Sunday, August 26, 2012

Maryland Cyber Challenge and Conference & Global CyberLympics: TeamSploit

This post is part of a five part series:  The Journey (Part 1), TeamSploit (Part 2), Trollware (Part 3), Unsploitable (Part 4), Defensive Tools For The Blind (Part 5).

Description:

TeamSploit makes group-based penetration testing fun and easy, providing real-time collaboration and automation. TeamSploit is a suite of tools for the Metasploit Framework. TeamSploit should work with any MSF product (include, OpenSource, Express, or Pro).

Features Include:

  • Exploitation Automation
  • Automated Post-Exploitation
  • Information and Data Gathering
  • Session Sharing
  • Trojans and Trollware

TeamSploit's primary goal is to automate common penetration testing tasks, and provide access and information to fellow team members.

The Origin:

TeamSploit's origin actually begins before the Global CyberLympics (GCL), and before Team ICF took first place at the Maryland Cyber Challenge and Conference (MDC3).  The basis of TeamSploit was actually a result of our preparation for the Penetration Testing round of the MDC3.  At that point in time it wasn't even called TeamSploit, nor was it nearly as feature-filled, but the foundation was laid.

It is common knowledge that a penetration test entails a lot more than simply exploiting systems.  When someone hires a team to preform a penetration test, they are not hiring a group to wreak havoc on their infrastructure, but instead they are buying a report.  In fact, a great deal of a penetration tester's time is spent preparing, drafting, and organizing the final report that will be delivered to the client.  While at the time, we didn't know the specifics of the final round of the MDC3, we did know it would include report writing or some simulation of that aspect.

Enter Auto Post - a Metasploit Meterpreter Plugin I created to assist in the reporting aspect of a penetration test.  It was essentially a collection of post exploitation process and tasks one would manually complete.  It included other Meterpreter scripts and plugins and plenty of Windows commands, all with the goal of collecting a large amount of information about a system directly after exploitation.  Many believe that Post Exploitation is the harder stage of an attack, and I aimed to make that comment obsolete.  Auto Post would capture password hashes, obtain lists of running services, provide a comprehensive list of installed software, provide information on who is logged on to the system, network infrastructure information, and much more.  Auto Post also automated the process of maintaining access, another key step of an attack, ensuring we wouldn't lose access to our targets.  In all, when running this primitive, early version of TeamSploit, you found yourself with an exhaustive log file and persistent access for each target your successively compromised - all in an automated fashion.

Ultimately, we did utilize Auto Post in our journey to victory at the penetration testing finale of the MDC3.  After gaining access to all of the systems, we delved into the produced Auto Post logs and started generating the requested reports for the competition.  In the end, we won and were rushing away to Miami, where we honestly didn't have much use for Auto Post, but we did have use to persistent access to the systems.  So TeamSploit was officially born.  At this point it was little more than a configurable, template driven version of Auto Post, but it was well on its way to becoming what it is today.  TeamSploit was slowly evolving from a simple Meterpreter script to a collection of scripts, plugins, tools, and importantly, even more automation.  For our North American Championship, we used  TeamSploit to pass sessions to each other and manage our persistent access.  However, our journey didn't end in Miami and we needed to prepare for the World Finals.

As was discussed in the previous post of this series; we knew the long wait between the regional Championships and the World Finals would breed a large amount of development, tools, and automation from our various competitors.  It was during this window of time that TeamSploit grew into the product it is today.  Feature after feature was conjured, developed, and implemented.  The team practices became a breeding ground for novel ideas and tactics, and my development time became an orchestration to develop these new tactics and automate them as much as possible.  If it could be automated, our plan was to have it automated.  And let's be honest, it is possible to automate almost everything we do, so automated it would become.

Yet the World Finals of the GCL are not the end of the TeamSploit story.  In fact, it is just the beginning.  Today TeamSploit is still under active development.  More automation is added on a constant basis and the team and I still come up with ideas that are added regularly.

Setup:

Downloading and Installing TeamSploit is simple - as the project is hosted on Subversion at Source Forge.  To checkout the latest copy of TeamSploit, simply run the following command in a terminal:
svn checkout svn://svn.code.sf.net/p/teamsploit/code/trunk teamsploit
The next step is to properly configure TeamSploit for your given team and environment.  You'll find the configuration file in your newly created teamsploit directory - teamsploit.conf.  TeamSploit comes with a large comprehensive configuration file, I'm not going to go over the entire configuration file, but I'll hit the important points.

