phishing

modules/services/unix/email/mailserver/manifests/install.pp

@@ -1,6 +1,8 @@
 class mailserver::install {
-  $secgen_params = secgen_functions::get_parameters($::base64_inputs_file)
-  $ip = $secgen_params['server_ip'][0]
+  # $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  # $ip = $secgen_parameters['server_ip'][0]
+  # TODO: read this from parameter
+  $ip = "accountingnow.com"
 
   package { 'postfix':
     ensure => installed,

modules/utilities/unix/email_clients/thunderbird/secgen_metadata.xml

@@ -29,7 +29,4 @@
   <requires>
     <type>update</type>
   </requires>
-  <requires>
-    <type>desktop_environment</type>
-  </requires>
 </utility>

modules/vulnerabilities/unix/email_phishing/phish_victim_bot/files/MailReader.java

@@ -127,8 +127,9 @@ public class MailReader implements AutoCloseable {
 	public void sendEmail(Message prevMessage, ArrayList<String> reasons) throws MessagingException {
 		// Step 3: Create a message
 		MimeMessage message = new MimeMessage(session);
-		message.setFrom(new InternetAddress(username + "@worklink.vm"));
-		message.setRecipients(Message.RecipientType.TO, "email@local.vm");
+		// Cliffe TODO: read domain name from preferences
+		message.setFrom(new InternetAddress(username + "@" + prevMessage.getRecipients(Message.RecipientType.TO)[0].toString().split("@")[1]));
+		message.setRecipients(Message.RecipientType.TO, "guest@localhost");
 		message.setSubject("RE: " + prevMessage.getSubject());
 		// message.setText();
 		// Create the message part
@@ -207,8 +208,10 @@ public class MailReader implements AutoCloseable {
 		// A filter to check whether message body has enough keywords
 		return m -> {
 			int counter = 0;
-			for (String keyword : keywords)
+			for (String keyword : keywords) {
+				System.out.println("keyword " + keyword); // removing this line breaks things? when passing in a .split string?
 				if (getMessageBody(m).toLowerCase().contains(keyword.toLowerCase())) counter++;
+			}
 			return counter >= amount;
 		};
 	}
@@ -234,18 +237,25 @@ public class MailReader implements AutoCloseable {
 			String userConfigPath = System.getProperty("user.home") + "/.user.properties";
 			Properties userProps = new Properties();
 			userProps.load(new FileInputStream(userConfigPath));
-			String server = userProps.getProperty("server");
-			String user = userProps.getProperty("user");
-			String pass = userProps.getProperty("pass");
-			String trusted_sender = userProps.getProperty("trusted_sender");
-			String senders_name = userProps.getProperty("senders_name");
-			String recipients_name = userProps.getProperty("recipients_name");
-			String relevant_keyword = userProps.getProperty("relevant_keyword");
-			int num_keywords = Integer.parseInt(userProps.getProperty("num_keywords"));
-			String accepted_file_extension = userProps.getProperty("accepted_file_extension");
-			boolean reject_all = Boolean.parseBoolean(userProps.getProperty("reject_all"));
-			boolean suspicious_of_file_name = Boolean.parseBoolean(userProps.getProperty("suspicious_of_file_name"));
+			String server = userProps.getProperty("server").trim();
+			String user = userProps.getProperty("user").trim();
+			String pass = userProps.getProperty("pass").trim();
+			String trusted_sender = userProps.getProperty("trusted_sender").trim();
+			String senders_name = userProps.getProperty("senders_name").trim();
+			String recipients_name = userProps.getProperty("recipients_name").trim();
+			String relevant_keyword = userProps.getProperty("relevant_keyword").trim();
+			int num_keywords = Integer.parseInt(userProps.getProperty("num_keywords").trim());
+			String accepted_file_extension = userProps.getProperty("accepted_file_extension").trim();
+			boolean reject_all = Boolean.parseBoolean(userProps.getProperty("reject_all".trim()));
+			boolean suspicious_of_file_name = Boolean.parseBoolean(userProps.getProperty("suspicious_of_file_name").trim());
 			System.out.println("Configured as " + user);
+			System.out.println("password " + pass);
+			System.out.println("trusted_sender " + trusted_sender);
+			System.out.println("senders_name " + senders_name);
+			System.out.println("recipients_name " + recipients_name);
+			System.out.println("relevant_keyword " + relevant_keyword);
+			System.out.println("num_keywords " + num_keywords);
+			System.out.println("accepted_file_extension " + accepted_file_extension);
 
