ThreatBox – A Standard And Controlled Linux Based Attack Platform

ThreatBox is a standard and controlled Linux based attack platform. I’ve used a version of this for years. It started as a collection of scripts, lived as a rolling virtual machine, existed as code to build a Linux ISO, and has now been converted to a set of ansible playbooks. Why Ansible? Why not? This seemed to be the next natural evolution to the configuration of standard attack platforms.

This project uses ansible playbooks and roles to perform post deployment configuration on a linux target (Tested on Ubuntu 18.04).

The project is designed to be used as a starter process in creating, managing, and using a standard attack platform for red teaming or penetration testing.

Detail on the concept of a Standard Attack Platform can be found it the book Red Team Development and Operations – A practical guide, written by Joe Vest and James Tubberville. 

Features

  • Standard tools defined as ansible roles
  • Customizations designed to make security testing easier
  • Variable list to add or remove git repositories, OS packages, or python modules. (threatbox.yml)
  • Version tracking of the deployed instance version and the deploy tool version. This is helpful it meeting compliance rules and can help minimize fear by actively tracking all tools.
    • Threatbox version created at deployment and displayed in desktop wallpaper
    • Deployed software tracked in ~/Desktop/readme
  • SSH port auto-switching. The deployment starts on port 22, but reconfigures the target system to the desired SSH port using the ansible_port variable in threatbox.yml
  • Download and compile several .net toolkits (i.e. SeatBelt.exe from Ghostpack https://github.com/GhostPack/Seatbelt)
  • Most python projects installed using pipenv. Use pipenv shell in the project directory to access. See https://realpython.com/pipenv-guide/ for pipenv usage guidance

Project Files

The following list highlights key components of this project.

File/Directory Description Usage
host Ansible hosts file Update with IP addresses of target ansible systems
group_vars/threatbox.yml common variables variable used for the project. update as needed.
threatbox_playbox.yml Primary ansible playbook Update as need to add additional roles or features
roles/common Common OS platform configuration Setup common OS settings (i.e set version in background or build)
roles/. other specific roles to configure or deploy tools add or modify roles in roles/

Quickstart

Provision

Provision one or more targets.

Note: This project was tested on Ubuntu 18.04 deployed in Digitalocean

Configuration

  1. Copy hosts.sample to hosts
  2. Edit hosts with the IP(s) of your target systems
  3. Copy group_varsthreatbox.yml.sample to group_varsthreatbox.yml
  4. Edit group_varsthreatbox.yml with the updated variables you would like to use
    • Don’t forget to update SSH key with a key that has access to the remote target

Ansible commands

# OSX issue https://github.com/ansible/ansible/issues/32499
if [[ "$(uname)" == "Darwin" ]]
then
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=yes;
fi

# Ansible Logging
rm ./ansible.log
export ANSIBLE_LOG_PATH="ansible.log"

# Ansible Debugging
export ANSIBLE_DEBUG=False

# Execute playbook
ansible-playbook -e ansible_python_interpreter=/usr/bin/python3 -i hosts threatbox_playbook.yml

Note: Consider using Mitogen for Ansible to gain a significant performance boost. https://mitogen.networkgenomics.com/ansible_detailed.html

Tested with this ansible.cfg

[defaults]
host_key_checking = False
pipelining = True
forks = 100
timeout = 600
stdout_callback = yaml
bin_ansible_callbacks = True
callback_whitelist = profile_roles, profile_tasks, timer

#mitogen
strategy_plugins = ~/Documents/mitogen-0.2.9/ansible_mitogen/plugins/strategy
strategy = mitogen_linear

Remotely Access the system

Console access with SSH

Note: SSH may be set to a non-standard port during setup. This value is set in the group_vars/threatbox.yml files

threatboxip=10.10.10.10
sshport=52222
ssh -p $sshport -i ~/.ssh/threatbox_id_rsa root@$threatboxip

GUI Access with VNC over SSH

Note: VNC is setup but not allowed over the network. You must use an SSH tunnel to access.

threatboxip=10.10.10.10
sshport=52222
ssh -p $sshport -i ~/.ssh/threatbox_id_rsa -L 5901:localhost:5901 root@$threatboxip

Notes on the project

This project uses ansbile roles. These roles may not exactly follow the ansible style. They were designed to be used as part of this project and use a single ‘variable’ file to control the project. The roles can easily be used in other project with minor tweaks.

