This webcast originally aired on January 23, 2025.
In this video, Ralph May discusses Orbit, a tool he developed for enhanced vulnerability scanning and continuous pen testing. The video delves into the origins of the tool, its integration with Nuclei for high-performance scanning, and its application in ANTISOC for Black Hills Information Security. Ralph also provides a detailed demo of Orbit, showcasing its features, capabilities, and the benefits of open-sourcing the tool for the cybersecurity community.
- Ralph May’s tool, Orbit, is designed to run Nuclei scanning at scale, offering a solution for continuous pen testing with customizable and scalable features.
- Black Hills Information Security’s ANTISOC service is focused on continuous pen testing and attack surface management, aiming to improve security posture over time by simulating persistent threat activities.
- Nuclei is highlighted as a high-performance vulnerability scanner that is open-source and free, using a community-driven approach to template creation, making it a valuable tool for pen testers.
Transcript
Jason Blanchard
Hello everybody, and welcome to today’s Black Hills Information Security webcast. We have Ralph May. Today, we’re going to talk about introducing Orbit. So Ralph has been working on a tool and what happens is when we ask, hey, do you want to give a webcast?
And things like that, and you’re like, hey, what slots do you have available? And so Ralph took today’s. And then, at the beginning of the week, I’m like, Ralph, are you ready? And he’s like, yeah, kind of. And so what we’ll do is we’ll do the webcast today and then Ralph’s going to go ahead and give you all the information.
And then afterwards we might have some follow up stuff that we work on. But you can ask questions at any time inside Discord or inside Zoom, and we’ll do the best we can to do a Q&A at the end if we have time.
So today, if you ever need a pen test, red team, threat hunt, active SOC or continuous pen testing, you know where to find us. At Black Hills Information Security, we’re not just a webcast and comic book and conference company; we’re also a pen test company and security services. And so, Ralph, are you ready?
Ralph May
I’m ready.
Jason Blanchard
All right, I’m going to go backstage, I’m going to take care of the Hack It stuff and I’ll be here in case you need me for anything. All right.
Ralph May
Thanks.
Jason Blanchard
See you soon.
Ralph May
All right, welcome. First of all, everyone, thank you for coming to see me introduce this tool called Orbit. We’re going to kind of get into it, but this comes from a lot of work over the last, I would say, about two months of just becoming a coder now.
So I’m just a developer, but it has a purpose. We’ll kind of get into it, and I think that I might be the first one to be kind of open sourcing a tool like this.
I’ve seen some other stuff kind of similar, but you’ll see. All right, so just a quick agenda. I’m going to do a quick introduction about me, who I am, all the other fun stuff.
I’m also going to talk about ANTISOC, what it is, and kind of what we do over there and kind of how this tool came to be. We’re going to talk about Nuclei and what it can do, can’t do, all the other fun stuff.
And then we’re going to talk about the problem that I had that I was trying to solve, the tool that I made out of this problem, which I named Orbit. And then we’ll kind of get into some of the conclusions here.
And we’re also going to demo. I’m going to demo the tool, show you how it works, show you what it looks like, all the other fun stuff. So you can kind of really get a quick idea of what this is and how you might be able to use it.
All right? All right, introduction. So that is me, Ralph May. There’s actually an AI generated picture of me, ingesting a bunch of pictures of me.
Fun. My contact stuff on there, LinkedIn, GitHub. I also teach a class called Hacker Ops where I teach DevOps for hacking or doing penetration tests.
Me and co-founder Travis also do a physical exploit class where we teach people how to break into buildings. I work at Black Hills Information Security now. I have been doing pen testing for, climbing up close to a decade, consulting.
So I’ve pretty much touched it all. And my new hobby now is developing tools to help people do pen testing. All right, so for anybody who might have taken my class, this is kind of a continuation of some of the things that I’ve done and applying that to software.
So. All right, with that being said, let’s talk about ANTISOC. Okay. And the reason we’re going to talk about ANTISOC is that was really the edifice for me creating this tool, or really it’s more of an application than a tool.
And I’m going to talk about kind of what we do there. Right?
So for those who don’t know, ANTISOC is an offering that we have at BHIS, which is, the best way to describe it is we’re your friendly neighborhood APT. Right?
And really, the edifice for this was we were doing a lot of. I was doing red teams and other people on the team were doing red teams. And one of the problems that we had as a tester is that we wanted to do longer engagements, right?
We would go through, we would get on an engagement and it would either end too fast or we weren’t getting the success we wanted. And we always kind of envisioned like, hey, what if we could do this for six months or longer?
Right? But obviously there is an issue with that. And the flip side of doing a test for a year, for example, is that no company really wants to pay for me to just work on their company for a year.
That would make these tests extremely expensive. Okay. And what we found is that over time things would change in the attack space that were all about kind of luck.
So sometimes we would have a red team. We got lucky because there was a new technique that had just come out and we were able to utilize it. And other times we weren’t as lucky, there weren’t as good of techniques. So the real question we had is what if you could red team your company all year, and how would that affect your security posture?
And so that was the edifice for ANTISOC and the idea of doing continuous pen testing.
And kind of looking at how we could turn that not only to the goal of seeing how your security changed over the year, but also kind of how we could still make money at it.
Because nobody wanted to pay for my time directly for a year. But that being said, we came out with ANTISOC, and some of the things that we decided to kind of include in there is we would be testing companies over a year, and to make this all work we would bring in a bunch of companies, right?
A bunch of companies that wanted to have essentially a red team all year. But some of the things that we were doing in there was initial access. So trying to find initial access to a company.
Just like you would on a red team, we also throw in some assumed compromise. So obviously we’ll take some different times during the engagement and we will get access to the internal environment if we don’t gain it organically.
And with that obviously we’ll test out some post exploitation techniques as they come out through the year and we kind of apply that as a group. So we’ll test different companies at different times at different phases.
The other thing it kind of brings to the table is the purple teaming concept, without a purple team. So where we would have companies say hey, we want you to test this, we want you to test that, or hey, could you go look at this?
And we’ll kind of devote some time to that. And then kind of the last thing that we’re doing with CPT right now is scanning. So attack surface management,
which has kind of been coined recently. I say recently, over the last couple years, where you could scan your attack surface all the time and try to find vulnerabilities and be able to remediate those.
And so there’s a bunch of ASM, attack surface management, tools or software now that have come out to kind of reach that goal.
And this mostly is focused on external at this point. It doesn’t have to be, but right now the focus is mostly on external attack surface enumeration and kind of figuring out what assets are out there and what kind of vulnerabilities you might be susceptible to.
In that vein, when we talk about scanning, so one of the things that we’re doing at ANTISOC is obviously we’re scanning for vulnerabilities. So what we try to do is we try to scan the attack surface that we’ve enumerated, all the time, looking for whatever kind of vulnerabilities we could actually utilize.
We’re not particularly concerned about your SSLv3 findings because those are something that we can’t exploit. But what we are looking for is really the difference in time.
