|
|
|
|
|
|
|
###
|
|
|
|
# Caldera configuration
|
|
|
|
caldera:
|
|
|
|
###
|
|
|
|
# API key for caldera. See caldera configuration. Default is ADMIN123
|
|
|
|
apikey: ADMIN123
|
|
|
|
|
|
|
|
###
|
|
|
|
# Attacks configuration
|
|
|
|
attackers:
|
|
|
|
###
|
|
|
|
# Configuration for the first attacker. One should normally be enough. But it is still implemented as a list
|
|
|
|
- name: attacker
|
|
|
|
|
|
|
|
###
|
|
|
|
# Defining VM controller settings for this machine
|
|
|
|
vm_controller:
|
|
|
|
###
|
|
|
|
# Type of the VM controller, Options are "vagrant" and "running_vm"
|
|
|
|
vm_type: vagrant
|
|
|
|
###
|
|
|
|
# # path where the vagrantfile is in
|
|
|
|
vagrantfilepath: systems
|
|
|
|
|
|
|
|
###
|
|
|
|
# Name of machine in Vagrantfile, main way to reference this machine
|
|
|
|
vm_name: attacker
|
|
|
|
|
|
|
|
###
|
|
|
|
# Machine can have nicknames. They can be used in complex attacks to reference the machine in multiple ways
|
|
|
|
nicknames:
|
|
|
|
- "suspect 1"
|
|
|
|
|
|
|
|
###
|
|
|
|
# machinepath is a path where the machine specific files and logs are stored. Relative to the Vagrantfile path
|
|
|
|
# and will be mounted internally as /vagrant/<name> for linux machines
|
|
|
|
# If machinepath is not set PurpleDome will try "vm_name"
|
|
|
|
machinepath: attacker1
|
|
|
|
|
|
|
|
###
|
|
|
|
# OS of the VM guest. Options are so far "windows", "linux"
|
|
|
|
os: linux
|
|
|
|
|
|
|
|
###
|
|
|
|
# Do not destroy/create the machine: Set this to "yes".
|
|
|
|
use_existing_machine: yes
|
|
|
|
|
|
|
|
###
|
|
|
|
# List of targets
|
|
|
|
targets:
|
|
|
|
###
|
|
|
|
# Name of a specific target. It is implemented as a list, you can have several targets in your experiment
|
|
|
|
- name: target1
|
|
|
|
###
|
|
|
|
# Defining VM controller settings for this machine
|
|
|
|
vm_controller:
|
|
|
|
###
|
|
|
|
# Type of the VM controller, Options are "vagrant" and "running_vm"
|
|
|
|
vm_type: vagrant
|
|
|
|
###
|
|
|
|
# # path where the vagrantfile is in
|
|
|
|
vagrantfilepath: systems
|
|
|
|
|
|
|
|
###
|
|
|
|
# simple switch if targets is used in attack simulation. Default is true. If set to false the machine will not be started
|
|
|
|
active: no
|
|
|
|
|
|
|
|
###
|
|
|
|
# Name of machine in Vagrantfile, main way to reference this machine
|
|
|
|
vm_name: target1
|
|
|
|
|
|
|
|
###
|
|
|
|
# Machine can have nicknames. They can be used in complex attacks to reference the machine
|
|
|
|
nicknames:
|
|
|
|
- "web server"
|
|
|
|
|
|
|
|
###
|
|
|
|
# OS of the VM guest. Options are so far "windows", "linux"
|
|
|
|
os: linux
|
|
|
|
|
|
|
|
###
|
|
|
|
# Targets need a unique PAW name for caldera
|
|
|
|
paw: target1
|
|
|
|
|
|
|
|
###
|
|
|
|
# Targets need to be in a group for caldera. The group is more relevant than the paw. Better put every target in a unique group
|
|
|
|
group: red
|
|
|
|
|
|
|
|
###
|
|
|
|
# machinepath is a path where the machine specific files and logs are stored. Relative to the Vagrantfile path
|
|
|
|
# and will be mounted internally as /vagrant/<name> for linux machines
|
|
|
|
# If machinepath is not set PurpleDome will try "vm_name"
|
|
|
|
machinepath: target1
|
|
|
|
|
|
|
|
###
|
|
|
|
# Do not destroy/create the machine: Set this to "yes". Good if you want to keep this machine around between experiments
|
|
|
|
use_existing_machine: yes
|
|
|
|
|
|
|
|
###
|
|
|
|
# The folder all the implants will be installed into. IN the machine
|
|
|
|
playground: /home/vagrant
|
|
|
|
|
|
|
|
###
|
|
|
|
# List of sensors to run on this machine. They are implemented as plugins and have a unique name
|
|
|
|
sensors:
|
|
|
|
# - linux_idp
|
|
|
|
|
|
|
|
- name: target2
|
|
|
|
###
|
|
|
|
# Defining VM controller settings for this machine
|
|
|
|
vm_controller:
|
|
|
|
###
|
|
|
|
# Type of the VM controller, Options are "vagrant" and "running_vm"
|
|
|
|
vm_type: vagrant
|
|
|
|
###
|
|
|
|
