Alexa – Go Hacker Mode

Now you can say “Alexa, hacker mode!” and ask her a series of questions about encodings, command line help for programs like Metasploit(tm), Nmap, NetCat. Like: “How do you do a services fingerprint scan with Nmap?” Or “What is the HTML encoding for double-quote?” etc.

The app will be submitted for free public use, but if you want to use it now, or contribute to it, you need to create an Alexa Skills account to put the speech definitions in, and a AWS account for the program logic. And of course, you’d need to have a Tap, Dot, Echo or CoWatch watch. The links will be provided below for the Amazon sites.

This project was created by David Cross to assist him with day to day work.

” I’m a full time red-team hacker and recently I was told by my doc that I was going to lose some significant eye sight. I wanted to immortalize some things I know, and also build some general tools into Alexa while I can still see a bit better so I don’t have to have a Google window always open while I’m working… and Alexa works well for asking and answering quick questions. As you may note, I went way beyond quick questions, but one does that when they’re trying to take over the world. Alexa is also handy for a little-known ability to send “card” data, or a little text version of what it answers for you which is nice for getting syntax detail that doesn’t quite come across easily in speech. Rumor has it the new Echo’s will have a screen on the front so cards will be displayed there as well as in the Alexa app.”

What is Hacker Mode?

Hacker Mode is a collection of Node.JS code and JSON that builds two important pieces of a whole:

1. An Alexa Skill (a set of lists that describe how to talk to a Lamdba expression)
2. A Lambda expression (a Java Script that consumes a JSON representing a voice request)

1) The Alexa Skill is comprised of:

INTENTS – (what categories of things the user may want to do)

• This file includes JSON to describe what TYPES of things can be asked.
  It also references the list of items that provide the subject of the question.

SAMPLE UTTERANCES – (examples of things that can be asked)

• This file is a list of ways the user can phrase questions which include items.

ITEM LISTS – (slot types are specific topics Alexa will provide answers for)

• These files are lists of words or phrases that should be recognized.

2) The Lambda expression is currently composed of only one file:

Hacking.js which is your Lambda expression that will respond to Alexa voice requests.

App Structure

Before you start on your road to Alexa skill building that you use one of their built-in samples to get an idea of how it works. Bookmark both sites as you’ll have them open a lot during development and you’ll be cutting and pasting code into the sites.

The interesting thing is that these two pieces of an Alexa app are in fact created and tested IN TWO SEPARATE WEB SITES!

Two directories to match the basic structure (Lambda and AlexaSkill)

• Create your Alexa Skill in: https://developer.amazon.com/edw/home.html#/skill/
  
• Create your Lambda expression in: https://console.aws.amazon.com/lambda/home?region=us-east-1#/functions/

Getting Started

Once you have your feet wet, and have tested a “demo” skill on your Alexa device… From there, you can create a new skill and preferably call it Hacker Mode and drop the lambda code in on the AWS side and link the two with AWS Lambda ARN number that is generated when you create the Lambda expression. This basically marries the Alexa skill in the skills web site to the logic in your Lambda expression on the AWS site.

Amazon has some good tutorials (and free swag apparently):

https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/content/fact-skill-1?&sc_channel=SEM&sc_campaign=Fact-Skill&sc_detail=Branded&sc_segment=Alexa-Tutorial&sc_publisher=Google&sc_country=WW&sc_medium=SEM_Fact-Skill_Branded_Alexa-Tutorial_Google_WW_0007&sc_trackingcode=0007&gclid=CMOFndDV1dMCFViRfgodZrIDLQ

This one is not too bad:

https://www.pluralsight.com/guides/node-js/amazon-alexa-skill-tutorial

When you start your Alexa it will pick up the list of skills from your account on the skills web site. The Intents, utterances and lists of items tells Alexa how to assemble a JSON request that can be consumed and translated into something useful by the Lambda “program”. Basically, when a request comes in, the Lambda server “wakes” the lambda logic and “runs” it on the incoming JSON. If the Intent is one that it has a function handler for, it will try to match the ITEM that comes in to a list of items in the lambda code and respond with whatever the prescribed answer is for that combination of INTENT and ITEM.

