Podcast audio-only versions of weekly webcasts from Black Hills Information Security
Hey everybody, welcome to the BHIS Webcasts. We've got Ben Bowman here. He's going to give us a cool, awesome presentation about a new tool that he's been working on. He's really excited to share it with you all. It's helped him a lot and hopefully, it might help you in your work.
Ryan Poirier:And that's all I'm gonna say. I'm gonna hand it over to Ben. Ben, take it away. I'm gonna go backstage and we'll come back at the end for questions and fun stuff. That sounds see you later.
Ryan Poirier:Thank you.
Ben Bowman:Alright. So I'm gonna start by just introducing myself a little bit. I'm Ben. I'm a pen tester at Black Hills. I also make tools and do all sorts of cool stuff like that.
Ben Bowman:And this is my GitHub. It should be up on the screen. Go ahead. Go check it out. Look at some of the other cool tools I've made.
Ben Bowman:Give me a follow, star stuff, all that cool jazz. I'll just get into it. So I have a really bad habit of talking fast. I'm gonna try to make sure that I talk slow, enunciate, and keep it clear. So this is my little, like, presentation on abusing PAM.
Ben Bowman:So for those of you that don't know, there's a thing called PAM in Linux, and I feel like it's not discussed and it can be really useful as a as a tester. But there's really no tooling available for it, so I tried to make sure that, you know, I could cover that, the empty space. So what I don't know, I don't know anything about quantum physics. I don't know anything about linear algebra, And I don't know much about persistence. Right?
Ben Bowman:I felt like there was a gap in my in my skill set, and I'm willing to admit when I don't know something. So I didn't know much about persistence. And I started with Linux, and I realized that there wasn't a ton besides, like, crontab. You know? So in my pursuit of understanding persistence, I found a tool.
Ben Bowman:This was when I was in college that kind of messed with something called PAM. But before we discuss what PAM is, I kinda wanna dial it back and talk about something. You guys remember Mimikatz? I think it might still be used. It's got it's gotten so fingerprinted to the point of being unusable is my understanding.
Ben Bowman:If you type it in and hit enter in command prompt, antivirus will flag on it. Even if it's not installed, just being there, it gets flagged on. Right? But there's a feature on Mimikatz that's really cool that I really like, and I don't ever hear anybody really talk about it, mainly because it kind of can cause impact to functionality and security. Right?
Ben Bowman:It opens a door for it opens a door for attackers to abuse besides the tester, so it's not as practical. But Mimikatz had a super cool module plug in called the skeleton key. And the skeleton key only works for Windows, and it's not super useful since antivirus became the default with Windows. And it's sort of a lost concept. I haven't seen anything about SkeletonKey worth using since Mimikatz.
Ben Bowman:And even then when it was available, it was a little finicky. You couldn't pick what password. I'm pretty sure the password, when you ran it on the computer that it injected into is SAM or LSASS, I can't remember, but it injected it in to give you like a universal password. The password was always the same. Meaning, if you had a client and you used it in production, you're kind of leaving that hole open.
Ben Bowman:Right? So it wasn't necessarily the most useful in a, like, in that sense. But when you're dealing with SAM, you're dealing with Windows. Now this isn't super well known, I don't think, but there's an alternative to SAM in Linux called PAM. Google says, PAM, which stands for pluggable authentication modules, is a flexible centralized security framework in Linux that separates user authentication tasks from applications.
Ben Bowman:Google doesn't think like a hacker. Right? It doesn't see what I see and what you guys should see. I say PAM is the gateway for all authentication. Whenever you SSH, log in, use sudo, it all has to authenticate through PAM.
Ben Bowman:So if all authentication is handled through one gateway, how can we abuse this as an attacker? If all users on a Linux box authenticate through the same thing, what can we do with that? That sounds really enticing to me. So we're gonna take a little bit of a dive. And I apologize if the text is a little bit too small.
Ben Bowman:It's hard to cram a lot of this in here because there's so much to go over. But there's a PAM API, and what happens is the stack works like this. The application calls the PAM API, and libpam reads the configuration file. It chains through the modules in order, and there's different modules that come with PAM. We'll talk about that in a little bit.
Ben Bowman:Each module returns success or failure. It's essentially a Boolean. Right? It returns yes, no, one, zero. If you don't know what a Boolean is it's like a programming thing.
Ben Bowman:It's just true or false. And they call it a Boolean because they wanna be special. I don't know if there's a better reason than that. The final results are returned to the application to utilize. So here's kind of the reason why we have that.
Ben Bowman:You don't wanna rely on SSH, Telnet to build their own authentication kind of standard. Right? Because what if they use SHA-1, MD5. Right? If you're using PAM, you know there's some degree of consistency and security.
Ben Bowman:And so there's an API that you can plug into with Linux to to sort of handle authentication through users. It's really cool. There's configuration files. There's modules. There's logging.
Ben Bowman:There is global configurations that are very dangerous that you would never touch, but they do exist. And pam_unix handles /etc/shadow. If you don't know much about Linux, /etc/shadow is where credentials are stored and handled and all sorts of stuff. That's that's very enticing to us. Right?
Ben Bowman:That's my hint. So pam_unix isn't PAM as a whole. PAM isn't just a file. PAM is like a Linux kernel with a bunch of modules it uses. So pam_unix is one of the modules.
Ben Bowman:There are four interfaces, and there's a ton of modules, but there's some that are more notable than others, and we're only gonna discuss those. The four interfaces is it handles authentication, accounts. So when you authenticate, you know, it returns true or false. Is the authentication credentials valid? Does this user exist?
Ben Bowman:Is the password what it should be? The account, it checks if the account is locked, if it exists. It's sort of a validation thing. Session. So when you sudo, you get a session or when you log in, you get a session through PAM.
Ben Bowman:So it handles session management as well. And then password, it handles credentials updates. So if you change your password, all sorts of stuff, that's all handled through those interfaces. What I want you to take away from this is that is a lot of sensitive things handled by one kernel module, one kernel and a bunch of its modules. So notable modules, you're gonna see me on this a few times.
Ben Bowman:pam_unix handles /etc/shadow. Right? If you're getting what I'm I'm I'm putting down, it's it's exactly what we're interested in as an attacker. But there's some other cool things as well. It can handle LDAP, Kerberos.
Ben Bowman:You can run scripts, do lockout tracking, and all sorts of stuff with PAM. So it has a lot of cool functionality. And we wanna we wanna see how we can exploit that. But we wanna focus specifically on authentication stuff because if we're talking about skeleton keys, we wanna, you know, we don't care about anything besides authentication. So here's a nice diagram that kinda helps you understand.