Features

ThreatBox Custom Commands

AVvXsEivvIysUdsh9aJooEws9pZrWXvbdks z7nnitLeeUmuVnl xRsAW96 B64btF5SJS d3AfDgMlL R4mSAP3FZvWVpCMx Jx0ILw7HQymB8JwAXlCOsjDPElykv5ybat5hExMRFjR4kU B68tK7eh1hcC2Jrloe BPVadUFrefUo1NJUq 4 ZKoCHcirGg=w640 h458

Tool Categories

AVvXsEjkGTLMrVeq48Kqr5EwQnQc BNRNwA F9EGOSKpLNqmiyGd1uhTMqWMivwfC1 x4wZCrqLW4ztPpFFrOp7zlYYl nlZLcd a1V5cNC JuexI9gyyJSLU8SNoLGxSjdBHlR2B4AITju63Yp0XHtHvAmDl7Dj5bvqtz1ZZ7vz8GlD x z7X6mqXryVsEyxA=w640 h270

Tracking of all installed tools

AVvXsEglsEAE8hNxhHpa9 rfbLP0XLI2rUg74YyipeZ mTd4H0YKrVG7YWETyAVgdNPCFymlUzCwJMNLGnV8t oHYiq1DNijY IH6RZY kTOD Zp16mYum2x5J6MbhzR32Z95ebn8tJHsahusgPakCOh4VNz7BCCUqus T21GPTq3vf8hPIAn uAUQrTGDZNg=w640 h356

Automatic terminal logging

AVvXsEhGeb u7ier9WMGtF n2rzx9yWrt2az6naSQEGUhnYcbjHcr1OZDCAIFQ1mohMdQTTtP29MxIKsWIheE1IIFvOKiFZwajR7 P CCFe6ZOIYF4ql2gw4FB2gMoNgPVOzXeAL3AN5oIgr2aYm FWnWl4Gfq8HPqgva kVyC Z16sy 8h38WOPMxLWuajTSA=w640 h244

Custom terminal options provide more context

AVvXsEgqF0QWjw91 twXViqmFM2qRZFUnZfneW5zWXfvfhB r Km4kUy2vYbNt56ZAtGU4nFZpoNE0jQM3 yL5 aUk0Vb0WdM7ZlwSMdG2J636u5iMNQikBLqzgUQ 7aY77246JtO8d2CS74VvlHZN1oSyweDrWqq3Ap8lUMjpjFVkC3Yw ZnUsxEpnw4DlKAA=w640 h248

Light version of the terminal 

Pipenv keep Python projects independent

AVvXsEg1aFsbPe cnhEsuDzbJ9 Fwm6SaRq2Xig7g wWNKT4ZDVMCUS Zg1a1jA1K8lNheP1fGLXG9QoVwzw8iQ4V3s24inXk56xS hlkHdmDChQI86DXEQKeEfhWP4OfU2JWjPI9b87RfMJt4CaTBv1epQVHRqb1CTXjG8TomtOW4zrYNqfDVEJPbd1x7iwFQ=w640 h40

Example of SilentTrinity running in pipenv environment

AVvXsEh9bpESOyPjiyIIHdTmzW9PTz3Nan0l2Z5OU3EZ7YJFt6IsaCkYJ2o F8vW482JQ5qu0H3uwO9LtWcS1dppBmgGzgIBd0D4yUIH0HOh49ulpVMHRwUvGwjSR8Vbilrz4OqgrENg RH4 IIO0hRtcAifm4YLIX26uyK2oSip87tm8 w19Xog0EIqftVESA=w640 h292

click here to read full Article

Read More on Pentesting Tools

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: