jymcheong/aptc
Synopsis

A set of scripts using PyMISP to extend MISP for automated payload testing.

User documentation: https://jymcheong.github.io/aptc/ (click on the mind-map topics/nodes to explore further).

Demo of a CVE-2017-0199 payload (YouTube link).

Sh0ut 0utz

Big thank you to the awesome folks @ https://gitter.im/MISP/MISP & Harvard-IT-security

Under-the-hood (TL;DR)

APTC overview

  • Assuming the test-case and target events are set up properly, tagging a test-case event with the test-start tag launches getpayloads.py
  • getpayloads.py in turn launches getresults.py, which queries Graylog with a pre-defined query statement to find an indicator of success
  • It is up to you to decide what counts as success (a "hit"); typically a Product-under-Test emits logs when it catches a payload. When the query cannot find the indicators within a certain amount of time, the test is deemed a "miss"
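The hit/miss decision described above, as an added example that is not part of the aptc project's own getpayloads.py or getresults.py. It assumes the tag name and script path from the EventsController.php hook on this page and that Graylog's search response carries a `total_results` count; the Graylog responses and the fake clock are constructed so the logic runs offline.

```python
import json
import time
from typing import Callable, Iterable, List

# Tag that fires the EventsController.php hook shown on this page.
TRIGGER_TAG = "aptc:test-start"
# Script path used by that hook (assumption: the default install layout).
GETPAYLOADS = "/var/www/MISP/tools/aptc/getpayloads.py"

# Constructed Graylog universal-search responses, trimmed to the fields used here.
# Assumption: the relative-search endpoint reports a 'total_results' count.
HIT_RESPONSE = json.dumps({
    "total_results": 1,
    "messages": [{"message": {"source": "put-01",
                              "message": "Blocked file: payload.rtf"}}],
})
MISS_RESPONSE = json.dumps({"total_results": 0, "messages": []})


def should_launch(event_tags: Iterable[str]) -> bool:
    """True when the event carries the trigger tag (exact string match, like the PHP hook)."""
    return TRIGGER_TAG in set(event_tags)


def build_getpayloads_argv(event_id) -> List[str]:
    """Argument vector for launching getpayloads.py via subprocess without a shell.

    The hook on the page splices $id into a shell string; here the id must be a
    positive integer and is passed as a list element, so no shell quoting is involved.
    """
    text = str(event_id)
    if not text.isdigit() or int(text) <= 0:
        raise ValueError(f"event id must be a positive integer, got {event_id!r}")
    return ["python3", GETPAYLOADS, "-id", text]


def count_matches(graylog_response: str) -> int:
    """Number of log lines matched by the pre-defined Graylog query."""
    return int(json.loads(graylog_response).get("total_results", 0))


def wait_for_indicator(poll: Callable[[], int], timeout_s: float, interval_s: float,
                       clock: Callable[[], float] = time.monotonic,
                       sleep: Callable[[float], None] = time.sleep) -> str:
    """Return 'hit' as soon as poll() reports a match, 'miss' once timeout_s has elapsed.

    poll() is expected to run the Graylog query and return count_matches() of the
    body. clock/sleep are injectable so the decision logic can run without waiting.
    """
    deadline = clock() + timeout_s
    while True:
        if poll() > 0:
            return "hit"
        if clock() >= deadline:
            return "miss"
        sleep(interval_s)


class FakeClock:
    """Deterministic clock: sleep() advances time instantly (for demos and tests)."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    # Simulate a Product-under-Test that logs the catch on the third poll.
    responses = iter([MISS_RESPONSE, MISS_RESPONSE, HIT_RESPONSE])
    clk = FakeClock()
    verdict = wait_for_indicator(lambda: count_matches(next(responses)), timeout_s=60,
                                 interval_s=10, clock=clk.now, sleep=clk.sleep)
    print(f"{verdict} after {clk.t:.0f}s")  # hit after 20s
    if should_launch(["tlp:amber", TRIGGER_TAG]):
        print("launch:", " ".join(build_getpayloads_argv(42)))
```

In a real deployment `poll` would wrap an HTTP call to Graylog and `clock`/`sleep` keep their defaults; the timeout is the only thing separating a "miss" from a product that simply logs late, so choose it from the slowest legitimate detection you have observed.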

Installation steps for MISP host

  1. git clone https://github.com/jymcheong/aptc.git
  2. Edit /Controller/EventsController.php
  3. Search for "Tag added"; you should locate the line beginning with: return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Tag added...

Add the line below above that return statement:

if ($tag['Tag']['name']=="aptc:test-start") shell_exec("python3 /var/www/MISP/tools/aptc/getpayloads.py -id ".$id." > /dev/null 2>/dev/null &");

Since $id is spliced straight into a shell command, make sure it is the integer event id (e.g. cast with (int)$id) before the command string is built.

  4. Create an aptc folder under the MISP tools directory
  5. Copy all the aptc scripts to that folder & adjust permissions accordingly (e.g. readable for www-data, chmod +x *.py)
  6. Create an aptc folder under /var/www/MISP/app/files/taxonomies/ (or equivalent)
  7. Copy machinetag.json into that folder, update your tags & enable all of them
  8. Edit key.py to set misp_url & key
  9. Create target paths (Samba mount point) to write payloads to (give appropriate read/write permissions)
  10. Install Samba & set up a share for targets to mount (by default APTC writes to /opt/aptc/targets/HOSTNAME, i.e. share /opt/aptc/targets. You can change it by editing aptc.py. Refer to https://jymcheong.github.io/aptc/ to understand how this whole thing works)
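Steps 7 and 3 depend on the tag in machinetag.json matching the string compared in the EventsController.php hook. The following is an added example, not the project's own machinetag.json: it builds a minimal MISP taxonomy for the aptc namespace, expands it to the machinetag strings MISP generates, and checks the hook's tag against them. Only test-start comes from this page; the result predicate with hit/miss entries is a constructed addition to show how predicates with entries expand.

```python
import json
from typing import Dict, List

# Constructed minimal taxonomy for the 'aptc' namespace (MISP taxonomy layout:
# namespace, description, version, predicates, optional values).
TAXONOMY = {
    "namespace": "aptc",
    "description": "Automated Payload Test Controller",
    "version": 1,
    "predicates": [
        {"value": "test-start", "expanded": "Launch getpayloads.py for this test-case event"},
        {"value": "result", "expanded": "Outcome of the payload test"},  # assumed addition
    ],
    "values": [
        {"predicate": "result",
         "entry": [{"value": "hit", "expanded": "Product-under-Test caught the payload"},
                   {"value": "miss", "expanded": "No indicator found before timeout"}]},
    ],
}


def machinetags(taxonomy: Dict) -> List[str]:
    """Expand a taxonomy into the tag strings MISP creates when it is enabled.

    A predicate without entries becomes 'namespace:predicate'; a predicate with
    entries becomes 'namespace:predicate="entry"' for each entry.
    """
    ns = taxonomy["namespace"]
    entries_by_predicate = {v["predicate"]: v.get("entry", [])
                            for v in taxonomy.get("values", [])}
    tags: List[str] = []
    for pred in taxonomy.get("predicates", []):
        entries = entries_by_predicate.get(pred["value"], [])
        if not entries:
            tags.append(f"{ns}:{pred['value']}")
        for entry in entries:
            tags.append(f'{ns}:{pred["value"]}="{entry["value"]}"')
    return tags


def validate_taxonomy(taxonomy: Dict) -> List[str]:
    """Sanity checks on the taxonomy dict; returns a list of problems (empty == passes)."""
    problems: List[str] = []
    ns = taxonomy.get("namespace")
    if not isinstance(ns, str) or not ns or ":" in ns:
        problems.append("namespace must be a non-empty string without ':'")
    preds = taxonomy.get("predicates")
    if not isinstance(preds, list) or not preds:
        problems.append("predicates must be a non-empty list")
        preds = []
    known = set()
    for pred in preds:
        if not isinstance(pred, dict) or not pred.get("value"):
            problems.append(f"predicate without a value: {pred!r}")
        else:
            known.add(pred["value"])
    for v in taxonomy.get("values", []):
        if v.get("predicate") not in known:
            problems.append(f"values entry refers to unknown predicate {v.get('predicate')!r}")
    return problems


def hook_tag_is_defined(taxonomy: Dict, hook_tag: str) -> bool:
    """Check that the tag compared in EventsController.php exists in the taxonomy."""
    return hook_tag in machinetags(taxonomy)


def write_machinetag(path: str, taxonomy: Dict = TAXONOMY) -> None:
    """Write the taxonomy as machinetag.json (to copy under app/files/taxonomies/aptc/)."""
    problems = validate_taxonomy(taxonomy)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(taxonomy, fh, indent=2)


if __name__ == "__main__":
    print("\n".join(machinetags(TAXONOMY)))
    print("hook tag defined:", hook_tag_is_defined(TAXONOMY, "aptc:test-start"))
```

Run the hook-tag check after editing your tags in step 7: a renamed predicate silently stops the shell_exec hook from ever firing, and nothing in MISP will warn you.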

Installation steps for Windows target(s)

  1. Mount the Samba share on your Windoze target(s)
  2. Copy filemonitor.vbs to the target(s) and make it auto-run upon login (the target should auto-login)

Useful links

Most convenient way to setup the latest MISP: https://github.com/harvard-itsecurity/docker-misp

About

Automated Payload Test Controller