digital-forensics-labs/SecGen
1
0
Fork 0
mirror of https://github.com/cliffe/SecGen.git synced 2026-02-21 11:18:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/cliffe/SecGen

Browse Source
This commit is contained in:
Z. Cliffe Schreuders
2019-04-21 00:04:47 +01:00
parent 41d88c9038 f5b62ceea7
commit c5b9fee0ed
51 changed files with 9676 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -15,3 +15,5 @@ secgen.conf
modules/encoders/compression/huffman/tmp
.rakeTasks
modules/**/Gemfile.lock
modules/generators/network/pcap/files/packet.pcap
lib/resources/images/scenario

1
Gemfile
View File

@@ -33,6 +33,7 @@ gem 'ruby-graphviz'
gem 'rsa'
gem 'gpgmeh'
gem 'digest-sha3', :git => "http://github.com/izetex/digest-sha3-ruby"
gem 'packetfu'
#development only gems go here
group :test, :development do

4
Gemfile.lock
View File

@@ -91,6 +91,9 @@ GEM
nori (2.6.0)
ovirt-engine-sdk (4.2.4)
json (>= 1, < 3)
packetfu (1.1.11)
pcaprub (~> 0.12)
pcaprub (0.12.4)
pg (1.1.3)
process_helper (0.1.2)
puppet (6.0.0)
@@ -162,6 +165,7 @@ DEPENDENCIES
nokogiri
nori
ovirt-engine-sdk
packetfu
pg
process_helper
programr!

10
README-Creating-Bases.md
View File

@@ -1,6 +1,6 @@
# Creating new SecGen bases
We encourage you to use the existing bases when developing scenarios. Introducing new base boxes require careful thought and testing of modules for compatibility. This guide is mostly indended for those who wish to extend SecGen onto further VDI platforms (in addition to VirtualBox, and oVirt), which involves recreating our existing base images on these other platforms.
We encourage you to use the existing bases when developing scenarios. Introducing new base boxes require careful thought and testing of modules for compatibility. This guide is mostly intended for those who wish to extend SecGen onto further VDI platforms (in addition to VirtualBox, and oVirt), which involves recreating our existing base images on these other platforms.
When creating base images for SecGen, follow [guidelines on creating Vagrant base boxes](https://www.vagrantup.com/docs/boxes/base.html), with these additional considerations.
@@ -15,8 +15,12 @@ When creating base images for SecGen, follow [guidelines on creating Vagrant bas
Install VM guest tools software, to enable copy-paste between VMs, graphics, etc.
## Updating repository certificates
Occasionally we apt-get update; apt-get upgrade. This can be required to avoid package repo certificates from expiring; however, this does run the risk of breaking modules.
Alternatively, it may be possible to update the keys without updating other software: `sudo apt-key update`
## Avoid SecGen leaving extra files on the VMs
You should have these directories mounted as tmpfs, so that the files used by Vagrant to provision the VMs (including puppet files, SecGen module names, etc), don't get accidentally left on the VMs that are generated.
- /tmp/
@@ -41,5 +45,5 @@ history -c
history -w
```
Finally package to upload:
vagrant package --base vmname --output packaged.box
Finally, on the host, package to upload:
`vagrant package --base vmname --output packaged.box`

1
lib/helpers/constants.rb
View File

@@ -44,6 +44,7 @@ WORDLISTS_DIR = "#{ROOT_DIR}/lib/resources/wordlists"
LINELISTS_DIR = "#{ROOT_DIR}/lib/resources/linelists"
BLACKLISTED_WORDS_FILE = "#{ROOT_DIR}/lib/resources/blacklisted_words/blacklist.txt"
IMAGES_DIR = "#{ROOT_DIR}/lib/resources/images"
PASSWORDLISTS_DIR = "#{ROOT_DIR}/lib/resources/passwordlists"
# Path to build puppet modules
STDLIB_PUPPET_DIR = "#{MODULES_DIR}build/puppet/stdlib"

3559
lib/resources/passwordlists/jtrpassword.lst Normal file
View File

File diff suppressed because it is too large Load Diff

5083
lib/resources/passwordlists/ncrackpassword.lst Normal file
View File

File diff suppressed because it is too large Load Diff

4
modules/encoders/bases/base64/secgen_metadata.xml
View File

@@ -15,7 +15,9 @@
<platform>windows</platform>
<difficulty>low</difficulty>
<solution>Encoded using Base64. Decoding tools available online e.g. https://www.base64decode.org/</solution>
<solution>Encoded using Base64. Decoding tools available online e.g. https://www.base64decode.org/
From Kali, decode using the following command: 'echo yourbase64 | base64 --decode'
</solution>
<read_fact>strings_to_encode</read_fact>
<read_fact>base64_options</read_fact>

1
modules/encoders/string/hex/secgen_metadata.xml
View File

@@ -17,6 +17,7 @@
<solution>Convert the hexadecimal (base 16) string into its ASCII value, character by character in sets of 2.
