nick /Etc. Come talk to me