So typically when you do a red team, you might do a scan and you see that this thing is vulnerable or you see nothing. But if you apply that on a longer timescale, obviously new vulnerabilities get introduced, and if you are able to get a closer time to detection or closer time to the actual exploit being released, there’s a higher chance that the company will still be vulnerable to that exploit.
Some other things that we’re doing at Black Hills and with ANTISOC is data breach analysis. So we’re also scanning for breached credentials and reusing those and other things like that.
There’s a whole other segment of kind of us trying to feed in as much data as we can, with the goal of just gaining access. And then as I said we’re doing vulnerability scanning, but we’re kind of doing it in the attack surface management or ASM Lite.
And what I mean by ASM Lite is that for our customers we’re not going to report every single thing that is an issue. We’ll give that data to them. But what we’re really looking for is things we can actively exploit to gain access.
So we’re taking the attacker’s mindset as opposed to the big list of things that all could possibly be remediated but don’t actually enable an attack path.
So that’s why I’m calling it kind of ASM Lite, because as a service we’re not really delivering possibly every single finding that an ASM platform might produce. But we’re looking for specifically what we can do to actually exploit with these scans.
All right, with that in mind, vulnerability scanning options. So when we started setting up this ANTISOC we kind of had some choices.
And by the way, these are just some of the choices out there. There are a bunch of other ones, including actual ASM products. I think when we kind of set this up there were less, but more options have become available in the space.
But some of the things that we looked at were Nessus, Qualys and a couple other scanners, and Nuclei,
which we’re going to talk about today. And it’s funny because Nuclei probably seems like the biggest underdog in these vulnerability scanning options.
But it’s actually been our biggest success in finding exploitable vulnerabilities. And not to get into which one is necessarily better than the other, just going off data driven, we tried a couple.
This thing started producing results and that has led to kind of this rabbit hole that I’ve dove down. All right.
So with that being said though, before you can even do a vulnerability scan or scan an attack surface, you need an attack surface. So some of the things that we’re also doing, not part of the tool that I’ve created, but is obviously enumerating the attack surface.
This is domains, IP addresses, services, ports, and then doing that on a continuous basis, trying to figure out what has changed in the attack surface. Now typically for most customers this isn’t large changes in the attack surface, but it is nice to pull in as much information as we have as possible because we’re trying to find the thing that they forgot about or the thing that they.
Oh, I didn’t know someone had set that up. They weren’t even supposed to set that up. That’s the kind of finding that we’re looking for,
when we find exploitable things and services that aren’t even there.
Or that are there but they don’t even know they’re there. But anyways, before we start doing scanning we need to gather all this information.
So again, this is kind of another process. And then, so with that being said, after we have our attack surface, we know what IPs and domains we want to scan.
We kind of get into what we needed with vulnerability scanning at ANTISOC specifically. Okay. So if you’ve ever done a traditional pen test, you get on the pen test and you’re like, all right, here’s the scope.
They’ve given you all these IP addresses and then you go scan those and then you go from there working through findings and then manually enumerating all of that.
But because ANTISOC isn’t a one-time point in time, we need to kind of move through doing this all the time.
So with the products that we looked at, we needed something we could do consistent scans with, we needed something that would give us actionable data and findings. Right? So something we could actually confirm really quickly.
We needed it to be scalable. So this kind of gets into where I’m going here. But when you’re doing these scans, I can’t just do one customer, I need to do 10 customers or 20 customers.
I might need to do them all at once.
I need some kind of history of what has changed. Having that would be pretty nice. And then obviously some control over the ability to automate these scans and what exactly the scan is doing.
If you’ve ever run different kinds of scanning software, sometimes you can set what things you want to scan for, and I need to be able to control these. Now a lot of products offer that, but when we get into the scalability, that’s where a lot of products, like for example just traditional Nessus, kind of fall flat on their face.
The last thing I’ll say about scanning and ANTISOC is building or buying. So obviously we tried out some commercial tools. We didn’t try out all the ones for all the ASMs and working through that.
But just some things to consider before you build your own scanner, other things like that. Do the current options meet your needs? This should be the first question when you’re looking at these. Hey, is there something that already does this?
Because developing a tool is kind of a time consuming process. Cost is a factor. Some of these tools can be extremely expensive and actually be counterproductive to their value to the organization, or to your organization when you’re passing along that cost.
When you’re doing consulting, the value to the customer is something you should also consider. Are you increasing the cost to give less value to the customer? Value to the team. Does it really help in finding?
So our goal at ANTISOC is to gain access to an organization and let them know, right? Let them know how and what the actual attack path would be.
Does this scanning tool, does it actually help me find actionable vulnerabilities that I can demonstrate that impact?
And then, does it have any kind of customization? Because in our particular seat, we’re not an organization scanning ourselves, we’re scanning a lot of other organizations. So we might have some examples where we need to be able to customize things.
So. All right, let’s go and talk about Nuclei. Okay, so if there’s one thing you take from this whole webcast, you can literally forget everything.
But if you haven’t used Nuclei, you should go run Nuclei. Okay. If you’re not using it in your traditional pen test, you are missing out. Absolutely. Okay, I’m going to go into some reasons why, but just the TLDR about Nuclei is if you don’t know what it is and you haven’t used it, you absolutely should be using it in this industry.
Okay. So what is it? It’s a high performance vulnerability scanner. Okay. It’s written in Golang and it uses simple YAML for vulnerability templates.
That’s actually one of its kind of power tools. It supports multiple protocols. When I first heard about Nuclei, I said, oh, yeah, it sounds interesting. It seems like it’s for web apps, right?
It’s just for web app scanning. That is not true. Okay? It can be used for all different types of protocols. Besides HTTP, there are a lot of templates already in there for HTTP, but there’s also TCP, DNS, there’s a ton of enumeration stuff.
WHOIS, JavaScript, and honestly, the sky’s the limit. Okay. There’s not necessarily a protocol limitation that says it can only be used to find vulnerabilities in an HTTP protocol.
It’s very fast. It does scan processing and request clustering. So what ends up happening is you have all these findings or templates, which you don’t have to make.
They’re kind of like, if you’re familiar with Nessus, they’re like Nessus NASLs, right, which technically you could write yourself. But the difference is Nuclei templates are actually hosted on their GitHub and anyone can see them, anyone can contribute to them.
So it’s kind of a group tank of everyone contributing findings into this tool. Awesome.
Nuclei is just a CLI application. Like I said, it’s written in Golang. And what you do, just to really, the documentation is pretty good. But the simplest way to describe it is you have a list of hosts that you want Nuclei to scan.
You open up the CLI tool and you type in nuclei and pass it the, what do you call it? The list. Right, so let’s say a text file, newline separated, and it will start scanning all of those hosts for every single finding that it has in the templates.
Now you can configure this to scan only certain templates and other things like that. It is very configurable. There’s actually a lot of options in Nuclei, some of which I think aren’t as well documented.
But in general the tool is pretty simple to use. Have a list of hosts that you want to scan and pass it in there, you’re ready to go. Okay, so what you’re looking at here is just kind of the output of the CLI.