 			// Try connecting to the mailserver
 			MailReader reader = new MailReader(server, user, pass);
@@ -256,29 +266,29 @@ public class MailReader implements AutoCloseable {
 				messageFilters.add(m -> false);
 				messageReasons.add("I think this is a phishing email");
 			} else {
-				if(trusted_sender != "") {
+				if(trusted_sender != null && !trusted_sender.isBlank()) {
 					// Message sender
 					messageFilters.add(m -> getSender(m).startsWith(trusted_sender));
 					messageReasons.add("I don't trust the sender");
 				}
-				if(senders_name != "") {
+				if(senders_name != null && !senders_name.isBlank()) {
 					// Message body contains sender name (either first or last name at least once)
-					messageFilters.add(containsKeywords(senders_name.split("|"), 1));
+					messageFilters.add(containsKeywords(senders_name.split("\\|", -1), 1)); //new String[] { "jed", "jd" }, 1));
 					messageReasons.add("The message doesn't include the sender's name");
 				}
-				if(recipients_name != "") {
+				if(recipients_name != null && !recipients_name.isBlank()) {
 					// Message body contains recipient name (either name at least once)
-					messageFilters.add(containsKeywords(recipients_name.split("|"), 1));
+					messageFilters.add(containsKeywords(recipients_name.split("\\|", -1), 1));
 					messageReasons.add("It's not addressed to me");
 				}
-				if(relevant_keyword != "" && num_keywords != 0) {
+				if((relevant_keyword != null && !relevant_keyword.isBlank()) && num_keywords != 0) {
 					// Message body seems relevant (contains keywords)
-					messageFilters.add(containsKeywords(relevant_keyword.split("|"), num_keywords));
+					messageFilters.add(containsKeywords(relevant_keyword.split("\\|", -1), num_keywords));
 					messageReasons.add("It's unrelated to me");
 				}
 				// Attachment has file extension (i.e. is an executable file, or document)
 				attachmentFilters.add(a -> getFileExtension(a).equals(accepted_file_extension));
-				if(accepted_file_extension == "") {
+				if(accepted_file_extension != null && !accepted_file_extension.isBlank()) {
 					attachmentReasons.add("I cannot run that file extension");
 				} else {
 					attachmentReasons.add("I can only open " + accepted_file_extension + "files");

modules/vulnerabilities/unix/email_phishing/phish_victim_bot/manifests/install.pp

@@ -1,43 +1,50 @@
 class phish_victim_bot::install {
-  require java
 
   $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
-  $port = $secgen_parameters['port'][0]
 
   $strings_to_leak = $secgen_parameters['strings_to_leak']
   $leaked_filenames = $secgen_parameters['leaked_filenames']
   $usernames = $secgen_parameters['usernames']
+  $passwords = $secgen_parameters['passwords']
   $phish_victim_bot_configs = $secgen_parameters['phish_victim_bot_configs']
 