Ben Bowman:There's the PAM API library, and you have applications at the top that use it. And then you have the the service modules or the stack that it works through, and then it has a configuration file as well. This is kinda what it looks like at a super high level. And you have to understand that I am not a absolute wizard kernel stuff. This was kinda my first real deep dive into it besides a previous tool I'd worked on called WiFi Forge, which touched another part of the kernel, and it was a huge rabbit hole as well.
Ben Bowman:Every time I think I understand the kernel, it just gets worse. I mean, it's really well made. I can't believe it works, but I don't think I'm ever gonna fully understand it. So bear with me as I try to claw through kernel stuff. So here's a step by step flow, and there's a lot happening here.
Ben Bowman:The app calls pam_start and sets up the PAM handle. The app calls pam_authenticate to trigger the auth module stack. Now I want you to pay close attention to the auth. Right? It's handling auth.
Ben Bowman:It reads from the service and follows the auth stack from top to bottom. Each module receives credentials via the conversion or the conversation function. Modules return the Boolean. They return authentication error, authentication success. They ignore it for whatever reason.
Ben Bowman:Maybe there's a lockout policy. It runs account checks for things like expirations, locks. Then it opens a session, and then when you log out, it kills the session. And that is from top to bottom how the flow of PAM works. That's how the API works, those are the steps that it works through when we use it.
Ben Bowman:The con the conversation function, that's where the magic happens, and that's where we kinda wanna focus. The conversation function or the con function is how PAM asks the user for credentials. So it's a callback by the application that's then passed to libpam. Modules call it to prompt, and then the user provides credentials and it's sent back. Now, what's cool about this, and it seems like an oversight, I'm sure there's a really good reason why they they designed it this way, likely to standardize encryption with with it.
Ben Bowman:But the malicious module that we make can intercept the the credentials before they're encrypted. We can take a module that handles the conversation function, and we can modify it, compile it, and swap it out so that it works the same, but there's extra code in there. Now because Linux doesn't have antivirus out of the box, unlike Mimikatz, you can be as loud as you want as long as you have super user root permissions. You can kinda do whatever you want. So you can swap out files in, like, a low level.
Ben Bowman:So if you land on a box, you can swap out an authentication. And when somebody authenticates before the credentials are encrypted, you can grab them and then encrypt them, and then send them to PAM through the module. So this should be ringing a bunch of bells for you guys and sending up flares. Should be setting up a bunch of like flags, know, like, oh, we can handle credentials before they're encrypted. Yes.
Ben Bowman:And that's exactly what we're trying to do here. What does this tell us? Credentials are encrypted by PAM after being received. They're not encrypted beforehand, likely to standardize encryption would be my guess. Although, I don't know that.
Ben Bowman:That's just my guess. Huge if true. Big deal. This is really cool for us as an attacker, especially considering that most Linux machines aren't heavily guarded in my experience, and they don't have antivirus. There is an antivirus called ClamAV that's open source that I've been kind of interested in, but that's a that's a tangent.
Ben Bowman:So the modules are .so files, and pam_unix.so should be our focus. Now if you remember a few slides back, we talked about notable modules. pam_unix is what kind of interacts with shadows. Right? So whenever you authenticate through SSH, whenever you authenticate through Telnet, whenever you authenticate through just the login screen, whenever you sudo, even if you're just sudoing, those credentials all get handled by that module before they're sent off to PAM.
Ben Bowman:So the modules, PAM Linux, pam_unix_auth.c file is the source code. The Linus Torvalds leaves open source for you on GitHub. So it's it's open source. You can see the code, and you can you can do all sorts of stuff to it. That's good for us.
Ben Bowman:Right? We like that. So what code changes do we actually make? The original call code calls a function to see if the user entered the right password. So it calls a function in the API to check, is this the correct password?
Ben Bowman:The injected code that we wanna add is an if statement, if the password provided matches a password you choose, it forces a variable to PAM_SUCCESS. Now what this means is, if you guys remember, I think it was like a year or two ago, some SSH thing, I believe it was, somebody tried to sneak a backdoor into it. I don't think it ended up being like a state level thing where there was like an equals instead of an equals equals, they got caught because of some sort of timing thing by some guy that really likes to maintain that library. Essentially, it was a backdoor. And it's kind of along the same lines of what we're doing here, except we're not attacking the supply chain.
Ben Bowman:We're just modifying a kernel module and compiling it and swapping it out. I'm gonna take a drink. I'm getting dry. So what we do is we just throw some code in there. We say, password equals whatever we set it to be with the tool that I've made, then allow access.
Ben Bowman:And it's universal for all users. So no matter what user, you can set a skeleton key password to use for all of them because this code supersedes. Now this is cool. Right? Because if you can swap out the module, if you don't know the the password for another user, then you can hijack their account with a skeleton key.
Ben Bowman:Right? You can beat them essentially, given you already have to have root access. So there's kind of some things there. It's interesting, and it should be interesting to you as well. So you can log in as any user, essentially, if you can get this to run.
Ben Bowman:Now one thing I wanna talk about that's cool. Skeleton keys are really cool. And that's kinda where, like, when I started this to to help strengthen my understanding of persistence. I made it as far as I wanted to make it right here. But then I started to think about some scenarios where it might be useful to abuse this as well for more than just skeleton key access because if they change a password, they can't lock you out.
Ben Bowman:And the chances of them auditing to know what file you swapped out in the kernel are pretty low. So it's a really good persistence method. The chance of finding it, especially if you clear bash history, which is included in the tool to clear it for you, It's it's it's good stuff. But people have a habit. I've noticed this.
Ben Bowman:People have a habit of using the same password for everything. And I mean everything. I have seen domain admins use the same password across tons of accounts. So I'm not saying this is a universal rule, but the chances of somebody high privilege using the same password for a local Linux user with the same username as they do in their domain is pretty high. It's not guaranteed, but pretty high.
Ben Bowman:And that's where I started to to really think about how we could take this a little bit further. What if we can grab the credentials before they're encrypted and store them in a file on disk? Now that's cool. But what about on the small off chance they realize something has occurred? They reverse the change.
Ben Bowman:They tear the box down, they they segment it, you know, they isolate it on the network. What if we lose that and we can't get to that file? And we don't wanna have to check-in on that file all the time. Right? So that kinda brought me into some scenarios.
Ben Bowman:If you're on a box and you have root, and there's a domain admin or some other high privileged user that needs to use that Linux box via SSH or whatever, they're gonna access. And when they access it, if you have root, you can run this tool and swap out. So you swap out the kernel module, and when they log in, you get their password on disk, which is really cool. You can then take that password and try it in other places. There's a really cool tool called SSH-Snake, and you can plug in SSH credentials and let it kinda worm.