You can see that if it doesn’t have all the templates, it’ll actually go download the latest version of the templates from the git repository. And then you can see how many templates it has. Right now in this particular example it had 7,425 different templates that were signed from the project.
There’s also 182 unsigned templates. So these are templates that are, I would say, in the process of being reviewed to be added. And so I didn’t pass anything else, so it just said, hey, no results, better luck next time.
Okay. All right, so with that being said, this is what the templates look like. They’re all in YAML. So this is for CVE-2024-27348, mouthful there, but remote command execution code for Apache.
And the big things here at the top is kind of like metadata about this particular finding. But down here is kind of what it’s going to do.
So it’s going to make an HTTP request for Gremlin, a POST request, and it’s going to pass in the host name that you pass in, in that file. It’s going to look for this content type and it’s going to match on these right here.
And if it does get a match, then it will say, hey, this is probably vulnerable. And at the bottom here we have this digest, which is the checksum for the signed template.
So in simple form, it’s really easy to write these different kinds of requests and matches. You can write your own, which is the most amazing part. If you find something that is unique or maybe not necessarily a finding, but you want to search across maybe all of your clients for this particular thing, you can make your own template and search for it.
It’s a great way to kind of search at scale for some kind of issue, even if that issue isn’t directly a CVE.
Maybe it’s just a misconfiguration. Other things that aren’t being checked for. So very cool. So why did we choose Nuclei for ANTISOC?
And one thing I didn’t put in here is that Nuclei is open source and it is 100% free. So that could have helped us in our choices.
But the reason we still use it is because of results. Number one, we have found findings with Nuclei that we have actively exploited on our customers at ANTISOC through our engagements.
I can’t say that for other tools.
So this time to detection, where something new comes out, we’re able to scan for it, and that we scan and then apply that to the customer and then exploit it to move forward, is very short.
And that’s what we’re really looking for at ANTISOC: getting what has changed that is vulnerable and being able to execute. And obviously, Nuclei has helped us in that department.
I did say it was free. So cost has obviously been a driving factor. So we’re not paying for any kind of licensing or any kind of, like, scaling issues as far as cost goes.
Overall Nuclei is very fast, even though it does do a lot of scanning. So there can be some issues with really large attack surfaces and other things like that. So, before I say that this is all rosy and perfectly green, there are some issues when it gets to bigger attack surfaces; they are surmountable.
But just something to be said. That said, though, it is very fast, even comparatively to some of the more commercial solutions. And then customizability, so being able to build your own templates is amazing.
And then being able to set those up for scans is also really, really useful. Right, okay, so let’s talk about my problem.
All right, we talked about ANTISOC, we talked about the fact that I need a scanning tool, and we talked about Nuclei being a good candidate.
So let’s talk about what I was trying to solve. So Nuclei scanning at scale. So I told you Nuclei is a CLI tool. Great.
Yay. I love CLIs. Okay, so I can just run a scan for one customer. Cool. Great. Now I need to run it for two people. Okay, now I got this thing. I’m going to run it for two people every week. All right, now I got three.
Now I got four. All right, now my IP is blocked. Now you can see scaling is an issue. I have another problem.
I need to control my cost. We are running these scans to provide value to our customers, but I can’t make this, make us pretty much lose money just trying to try every tool to get everything, to get that, just that 1% left. Right?
So I need to make sure cost is considered. I need it to be customizable, because we’re not just looking for everything. We’re looking for certain things.
And we might want to tailor it to provide better value for our customers. And I also need it to be something that provides some kind of expandable IP space.
Because the problem with scanning is we’re coming from the outside. We do have customers that want to know exactly what IP we use. We can do that. We have other customers that want us to be like, well, how would an attacker do it?
And most importantly, some customers have other systems in place that say, too many requests from this IP, we’re going to block it. So some way to expand that so I can get that data.
I just want to know, is this vulnerable?
All right, so first take. All right, so this is what we first implemented at ANTISOC to attack this problem.
So I used CI/CD pipelines. What I did is, using Ansible and Terraform, I used a CI/CD pipeline to call all my scans. Okay.
By building some Ansible and Terraform, I could essentially provide some of the values I needed to scan. So the list of IP addresses and what instance types I want to use.
So, like, what kind of virtual machines I want to use on some cloud provider. And I would execute the scans. Additionally, it would save the output, right? The scan results into an S3 bucket.
So we’d have some kind of history of all these scans and the customers. This did create something that was highly scalable, meaning that the more customers I add, that didn’t necessarily add to the time it took to run these scans because I would make another VM for every customer.
So one VM per customer. So it scales very well. And we integrated that with JIRA for deploying and the results. So the way we would turn this on or start a scan is that we would create a ticket and it would run the scan using a CI/CD pipeline.
When the scan was finished, it would save the results and it would make another ticket letting people know that the scan was done and here’s the results. And then we’d manually triage that data and the results. Obviously, some of the problems with the CI/CD pipeline is all code, no interface.
So there’s only a little bit of output that we’re getting here, just the results from the ticket. So everything else in the middle is kind of black magic. There’s really no history, so there’s no real database.
So things are happening, scans are occurring, but we don’t really have like a huge history of exactly what happened, what scans failed, state of the saved findings.
So when a finding would come in, we wouldn’t necessarily know if it’s already been triaged before because I have no way to compare, I don’t have a database. So then we would have to pretty much just have tribal knowledge or some other way to mark that a finding is still a finding or that it’s already been acknowledged as something that we don’t need to worry about.
So that was one of the other CI/CD problems: I just didn’t have a database, I didn’t have a way to like save a history of what happened. I had no good way to search through that data. So I have all these JSON files, that’s great.
And I technically could probably write some little bash, Python, whatever script to search for these things. But I didn’t have a native way to do this. I did have all the data, the raw data, which is important, but I never had a way to really search through the findings.
And it was better than manually running scans, but I had no data metrics, so I didn’t have any idea about whether customers were getting more of this or anything that I could easily share really.
No metrics. I would have to create that separately outside of this CI/CD.
But it does function. The plan is to go where I’m going to go next, which was to build a web application. Now I wanted to build a web application not because I just wanted to build a web app.
Everyone’s doing it. It’s so hot right now. But mainly because at ANTISOC, it’s not an individual. We are working as a team. So having an interface that we can all work together on is important.
I wanted the interface to be simple. I wanted it to be something that kind of had some intuitiveness to it, so you don’t necessarily need a huge on ramp to utilize this. Again, I wanted to allow for groupthink, so being able to see the findings as a group, remediate findings or mark findings as a group.
I wanted to scan at scale with no code experience. So while my CI/CD pipeline was cool and it is being rebirthed inside of this tool, it didn’t really allow others to see what was going on without knowing what was inside of that.
So not understanding Terraform and Ansible. So I didn’t want you to have to learn those tools. So I’m taking that away. And I wanted you to be able to search through this data visually. I wanted you to visually look at the findings and other things like that across customers and be able to dial down into what you were looking for as these results came back.
