At the end of last year I was invited few places (CentralPA Open Source, BSidesDFW, & BayThreat) and gave a talk about some of the work I’ve done to adapt Hubot, GitHub’s friendly-ish chatbot, and GitHub’s Chat Ops workflow for DFIR. While it was great to get the ideas out there’s a lot to deploying, using, and customizing VTR. So this is my extended breakdown of ChatOps, Hubot, Hubot-VTR, and building modules in CoffeeScript.
How GitHub Uses Hubot: ChatOps
So DevOps in general and ChatOps specifically are massive topics unto themselves and I’m not sure I’m the right person to fully address them, so here’s my short version of each:
- DevOps: An integration of software development & systems operations to increase efficiency, consistency, repeatability, and security.
- ChatOps: Doing devops by building tools that integrate with the teams chat applications.
Both of these techniques take advantage of modern development tools for rapid tool creation and integration, tools like Puppet/Chef for automation, and a data driven approach where feelings, conventional wisdom, and “that’s just the way we do it” is replaced with collaboration and metrics.
Benefits of Chat
- asynchronous: searchable, read back, push notifications
- multi device: laptop, tablet, & phone
- flexbile interface: an extensible and easy to use interface to build tools around
The idea is to make Hubot support security ops:
- open source intelligence
- network forensics
- system forensics (disk & memory)
- reverse engineering
- penetration testing & vulnerability management
Setting Up Hubot VTR
Setting up Hubot is a simple task that’s best started by looking at the Hubot documentation itself. Go ahead, we’ll wait here.
Once you’ve got a basic Hubot setup you’ll want to install the VTR scripts with these directions. It should be pretty painless.
Using Hubot VTR
Code Name Generator
Generates code names for being spooky
Identify the physical location of an IP address
hubot geo 18.104.22.168 hubot geo 22.214.171.124 maxmind
Look up the reputation of a website
hubot mywot example.com
Look up OSINT on a users email address
hubot pipl email email@example.com
Generate links for Robtext, IP/URLVoid, etc
hubot reputation ip 126.96.36.199 hubot reputation url example.com
Get the urls associated with an IP address
hubot reverse dns example.com
Search engine for server strings.
hubot shodan foo
Short URL Expander
Take a shortened URL and find out where it redirects to.
hubot expand url example.com
Hash, URLs, IP Addresses
hubot virustotal hash abcd1234 hubot virustotal ip 188.8.131.52 hubot virustotal ip example.com
Generates template for creating Yara rules.
These all require addressing Hubot directly, either by using the bots given name or an alias. So for me that would be hubot shodan openssh or ! yara-template. Both your Hubots name and alias can be configured during setup.
Writing Hubot Scripts
There are a few major parts of any Hubot script:
- Documentation: This is actually quite important given that this documentation is passed along into chat when people ask for help. It’s important that this be descriptive and complete.
- The Respond or Hear Method: Hubot can listen for anyone mentioning a specific phrase (robot.hear) addressed to anyone, or wait to be addressed directly (robot.respond). In either case this is followed with a regular expression detailing what statement to listen for. Anything in () is saved and can be used in the method body.
- The Method Body: This is where the bulk of the work happens. Call a 3rd party API, manipulate text, anything you can think of that you can do in CoffeeScript. In nearly every case the method body has one or more msg.send “Foo” statement, which has Hubot respond back to the chat.
These are the simplest requirements, but of course there are many optional patterns as well. CoffeeScript tends to be fairly simple, so the best way to pick things up is usually just browsing through open source scripts.
I currently run two separate Hubots with different adapters and environments:
- Development: On my laptop I have a Hubot running with the terminal adapter. Basically it just spawns a shell that acts as chat directly with Hubot. It’s not easy to use, but it’s fast for testing without having to redeploy, just restart the server. This system has no memory (Redis database), just a brain (Node.js server).
- Production: I have a shared chat room with some other DFIR types and we have a shared Hubot. This Hubot is deployed onto Heroku, a single dyno system, and has a RedisToGo memory. We use Slack as our chat server, we it, and their Hubot integration is excellent. This is actually a pretty ideal setup, and definitely what I’d recommend for a first deploy.
Things to Build
Take a look at “The List”. There are endless possibilities, new modules, new integrations. My current goals revolve around Yara, including automating signature generation. That said make this what will help you, and pull requests are always welcome.
Hubot & Hubot VTR
- Hubot & Hubot Source
- Hubot VTR Scripts & Hubot VTR Rhodey
- Chatops @ GitHub — Jesse Newland
- Programming Butler: Hubot Scripts Explained — Jon Hoyt
- Code School: Learn Coffeescript