Ben Bowman:It it's like a worm. It'll try everything, and then when it gets in, it'll grab keys and add it and try those again. It's really cool. I don't know how destructive it is, but I used to use it in CTFs. But the point being is that you can use these credentials to start to move other places, and that's kind of what we want.
Ben Bowman:So one of the attack paths that I really like the idea of is you land on a box, you run this, and then a DA logs into his account on the Linux box at some point via SSH or what have you. You take his credentials and you try them in active directory, they work. That's the scenario where I could see this being super useful. And I could see it being not just possible, but probable because of how people use credentials. It's just a fact of life that people do.
Ben Bowman:They should reuse credentials way more than they should. Before we proceed, the topic of stolen valor. I hate to steal a tool and claim it's my own, so I added a a bunch of features and improvements and quality of life. I did not make this original tool. I am big on contributing to open source, and I will admit when other people have great ideas.
Ben Bowman:So when I was in college, stepping back a bit, I used this tool that this person made, and it was my ace in the hole for CTFs. I would always win because they would use the same password across multiple boxes so that people in on the same team could all authenticate without thinking too hard. So they changed the the credential on this box, and then I would get the credential, which would get me right back in. Right? So every time they changed the password, I would get right back in, and I also had the skeleton key.
Ben Bowman:But the big thing that I added is the Discord webhook, and I'll kinda talk about it more. But tying back into the issue of what if we lose access to the the file on disc that has all the credentials, Discord webhook. It's always Discord webhook. Back in the day, people used to use the Dropbox API, I think. There's paste bin and a bunch of other, like, SMTP exfiltration things.
Ben Bowman:I like Discord webhook. The chances of one of your employees using Discord is pretty high, and so restrictions are less likely than something sketchy like Pastebin. Also, it's just cool to use Discord because it pings me, sends me a message, and I like that. So I added a feature to it. This is the main one, where now you can specify a Discord webhook and whenever anyone authenticates, it will send their username, password, and the machine name to your Discord server.
Ben Bowman:Really cool for exfiltration. And I kind of got the idea and inspiration from some rubber ducky scripts where when you would run a rubber ducky to get the Wi Fi password off of a machine, say you walk in and there's a kiosk, you plug into it, and WLAN, net SH show profile, key equals clear, and then it would send it to a Discord webhook. And I'm like, that's a cool idea. I wish I had thought of that. But I thought it'd be super useful in this because when we would do CTFs, we would use Discord to communicate if we were online.
Ben Bowman:So it was perfect. We could have like a loot channel and dump it all into that channel. So I credit the the person that made this at the end, give them full credit, you know, added them to my references link because I want them to be acknowledged for the cool work that they put in to get this tool started before I improved quality of life and and that sort of thing. So I used it in CTFs in college. It provided functionality, but poorly.
Ben Bowman:I forked the tool, added tons of quality of life features. I added a better user interface before there was no user interface. And there was tons of files, which is really messy, especially when you're trying to be kinda quiet. So I consolidated all the files into one script. Dependencies were not handled.
Ben Bowman:So I would run it, and then I'd have to see, okay, what dependencies do I have to install to get this to work on a Raspberry Pi versus the CentOS device versus I think one time I even ran into Gentoo, which was horrible. I don't know why they would do that, but the script won't run on incompatible OSs. It's built specifically for Debian, and I would kinda like to add functionality for other distros that have different dependency package management sort of thing. I just haven't. And Debian is probably the most common that I've seen since Ubuntu, Kali, Iterit, that sort of thing.
Ben Bowman:So it it it can work on Debian. I have not tested it, and I doubt it would work on non Debian. The problem I also had is I would like to use this eventually. I haven't had the opportunity, but I'd like to use this on a test. The problem is in the original script, it would swap out the file and just nuke it, the old one.
Ben Bowman:So cool. But now how are you gonna reverse this once you're done with the test when you're cleaning up? You have this backdoored kernel module. They'll never find it probably, but you should definitely close the the gap. But then nuke the original file.
Ben Bowman:So now all the script creates a backup of the PAM before it overwrites it. So that way you can restore if you need to. The setup on the original tool was a lot more difficult, and you had to go and git clone or download, copy, and paste. So now I have a really easy hot button command I'll show you in the demo where you just paste it and hit enter. It pulls it down, changes the permissions for the file to execute, runs it, and then it clears your command history.
Ben Bowman:Because on a CTF, the first thing I always do is type history to see what the people that are running the CTFs forgot to delete. A little bit of a pro tip for college students. Always run history and check the the bash history. It should be really useful. One time I found a backdoor and then just set an IP table on it, so that was fun.
Ben Bowman:I didn't even remove it. Anyways, the way it sets up now, it kind of covers its tracks a little bit more. And if there's any sort of, like, EDR or anything like sort of detections, it they're gonna catch this because you're swapping out a kernel module. It's gonna stand out like a sore thumb likely. But if they don't, if you cover your tracks in the way that the tool has built in, the chances of finding it are pretty low.
Ben Bowman:I also added PAM version detection because who knows how to check their version of PAM and the kernel Linux kernel version? I sure didn't. I do now. But I didn't. So I built it into this tool.
Ben Bowman:So instead of the old version, now it automatically detects and pulls the right version that you need. Because if you get the wrong version mismatch, it will break. So now it just kinda does it for you. I'm really big on making tools that work out of the box and just work. So, I mean, I don't think you need to make people learn to look up their version of PAM so that they can do this.
Ben Bowman:So and it just automatically does it. I prettied up the readme, and then I added branding to make the tool more notable, stand out, and now appears another generic abandoned CLI tool. GitHub has a plethora of five commits seven years ago. Cool tool that does amazing things, never maintained. And nobody seems to find them or use them.
Ben Bowman:So the most funnest part of hacking is the loot. What cooler way than for Discord bot to message you with loot? I love that idea because I wanna be able to stand up and go get lunch and get a message saying you popped someone. That's super exciting, and it makes my day, and it's super elite. There's a lot of people laughing at that, but I'm I'm human.
Ben Bowman:Okay? My my fun is the loot. That's what I live for is the loot. So I wanna make it cool delivery. So I've gotten sort of smarter with time, and I've learned that whenever you demo live, it doesn't work.
Ben Bowman:It doesn't work ever. Things break. I demoed WiFi Forge, and we got into eventually run, but it broke the first time. And I had to sit there with an audience, about the same size as the audience we have now and be like, I don't know why this isn't working. I built this tool.