Use an ascii table e.g. http://www.asciitable.com OR an online converter e.g. https://www.branah.com/ascii-converter
From Kali, use the following command: 'echo yourhex | xxd -r -p'
</solution>
<read_fact>strings_to_encode</read_fact>

0
modules/generators/flag/flag_8char_hex/flag_8char_hex.pp Normal file
View File

0
modules/generators/flag/flag_8char_hex/manifests/.no_puppet Normal file
View File

16
modules/generators/flag/flag_8char_hex/secgen_local/local.rb Normal file
View File

@@ -0,0 +1,16 @@
#!/usr/bin/ruby
require_relative '../../../../../lib/objects/local_string_generator.rb'
class HexGenerator < StringGenerator
def initialize
super
self.module_name = 'Random Hex Generator'
end
def generate
require 'securerandom'
flag = SecureRandom.hex.slice(1..8)
self.outputs << "flag{#{flag}}"
end
end
HexGenerator.new.run

24
modules/generators/flag/flag_8char_hex/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,24 @@
<?xml version="1.0"?>
<generator xmlns="http://www.github/cliffe/SecGen/generator"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
<name>Random 8 Character Hex Generator</name>
<author>Jason Zeller</author>
<author>Z. Cliffe Schreuders</author>
<module_license>MIT</module_license>
<description>Uses Ruby's SecureRandom to generate a message made up of hex digits (a-f0-9). Then this has been
shortened to 8 characters. Designed for ease of use specifically with CTFd, when copy/paste is not available.
</description>
<type>flag_generator</type>
<type>flag_ctfd</type>
<type>local_calculation</type>
<platform>linux</platform>
<platform>windows</platform>
<reference>http://ruby-doc.org/stdlib-2.2.2/libdoc/securerandom/rdoc/SecureRandom.html#method-c-hex</reference>
<output_type>generated_strings</output_type>
</generator>

0
modules/generators/image/scenario_image/manifests/.no_puppet Normal file
View File

0
modules/generators/image/scenario_image/scenario_image.pp Normal file
View File

36
modules/generators/image/scenario_image/secgen_local/local.rb Normal file
View File

@@ -0,0 +1,36 @@
#!/usr/bin/ruby
require 'base64'
require_relative '../../../../../lib/objects/local_string_encoder.rb'
class ImageGenerator < StringEncoder
attr_accessor :image_filename
def initialize
super
self.module_name = 'Scenario Image Generator'
self.image_filename = ''
end
def encode_all
filepath = "#{IMAGES_DIR}/scenario/#{image_filename}"
file_contents = File.binread(filepath)
self.outputs << Base64.strict_encode64(file_contents)
end
def get_options_array
super + [['--image_filename', GetoptLong::REQUIRED_ARGUMENT]]
end
def process_options(opt, arg)
super
case opt
when '--image_filename'
self.image_filename << arg;
end
end
def encoding_print_string
'Scenario image generator: ' + self.image_filename
end
end
ImageGenerator.new.run

20
modules/generators/image/scenario_image/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,20 @@
<?xml version="1.0"?>
<generator xmlns="http://www.github/cliffe/SecGen/generator"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
<name>Scenario Image Generator</name>
<author>Jason Zeller</author>
<module_license>MIT</module_license>
<description>Selects a specific image from the lib/resources/images/scenario directory in base64 format.</description>
<type>scenario_image_generator</type>
<type>local_calculation</type>
<platform>linux</platform>
<platform>windows</platform>
<read_fact>image_filename</read_fact>
<output_type>base64_encoded_image</output_type>
</generator>

0
modules/generators/network/pcap/manifests/.no_puppet Normal file
View File

1
modules/generators/network/pcap/pcap.pp Normal file
View File

@@ -0,0 +1 @@
require pcap::init

122
modules/generators/network/pcap/secgen_local/local.rb Normal file
View File

@@ -0,0 +1,122 @@
#!/usr/bin/ruby
$: << File.expand_path("../../lib", __FILE__)
require_relative '../../../../../lib/objects/local_string_encoder.rb'
require 'packetfu'
require 'faker'
require 'rubygems'
class PcapGenerator < StringEncoder
attr_accessor :strings_to_leak
def initialize
super
self.module_name = 'PCAP Generator / Builder'
self.strings_to_leak = []
end
def packetgen(type, data)
if type == 'tcp'
# Create TCP Packet
pkt = PacketFu::TCPPacket.new
pkt.tcp_dst=rand(1..1023)
elsif type == 'udp'
# Create UDP Packet
pkt = PacketFu::UDPPacket.new
pkt.udp_dst=rand(1..1023)
end
# Create fake mac addresses for sender and receiver
pkt.eth_saddr=Faker::Internet.mac_address