So, before I dive into Orbit, I want to talk real quick just about, what about ProjectDiscovery Cloud?
Because if you haven’t looked at ProjectDiscovery, they also offer a ProjectDiscovery Cloud offering, which sounds kind of like what I would need.
So we checked it out and I did run some definite scans from there.
And so I had a few issues which kind of ended up with me developing this application. Number one was it did have a definite high cost that we’d have to pass on to the customers
for running these scans. While the interface is slick and it did look nice, it definitely was a cost. Now I’m not saying that Orbit has zero cost, but it was more than the cost of the infrastructure, let’s put it that way.
Which, I don’t blame anyone for trying to make money. That’s not the point. But it’s just something to consider. The other issue we had is it’s kind of a black box. Okay, so, as a black box we were not getting data back sometimes, or I didn’t have any way to control the IP address that these scans were coming from.
I didn’t have any way to control a lot of things that I wish I had control over. So I could ask for those features.
Or I could try to get some of that control back, which is kind of the route I ended up taking. The third thing was customer data. Now I’m handing off that customer data to a third party.
They might be SOC 2 audited or other things like that. Not to knock on any of these ratings or anything like that, but that is something that now I have a third party involved in the customer’s data.
And then finally we tested it and sometimes it would just fail. On scans that I was able to get to complete, it would sometimes fail. No good reason. So we just had some issues and that’s kind of what led to this next thing.
Additionally, if I wanted to add any other features, I could ask ProjectDiscovery to do it. But some of those might actually start to creep outside, rightfully so, of what ProjectDiscovery should possibly be building.
Lots of projects have this where somebody asks for a feature and it would be great at ANTISOC, but no one else is going to pay for it.
And so that’s where you kind of get into this situation of whether I should build this thing or should I buy this thing.
So I kind of felt like we were going to end up with features that weren’t going to be built into it. I was going to have to buy it anyway. Anyways.
All right, so let’s talk about Orbit. So all of that, backstory leads up to the tool that I ended up building.
So what is it? it is the ability to run nuclei scanning at scale. Okay. If you only need to run a scan for a couple hosts for your engagement, absolutely.
There’s nothing wrong with the CLI and you can definitely do it. But as a consultancy you probably derive a lot more value being able to do this without having to set up all of that stuff. Especially considering you’re probably not scanning from your house.
So you’re already going to have to set up a vm, but at ANTISOC it provides even more value because we need to scan all the time.
The other thing it is, it’s completely self hosted. So you can host it on, on your computer or in a cloud to share with others. it’s multi user, multi cloud because it uses Terraform in the backend.
It’s not exclusively for just one cloud provider. And the demo I’m gonna show you today we’re just gonna be doing digitalocean cause that happens to be what we use. But as I add more cloud providers, it’s super easy. Cause Terraform is the backend that interfaces with these APIs and it supports every cloud, and it has a simple web interface, or at least I believe it’s simple.
I wrote it. So, I’ll leave it up to you guys, but I don’t think it needs a whole lot of explaining to what’s going on. Even though I’m going to give you a demo. Here’s a simple diagram of kind of how it works, right?
So you have Orbit, this web interface that you kind of load in a scan that you want to do. Let’s break it down as simple as possible. And then Orbit will go ahead and build your Ansible and Terraform for you.
It does this all automatic. It doesn’t need you to enter or decide how Terraform works. You don’t need to know Ansible, you don’t need to know Terraform to use this tool. once that is built, it will go ahead and deploy an instance over in DigitalOcean or AWS.
It’ll run the nuclei, scan for you and then get all of that data back. It’ll save it to an S3 bucket. It’ll also save that data back to Orbit into a database. So we can actually, what do you call it?
Analyze that data and sort it, filter it, all the other fun stuff. and then you also have an archive in that S3 bucket of the actual raw data.
So that’s kind of a simple diagram of how it works. obviously it scales as you do more scans, you can do more scans at once. you can have, every scan would be its own, DigitalOcean instance.
What’s the tech stack? How does this work? It’s Golang, which means that technically it can compile to any architecture or operating system. I do have some limitations though,
mainly Windows, because of the fact that I am running Ansible, and it doesn’t necessarily natively run great on Windows, but you can run it in Docker. It uses a SQLite DB for the backend.
The front end is Svelte, which is a very fun front-end framework. The actual infrastructure as code is Ansible and Terraform.
So I’m kind of mixing both of those together. Terraform is deploying the infrastructure and Ansible is running the commands on the host and getting that data back. It is an agentless design.
It builds a payload, ships that payload over to the virtual machine, executes it and then communicates back. All right, demo time.
And may the gods bless me. Here we go. I sacrificed many animals to do this demo.
What is Orbit? This is Orbit right here. What we have is a dashboard. Obviously I’ve already logged into it to save us time, but it does have authentication built into it.
If you click up here on the top right, you can see I’m logged in as ralph@example.com. There’s also dark mode for everybody who rejoices in not having to look at all the white.
So it’s fully dark-moded. Right here is the dashboard. We have the running scans, completed scans, failed scans, vulnerabilities by client. We don’t have a whole lot of data in here because, well, we’ll see.
And then, obviously, over the last 30 days there’s not much data in here, because this is just a demo. But I’m going to kind of walk you through how to set this up. All right, so as an administrator of this, what you would need to do is go over to Accounts.
This is where... that’s my account. Excuse me, Users. This is where you can add users. You can go up here, add a user. You can actually set them into a group as well. So you can have groups of users, excuse me, groups for permissions.
So I have RBAC built into this. So there are user groups: admin, manager, editors, and you can have a viewer-only user, which is kind of interesting. So a lot of these settings you can’t see.
But over here you can invite users, add users. You can invite users if you set up email. So it’ll send them an email, they can log in, reset password, obviously all the kind of accoutrements of simple user management.
Right, cool. But the big thing we need to do to actually run a scan is we need to set up some providers, right? So over here we have our Providers menu. To run a scan, we pretty much need two things.
We need somewhere to run it, so some kind of compute resource. In my case, I’m using DigitalOcean. And then we also need an S3 bucket. And this is where data is going to get saved for the scan.
And over here I’m setting the kinds of things that I wanted to do: Terraform state storage and scan state storage. You can’t run a scan without these. Down here you can see I configured it for DigitalOcean Spaces.
I set the region in there, set a bucket, and put some paths in there. Okay. So when you first start up the application, it’ll ask you to build these out, and then under DigitalOcean here it’s kind of cool.
So after you add an API key, which gets saved in the database encrypted, you are able to pick out the region. This pulls the regions and the projects available to you and your user directly from the DigitalOcean API.
It also lets you pick out your droplet size. You can set a maximum size here, so you can pick out which droplet size. This way you’re not trying to figure out all this information. You can also add tags for the VM as it runs for the deployment.
At the top here you can enable or disable these scans. So you can have multiple different providers. At the top here we can add some other ones. You have AWS, and we also have notification providers,
like the email provider over here; we can set up that SMTP, set the name here. So yeah, we have all that, but the main two things you need to run a scan are an S3 bucket to save the data and the actual compute resource.