Ben Bowman:I'm supposed to stand up here and look competent. It's not working, and I'm looking confident. I didn't like that, so I prerecorded a demo. It does work out of the box because I recorded the demo five minutes before we got started. So it does work, but I didn't I didn't wanna risk it if I didn't have to.
Ben Bowman:And I didn't wanna have to sacrifice a chicken for the demo gods, I think is what John said. But because I wanna show you how long this process takes, I did not clip it. You have to sit and watch for five minutes while it compiles a kernel module, and we're gonna sit together and watch this because I think it's funny and it gives me time to kinda chatter, which I love to do. I'll walk you through it. So the first thing I do is go to the GitHub.
Ben Bowman:If you don't know already, I'll have to share a link unless somebody can find a link and share it for me. This is where the tool is, and I'll pull it up after the fact. All you do is you copy that command and you drop it in the terminal. Hot button command, way better than before. It pulls it down, changes the permissions.
Ben Bowman:And I didn't run the command to clear the bash history in case I needed it, but it's also a hidden file. So it's got the dot. That way, it's a little bit harder to find during investigation. And here are the options that we have. I'm gonna pause for a second.
Ben Bowman:So we can check we can specify the Linux PAM version because detection is not always guaranteed. I did my best to make detection like a guarantee. Right? It it seems to break no matter what I do on anything whenever I try to do automatic version detection on anything Linux. I don't know why that is.
Ben Bowman:I'm probably doing something wrong. But you can specify manually if you would like the Linux PAM version. But if you don't, it'll try to detect it automatically. It's worked for me so far, so but there's no guarantee that it does. If you do tag p, you can set your skeleton key.
Ben Bowman:So this is like your one password for all users on the host, and it's pretty cool. Then there's the webhook. If you don't know how it works, I'm I'm not gonna demo it. But if you control or have permissions over a Discord server, you can create what's called a webhook where when you send a request to this webhook endpoints, like an API endpoint, you can deliver data that then gets put into the channel by a bot. Super cool.
Ben Bowman:But that's how we're gonna do the Discord webhook. Then we have verbose mode because it breaks, and I need to debug, and I left it in there in case it breaks for you. So that if you're using this, you know, you can leave an issue on the GitHub because I love solving issues. You can leave an issue on the GitHub with the verbose output. So that's more for me than you.
Ben Bowman:And then the restore, and this is what brings the PAM file back out and restores it. That way when you're done, you you can swap it back. Now it always stores the restore file on the same spot, I was kind of thinking about this a couple days ago. If somebody is aware of this tool, they're just gonna probably go check that directory and then be like, oh, well, there's a backup, so it must have been swapped out. But let's pretend that that's not an issue.
Ben Bowman:I'll probably add a specification later where you can specify where to put it. That way, you know, it's a little bit more hidden. If this tool becomes used enough, it might become an issue, but I don't know if it will be. So but we have a help banner as well. I have this pregenerated command, but I wanna break it down for you a little bit.
Ben Bowman:I run it. I set the skeleton key test, and then I have the webhook that I already generated for the Discord channel in the background behind the terminal. Now this is where it gets fun, Exciting and exhilarating. We have to wait for the dependencies, which takes a minute. It takes a while.
Ben Bowman:And but I want you to know how long it takes. So if you use it, you can actually, you know, see expected behavior. Because if I cut it down, it's gonna it's gonna seem a lot longer. I did that with WiFi Forge where I cut cut down some stuff, and then people are like, wow. It loads really slow on mine.
Ben Bowman:And that's because I had already preinstalled it, and then I just want to install again. So I just want you to have realistic expectations. I'm I'm not gonna be fast forwarding, so I'm just gonna stand here and talk about it. Gonna be Deb Wigley distros just specifically. It's it's Debian based distro.
Ben Bowman:Anything that uses apt. So mostly Debian based distros. I actually don't know if any other distros use apt as their package manager. I don't wanna be that guy, but I use Arch. And so I I I don't think it works on there.
Ben Bowman:It's mostly Pacman and Yum. So but every time I bring up I use Arch, it it causes the comments to catch on fire. So I like to poke poke the hang a little bit and get the Arch comments going. That
Ryan Poirier:fish needs Arch, by
Ben Bowman:the way. Yeah. That's what I was waiting for. Yeah. It it's like walking a hornet's nest.
Ben Bowman:It's so funny. Anytime I bring up Arch, there's a bunch of people that that that's pretty good and mostly true, at least for me. So, yeah, it takes a while. There's lot of dependencies because it's compiling a kernel module from source. There's like, GNU compiler stuff.
Ben Bowman:And you can see here in in the recorded demo that I'm moving it around and hitting the enter bar a couple times because even I'm starting to get worried that it's not gonna work. That's how long it takes, but it works. RPM. So it detected the version of the kernel successfully. It downloads and patches, so it adds the modifications to the kernel.
Ben Bowman:So that would be like your if statement, your Discord webhook, and then it compiles it. And I actually I gotta say, I'm not a great programmer. I'm actually sort of subpar in my opinion compared to people that I know. But I'm really good at c. I can use c like a wizard, and that's the one thing I can do.
Ben Bowman:And I can tell you with confidence that compiling huge programs in c's actually takes quite a while. When you're compiling hello world, it takes like half a millisecond. But when you're compiling something big, it it takes a while. Jim? Yeah.
Ben Bowman:So in college, this is stepping away from it, but kinda talking while this does this thing. In college, you know, I thought I was a lead programmer going into it. I had a huge hubris. I'm so cool. And then I got into college, I was like, I don't know anything.
Ben Bowman:I don't know how to program. I knew more about security, but less about development. And one of my favorite parts is making tools and cool stuff. So I thought I was lead because I knew hello world and Python, and then they threw me into a 16 bit assembly, then 32 bit assembly, and then 86 assembly. And I learned about little-endian and all sorts of cool stuff.
Ben Bowman:But then once we learned assembly using VIM, which is disgusting, I don't know why people use VIM, They'll tell you, I love VIM, and then they'll have a thousand plug ins for VIM to make it useful, and it's essentially just Nano then. But not to whack that too hard, but so then we were allowed to move over to Nano and c, which was cool. But that's why I'm probably so solid in c is because I was forced to go through assembly, then c, then c plus plus, then Go. I'm gonna stop carrying around the Go mark. I think Go is probably really cool, but I don't use it a ton.
Ben Bowman:I used it to build Go spoof, but shout out to Ivan, the intern. He wrote a ton of cool code for that. I guess I'll just plug in another tool while we wait as well. Ivan Kasmuhalupa is an intern that that works making cool stuff with me. And he made a really cool, like, addition to a tool that Joe and I made.