To shed more light on this: If you want Alexa to be able to answer the question “who’s the greatest {talent} of all time?” you would break that down into an INTENT called: “TheGreatest”

You’d create a list of things to fill in the blank with … like: hockey player, hacker, singer

You’d create a set of sample utterances that look basically like: Who is the greatest {talent_list} of all time, or Who’s the best {talent_list}, or Who is the most epic {talent_list} of all time.  Once you have those lists, you can drop them into your Alexa Skill configuration. Then you’d tailor your Lambda expression code to match the {talent_list} named items like: hacker, singer, hockey player to your list of responses in your lambda’s JavaScript code.  In Hacker Mode I use a “database” built out of JSON objects and I have a row named for each possible option that includes a speech response and sometimes even also includes a text response.

You’d create a set of sample utterances that look basically like: Who is the greatest {talent_list} of all time, or Who’s the best {talent_list}, or Who is the most epic {talent_list} of all time.  Once you have those lists, you can drop them into your Alexa Skill configuration. Then you’d tailor your Lambda expression code to match the {talent_list} named items like: hacker, singer, hockey player to your list of responses in your lambda’s JavaScript code.  In this case I do it with a database built out of JSON objects and I have a row named for each possible option that includes a speech response and sometimes even also includes a text response.

Anyway, peek through the code and it will start making sense.  It really comes together once you’ve set up one of Amazon’s provided demo projects like Favorite Color.

Further in Depth

The heart of the Lambda expression is basically a program inside of a JSON object. Which is weird but bear with me. (We live in a JavaScript world) JSON, for those that aren’t familiar is a basically a less wordy version of XML. And as such, it can hold data in various forms.

The heart of the Lambda expression is basically a program inside of a JSON object. Which is weird but bear with me. (We live in a JavaScript world) JSON, for those that aren’t familiar is a basically a less wordy version of XML. And as such, it can hold data in various forms.

The goal of the Lambda expression is to provide a means of accessing your answer data that Alexa will speak back, and to trip a function of the program or a “handler” to handle a specific INTENT type. So, going back to the example of the “TheGreatest” intent example, you’d have a function in Javascript within the Lambda expression that is tagged with that intent name. As the Lambda interpreter loads your expression and tries to match what is being asked with possible responses it sees there’s a match and fires the logic of your function to respond to the incoming INTENT type and ITEM type. In this case INTENT is “TheGreatest” and ITEM is “hockey player”. Your Lambda expression function will then look up in a data structure the answer for that query which is “Wayne Gretzky”.

At the very bottom of the Lambda expression included in this project you’ll notice a bunch of constants defined which determine the way JSON structures map to variables. The intent is not to make it more complicated, but rather to provide a means of mapping translations to the data structures into other languages. I gave up on that idea early on and hard coded the mappings. Eventually, when we get fancy, I want to separate out the JSON data definitions into separate files to make it easier to edit them. But for now I wanted to simplify the idea of what’s happening and simplify the replacing of the Lambda expression with a simple copy and paste instead of uploading a structured zip file which is the only alternative.

What is Basically Done

NetCat
NMAP
Metasploit
Html Encodings
Hex Encodings
ASCII encodings
URL encodings
HTTP Headers lookup
HTTP Verbs lookup
TCP/UDP Ports (common)

What Needs to Be Done

all TCP/UDP ports
HTTP response codes
UU char encodes
IP to IntegerIP value conversions
Powershell goodies
WMIC commands
Lin/Win commands for basic user creation and system management
*commands for every decent hacker tool out there like nCat an upgraded netcat with HTTPS support
*commands for “living off the land” like creating a web server using OpenSSL 🙂
** commands for actually kicking off a scanning a local subnet target with nmap maybe on your own Kali
*** a command language for auto-pwning local subnet systems which would require a CNC server with strong crypto and message verification.

“In short, let’s make this the new pen testing framework shall we?
When I think of where I want this to go, I want to get beyond just curiosity questions like what is the hex encoding for carriage-return, but get to weightier matters like:”

“Alexa, Hacker Mode…”
“Now in hacker mode…”
“autopwn 192.168.0.11 for me”
“Are you sure you want to autopwn 192.168.0.11?”
“Yes, I’m sure.”
“You are now root on 192.168.0.11.”
“What would you like to do? Copy files, scan a target or create a user?”

YOU GET THE IDEA!!! SKYNET without the guns and robots BASICALLY…