pkt.eth_daddr=Faker::Internet.mac_address
# Create fake Public IP addresses for sender and receiver
pkt.ip_src=PacketFu::Octets.new.read_quad(Faker::Internet.ip_v4_address)
pkt.ip_dst=PacketFu::Octets.new.read_quad(Faker::Internet.ip_v4_address)
pkt.payload = data
pkt.recalc
end
def datagen
data_types = [
Faker::Dota.quote,
Faker::BackToTheFuture.quote,
Faker::BojackHorseman.quote,
Faker::ChuckNorris.fact,
Faker::DrWho.quote,
Faker::DumbAndDumber.quote,
Faker::FamilyGuy.quote,
Faker::Friends.quote,
Faker::GameOfThrones.quote,
Faker::HitchhikersGuideToTheGalaxy.quote,
Faker::HowIMetYourMother.quote,
Faker::Lebowski.quote,
Faker::MostInterestingManInTheWorld.quote,
Faker::RickAndMorty.quote,
Faker::Simpsons.quote,
Faker::StrangerThings.quote,
Faker::TheITCrowd.quote
]
data_types.sample.dump.to_s
end
def encode_all
# Create an array of packets
random_number = rand (26..75)
count = 0
@pcaps = []
# Generate 25 initial packets
25.times do
packet_type = ['tcp', 'udp'].sample
pkt = packetgen(packet_type, datagen)
@pcaps << pkt
count += 1
end
# Now generate random packets till we get to our random_number
while count < random_number
packet_type = ['tcp', 'udp'].sample
pkt = packetgen(packet_type, datagen)
@pcaps << pkt
count += 1
end
# Now add our strings_to_leak packet
strings = self.strings_to_leak.join("\n")
pkt = packetgen(packet_type, strings)
@pcaps << pkt
count += 1
# Finish generating packets till we have 100
while count < 101
packet_type = ['tcp', 'udp'].sample
pkt = packetgen(packet_type, datagen)
@pcaps << pkt
count += 1
end
# Put packets in pcap file and return contents.
file_contents = ''
pfile = PacketFu::PcapFile.new
pcap_file_path = GENERATORS_DIR + 'network/pcap/files/packet.pcap'
res = pfile.array_to_file(:filename => pcap_file_path, :array => @pcaps, :append => true)
file_contents = File.binread(pcap_file_path)
File.delete(pcap_file_path)
self.outputs << Base64.strict_encode64(file_contents)
end
def get_options_array
super + [['--strings_to_leak', GetoptLong::OPTIONAL_ARGUMENT]]
end
def process_options(opt, arg)
super
case opt
when '--strings_to_leak'
self.strings_to_leak << arg;
end
end
def encoding_print_string
'strings_to_leak: ' + self.strings_to_leak.to_s
end
end
PcapGenerator.new.run

24
modules/generators/network/pcap/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,24 @@
<?xml version="1.0"?>
<generator xmlns="http://www.github/cliffe/SecGen/generator"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
<name>pcap File Generator</name>
<author>Jason Zeller</author>
<module_license>MIT</module_license>
<description>pcap generator. Wraps strings_to_leak (commonly used with a flag generators for CTF) in an Ethernet
packet. Output is a base64 encoded file.
</description>
<type>pcap_generator</type>
<platform>linux</platform>
<read_fact>strings_to_leak</read_fact>
<default_input into="strings_to_leak">
<generator type="flag_generator"/>
</default_input>
<output_type>base64_pcap_file</output_type>
</generator>

0
modules/generators/passwords/custom_list_password/custom_list_password.pp Normal file
View File

0
modules/generators/passwords/custom_list_password/manifests/.no_puppet Normal file
View File

35
modules/generators/passwords/custom_list_password/secgen_local/local.rb Normal file
View File

@@ -0,0 +1,35 @@
#!/usr/bin/ruby
require_relative '../../../../../lib/objects/local_string_generator.rb'
class CustomPasswordGenerator < StringGenerator
attr_accessor :list_name
def initialize
super
self.module_name = 'Custom List Password Generator'
self.list_name = ''
end
def generate
self.outputs << File.readlines("#{PASSWORDLISTS_DIR}/#{list_name}").sample.chomp
end
def get_options_array
super + [['--list_name', GetoptLong::REQUIRED_ARGUMENT]]
end
def process_options(opt, arg)
super
case opt
when '--list_name'
self.list_name << arg;
end
end
def encoding_print_string
'list_name: ' + self.list_name.to_s + print_string_padding
end
end
CustomPasswordGenerator.new.run

25
modules/generators/passwords/custom_list_password/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,25 @@
<?xml version="1.0"?>
<generator xmlns="http://www.github/cliffe/SecGen/generator"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
<name>Custom List Generator</name>
<author>Jason Zeller</author>
<module_license>MIT</module_license>
<description>Allows you to specify custom password list to generate from.