Ben Bowman:The tool's called GhostBoof. Go check it out. It's a cyber deceptive tool. It kind of is like a a fresh take on Port Spoof, so go check it out. Yeah.
Ben Bowman:I think the worst part about Vim two is I would try to exit out, and I would do colon q exclamation forgetting to save, and then it would just nuke all my code. But it was really cool having experience with with Assembly because then when I got into the master's degree, I I took software like exploitation, and there was some really cool stuff like knobs slides, that sort of thing. That was really fun. I'll tell you dirty secret though. There were some of those that I really didn't understand, and the deadlines got, like, a day away, and I get nervous.
Ben Bowman:And I would run a command that would dump processes, but also what directory they were running out of, and so I could find other people's code and go look at what they did. Don't tell my professor, though. He'll probably he'll probably be very upset. So this is just our secret, guys. Do not tell Andrew Kramer from Dakota State University that I did that.
Ben Bowman:Nobody tell him. Okay? You guys are great. See how long it takes? I'm gonna jump forward a little bit because even I'm starting to feel bad.
Ben Bowman:Okay. When it's done compiling when it's done compiling, there we go, it says build successful, backing up the file, and then installing. You don't have the option to not back it up because I don't wanna be I don't wanna, like, feel bad when inevitably somebody runs it in production even though you shouldn't, and it breaks stuff. So I don't give you the option. So in the future, if somebody uses it and they open an issue like, you broke this, I can be like, no.
Ben Bowman:You broke it, but here's how you can fix it. So it kinda gives it's kinda like a saving grace that I thought about because that's something I would do. I don't know how to get it to gracefully exit because it segfaults, but it's not because of any, like, improper coding. It's just because you're swapping out PAM, which handles sudo because it interacts with shadows. And so it kills sudo sessions when you swap it out.
Ben Bowman:So it just kills a session because you're swapping out a kernel module. But it segfaults. Don't get scared. I don't know what to do about it. I think it looks funny, so I'm gonna leave it.
Ben Bowman:So anyways, now that it's done, I locked the computer and I kinda show you, you know, how it works. I almost shut the computer down there. That was pretty graceful. Okay. Also, my VMs run at the speed of a toaster.
Ben Bowman:I don't even no matter how many resources I give it, it doesn't I don't know. Okay. So I enter a bogus password that's invalid. Right? Just to just to see what happens.
Ben Bowman:And then I log in with the legitimate password. Okay. So the legitimate password is Password 1Bang. And then the one that entered that was incorrect, even though it's incorrect and look at it. I sized it up for you older people that can't see.
Ben Bowman:I thought of you. It saves it even if it's an unsuccessful or an unsuccessful attempt, right, which is really cool. But it goes to the Discord server, which is really cool. I mean, you get into a Linux box. Right?
Ben Bowman:You drop this on there, and then you call your POC, you're like, can you check this out? It looks weird. They log in, You know, a little bait and switch. I don't know if that's considered fair game or not. I think it depends on the client, but it'd be funny.
Ben Bowman:Imagine. Close your eyes and visualize with more. I logged in to Root on this one to show that the skeleton key password, which is Test, works on other accounts. So it is the first time I've ever logged in to Root, so it's taken its time. But Cool.
Ben Bowman:Logged in as root. Log back out. It does that weird thing where it shows a bunch of scramble on the screen. No idea why. Log back in inheritance, my user, with test this time.
Ben Bowman:And you can see every time every time it captures, every attempt, even if it's invalid, because there is a chance because people are people that they will try to log in to a local Linux account using their domain admin password because that's just muscle memory. And so even though it's invalid, it still saves it because that could be the password elsewhere. I've seen it on phishing campaigns where people will log in with three different passwords, trying every password they have. So even though it's in doubt, it's important to collect that stuff. I'd be really curious to see if you can build pipelining into this that then pulls the credentials out and runs it through SSH-Snake on the network to automatically, like, turn it into full compromise with pretty much no interaction.
Ben Bowman:I'm all about automation, so there's a lot of cool stuff that you could do with this from this point. But I think it's pretty specific to, like, the test and what you're doing and what pathways you find. So building any tooling beyond this point is kind of like it would be very niche to that test, and it wouldn't be useful, like, in a general sense. And then, of course, as promised, I restore. It swaps out the PAM the the PAM module, kernel module, and it segfaults because you're messing with sudo again.
Ben Bowman:So I don't know how to get that to gracefully do that. One thing I did find interesting, when I first built this, I had I reboot the the computer every time because I assumed the kernel logic modules were loaded into memory. That was my assumption. All kernel modules are loaded into memory. Turns out they're actually only loaded when they're needed, which is pretty cool, and it's probably why your RAM doesn't have to be 400 gigabytes.
Ben Bowman:It can be, like, four to run. But, you know, I learned as I go. So you don't have to restart the computer to get it to work, which is really cool. So when you're using this, you don't have to cause any sort of, like, outage. It just works by swapping it because next time it gets called, it's it's the new file.
Ben Bowman:So well, it's something cool I learned along the way that I think is worth sharing. Here's my references. So there is a MITRE ATT&CK path for skeleton key specifically. Now this this MITRE ATT&CK path is seems to be built specifically with Mimikatz in mind because I don't think anybody else has really made a more than one time use tool for this sort of thing. So Mimikatz is about the only thing with the skeleton key that I know of.
Ben Bowman:Not to say there isn't something I don't know of. I don't know a lot. So but there is a MITRE, like, thing on it. There is AD persistence skeleton key through The Hacker Recipes. I really like The Hacker Recipes.
Ben Bowman:They have good references. But they have a section on it, and they could probably show you how the Mimikatz Windows side works on it a little bit more. I believe it uses SAM. I I'm not gonna 100% say it because I didn't my goal wasn't to dig into that. It was to dig into this because I was more interested in Linux persistence.
Ben Bowman:You know, I wanted that more than Windows. There is the repo of the the person that made the original tool. I think it's really important to give them credit because they came up with the idea. Although I stumbled onto it, that is the original creator. So credit where credit is due.
Ben Bowman:They made a really cool tool, and I think I just polished it up and made it even more practical. So good on them. I hope they see this Sunday, and they're like, woah. And they merge my pull request because I don't wanna keep the repo. I would like to merge it back into the main one because I don't want the credit.
Ben Bowman:I just wanna show off cool toys. So that'd be cool. That's what I've got. If if you wouldn't mind taking a second, going and giving me a follow on GitHub. My GitHub is this.