# path where the vagrantfile is in
|
|
|
|
vagrantfilepath: systems
|
|
|
|
|
|
|
|
###
|
|
|
|
# simple switch defining if targets is used in attack simulation. Default is true. If set to false the machine will not be started
|
|
|
|
active: no
|
|
|
|
|
|
|
|
###
|
|
|
|
# Name of machine in Vagrantfile, main way to reference this machine
|
|
|
|
vm_name: target2
|
|
|
|
|
|
|
|
###
|
|
|
|
# Machine can have nicknames. They can be used in complex attacks to reference the machine
|
|
|
|
nicknames:
|
|
|
|
- "t2"
|
|
|
|
- "practice target"
|
|
|
|
|
|
|
|
###
|
|
|
|
# OS of the VM guest. Options are so far "windows", "linux"
|
|
|
|
# This is the example for a windows machine. Windows machines are much trickier to handle in Vagrant ! Check the documentation
|
|
|
|
os: windows
|
|
|
|
|
|
|
|
###
|
|
|
|
# Targets need a unique PAW name for caldera
|
|
|
|
paw: target2w
|
|
|
|
|
|
|
|
###
|
|
|
|
# Targets need to be in a group for caldera. The group is more relevant than the paw. Better put every target in a unique group
|
|
|
|
group: red_windows
|
|
|
|
|
|
|
|
###
|
|
|
|
# machinepath is a path where the machine specific files and logs are stored. Relative to the Vagrantfile path
|
|
|
|
# and will be mounted internally as /vagrant/<name> for linux machines
|
|
|
|
# If machinepath is not set PurpleDome will try "vm_name"
|
|
|
|
machinepath: target2w
|
|
|
|
|
|
|
|
###
|
|
|
|
# Do not destroy/create the machine: Set this to "yes".
|
|
|
|
use_existing_machine: yes
|
|
|
|
|
|
|
|
###
|
|
|
|
# Optional setting to activate force when halting the machine. Windows guests sometime get stuck
|
|
|
|
halt_needs_force: yes
|
|
|
|
|
|
|
|
###
|
|
|
|
# If SSH without vagrant support is used (Windows !) we need a user name (uppercase)
|
|
|
|
ssh_user: PURPLEDOME
|
|
|
|
|
|
|
|
###
|
|
|
|
# If SSH without vagrant support is used (Windows !) we maybe need a password
|
|
|
|
ssh_password: PURPLEDOME
|
|
|
|
|
|
|
|
###
|
|
|
|
# For non-vagrant ssh connections a ssh keyfile stored in the machinepath is required.
|
|
|
|
ssh_keyfile: id_rsa.3
|
|
|
|
|
|
|
|
###
|
|
|
|
# The folder all the implants will be installed into
|
|
|
|
# Windows can only use default playground at the moment !
|
|
|
|
|
|
|
|
# playground: C:\\Users\\PurpleDome
|
|
|
|
|
|
|
|
###
|
|
|
|
# Sensors to run on this machine
|
|
|
|
sensors:
|
|
|
|
- windows_idp
|
|
|
|
|
|
|
|
###
|
|
|
|
# Vulnerabilities to pre-install. They are implemented as plugins
|
|
|
|
vulnerabilities:
|
|
|
|
- weak_user_passwords
|
|
|
|
- rdp_config_vul
|
|
|
|
|
|
|
|
|
|
|
|
# Ubuntu 20.10 (Groovy)
|
|
|
|
- name: target3
|
|
|
|
###
|
|
|
|
# Defining VM controller settings for this machine
|
|
|
|
vm_controller:
|
|
|
|
###
|
|
|
|
# Type of the VM controller, Options are "vagrant" and "running_vm"
|
|
|
|
vm_type: vagrant
|
|
|
|
###
|
|
|
|
# path where the vagrantfile is in
|
|
|
|
vagrantfilepath: systems
|
|
|
|
|
|
|
|
###
|
|
|
|
# simple switch if targets is used in attack simulation. Default is true. If set to false the machine will not be started
|
|
|
|
active: yes
|
|
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
# Name of machine in Vagrantfile, main way to reference this machine
|
|
|
|
vm_name: target3
|
|
|
|
|
|
|
|
###
|
|
|
|
# Machine can have nicknames. They can be used in complex attacks to reference the machine
|
|
|
|
nicknames:
|
|
|
|
- "red shirt"
|
|
|
|
- "the flag"
|
|
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
# OS of the VM guest. Options are so far "windows", "linux"
|
|
|
|
# This is the example for a windows machine. Windows machines are much trickier to handle in Vagrant ! Check the documentation
|
|
|
|
os: linux
|
|
|
|
|
|
|
|
###
|
|
|
|
# Targets need a unique PAW name for caldera
|
|
|
|
paw: target3
|
|
|
|
|
|
|
|
###
|
|
|
|
# Targets need to be in a group for caldera. The group is more relevant than the paw. Better put every target in a unique group
