Reave is a post-exploitation framework tailored for hypervisor endpoints. It is currently under development.
Reave follows a traditional listener/agent model, where the user may set up multiple listeners of various flavors that accept any number of agents. The framework currently provides a Python agent and supports the following objectives:
- Interactive terminal sessions
- Automatic enumeration of hypervisor hosts, including:
  - What guest systems are installed
  - What network shares and datastores are mounted
  - What local users are associated
  - What domain the hypervisor is a part of
- Modular payloads supporting capabilities such as:
  - Exfiltration: of datastores, files, virtual disks
  - Persistence: adding, modifying, deleting local users, installing SSH keys and reverse shells
  - Enumeration: further network scanning, etc.
The goal of Reave is to provide a framework one can leverage to automate and expedite pentesting campaigns in environments that are either heavily virtualized, or where target/critical infrastructure is hosted on hypervisor platforms such as ESXi and Proxmox.
On the server, simply run `app.py`:

```
python3 reave/app.py
```

On your client of choice, upload `reave/agents/client.py` and run the file. The following configuration options are available:
| Option | Description |
|---|---|
| `_LISTENER_HOST` | Hostname/IP of the server |
| `_LISTENER_PORTS` | List of ports that the agent will attempt to connect to in round-robin fashion |
| `_LISTENER_SECRET` | Association key of the listener the agent will bind to |
| `_AGENT_LOGLEVEL` | Debug logging level |
| `BEACON_INTERVAL` | Interval the agent will beacon on |
| `BEACON_JITTER` | Random jitter factor added to the beacon interval |
| `START_TIME` | What time of day the agent will start beaconing |
| `END_TIME` | What time of day the agent will stop beaconing |
| `SOCKET_TIMEOUT` | Timeout for the agent's socket |
| `PID_FILE` | PID file the agent uses to ensure it isn't already running on the endpoint |
| `TRANSFER_BLOCK_SIZE` | Block size the agent will use when transferring files to the server |
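From the defender's side, the beacon settings above (a fixed `BEACON_INTERVAL` plus a bounded `BEACON_JITTER`, with connections cycling through `_LISTENER_PORTS`) describe a traffic shape that stands out in a hypervisor host's outbound connection logs. The following is an added example, not part of the Reave project: it takes constructed connection records and flags source/destination pairs whose gaps stay within a jitter bound of a median interval, also reporting the set of ports used; thresholds and the record format are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed outbound-connection records, as a hypervisor firewall or NetFlow
# export might yield them: (epoch seconds, source host, destination IP, port).
SAMPLE_CONNECTIONS = [
    # esxi-01: gaps of roughly 60 s with bounded jitter, ports used round-robin
    (1700000000, "esxi-01", "203.0.113.10", 443),
    (1700000055, "esxi-01", "203.0.113.10", 8443),
    (1700000121, "esxi-01", "203.0.113.10", 9443),
    (1700000171, "esxi-01", "203.0.113.10", 443),
    (1700000242, "esxi-01", "203.0.113.10", 8443),
    (1700000302, "esxi-01", "203.0.113.10", 9443),
    (1700000360, "esxi-01", "203.0.113.10", 443),
    (1700000424, "esxi-01", "203.0.113.10", 8443),
    # esxi-02: bursty, operator-driven traffic to a management host
    (1700000000, "esxi-02", "198.51.100.5", 443),
    (1700000005, "esxi-02", "198.51.100.5", 443),
    (1700000605, "esxi-02", "198.51.100.5", 443),
    (1700000635, "esxi-02", "198.51.100.5", 443),
    (1700002635, "esxi-02", "198.51.100.5", 443),
    (1700002647, "esxi-02", "198.51.100.5", 443),
    (1700002737, "esxi-02", "198.51.100.5", 443),
]


def find_beaconing(records, min_beacons=6, max_jitter=0.3):
    """Return {(src, dst): info} for pairs whose connections are evenly spaced:
    every gap lies within max_jitter of the median gap (interval + bounded jitter)."""
    series = defaultdict(list)
    for ts, src, dst, port in records:
        series[(src, dst)].append((ts, port))
    hits = {}
    for key, events in series.items():
        if len(events) < min_beacons:
            continue  # too few connections to call it periodic
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        base = median(gaps)
        if base <= 0:
            continue  # duplicate timestamps, not a beacon series
        jitter = max(abs(g - base) / base for g in gaps)
        if jitter <= max_jitter:
            hits[key] = {"interval": base, "jitter": round(jitter, 3),
                         "ports": sorted({p for _, p in events})}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beaconing(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}: every ~{info['interval']}s, jitter {info['jitter']}, ports {info['ports']}")
```

Correlating a flagged pair with the agent's `START_TIME`/`END_TIME` window (connections only during working hours) and with the firewall rule set of the hypervisor narrows false positives from legitimate monitoring agents.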
The command line has three distinct contexts:
- Listener
- Payload
- Agent
To enter the listener context, use the command `listener`. From there, several options are available:

| Command | Description |
|---|---|
| `list` | List all active listeners |
| `add <host> <port> <secret>` | Add a listener |
| `remove <uuid>` | Remove a listener |

Exit this context by using the command `back`.
To enter the agent context, use the command `agent`. From there, several options are available:

| Command | Description |
|---|---|
| `list` | List all agents |
| `interact <uuid>` | Interactive terminal session with the agent; `quit` to exit |
| `create` | Start creating a new agent script; writes to the `./data/` directory |
| `get <uuid> <file>` | Transfer a file from the agent endpoint to the downloads directory |

Exit this context by using the command `back`.
To enter the payload context, use the command `payload`. From there, several options are available:

| Command | Description |
|---|---|
| `list` | List all loaded payloads |
| `info <name>` | Get information about a payload |
| `use <name>` | Select a payload for use |
| `set <option> <value>` | Set a payload option to a value |
| `run agent <uuid>` | Run the payload on an individual agent |
| `run listener <uuid>` | Run the payload on all agents on the listener |

Exit this context by using the command `back`.
Reave also supports defining the format in which enumeration data is displayed. To switch to a particular format:

| Command | Description |
|---|---|
| `format json` | Output information in JSON format |
| `format table` | Output information in table format |