Ben Bowman:It'd be really nice to get some more follows. I work on open source tooling in my free time some, and then on on Black Hills, I'm on on some other. But I make cool tools, and there's a lot of really cool things that you can do that people just don't know about. So giving me a follow and following what I do kind of I feel like can help propagate some some areas of testing that are less commonly covered because that's what I like to do. You can find me on LinkedIn here.
Ben Bowman:Give me a follow on LinkedIn. I like talking to people. Every time I do something, somebody reaches out and talks to me, asking me questions, and that's great. I don't mind at all. I love to hear from you, so please follow me on on LinkedIn.
Ben Bowman:I've got some blogs. There is a blog to accompany this. It's called the p and PAM stands for persistence, which is really cool. Who's hiding back there? A research paper.
Ben Bowman:I talked about this in the pre show banter. I did a research paper on cyber deception and if it's actually effective. It is. It's got like a I I think it's been a while since I wrote the paper. I wrote it with some other people, but it's, like, 76% effective.
Ben Bowman:So if you employ cyber deceptive tactics, it slows down the attack path, like, 76% as opposed to just no deception, and we use time based scaling for that. It was really cool. Wi-Fi Forge, if you haven't seen it already, let's see if my VM will load sometime this year. Wi-Fi Forge is another really cool tool I made. I like to show it off, and I like people to see it.
Ben Bowman:If you come to Wild West Hacking Fest, we usually demo it. So that's pretty much all I've got, and that's why my spiel, my cool tool, and everything that I learned from it. So go give them stars. Go give them follows. Credit origin is due.
Ben Bowman:I believe we have the original repo here. Yep. This is the original repo. Lots of people seem to know about it. So cool.
Ben Bowman:Fantastic.
Ryan Poirier:Reach out, Ben. You did it. You hit forty five minutes.
Ben Bowman:You're kidding. You made it. You guys That was so easy. I wasn't even nervous. It wasn't even mad at all.
Ryan Poirier:If you guys have questions for Ben, feel free to put that in the Zoom q and a. We've got a couple that we'll get to. Also, you can also put it in Discord, and we will get to some questions. We do have a couple of questions from from Zooms, as I said. First one was, any support for Slack or plans for Slack?
Ben Bowman:I don't, you know, I don't make plans and I don't make promises because I like to overpromise and under deliver. I would like to add that in the future. It's not too hard to add. So if you'd like to add it yourself into a PR, I'd be happy to do it. But, yeah, it sounds like a cool feature, and I could see where that would be more useful than Discord if you have, like, a company thing or something like that.
Ben Bowman:So no no plans to add it, but I might get bored and add it in the future. PR is always accepted as well.
Ryan Poirier:Got question for or from someone on Zoom that I think you kinda answered this one, but it was in pre pre show. How do you get to the point of where you're creating your own tools versus using someone else's tool, using another tool, at what point do you decide, you know what, I'm gonna build my own thing?
Ben Bowman:Oh man, that's a great question. You're essentially asking me, how do I know I'm moving from, like, what I would consider to be, like, a junior or a more beginner tester into something more senior? I feel like the differentiation or one of them, it'd be one of many, is your ability to understand what you're doing enough to create it. And I would say, when you use tools enough daily, the problem with doing it as a profession versus doing it as a hobby is you don't do it enough to fully get that depth of understanding. And you're also not doing it in a while in the wild.
Ben Bowman:You're using it in controlled environment, so behavior is expected. When you use it outside of a controlled environment, it behaves in ways you don't expect, and just seeing it behave in those ways helps you understand it. And then you can see, like, okay. This tool is good for this, but this other tool that exists is subpar or there is no tool. And then when you when you work with it enough where you start to see gaps, then you can start building tools to fill those gaps.
Ben Bowman:So I would say it's less about, like, how skilled and experienced you are. It's more about exposure. How often are you exposed to these attack paths to see where there's stuff lacking? That's what I would say.
Ryan Poirier:Awesome. People are asking a lot of people are asking for your GitHub link, so we've got I've added it to the resources in Zoom. I've also added it to the resources in Discord. If you go to the slides resources channel in Discord, you're gonna see the link for the YouTube for the the the webcast slides and for now for his GitHub link. So we're gonna get you
Ben Bowman:some more people following you, Ben. I like followers. The cool part is we have followers. I like followers because they sometimes will, like, find issues and do, like, pull requests. We have one specifically on that I can think of off the top of my head is Ruff Labs.
Ben Bowman:I don't know if Ruff Labs is here, but Ruff Labs has contributed so much to, like, Wi Fi forging stuff. So I like the community being present because I get to do cool stuff like that.
Ryan Poirier:Got a comment from Zoom again. Webhooks at Discord and Slack are neat, but isn't that basically sending client data to those platforms?
Ben Bowman:Yeah. So this is just kind of a it's not like I said, it's not meant to be used in production. You use this tool at your own risk. Depends. Slack, it can be used to handle sensitive information, I believe.
Ben Bowman:It's not necessarily like, it can be used a little bit more corporatized than Discord can. Discord, yeah, pretty much. I wouldn't use it for that. But building webhooks for, like, Slack or Teams where it is controlled by you more or a little bit more, like, safe, that shouldn't be too hard to do. So correct.
Ben Bowman:I wouldn't send client data to Discord. That's very good. Very smart. I wouldn't it's a good way to get
Ryan Poirier:in trouble. Yeah. Great point. Thanks for that. Those are basically the questions I see.
Ryan Poirier:There was a comment about LinkedIn link not working, but it looks like someone got that figured out. It's they're trying to get to your LinkedIn.
Ben Bowman:Oh. If somebody can find it, would you drop it for me? CCDC. CCDC. I actually used to be in CCDC.
Ben Bowman:I also did CPTC. I love doing CTFs. The arch nemesis of Madison or Dakota State was University of Central Florida. They were always beating me by, like, just a smidge too. It was so frustrating.
Ryan Poirier:Like, yeah. I could root for my my people. They're just down the road for me.
Ben Bowman:Oh, yeah? Yeah. They they're really good. I I don't they're not at a cybersecurity college, but they had a group of of people that were just phenomenal. I think some of them were X Force Red, and that helped them get enough exposure to be, like, extraordinarily good compared to a college student.
Ben Bowman:So Like, but it was a lot of fun.
Ryan Poirier:I got to meet a few of them at at a b sides last year. They're good people.
Ben Bowman:Yeah. They're they're really friendly. I like them. I I think the the one that always stands out is there was a competition for Missy. I think they're called TAC now, and they're in Baltimore, I think.