Available password lists are located in: lib/resources/passwordlists
</description>
<type>password_generator</type>
<type>custom_list_password</type>
<platform>linux</platform>
<platform>windows</platform>
<read_fact>list_name</read_fact>
<default_input into="list_name">
<value>jtrpassword.lst</value>
</default_input>
<output_type>generated_passwords</output_type>
</generator>

16
modules/generators/structured_content/person/secgen_local/local.rb
View File

@@ -12,6 +12,8 @@ class PersonHashBuilder < StringEncoder
attr_accessor :account
attr_accessor :credit_card
attr_accessor :national_insurance_number
attr_accessor :age
attr_accessor :profession
def initialize
super
@@ -25,6 +27,8 @@ class PersonHashBuilder < StringEncoder
self.credit_card = ''
self.national_insurance_number = ''
self.account = []
self.age = ''
self.profession = ''
end
def encode_all
@@ -35,6 +39,8 @@ class PersonHashBuilder < StringEncoder
person_hash['email_address'] = self.email_address
person_hash['credit_card'] = self.credit_card
person_hash['national_insurance_number'] = self.national_insurance_number
person_hash['age'] = self.age
person_hash['profession'] = self.profession
if self.account != []
account = JSON.parse(self.account[0])
@@ -57,7 +63,9 @@ class PersonHashBuilder < StringEncoder
['--password', GetoptLong::REQUIRED_ARGUMENT],
['--credit_card', GetoptLong::REQUIRED_ARGUMENT],
['--national_insurance_number', GetoptLong::REQUIRED_ARGUMENT],
['--account', GetoptLong::OPTIONAL_ARGUMENT]]
['--account', GetoptLong::OPTIONAL_ARGUMENT],
['--age', GetoptLong::REQUIRED_ARGUMENT],
['--profession', GetoptLong::REQUIRED_ARGUMENT]]
end
def process_options(opt, arg)
@@ -81,6 +89,10 @@ class PersonHashBuilder < StringEncoder
self.national_insurance_number << arg;
when '--account'
self.account << arg;
when '--age'
self.age << arg;
when '--profession'
self.profession << arg;
end
end
@@ -93,6 +105,8 @@ class PersonHashBuilder < StringEncoder
'password: ' + self.password.to_s + print_string_padding +
'credit_card: ' + self.credit_card.to_s + print_string_padding +
'national_insurance_number: ' + self.national_insurance_number.to_s + print_string_padding +
'age: ' + self.age.to_s + print_string_padding +
'profession: ' + self.profession.to_s + print_string_padding +
'account: ' + self.account.to_s
end
end

15
modules/generators/structured_content/person/secgen_metadata.xml
View File

@@ -19,6 +19,8 @@
<read_fact>email_address</read_fact>
<read_fact>username</read_fact>
<read_fact>password</read_fact>
<read_fact>age</read_fact>
<read_fact>profession</read_fact>
<!-- Takes account as a non-default value and fills in the missing fields with the randomly generated data. -->
<read_fact>account</read_fact>
@@ -47,6 +49,19 @@
<default_input into="national_insurance_number">
<generator type="national_insurance_number_generator"/>
</default_input>
<default_input into="age">
<generator type="number_range">
<input into="lower_bound">
<value>18</value>
</input>
<input into="upper_bound">
<value>85</value>
</input>
</generator>
</default_input>
<default_input into="profession">
<generator type="profession"/>
</default_input>
<output_type>person</output_type>
</generator>

18
modules/services/unix/http/parameterised_website/manifests/install.pp
View File

@@ -33,6 +33,7 @@ class parameterised_website::install {
$strings_to_leak = $secgen_parameters['strings_to_leak']
$images_to_leak = $secgen_parameters['images_to_leak']
$images_mode = $secgen_parameters['images_mode']
$security_audit = $secgen_parameters['security_audit']
$acceptable_use_policy = str2bool($secgen_parameters['host_acceptable_use_policy'][0])
@@ -138,10 +139,19 @@ class parameterised_website::install {
}
if $images_to_leak {
::secgen_functions::leak_files{ 'parameterised_website-image-leak':
storage_directory => $docroot,
images_to_leak => $images_to_leak,
leaked_from => "parameterised_website",
if $images_mode {
::secgen_functions::leak_files { 'parameterised_website-image-leak-mode':
storage_directory => $docroot,
images_to_leak => $images_to_leak,
mode => $images_mode,
leaked_from => "parameterised_website",
}
} else {
::secgen_functions::leak_files { 'parameterised_website-image-leak':
storage_directory => $docroot,
images_to_leak => $images_to_leak,
leaked_from => "parameterised_website",
}
}
}

3
modules/services/unix/http/parameterised_website/secgen_metadata.xml
View File

@@ -28,6 +28,9 @@
<read_fact>visible_tabs</read_fact>
<read_fact>hidden_tabs</read_fact>
<!-- Allows you to set mode of images_to_leak -->
<read_fact>images_mode</read_fact>
<read_fact>port</read_fact>
<read_fact>theme</read_fact>

2
modules/services/unix/http/parameterised_website/templates/subtemplates/main_container.html.erb
View File

@@ -27,7 +27,7 @@
<% # Default style -%>
<% else -%>
<% @main_page_paragraph_content.each do |pg| -%>
<p> <%= pg %></p>
<%= pg %>
<% end -%>
<br/>
<% end -%>

1
modules/utilities/unix/system/leak_to_file/leak_to_file.pp Normal file
View File

@@ -0,0 +1 @@
require leak_to_file::init

23
modules/utilities/unix/system/leak_to_file/manifests/init.pp Normal file
View File

@@ -0,0 +1,23 @@
class leak_to_file::init {
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$leaked_filename = $secgen_parameters['leaked_filename'][0]
$base64_file = $secgen_parameters['base64_file'][0]
if $secgen_parameters['account'] and $secgen_parameters['account'] != '' {
$account = $secgen_parameters['account'][0]
$username = $account['username']
$storage_directory = "/home/$username/"
} else {
$username = 'root'
$storage_directory = $secgen_parameters['storage_directory'][0]
}
leak_to_file::leak_file { '$storage_directory/$leaked_filename':
leaked_filename => $leaked_filename,
storage_directory => $storage_directory,
base64_file => $base64_file,
owner => $username,
group => $username,
}
}

21
modules/utilities/unix/system/leak_to_file/manifests/leak_file.pp Normal file
View File

@@ -0,0 +1,21 @@
define leak_to_file::leak_file($leaked_filename, $storage_directory, $base64_file, $owner = 'root', $group = 'root', $mode = '0660', $leaked_from = '' ) {
if ($leaked_filename != ''){
$path_to_leak = "$storage_directory/$leaked_filename"
# create the directory tree, incase the file name has extra layers of directories
exec { "$leaked_from-$path_to_leak-mkdir":
path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
command => "mkdir -p `dirname $path_to_leak`;chown $owner. `dirname $path_to_leak`",
