From 04440bb1ab4e3f8ed3160e086499b23bfcd6651d Mon Sep 17 00:00:00 2001
From: Thorsten Sick
Date: Wed, 26 May 2021 09:37:26 +0200
Subject: [PATCH] Attack plugins will now get the full machine object for targets

---
 app/calderacontrol.py | 3 +-
 app/experimentcontrol.py | 2 +-
 plugins/base/attack.py | 28 +++++++++++++++++--
 plugins/default/kali/hydra/hydra_plugin.py | 2 +-
 plugins/default/kali/nmap/nmap_plugin.py | 5 ++--
 .../default/kali/nmap/nmap_sneaky_plugin.py | 2 +-
 .../kali/nmap/nmap_stresstest_plugin.py | 2 +-
 7 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/app/calderacontrol.py b/app/calderacontrol.py
index 655325d..7db5d18 100644
--- a/app/calderacontrol.py
+++ b/app/calderacontrol.py
@@ -544,7 +544,8 @@ class CalderaControl():
 if attack_logger:
 attack_logger.start_caldera_attack(source=self.url,
- paw=paw, group=group,
+ paw=paw,
+ group=group,
 ability_id=ability_id,
 ttp=self.get_ability(ability_id)[0]["technique_id"],
 name=self.get_ability(ability_id)[0]["name"],
diff --git a/app/experimentcontrol.py b/app/experimentcontrol.py
index b63a546..c97231d 100644
--- a/app/experimentcontrol.py
+++ b/app/experimentcontrol.py
@@ -204,7 +204,7 @@ class Experiment():
 plugin.set_attacker_machine(self.attacker_1)
 # plugin.__set_logger__(self.attack_logger)
- plugin.__execute__([target.getip()])
+ plugin.__execute__([target])
 def zip_loot(self):
 """ Zip the loot together """
diff --git a/plugins/base/attack.py b/plugins/base/attack.py
index 387b3ba..5143071 100644
--- a/plugins/base/attack.py
+++ b/plugins/base/attack.py
@@ -3,6 +3,7 @@
 from plugins.base.plugin_base import BasePlugin
 from app.exceptions import PluginError
+from app.calderacontrol import CalderaControl
 import os
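Review bot: The new `plugin.__execute__([target])` hands the plugin a machine object, but nothing in this commit calls the newly added `set_caldera` on the plugin before executing, so `self.caldera` keeps its `None` default and a plugin that uses the new `caldera_attack` would fail with an AttributeError on `None` — unless `set_caldera` is wired up somewhere outside these hunks. Add `plugin.set_caldera(<the experiment's CalderaControl instance>)` next to `plugin.set_attacker_machine(self.attacker_1)`, and consider dropping the commented-out `# plugin.__set_logger__(self.attack_logger)` line instead of carrying dead code. The enclosing method starts outside the hunk.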
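Review bot: `from app.calderacontrol import CalderaControl` is needed only for the type annotation on `set_caldera`, yet it is a runtime import of the app package from the plugin base module; if `app.calderacontrol` directly or transitively imports `plugins.base`, this becomes an import cycle, which cannot be confirmed from the hunk. Placing it under `from typing import TYPE_CHECKING` / `if TYPE_CHECKING:` and quoting the annotation as `caldera: "CalderaControl"` keeps the hint without the runtime dependency.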
@@ -27,6 +28,8 @@ class AttackPlugin(BasePlugin):
 self.sysconf = {} # System configuration. common for all plugins
 self.attacker_machine_plugin = None # The machine plugin referencing the attacker. The Kali machine should be the perfect candidate
 self.target_machine_plugin = None # The machine plugin referencing the target
+ self.caldera = None # The Caldera connection object
+ self.targets = None
 def copy_to_attacker_and_defender(self):
 """ Copy attacker/defender specific files to the machines. Called by setup, do not call it yourself. template processing happens before """
@@ -88,6 +91,25 @@ class AttackPlugin(BasePlugin):
 self.attacker_machine_plugin = machine.vm_manager
+ def set_caldera(self, caldera: CalderaControl):
+ """ Set the caldera control to be used for caldera attacks
+
+ @param caldera: The caldera object to connect through
+ """
+ self.caldera = caldera
+
+ def caldera_attack(self, target, ability_id):
+ """ Attack a single target using caldera
+
+ """
+
+ self.caldera.attack(self.attack_logger,
+ paw=target.get_paw(),
+ ability_id=ability_id,
+ group=target.get_group(),
+ target_platform=target.get_os()
+ )
+
 def get_attacker_playground(self):
 """ Returns the attacker machine specific playground
@@ -112,11 +134,13 @@ class AttackPlugin(BasePlugin):
 @param targets: A list of targets, ip addresses will do
 """
+ self.targets = targets
+ ips = [tgt.getip() for tgt in targets]
 self.setup()
- self.attack_logger.start_kali_attack(self.attacker_machine_plugin.config.vmname(), targets, self.name, ttp=self.get_ttp())
+ self.attack_logger.start_kali_attack(self.attacker_machine_plugin.config.vmname(), ips, self.name, ttp=self.get_ttp())
 res = self.run(targets)
 self.teardown()
- self.attack_logger.stop_kali_attack(self.attacker_machine_plugin.config.vmname(), targets, self.name, ttp=self.get_ttp())
+ self.attack_logger.stop_kali_attack(self.attacker_machine_plugin.config.vmname(), ips, self.name, ttp=self.get_ttp())
 return res
 def get_ttp(self):
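Review bot: `self.targets = None` is the only attribute in this `__init__` block without a trailing explanatory comment, and its meaning only becomes clear from the later `__execute__` hunk where it is assigned. Suggest `self.targets = None  # Target machine objects of the current run, set by __execute__`. `__init__`'s signature is outside the hunk.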
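Review bot: `caldera_attack` dereferences `self.caldera` unguarded, but `self.caldera` is initialised to `None` in `__init__` (previous hunk) and only set by `set_caldera`, so calling it on a plugin that was never handed a Caldera control fails with an AttributeError on `None` instead of a meaningful plugin error. Guard the top of the method with `if self.caldera is None:` / `    raise PluginError("caldera_attack called before set_caldera")`, using the `PluginError` this module already imports. The docstring also lacks `@param target: Target machine object (must provide get_paw, get_group and get_os)` and `@param ability_id: The Caldera ability id to run`, and whatever `self.caldera.attack(...)` returns is dropped — if it carries a result, it should be returned to the caller.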
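Review bot: The docstring line `@param targets: A list of targets, ip addresses will do` is now wrong: the added `ips = [tgt.getip() for tgt in targets]` requires every entry to be a machine object with `getip()`, and a plain IP string would raise an AttributeError before `setup()` runs. Change it to `@param targets: A list of target machine objects (each must provide getip())`. `__execute__`'s signature and the opening of its docstring are outside the hunk.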
diff --git a/plugins/default/kali/hydra/hydra_plugin.py b/plugins/default/kali/hydra/hydra_plugin.py
index 3934cf7..8256e36 100644
--- a/plugins/default/kali/hydra/hydra_plugin.py
+++ b/plugins/default/kali/hydra/hydra_plugin.py
@@ -33,7 +33,7 @@ class HydraPlugin(AttackPlugin):
 cmd += "sudo apt -y install hydra;"
 for t in targets:
 for p in self.conf['protocols']:
- cmd += f"hydra -L {self.conf['userfile']} -P {self.conf['pwdfile']} {p}://{t};"
+ cmd += f"hydra -L {self.conf['userfile']} -P {self.conf['pwdfile']} {p}://{t.getip()};"
 res = self.attacker_run_cmd(cmd) or ""
diff --git a/plugins/default/kali/nmap/nmap_plugin.py b/plugins/default/kali/nmap/nmap_plugin.py
index 730141c..788c011 100644
--- a/plugins/default/kali/nmap/nmap_plugin.py
+++ b/plugins/default/kali/nmap/nmap_plugin.py
@@ -7,7 +7,7 @@ from plugins.base.attack import AttackPlugin
 # TODO All scan patterns need explicit logging into the attack log !
 # TODO: Add config for subnet range for ping sweeps
-# TODO: Add IP exclusion --exclude ip,ip,ip to not accidentially scan non-targets
+# TODO: Add IP exclusion --exclude ip,ip,ip to not accidentialy scan non-targets
 # TODO: host discovery Ping scan: -sn
 # TODO: host discovery PE ICMP echo
 # TODO: host discovery PP ICMP timestamp
@@ -21,7 +21,6 @@ from plugins.base.attack import AttackPlugin
 # TODO: --traceroute in addition to host discovery
 # TODO: -R reverse DNS. Needs a DNS in the big picture. No idea if valuable
 # TODO: host discovery reverse DNS resolution
-# TODO OS identification
 # TODO service discovery
 # TODO stealth scans
 # TODO firewall evasion
@@ -83,7 +82,7 @@ class NmapPlugin(AttackPlugin):
 cmd = f"cd {pg};"
 for t in targets:
- cmd += f"nmap {t};"
+ cmd += f"nmap {t.getip()};"
 res += self.attacker_run_cmd(cmd) or ""
diff --git a/plugins/default/kali/nmap/nmap_sneaky_plugin.py b/plugins/default/kali/nmap/nmap_sneaky_plugin.py
index 6ad338e..6508c53 100644
--- a/plugins/default/kali/nmap/nmap_sneaky_plugin.py
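Review bot: The rewritten line still interpolates `t.getip()` unquoted into a shell command string passed to `attacker_run_cmd`; the value appears to come from the machine configuration rather than from external input, but a value containing shell metacharacters, or an empty/`None` result from an unprovisioned machine, would silently change the command instead of failing. Quoting it as `{shlex.quote(t.getip())}` (with `import shlex`) and validating each IP once in `__execute__`, which already collects `ips`, would close both gaps; the same applies to the `nmap` command lines changed in `nmap_plugin.py`, `nmap_sneaky_plugin.py` and `nmap_stresstest_plugin.py` in this patch. `run`'s signature is outside the hunk.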
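Review bot: The comment fix changes `accidentially` to `accidentialy`, which is still misspelled; the intended word is `accidentally`. The line should read `# TODO: Add IP exclusion --exclude ip,ip,ip to not accidentally scan non-targets`.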
+++ b/plugins/default/kali/nmap/nmap_sneaky_plugin.py
@@ -29,7 +29,7 @@ class NmapSneakyPlugin(AttackPlugin):
 pg = self.get_attacker_playground()
 cmd = f"cd {pg};"
 for t in targets:
- cmd += f"sudo nmap -T1 -F -D RND:5 -f --randomize-hosts {t};"
+ cmd += f"sudo nmap -T1 -F -D RND:5 -f --randomize-hosts {t.getip()};"
 res += self.attacker_run_cmd(cmd) or ""
diff --git a/plugins/default/kali/nmap/nmap_stresstest_plugin.py b/plugins/default/kali/nmap/nmap_stresstest_plugin.py
index 8ae993f..c548ccb 100644
--- a/plugins/default/kali/nmap/nmap_stresstest_plugin.py
+++ b/plugins/default/kali/nmap/nmap_stresstest_plugin.py
@@ -31,7 +31,7 @@ class NmapStresstestPlugin(AttackPlugin):
 cmd = f"cd {pg};"
 for t in targets:
- cmd += f"nmap -T5 --min-parallelism 100 --max-scan-delay 1 {t};"
+ cmd += f"nmap -T5 --min-parallelism 100 --max-scan-delay 1 {t.getip()};"
 res += self.attacker_run_cmd(cmd) or ""