If you want to, you can also use this to do DNS management. So if you want these machines to have a DNS name, if you go to Configure, you can see we can choose a domain that we’d like to use for this, but we don’t have to.
All right, after you set those things up we go over to Clients and we add a client. Adding a client’s pretty simple. You give it a client name, give it a home page, the company homepage, and a generated secret name which it’ll use within the code,
so you don’t necessarily give out client names in other places. You can have client groups. So if you have a group that you want to put all the clients in, that way you can just scan a group as opposed to scanning an individual client.
But right now, just for this demo, I have set up this BHIS homepage. There’s no group, but essentially we’re just kind of defining a client. After that we need to define some targets.
So over here you can add a target. You can add a list, newline-separated, and give it a target name. We’ll say Test, say test.com. We’re not going to use this one.
And then you can set a client for BHIS. And now we have a new target list attached to a client. You can put as many targets in there as you want. Right now I just have black hills informationsecurity.com as one of my targets.
And then the last thing you need to actually run a scan is the profiles. So this is where we’re going to set up just a couple of little things that only really need to be set up once.
The first is a Nuclei profile. So this is a YAML configuration, and what this does is set some of the settings inside of Nuclei. This is where you can also set things like avoiding certain types of scan templates and other things like that.
This uses the default configuration from Nuclei to set these things up. It’s a YAML configuration for configuring Nuclei scans. You can optionally set up Interact servers.
These are what are used for certain types of scans when they have to do HTTP requests that require an Interact, or kind of an intermediary server, to make these work. By default, Nuclei uses some public ones, but you can set up your own if you want to control that.
And then finally there’s the scan profile. What this is really here to do is define which Interact server you want to use and what VM provider you want to use.
So in our case we added DigitalOcean; we’re going to add that in there. If you want to customize the size of the VM that you want to use for this, you can pull that down, and then which bucket you want to use.
So we set those buckets up. We have these things, but we could have a lot of different providers, other things like that. So the profile kind of brings them all together, so that every time you run a scan you’re not asked all of these questions all over again.
To actually make this scan work, you can set this as a default. You can have more than one, obviously, in here as you expand out.
That’s really all you need to run a scan. Okay, so over in Scans you click Scan. We have some targets and we have a client, and all we have to do is just say Add Scan.
So I’m going to go ahead and say "test demo". I want to pick the target; I’ll pick BHIS. I’ll pick the profile,
the scan profile. This is the Nuclei scan, or excuse me, this is the profile, like what resources you want to use. Then the Nuclei profile, which we’re just going to use Nuclei for. So this is kind of what the scan should do from a Nuclei perspective. Then we’ll pick our client, and then we can have a one-time scan or a scheduled scan. For this case we’re just going to do one-time.
So I’m going to do Create and Start Scan. And then in the background here, it might take a second. I’ll reload this page.
You can see that our scan has started. You can see that I also have some other scans that I’ve already run. I’ll show you those. This scan right now is building the Ansible and Terraform for me.
When the machine comes online there’s actually a Terminal button here. You can access the terminal directly. It creates an SSH key. In the backend code there’s an SSH key that’s used as soon as you start the server.
That’s what’s used to configure these devices. It uses WebSockets when you press Terminal to actually create an SSH connection between the Orbit server and your device, and you can manually start sending commands to the device.
Obviously you can stop it here, and you can also see the logs too. You can see on this finished scan that I have some important data that I wanted to know, like when did it start, when did it finish, what profile, what IP address was used for the scan, which gets saved into the database.
And then I can also go ahead and download the results. So this is kind of fun. What happens is when the scan is done, it saves the files to an S3 bucket.
And then right here I can download those directly from the S3 bucket. It uses a signed URL for S3. So when I click this it just downloads the file, both a full size and a small one.
The full one has a lot more diagnostic information, so you have the raw JSON from the Nuclei scan.
You can also look at the logs here. This is where you can see where the actual scan executed and all the Ansible logs of all the stuff that it did. For the most part this isn’t important, but if there was a failure you would find out what happened inside the log data here.
Then obviously you can archive projects. Let’s say you’re done with the project; we want to save some information. One of the cool things that it does is it keeps track of cost. It pulls in real-time data from the DigitalOcean instance, and then it knows when the DigitalOcean instance started and when it stopped, and now I can calculate how much it cost me.
So instead of deleting things, we archive things so that we can save the value.
So I can start figuring out how much every scan costs me every week, every month or whatever, at scale.
Obviously, as you add more people... Another fun thing that you can do in here: I don’t want to use a cloud provider. I have no reason to spin this up.
But I want to use one other feature in here, which is the findings dashboard, which I’ll show you. You can manually upload JSON files right here. So if you go ahead and just browse for a JSON file, a Nuclei scan that you ran wherever you want, you can upload it in here and manually look at that data.
What the backend will do is take that JSON file, strip it all apart and put it inside the database so you can actually view it. That being said, let’s go look at it.
So if we go over to the Findings page, this is where we can investigate all the findings that occurred from that scan. What’s cool is you can sort by severity.
You can look at just criticals, just highs. You can pull this in a multi-select, or just criticals and mediums. You can sort across clients. So if you had a bunch of clients, by default it searches for all of those.
You can also search across the marking of these findings: acknowledged, false positive, remediated, other things like that. You can search for a search term inside the field as well, if you look for just a particular name.
And then once you have that in, you can apply these filters. Obviously for the criticals and mediums there’s nothing there, because this scan came back with just informationals.
But if you open up this, what happens is we group findings, because of the way Nuclei works: a finding may affect a bunch of different assets. So if you have 500 IP addresses that were all affected by this particular finding, it will group them into one dropdown.
That way you’re not looking through 500 mediums that are the same exact finding just for all different hosts. So in that dropdown you can look at that, you can go to View Details, and this is where you can pull the data that directly came from the Nuclei finding:
the references. You can see the request that it sent out. So this was the exact request; this was a DNS request. And you can also see the response if it’s available, if it was an HTTP request.
So this one right here, you should be able to see the curl command. This curl command is awesome. It allows you to recreate it if this was a critical finding. You can take this curl command and test it out yourself if you don’t believe what Nuclei found.
The other cool thing you can do is, because now we have a database, I can acknowledge this finding, I can say it was remediated. I can also go ahead and add a note down here and say, hey, with text blocks, heading tags, all the other fun stuff:
"Hey, this finding was bad." Whatever it is, save the note. So you can keep track of all your findings. And because we’re all logged in as a group, obviously we could all look at the same data at the same time.
When someone makes a finding edit or whatever it may be, we’ll be able to see that stuff.
Another thing I wanted to show is that we also have templates. So this is an in-browser template browser for the Nuclei findings. When the server starts, it automatically downloads all the latest Nuclei findings.
You can see those right in here. I’ll just dive into one. This uses the VS Code editor inside of Orbit. So you can go ahead and look at this finding
and what it’s doing. You can also create custom findings down here. So if we go down to New Template and say test: test, we’ll say Save.