provider => shell,
}
# Create file.
file { $path_to_leak:
ensure => present,
owner => $owner,
group => $group,
mode => $mode,
content => base64('decode', $base64_file)
}
}
}

35
modules/utilities/unix/system/leak_to_file/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,35 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>Leak base64 to file</name>
<author>Puppet Labs</author>
<author>Jason Zeller</author>
<module_license>MIT</module_license>
<description>Leak base64 to a file where specified by storage_directory.</description>
<type>system</type>
<platform>linux</platform>
<!--optional details-->
<reference>https://forge.puppet.com/puppetlabs/accounts</reference>
<read_fact>leaked_filename</read_fact>
<read_fact>base64_file</read_fact>
<read_fact>storage_directory</read_fact>
<read_fact>account</read_fact>
<default_input into="leaked_filename">
<value/>
</default_input>
<default_input into="base64_file">
<value/>
</default_input>
<default_input into="storage_directory">
<value>/var/log</value>
</default_input>
</utility>

23
modules/vulnerabilities/unix/ctf/pcap_file/manifests/init.pp Normal file
View File

@@ -0,0 +1,23 @@
class pcap_file::init {
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$leaked_filename = $secgen_parameters['leaked_filename'][0]
$base64_file = $secgen_parameters['base64_file'][0]
if $secgen_parameters['account'] and $secgen_parameters['account'] != '' {
$account = parsejson($secgen_parameters['account'][0])
$username = $account['username']
$storage_directory = "/home/$username/"
} else {
$username = 'root'
$storage_directory = $secgen_parameters['storage_directory'][0]
}
leak_to_file::leak_file { $leaked_filename:
leaked_filename => $leaked_filename,
storage_directory => $storage_directory,
base64_file => $base64_file,
owner => $username,
group => $username,
}
}

1
modules/vulnerabilities/unix/ctf/pcap_file/pcap_file.pp Normal file
View File

@@ -0,0 +1 @@
require pcap_file::init

44
modules/vulnerabilities/unix/ctf/pcap_file/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,44 @@
<?xml version="1.0"?>
<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
<name>pcap file</name>
<author>Jason Zeller</author>
<module_license>MIT</module_license>
<description>Release a pcap file with a flag, into storage_directory.
Can specify an account file is owned by or defaults to root.
</description>
<type>pcap</type>
<type>system</type>
<privilege>none</privilege>
<access>local</access>
<platform>linux</platform>
<read_fact>base64_file</read_fact>
<read_fact>leaked_filename</read_fact>
<read_fact>account</read_fact>
<read_fact>storage_directory</read_fact>
<default_input into="base64_file">
<generator type="pcap_generator"/>
</default_input>
<default_input into="leaked_filename">
<value>capture.pcap</value>
</default_input>
<default_input into="storage_directory">
<value>/var/log</value>
</default_input>
<hint>A pcap file has been leaked with a message inside a packet.</hint>
<solution>Use sftp to copy file to Kali. Then, use Wireshark to find message/flag.</solution>
<requires>
<module_path>utilities/unix/system/leak_to_file</module_path>
</requires>
</vulnerability>

23
modules/vulnerabilities/unix/ctf/zip_file/manifests/init.pp Normal file
View File

@@ -0,0 +1,23 @@
class zip_file::init {
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$leaked_filename = $secgen_parameters['leaked_filename'][0]
$base64_file = $secgen_parameters['base64_file'][0]
if $secgen_parameters['account'] and $secgen_parameters['account'] != '' {
$account = parsejson($secgen_parameters['account'][0])
$username = $account['username']
$storage_directory = "/home/$username/"
} else {
$username = 'root'
$storage_directory = $secgen_parameters['storage_directory'][0]
}
leak_to_file::leak_file { $leaked_filename:
leaked_filename => $leaked_filename,
storage_directory => $storage_directory,
base64_file => $base64_file,
owner => $username,
group => $username,
}
}

53
modules/vulnerabilities/unix/ctf/zip_file/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,53 @@
<?xml version="1.0"?>
<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
<name>Zip File</name>
<author>Jason Zeller</author>
<module_license>MIT</module_license>
<description>Release a zip file with a flag. Password optional.