|
|
|
|
group: red
|
|
|
|
|
|
|
|
###
|
|
|
|
# machinepath is a path where the machine specific files and logs are stored. Relative to the Vagrantfile path
|
|
|
|
# and will be mounted internally as /vagrant/<name> for linux machines
|
|
|
|
# If machinepath is not set PurpleDome will try "vm_name"
|
|
|
|
machinepath: target3
|
|
|
|
|
|
|
|
###
|
|
|
|
# Do not destroy/create the machine: Set this to "yes".
|
|
|
|
use_existing_machine: no
|
|
|
|
|
|
|
|
###
|
|
|
|
# The folder all the implants will be installed into
|
|
|
|
playground: /home/vagrant
|
|
|
|
|
|
|
|
# Sensors to run on this machine
|
|
|
|
sensors:
|
|
|
|
- linux_idp
|
|
|
|
|
|
|
|
###
|
|
|
|
# Vulnerabilities to pre-install. They are implemented as plugins
|
|
|
|
vulnerabilities:
|
|
|
|
- sshd_config_vul
|
|
|
|
- weak_user_passwords
|
|
|
|
|
|
|
|
###
|
|
|
|
# General attack config
|
|
|
|
attacks:
|
|
|
|
###
|
|
|
|
# configure the seconds the system idles between the attacks. Makes it slower. But attack and defense logs will be simpler to match
|
|
|
|
nap_time: 5
|
|
|
|
|
|
|
|
###
|
|
|
|
# The obfuscator to use between the implant and the server. Not all obfuscators are supported by all implants. Existing obfuscators:
|
|
|
|
# plain-text, base64, base64jumble, caesar, base64noPadding, steganography
|
|
|
|
caldera_obfuscator: plain-text
|
|
|
|
|
|
|
|
###
|
|
|
|
# Jitter settings for the implant. it is min/max seconds. The first number has to be smaller. Default is 4/8
|
|
|
|
caldera_jitter: 4/8
|
|
|
|
|
|
|
|
###
|
|
|
|
# A list of caldera attacks to run against the targets.
|
|
|
|
caldera_attacks:
|
|
|
|
###
|
|
|
|
# Linux specific attacks. A list of caldera ability IDs
|
|
|
|
linux:
|
|
|
|
- "bd527b63-9f9e-46e0-9816-b8434d2b8989"
|
|
|
|
###
|
|
|
|
# Windows specific attacks. A list of caldera ability IDs
|
|
|
|
windows:
|
|
|
|
- "bd527b63-9f9e-46e0-9816-b8434d2b8989"
|
|
|
|
|
|
|
|
###
|
|
|
|
# Plugin based attacks. Will result in plugins being called
|
|
|
|
plugin_based_attacks:
|
|
|
|
###
|
|
|
|
# Linux specific attacks, a list
|
|
|
|
linux:
|
|
|
|
- hydra
|
|
|
|
- nmap
|
|
|
|
###
|
|
|
|
# Windows specific attacks, a list
|
|
|
|
windows:
|
|
|
|
- hydra
|
|
|
|
- nmap
|
|
|
|
|
|
|
|
###
|
|
|
|
# Configuration for the plugin based attack tools
|
|
|
|
attack_conf:
|
|
|
|
###
|
|
|
|
# Hydra configuration
|
|
|
|
hydra:
|
|
|
|
###
|
|
|
|
# A list of protocols to brute force against. Supported: "ssh"
|
|
|
|
protocols:
|
|
|
|
- ssh
|
|
|
|
- rdp
|
|
|
|
#- ftps
|
|
|
|
###
|
|
|
|
# A file containing potential user names
|
|
|
|
userfile: users.txt
|
|
|
|
###
|
|
|
|
# A file containing potential passwords
|
|
|
|
pwdfile: passwords.txt
|
|
|
|
nmap:
|
|
|
|
|
|
|
|
###
|
|
|
|
# General sensor config config
|
|
|
|
sensor_conf:
|
|
|
|
###
|
|
|
|
# Windows IDP plugin configuration
|
|
|
|
windows_idp:
|
|
|
|
###
|
|
|
|
# Name of the dll to use. Must match AV version
|
|
|
|
dll_name: aswidptestdll.dll
|
|
|
|
|
|
|
|
###
|
|
|
|
# Folder where the IDP tool is located
|
|
|
|
idp_tool_folder: C:\\capture
|
|
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
# Settings for the results being harvested
|
|
|
|
results:
|
|
|
|
###
|
|
|
|
# The directory the loot will be in
|
|
|
|
loot_dir: loot
|