When attacking, auditing, or defending modern internal networks, intelligence is everything. Understanding the environment to the best possible degree can be the difference between successfully penetrating, or defending, the target environment.
Over the years, internal audit and testing engagements have been operating on various assumptions within switched networks, often driving engagement execution methods.
But what if these assumptions were wrong?
What if programs and network gear didn't always do what they're supposed to do?
What if we could utilize the idle time; the off-hour pauses; the days, sometimes weeks, that exist between deployment and engagement execution; to understand the network and reclaim wasted time?
As attackers, what if we could leverage the realities of modern networks and the things customers do to ‘prepare’ for an engagement (backups, security scans, etc.) through 100% passive methods?
What if you could gain a foothold into an organization prior to engagement by simply listening?
Obtaining information about the network in a stealthy manner can be difficult within a mature environment. Even during overt engagements, obtaining the information you need within a limited time window can be difficult. There are engagement delays, there are poor descriptions, there are poor assumptions, there are simulated or test environments.
These things can easily lead to unrealistic scope reductions and assumptions (intentional or unintentional) a real-world attacker would not be subject to. What you believe, what you expect, invariably affect what you do and where you look.
Prebellico is great for red teams, blue teams, penetration testers, auditors, defenders and hunters alike; anyone who wants to know more about the network they're in. It is a 100% passive network reconnaissance tool designed to challenge assumptions made about the target environment that may have arisen around the intent of the engagement.
Prebellico fingerprints the environment without touching it, gathering information about the target environment prior to, and during, an engagement without transmission, including what is called reverse port scanning.
Deployment and execution are simple: launch Prebellico as root, select the listening interface, and the information it gathers will be:
- dumped to the screen
- logged to a file
- recorded to a database file (SQLite)
Prebellico has built-in query options to explore the acquired db information, and the log file matches the screen output verbatim.
By design, Prebellico operates in a 100% passive state, ignores traffic generated by the localhost, and uses very few resources. Consequently, there is no need to be concerned about it impacting an environment or overusing resources, regardless of the engagement timeline or objective.
Want to further understand an environment you don’t yet have access to?
Want to know how to better scope your engagement prior to execution?
Want to understand the environment you're tending?
Prebellico has the ability to process PCAP files (with a maximum SNAPLEN of 262144 bytes) prior to, during, or after an engagement.
This can be used for processing historical data obtained elsewhere or for scope validation purposes prior to engagement kickoff. You can also merge this data during the engagement by copying the database over and specifying the database and log file at launch time, if so desired.
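As an added example, not Prebellico's own code, this is the kind of passive inventory such a tool derives from a PCAP: hosts, /24 networks (the same assumption `--listnetworks` makes) and open ports confirmed only by SYN-ACKs seen on the wire, with traffic to or from the listening interface excluded as the default filter does. The frame builders, addresses and ports are constructed sample data.

```python
import struct
import ipaddress

def tcp_frame(src, dst, sport, dport, flags):
    # Minimal Ethernet/IPv4/TCP frame; constructed test data, not a real capture.
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + tcp

def build_pcap(frames):
    # Little-endian libpcap file with the 262144-byte snaplen Prebellico accepts.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def passive_inventory(pcap_bytes, interface_ip):
    # Hosts, /24 networks and SYN-ACK-confirmed open ports seen in a pcap. Packets to
    # or from interface_ip or 0.0.0.0 are skipped, mirroring the default capture filter.
    end = "<" if pcap_bytes[:4] == bytes.fromhex("d4c3b2a1") else ">"
    hosts, networks, open_ports = set(), set(), {}
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        pkt = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # IPv4 over Ethernet only
            continue
        src = str(ipaddress.ip_address(pkt[26:30]))
        dst = str(ipaddress.ip_address(pkt[30:34]))
        if interface_ip in (src, dst) or "0.0.0.0" in (src, dst):
            continue
        for ip in (src, dst):
            hosts.add(ip)
            networks.add(str(ipaddress.ip_network(ip + "/24", strict=False)))
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[23] == 6 and len(pkt) >= 34 + ihl:          # TCP with a full 20-byte header
            sport, = struct.unpack("!H", pkt[14 + ihl:16 + ihl])
            if (pkt[27 + ihl] & 0x12) == 0x12:              # SYN-ACK: src answered, port is open
                open_ports.setdefault(src, set()).add(sport)
    return hosts, networks, {h: sorted(p) for h, p in open_ports.items()}

SAMPLE = build_pcap([                                       # flags: 0x02 = SYN, 0x12 = SYN-ACK
    tcp_frame("10.0.5.23", "10.0.9.40", 51000, 445, 0x02),
    tcp_frame("10.0.9.40", "10.0.5.23", 445, 51000, 0x12),
    tcp_frame("10.0.5.23", "10.0.9.40", 51001, 22, 0x02),   # unanswered: nothing is claimed
    tcp_frame("192.168.1.10", "10.0.5.23", 3389, 49777, 0x12),
    tcp_frame("10.0.5.1", "10.0.5.23", 40000, 80, 0x02),    # the listener's own traffic
])
```

Calling `passive_inventory(SAMPLE, "10.0.5.1")` reports the three remote hosts, their /24s, and only the two ports that actually answered; the unanswered SYN to port 22 proves nothing and is not recorded.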
```text
./prebellico.py --help
usage: prebellico.py [-h] [-i INF | -r READ] [-l LOG] [-d DB] [-e EXTRA]
                     [-w WAIT] [-s] [-q]
                     [--report | --credentials | --listhosts | --listnetworks | --ip IP]

optional arguments:
  -h, --help            show this help message and exit
  -i INF, --inf INF     Specify the interface you want Prebellico to listen
                        on. By default Prebellico will hunt for interfaces and
                        ask the user to specify an interface if one is not
                        provided here.
  -r READ, --read READ  Specify a PCAP file to read from instead of a network
                        interface. By default Prebellico assumes that traffic
                        is to be read from a network interface.
  -l LOG, --log LOG     Specify an output file. By default Prebellico will log
                        to "prebellico.log" if a logfile is not specified.
  -d DB, --db DB        Specify an SQLite db file you want to write to. By
                        default this will create, if need be, and write to
                        "prebellico.db" if not specified by the user, as long
                        as the file is an actual Prebellico DB that the user
                        can read from.
  -e EXTRA, --extra EXTRA
                        Specify extra filtering using PCAP based syntax. By
                        default, "ip or arp or aarp and not host 0.0.0.0 and
                        not host <interface_IP>" is used as a filter.
  -w WAIT, --wait WAIT  *Pending implementation. Specify a period of time in
                        hours to wait for new intelligence before shifting to
                        a new form of intelligence gathering.
  -s, --subsume         Include traffic from the target interface from
                        Prebellico output. By default this traffic is excluded
                        to ensure data generated by the interface while
                        interacting with the environment does not taint the
                        "fingerprint" of the target environment.
  -q, --quiet           Remove the Prebellico banner at the start of the
                        script.

Options to query intel obtained by Prebellico. You may only specify one query at a time, along with an optional db with '-d' or '-db':
  --report              Provide a high level SITREP on all observed network
                        activity.
  --credentials         *Pending implementation. Provide a brief summary about
                        credentials obtained by Prebellico.
  --listhosts           Provide a list of known internal hosts.
  --listnetworks        Provide a list of known networks, assuming a /24
                        netmask.
  --ip IP               Provide specific details about what Prebellico already
                        knows about a host.
```
IT truths:
- There are always bugs
- Things don't always work as they should
- Designs aren't always executed to perfection
The fact is, sometimes packets get to places they shouldn't.
With Prebellico you'll be prepared to catch them.
Planned features:
- semi-passive mode: further enumeration leveraging acquired intel
- remote probe: no local DB, exfil to remote master
- improved hash recognition and recording
- db merging / importing
- network graph