And then under Custom, you see these have this exploit now; that’s my new one. If I double-click it, I can edit this and say test YAML. And so now it’ll use that in our scans. Or you can tell Orbit not to use this in your scans when you set up the Nuclei profile.
But this allows you to make custom YAML files right from here. What’s cool about this? As a team you can add stuff and not be like, hey, did you share with me that cool other scan thing that you created, or that cool YAML file that you use to look for these things?
So you can look for this. You can also delete these, obviously. We don’t need any more.
And then findings: you can see over here we are acknowledging, remediating, having notes. You can also click these and do them as a group. So if there were, like, hundreds of these, you can mark them all as false positives.
That becomes a really useful one. And I think that is about it as far as the features go for right now. You can control your monthly cost.
So this is a great way to start building in that cost generator. This will control which VMs you can actually select. You can control the data management, email settings and some other fun stuff. Inside of here, in the dashboard, you can see that our scan is still going.
I would say the scans take about five minutes to do a very simple scan because of the deployment process. And then the terminal, I’m not sure if you guys can see that, but it just opened up another terminal,
so in a browser. But you guys are getting a chance to play with that.
Okay, so that is kind of a demo of Orbit and all the fun stuff that it can do. All right, so some important information. First of all, this project is going to be open source and it will be on GitHub very soon.
So when I made the date for this webcast I was like, no problem, I’ll have the docs done, I’ll have all this stuff done. Well, no, it came and it went.
I am very close to having all this stuff. Obviously you can see the demo; functionality-wise we’re working here, but I want to give you guys an end product that you can actually consume easily, without any issues.
Obviously the cost is going to be free; it’s going to be an open source project, and it’s currently under active development. So I, like many, have released tools that we kind of think are cool and then let them sunset, and there’s no harm, no foul, right?
It’s a free thing. But in this particular case, I can tell you right now it is going to continue to get active development because we’re using it actively in ANTISOC. So it is going to continue to get more features and, more importantly, continue to get refinements, which is what I’ve kind of moved into right now.
Hopefully some beautiful docs. If you’ve clicked on that link, which I’ve seen a couple of people say the site’s not there, it will be up today. I have the doc site ready, and then after I do some more testing I’ll be putting the code actually on GitHub, and on the doc site it will have the link to GitHub.
But spoiler alert, it’s GitHub.com orbit scanner. There will be a getting started guide. It’s pretty easy to install.
So some other little nuances that people might be asking about: why was I running it on localhost? This seems like dev only. You can run this on your computer and you do not need to open up any firewall rules or set up anything to do the cloud infrastructure. The way that it works is it will use that API key and deploy the infrastructure.
And that system, when it needs to send data back to Orbit, opens up a reverse SSH tunnel
to Orbit from it. So you don’t have to open up any firewall rules to send the data back. Once the scan is done, it deletes and destroys the machine entirely. So you could definitely run it behind a firewall.
You don’t need to open it up to any ports or anything like that.
Conclusion. All right, nailing my time markers. All right, so just a quick recap. Scanning at scale can be hard. Okay, that’s really what I was trying to solve here: when you have to scan at scale.
But what I ended up solving is a bunch of other problems for people who don’t necessarily need to scan at scale and just really want to run Nuclei easily and affordably, because I’m only paying for the exact time that scan ran
in DigitalOcean, which a lot of times could be cents. Nuclei is super customizable, and without it this tool would just be a cool web interface, a button that allows you to deploy VMs. Okay, while that is very cool, this takes it obviously a step further and puts the first action in place, which is getting data and then analyzing that data.
There’s definitely value in building versus buying. While there are many products out there which I will happily buy immediately, in this particular case there’s a lot of value we got internally from trying to put this together.
And the team is going to see value into the future, not just for ANTISOC but for BHIS at large. And to deliver the tools, you have to build tools that allow you to work as one.
So what I really wanted from this was groupthink. At ANTISOC we’re working as a group, and I wanted a tool that we could work together on, as opposed to something that runs in the background and then someone has to individually look at.
So I really wanted a group tool. And the best way to do that is with a web interface versus a CLI.
We have pretty much established that on the Internet at this point. I don’t see us checking our bank accounts via CLI or anything like that. Not to hate on CLI, because it has its place. I’m just saying when you get a group of people together,
now I don’t have to explain all of the ins and outs of this command line tool. Cool. All right, with that said, let’s open it up for any questions. I know there are lots of words just flying across the screen, but well done, Ralph.
Thanks.
Jason Blanchard
Ralph, can you hear me?
Ralph May
Oh, I hear you. All right.
Jason Blanchard
Well done, Ralph. Good job. And to everyone that participated, engaged, and posted memes, thank you for that too.
If you haven’t checked in yet for Hackett, please do so. All right, Ralph, you mentioned ANTISOC. Could you please explain what ANTISOC is real quick for anyone who doesn’t know what ANTISOC is at Black Hills?
Ralph May
Yeah, I will re-explain that. The main thing that ANTISOC is, it’s continuous pen testing. And that’s what we’re using this tool for: to run scans all the time and get a good idea of the attack surface of our customers and then exploit them, actively.
Obviously we do some other things in there, which were in that slide. The other things include internal post-compromise testing and other kinds of purple teaming and other kinds of pieces in there.
But the bigger goal is to pretend to be an APT all the time for an organization.
Jason Blanchard
So, Ralph, from my perspective, when you sit down to create a tool, what’s the first thing you do? Like, what program do you open up?
Where do you go? And you just start, right? Because, like, I have a blank sheet of paper, I use Word or something, and I start writing a story. How do you start writing a tool?
Ralph May
I start with the problem first, right? What is the problem? And being able to define that problem, right? And then you start looking for the solution.
How could I solve that problem? And what you find sometimes is that there’s no obviously easy answer. But more importantly, you have to stack in other things to bring it together.
And then you start architecting what it should look like. This tool is actually not a product of me sitting down and saying, I have one problem and I know how to solve it.
Actually, this tool is a product of me doing that a bunch of times, iterating through and then figuring out what all of these things do together to solve that bigger problem.
It doesn’t solve just one thing. It solves like five different things. Okay. And I did that all in kind of an iterative process that has taken me a while to get there.
Jason Blanchard
So here’s a question. What do you do to avoid SYN protection? If you’re only using a single host to scan, you’ll likely get blacklisted running Nuclei.
Ralph May
Sure. So there are a couple of different ways to approach this, but we’re running scans at scale.
So the first thing that I do, and that’s already built in, is Orbit will keep track of every host that gets skipped.
Nuclei has a process of trying a certain number of times and then skipping a host. I’ll keep track of those hosts and then I’ll go back and figure out why they’re getting skipped. And this leads into some of the new, probably more advanced features that are going to come to this tool, which is scaling into multiple clouds and then testing back to figure out why you’re getting blocked.
This is actually two problems, right? You’re describing the first problem, which is getting blocked. I’m describing the actual problem, which is running the scans at scale. Those two problems are related to each other, but it doesn’t matter whether you use Orbit or not.