First things first, make sure you change the first configuration option:

#  Change this to a '1' (no qoutes) when you finish editing this file... 
TS_CONFIG=1

This ensures that you actually configure TeamSploit before attempting to run it the first time, saving you a great deal of headaches down the road.

Now you'll need to specify the interface you are using:

TS_MY_INT=eth0

Next you are going to want to configure the team database to which you are connecting.  Obviously someone needs to be running a database.  The team member who plans host the server simply needs to setup a PostgreSQL database and share the following information with you:

TS_DB_NAME=teamsploitdb 
TS_DB_HOST=192.168.1.100 
TS_DB_PORT=5432 
TS_DB_USER=teamsploit 
TS_DB_PASS=password
If a fellow teammate is running the MSFD service, you'll want to specify connection information for that as well:
TS_MSFD_CONNECT=1 
TS_MSFD_HOST=192.168.1.100 
TS_MSFD_PORT=51337
The final item you'll want to properly configure happens to be one of the most important.  The team mates and ports you'll be sharing sessions with:

TS_TEAM_MATES="192.168.1.101;192.168.1.102;192.168.1.103;193.168.1.104" 
TS_TEAM_PORT=1025 
TS_TEAM_PORT_2=7000 
TS_TEAM_PORT_HTTP=80 
TS_TEAM_PORT_HTTPS=443 
TS_TEAM_PORT_DNS=53
At this point, TeamSploit should be configured and ready for you to start using.

Usage:

Loading TeamSploit is as simply as running the TeamSploit executable in your teamsploit directory:
./teamsploit
Unless otherwise configured, TeamSploit is now going to load two windows (three if you are connecting to a MSFD Service):

TeamSploit Screenshot

Within your Primary shell, you can exploit systems and Auto Post Exploitation will complete - passing sessions to both your Listener as well as each of your team mates.

Within the Listener, you can interact with any sessions you've received, from both your own exploitation as well as sessions your fellow team mates have acquired.

TeamSploit actually loads a number of very useful modules, like:

At this point, you can compromise a target network with very little effort.  The very first thing you'll need to do is configure a Nessus policy to only audit exploits that have a corresponding Metasploit module.  You can follow the directions provided by Dark Operator if you'd like (Directions).

Connect TeamSploit to Nessus (be sure to replace the relevant details):
nessus_connect username:password@nessus_host:port ok
 Find your newly created Metasploit-Only Nessus Policy:
nessus_policy_list
Start a scan against your targets (be sure to replace the relevant details):
nessus_scan_new PolicyID "Scan Name" AddressRange 
You can monitor your scan with the following:
nessus_scan_status 
Once the scan is done, you'll need to import your results to TeamSploit (the Scan ID should have been returned when starting the scan):
nessus_report_get ScanID 
Now we are ready to exploit the systems:
vuln_exploit 
As each system is exploited, the Auto Post Exploitation will complete - sharing sessions with your listener and your team mates.  If during this time period you'd like to interact with your newly compromised systems, you can do so inside of your listener.

Now that all of the systems (with vulnerabilities returned by Nessus) have been compromised, it is time to pass the hash and see if we can obtain any more of our targets:
pass_the_hash 
At this point, all of the collected credentials will be used against all of the remaining targets.  With any luck, this will obtain you further access (especially with password reuse and Windows domains).

And that's it.  With only a few commands and a couple of minutes, we've successfully infiltrated a target network, obtained ingrained access, gathered a large amount of system information, and can now laugh at the System Administrators as they fight with the Trollware.


Video:

This demonstration shows the usage of TeamSploit from both the attackers (left window) and victims (right window) perspective.

The attacker on the left has a base installation of TeamSploit on BackTrack R3 and is targeting the administrator on the right. The premise of this scenario is the admin on the right hand side is completing typical daily administrative work and does not know an attacker is targeting their system.

Note: This video is based off of Revision 4 of TeamSploit



2 comments:

TehCount said...

Very nice!

Unknown said...

Interesting cyberlympics, So, how was it? Looks like it turned out so well.. :)
_____________________
Ashley | Soccer News