Can specify an account file is owned by or defaults to root.
</description>
<type>zip_file</type>
<type>system</type>
<privilege>none</privilege>
<access>local</access>
<platform>linux</platform>
<read_fact>base64_file</read_fact>
<read_fact>leaked_filename</read_fact>
<read_fact>account</read_fact>
<read_fact>storage_directory</read_fact>
<default_input into="base64_file">
<generator type="zip_file_generator">
<input into="password">
<generator type="custom_list_password">
<input into="list_name">
<value>jtrpassword.lst</value>
</input>
</generator>
</input>
</generator>
</default_input>
<default_input into="leaked_filename">
<value>protected.zip</value>
</default_input>
<default_input into="storage_directory">
<value>/var/log</value>
</default_input>
<hint>A zip file has been leaked with a flag.</hint>
<hint>If using a password, use the default dictionary from '/usr/share/john/password.lst'.</hint>
<solution>Use the following command: fcrackzip -u -D -p /usr/share/john/password.lst filename.zip</solution>
<requires>
<module_path>utilities/unix/system/leak_to_file</module_path>
</requires>
</vulnerability>

1
modules/vulnerabilities/unix/ctf/zip_file/zip_file.pp Normal file
View File

@@ -0,0 +1 @@
require zip_file::init

1
modules/vulnerabilities/unix/system/jtr_crackable_user_account/jtr_crackable_user_account.pp Normal file
View File

@@ -0,0 +1 @@
require jtr_crackable_user_account::init

51
modules/vulnerabilities/unix/system/jtr_crackable_user_account/manifests/account.pp Normal file
View File

@@ -0,0 +1,51 @@
define jtr_crackable_user_account::account($username, $password, $super_user, $strings_to_leak, $leaked_filenames) {
# ::accounts::user changes permissions on group, passwd, shadow etc. so needs to run before
if defined('writable_groups::config') {
include ::writable_groups::config
$writable_groups = [File['/etc/group']]
} else { $writable_groups = [] }
if defined('writable_passwd::config') {
include ::writable_passwd::config
$writable_passwd = [File['/etc/passwd']]
} else { $writable_passwd = [] }
if defined('writable_shadow::config') {
include ::writable_shadow::config
$writable_shadow = [File['/etc/shadow']]
} else { $writable_shadow = [] }
$misconfigurations = concat($writable_groups, $writable_passwd, $writable_shadow)
# Add user account
::accounts::user { $username:
shell => '/bin/bash',
password => pw_hash($password, 'SHA-512', 'mysalt'),
managehome => true,
before => $misconfigurations,
}
# sort groups if sudo add to conf
if $super_user {
exec { "add-$username-to-sudoers":
path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
command => "echo '$username ALL=(ALL) ALL' >> /etc/sudoers",
}
}
if $password == '' {
exec { "remove_password_from_account_$username":
command => "/usr/bin/passwd -d $username",
require => Accounts::User[$username],
}
}
# Leak strings in a text file in the users home directory
::secgen_functions::leak_files { "$username-file-leak":
storage_directory => "/home/$username/",
leaked_filenames => $leaked_filenames,
strings_to_leak => $strings_to_leak,
owner => $username,
leaked_from => "accounts_$username",
}
}

14
modules/vulnerabilities/unix/system/jtr_crackable_user_account/manifests/init.pp Normal file
View File

@@ -0,0 +1,14 @@
class jtr_crackable_user_account::init {
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$account = parsejson($secgen_parameters['account'][0])
$username = $account['username']
::jtr_crackable_user_account::account { "jtr_crackable_user_account_$username":
username => $username,
password => $secgen_parameters['password'][0],
super_user => str2bool($account['super_user']),
strings_to_leak => $secgen_parameters['strings_to_leak'],
leaked_filenames => $secgen_parameters['leaked_filenames']
}
}

56
modules/vulnerabilities/unix/system/jtr_crackable_user_account/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,56 @@
<?xml version="1.0"?>
<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
<name>JtR Crackable User Account</name>
<author>Jason Zeller</author>
<module_license>MIT</module_license>
<description>Unprivileged user account with a password from John the Ripper default dictionary.
For use with training specifically on John the Ripper.