Ben Bowman:I went down there for a test, and it was like neck and neck. We had first place for four days, and then on the last hour of the last day, they took first place, which yeah. So And then Nice. It looks like your LinkedIn on your on your GitHub is using your full name for the URL, and you just used Ben on the actual LinkedIn profile. So that's why it's broken.
Ben Bowman:Gotcha. Makes sense. I'll fix it later. I'm not super stressed. I posted his LinkedIn in the Discord chat for those who are asking.
Ryan Poirier:I see it. Copy that to Zoom as well. Day staying for everybody. Alright. I don't see any other questions.
Ben Bowman:It doesn't say that I work at Black Hills. I'm pretty sure my LinkedIn says I've worked at Bend for twenty three years. So but that is me, I promise. I just don't like to put what I work for whatever reason.
Ryan Poirier:Here's a new question.
Ben Bowman:Yeah.
Ryan Poirier:Is exfiltrating that's a hard word for me to say. Exfiltrating the data to these sites a way to avoid detection? By the way, you on GitHub and LinkedIn. Great video.
Ben Bowman:Yes. Thank you. I think it depends, you know, exfiltration, different different setups can do different things. Typically, when you go through a webhook, I have never had it I've never been stopped using like exfiltration just in like a CTF, but I've never had the chance to do exfiltration through those sort of channels. So I don't really know if they're watched super close.
Ben Bowman:I think it depends on the the policy of the company. If if employees are allowed to use like Discord, then you probably wouldn't be watched or monitored, and traffic to Discord isn't gonna stand out, especially when the data is wrapped in encryption when it goes through. So I think it's very dependent. I that's a hard one to answer without trying to do in the wild, and I'm not gonna try to export client data to Discord in the wild to test that. So I will never know.
Ben Bowman:But if you find out, please let me know. Not
Ryan Poirier:seeing any more questions now. Any any final remarks you wanna give us? Any summary of of anything? Or you probably did that already in your slides, but give you another chance
Ben Bowman:to wrap up. Thanks for attending. It was a lot of fun. I always like doing these. And, you know, if you follow me, you can follow open source stuff that I make and you can contribute.
Ben Bowman:I love when people contribute. So thanks for attending, guys. It was fun. I had a good time. Yep.
Ryan Poirier:Awesome. Nicely done. So we're gonna officially end the webcast, but we're gonna stick around for a couple more minutes to Yep. I think do some some promo things. John's back, I think, maybe for that stuff.
Ryan Poirier:So, let's do the old
John Strand:Let's give it a let's give it a few minutes. We can, we can still, we can still you know, people can answer or Ben can answer some more questions. We can talk about anything and kinda become an ask me anything for the next five minutes. And then I'm going to switch into marketing role, and we're gonna do some marketing propaganda specifically for our, Antisyphon corporate security training. So if you don't wanna get that, then get out of here.
John Strand:You got your opportunity. We don't we don't do that at the beginning and force you to sit through a marketing speech. But if your organization is doing security training and, you're looking to buy security training this year, hang out. It might be something that'd be worth your while to check out as well. Let's get a round of applause for Ben.
John Strand:I think that was fantastic. And and I know that people were curious about, like, the actual sleeping space. And I then I thought we were joking in all honesty. So I don't know if you're aware, but I am now across the hall at the, the official BHIS John sleeping space where we do in fact have the air mattress on the floor. And, that's that's where I go whenever I like like I like sleep here or I have naps or anything like that.
John Strand:So.
Ben Bowman:Oh, you're actually here. Oh, right. I didn't know you were actually in the office. Cool.
John Strand:No, dude. I came down specifically to show people this room.
Ben Bowman:That was worth the trip, I hope.
John Strand:Oh, I I think it was. I think it was. So if you guys all have any more questions for like, Brett is here as well. I'm here. Ben's here.
John Strand:Or you guys have any questions about pen testing or any of those things? Now is a good time. And like I said, you and have three minutes left before we get into marketing propaganda.
Ben Bowman:Let me tell you guys about silver ticket attacks. I just learned about them in great depth, and I think they're really cool.
John Strand:Ask What do should do about this? Let's talk about that. That'd be good.
Ben Bowman:Silver ticket attacks are really cool, and I I'd have to reread it. But I was interested in being a little bit sneakier on some tests that I do. When I'm on an internal, there's no, like, point in being sneaky other than I just like to see if I can do it. And if I have a client that's willing to play ball, I play ball. But silver ticket attacks are really cool because unlike the golden ticket attack, where you are forging tickets with the KRBTGT account, the silver ticket never touches the domain controller.
Ben Bowman:And so if they're lacking on endpoint detection, it's really quiet comparatively. So that's if you guys don't know, Silver Ticket Attack, that's pretty cool. You should go look at that. That's my obsession right now after the PAMS thing ended. That's my new one.
John Strand:You damn believe that. What's the Pam thing? The Pam were like this webcast.
Ben Bowman:Yeah. This webcast. But it's a full third. Like Yeah. It's it's done, though.
Ben Bowman:I'll forget about it. It's over.
Ryan Poirier:Very cool. I thought it was someone maybe a singer talking lady on the beach.
John Strand:I see a lady on the beach. I'm like, what the hell does that have to do? Oh, Pamela Anderson. Okay. Yeah.
John Strand:That's that's it. Yep. That's it. That's it as well.
Ben Bowman:No. No. No. I don't go to the beach. I don't leave the house.
Ben Bowman:I I burn in the sun, so I just kinda hide in my bedroom.
John Strand:Yeah. This is really, for Blanchard. Spending days out fencing and, you know, he's out riding fences and, you know, yeah,
Ben Bowman:it's That's really cool. I like building fence. I love building fence. Just got a You and I bought a house.
John Strand:Did you guys get one for a skid steer, or is
Ben Bowman:it or was it like Bobcat. We got one for Bobcat. The pounds point in one's in, so it's it's game it changed the game. Used to have to dig in by hand. My hands would bleed.
Ben Bowman:Horrible.
John Strand:Yeah. I I you know, we got a the Montana post driver. Right? And we did all of our fencing around our house with that thing. It it is it is truly a life altering event to get that.
John Strand:So You can
Ben Bowman:put in, like, miles of fence in no time. It's insane. And then we got this one thing called, like, the Texas stretcher, and we used to use, like, like, a ratchet system to tighten water. And now you can just, like, clamp it. It's so cool.
Ben Bowman:Anyways Yeah.
Ryan Poirier:Guys don't care about Yeah. Sounds
John Strand:like a very good swap. Alright. Well, thank you so much. I'm gonna go through, and I'm gonna show off the new LMS that we've created and Antisyphon security training. And, Ryan, can you get the email address?
