MUSHIKAGO is an automatic penetration testing tool using game AI. MUSHIKAGO focuses on the verification of post-exploitation. Post-exploitation is the attack that an attacker carries out after invading the target environment. By focusing on post-exploitation verification, we can understand how far an attacker can actually penetrate and what kind of information is collected. MUSHIKAGO uses GOAP (Goal-Oriented Action Planning), a game AI technique commonly used for NPCs (Non-Player Characters). By using GOAP, we can flexibly change the content of the attack according to the environment, as an NPC does, and mimic the attacks of real APT attackers and testers. The operation and verification results of MUSHIKAGO can be checked on a dedicated web page. Moreover, MUSHIKAGO supports ICS (Industrial Control Systems), and can be used for penetration testing across IT and OT (Operational Technology).
Today's Outline
• About MUSHIKAGO
• MUSHIKAGO Overview and Game AI
• MUSHIKAGO Demo
• Future works
• Conclusion
What is MUSHIKAGO?
• MUSHIKAGO is a fully automatic penetration testing tool
• MUSHIKAGO means "insect cage" in Japanese
• What MUSHIKAGO can do
  ・Device detection, collecting system information, lateral movement, and so on
• MUSHIKAGO is meant to be installed on a laptop or a single-board computer such as a Raspberry Pi
MUSHIKAGO prototype (like a cocoon)
Motivation
• We believe it is important to always (24/7) perform penetration testing and conduct risk assessment in real time
• Manual penetration testing has a problem
  ・The pentest result depends on the pentester
• We saw the pentest as a fun game and decided to automate it
MUSHIKAGO Components
• MUSHIKAGO is composed of a Game AI module, an Arsenal module, a Database module, and a GUI
(Component diagram: Game AI, Database, GUI, Arsenal)
Game AI module
• The Game AI module receives data from the Database module and plans the contents of the penetration test
• The Game AI algorithm uses GOAP (Goal-Oriented Action Planning)
Arsenal module
• The Arsenal module is composed of penetration testing tools and original scripts
• It uses Metasploit, nmap, arp-scan, exploit suggester, proxychains, tshark, and so on
• It receives the penetration testing plan from the Game AI module and performs the validation
Database module & GUI
• The Database module receives the penetration testing results from the Arsenal module and shares them with the Game AI module
• Collected data can be checked from the GUI
Overview of MUSHIKAGO behavior
1. Get current state data
2. Plan the test contents
3. Execute penetration testing
4. Send results
5. Check test result
MUSHIKAGO repeats these steps to perform a complete penetration test.
What is Game AI?
• Game AI is used for NPCs (Non-Player Characters)
• Human-like behaviour is required (including actions that seem useless)
• Types of decision making
  ・Role-based AI
  ・State-based AI
  ・Task-based AI
  ・Goal-based AI (the type MUSHIKAGO uses)
  ・Behavior-based AI
  ・Utility-based AI
  ・Simulation-based AI
(Diagram: Player and NPC; Game AI: Knowledge Making, Decision Making, Action Making)
Goal-based AI
• Goal-based AI first determines a goal and then plans actions from that goal
• GOAP (Goal-Oriented Action Planning) is one implementation of goal-based AI
• F.E.A.R. and CHROMEHOUNDS use GOAP
Image sources: https://www.allkeyshop.com/blog/buy-chromehounds-xbox-360-code-compare-prices/ and https://store.steampowered.com/app/21090/FEAR/
GOAP
1. Symbolize the environmental information and the state of the game
2. Create actions using the symbols
3. Plan with the actions

1. Symbolize
Symbols: Symbol_TcpScan, Symbol_IdentOS, Symbol_LateralMovement, Symbol_GetProcessInfo, ・・・, Symbol_GetSecret

2. Action create
Action            Priority  Precondition                              Effect
TcpScan           1         Symbol_TcpScan=NULL                       Symbol_TcpScan=TRUE
Lateral Movement  1         Symbol_TcpScan=TRUE, Symbol_IdentOS=TRUE  Symbol_LM=TRUE
Get Secretfile    1         Symbol_LM=TRUE                            Symbol_GetSecret=TRUE
…

3. Planning
A plan is a chain of actions whose effects satisfy the next action's preconditions: … → … → GetSecretfile → … → …
Using GOAP in Pentest
• GOAP works well with penetration testing
• It can be automated and used in various environments or situations
• It is easy to extend a module
  ・Only the symbols and actions need to change to extend a module
• GOAP does not require pre-training or training data like other AI approaches, and can apply multiple tools
• Related works have shown that automation can be performed with only a single tool using machine learning, but there are no studies with multiple tools
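As an added example (not code from the MUSHIKAGO project), the three GOAP steps from the slide above, symbols, actions with preconditions and effects, and planning, written as a small planner in Python, together with the plan/execute/re-plan loop from the overview slide. The symbol and action names come from the slide; the "IdentOS" action and the `execute` callback are assumptions.

```python
from collections import deque

# World state: symbol -> value (True, or None for the slide's NULL). Symbol and action
# names follow the GOAP slide; "IdentOS" is a hypothetical action added so that the
# Lateral Movement precondition Symbol_IdentOS=TRUE can be reached.
SYMBOLS = ["Symbol_TcpScan", "Symbol_IdentOS", "Symbol_LM", "Symbol_GetSecret"]
ACTIONS = [  # (name, priority, preconditions, effects)
    ("TcpScan", 1, {"Symbol_TcpScan": None}, {"Symbol_TcpScan": True}),
    ("IdentOS", 1, {"Symbol_TcpScan": True, "Symbol_IdentOS": None}, {"Symbol_IdentOS": True}),
    ("Lateral Movement", 1, {"Symbol_TcpScan": True, "Symbol_IdentOS": True}, {"Symbol_LM": True}),
    ("Get Secretfile", 1, {"Symbol_LM": True}, {"Symbol_GetSecret": True}),
]

def initial_state():
    return {s: None for s in SYMBOLS}

def satisfied(state, conds):
    # Every symbol in conds must hold the required value in the current state.
    return all(state.get(sym) == val for sym, val in conds.items())

def plan(state, goal):
    """Breadth-first search over world states: the shortest action list that turns
    `state` into one satisfying `goal`, or None if unreachable. Ties go by priority."""
    start = tuple(sorted(state.items()))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        key, steps = queue.popleft()
        cur = dict(key)
        if satisfied(cur, goal):
            return steps
        for name, _prio, pre, eff in sorted(ACTIONS, key=lambda a: a[1]):
            if satisfied(cur, pre):
                nkey = tuple(sorted(dict(cur, **eff).items()))
                if nkey not in seen:
                    seen.add(nkey)
                    queue.append((nkey, steps + [name]))
    return None

def run(state, goal, execute, max_rounds=10):
    """The loop from the overview slide: get state, plan, execute the first action,
    record the observed effects ({} when it failed), then plan again. A failed
    step is therefore retried or re-planned on the next round."""
    history = []
    for _ in range(max_rounds):
        steps = plan(state, goal)
        if not steps:  # goal already reached ([]) or unreachable (None)
            break
        state.update(execute(steps[0]))
        history.append(steps[0])
    return history, satisfied(state, goal)
```

Because the planner only reads the current state, a host that already has Symbol_TcpScan and Symbol_IdentOS set gets a two-step plan, and a goal no action can produce yields None instead of an endless loop.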
MUSHIKAGO DEMO
1. Pentest to IT system
2. Pentest to OT system
3. Pentest to Hack The Box
DEMO: Pentest to IT system
• Goal: Stealing the secret file (mushikago_secret.txt)
• Placed in the target user's (local or domain) Desktop folder or a network storage folder
• The targets of this demo are a local user of this machine and a domain user
Verification network diagram: MUSHIKAGO connects to the network. Areas: IT, DMZ, OT; Enterprise Zone1, Enterprise Zone2, Server LAN, Processing LAN, Local HMI, Controller LAN. Subnets: 10.1.0.0/16, 192.168.100.0/24, 192.168.200.0/24, 192.168.88.0/24, 172.16.10.0/24, ・・・
DEMO: Pentest to OT system
• Goal: Identify ICS devices and protocols, and attack them
• The target of this demo is the railroad plant
Verification network diagram: the same network as in the IT demo; MUSHIKAGO connects to the network.
DEMO: Pentest to OT system
• Goal: Identify ICS devices and protocols, and attack them
Verification network diagram: MUSHIKAGO is connected to the network; a second diagram lists the subnets 10.1.0.0/16, 10.3.0.0/16, 10.30.0.0/16, ・・・
Railroad plant: PLC and HMI; Modbus/TCP (operation) carrying the operation commands Forward, Back, Rapid, ..; Analog I/O; BACnet/UDP (check state).
DEMO: Pentest to HTB
• Hack The Box is an online penetration testing training platform.
• Take control of the user and administrator privileges of the machine and get the flags in the Desktop folder.
• The Optimum machine is a Windows machine running an HTTP file server which has vulnerabilities.
MUSHIKAGO: pentest over VPN
https://www.hackthebox.eu/
Future Works
• Support for other operating systems
  ・Currently, MUSHIKAGO mainly supports Windows
• Add a characteristic simulation mode and an APT group simulation mode
  ・Focusing on deep checking
  ・Focusing on spread of infection
• Add exploits that enable lateral movement
• Improvement of the GUI
• Merge fuzzing tools to detect zero-day vulnerabilities
• Use other AI for optimization
  ・Password guessing, selecting attack candidates, and so on
Conclusion
• MUSHIKAGO is an automated penetration testing tool for IT and OT.
• MUSHIKAGO can be used independently of the user's skills because the settings and operation are very simple.
• Check here for information about MUSHIKAGO
  ・PKT HP: https://powderkegtech.com
  ・Twitter: @TechKeg
  ・YouTube: https://www.youtube.com/channel/UCcBHUaYYkqyW8fjbIjiY1ug
  ・GitHub: https://github.com/PowderKegTech/mushikago