</description>
<type>system</type>
<privilege>user_rwx</privilege>
<access>local</access>
<platform>linux</platform>
<read_fact>leaked_filenames</read_fact>
<read_fact>strings_to_leak</read_fact>
<read_fact>account</read_fact>
<read_fact>password</read_fact>
<read_fact>flag_password</read_fact>
<default_input into="leaked_filenames">
<generator type="filename"/>
</default_input>
<default_input into="password">
<generator type="custom_list_password">
<input into="list_name">
<value>jtrpassword.lst</value>
</input>
</generator>
</default_input>
<default_input into="strings_to_leak">
<generator type="flag_generator"/>
</default_input>
<!-- password, strings_to_leak, and leaked_filenames generate from this account will not be used -->
<!-- They can be passed in or generated by default above -->
<default_input into="account">
<generator type="account"/>
</default_input>
<hint>Password is susceptible to cracking. Try to obtain /etc/passwd and /etc/shadow.</hint>
<hint>Use John the Ripper to crack password.</hint>
<solution>Use the following command: 'john -wordlist=/usr/share/john/password.lst yourhashfile'</solution>
<requires>
<module_path>utilities/unix/system/accounts</module_path>
</requires>
</vulnerability>

51
modules/vulnerabilities/unix/system/ncrack_crackable_user_account/manifests/account.pp Normal file
View File

@@ -0,0 +1,51 @@
define ncrack_crackable_user_account::account($username, $password, $super_user, $strings_to_leak, $leaked_filenames) {
# ::accounts::user changes permissions on group, passwd, shadow etc. so needs to run before
if defined('writable_groups::config') {
include ::writable_groups::config
$writable_groups = [File['/etc/group']]
} else { $writable_groups = [] }
if defined('writable_passwd::config') {
include ::writable_passwd::config
$writable_passwd = [File['/etc/passwd']]
} else { $writable_passwd = [] }
if defined('writable_shadow::config') {
include ::writable_shadow::config
$writable_shadow = [File['/etc/shadow']]
} else { $writable_shadow = [] }
$misconfigurations = concat($writable_groups, $writable_passwd, $writable_shadow)
# Add user account
::accounts::user { $username:
shell => '/bin/bash',
password => pw_hash($password, 'SHA-512', 'mysalt'),
managehome => true,
before => $misconfigurations,
}
# sort groups if sudo add to conf
if $super_user {
exec { "add-$username-to-sudoers":
path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
command => "echo '$username ALL=(ALL) ALL' >> /etc/sudoers",
}
}
if $password == '' {
exec { "remove_password_from_account_$username":
command => "/usr/bin/passwd -d $username",
require => Accounts::User[$username],
}
}
# Leak strings in a text file in the users home directory
::secgen_functions::leak_files { "$username-file-leak":
storage_directory => "/home/$username/",
leaked_filenames => $leaked_filenames,
strings_to_leak => $strings_to_leak,
owner => $username,
leaked_from => "accounts_$username",
}
}

14
modules/vulnerabilities/unix/system/ncrack_crackable_user_account/manifests/init.pp Normal file
View File

@@ -0,0 +1,14 @@
class ncrack_crackable_user_account::init {
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$account = parsejson($secgen_parameters['account'][0])
$username = $account['username']
::ncrack_crackable_user_account::account { "ncrack_crackable_user_account_$username":
username => $username,
password => $secgen_parameters['password'][0],
super_user => str2bool($account['super_user']),
strings_to_leak => $secgen_parameters['strings_to_leak'],
leaked_filenames => $secgen_parameters['leaked_filenames']
}
}

1
modules/vulnerabilities/unix/system/ncrack_crackable_user_account/ncrack_crackable_user_account.pp Normal file
View File

@@ -0,0 +1 @@
require ncrack_crackable_user_account::init

55
modules/vulnerabilities/unix/system/ncrack_crackable_user_account/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,55 @@
<?xml version="1.0"?>
<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
<name>NCRACK Crackable User Account</name>
<author>Jason Zeller</author>
<module_license>MIT</module_license>
<description>Unprivileged user account with a password from nCrack dictionary.</description>
<type>system</type>
<privilege>user_rwx</privilege>
<access>local</access>
<platform>linux</platform>
<read_fact>leaked_filenames</read_fact>
<read_fact>strings_to_leak</read_fact>
<read_fact>account</read_fact>
<read_fact>password</read_fact>
<read_fact>flag_password</read_fact>
<read_fact>username</read_fact>
<default_input into="leaked_filenames">
<generator type="filename"/>
</default_input>
<default_input into="password">
<generator type="custom_list_password">
<input into="list_name">
<value>ncrackpassword.lst</value>
</input>
</generator>
</default_input>
<default_input into="strings_to_leak">
<generator type="flag_generator"/>
</default_input>
<!-- password, strings_to_leak, and leaked_filenames generate from this account will not be used -->
<!-- They can be passed in or generated by default above -->
<default_input into="account">
<generator type="account"/>
</default_input>
<hint>Password is susceptible to cracking.</hint>
<hint>Use nCrack to crack password. If you don't know the username, try using the /usr/share/ncrack/minimal.usr dictionary.</hint>
<solution>Use the following command: 'ncrack -v --user username -P /usr/share/ncrack/default.pwd host_ip:22'</solution>
<requires>
<module_path>utilities/unix/system/accounts</module_path>
</requires>
</vulnerability>

103
scenarios/examples/vulnerability_examples/crackable_user_accounts.xml Normal file
View File

@@ -0,0 +1,103 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Crackable User Accounts Example</name>
<author>Jason Zeller</author>
<description>
This scenario gives examples of crackable user accounts based on certain passwords.
