Using Robots to Fight Bad Guys

At the end of last year I was invited few places (CentralPA Open Source, BSidesDFW, & BayThreat) and gave a talk about some of the work I’ve done to adapt Hubot, GitHub’s friendly-ish chatbot, and GitHub’s Chat Ops workflow for DFIR. While it was great to get the ideas out there’s a lot to deploying, using, and customizing VTR. So this is my extended breakdown of ChatOps, Hubot, Hubot-VTR, and building modules in CoffeeScript.

My Presentation#

Building Your Own DFIR Sidekick

How GitHub Uses Hubot: ChatOps#

So DevOps in general and ChatOps specifically are massive topics unto themselves and I’m not sure I’m the right person to fully address them, so here’s my short version of each:

  • DevOps: An integration of software development & systems operations to increase efficiency, consistency, repeatability, and security.
  • ChatOps: Doing devops by building tools that integrate with the teams chat applications.

Both of these techniques take advantage of modern development tools for rapid tool creation and integration, tools like Puppet/Chef for automation, and a data driven approach where feelings, conventional wisdom, and “that’s just the way we do it” is replaced with collaboration and metrics.

Benefits of Chat#

  • asynchronous: searchable, read back, push notifications
  • multi device: laptop, tablet, & phone
  • collaborative
  • flexbile interface: an extensible and easy to use interface to build tools around

The idea is to make Hubot support security ops:

  • open source intelligence
  • network forensics
  • system forensics (disk & memory)
  • reverse engineering
  • penetration testing & vulnerability management

Setting Up Hubot VTR#

Setting up Hubot is a simple task that’s best started by looking at the Hubot documentation itself. Go ahead, we’ll wait here.

Once you’ve got a basic Hubot setup you’ll want to install the VTR scripts with these directions. It should be pretty painless.

Using Hubot VTR#

Code Name Generator

Generates code names for being spooky

hubot codename

Geolocate IP

Identify the physical location of an IP address

hubot geo 1.2.3.4  
hubot geo 1.2.3.4 maxmind 

MyWOT

Look up the reputation of a website

hubot mywot example.com

Pipl

Look up OSINT on a users email address

hubot pipl email example@example.com 

Generate links for Robtext, IP/URLVoid, etc

hubot reputation ip 1.2.3.4  
hubot reputation url example.com

Reverse DNS

Get the urls associated with an IP address

hubot reverse dns example.com

Shodan

Search engine for server strings.

hubot shodan foo

Short URL Expander

Take a shortened URL and find out where it redirects to.

hubot expand url example.com

VirusTotal

Hash, URLs, IP Addresses

hubot virustotal hash abcd1234  
hubot virustotal ip 1.2.3.4  
hubot virustotal ip example.com 

Yara

Generates template for creating Yara rules.

hubot yara-template

These all require addressing Hubot directly, either by using the bots given name or an alias. So for me that would be hubot shodan openssh or ! yara-template. Both your Hubots name and alias can be configured during setup.

Writing Hubot Scripts#

Hubot scripts are written in CoffeeScript. CoffeeScript is basically a higher level language that compiles to JavaScript and is then interpreted by Node.js.

There are a few major parts of any Hubot script:

  • Documentation: This is actually quite important given that this documentation is passed along into chat when people ask for help. It’s important that this be descriptive and complete.
  • The Respond or Hear Method: Hubot can listen for anyone mentioning a specific phrase (robot.hear) addressed to anyone, or wait to be addressed directly (robot.respond). In either case this is followed with a regular expression detailing what statement to listen for. Anything in () is saved and can be used in the method body.
  • The Method Body: This is where the bulk of the work happens. Call a 3rd party API, manipulate text, anything you can think of that you can do in CoffeeScript. In nearly every case the method body has one or more msg.send “Foo” statement, which has Hubot respond back to the chat.

These are the simplest requirements, but of course there are many optional patterns as well. CoffeeScript tends to be fairly simple, so the best way to pick things up is usually just browsing through open source scripts.

My Setup#

I currently run two separate Hubots with different adapters and environments:

  • Development: On my laptop I have a Hubot running with the terminal adapter. Basically it just spawns a shell that acts as chat directly with Hubot. It’s not easy to use, but it’s fast for testing without having to redeploy, just restart the server. This system has no memory (Redis database), just a brain (Node.js server).
  • Production: I have a shared chat room with some other DFIR types and we have a shared Hubot. This Hubot is deployed onto Heroku, a single dyno system, and has a RedisToGo memory. We use Slack as our chat server, we it, and their Hubot integration is excellent. This is actually a pretty ideal setup, and definitely what I’d recommend for a first deploy.

Things to Build#

Take a look at “The List”. There are endless possibilities, new modules, new integrations. My current goals revolve around Yara, including automating signature generation. That said make this what will help you, and pull requests are always welcome.

ChatOps Resources#

Hubot & Hubot VTR

ChatOps & DevOps