John Strand:It's info at Antisyphon, I think it's info@antisyphontraining that we can share with people in the chat. I would appreciate it. I'm gonna take over the screen share real quick. Once again, we are moving into marketing propaganda. One of the things that we like to do is do this a bit different.
John Strand:I I know a lot of companies like to sneak this in. It's like, well, use some marketing propaganda with your cool free webcast. We do it at the end, so you have a chance to get the hell out of here. You do not have to stay for this marketing propaganda. But all that being said, I think what we have is really super cool, and I wanna share that right now.
John Strand:And soon it was completely taken over my screen. So this is the new LMS. We've moved over to Thought Industries, and we have, right now, I think we have over 50 classes that are set up in the Antisyphon security training platform. And, specifically, the group of people that I'm trying to talk to today are the people that work in corporations and they buy security training. Right?
John Strand:Security training is, like, crazy expensive. Like, you're looking at, like, six day training at, like, $10, even for on demand type training. It's it's crazy expensive, and then there's a lot of other ones that are kind of in line with that same pricing. We try to be very, very affordable for corporations and have all of the quality that you would expect for any of the big security training companies that you would have out there as well. We have a number of classes right now in mine.
John Strand:I only have six that I'm actively using. This is my these are my classes. Right? So I have introduction to penetration testing, SOC core skills, information security core skills, which we've renamed active defense, cyber deception, and CIS controls. But the big thing I wanted to talk about was the, course catalog.
John Strand:So if we go to Antisyphon, let me, Antisyphon. Antisyphon training. Antisyphon training. For corporations, we have our entire course catalog, for, like, a really good price right now. So our course catalog right now for everything that's on demand, like I said, I think it's over 50 classes at the moment, and it's it it's it runs the gamut.
John Strand:Right? You have red team classes. You have blue team classes. You even have some basic systems administration classes, center for Internet security, critical control classes, audit, compliance. And if you remember, we tend to do these Black Friday sales where it's the entire course catalog for, like, $1,500 a learner.
John Strand:Right? And that's too much training. That is more training than one person can do in an entire year, but we find it's really powerful for people that are trying to learn or they don't know what their forward looking information security training needs are gonna be. Right? If you're looking at teams, especially now with artificial intelligence and trying to provide context to LLM models, you may be doing something where you're working on Linux forensics.
John Strand:Gotta learn that out so you can train your AI to help you with it. And speaking of AI, we even have introduction to AI for cybersecurity professionals built into this as well. So you don't know what's gonna happen in the course of the year. And trying to get people trained up and acquire the training can be very, very difficult at the last minute whenever you need those particular skills. This makes it so it's just completely available for you and your team to be able to gain access to the training that you need at the drop of a hat.
John Strand:We also have a ton of labs. You know, we give a ton of labs away for free, to the community, and that's the stuff we give away. Right? We do amazing, information security training for corporations as well. And if you would like, just provide, I think Ryan just put it into the Discord server or Megan or somebody.
John Strand:You just shoot us an email. Info@antisyphontraining.com, and we'll sit down and we'll talk with you about it. But the dashboard is super fantastic. Very, very good slick interface. Thought Industries has just been fantastic for us for switching out.
John Strand:But, also, if you're a manager, we have a bunch of different management tools that are available on the back end where you can do full user management. You can set up sub managers. You can assign specific training classes to people, and you can track their progress through the training platform as well. So it's not just a bunch of classes. We have a whole bunch of different completion reports so you can track the progress of your learners on the, on the Thought Industries platform where we're doing all this.
John Strand:I also have some other things that you guys wouldn't see as managers. Like, I have access to panoramas and things like that. But we can see these are the people. This is the percentage completion. This is how much time they've allocated and what things they've actually completed on it as well.
John Strand:So please do me a favor. If you're looking to spend on information security training. Right? It's really expensive. We usually say you can train your entire team for the cost of training one person, at some of the other training places that are out there, and then the quality is every bit as high as you would get from other places that'll go, nameless.
John Strand:So I'm gonna throw it over to questions. Ryan, do we wanna share out, the the Discord server? And I would be happy to answer any questions that anyone has. Once again, shoot us an email to info@antisyphontraining.com, or we can put that in as well. Brian, the time traveling nerd herder, can, get us a link as well, but I'm happy to answer any questions that you all would have about Antisyphon and what we are doing.
Ryan Poirier:Yeah. We got the email in, the resources channel in Discord, and I put it in chat here on Zoom.
John Strand:Yep. Very cool. Got a lot of people typing it up. Okie's typing up some questions. There you go.
Logan Bender:John, you could also hit on the, continuous guidance training package too that we couple on with the Antisyphon training as part of best. That's which is really cool too. I think that's a a Oh, yeah.
John Strand:Do you wanna talk a little bit? Yep. So it's a Black Hills Information Security expert decision support, and, it's where you you don't have any questions, like, just about architecture, information security guidance moving forward, what are products that you should be using, things like what is a what is a silver ticket attack, things like that. You can set up a consulting call with the consultants of Black Hills Information Security and get an expert in some with somebody that either is in our SOC defending it or our developers that are developing it or our pen testers that are actively attacking it as well. So
Logan Bender:I missed anything, Logan? I was gonna say the, the pairing of the pen test findings, the report where we recommend Antisyphon training Mhmm. Classes for the team as well too. I think that's really cool. Like, you do a pen test with us.
Logan Bender:Maybe your team's lacking in a certain area or, you know, your team's looking to learn more in a particular field, we will pair our report, as part of the deliverable to recommended Antisyphon training. So your team would get access to the whole on demand platform that John just showcased there a little bit and the the, the the platform there. But, again, it's a really cool, addition on top of a pen test to have recommended training to help better your team as part of
Ben Bowman:it too. So just one
Logan Bender:of the education things that we're doing on top of the BHIS pen testing side of the house.
John Strand:Like we said, check it out. Has coins as sales points for a class? I can get you guys coins. Do you guys want coins? I got coins.
John Strand:I got poker chips. You know, I don't know what you guys want there.
Ben Bowman:So They had, the challenge coins that were, I think, thumbs probably sand.
John Strand:Oh, yeah. Yeah. They are like the but those challenge coins, you only got those if you won the CTF challenge. That was the big thing. You had to earn that.
John Strand:You know, you had you had to earn those. And I've I've both think I've got a box somewhere, a whole bunch of those coins still floating around in my house. So alright. With that, let's wrap it up. Thank you very much, Ben.
John Strand:Excellent presentation, sir. And everybody else, thank you for joining, and we'll see you on our next webcast. Take care, everybody.