</description>
<type>ctf</type>
<difficulty>easy</difficulty>
<system>
<system_name>server</system_name>
<base platform="linux" type="server"/>
<!-- Generate ncrack_and jtr passwords for use with their respective vulnerability below -->
<input into_datastore="passwords">
<!-- The custom_list_password generator will take any filename from: lib/resources/passwordlists/ -->
<generator type="custom_list_password">
<input into="list_name">
<value>ncrackpassword.lst</value>
</input>
</generator>
<generator type="custom_list_password">
<input into="list_name">
<value>jtrpassword.lst</value>
</input>
</generator>
</input>
<!-- Generate a basic crackable user account using the random_weak_password generator -->
<!-- Generated password is not released as a flag -->
<vulnerability name="Crackable User Account"/>
<!-- Use ncrack_crackable_user_account vulnerability to add a user account to system -->
<!-- This vulnerability is designed for a hacker to use the 'ncrack' utility in Kali with a default password list-->
<!-- Hints for using this utility are available -->
<!-- See ncrack_crackable_user_account vulnerability for more information -->
<!-- This creates a flag that is the generated password from selected list: flag{password} -->
<vulnerability module_path=".*ncrack_crackable_user_account.*">
<input into="password">
<datastore access="0">passwords</datastore>
</input>
<input into="flag_password">
<generator type="concat_flag_generator">
<input into="strings_to_join">
<datastore access="0">passwords</datastore>
</input>
</generator>
</input>
<input into="leaked_filenames">
<value>flag_here</value>
</input>
<input into="strings_to_leak">
<value>So, you think you are an expert huh? I wonder if you can figure out my password.</value>
<value>This account password is also a flag. For example, if the password is "123456" the flag is: flag{123456}</value>
<value>Here is a flag for finding this message:</value>
<generator type="flag_generator"/>
</input>
<input into="account">
<generator type="account">
<input into="username">
<value>guest</value>
</input>
</generator>
</input>
</vulnerability>
<!-- Use jtr_crackable_user_account vulnerability to add a user account to system -->
<!-- This vulnerability is designed for a hacker to use the 'john' utility in Kali with a default password list -->
<!-- Hints for using this utility are available -->
<!-- See jtr_crackable_user_account vulnerability for more information -->
<!-- This creates a flag that is the generated password from selected list: flag{password} -->
<vulnerability module_path=".*jtr_crackable_user_account.*">
<input into="password">
<datastore access="1">passwords</datastore>
</input>
<input into="flag_password">
<generator type="concat_flag_generator">
<input into="strings_to_join">
<datastore access="1">passwords</datastore>
</input>
</generator>
</input>
<input into="leaked_filenames">
<value>flag_here</value>
</input>
<input into="strings_to_leak">
<value>So, you think you are an expert huh? I wonder if you can figure out my password.</value>
<value>This account password is also a flag. For example, if the password is "123456" the flag is: flag{123456}</value>
<value>Here is a flag for finding this message:</value>
<generator type="flag_generator"/>
</input>
</vulnerability>
</system>
</scenario>

43
scenarios/examples/vulnerability_examples/ctf_module_examples/pcap_file.xml Normal file
View File

@@ -0,0 +1,43 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>pcap_file Example</name>
<author>Jason Zeller</author>
<description>
This scenario demonstrates leaking a pcap file with a flag embedded and cleartext.
</description>
<type>ctf</type>
<difficulty>easy</difficulty>
<system>
<system_name>server</system_name>
<base platform="linux" type="server"/>
<!-- Release pcap file -->
<vulnerability type="pcap">
<input into="base64_file">
<generator type="pcap_generator">
<input into="strings_to_leak">
<generator type="flag_generator"/>
<value>
******SECRET*******From now on, make sure that all network traffic is properly encrypted.******SECRET******
</value>
</input>
</generator>
</input>
<input into="leaked_filename">
<value>capture.pcap</value>
</input>
<input into="storage_directory">
<value>/var/log</value>
</input>
</vulnerability>
</system>
</scenario>

50
scenarios/examples/vulnerability_examples/ctf_module_examples/zip_file.xml Normal file
View File

@@ -0,0 +1,50 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>zip_file Example</name>
<author>Jason Zeller</author>
<description>
This scenario demonstrates leaking a zip file with a flag embedded and zip can be password protected.
</description>
<type>ctf</type>
<difficulty>easy</difficulty>
<system>
<system_name>server</system_name>
<base platform="linux" type="server"/>
<!-- Release zip file -->
<vulnerability type="zip_file">
<input into="base64_file">
<generator type="zip_file_generator">
<input into="password">
<generator type="custom_list_password">
<input into="list_name">
<value>jtrpassword.lst</value>
</input>
</generator>
</input>
<input into="strings_to_leak">
<generator type="flag_generator"/>
<value>
Congratulations you have cracked our protected zip file. We wish there was more information here but we are just not that smart. Here is a flag for your troubles.
</value>
</input>
</generator>
</input>
<input into="leaked_filename">
<value>protected.zip</value>
</input>
<input into="storage_directory">
<value>/var/log</value>
</input>
</vulnerability>
</system>
</scenario>