+  ensure_packages(['openjdk-11-jre', 'openjdk-11-jdk', 'zip' ])
+
+  user { 'guest':
+    ensure     => present,
+    password   => pw_hash("guestpassword", 'SHA-512', 'bXlzYWx0'),
+    managehome => true,
+  }
+
   if $usernames {
     $usernames.each |$index, $username| {
       # Create user
       user { $username:
         ensure     => present,
-        home       => "/home/$username",
+        password   => pw_hash($passwords[$index], 'SHA-512', 'bXlzYWx0'),
         managehome => true,
       } ->
       file { "/home/$username/.user.properties":
         ensure   => present,
-        owner    => 'root',
-        group    => 'root',
+        owner    => $username,
+        group    => $username,
         mode     => '0600',
-        content => $phish_victim_bot_config[index],
+        content => $phish_victim_bot_configs[$index],
       }
       # run on each boot via cron
       cron { "$username-mail":
-        command     => "sleep 60 && cd /home/$username && java -cp mail.jar:. MailReader  &",
+        command     => "sleep 60 && cd /home/$username && java -cp /opt/mailreader/mail.jar:/opt/mailreader/activation-1.1-rev-1.jar:/opt/mailreader/ MailReader &",
         special     => 'reboot',
         user        => $username,
       }
 
       ::secgen_functions::leak_files { "$username-mail-file-leak":
         storage_directory => "/home/$username",
-        leaked_filenames  => $leaked_filenames,
-        strings_to_leak   => $strings_to_leak[$index],
+        leaked_filenames  => [$leaked_filenames[$index]],
+        strings_to_leak   => [$strings_to_leak[$index]],
         owner             => $username,
         mode              => '0600',
-        leaked_from       => "phish_victim_bot",
+        leaked_from       => "phish_victim_bot-$username",
       }
 
     }
@@ -57,6 +64,13 @@ class phish_victim_bot::install {
     mode     => '0755',
     source => 'puppet:///modules/phish_victim_bot/MailReader.class',
   }->
+  file { '/opt/mailreader/activation-1.1-rev-1.jar':
+    ensure   => present,
+    owner    => 'root',
+    group    => 'root',
+    mode     => '0755',
+    source => 'puppet:///modules/phish_victim_bot/activation-1.1-rev-1.jar',
+  }->
   file { '/opt/mailreader/mail.jar':
     ensure   => present,
     owner    => 'root',
@@ -65,5 +79,4 @@ class phish_victim_bot::install {
     source => 'puppet:///modules/phish_victim_bot/mail.jar',
   }
 
-
 }

modules/vulnerabilities/unix/email_phishing/phish_victim_bot/secgen_metadata.xml

@@ -22,7 +22,8 @@
   <read_fact>strings_to_leak</read_fact>
   <read_fact>leaked_filenames</read_fact>
   <read_fact>phish_victim_bot_config</read_fact>
-  <read_fact>username</read_fact>
+  <read_fact>usernames</read_fact>
+  <read_fact>passwords</read_fact>
 
   <default_input into="strings_to_leak">
     <generator type="message_generator"/>
@@ -41,6 +42,12 @@
   <default_input into="usernames">
     <value>mailuser</value>
   </default_input>
+  <default_input into="passwords">
+    <value>password</value>
+  </default_input>
+
+<!-- https://www.cs.bham.ac.uk/~tpc/LearnToPhish/ -->
+<!-- https://www.usenix.org/system/files/conference/ase18/ase18-paper_chothia.pdf -->
 
   <requires>
     <type>update</type>

scenarios/labs/cyber_security_landscape/7_phishing.xml

@@ -42,6 +42,14 @@
         <value>j.baker</value>
         <value>j.wilkinson</value>
       </input>
+      <input into="passwords">
+        <value>newbie</value>
+        <value>oldguy</value>
+        <value>jobgiver</value>
+        <value>kingmaker</value>
+        <value>monkeys</value>
+        <value>monkeys</value>
+      </input>
       <input into="strings_to_leak">
         <generator type="flag_generator" />
         <generator type="flag_generator" />
@@ -50,7 +58,18 @@
         <generator type="message_generator" />
         <generator type="message_generator" />
       </input>
+      <input into="leaked_filenames">
+        <value>flag</value>
+        <value>flag</value>
+        <value>flag</value>
+        <value>flag</value>
+        <value>file</value>
+        <value>file</value>
+      </input>
 
+      <input into="server_ip">
+        <datastore access="0">IP_addresses</datastore>
+      </input>
 
       <input into="phish_victim_bot_configs">
 <value>user=s.lord