That’s still a problem, right? Whether I’m getting blocked or not. How Orbit can solve it, though, is by keeping track of that information so that you can iteratively start looking through: is it an IP problem or is it a type-of-scan problem?
Jason Blanchard
Will it work with self-hosted Nuclei?
Ralph May
I’m unsure of the answer to that question. Will it work with self-hosted Nuclei? Yeah, I don’t know how to answer. I guess I’m confused about the question, I guess.
Jason Blanchard
Okay. And then, Ralph, why do we make it free?
Ralph May
Because I love all you guys. Yeah. I talked to somebody about this before I released it, and they said why, there are a lot of commercial products out there.
So I think, for me, this is giving back to the community and the values that we embolden.
And I think the other thing is that this allows us and the community to both grow together, as opposed to necessarily just finding another way to take a buck from it.
But our customers at ANTISOC benefit from this, the organization benefits from this, and the community benefits from this.
Jason Blanchard
Deb, do you see any other questions that I missed?
Deb Wigley
I do not. And if we missed your question, feel free to ask again.
Jason Blanchard
Ralph?
Ralph May
Yes. As far as timeline goes, for everybody who’s wondering where this is, it’s probably about next week. I’ll have it on GitHub, all the code. Like I said, I would rather have it tested a bunch with some other people having set it up than have that all just come back to me and have to do that for everyone at scale.
So I just wanted to do some more testing. This webcast came up sooner than I wanted. But, yeah, hopefully it’ll be very soon.
Jason Blanchard
Ralph, have you ever heard that theory, or the report that came out, where people said if they were going to run a marathon, they posted on social media and said, I’m going to run a marathon. And they get all the dopamine from people saying, yeah, that’s awesome.
That’s great. And then they don’t run the marathon. Is that what’s going to happen with this? Wow.
Ralph May
So I already ran the marathon, Jason. I already ran it. So I don’t have to worry about that. All I have to do is share the results.
Deb Wigley
Yeah.
Daniel Lowrie
Hey, guys, I just wanted to pop in. There were a few questions in the Zoom Q&A.
Ralph May
Okay.
Daniel Lowrie
I didn’t know if you guys saw that or not, but there was some stuff going on there. Yeah, lots of stuff. Let’s see here. Where do I begin? Why not? Oh, the first one is: is Nuclei noisy, or not so much?
Ralph May
Yes, Nuclei is very noisy, but the value is your choice. So the noisier it is, probably the more things it’s going to find.
That’s not an inclusive statement. But the less noisy things are, probably the less it’s scanning for. But the way that we kind of architected this is to say, noise be damned; if you would like, you can block this. Okay. The bigger question that we typically really divulge down to is, are we affecting the quality of service for customers?
Which sometimes can be a problem. So I think that’s the bigger one to ask than, is this noisy or not noisy? Because guess what? The noise... The Internet’s noisy. It’s really noisy out there.
Anybody can scan you at any point for any reason. So, yeah, and for some customers we do end up doing IP whitelisting, which is another feature that needs to get added to this.
Daniel Lowrie
But, yeah, sometimes a little noise is a good thing, right?
Ralph May
Yes.
Daniel Lowrie
It’s not a bad thing. Someone asked... well, I guess it’s William asked, why not Renjen Re... Yeah. Re Engine, Renjin. I have not heard of this.
Ralph May
I had, like, a 10th hour thing. I’m like, did I just build something that somebody already made and it worked perfectly? Like, what did I do? It’s like coming out of the cave and being like, did I miss something?
And the truth is there’s a possibility that somebody has made something just like this. Okay. But the value for the organization is above and beyond those other things.
And I’ll explain why. Now I can add that one little feature that we need in our organization to help us succeed and be more successful, as opposed to figuring out how someone else did it and their tool to do it.
That’s kind of one of the benefits of building versus buying. But when I did look, I didn’t see anything. And I’m totally okay with running someone else’s tool if it gets the job done. If I had seen what somebody else was doing and it was working perfectly, I might have fallen into that cave.
Daniel Lowrie
So yeah, Bill asks... oh, go ahead.
Jason Blanchard
I’m just picturing, like, you make an open source version of someone else’s commercial tool and they’re like, I think I...
Ralph May
Might have, to a certain degree. Yeah. So yeah, these things happen.
Deb Wigley
I have a question. Well, I don’t have a question. Someone in the chat has a question about just the inner workings of Black Hills SOC and ANTISOC. Does BHIS ANTISOC communicate with BHIS SOC at a high level to better inform Slack how to better protect BHIS partners against real-world attackers?
Ralph May
I think the answer to that question is yes, and the answer to that question is no. So we don’t collaborate together to kind of gamify the system.
But we do share intelligence about maybe trending things or other attack venues that they should look out for. If we come up with a novel attack technique, the SOC should know about this novel technique so they can detect it or stop it.
Additionally, if a novel technique is discovered in the SOC, we would love to use that on our customers to see if they are also vulnerable, whether they have the SOC or not.
Deb Wigley
So, makes sense for sure.
Jason Blanchard
Someone says, I’d love to share notes at some point. I’ve built something very similar.
Ralph May
I know, I know. It’s one of those that came from...
Jason Blanchard
Not renjinjin.com. I can also confirm this is their first time coming to this webcast, so I can almost guess they, like, saw the title and, like...
Ralph May
Oh, yeah, yeah, I know. It’s like one of those things. Yeah, go ahead.
Jason Blanchard
We’re gonna have you wrap up and then we’ll stick around for a couple minutes of post show.
Ralph May
Yeah.
Jason Blanchard
All right. So, Ralph, if you could sum up everything you talked about today in one final thought, what would it be?
Ralph May
Nuclei is amazing, and you can make it scale. And if you take one thing away from this webcast, go run Nuclei scans. There’s a lot of value there.
Jason Blanchard
All right, so if you joined us today for the very first time or the 10th time or 50th time, thank you so much for coming back. We appreciate you. Next week, we’re going to do this again with John Strand at 4:00pm Eastern Time.
So John’s doing a very special webcast next week about all the things we’ll continue to ignore in 2025. So if you want to hear John rant for essentially an hour, come back next week at 4pm, or you can attend his SOC Core Skills class next week, which is a pay-what-you-can class, and you can also attend Beau Bullock’s pay-what-you-can workshop tomorrow on Intro to Cloud Security.
So we have a lot of stuff going on, and so we appreciate you being here. Thank you so much for being part of this community. Thank you so much for continuing to learn. And thank you for engaging in Discord in a way that we can all like.
Because when it’s just you, like, talking into a screen and you don’t see any kind of reaction, it’s boring. And so you make these not boring. So thank you so much for being here for that.
Deb, any final thoughts?
Deb Wigley
As always, thank you for choosing to spend an hour, or an hour and a half, two hours, however long you gave us today, with us. We realize there are so many things that you could spend your time on, and listening to Ralph talk for an hour always brings joy to my heart.
So thank you for choosing to do the same.
Ralph May
Yep.
Jason Blanchard
And if you’re a Kickstarter backer for the comic book, it’s going to be coming to you February 24th. Check your inbox to see the recent update.
Ralph May
Okay.
Jason Blanchard
All right. Okay, so we’re in post-show. Ralph... Daniel, you got any more questions for Ralph there?
Daniel Lowrie
There are many, many, many questions that popped up in Zoom. Another one, which I thought was a really good one, comes from Dale: when a scan is complete, will it automatically delete the DigitalOcean node,
or do you have to manually track those droplets?
Ralph May
Oh, yeah, no, it’s all automatic. So it automatically deletes and cleans up every single asset that it made in that cloud provider, and in the future, other cloud providers. And you just have the data. So you only pay exactly for that scan, which is what I was really going for.
Daniel Lowrie
That’s very cool. That’s what we like to hear. Right? I figured that was going to be the answer, but... because anybody that has to put their credit card on this thing.
Ralph May
Yeah. So the other thing to note is that I thought about that. So what if it fails? Okay, so the dashboard will let you know if a scan is still running, or if the scan failed but the machine is still running, because it keeps track of when it’s actually been destroyed.
Okay. So if a scan failed but it didn’t get destroyed, you’ll know that that scan failed and it’s not destroyed. Additionally, there’s a button to just destroy it, so you don’t have to keep that asset going, or you can investigate via the logs or the terminal if you just want to jump in there to figure out why or what happened.
So you have all of those choices. But the cloud works best when you only use exactly what you need. And it works horribly when you try to use it as conventional infrastructure.
Daniel Lowrie
Yeah, yeah. That seems like you actually did some research on this. I mean, I could be wrong. I could be wrong. Let’s see here. We have: Can Orbit be integrated easily with open source?
Seems like wasm.
Ralph May
WASM, never used it. That doesn’t mean it’s bad or good. I have no idea. But yes. So integrations would be something I move forward to. One of the things that I’ve got a lot of integration is notifications.
So I did. I forgot to show the rules notifications tab. Oh my gosh. There’s notifications for Jira. What do you call it? Teams?
Other things like that. And what you can do is get notified when a scan’s complete, if there’s been a high or critical finding across all customers, groups of customers, other things that you can build multiple rules around. Notifications. So I totally missed out notifications, but people get to see it when they set it up.
Daniel Lowrie
Okay, here’s one from an anonymous attendee. They asked, does Orbit require cloud access for scanning, or can those assets, like a bucket, be on a local VM or with Orbit itself? I’m thinking of internal scanning in environments with limited Internet access.
So can we keep this in house only or do we have to have access to some cloud infrastructure to spin this up? I mean, it seems at scale.
Ralph May
Yeah. So right now it definitely is designed for cloud infrastructure. Just kind of the way it works. The reason I use an S3 bucket, that’s something that everyone can always access whether the machine, no matter where it’s at.
And then also because it allows me to save an unlimited amount of data. So I’m not worried about the host itself. But could that be a possibility? Yes, in the future?
I think what’s ended up, possibly going to be is more of another approach that I’ve seen other people take, which is an agent driven approach. So from like an internal testing or unopened would be more of like an agent driven approach.
Which, yes, but architecturally speaking, yeah, you could definitely save the data locally. But it’s not integrated right now.
Daniel Lowrie
Yeah, not the only. There’s another person asking for on prem infrastructure support. I get it.
Like a lot of people, like, I don’t want it to traverse outside of anything. I don’t want to have to depend on it. If the Internet goes down or if we have an air gap system or maybe a very siloed section of our network, I still want to be able to scan it.
It makes sense that they’re wanting that, but it’s got to start somewhere.
Ralph May
Yeah. So the way that I would. Architecturally, the way I thought about doing internal scanning is actually you deploy an agent and it just communicates back to Orbit. And then that’s how it runs its deal.
Because right now, the way that I’m actually doing the communication is I’m using the cloud and then doing the SSH to create that, communication back. So just always depends. But, yeah, that’s it.
Deb Wigley
That’s it for us.
Daniel Lowrie
No, no. Is that it? You want to call it a day?
Deb Wigley
You want to call it Ralph?
Ralph May
It doesn’t matter.
Jason Blanchard
Next.
Deb Wigley
What are you gonna do next?
Jason Blanchard
Gonna get the website up.
Ralph May
Yeah, yeah, yeah, I know. I was in one of those things like last like 10th hour. I already have it built. It just needs to be published and turned on.
Deb Wigley
He already ran the race. He just crossed the finish line. I guess, like you’re right, right there.
Ralph May
Already ran the race.
Jason Blanchard
Well, the problem with finishing the marathon is you’re so exhausted. Like, you just, you don’t even want to go running again for a couple weeks. And so, yes, Ralph, thank you so much.
Thanks for sharing your knowledge. Thanks for being a part of the ANTISOC where you create things like this and get to give them away for free. Yeah. Need it. Need anything from us before you go, Ralph?
Ralph May
No. Hey, everybody who’s still here, thank you very much for listening to me yak for an hour. I know you have a lot of things to do in your life and listening to me, I appreciate it. And then hopefully get to help some people out that needed this.
Jason Blanchard
Yep. All right, so don’t forget the pay-what-you-can stuff coming up tomorrow and next week, and then the news on Monday next week, and the new.
Ralph May
Everything counts for Hackett, everything counts. Whoa.
Deb Wigley
No, sorry, not the classes. Yeah, we, we did decide during this webcast what hack at 40 was going to be, though. What the rewards.
So that’s coming soon. And it’s not socks.
Ralph May
Sorry.
Jason Blanchard
It’s not socks. Something different.
Deb Wigley
Something better.
Jason Blanchard
Daniel, anything before we go?
Daniel Lowrie
Man, this was a lot of fun. I really enjoyed watching this because this is the kind of thing that really kind of like, stokes my fire. I’m very interested in things of this nature. Played around with Nuclei myself, so.
Very cool tool. I, can’t wait for that GitHub to be live at 5, because I’m.
Ralph May
Going to go have to do GitHub. Yeah, I’m sure everyone’s going to find every single bug in that damn thing somebody asked about.
Daniel Lowrie
Did you security test it? It’s like, yeah, we do that.
Ralph May
No. Oh, my God. How many things slowed me down in the process because I thought about how I could hack it, it just blew my. Like, I went into a whole architectural design about storing the API keys.
Like, do you store them in plain text? Obviously, that’s my biggest crown jewel. So I ended up encrypting them with an environment variable. And only allowing. And you can never extract them.
They only get extracted for certain things. And then when you use Ansible, it re-encrypts all the. Yes. Architecturally, being a security person is horrible for designing software because it slows you down like crazy.
Daniel Lowrie
You’ll never get anything done.
Ralph May
Yeah. God. So anyway, sorry, last.
Deb Wigley
Last rant.
Ralph May
Yes, I’ll. I’ll rant you final rant.
Jason Blanchard
All right, everybody, thank you so much. We’ll see you soon. Ryan, go ahead and kill it with fire.