Add support for high-level access of shells #158

Open
pry0cc opened this Issue Aug 16, 2017 · 5 comments

pry0cc (Contributor) commented Aug 16, 2017

When a shell is initiated, we should be able to access the shell in some sort of terminal multiplexer via SSH, perhaps we can even add a temporary ssh server as a Lego?

This is my idea of a perfect project with a good workflow for chatops.

Everybody is in chat, we've just got the green light to do an assessment on "company X", the bot is called "Gibson".

pentester> gibson: be verbose
gibson> verbosity level set to 10/10
pentester> gibson: start project Company X
pentester> gibson: recon-people
gibson> Scanning LinkedIn, Scraping Emails from Google, Looking up reverse whois information.
gibson> Company X, 103 employees found, 83 emails, 5 directors.
pentester> gibson: recon-network
gibson> Doing reverse whois lookup, locating domain names and IP address space, Doing DNS Recon
gibson> Port scanning and banner grabbing servers associated with Company X.
gibson> 184 hosts found, 10 unusual services, 43 web servers
pentester> gibson: recon-web
gibson> Crawling web presence, locating web-apps, login panels, doing light vuln scan on web apps
gibson> 3 Login panels found
gibson> Heuristics show Email, CRM, General User Accounts
pentester> gibson: spearfish email
gibson> Cloning email login page, modifying post form
gibson> Sending spearfish email to 83 emails
(time goes by)
*** Joins company-x-001
company-x-001: ssh x@31.43.12.259:3030
(Now, I propose we add a simple SSH server into this bot as a lego; we can do high-level stuff in chat, and then do nitty-gritty shell magic directly through a temporary ssh session)

pentester> company-x-001: install backdoor
company-x-001> pentester: backdoor installed successfully.

We can incorporate tmux with this session as well, so anybody logging into view it can see what anybody is doing, thus incorporating the collaborative feel of a chatbot, but without sacrificing the ease of a real shell.

gibson will also be able to alert when new things have been achieved, such as getting data from mimikatz, installing a backdoor, or getting root on the system.

company-x-001> Root achieved!
company-x-001> Got hashes successfully, stored locally to database and queued for lookup and cracking.

These alerts will appear automatically by watching the activity of the pentester, and of course his activity is recorded for later reports.

This is just the beginning of something potentially massive; this is a basic outline of how I think it should work.
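The "alerts appear automatically by watching the activity of the pentester" part of the proposal above is the piece that can be shown in code without the SSH server. The block below is an added example written for this thread, not Legobot code and not anything pry0cc posted. It assumes the temporary SSH/tmux session is being logged line by line (for example via `tmux pipe-pane` or `script`) and that the logger hands each line to `SessionWatcher.feed()`. The detector rules, the alert wording, the `SessionWatcher` class and the sample transcript are all this example's own constructions, chosen to mirror the mock chat in the issue (root via `id`, a persistence script that prints "backdoor installed", a dump of `/etc/shadow`, and a mimikatz NTLM line).

```python
"""Turn a recorded shell session into chat alerts and a report timeline.

Added example, not Legobot code. The session recorder is assumed to call
SessionWatcher.feed() once per transcript line; nothing here talks to tmux or
SSH itself.
"""
import re
from dataclasses import dataclass
from typing import List

# Strip colour/cursor escapes so prompts and tool output match cleanly.
ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")


@dataclass
class Event:
    kind: str        # which rule fired
    line_no: int     # line of the recording, for the report
    evidence: str    # the cleaned line that triggered it


# Illustrative rules (assumed, not from the issue): event kind -> regex on one cleaned line.
# They cover only the cases the issue names; tune them to the tools actually wrapped as legos.
RULES = [
    ("root_shell", re.compile(r"^uid=0\(root\)")),                        # `id` run as root
    ("root_shell", re.compile(r"^root@[\w.-]+:\S*#")),                    # root prompt, assumed default PS1
    ("backdoor_installed", re.compile(r"\bbackdoor installed\b", re.I)),   # assumed output of a persistence lego
    ("hashes_dumped", re.compile(r"^[\w.-]+:\$\w+\$[^:]+:\d*:")),          # /etc/shadow crypt(3) line
    ("hashes_dumped", re.compile(r"^[^:\s]+:\d+:[0-9a-f]{32}:[0-9a-f]{32}:::$", re.I)),  # pwdump-style NTLM line
    ("mimikatz_creds", re.compile(r"^\s*\*\s*NTLM\s*:\s*[0-9a-f]{32}\s*$", re.I)),        # mimikatz sekurlsa output
]

# Wording borrowed from the mock chat in the issue.
ALERT_TEXT = {
    "root_shell": "Root achieved!",
    "backdoor_installed": "Backdoor installed successfully.",
    "hashes_dumped": "Got hashes successfully, stored locally to database and queued for lookup and cracking.",
    "mimikatz_creds": "Got credentials from mimikatz, stored locally to database.",
}


class SessionWatcher:
    """Consumes a transcript line by line; emits chat alerts and keeps an event timeline."""

    def __init__(self, session: str):
        self.session = session            # chat name of the shell, e.g. company-x-001
        self.events: List[Event] = []     # every hit, for the report
        self.alerts: List[str] = []       # what was (or would be) posted to chat
        self._seen = set()
        self._line_no = 0

    def feed(self, raw_line: str) -> List[str]:
        """Inspect one transcript line; return the new chat alerts it produced (usually none)."""
        self._line_no += 1
        line = ANSI_RE.sub("", raw_line.rstrip("\r\n"))
        new_alerts: List[str] = []
        for kind, pattern in RULES:
            if pattern.search(line):
                self.events.append(Event(kind, self._line_no, line))
                if kind not in self._seen:        # alert once per kind, but record every hit
                    self._seen.add(kind)
                    new_alerts.append(f"{self.session}> {ALERT_TEXT[kind]}")
                break                             # at most one event per line
        self.alerts.extend(new_alerts)
        return new_alerts

    def report(self) -> List[str]:
        """Timeline for the write-up: which line of the recording showed what."""
        return [f"line {e.line_no}: {e.kind} <- {e.evidence}" for e in self.events]


def watch_transcript(session: str, transcript: str) -> SessionWatcher:
    """Replay a whole recording through a watcher (the live path calls feed() per line)."""
    watcher = SessionWatcher(session)
    for line in transcript.splitlines():
        watcher.feed(line)
    return watcher


# Constructed sample recording; the hosts, hashes and script are made up.
SAMPLE_TRANSCRIPT = """\
www-data@web01:/var/www$ ./exploit
[+] got shell
# id
uid=0(root) gid=0(root) groups=0(root)
# ./persist.sh
backdoor installed
# cat /etc/shadow
root:$6$Qx1yAbC$N0tAReal.Hash/Value:19235:0:99999:7:::
www-data:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    w = watch_transcript("company-x-001", SAMPLE_TRANSCRIPT)
    print("\n".join(w.alerts))
    print("\n".join(w.report()))
```

Alerting once per kind keeps the channel quiet when the same evidence scrolls past repeatedly, while `events` still records every hit so the report can cite the exact line of the recording. The rules match tool output rather than typed commands, so they work whether the operator is in tmux, a raw ssh session, or a Meterpreter shell piped through the same logger.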

bbriggs (Member) commented Aug 17, 2017

This is a really great picture of where I want to go with the collection of offensive tools and legos we have planned.

What we need to do in order to get to this point is to figure out what tools would be used in the backend (MSF, recon-ng, etc) and then write lego wrappers for them. Then we would need to define workflows around those tools. This would definitely be a very high level abstraction, so we'd also need a way to step out of the "hacking on rails" workflow and into the data that the bot itself brings back.

I think starting with the recon bits is the most valuable and then moving into active attacks after the recon flows are worked out.

oaktree347 commented Aug 17, 2017

This is going to take more than a few legos. You should write a recon library, that uses relevant APIs. Take that library and be able to call it from legos. Maybe deal with JSON. As for SSH: that'd be the hardest bit. Also not very quiet to have a bot on a server. Tons of network activity.
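bbriggs's point about needing "a way to step out of the 'hacking on rails' workflow and into the data that the bot itself brings back", and oaktree347's suggestion of a recon library that legos call and that "deal[s] with JSON", come down to the same thing: tool output has to be normalised into one per-target document before a chat command can summarise or query it. The block below is an added example for this thread, not Legobot code and not anything either commenter posted. It parses constructed nmap grepable (`-oG`) output and a constructed list of DNS A records, merges them per IP, and produces the kind of one-line summary the mock chat shows ("N hosts found, N unusual services, N web servers"). The `WEB_SERVICES` and `COMMON_SERVICES` sets that define "web server" and "unusual" are this example's own assumptions.

```python
"""Aggregate recon tool output into one JSON document per target.

Added example, not Legobot code. Minimal parsers for nmap -oG lines and DNS
A records, a merge step keyed on IP, and a chat-style summary over the result.
"""
import json
import re
from typing import Dict, Iterable, Optional, Tuple

# nmap -oG host line: "Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ..."
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

# Assumed classification (not from the thread): what counts as a web server,
# and the baseline of services that are not worth flagging as unusual.
WEB_SERVICES = {"http", "https", "http-proxy", "http-alt"}
COMMON_SERVICES = WEB_SERVICES | {"ssh", "smtp", "submission", "domain", "ftp", "pop3", "pop3s", "imap", "imaps"}


def new_host() -> dict:
    return {"names": set(), "ports": {}}


def parse_nmap_grepable(text: str, targets: Optional[Dict[str, dict]] = None) -> Dict[str, dict]:
    """Add open ports from nmap -oG output to the per-IP target map (creating hosts as needed)."""
    targets = targets if targets is not None else {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                    # comments and summary lines
        ip, name, rest = m.groups()
        host = targets.setdefault(ip, new_host())
        if name:
            host["names"].add(name)
        for field in rest.split("\t"):                  # "Status: Up", "Ports: ...", "Ignored State: ..."
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue
            for entry in value.split(", "):
                parts = entry.split("/")                # port/state/proto/owner/service/rpc/version/
                if len(parts) < 5 or parts[1] != "open":
                    continue
                port, _, proto, _, service = parts[:5]
                # "ssl|https" -> "https": drop the tunnel prefix, normalise case
                host["ports"][f"{port}/{proto}"] = service.split("|")[-1].lower()
    return targets


def merge_dns(targets: Dict[str, dict], records: Iterable[Tuple[str, str, str]]) -> Dict[str, dict]:
    """Attach DNS names to IPs; a name that resolves to an unscanned IP still creates a host."""
    for name, rtype, value in records:
        if rtype == "A":
            targets.setdefault(value, new_host())["names"].add(name)
    return targets


def summarize(targets: Dict[str, dict]) -> dict:
    web = sum(1 for h in targets.values() if WEB_SERVICES & set(h["ports"].values()))
    unusual = sum(1 for h in targets.values() for s in h["ports"].values() if s not in COMMON_SERVICES)
    return {"hosts": len(targets), "web_servers": web, "unusual_services": unusual}


def chat_summary(company: str, targets: Dict[str, dict]) -> str:
    """The one-liner a recon lego would post back to the channel."""
    s = summarize(targets)
    return f"{company}: {s['hosts']} hosts found, {s['unusual_services']} unusual services, {s['web_servers']} web servers"


def to_json(targets: Dict[str, dict]) -> str:
    """Stable JSON (sorted keys/lists) so other legos can diff or store it."""
    return json.dumps(
        {ip: {"names": sorted(h["names"]), "ports": dict(sorted(h["ports"].items()))}
         for ip, h in sorted(targets.items())},
        indent=2,
    )


# Constructed sample data; the addresses are documentation ranges, not real targets.
NMAP_GREPABLE = (
    "# Nmap 7.70 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (www.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//ssl|https///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp///, 8080/open/tcp//http-proxy///, 6000/open/tcp//X11///\n"
    "Host: 192.0.2.12 (mail.example.test)\tPorts: 110/closed/tcp//pop3///, 993/open/tcp//ssl|imaps///\n"
)
DNS_RECORDS = [
    ("www.example.test", "A", "192.0.2.10"),
    ("mail.example.test", "A", "192.0.2.12"),
    ("vpn.example.test", "A", "192.0.2.20"),   # resolved but not in the scan
]

if __name__ == "__main__":
    t = merge_dns(parse_nmap_grepable(NMAP_GREPABLE), DNS_RECORDS)
    print(chat_summary("Company X", t))
    print(to_json(t))
```

Keying on IP rather than hostname is deliberate: the same box shows up under several names (and with none at all in the nmap output for 192.0.2.11), and a DNS name that resolves to an address the scan never touched is itself a finding worth keeping. Each wrapper lego would add one `parse_*` function against this map; the chat commands only ever read `summarize()`/`to_json()`.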

bbriggs (Member) commented Aug 17, 2017

Agreed that having it do the whole chain would be quite difficult. We'll eat this elephant a bite at a time. The first milestone should be recon.

DrewBe commented Aug 17, 2017

Question: will this eventually have support for calling home to C2 Servers (In the event we plop the bot on an internal network) and/or VPN connections in order to assess internal networks as well? Or is this meant to test external networks and webapps only?

bbriggs (Member) commented Aug 17, 2017

Maybe in the far future, but I wouldn't count on it. I really want to focus on the information aggregation part of this for now.
